
New analyzer: Talos Reputation #427

Merged
merged 3 commits into from
May 7, 2019

Conversation

mgabriel-silva

Fixes #426
Created an analyzer to query Cisco Talos Intelligence for IP spam reputation

@saadkadhi saadkadhi added this to the 1.16.0 milestone Feb 14, 2019
@mgabriel-silva mgabriel-silva changed the title Created an analyzer for Talos Reputation New analyzer: Talos Reputation Feb 19, 2019
@jeromeleonard jeromeleonard changed the base branch from master to develop March 23, 2019 08:01
@jeromeleonard
Contributor

I get this error when running this analyzer: {"success": false, "input": {"tlp": 1, "dataType": "ip", "data": "8.8.8.8"}, "errorMessage": "Failed to query Talos. Status_code 403"}

Looking at the response from the Talosintelligence site, I get this (screenshot attached):

@mgabriel-silva
Author

I've analyzed the issue. It seems that the Talos team doesn't want their endpoint used by APIs.
They've added a new cookie called '_talos_website_session' to prevent connections from external APIs.

@jeromeleonard jeromeleonard modified the milestones: 1.16.0, 1.17.0 Mar 26, 2019
@jeromeleonard
Contributor

Thx for the info.
Moving it to release 1.17.0 while waiting for more info about what we can do with this analyzer.

@mgabriel-silva
Author

Problem solved.
Now it works again.

@jeromeleonard jeromeleonard merged commit a271710 into TheHive-Project:develop May 7, 2019
jeromeleonard added a commit that referenced this pull request May 7, 2019
@romarito90

Hello @mgabriel-silva @jeromeleonard, is there any solution to this 403 error?

(screenshot attached)

This is my code:

    #!/usr/bin/env python3
    # encoding: utf-8

    import cfscrape
    from cortexutils.analyzer import Analyzer


    class TalosReputation(Analyzer):

        def __init__(self):
            Analyzer.__init__(self)

        def summary(self, raw):
            taxonomies = []
            level = 'info'  # If Talos renames a score, it will be presented as info
            namespace = 'Talos'
            predicate = 'Reputation'
            value = raw.get('email_score_name')
            if value == 'Good':
                level = 'safe'
            elif value == 'Poor':
                level = 'malicious'
            elif value == 'Neutral':
                level = 'suspicious'
            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
            return {'taxonomies': taxonomies}

        def run(self):
            Analyzer.run(self)
            if self.data_type == 'ip':
                try:
                    data = self.get_data()

                    scraper = cfscrape.CloudflareScraper()

                    headers = {
                        'Host': 'talosintelligence.com',
                        'Referer': 'https://talosintelligence.com/reputation_center/lookup?search={}'.format(data),
                        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36',
                        'Accept': 'application/json'
                    }

                    # Details (reputation scores) for the IP
                    response_details = scraper.get(
                        'https://talosintelligence.com/sb_api/query_lookup',
                        headers=headers,
                        params={
                            'query': '/api/v2/details/ip/',
                            'query_entry': data
                        }
                    )

                    # Geolocation for the IP
                    response_location = scraper.get(
                        'https://talosintelligence.com/sb_api/query_lookup',
                        headers=headers,
                        params={
                            'query': '/api/v2/location/ip/',
                            'query_entry': data
                        }
                    )

                    # `status_code == 200 | 201` evaluates the bitwise OR first (200 | 201 == 201),
                    # so a plain 200 would be rejected; compare against a tuple instead.
                    if response_details.status_code in (200, 201):
                        if response_location.status_code in (200, 201):
                            result = response_details.json()
                            result['country'] = response_location.json().get('country', None)
                            self.report(result if len(result) > 0 else {})
                        else:
                            self.error('Failed to query Talos location. Status_code {}'.format(
                                response_location.status_code))
                    else:
                        self.error('Failed to query Talos details. Status_code {}'.format(
                            response_details.status_code))
                except Exception as e:
                    self.unexpectedError(e)
            else:
                self.notSupported()


    if __name__ == '__main__':
        TalosReputation().run()
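The same analyzer logic, restructured as an added example (not code from the Cortex-Analyzers project or from anyone in this thread) so it can be exercised offline: the HTTP call is injected as a callable, the reputation-to-taxonomy mapping is a pure function, and a non-2xx status such as the 403 discussed above is returned as a Cortex-style error instead of raising. The endpoint URL and query paths mirror the posted analyzer; the JSON bodies in the fake fetchers are constructed sample data, not captured Talos responses, and `build_taxonomy` only assumes the dict shape cortexutils produces. It also makes the `200 | 201` pitfall from the posted code explicit.

```python
"""Talos reputation lookup with injectable transport (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Tuple

TALOS_LOOKUP = 'https://talosintelligence.com/sb_api/query_lookup'
DETAILS_QUERY = '/api/v2/details/ip/'
LOCATION_QUERY = '/api/v2/location/ip/'

# Injected transport: (url, params) -> (status_code, decoded JSON body)
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, Any]]]

# Talos email_score_name -> Cortex taxonomy level, same mapping as the posted analyzer.
LEVEL_BY_SCORE = {'Good': 'safe', 'Poor': 'malicious', 'Neutral': 'suspicious'}


def is_success(status_code: int) -> bool:
    """True for 200 or 201.  The posted code wrote `== 200 | 201`; Python
    evaluates `200 | 201` first (it equals 201), so a real 200 was rejected."""
    return status_code in (200, 201)


def build_taxonomy(level: str, namespace: str, predicate: str, value: Any) -> Dict[str, Any]:
    # Assumed to match the dict cortexutils' Analyzer.build_taxonomy returns.
    return {'level': level, 'namespace': namespace, 'predicate': predicate, 'value': value}


def summary(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Short taxonomy for TheHive; an unknown or renamed score falls back to 'info'."""
    value = raw.get('email_score_name')
    level = LEVEL_BY_SCORE.get(value, 'info')
    return {'taxonomies': [build_taxonomy(level, 'Talos', 'Reputation', value)]}


def lookup_ip(ip: str, fetch: Fetcher) -> Dict[str, Any]:
    """Query details, then location; return a Cortex-style success or error dict."""
    status, details = fetch(TALOS_LOOKUP, {'query': DETAILS_QUERY, 'query_entry': ip})
    if not is_success(status):
        return {'success': False,
                'errorMessage': 'Failed to query Talos details. Status_code {}'.format(status)}
    status, location = fetch(TALOS_LOOKUP, {'query': LOCATION_QUERY, 'query_entry': ip})
    if not is_success(status):
        return {'success': False,
                'errorMessage': 'Failed to query Talos location. Status_code {}'.format(status)}
    result = dict(details)
    result['country'] = location.get('country')
    return {'success': True, 'full': result, 'summary': summary(result)}


def urllib_fetch(url: str, params: Dict[str, str]) -> Tuple[int, Dict[str, Any]]:
    """Standard-library transport for live use; not exercised by the offline demo."""
    req = urllib.request.Request(url + '?' + urllib.parse.urlencode(params),
                                 headers={'Accept': 'application/json'})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode('utf-8'))
    except urllib.error.HTTPError as err:
        return err.code, {}  # e.g. 403 once the session cookie became mandatory


# --- constructed fake transports standing in for the live Talos site ---
def fake_talos_ok(url: str, params: Dict[str, str]) -> Tuple[int, Dict[str, Any]]:
    if params['query'] == DETAILS_QUERY:
        return 200, {'email_score_name': 'Good', 'web_score_name': 'Good'}
    return 200, {'country': 'US'}


def fake_talos_403(url: str, params: Dict[str, str]) -> Tuple[int, Dict[str, Any]]:
    # The failure reported in this thread after '_talos_website_session' was required.
    return 403, {}


if __name__ == '__main__':
    print(json.dumps(lookup_ip('8.8.8.8', fake_talos_ok), indent=2))
    print(json.dumps(lookup_ip('8.8.8.8', fake_talos_403), indent=2))
```

Keeping the transport behind a callable means the error path can be tested without a network and, when the upstream site changes its bot protection again, only the fetcher needs attention while the parsing and taxonomy code stays covered by offline tests.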
