Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AbuseIPDB analyzer creation #353

Closed
mlodic opened this issue Oct 11, 2018 · 15 comments
Closed

AbuseIPDB analyzer creation #353

mlodic opened this issue Oct 11, 2018 · 15 comments
Assignees
@3c7
Labels
category:enhancement Issue is related to an existing feature to improve category:new-analyzer New analyzer submitted status:in progress status:merged status:needs-template Analyzer still needs a template for TheHive
Milestone
1.16.0

Comments

@mlodic
Copy link

mlodic commented Oct 11, 2018

Request Type

Analyzer

Description

AbuseIPDB analyzer to determine whether an IP was reported or not as malicious by AbuseIPDB -> https://www.abuseipdb.com/

Possible Solutions

I'm working on the creation of the analyzer
@3c7 3c7 added category:enhancement Issue is related to an existing feature to improve scope:analyzer Issue is analyzer related status:in progress labels Oct 17, 2018
@ilyaglow
Copy link
Contributor

Any updates? That would be a great addition.

@mlodic mlodic mentioned this issue Jan 3, 2019
Merged
@mlodic
Copy link
Author

mlodic commented Jan 3, 2019

Sorry for coming late, I have just sent a pull request few moments ago #400

@Tux-Panik
Copy link

Oh shit... I was working on it :-/

@Tux-Panik
Copy link

Tux-Panik commented Jan 4, 2019
edited
Loading

@mlodic,
I just tested your code and it doesn't work on my side.
I reach the following "failure" status in Cortex:

{
  "errorMessage": "Invalid output\n",
  "input": null,
  "success": false
}

Do it works for you?

Moreover, would it be relevant to play with the "abuseConfidenceScore" filed present in the output to improve the Analyzer's answer?

@nadouani
Copy link
Contributor

nadouani commented Jan 4, 2019

@mlodic yes, I think that the logging statements is the reason why the analyzer output is not a valid json.

@mlodic
Copy link
Author

mlodic commented Jan 4, 2019

I have just pushed a little change to improve error handling cases, tell me if it's better now.

About the "abuseConfidenceScore", I think that it should not change the "summary" result in any way. You risk to miss interesting reports if you set a threshold. Most people who send reports to AbuseIPDB does not move that score at all.
However that is questionable: for this reason, that field is available in the "full" section. This means that, if you want, you can take advantage of that field to perform further processing.

@Tux-Panik
Copy link

I'm sorry, I can't see any change.
Latest commit 'e13f956d49f3c45ed28b593156626f2b7492f372' 1 day ago...

Thanks for your feedback,
Regards,
Julien

@mlodic
Copy link
Author

mlodic commented Jan 4, 2019
edited
Loading

I don't know where you get that hash, go through this pull request #400

@Tux-Panik
Copy link

I directly went to the forked repository:
https://github.com/mlodic/Cortex-Analyzers/tree/master/analyzers/AbuseIPDB

However, using the PR #400 (here) I still have the same issue:

{
  "errorMessage": "Invalid output\n",
  "input": null,
  "success": false
}

Let me know if you need additinal tests!
Thanks,
Regards,

@mlodic
Copy link
Author

mlodic commented Jan 4, 2019

My commits are in the "develop" branch, not in the "master", that was the cause you didn't reach changes.

Could you provide some context on your error message, because on my side I cannot replicate your issue. Try/except clauses should manage all cases.

If you can, try this commit a20ce52f683acd67705743c13aca431944a40c81 and let me know.
Thanks

@Tux-Panik
Copy link

OK, I'll try this change: https://github.com/TheHive-Project/Cortex-Analyzers/tree/a20ce52f683acd67705743c13aca431944a40c81/analyzers/AbuseIPDB

and I let you know.
Thanks.

@Tux-Panik
Copy link

Dear,
As promise, below a feedback:

  • Cortex version: 2.1.3-1 (Docker)
  • python3 version: Python 3.4.9
  • pwd: /opt/cortex/Cortex-Analyzers/analyzers/AbuseIPDB
  • hash values: md5sum *
    cbea15927277b6f6b2a401bbdf9f25ab AbuseIPDB.json
    9ecf5e8e50a9a93091c1d1229f5cf5b7 abuseipdb.py
    57bf4fd7812a6a5f58a16db373c64c43 requirements.txt

image

image

It works!

image

Thanks and congratulations...
Regards,

@mlodic
Copy link
Author

mlodic commented Jan 7, 2019

Thanks for your help!

@Tux-Panik
Copy link

@nadouani Any chance to add this new analyzer to the existing ones?
Thanks.

@saadkadhi saadkadhi added this to the 1.16.0 milestone Feb 11, 2019
@3c7 3c7 self-assigned this Feb 13, 2019
@3c7 3c7 added status:merged status:needs-template Analyzer still needs a template for TheHive category:new-analyzer New analyzer submitted and removed scope:analyzer Issue is analyzer related labels Feb 13, 2019
@jeromeleonard
Copy link
Contributor

template is ready, see #425

jeromeleonard added a commit that referenced this issue Mar 23, 2019
@jeromeleonard
#425 #353 fix report template and add table for reports
0e26be6
jeromeleonard added a commit that referenced this issue Mar 23, 2019
@jeromeleonard
#425 #353 fix number of values = 0 in summary()
a762315
jeromeleonard added a commit that referenced this issue Mar 23, 2019
@jeromeleonard
#425 #353 fix order of ISO Code and Country
467304a
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@3c7 3c7

Labels
category:enhancement Issue is related to an existing feature to improve category:new-analyzer New analyzer submitted status:in progress status:merged status:needs-template Analyzer still needs a template for TheHive
Projects
None yet
Milestone
1.16.0
Development

No branches or pull requests
7 participants
@nadouani @ilyaglow @3c7 @saadkadhi @jeromeleonard @Tux-Panik @mlodic