valitydev/Cortex-Analyzers
14
0
Fork 0
mirror of https://github.com/valitydev/Cortex-Analyzers.git synced 2024-11-06 09:05:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fixes #258: Merge remote-tracking branch 'ant1/fixetmalwareinfo' into release/1.10.0

Browse Source
This commit is contained in:
Nils Kuhnert 2018-06-04 11:00:05 +02:00
commit 4d9332b59d
No known key found for this signature in database
GPG Key ID: 3591DD5B3103ED50
4 changed files with 55 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
analyzers/EmergingThreats/EmergingThreats_DomainInfo.json
View File

@ -5,7 +5,7 @@
"url": "https://github.com/dadokkio/Cortex-Analyzers",
"license": "AGPL-V3",
"description": "Retrieve ET reputation, related malware, and IDS requests for a given domain.",
"dataTypeList": ["domain"],
"dataTypeList": ["domain", "fqdn"],
"command": "EmergingThreats/emergingthreats_analyzer.py",
"baseConfig": "EmergingThreats",
"configurationItems": [

2
analyzers/EmergingThreats/EmergingThreats_MalwareInfo.json
View File

@ -5,7 +5,7 @@
"url": "https://github.com/dadokkio/Cortex-Analyzers",
"license": "AGPL-V3",
"description": "Retrieve ET details and info related to a malware hash.",
"dataTypeList": ["hash"],
"dataTypeList": ["file", "hash"],
"command": "EmergingThreats/emergingthreats_analyzer.py",
"baseConfig": "EmergingThreats",
"configurationItems": [

23
analyzers/EmergingThreats/emergingthreats_analyzer.py
View File

@ -3,6 +3,7 @@
from cortexutils.analyzer import Analyzer
import hashlib
import requests
import time
@ -59,8 +60,10 @@ class EmergingThreatsAnalyzer(Analyzer):
Analyzer.run(self)
info = {}
try:
object_name = self.get_data()
if self.data_type == 'domain':
if self.data_type != 'file':
object_name = self.get_data()
if self.data_type in ['domain', 'fqdn']:
url = "https://api.emergingthreats.net/v1/domains/"
features = {'reputation', 'urls', 'samples', 'ips', 'events', 'nameservers', 'whois', 'geoloc'}
@ -68,9 +71,21 @@ class EmergingThreatsAnalyzer(Analyzer):
url = "https://api.emergingthreats.net/v1/ips/"
features = {'reputation', 'urls', 'samples', 'domains', 'events', 'geoloc'}
elif self.data_type == 'malware':
elif self.data_type == 'hash':
url = "https://api.emergingthreats.net/v1/samples/"
features = {'', 'connections', 'dns', 'events'}
features = {'', 'connections', 'dns', 'http', 'events'}
elif self.data_type == 'file':
url = "https://api.emergingthreats.net/v1/samples/"
features = {'', 'connections', 'dns', 'http', 'events'}
hashes = self.get_param('attachment.hashes', None)
if hashes is None:
filepath = self.get_param('file', None, 'File is missing')
object_name = hashlib.md5(open(filepath, 'r').read()).hexdigest()
else:
# find MD5 hash
object_name = next(h for h in hashes if len(h) == 32)
else:
self.error('Invalid data type !')

34
thehive-templates/EmergingThreats_MalwareInfo_1_0/long.html
View File

@ -88,6 +88,40 @@
</div>
</div>
<div class="panel panel-info" ng-if="content.http && content.http != '-' && content.http != 'Error'">
<div class="panel-heading">
<strong>Http</strong>
</div>
<div class="panel-body">
<table class="table table-hover">
<tr>
<th>Source</th>
<th>Date</th>
<th>Domain</th>
<th>Source ip</th>
<th>Destination ip</th>
<th>Source port</th>
<th>Destination port</th>
<th>Method</th>
<th>Url</th>
<th>User agent</th>
</tr>
<tr ng-repeat="http in content.http track by $index">
<td>{{ http.source }}</td>
<td>{{ http.date }}</td>
<td>{{ http.domain }}</td>
<td>{{ http.source_ip }}</td>
<td>{{ http.destination_ip }}</td>
<td>{{ http.source_port }}</td>
<td>{{ http.destination_port }}</td>
<td>{{ http.method }}</td>
<td>{{ http.url }}</td>
<td>{{ http.user_agent }}</td>
</tr>
</table>
</div>
</div>
<div class="panel panel-info" ng-if="content.connections && content.connections != '-' && content.connections != 'Error'">
<div class="panel-heading">
<strong>Connections</strong>