Tor blutmagie #139

Merged
merged 13 commits into from
Dec 18, 2017
Conversation

srilumpa
Contributor

As for PR #138, this PR aims to offer a solution to issue #45 with an analyzer extracting data from torstatus.blutmagie.de to check if an artifact is linked to a Tor node. The artifact can be an IP address, a FQDN or a domain.

I documented both of the classes, but if you need more advanced documentation, please tell me. Also, I hope I coped with your coding standards. If not, tell me so I can fix it.

As for #138, there is a caching system in place.

@saadkadhi saadkadhi added scope:analyzer Issue is analyzer related category:feature-request Issue is related to a feature request status:pr-submitted labels Dec 13, 2017
@jeromeleonard jeromeleonard added this to the 1.8.0 milestone Dec 14, 2017
@3c7
Contributor

3c7 commented Dec 15, 2017

Thanks for the fast response. Caching works great.

  • Python3 compatibility
  • Caching
  • Shell test
(TorBlutmagie) ➜  TorBlutmagie git:(TorBlutmagie) ✗ ./tor_blutmagie_analyzer.py <<< '{
"dataType": "ip",
"data": "134.119.3.2"
}' | jq
{
  "success": true,
  "summary": {
    "taxonomies": [
      {
        "level": "suspicious",
        "namespace": "TorBlutmagie",
        "predicate": "Node",
        "value": "1 node"
      }
    ]
  },
  "artifacts": [
    {
      "type": "fqdn",
      "value": "j72505.servers.jiffybox.net"
    },
    {
      "type": "ip",
      "value": "134.119.3.2"
    }
  ],
  "full": {
    "nodes": [
      {
        "hostname": "j72505.servers.jiffybox.net",
        "name": "Zwiebel2",
        "country_code": "DE",
        "ip": "134.119.3.2",
        "as_name": "HOSTEUROPE-AS- DE",
        "as_number": "20773"
      }
    ]
  }
}
(TorBlutmagie) ➜  TorBlutmagie git:(TorBlutmagie) ✗ ./tor_blutmagie_analyzer.py <<< '{
"dataType": "fqdn",
"data": "j72505.servers.jiffybox.net"
}' | jq
{
  "success": true,
  "summary": {
    "taxonomies": [
      {
        "level": "suspicious",
        "namespace": "TorBlutmagie",
        "predicate": "Node",
        "value": "1 node"
      }
    ]
  },
  "artifacts": [
    {
      "type": "fqdn",
      "value": "j72505.servers.jiffybox.net"
    },
    {
      "type": "ip",
      "value": "134.119.3.2"
    }
  ],
  "full": {
    "nodes": [
      {
        "hostname": "j72505.servers.jiffybox.net",
        "name": "Zwiebel2",
        "country_code": "DE",
        "ip": "134.119.3.2",
        "as_name": "HOSTEUROPE-AS- DE",
        "as_number": "20773"
      }
    ]
  }
}
(TorBlutmagie) ➜  TorBlutmagie git:(TorBlutmagie) ✗ ./tor_blutmagie_analyzer.py <<< '{
"dataType": "domain",
"data": "jiffybox.net" 
}' | jq
{
  "success": true,
  "summary": {
    "taxonomies": [
      {
        "level": "suspicious",
        "namespace": "TorBlutmagie",
        "predicate": "Node",
        "value": "7 nodes"
      }
    ]
  },
  "artifacts": [
    {
      "type": "fqdn",
      "value": "j98727.servers.jiffybox.net"
    },
    {
      "type": "ip",
      "value": "93.180.156.84"
    },
    {
      "type": "fqdn",
      "value": "j60204.servers.jiffybox.net"
    },
    {
      "type": "ip",
      "value": "37.200.99.251"
    },
    {
      "type": "fqdn",
      "value": "j17531.servers.jiffybox.net"
    },
    {
      "type": "ip",
      "value": "46.252.26.2"
    },
    {
      "type": "fqdn",
      "value": "j54490.servers.jiffybox.net"
    },
    {
      "type": "ip",
      "value": "37.200.98.5"
    },
    {
      "type": "fqdn",
      "value": "j184462.servers.jiffybox.net"
    },
    {
      "type": "ip",
      "value": "134.119.36.135"
    },
    {
      "type": "fqdn",
      "value": "j32098.servers.jiffybox.net"
    },
    {
      "type": "ip",
      "value": "37.200.98.117"
    },
    {
      "type": "fqdn",
      "value": "j72505.servers.jiffybox.net"
    },
    {
      "type": "ip",
      "value": "134.119.3.2"
    }
  ],
  "full": {
    "nodes": [
      {
        "hostname": "j98727.servers.jiffybox.net",
        "name": "BARACUDA",
        "country_code": "DE",
        "ip": "93.180.156.84",
        "as_name": "HOSTEUROPE-AS- DE",
        "as_number": "20773"
      },
      {
        "hostname": "j60204.servers.jiffybox.net",
        "name": "JPsi2",
        "country_code": "DE",
        "ip": "37.200.99.251",
        "as_name": "HOSTEUROPE-AS- DE",
        "as_number": "20773"
      },
      {
        "hostname": "j17531.servers.jiffybox.net",
        "name": "marlen1",
        "country_code": "DE",
        "ip": "46.252.26.2",
        "as_name": "HOSTEUROPE-AS- DE",
        "as_number": "20773"
      },
      {
        "hostname": "j54490.servers.jiffybox.net",
        "name": "torpidsDEdomainf",
        "country_code": "DE",
        "ip": "37.200.98.5",
        "as_name": "HOSTEUROPE-AS- DE",
        "as_number": "20773"
      },
      {
        "hostname": "j184462.servers.jiffybox.net",
        "name": "torpidsDEdomainf2",
        "country_code": "DE",
        "ip": "134.119.36.135",
        "as_name": "HOSTEUROPE-AS- DE",
        "as_number": "20773"
      },
      {
        "hostname": "j32098.servers.jiffybox.net",
        "name": "Unnamed",
        "country_code": "DE",
        "ip": "37.200.98.117",
        "as_name": "HOSTEUROPE-AS- DE",
        "as_number": "20773"
      },
      {
        "hostname": "j72505.servers.jiffybox.net",
        "name": "Zwiebel2",
        "country_code": "DE",
        "ip": "134.119.3.2",
        "as_name": "HOSTEUROPE-AS- DE",
        "as_number": "20773"
      }
    ]
  }
}

  • TheHive Integration Test (Reports etc.)
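The lookup and report-building logic this PR describes, as an added example (not the analyzer's own code from the PR): the node rows are constructed to mirror the `full.nodes` entries in the shell test above, and the `info` level for a zero-hit lookup is an assumption, since the test only shows hits.

```python
# Constructed sample of the node table; the first two rows copy values from the
# shell test above, the third is a made-up relay outside the jiffybox.net domain.
NODES = [
    {"hostname": "j72505.servers.jiffybox.net", "name": "Zwiebel2", "country_code": "DE",
     "ip": "134.119.3.2", "as_name": "HOSTEUROPE-AS- DE", "as_number": "20773"},
    {"hostname": "j98727.servers.jiffybox.net", "name": "BARACUDA", "country_code": "DE",
     "ip": "93.180.156.84", "as_name": "HOSTEUROPE-AS- DE", "as_number": "20773"},
    {"hostname": "relay.example.org", "name": "Unnamed", "country_code": "NL",
     "ip": "198.51.100.7", "as_name": "EXAMPLE-AS", "as_number": "64496"},
]


def match_nodes(data_type, data, nodes=NODES):
    """Return the nodes linked to an observable. ip and fqdn are exact matches;
    a domain matches hostnames equal to it or below it, with the label boundary
    enforced so that 'box.net' does not match '...jiffybox.net'."""
    value = data.strip().lower()
    if data_type == "ip":
        return [n for n in nodes if n["ip"] == value]
    if data_type == "fqdn":
        return [n for n in nodes if n["hostname"].lower() == value]
    if data_type == "domain":
        return [n for n in nodes if n["hostname"].lower() == value
                or n["hostname"].lower().endswith("." + value)]
    raise ValueError("unsupported dataType: %s" % data_type)


def build_report(data_type, data, nodes=NODES):
    """Build the Cortex report shape shown in the shell test: one TorBlutmagie/Node
    taxonomy, an fqdn and an ip artifact per matched node, the rows under full.nodes."""
    hits = match_nodes(data_type, data, nodes)
    count = len(hits)
    # Assumption: the test only shows hits ("suspicious"); "info" is used for no hit.
    level = "suspicious" if count else "info"
    summary = {"taxonomies": [{
        "level": level, "namespace": "TorBlutmagie", "predicate": "Node",
        "value": "%d node%s" % (count, "" if count == 1 else "s"),
    }]}
    artifacts = []
    for n in hits:
        artifacts.append({"type": "fqdn", "value": n["hostname"]})
        artifacts.append({"type": "ip", "value": n["ip"]})
    return {"success": True, "summary": summary, "artifacts": artifacts,
            "full": {"nodes": hits}}
```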

Contributor

@3c7 3c7 left a comment


Beside the requested change, everything works perfectly. Also, it could be considered to include #!/usr/bin/env python3 instead of #!/usr/bin/env python in tor_blutmagie_analyzer.py, because of the python2/python3 encoding issues that will pop up if people run that analyzer using python2.

{{n.name}}
</div>
<div class="panel-body">
<dl class="dl-horizontal">
Contributor


Please switch the <dt> and <dd> here:


<div class="panel-body">
<dl class="dl-horizontal">
<dd>Address</dd>
<dt>{{n.hostname | fang}} ({{n.ip_address | fang}})</dt>
Contributor


Here, it has to be n.ip.

</dl>
<span>
<i class="fa fa-search"></i>
<a ng-href="http://torstatus.blutmagie.de/cgi-bin/whois.pl?ip={{n.ip_address}}" target="_blank">WHOIS</a>
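Review bot: the WHOIS anchor on the last line opens a third-party page with target="_blank" but no rel attribute, so the opened page receives a window.opener reference back to the Cortex/TheHive tab; add rel="noopener noreferrer" to that anchor while fixing the n.ip_address to n.ip reference noted above.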
Contributor


This has to be n.ip, also.

@srilumpa
Contributor Author

Here are the fixes. I am so sorry for those basic errors.

Contributor

@3c7 3c7 left a comment


Thank you very much for the contribution.

@nadouani nadouani changed the base branch from master to develop December 18, 2017 10:22
@nadouani nadouani merged commit cf66ed2 into TheHive-Project:develop Dec 18, 2017
@srilumpa srilumpa deleted the TorBlutmagie branch February 22, 2018 16:33