Cortex-Analyzers/analyzers/VirusTotal/virustotal.py

#!/usr/bin/env python
# encoding: utf-8
import sys
import os
import json
import codecs
import time
import hashlib

from virustotal_api import PublicApi as VirusTotalPublicApi
#from virus_total_apis import PublicApi as VirusTotalPublicApi
from cortexutils.analyzer import Analyzer


class VirusTotalAnalyzer(Analyzer):

    def __init__(self):
        Analyzer.__init__(self)
        self.service = self.getParam('config.service', None, 'Service parameter is missing')
        self.virustotal_key = self.getParam('config.key', None, 'Missing VirusTotal API key')
        self.polling_interval = self.getParam('config.polling_interval', 60)
        self.proxies = self.getParam('config.proxy', None)


    def wait_file_report(self, id):
        results = self.check_response(self.vt.get_file_report(id))
        code = results.get('response_code', None)
        if code == 1:
            self.report(results)
        else:
            time.sleep(self.polling_interval)
            self.wait_file_report(id)

    def wait_url_report(self, id):
        results = self.check_response(self.vt.get_url_report(id))
        code = results.get('response_code', None)
        if code == 1 and (results.get('scan_id') == id):
            self.report(results)
        else:
            time.sleep(self.polling_interval)
            self.wait_url_report(id)

    def check_response(self, response):
        if type(response) is not dict:
            self.error('Bad response : ' + str(response))
        status = response.get('response_code', -1)
        if status == 204:
            self.error('VirusTotal api rate limit exceeded (Status 204).')
        if status != 200:
            self.error('Bad status : ' + str(status))
        results = response.get('results', {})
        if 'verbose_msg' in results:
            print >> sys.stderr, str(results.get('verbose_msg'))
        return results

        # 0 => not found
        # -2 => in queue
        # 1 => ready

    def read_scan_response(self, response, func):
        results = self.check_response(response)
        code = results.get('response_code', None)
        scan_id = results.get('scan_id', None)
        if code == 1 and scan_id is not None:
            func(scan_id)
        else:
            self.error('Scan not found')

    def summary(self, raw):
        taxonomies = []
        level = "info"
        namespace = "VT"
        predicate = "Score"
        value = "\"0\""

        result = {
            "has_result": True
        }

        if(raw["response_code"] != 1):
            result["has_result"] = False

        result["positives"] = raw.get("positives", 0)
        result["total"] = raw.get("total", 0)

        if("scan_date" in raw):
            result["scan_date"] = raw["scan_date"]

        if self.service == "get":
            if("scans" in raw):
                result["scans"] = len(raw["scans"])
                value = "\"{}/{}\"".format(result["positives"], result["total"])
                if result["positives"] == 0:
                    level = "safe"
                elif result["positives"] < 5:
                    level = "suspicious"
                else:
                    level = "malicious"

            if("resolutions" in raw):
                result["resolutions"] = len(raw["resolutions"])
                value = "\"{} resolution(s)\"".format(result["resolutions"])
                if result["resolutions"] == 0:
                    level = "safe"
                elif result["resolutions"] < 5:
                    level = "suspicious"
                else:
                    level = "malicious"
            if("detected_urls" in raw):
                result["detected_urls"] = len(raw["detected_urls"])
                value = "\"{} detected_url(s)\"".format(result["detected_urls"])
                if result["detected_urls"] == 0:
                    level = "safe"
                elif result["detected_urls"] < 5:
                    level = "suspicious"
                else:
                    level = "malicious"

            if("detected_downloaded_samples" in raw):
                result["detected_downloaded_samples"] = len(
                    raw["detected_downloaded_samples"])

        if self.service == "scan":
            if("scans" in raw):
                result["scans"] = len(raw["scans"])
                value = "\"{}/{}\"".format(result["positives"], result["total"])
                if result["positives"] == 0:
                    level = "safe"
                elif result["positives"] < 5:
                    level = "suspicious"
                else:
                    level = "malicious"

        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
        return {"taxonomies": taxonomies}

    def run(self):
        Analyzer.run(self)
        self.vt = VirusTotalPublicApi(self.virustotal_key, self.proxies)

        if self.service == 'scan':
            if self.data_type == 'file':
                filename = self.getParam('filename', 'noname.ext')
                filepath = self.getParam('file', None, 'File is missing')
                self.read_scan_response(self.vt.scan_file(
                    (filename, open(filepath, 'rb'))), self.wait_file_report)
            elif self.data_type == 'url':
                data = self.getParam('data', None, 'Data is missing')
                self.read_scan_response(
                    self.vt.scan_url(data), self.wait_url_report)
            else:
                self.error('Invalid data type')
        elif self.service == 'get':
            if self.data_type == 'domain':
                data = self.getParam('data', None, 'Data is missing')
                self.report(self.check_response(
                    self.vt.get_domain_report(data)))
            elif self.data_type == 'ip':
                data = self.getParam('data', None, 'Data is missing')
                self.report(self.check_response(self.vt.get_ip_report(data)))
            elif self.data_type == 'file':

                hashes = self.getParam('attachment.hashes',
                                    None)
                if hashes is None:
                    filepath = self.getParam('file', None, 'File is missing')
                    hash = hashlib.sha256(open(filepath, 'r').read()).hexdigest();
                else:
                # find SHA256 hash
                    hash = next(h for h in hashes if len(h) == 64)

                self.report(self.check_response(self.vt.get_file_report(hash)))

            elif self.data_type == 'hash':
                data = self.getParam('data', None, 'Data is missing')
                self.report(self.check_response(self.vt.get_file_report(data)))
            else:
                self.error('Invalid data type')
        else:
            self.error('Invalid service')


if __name__ == '__main__':
    VirusTotalAnalyzer().run()
First commit 2017-01-10 13:24:21 +00:00			`#!/usr/bin/env python`
			`# encoding: utf-8`
			`import sys`
			`import os`
			`import json`
			`import codecs`
			`import time`
#9 compute file hash if no hash is given with the file 2017-02-17 06:28:30 +00:00			`import hashlib`
First commit 2017-01-10 13:24:21 +00:00
			`from virustotal_api import PublicApi as VirusTotalPublicApi`
#130 - set and call VT API with configured proxies 2017-12-21 07:08:52 +00:00			`#from virus_total_apis import PublicApi as VirusTotalPublicApi`
First commit 2017-01-10 13:24:21 +00:00			`from cortexutils.analyzer import Analyzer`


			`class VirusTotalAnalyzer(Analyzer):`

			`def __init__(self):`
			`Analyzer.__init__(self)`
#42 Set the VT polling interval to 60 seconds by default 2017-04-21 15:38:30 +00:00			`self.service = self.getParam('config.service', None, 'Service parameter is missing')`
			`self.virustotal_key = self.getParam('config.key', None, 'Missing VirusTotal API key')`
			`self.polling_interval = self.getParam('config.polling_interval', 60)`
#130 - set and call VT API with configured proxies 2017-12-21 07:08:52 +00:00			`self.proxies = self.getParam('config.proxy', None)`

First commit 2017-01-10 13:24:21 +00:00
			`def wait_file_report(self, id):`
			`results = self.check_response(self.vt.get_file_report(id))`
			`code = results.get('response_code', None)`
			`if code == 1:`
			`self.report(results)`
			`else:`
#42 Set the VT polling interval to 60 seconds by default 2017-04-21 15:38:30 +00:00			`time.sleep(self.polling_interval)`
First commit 2017-01-10 13:24:21 +00:00			`self.wait_file_report(id)`

			`def wait_url_report(self, id):`
			`results = self.check_response(self.vt.get_url_report(id))`
			`code = results.get('response_code', None)`
#93 ensure to wait for the current scan report - if report exist, give the last available one even if a scan has been asked and is in progress 2017-10-26 16:14:40 +00:00			`if code == 1 and (results.get('scan_id') == id):`
First commit 2017-01-10 13:24:21 +00:00			`self.report(results)`
			`else:`
#42 Set the VT polling interval to 60 seconds by default 2017-04-21 15:38:30 +00:00			`time.sleep(self.polling_interval)`
First commit 2017-01-10 13:24:21 +00:00			`self.wait_url_report(id)`

			`def check_response(self, response):`
			`if type(response) is not dict:`
			`self.error('Bad response : ' + str(response))`
			`status = response.get('response_code', -1)`
Added rate limit message 2017-04-13 12:09:29 +00:00			`if status == 204:`
			`self.error('VirusTotal api rate limit exceeded (Status 204).')`
First commit 2017-01-10 13:24:21 +00:00			`if status != 200:`
			`self.error('Bad status : ' + str(status))`
			`results = response.get('results', {})`
			`if 'verbose_msg' in results:`
			`print >> sys.stderr, str(results.get('verbose_msg'))`
			`return results`

			`# 0 => not found`
			`# -2 => in queue`
			`# 1 => ready`

			`def read_scan_response(self, response, func):`
			`results = self.check_response(response)`
			`code = results.get('response_code', None)`
			`scan_id = results.get('scan_id', None)`
			`if code == 1 and scan_id is not None:`
			`func(scan_id)`
			`else:`
			`self.error('Scan not found')`

			`def summary(self, raw):`
#56 VirusTotal() and short reports + bump version 2017-06-20 16:52:07 +00:00			`taxonomies = []`
#66 use build_taxonomy() for summary() in analyzers 2017-06-27 12:05:56 +00:00			`level = "info"`
			`namespace = "VT"`
			`predicate = "Score"`
			`value = "\"0\""`
#56 VirusTotal() and short reports + bump version 2017-06-20 16:52:07 +00:00
First commit 2017-01-10 13:24:21 +00:00			`result = {`
			`"has_result": True`
			`}`

			`if(raw["response_code"] != 1):`
			`result["has_result"] = False`

			`result["positives"] = raw.get("positives", 0)`
			`result["total"] = raw.get("total", 0)`

			`if("scan_date" in raw):`
			`result["scan_date"] = raw["scan_date"]`

			`if self.service == "get":`
			`if("scans" in raw):`
			`result["scans"] = len(raw["scans"])`
#66 use build_taxonomy() for summary() in analyzers 2017-06-27 12:05:56 +00:00			`value = "\"{}/{}\"".format(result["positives"], result["total"])`
#56 fix multiple bugs 2017-06-23 14:37:07 +00:00			`if result["positives"] == 0:`
#66 use build_taxonomy() for summary() in analyzers 2017-06-27 12:05:56 +00:00			`level = "safe"`
#56 fix multiple bugs 2017-06-23 14:37:07 +00:00			`elif result["positives"] < 5:`
#66 use build_taxonomy() for summary() in analyzers 2017-06-27 12:05:56 +00:00			`level = "suspicious"`
#56 fix multiple bugs 2017-06-23 14:37:07 +00:00			`else:`
#66 use build_taxonomy() for summary() in analyzers 2017-06-27 12:05:56 +00:00			`level = "malicious"`
First commit 2017-01-10 13:24:21 +00:00
			`if("resolutions" in raw):`
			`result["resolutions"] = len(raw["resolutions"])`
#66 use build_taxonomy() for summary() in analyzers 2017-06-27 12:05:56 +00:00			`value = "\"{} resolution(s)\"".format(result["resolutions"])`
#56 fix multiple bugs 2017-06-23 14:37:07 +00:00			`if result["resolutions"] == 0:`
#66 use build_taxonomy() for summary() in analyzers 2017-06-27 12:05:56 +00:00			`level = "safe"`
#56 fix multiple bugs 2017-06-23 14:37:07 +00:00			`elif result["resolutions"] < 5:`
#66 use build_taxonomy() for summary() in analyzers 2017-06-27 12:05:56 +00:00			`level = "suspicious"`
#56 fix multiple bugs 2017-06-23 14:37:07 +00:00			`else:`
#66 use build_taxonomy() for summary() in analyzers 2017-06-27 12:05:56 +00:00			`level = "malicious"`
First commit 2017-01-10 13:24:21 +00:00			`if("detected_urls" in raw):`
			`result["detected_urls"] = len(raw["detected_urls"])`
#66 use build_taxonomy() for summary() in analyzers 2017-06-27 12:05:56 +00:00			`value = "\"{} detected_url(s)\"".format(result["detected_urls"])`
#56 fix multiple bugs 2017-06-23 14:37:07 +00:00			`if result["detected_urls"] == 0:`
#66 use build_taxonomy() for summary() in analyzers 2017-06-27 12:05:56 +00:00			`level = "safe"`
#56 fix multiple bugs 2017-06-23 14:37:07 +00:00			`elif result["detected_urls"] < 5:`
#66 use build_taxonomy() for summary() in analyzers 2017-06-27 12:05:56 +00:00			`level = "suspicious"`
#56 fix multiple bugs 2017-06-23 14:37:07 +00:00			`else:`
#66 use build_taxonomy() for summary() in analyzers 2017-06-27 12:05:56 +00:00			`level = "malicious"`
First commit 2017-01-10 13:24:21 +00:00
			`if("detected_downloaded_samples" in raw):`
			`result["detected_downloaded_samples"] = len(`
			`raw["detected_downloaded_samples"])`

#74 fix short report for scan service 2017-07-13 07:01:52 +00:00			`if self.service == "scan":`
			`if("scans" in raw):`
			`result["scans"] = len(raw["scans"])`
			`value = "\"{}/{}\"".format(result["positives"], result["total"])`
			`if result["positives"] == 0:`
			`level = "safe"`
			`elif result["positives"] < 5:`
			`level = "suspicious"`
			`else:`
			`level = "malicious"`
#56 VirusTotal() and short reports + bump version 2017-06-20 16:52:07 +00:00
#66 use build_taxonomy() for summary() in analyzers 2017-06-27 12:05:56 +00:00			`taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))`
			`return {"taxonomies": taxonomies}`
First commit 2017-01-10 13:24:21 +00:00
			`def run(self):`
			`Analyzer.run(self)`
#130 - set and call VT API with configured proxies 2017-12-21 07:08:52 +00:00			`self.vt = VirusTotalPublicApi(self.virustotal_key, self.proxies)`
First commit 2017-01-10 13:24:21 +00:00
			`if self.service == 'scan':`
			`if self.data_type == 'file':`
Fix getting filenames in analyzers (#140) 2017-12-13 12:33:07 +00:00			`filename = self.getParam('filename', 'noname.ext')`
First commit 2017-01-10 13:24:21 +00:00			`filepath = self.getParam('file', None, 'File is missing')`
			`self.read_scan_response(self.vt.scan_file(`
			`(filename, open(filepath, 'rb'))), self.wait_file_report)`
			`elif self.data_type == 'url':`
			`data = self.getParam('data', None, 'Data is missing')`
			`self.read_scan_response(`
			`self.vt.scan_url(data), self.wait_url_report)`
			`else:`
			`self.error('Invalid data type')`
			`elif self.service == 'get':`
			`if self.data_type == 'domain':`
			`data = self.getParam('data', None, 'Data is missing')`
			`self.report(self.check_response(`
			`self.vt.get_domain_report(data)))`
			`elif self.data_type == 'ip':`
			`data = self.getParam('data', None, 'Data is missing')`
			`self.report(self.check_response(self.vt.get_ip_report(data)))`
			`elif self.data_type == 'file':`
#9 compute file hash if no hash is given with the file 2017-02-17 06:28:30 +00:00
First commit 2017-01-10 13:24:21 +00:00			`hashes = self.getParam('attachment.hashes',`
#9 compute file hash if no hash is given with the file 2017-02-17 06:28:30 +00:00			`None)`
			`if hashes is None:`
			`filepath = self.getParam('file', None, 'File is missing')`
			`hash = hashlib.sha256(open(filepath, 'r').read()).hexdigest();`
			`else:`
First commit 2017-01-10 13:24:21 +00:00			`# find SHA256 hash`
#9 compute file hash if no hash is given with the file 2017-02-17 06:28:30 +00:00			`hash = next(h for h in hashes if len(h) == 64)`

First commit 2017-01-10 13:24:21 +00:00			`self.report(self.check_response(self.vt.get_file_report(hash)))`
#9 compute file hash if no hash is given with the file 2017-02-17 06:28:30 +00:00
First commit 2017-01-10 13:24:21 +00:00			`elif self.data_type == 'hash':`
			`data = self.getParam('data', None, 'Data is missing')`
			`self.report(self.check_response(self.vt.get_file_report(data)))`
			`else:`
			`self.error('Invalid data type')`
			`else:`
			`self.error('Invalid service')`


			`if __name__ == '__main__':`
			`VirusTotalAnalyzer().run()`