From 506353eb9bb323cf8502c3e7072ddc3b61e1411d Mon Sep 17 00:00:00 2001
From: remiallain
Date: Fri, 11 May 2018 14:33:40 +0200
Subject: [PATCH 1/7] add threatcrowd analyzer
---
analyzers/Threatcrowd/Threatcrowd.json | 19 ++++++++
analyzers/Threatcrowd/requirements.txt | 2 +
analyzers/Threatcrowd/threatcrowd_analyzer.py | 46 +++++++++++++++++++
thehive-templates/Threatcrowd_1_0/long.html | 30 ++++++++++++
thehive-templates/Threatcrowd_1_0/short.html | 3 ++
5 files changed, 100 insertions(+)
create mode 100644 analyzers/Threatcrowd/Threatcrowd.json
create mode 100644 analyzers/Threatcrowd/requirements.txt
create mode 100644 analyzers/Threatcrowd/threatcrowd_analyzer.py
create mode 100644 thehive-templates/Threatcrowd_1_0/long.html
create mode 100644 thehive-templates/Threatcrowd_1_0/short.html
diff --git a/analyzers/Threatcrowd/Threatcrowd.json b/analyzers/Threatcrowd/Threatcrowd.json
new file mode 100644
index 000000000..24e2b78f3
--- /dev/null
+++ b/analyzers/Threatcrowd/Threatcrowd.json
@@ -0,0 +1,19 @@
+{
+ "name": "Threatcrowd",
+ "author": "RĂ©mi ALLAIN, Cyberprotect",
+ "license": "AGPL-V3",
+ "url": "https://github.com/Cyberprotect/Cortex-Analyzers",
+ "version": "1.0",
+ "description": "Search for information on threatcrowd.org",
+ "dataTypeList": [
+ "email",
+ "ip",
+ "domain"
+ ],
+ "command": "Threatcrowd/threatcrowd_analyzer.py",
+ "baseConfig": "Threatcrowd",
+ "config": {
+ "check_tlp": false,
+ "service": "get"
+ }
+}
\ No newline at end of file
diff --git a/analyzers/Threatcrowd/requirements.txt b/analyzers/Threatcrowd/requirements.txt
new file mode 100644
index 000000000..4a21dbf63
--- /dev/null
+++ b/analyzers/Threatcrowd/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests
\ No newline at end of file
diff --git a/analyzers/Threatcrowd/threatcrowd_analyzer.py b/analyzers/Threatcrowd/threatcrowd_analyzer.py
new file mode 100644
index 000000000..48da660ba
--- /dev/null
+++ b/analyzers/Threatcrowd/threatcrowd_analyzer.py
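Review bot: `"check_tlp": false` in the new `config` block turns off the TLP gate that cortexutils applies before `run`, so an observable the analyst marked TLP:RED or TLP:AMBER is still sent to threatcrowd.org as a query parameter. Because this analyzer queries a third-party public service, the safer default is `"check_tlp": true` together with a `"max_tlp"` value the operator can raise deliberately. If leaving the gate off is intentional, say so in the `description` so the data-sharing behaviour is visible where the analyzer is enabled.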
@@ -0,0 +1,46 @@
+#!/usr/bin/env python
+# encoding: utf-8
+
+import requests
+from cortexutils.analyzer import Analyzer
+
+class Threatcrowd(Analyzer):
+
+ URI = "http://www.threatcrowd.org/searchApi/v2"
+
+ def summary(self, raw):
+ taxonomies = []
+
+ level = "info"
+ value = "None"
+
+ if 'votes' in raw:
+ r = raw.get('votes')
+ value = r
+ if r == 1:
+ level = "safe"
+ elif r == 0:
+ level = "suspicious"
+ elif r == -1:
+ level = "malicious"
+
+ taxonomies.append(self.build_taxonomy(level, "Threatcrowd", "votes", value))
+
+ result = {"taxonomies": taxonomies}
+ return result
+
+ def run(self):
+ Analyzer.run(self)
+
+ if (self.data_type == 'domain' or self.data_type == 'ip' or self.data_type == 'email'):
+ try:
+ response = requests.get("{}/{}/report/".format(self.URI, self.data_type), {self.data_type: self.get_data()})
+ self.report(response.json())
+ except Exception as e:
+ self.unexpectedError(e)
+ else:
+ self.notSupported()
+
+
+if __name__ == '__main__':
+ Threatcrowd().run()
diff --git a/thehive-templates/Threatcrowd_1_0/long.html b/thehive-templates/Threatcrowd_1_0/long.html
new file mode 100644
index 000000000..358a6e3fc
--- /dev/null
+++ b/thehive-templates/Threatcrowd_1_0/long.html
@@ -0,0 +1,30 @@
+
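Review bot: The `requests.get(...)` call in `run` sets no `timeout`, so a stalled connection to threatcrowd.org blocks the Cortex job until the worker is killed, and a non-2xx reply goes straight into `response.json()`, where it surfaces only as a generic `unexpectedError`. Pass a timeout and check the status before parsing: `response = requests.get("{}/{}/report/".format(self.URI, self.data_type), {self.data_type: self.get_data()}, timeout=30)` followed by `response.raise_for_status()`. The same call is carried over unchanged in the `run` hunk of PATCH 4/7 below. `summary` and `run` also have no docstrings; a one-liner such as `"""Map ThreatCrowd's votes field (1, 0, -1) to a safe/suspicious/malicious taxonomy."""` on `summary` would document the mapping this hunk implements.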
+
+ Threatcrowd analysis for + {{artifact.data}} +
+
+

+ Votes : {{content.votes}} +
+ View report on threatcrowd.org +

+ + + + + + {{ref}} + +
references
+
+
+ +
+
+ {{(artifact.data || artifact.attachment.name) | fang}} +
+
+ {{content.errorMessage}} +
+
diff --git a/thehive-templates/Threatcrowd_1_0/short.html b/thehive-templates/Threatcrowd_1_0/short.html
new file mode 100644
index 000000000..57f9d29cf
--- /dev/null
+++ b/thehive-templates/Threatcrowd_1_0/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}={{t.value}}
+
From ce631fb58f30dac9bd4a066be84b4e7964060a2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20ALLAIN?=
Date: Fri, 11 May 2018 14:51:49 +0200
Subject: [PATCH 2/7] using https to request api instead of http
---
analyzers/Threatcrowd/threatcrowd_analyzer.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/analyzers/Threatcrowd/threatcrowd_analyzer.py b/analyzers/Threatcrowd/threatcrowd_analyzer.py
index 48da660ba..e8fd752c9 100644
--- a/analyzers/Threatcrowd/threatcrowd_analyzer.py
+++ b/analyzers/Threatcrowd/threatcrowd_analyzer.py
@@ -6,7 +6,7 @@ class Threatcrowd(Analyzer):
- URI = "http://www.threatcrowd.org/searchApi/v2"
+ URI = "https://www.threatcrowd.org/searchApi/v2"
 def summary(self, raw):
 taxonomies = []
From 32f8fd6782e1e647bdcdb510d0317a506c842efe Mon Sep 17 00:00:00 2001
From: remiallain
Date: Tue, 15 May 2018 13:38:06 +0200
Subject: [PATCH 3/7] Completed the long.html report
---
thehive-templates/Threatcrowd_1_0/long.html | 49 ++++++++++++++++++---
1 file changed, 44 insertions(+), 5 deletions(-)
diff --git a/thehive-templates/Threatcrowd_1_0/long.html b/thehive-templates/Threatcrowd_1_0/long.html
index 358a6e3fc..2010ec79f 100644
--- a/thehive-templates/Threatcrowd_1_0/long.html
+++ b/thehive-templates/Threatcrowd_1_0/long.html
@@ -4,17 +4,56 @@ {{artifact.data}}
-

+

Votes : {{content.votes}}
View report on threatcrowd.org -

- + +
- + - {{ref}} + + +
referencesReferences
{{ref}}
+ + + + + + + +
Domains
{{dom}}
+ + + + + + + +
Subdomains
{{dom}}
+ + + + + + + +
Emails
{{email}}
+ + + + + + + + + + + + +
Resolutions
Last resolvedDomainIp
{{res.last_resolved}}{{res.domain}}{{res.ip_address}}

From 3cd2e6e0c7225e24b1f7b1afeb7fc18e3f537aa9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20ALLAIN?=
Date: Wed, 30 May 2018 10:25:44 +0200
Subject: [PATCH 4/7] Changes requested by @3c7
---
analyzers/Threatcrowd/threatcrowd_analyzer.py | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/analyzers/Threatcrowd/threatcrowd_analyzer.py b/analyzers/Threatcrowd/threatcrowd_analyzer.py
index e8fd752c9..de827dbd9 100644
--- a/analyzers/Threatcrowd/threatcrowd_analyzer.py
+++ b/analyzers/Threatcrowd/threatcrowd_analyzer.py
@@ -11,8 +11,8 @@ class Threatcrowd(Analyzer):
 def summary(self, raw):
 taxonomies = []
- level = "info"
- value = "None"
+ level = None
+ value = None
 if 'votes' in raw:
 r = raw.get('votes')
@@ -23,6 +23,9 @@ def summary(self, raw):
 level = "suspicious"
 elif r == -1:
 level = "malicious"
+ else:
+ value = "unknow"
+ level = "info"
 taxonomies.append(self.build_taxonomy(level, "Threatcrowd", "votes", value))
@@ -32,9 +35,10 @@ def summary(self, raw):
 def run(self):
 Analyzer.run(self)
- if (self.data_type == 'domain' or self.data_type == 'ip' or self.data_type == 'email'):
+ if (self.data_type == 'domain' or self.data_type == 'ip' or self.data_type == 'mail'):
+ threatcrowd_data_type = self.data_type if self.data_type != 'mail' else 'email'
 try:
- response = requests.get("{}/{}/report/".format(self.URI, self.data_type), {self.data_type: self.get_data()})
+ response = requests.get("{}/{}/report/".format(self.URI, threatcrowd_data_type), {threatcrowd_data_type: self.get_data()})
 self.report(response.json())
 except Exception as e:
 self.unexpectedError(e)
From f62f22fa57b05c768d007550583a6edbf047a85c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20ALLAIN?=
Date: Wed, 30 May 2018 10:26:10 +0200
Subject: [PATCH 5/7] Changes requested by @3c7
---
analyzers/Threatcrowd/Threatcrowd.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
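Review bot: With `level = None` and `value = None` as the new initial values in the first hunk, a report that carries no `votes` key reaches `self.build_taxonomy(None, "Threatcrowd", "votes", None)`, because the `else:` added in the second hunk is taken only when `votes` is present but not 1, 0 or -1 (indentation is not recoverable in this collapsed patch, so that reading of the `else` should be confirmed). Initialising `level = "info"` and `value = "unknown"` before `if 'votes' in raw:` covers both the missing-key and the unexpected-value case with a single fallback, and the `else` branch then becomes unnecessary. The new taxonomy value `"unknow"` is rendered to analysts through `{{t.value}}` in short.html and should read `"unknown"`.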
diff --git a/analyzers/Threatcrowd/Threatcrowd.json b/analyzers/Threatcrowd/Threatcrowd.json
index 24e2b78f3..3f1e14bc3 100644
--- a/analyzers/Threatcrowd/Threatcrowd.json
+++ b/analyzers/Threatcrowd/Threatcrowd.json
@@ -6,7 +6,7 @@
 "version": "1.0",
 "description": "Search for information on threatcrowd.org",
 "dataTypeList": [
- "email",
+ "mail",
 "ip",
 "domain"
 ],
@@ -16,4 +16,4 @@
 "check_tlp": false,
 "service": "get"
 }
-}
\ No newline at end of file
+}
From 5641d691c84e970c2dcd4d56b00a21faab78a812 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20ALLAIN?=
Date: Wed, 30 May 2018 10:30:25 +0200
Subject: [PATCH 6/7] Request changes by @3c7
---
thehive-templates/Threatcrowd_1_0/long.html | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/thehive-templates/Threatcrowd_1_0/long.html b/thehive-templates/Threatcrowd_1_0/long.html
index 2010ec79f..a8501fb68 100644
--- a/thehive-templates/Threatcrowd_1_0/long.html
+++ b/thehive-templates/Threatcrowd_1_0/long.html
@@ -9,7 +9,7 @@


View report on threatcrowd.org

- +
@@ -17,7 +17,7 @@

References
{{ref}}
- +
@@ -25,7 +25,7 @@

Domains
{{dom}}
- +
@@ -33,7 +33,7 @@

Subdomains
{{dom}}
- +
@@ -41,7 +41,7 @@

Emails
{{email}}
- +
From 86bcbcec675fe07f3152b2bf3986fdd088b43e75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20ALLAIN?=
Date: Wed, 30 May 2018 10:31:38 +0200
Subject: [PATCH 7/7] Catch empty content
---
thehive-templates/Threatcrowd_1_0/long.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/thehive-templates/Threatcrowd_1_0/long.html b/thehive-templates/Threatcrowd_1_0/long.html
index a8501fb68..f340bfca9 100644
--- a/thehive-templates/Threatcrowd_1_0/long.html
+++ b/thehive-templates/Threatcrowd_1_0/long.html
@@ -3,7 +3,7 @@ Threatcrowd analysis for {{artifact.data}} -
+

Votes : {{content.votes}}

Resolutions