mirror of
https://github.com/valitydev/Cortex-Analyzers.git
synced 2024-11-06 09:05:19 +00:00
add templates and small fixes
This commit is contained in:
parent
964da3bf95
commit
73a2776427
BIN
analyzers/DomainMailSPFDMARC/assets/DomainMailSPFDMARC_long.png
Normal file
BIN
analyzers/DomainMailSPFDMARC/assets/DomainMailSPFDMARC_long.png
Normal file
BIN
analyzers/DomainMailSPFDMARC/assets/DomainMailSPFDMARC_short.png
Normal file
BIN
analyzers/DomainMailSPFDMARC/assets/DomainMailSPFDMARC_short.png
Normal file
71
analyzers/DomainMailSPFDMARC/domainMailSPFDMARC.py
Normal file → Executable file
71
analyzers/DomainMailSPFDMARC/domainMailSPFDMARC.py
Normal file → Executable file
@ -6,44 +6,43 @@ from cortexutils.analyzer import Analyzer
|
||||
import checkdmarc
|
||||
|
||||
class DomainMailSPFDMARC(Analyzer):
|
||||
def __init__(self):
|
||||
Analyzer.__init__(self)
|
||||
self.name = "DomainMailSPFDMARC"
|
||||
def summary(self, raw):
|
||||
taxonomies = []
|
||||
level = "malicious"
|
||||
level_s = "suspicious"
|
||||
level_sa = "safe"
|
||||
namespace = "DomainMailSPF_DMARC"
|
||||
predicate = "tag"
|
||||
def __init__(self):
|
||||
Analyzer.__init__(self)
|
||||
self.name = "DomainMailSPFDMARC"
|
||||
|
||||
if 'error' in raw['DomainMailSPFDMARC_info']['DomainMailSPFDMARC']['dmarc']:
|
||||
if 'error' in raw['DomainMailSPFDMARC_info']['DomainMailSPFDMARC']['spf']:
|
||||
taxonomies.append(self.build_taxonomy(level, namespace,"DMARC","no"))
|
||||
taxonomies.append(self.build_taxonomy(level, namespace,"SPF","no"))
|
||||
else:
|
||||
taxonomies.append(self.build_taxonomy(level_sa, namespace,"SPF","yes"))
|
||||
taxonomies.append(self.build_taxonomy(level_s, namespace,"DMARC","no"))
|
||||
else:
|
||||
if 'error' in raw['DomainMailSPFDMARC_info']['DomainMailSPFDMARC']['spf']:
|
||||
taxonomies.append(self.build_taxonomy(level_s, namespace,"SPF","no"))
|
||||
taxonomies.append(self.build_taxonomy(level_sa, namespace,"DMARC","yes"))
|
||||
else:
|
||||
taxonomies.append(self.build_taxonomy(level_sa, namespace,"SPF","yes"))
|
||||
taxonomies.append(self.build_taxonomy(level_sa, namespace,"DMARC","yes"))
|
||||
def summary(self, raw):
|
||||
taxonomies = []
|
||||
namespace = "DomainMailSPF_DMARC"
|
||||
|
||||
return {'taxonomies': taxonomies}
|
||||
def get_info(self, data):
|
||||
try:
|
||||
result = checkdmarc.check_domains(data.split())
|
||||
except ValueError:
|
||||
print("Explotioooooooo")
|
||||
return {"DomainMailSPFDMARC": dict(result)}
|
||||
if 'error' in raw['DomainMailSPFDMARC']['dmarc']:
|
||||
if 'error' in raw['DomainMailSPFDMARC']['spf']:
|
||||
taxonomies.append(self.build_taxonomy("malicious", namespace,"DMARC","no"))
|
||||
taxonomies.append(self.build_taxonomy("malicious", namespace,"SPF","no"))
|
||||
else:
|
||||
taxonomies.append(self.build_taxonomy("safe", namespace,"SPF","yes"))
|
||||
taxonomies.append(self.build_taxonomy("suspicious", namespace,"DMARC","no"))
|
||||
else:
|
||||
if 'error' in raw['DomainMailSPFDMARC']['spf']:
|
||||
taxonomies.append(self.build_taxonomy("suspicious", namespace,"SPF","no"))
|
||||
taxonomies.append(self.build_taxonomy("safe", namespace,"DMARC","yes"))
|
||||
else:
|
||||
taxonomies.append(self.build_taxonomy("safe", namespace,"SPF","yes"))
|
||||
taxonomies.append(self.build_taxonomy("safe", namespace,"DMARC","yes"))
|
||||
|
||||
def run(self):
|
||||
if self.data_type == 'domain' or self.data_type == 'fqdn':
|
||||
data = self.get_data()
|
||||
self.report({"DomainMailSPFDMARC_info": self.get_info(data)})
|
||||
return {'taxonomies': taxonomies}
|
||||
|
||||
def get_info(self, data):
|
||||
try:
|
||||
result = checkdmarc.check_domains(data.split())
|
||||
except Exception as e :
|
||||
self.error(e)
|
||||
return {"DomainMailSPFDMARC": dict(result)}
|
||||
|
||||
def run(self):
|
||||
if self.data_type == 'domain' or self.data_type == 'fqdn':
|
||||
self.report(self.get_info(self.get_data()))
|
||||
else:
|
||||
self.error('Data type not supported. Please use this analyzer with data types domain or fqdn.')
|
||||
|
||||
if __name__ == '__main__':
|
||||
DomainMailSPFDMARC().run()
|
||||
DomainMailSPFDMARC().run()
|
||||
|
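Review bot: In the new `get_info`, the `except Exception as e:` branch calls `self.error(e)` with the exception object itself; cortexutils' `error()` serialises its message into the JSON failure report, and an Exception instance is not JSON-serialisable, so the error path would itself fail — use `self.error(str(e))`. Should `error()` ever return instead of terminating the worker, the following `return {"DomainMailSPFDMARC": dict(result)}` would also hit an unbound `result`, so the return is better placed in the `try`'s `else:` branch. Separately, `checkdmarc.check_domains(data.split())` is handed a list: if the observable contains whitespace, several domains are queried and checkdmarc may return a list rather than a single mapping, which `dict(result)` would reject — either strip to one domain or state in a comment that exactly one domain is expected. In `run`, `self.data_type in ('domain', 'fqdn')` reads better than the two comparisons.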
@ -12,5 +12,19 @@
|
||||
"service": "get"
|
||||
},
|
||||
"configurationItems": [
|
||||
],
|
||||
"registration_required": false,
|
||||
"subscription_required": false,
|
||||
"free_subscription": false,
|
||||
"screenshots": [
|
||||
{
|
||||
"path": "assets/DomainMailSPFDMARC_long.png",
|
||||
"caption": "DomainMailSPFDMARC long report sample"
|
||||
},
|
||||
{
|
||||
"path": "assets/DomainMailSPFDMARC_short.png",
|
||||
"caption:": "DomainMailSPFDMARC mini report sample"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
|
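Review bot: The second screenshot entry uses the key `"caption:"` (stray colon inside the quoted key) where the first entry uses `"caption"`, so any consumer reading the `caption` field will not see the mini-report caption; change the line to `"caption": "DomainMailSPFDMARC mini report sample"`. No file header is rendered for this hunk, so the file path is not visible here, but the `configurationItems` and `screenshots` fields suggest it is the analyzer's JSON descriptor.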
105
thehive-templates/DomainMailSPFDMARC_1_1/long.html
Normal file
105
thehive-templates/DomainMailSPFDMARC_1_1/long.html
Normal file
@ -0,0 +1,105 @@
|
||||
<div class="panel panel-info" ng-if="success">
|
||||
<div class="panel-heading">
|
||||
DomainMailSPF_DMARC information for <strong>{{artifact.data}}</strong>
|
||||
</div>
|
||||
<div class="panel-body">
|
||||
<div>
|
||||
<dl class="dl-horizontal">
|
||||
<dt class="text-bold">Domain</dt>
|
||||
<dd>{{content.DomainMailSPFDMARC.domain}}</dd>
|
||||
</dl>
|
||||
<dl class="dl-horizontal">
|
||||
<dt class="text-bold">Base domain</dt>
|
||||
<dd>{{content.DomainMailSPFDMARC.base_domain}}</dd>
|
||||
</dl>
|
||||
<dl class="dl-horizontal">
|
||||
<dt class="text-bold">dnssec</dt>
|
||||
<dd>{{content.DomainMailSPFDMARC.dnssec}}</dd>
|
||||
</dl>
|
||||
<dl class="dl-horizontal" ng-if="content.DomainMailSPFDMARC.ns.hostnames.length > 0">
|
||||
<dt class="text-bold">[NS] Hostnames</dt>
|
||||
<dd>{{content.DomainMailSPFDMARC.ns.hostnames.join(', ') }}</dd>
|
||||
</dl>
|
||||
<dl class="dl-horizontal" ng-if="content.DomainMailSPFDMARC.ns.warnings.length > 0">
|
||||
<dt class="text-bold">[NS] Warnings</dt>
|
||||
<dd>{{content.DomainMailSPFDMARC.ns.warnings.join('\n') }}</dd>
|
||||
</dl>
|
||||
|
||||
<dl class="dl-horizontal" ng-if="content.DomainMailSPFDMARC.mx.hosts.length > 0">
|
||||
<dt class="text-bold">[MX] Hosts</dt>
|
||||
<dd>{{content.DomainMailSPFDMARC.mx.hosts.join(', ') }}</dd>
|
||||
</dl>
|
||||
<dl class="dl-horizontal" ng-if="content.DomainMailSPFDMARC.mx.warnings.length > 0">
|
||||
<dt class="text-bold">[MX] Warnings</dt>
|
||||
<dd>{{content.DomainMailSPFDMARC.mx.warnings.join('\n')}}</dd>
|
||||
</dl>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="panel panel-info" ng-if="success">
|
||||
<div class="panel-heading">
|
||||
SPF
|
||||
</div>
|
||||
<div class="panel-body">
|
||||
<div>
|
||||
<dl class="dl-horizontal">
|
||||
<dt>Record</dt>
|
||||
<dd>{{content.DomainMailSPFDMARC.spf.record}}</dd>
|
||||
</dl>
|
||||
<dl class="dl-horizontal">
|
||||
<dt>Valid</dt>
|
||||
<dd>{{content.DomainMailSPFDMARC.spf.valid}}</dd>
|
||||
</dl>
|
||||
<dl class="dl-horizontal">
|
||||
<dt>Error</dt>
|
||||
<dd>{{content.DomainMailSPFDMARC.spf.error}}</dd>
|
||||
</dl>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="panel panel-info" ng-if="success">
|
||||
<div class="panel-heading">
|
||||
DMARK
|
||||
</div>
|
||||
<div class="panel-body">
|
||||
<div>
|
||||
<h4 >Info</h4>
|
||||
<dl class="dl-horizontal">
|
||||
<dt>Record</dt>
|
||||
<dd>{{content.DomainMailSPFDMARC.dmarc.record}}</dd>
|
||||
</dl>
|
||||
<dl class="dl-horizontal">
|
||||
<dt>Valid</dt>
|
||||
<dd>{{content.DomainMailSPFDMARC.dmarc.valid}}</dd>
|
||||
</dl>
|
||||
<dl class="dl-horizontal">
|
||||
<dt>Error</dt>
|
||||
<dd>{{content.DomainMailSPFDMARC.dmarc.error}}</dd>
|
||||
</dl>
|
||||
<dl class="dl-horizontal">
|
||||
<dt>Location</dt>
|
||||
<dd>{{content.DomainMailSPFDMARC.dmarc.location}}</dd>
|
||||
</dl>
|
||||
<dl class="dl-horizontal" ng-if="content.DomainMailSPFDMARC.dmarc.warnings.length > 0">
|
||||
<dt class="text-bold">Warnings</dt>
|
||||
<dd>{{content.DomainMailSPFDMARC.dmarc.warnings.join('\n')}}</dd>
|
||||
</dl>
|
||||
<hr>
|
||||
<h4 >Tags</h4>
|
||||
<dl class="dl-horizontal" ng-repeat="(tag, value) in content.DomainMailSPFDMARC.dmarc.tags">
|
||||
<dt>{{tag}}</dt>
|
||||
<dd>{{value.value}} <span ng-if="value.explicit">[Explicit]</span></dd>
|
||||
</dl>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- General error -->
|
||||
<div class="panel panel-danger" ng-if="!success">
|
||||
<div class="panel-heading">
|
||||
<strong>{{artifact.data | fang}}</strong>
|
||||
</div>
|
||||
<div class="panel-body">
|
||||
{{content.errorMessage}}
|
||||
</div>
|
||||
</div>
|
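Review bot: The first panel heading renders `{{artifact.data}}` unfiltered while the error panel at the end of the file renders `{{artifact.data | fang}}`; the observable is a domain and should be defanged consistently so it is not displayed in live form in the report — `DomainMailSPF_DMARC information for <strong>{{artifact.data | fang}}</strong>`. The third panel heading reads `DMARK`; it should be `DMARC` to match the record it shows. The NS, MX and DMARC warning lists are joined with `'\n'`, which HTML collapses to a single space inside a `<dd>`, so either join with `', '` or give the `<dd>` a `white-space: pre-line` style so the separator is actually visible.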
3
thehive-templates/DomainMailSPFDMARC_1_1/short.html
Executable file
3
thehive-templates/DomainMailSPFDMARC_1_1/short.html
Executable file
@ -0,0 +1,3 @@
|
||||
<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
|
||||
{{t.namespace}}:{{t.predicate}}="{{t.value}}"
|
||||
</span>
|