Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
This Node-RED flow invokes the TIE DXL service to retrieve the reputation of a file (as identified by hashes).
[
{
"id": "39707d18.0f97d2",
"type": "tab",
"label": "TIE Get File Reputation Example",
"disabled": false,
"info": "This sample invokes the TIE DXL service to retrieve the reputation of a file (as\r\nidentified by hashes). The response to the TIE request is printed to the\r\nNode-RED `debug` tab.\r\n\r\n### Prerequisites\r\n\r\n* The samples configuration step has been completed (see\r\n [Client Configuration](https://opendxl.github.io/node-red-contrib-dxl/jsdoc/tutorial-configuration.html)).\r\n* A TIE service is available on the DXL fabric.\r\n\r\n### Setup\r\n\r\n* To deploy the flow, press the `Deploy` button in the upper-right corner of the\r\n screen. If Node-RED is able to properly connect to the DXL fabric, a green dot\r\n with the word `connected` should appear under the `Get reputation from TIE`\r\n node.\r\n\r\n### Running\r\n\r\nTo exercise the flow for the \"notepad.exe\" file, double-click the button on the\r\nleft side of the `Start Notepad.exe lookup flow` node.\r\n\r\nTo exercise the flow for the \"EICAR Standard Anti-Virus Test File\" file,\r\ndouble-click the button on the left side of the `Start EICAR lookup flow` node.\r\n\r\n### Output\r\n\r\nThe output in the Node-RED `debug` tab after the flow is run for the\r\n`notepad.exe` file should appear similar to the following:\r\n\r\n```\r\n? { 1: object, 3: object }\r\n```\r\n\r\nClick on the right arrow buttons to expand the contents of the object. The\r\ncontent should look similar to the following:\r\n\r\n```\r\n? object\r\n ? 1: object\r\n ? attributes: object\r\n 2120340: \"2139160704\"\r\n createDate: 1451502875\r\n providerId: 1\r\n trustLevel: 99\r\n ? 3: object\r\n ? attributes: object\r\n 2101652: \"17\"\r\n 2102165: \"1451502875\"\r\n 2111893: \"21\"\r\n 2114965: \"0\"\r\n 2139285: \"72339069014638857\"\r\n createDate: 1526675921\r\n providerId: 3\r\n trustLevel: 99\r\n```\r\n\r\nThe `key` for each entry in the object corresponds to a particular `provider` of\r\nthe associated `reputation`. The list of file reputation providers can\r\nbe found in the\r\n[FileProvider documentation](https://opendxl.github.io/opendxl-tie-client-javascript/jsdoc/module-FileProvider.html)\r\nin the TIE JavaScript client SDK.\r\n\r\nThe McAfee Global Threat Intelligence (GTI) service is identified in the results\r\nas `providerId: 1`. The trust level associated with the GTI response\r\n(`trustLevel: 99`) indicates that the file is known good.\r\n\r\nThe output in the Node-RED `debug` tab after the flow is run for the `EICAR`\r\nfile should also appear similar to the following:\r\n\r\n```\r\n? { 1: object, 3: object }\r\n```\r\n\r\nClick on the right arrow buttons to expand the contents of the object. The\r\ncontent should look similar to the following:\r\n\r\n```\r\n? object\r\n ? 1: object\r\n ? attributes: object\r\n 2120340: \"2139162632\"\r\n createDate: 1451504331\r\n providerId: 1\r\n trustLevel: 1\r\n ? 3: object\r\n ? attributes: object\r\n 2101652: \"11\"\r\n 2102165: \"1451504331\"\r\n 2111893: \"22\"\r\n 2114965: \"0\"\r\n 2139285: \"72339069014638857\"\r\n createDate: 1451504331\r\n providerId: 3\r\n trustLevel: 0\r\n```\r\n\r\nThe trust level associated with the GTI response (`trustLevel: 1`) indicates\r\nthat the file is known bad.\r\n\r\nSee the \r\n[TrustLevel documentation](https://opendxl.github.io/opendxl-tie-client-javascript/jsdoc/module-TrustLevel.html)\r\nin the TIE JavaScript client SDK for the list of standard trust levels.\r\n\r\n### Details\r\n\r\nThe flow exercises the nodes below.\r\n\r\n#### Start lookup flow\r\n\r\nThese are `inject` input nodes which start the flow.\r\n\r\n#### Set hashes request parameter\r\n\r\nThese are `change` nodes which set values for different hash types —\r\n`md5`, `sha1`, and `sha256` — onto an object which is stored to the\r\n`hashes` property on the message. The `Get reputation from TIE` node uses\r\nthe `hashes` property when constructing the parameters for the TIE reputation\r\nrequest. \r\n\r\n#### Get reputation from TIE\r\n\r\nThis is a `tie get file reputation` node. This node connects to\r\nthe DXL fabric and sends a DXL `Request` message to the TIE service to lookup\r\nfile reputation information.\r\n\r\nThe request message includes the `hashes` properties set by the\r\n`Set hashes request parameter` nodes.\r\n\r\nThe `Return` property is set to \"a parsed JSON object\" to indicate that the\r\npayload for the response should be added to the output message as a JavaScript\r\nobject decoded from JSON.\r\n\r\n#### Output reputation\r\n\r\nThis is a `debug` output node. This node outputs the `payload` set on\r\nthe message by the `Get reputation from TIE` node. The output should\r\ninclude information for reputation data for the file."
},
{
"id": "51a672e5.8eeacc",
"type": "dxl-tie-get-file-reputation",
"z": "39707d18.0f97d2",
"name": "Get reputation from TIE",
"client": "2ed0ce07.039942",
"returnType": "obj",
"x": 650,
"y": 200,
"wires": [
[
"5fba5195.75416"
]
]
},
{
"id": "5fba5195.75416",
"type": "debug",
"z": "39707d18.0f97d2",
"name": "Debug: Output reputation",
"active": true,
"tosidebar": true,
"console": false,
"tostatus": false,
"complete": "payload",
"x": 770,
"y": 300,
"wires": []
},
{
"id": "6f2b0eb8.3ccf1",
"type": "change",
"z": "39707d18.0f97d2",
"name": "Set hashes request parameter for Notepad.exe",
"rules": [
{
"t": "set",
"p": "hashes",
"pt": "msg",
"to": "payload",
"tot": "msg"
},
{
"t": "set",
"p": "hashes.md5",
"pt": "msg",
"to": "f2c7bb8acc97f92e987a2d4087d021b1",
"tot": "str"
},
{
"t": "set",
"p": "hashes.sha1",
"pt": "msg",
"to": "7eb0139d2175739b3ccb0d1110067820be6abd29",
"tot": "str"
},
{
"t": "set",
"p": "hashes.sha256",
"pt": "msg",
"to": "142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2",
"tot": "str"
}
],
"action": "",
"property": "",
"from": "",
"to": "",
"reg": false,
"x": 300,
"y": 120,
"wires": [
[
"51a672e5.8eeacc"
]
]
},
{
"id": "373b1de9.ad69a2",
"type": "change",
"z": "39707d18.0f97d2",
"name": "Set hashes request parameter for EICAR",
"rules": [
{
"t": "set",
"p": "hashes",
"pt": "msg",
"to": "payload",
"tot": "msg"
},
{
"t": "set",
"p": "hashes.md5",
"pt": "msg",
"to": "44d88612fea8a8f36de82e1278abb02f",
"tot": "str"
},
{
"t": "set",
"p": "hashes.sha1",
"pt": "msg",
"to": "3395856ce81f2b7382dee72602f798b642f14140",
"tot": "str"
},
{
"t": "set",
"p": "hashes.sha256",
"pt": "msg",
"to": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"tot": "str"
}
],
"action": "",
"property": "",
"from": "",
"to": "",
"reg": false,
"x": 280,
"y": 300,
"wires": [
[
"51a672e5.8eeacc"
]
]
},
{
"id": "b473334d.8f843",
"type": "inject",
"z": "39707d18.0f97d2",
"name": "Start Notepad.exe lookup flow",
"topic": "",
"payload": "{}",
"payloadType": "json",
"repeat": "",
"crontab": "",
"once": false,
"onceDelay": 0.1,
"x": 160,
"y": 40,
"wires": [
[
"6f2b0eb8.3ccf1"
]
]
},
{
"id": "2a870a65.7cfd26",
"type": "inject",
"z": "39707d18.0f97d2",
"name": "Start EICAR lookup flow",
"topic": "",
"payload": "{}",
"payloadType": "json",
"repeat": "",
"crontab": "",
"once": false,
"onceDelay": 0.1,
"x": 140,
"y": 200,
"wires": [
[
"373b1de9.ad69a2"
]
]
}
]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment