Patch Unprotected Computers

Deep Security creates Intrusion Prevention rules that patch your computers against CVE's. You can use the API to determine which Intrusion Prevention rule protects against a specific CVE, determine if the rule is applied to your computers, and apply the rule if required.

  1. Use an IntrusionPreventionRulesApi object to obtain the intrusion prevention rules via search.
  2. For each computer, obtain an IntrusionPreventionComputerExtension object and determine if the rule is applied to the computer.
  3. For each vulnerable computer, determine the policy that it uses, add the rule to the policy, and update the computers with the change.

Example: Find the Intrusion Prevention rule for a CVE

The following example searches for the Intrusion Prevention rules that protect against a specific CVE. Intrusion Prevention rule objects include a CVE field that contains the names of the CVE that the rule applies to. The CVE field is searchable so you can easily find the rules for a specific CVE. From the rules that are returned from the search, obtain the rule IDs.

For detailed information about searching, see Search for Resources.

Python
View source
# Set search criteria
search_criteria = api.SearchCriteria()
search_criteria.field_name = "CVE"
search_criteria.string_value = "%" + cve_id + "%"
search_criteria.string_test = "equal"

# Create a search filter
search_filter = api.SearchFilter()
search_filter.search_criteria = [search_criteria]

# Search for all intrusion prevention rules for the CVE
ip_rules_api = api.IntrusionPreventionRulesApi(api.ApiClient(configuration))
ip_rules_search_results = ip_rules_api.search_intrusion_prevention_rules(api_version, search_filter=search_filter)

# Get the intrusion prevention rule IDs for the CVE from the results
for rule in ip_rules_search_results.intrusion_prevention_rules:
    rule_id_s.append(rule.id)

return rule_id_s
JavaScript
View source
const getIpRules = () => {
  // Search criteria
  const cveCriteria = new api.SearchCriteria();
  cveCriteria.fieldName = "CVE";
  cveCriteria.stringValue = "%" + cveID + "%";
  cveCriteria.stringTest = api.SearchCriteria.StringTestEnum.equal;

  // Add criteria to a search filter
  const searchFilter = new api.SearchFilter();
  searchFilter.searchCriteria = [cveCriteria];

  // Add the search filter to a search options object
  const searchOptions = {
    searchFilter: searchFilter,
    overrides: false
  };

  // Perform the search
  const ipRulesApi = new api.IntrusionPreventionRulesApi();
  return ipRulesApi.searchIntrusionPreventionRules(apiVersion, searchOptions);
};

getIpRules()
  .then(ipRules => {
    // Iterate the rules and get the IDs
    for (let i = 0; i < ipRules.intrusionPreventionRules.length; i++) {
      ruleIDs.push(ipRules.intrusionPreventionRules[i].ID);
    }
    resolve(ruleIDs);
  })
  .catch(error => {
    reject(error);
  });
Java
View source
List<Integer> ruleIDs = new ArrayList<>();
IntrusionPreventionRulesApi intrusionPreventionRulesApi = new IntrusionPreventionRulesApi();

// Create a search filter to find the rules
SearchFilter searchFilter = new SearchFilter();

SearchCriteria searchCriteria = new SearchCriteria();
searchCriteria.fieldName("CVE");
searchCriteria.setStringValue("%" + cve + "%");
searchCriteria.setStringTest(StringTestEnum.EQUAL);

searchFilter.addSearchCriteriaItem(searchCriteria);

// Perform the search
IntrusionPreventionRules intrusionPreventionRules = intrusionPreventionRulesApi.searchIntrusionPreventionRules(searchFilter, apiVersion);

// Get the rule IDs from the results
for (IntrusionPreventionRule rule : intrusionPreventionRules.getIntrusionPreventionRules()) {
    ruleIDs.add(rule.getID());
}

Also see the Search Intrusion Prevention Rules operation in the API Reference.

Example: Find computers that are not protected against a CVE

The following example determines which computers in a list do not have an Intrusion Prevention rule applied. For each computer, the IDs of the rules that are assigned to the computer are obtained. The assigned rule IDs are compared to the ID of the rule(s) that protect against the CVE.

Python
View source
unprotected_computers = []
for computer in computers_list.computers:
    computer_ip_list = computer.intrusion_prevention
    if computer_ip_list.rule_ids:
        if rule_id in computer_ip_list.rule_ids:
            unprotected_computers.append(computer)
return unprotected_computers
JavaScript
View source
let unprotected = [];
for (let i = 0; i < computers.computers.length; i++) {
  if (computers.computers[i].intrusionPrevention !== undefined) {
    const IDs = computers.computers[i].intrusionPrevention.ruleIDs;
    let found = false;
    if (IDs !== undefined) {
      for (let j = 0; j < IDs.length; j++) {
        if (IDs[j] === ruleID) {
          found = true;
          break;
        }
      }
    }
    if (!found) {
      unprotected.push(computers.computers[i]);
    }
  }
}
Java
View source
Computers needsRule = new Computers();
for (Computer computer : computers.getComputers()) {
    IntrusionPreventionComputerExtension ipExt = computer.getIntrusionPrevention();
    if (ipExt.getRuleIDs() == null || !ipExt.getRuleIDs().contains(ruleID)) {
        needsRule.addComputersItem(computer);
    }
}

Also see the List Computers and Search Computers operations in the API Reference.

Example: Add intrusion prevention rules to computers' policies

The following example adds an Intrusion Prevention rule to a policy.The source code on which this example is based also determines the policy that is assigned to the computers. Once the policy is found, the rule is assigned to the policy if it is not already assigned. Care must be taken to preserve the rules that are already applied.

You could alternatively assign the rule directly to the computer.
Python
View source
# Get the current list of rules from the policy
policies_api = api.PoliciesApi(api.ApiClient(configuration))
current_rules = policies_api.describe_policy(policy_id, api_version, overrides=False)

# Add the rule_id if it doesn't already exist in current_rules
if current_rules.intrusion_prevention.rule_ids == None:
    current_rules.intrusion_prevention.rule_ids = rule_id

elif rule_id not in current_rules.intrusion_prevention.rule_ids:
    current_rules.intrusion_prevention.rule_ids.append(rule_id)

# Add the new and existing intrusion prevention rules to a policy
intrusion_prevention_policy_extension = api.IntrusionPreventionPolicyExtension()
intrusion_prevention_policy_extension.rule_ids = current_rules.intrusion_prevention.rule_ids
policy = api.Policy()
policy.intrusion_prevention = intrusion_prevention_policy_extension
JavaScript
View source
// Creates a policy that includes the Intrusion Prevention rules
// Rule is added to the currently assigned rules so they are not overwritten
const addRulesToPolicyObject = currentRules => {
  if (currentRules !== undefined) {
    currentRules.push(ruleID);
  } else {
    currentRules = [ruleID];
  }
  const intrusionPreventionPolicyExtension = new api.IntrusionPreventionPolicyExtension();
  intrusionPreventionPolicyExtension.ruleIDs = currentRules;

  const policy = new api.Policy();
  policy.intrusionPrevention = intrusionPreventionPolicyExtension;
  return policy;
};

getPolicy(computer.policyID)
  .then(policy => {
    const newPolicy = addRulesToPolicyObject(policy.intrusionPrevention.ruleIDs);
    resolve(sendPolicyToManager(computer.policyID, newPolicy));
  })
  .catch(error => {
    reject(error);
  });
Java
View source
// Get the current list of rules from the policy
List<Integer> currentRules = policiesApi.describePolicy(policyID, Boolean.FALSE, apiVersion).getIntrusionPrevention().getRuleIDs();

// Add the new and existing intrusion prevention rules to a policy
IntrusionPreventionPolicyExtension intrusionPreventionPolicyExtension = new IntrusionPreventionPolicyExtension();
intrusionPreventionPolicyExtension.setRuleIDs(currentRules);
intrusionPreventionPolicyExtension.addRuleIDsItem(ruleID);
Policy policy = new Policy();
policy.setIntrusionPrevention(intrusionPreventionPolicyExtension);

Also see the Modify a Policy operation in the API Reference. For information about authenticating API calls, see Authenticate with Deep Security Manager.