From 072ae90cd6165de6c50c491046276fb1fae8036d Mon Sep 17 00:00:00 2001
From: garanews
Date: Thu, 30 May 2019 12:19:36 +0200
Subject: [PATCH 1/5] remove extra slash it fixes https://github.com/TheHive-Project/Cortex-Analyzers/issues/487
---
 analyzers/IBMXForce/ibmxforce_lookup.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/analyzers/IBMXForce/ibmxforce_lookup.py b/analyzers/IBMXForce/ibmxforce_lookup.py
index 2a7074596..e42c9a4b2 100755
--- a/analyzers/IBMXForce/ibmxforce_lookup.py
+++ b/analyzers/IBMXForce/ibmxforce_lookup.py
@@ -116,10 +116,10 @@ def ip_query(self, data):
 _session = requests.Session()
 _session.auth = (self.key, self.pwd)
- _query_ip = _session.get('%s/ipr/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
+ _query_ip = _session.get('%sipr/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
 _query_malware = _session.get(
- '%s/ipr/malware/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
- _query_info = _session.get('%s/resolve/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
+ '%sipr/malware/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
+ _query_info = _session.get('%sresolve/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
 ip_data = _query_ip.json() if _query_ip.status_code == 200 else {}
 malware_data = _query_malware.json() if _query_malware.status_code == 200 else {}
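Review bot: The `ip_data` and `malware_data` lines at the end of this hunk turn every non-200 response into `{}`, so an expired key (401), a revoked subscription (403) or a rate-limit reply (429) yields a clean "no findings" report instead of a failed job, and an analyst cannot tell "X-Force has nothing on this IP" from "we never got an answer". Only 404 should map to an empty result; the other statuses should abort the job before the parsing lines, e.g. `if _query_ip.status_code not in (200, 404): self.error('X-Force returned HTTP %d' % _query_ip.status_code)`, with the same check on the malware and resolve responses. The `self.error` helper is inferred from the `'Missing API url'` style messages elsewhere in the file and is not visible in this hunk. ip_query continues outside the hunk.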
@@ -141,10 +141,10 @@ def domain_query(self, data):
 _session = requests.Session()
 _session.auth = (self.key, self.pwd)
- _query_url = _session.get('%s/url/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
+ _query_url = _session.get('%surl/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
 _query_malware = _session.get(
- '%s/url/malware/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
- _query_info = _session.get('%s/resolve/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
+ '%surl/malware/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
+ _query_info = _session.get('%sresolve/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
 url_data = _query_url.json() if _query_url.status_code == 200 else {}
 malware_data = _query_malware.json() if _query_malware.status_code == 200 else {}
@@ -167,7 +167,7 @@ def malware_query(self, data):
 _session.auth = (self.key, self.pwd)
 _query_malware = _session.get(
- '%s/malware/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
+ '%smalware/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
 if _query_malware.status_code == 200:
 return self.cleanup(malware_data=_query_malware.json())
@@ -220,4 +220,4 @@ def run(self):
 if __name__ == '__main__':
- IBMXForceAnalyzer().run()
\ No newline at end of file
+ IBMXForceAnalyzer().run()
From 71468d5f8e2e93588ab5e68fefc0faf05b640c05 Mon Sep 17 00:00:00 2001
From: garanews
Date: Thu, 30 May 2019 12:52:52 +0200
Subject: [PATCH 2/5] re added slash for ip query after a live check , the slash is needed for ip query
---
 analyzers/IBMXForce/ibmxforce_lookup.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/analyzers/IBMXForce/ibmxforce_lookup.py b/analyzers/IBMXForce/ibmxforce_lookup.py
index e42c9a4b2..f65130c2f 100755
--- a/analyzers/IBMXForce/ibmxforce_lookup.py
+++ b/analyzers/IBMXForce/ibmxforce_lookup.py
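Review bot: None of the three `_session.get` calls in this hunk pass a `timeout`, and `requests` waits indefinitely by default, so an unresponsive X-Force endpoint or proxy hangs the Cortex job for good instead of failing it. Append `timeout=30` (or a module-level constant) to each of the three `_session.get(...)` calls, and consider wrapping them in `try/except requests.exceptions.RequestException as e: self.error(str(e))` so a transport failure is reported as a job error rather than an unhandled traceback; the `self.error` helper is inferred from the `'Missing API url'` style messages in this file and is not visible here. domain_query continues outside the hunk.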
@@ -116,10 +116,10 @@ def ip_query(self, data):
 _session = requests.Session()
 _session.auth = (self.key, self.pwd)
- _query_ip = _session.get('%sipr/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
+ _query_ip = _session.get('%s/ipr/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
 _query_malware = _session.get(
- '%sipr/malware/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
- _query_info = _session.get('%sresolve/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
+ '%s/ipr/malware/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
+ _query_info = _session.get('%/sresolve/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
 ip_data = _query_ip.json() if _query_ip.status_code == 200 else {}
 malware_data = _query_malware.json() if _query_malware.status_code == 200 else {}
From 17612f2abf140ac8b4e984affd37f7441a9eb367 Mon Sep 17 00:00:00 2001
From: garanews
Date: Fri, 31 May 2019 08:24:43 +0200
Subject: [PATCH 3/5] added check to strip slash in the url added check to strip slash in the url
---
 analyzers/IBMXForce/ibmxforce_lookup.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/analyzers/IBMXForce/ibmxforce_lookup.py b/analyzers/IBMXForce/ibmxforce_lookup.py
index f65130c2f..d4a0a6dcd 100755
--- a/analyzers/IBMXForce/ibmxforce_lookup.py
+++ b/analyzers/IBMXForce/ibmxforce_lookup.py
@@ -14,6 +14,8 @@ def __init__(self):
 self.service = self.get_param(
 'config.service', None, 'Service parameter is missing')
 self.url = self.get_param('config.url', None, 'Missing API url')
+ if self.url:
+ self.url = self.url.rstrip('/')
 self.key = self.get_param('config.key', None, 'Missing API key')
 self.pwd = self.get_param('config.pwd', None, 'Missing API password')
 self.verify = self.get_param('config.verify', True)
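Review bot: The new `_query_info` line uses `'%/sresolve/%s'`, which is not a valid `%` format string — `%/` raises `ValueError: unsupported format character '/'` — so at this commit every IP lookup fails before any request is sent. PATCH 3/5 in this series already corrects it to `'%s/resolve/%s'`; squashing that fix into this commit would keep the history bisectable. ip_query continues outside the hunk.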
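Review bot: The added guard only trims trailing slashes from `config.url`; surrounding whitespace or a plain `http://` scheme passes through unchanged, and because the query methods set `_session.auth = (self.key, self.pwd)`, the API key and password go out as HTTP Basic auth to whatever host that string names, in clear text if the scheme is not https. Suggest `self.url = self.url.strip().rstrip('/')` followed by a scheme check such as `if not self.url.lower().startswith('https://'): self.error('config.url must use https')`, reusing whatever error helper backs the `'Missing API url'` message (not visible in this hunk); if a plain-http lab mock is a supported deployment, make that a logged warning instead of a hard failure. The `if self.url:` test is presumably redundant if `get_param` with a message aborts on a missing value, but it is harmless. `__init__` continues outside the hunk.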
@@ -119,7 +121,7 @@ def ip_query(self, data):
 _query_ip = _session.get('%s/ipr/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
 _query_malware = _session.get(
 '%s/ipr/malware/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
- _query_info = _session.get('%/sresolve/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
+ _query_info = _session.get('%s/resolve/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
 ip_data = _query_ip.json() if _query_ip.status_code == 200 else {}
 malware_data = _query_malware.json() if _query_malware.status_code == 200 else {}
@@ -141,10 +143,10 @@ def domain_query(self, data):
 _session = requests.Session()
 _session.auth = (self.key, self.pwd)
- _query_url = _session.get('%surl/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
+ _query_url = _session.get('%s/url/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
 _query_malware = _session.get(
- '%surl/malware/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
- _query_info = _session.get('%sresolve/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
+ '%s/url/malware/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
+ _query_info = _session.get('%s/resolve/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
 url_data = _query_url.json() if _query_url.status_code == 200 else {}
 malware_data = _query_malware.json() if _query_malware.status_code == 200 else {}
@@ -167,7 +169,7 @@ def malware_query(self, data):
 _session.auth = (self.key, self.pwd)
 _query_malware = _session.get(
- '%smalware/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
+ '%s/malware/%s' % (self.url, data), proxies=self.proxies, verify=self.verify)
 if _query_malware.status_code == 200:
 return self.cleanup(malware_data=_query_malware.json())
From ec9cf1b41069854f351eb83fdbe7bf560f5bc4a7 Mon Sep 17 00:00:00 2001
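Review bot: `data` is spliced into the request path unencoded in all three `_session.get` calls of the domain_query hunk, and for this service it is a domain or URL observable: a value containing `?`, `#`, `%` or extra path segments changes which X-Force resource is queried (a `#` truncates the path, `?x=y` becomes a query string), so the analyzer can silently report on the wrong object or receive a 404 that the following lines already map to an empty result. Percent-encode the observable once, `safe_data = quote(data, safe='')` (with `from urllib.parse import quote` at the top of the file), and use it in all three format calls, e.g. `_query_url = _session.get('%s/url/%s' % (self.url, safe_data), proxies=self.proxies, verify=self.verify)`. The file's Python version is not visible here; on Python 2 the import would be `from urllib import quote`. domain_query continues outside the hunk.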
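Review bot: In the malware_query hunk `data` is likewise inserted raw into the `/malware/` path; since this service takes a file hash (the README added in PATCH 4/5 exercises it with a SHA-256), a cheap allow-list check before the request keeps arbitrary observable strings from reaching the API and makes a malformed input fail fast: `if not re.fullmatch(r'[0-9A-Fa-f]{32,64}', data): self.error('malware_query expects an MD5/SHA-1/SHA-256 hash')` (needs `import re`; the `self.error` helper is inferred from the `'Missing API url'` style messages in this file, and `re.fullmatch` assumes Python 3). If the service is meant to accept other identifiers, percent-encode `data` with `urllib.parse.quote(data, safe='')` instead. malware_query continues outside the hunk.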
From: garanews
Date: Fri, 31 May 2019 08:32:14 +0200
Subject: [PATCH 4/5] update readme with testing update readme with testing
---
 analyzers/IBMXForce/README | 35 ++++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/analyzers/IBMXForce/README b/analyzers/IBMXForce/README
index 185ab10dc..97dc5b4af 100644
--- a/analyzers/IBMXForce/README
+++ b/analyzers/IBMXForce/README
@@ -16,8 +16,37 @@ python IBMXForce_lookup.py < input
 Testing
 --------
-cd /opt/thehive
-bin/thehive -Dconfig.file=conf/application.conf
-bin/cortex -Dconfig.file=/opt/cortex/conf/application.conf
\ No newline at end of file
+import requests
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+url = "https://api.xforce.ibmcloud.com"
+key = "31231231-b3e4-1111-aaaa-3231312321312"
+pwd = "adasdada-00e5-2222-bbbb-3213123123131"
+verify = False
+proxies = {'http': 'http://proxy.lab:3128', 'https': 'http://proxy.lab:3128'}
+_session = requests.Session()
+_session.auth = (key, pwd)
+
+####### malware_query ################
+data = "d1d984bda0a88e4e3c53880eb9a48ed2f1973b094bb789c548c1d442720c0525"
+_query_malware = _session.get('%s/malware/%s' % (url, data), proxies=proxies, verify=False)
+print(_query_malware.text)
+
+####### domain_query ################
+data = "alibuf.com"
+_query_url = _session.get('%s/url/%s' % (url, data), proxies=proxies, verify=verify)
+_query_malware = _session.get('%s/url/malware/%s' % (url, data), proxies=proxies, verify=verify)
+_query_info = _session.get('%s/resolve/%s' % (url, data), proxies=proxies, verify=verify)
+print(_query_url.text, _query_malware.text, _query_info.text )
+
+
+####### ip_query ################
+data = "122.252.241.122"
+_query_ip = _session.get('%s/ipr/%s' % (url, data), proxies=proxies, verify=verify)
+_query_malware = _session.get('%s/ipr/malware/%s' % (url, data), proxies=proxies, verify=verify)
+_query_info = _session.get('%s/resolve/%s' % (url, data), proxies=proxies, verify=verify)
+
+print(_query_ip.text, _query_malware.text, _query_info.text )
+
From fac48388414972813632e34927a414d59c5ae092 Mon Sep 17 00:00:00 2001
From: garanews
Date: Fri, 31 May 2019 08:33:06 +0200
Subject: [PATCH 5/5] Update README
---
 analyzers/IBMXForce/README | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/analyzers/IBMXForce/README b/analyzers/IBMXForce/README
index 97dc5b4af..3db3d7e6a 100644
--- a/analyzers/IBMXForce/README
+++ b/analyzers/IBMXForce/README
@@ -10,9 +10,6 @@ IBMXForce {
 }
 ```
-To test the analyzer from cmdline
-
-python IBMXForce_lookup.py < input
 Testing
 --------