Fix Issue #311 - Extend Pull #312

Extend pull request #312 Fixes code issues and long report template Improve naming for folder and files
TheHive-Project · Feb 18, 2020 · 5fe0711 · 5fe0711
1 parent b89ee9d
commit 5fe0711
Show file tree

Hide file tree

Showing 5 changed files with 104 additions and 0 deletions.
diff --git a/analyzers/ClamAV/ClamAV_FileInfo.json b/analyzers/ClamAV/ClamAV_FileInfo.json
@@ -0,0 +1,13 @@
+{
+  "name": "ClamAV_FileInfo",
+  "version": "1.1",
+  "author": "Brian Laskowski",
+  "url": "https://github.com/Hestat/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Use Clamscan with custom rules",
+  "dataTypeList": ["file"],
+  "command": "ClamAV/pyclam_analyzer.py",
+  "baseConfig": "ClamAV"
+
+}
+
diff --git a/analyzers/ClamAV/pyclam_analyzer.py b/analyzers/ClamAV/pyclam_analyzer.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+from cortexutils.analyzer import Analyzer
+
+import os
+import pyclamd
+
+cd = pyclamd.ClamdUnixSocket()
+
+
+class ClamAnalyzer(Analyzer):
+
+    def __init__(self):
+        Analyzer.__init__(self)
+
+    def check(self, file: str) -> list:
+        """
+        Checks a given file against all available yara rules
+
+        :param file: Path to file
+        :returns: Python dictionary containing the results
+        """
+        match = cd.scan_file(file)
+        if match:
+            return match[file][1]
+        return None
+
+    # def summary(self, raw):
+    #    return raw
+    def summary(self, raw):
+        taxonomies = []
+        namespace = "Clamscan"
+        predicate = "Match"
+
+        if raw["results"]:
+            value = "{} rule matched".format(raw["results"])
+            level = "malicious"
+        else:
+            value = "No matched rules"
+            level = "safe"
+
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+        return {"taxonomies": taxonomies}
+
+    def run(self):
+        if self.data_type == "file":
+            self.report({"results": self.check(self.getParam("file"))})
+        else:
+            self.error("Wrong data type.")
+
+
+if __name__ == "__main__":
+    """This is necessary, because it is called from the CLI."""
+    ClamAnalyzer().run()
diff --git a/analyzers/ClamAV/requirements.txt b/analyzers/ClamAV/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+pyclamd
diff --git a/thehive-templates/ClamAV_1_0/long.html b/thehive-templates/ClamAV_1_0/long.html
@@ -0,0 +1,33 @@
+<div class="panel panel-danger" ng-if="success && content.results.length > 0">
+	<div class="panel-heading">
+		ClamAV Report
+	</div>
+	<div class="panel-body">
+		<dl class="dl-horizontal">
+			<dt>Match</dt>
+			<dd>{{content.results}}</dd>
+		</dl>
+	</div>
+</div>
+<div class="panel panel-success" ng-if="success && content.results.length == 0">
+	<div class="panel-heading">
+		ClamAV Report
+	</div>
+	<div class="panel-body">
+		<span>No matches.</span>
+	</div>
+</div>
+
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+    </div>
+    <div class="panel-body">
+    	<dl class="dl-horizontal" ng-if="content.errorMessage">
+            <dt><i class="fa fa-warning"></i> ClamAV : </dt>
+            <dd class="wrap">{{content.errorMessage}}</dd>
+        </dl>
+    </div>
+</div>
+
diff --git a/thehive-templates/ClamAV_1_0/short.html b/thehive-templates/ClamAV_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>