From 939ceadf27874623841764179d4ed576b6d45805 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9arch?=
Date: Mon, 15 Jul 2019 16:21:30 +0200
Subject: [PATCH] Support for Cuckoo 2.0.7 and custom CA
---
 .../CuckooSandbox_File_Analysis.json | 22 ++++++++++
 .../CuckooSandbox_Url_Analysis.json | 22 ++++++++++
 .../CuckooSandbox/cuckoosandbox_analyzer.py | 39 ++++++++++++----
 analyzers/catalog-devel.json | 44 +++++++++++++++++++
 analyzers/catalog-stable.json | 44 +++++++++++++++++++
 analyzers/catalog.json | 44 +++++++++++++++++++
 6 files changed, 207 insertions(+), 8 deletions(-)
diff --git a/analyzers/CuckooSandbox/CuckooSandbox_File_Analysis.json b/analyzers/CuckooSandbox/CuckooSandbox_File_Analysis.json
index 5a667ac99..94c6dad26 100644
--- a/analyzers/CuckooSandbox/CuckooSandbox_File_Analysis.json
+++ b/analyzers/CuckooSandbox/CuckooSandbox_File_Analysis.json
@@ -15,6 +15,28 @@
 "type": "string",
 "multi": false,
 "required": true
+ },
+ {
+ "name": "token",
+ "description": "API token",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "cert_check",
+ "description": "Verify server certificate",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "cert_path",
+ "description": "Path to the CA on the system used to check server certificate",
+ "type": "string",
+ "multi": false,
+ "required": false
 }
 ]
 }
diff --git a/analyzers/CuckooSandbox/CuckooSandbox_Url_Analysis.json b/analyzers/CuckooSandbox/CuckooSandbox_Url_Analysis.json
index 70df5aa07..bd63f8d88 100644
--- a/analyzers/CuckooSandbox/CuckooSandbox_Url_Analysis.json
+++ b/analyzers/CuckooSandbox/CuckooSandbox_Url_Analysis.json
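Review bot: The `cert_path` description under-specifies what the analyzer does with the value: in cuckoosandbox_analyzer.py it is handed straight to requests' `verify=`, which accepts either a CA bundle file or a directory of certificates, and it is silently ignored when `cert_check` is false. Suggest `"description": "Path to a CA bundle file or directory used to verify the server certificate; ignored when cert_check is false"`. The `token` entry could likewise state that the value is sent as a Bearer token in the Authorization header, so operators know which kind of Cuckoo credential to provision. The same three parameter blocks are repeated in the Url_Analysis definition and in the six catalog hunks, so the wording should be changed in all of them together.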
@@ -15,6 +15,28 @@
 "type": "string",
 "multi": false,
 "required": true
+ },
+ {
+ "name": "token",
+ "description": "API token",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "cert_check",
+ "description": "Verify server certificate",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "cert_path",
+ "description": "Path to the CA on the system used to check server certificate",
+ "type": "string",
+ "multi": false,
+ "required": false
 }
 ]
diff --git a/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py b/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
index 131602fd5..8e6245041 100755
--- a/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
+++ b/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
@@ -13,6 +13,15 @@ def __init__(self):
 Analyzer.__init__(self)
 self.url = self.get_param('config.url', None, 'CuckooSandbox url is missing')
 self.url = self.url + "/" if not self.url.endswith("/") else self.url
+ self.token = self.get_param('config.token', None, None)
+ if self.get_param('config.cert_check', True):
+ ssl_path = self.get_param('config.cert_path', None)
+ if not ssl_path or ssl_path == '':
+ self.ssl = True
+ else:
+ self.ssl = ssl_path
+ else:
+ self.ssl = False
 # self.analysistimeout = self.get_param('config.analysistimeout', 30*60, None)
 # self.networktimeout = self.get_param('config.networktimeout', 30, None)
@@ -46,6 +55,9 @@ def run(self):
 Analyzer.run(self)
 try:
+ headers = dict()
+ if self.token and self.token != "":
+ headers['Authorization'] = "Bearer {0}".format(self.token)
 # file analysis
 if self.data_type == 'file':
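Review bot: A `cert_path` that does not exist on the analyzer host is never validated in `__init__`; requests only notices it at the first call made with `verify=self.ssl`, and it reports that as an IOError rather than a RequestException, so the job fails through `unexpectedError` instead of a clear configuration error. Check it up front, e.g. `if ssl_path and not (os.path.isfile(ssl_path) or os.path.isdir(ssl_path)): self.error('config.cert_path does not exist: {0}'.format(ssl_path))` (this needs `os` in scope, which the hunk does not show). The `ssl_path == ''` test is redundant because `not ssl_path` already covers the empty string. When `cert_check` is false the analyzer turns TLS verification off silently; a comment on that branch such as `# verify=False: the server identity is not checked, so only use this on a trusted network` makes the trade-off visible to whoever reads the config. The rest of `__init__` continues outside the hunk.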
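Review bot: `headers = dict()` and `if self.token and self.token != "":` can be written as `headers = {}` and `if self.token:`; the empty-string comparison is already implied by the truthiness test. The bearer token is attached to every request built from `config.url`, but the scheme of that URL is not checked, so with a plain http URL the token is sent in clear; a short comment, or a warning when `self.url` does not start with `https://`, would make that visible to the operator. `run` starts and ends outside this hunk.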
@@ -53,15 +65,26 @@ def run(self):
 filename = self.get_param('filename', basename(filepath))
 with open(filepath, "rb") as sample:
 files = {"file": (filename, sample)}
- response = requests.post(self.url + 'tasks/create/file', files=files)
- task_id = response.json()['task_ids'][0] if 'task_ids' in response.json().keys() \
- else response.json()['task_id']
+ response = requests.post(self.url + 'tasks/create/file', files=files, headers=headers, verify=self.ssl)
+ if 'task_ids' in response.json().keys():
+ task_id = response.json()['task_ids'][0]
+ elif 'task_id' in response.json().keys():
+ task_id = response.json()['task_id']
+ elif response.status_code == 401:
+ self.error("API token is required by this Cuckoo instance.")
+ else:
+ self.error(response.json()['message'])
 # url analysis
 elif self.data_type == 'url':
 data = {"url": self.get_data()}
- response = requests.post(self.url + 'tasks/create/url', data=data)
- task_id = response.json()['task_id']
+ response = requests.post(self.url + 'tasks/create/url', data=data, headers=headers, verify=self.ssl)
+ if 'task_id' in response.json().keys():
+ task_id = response.json()['task_id']
+ elif response.status_code == 401:
+ self.error("API token is required by this Cuckoo instance.")
+ else:
+ self.error(response.json()['message'])
 else:
 self.error('Invalid data type !')
@@ -70,7 +93,7 @@ def run(self):
 tries = 0
 while not finished and tries <= 15: # wait max 15 mins
 time.sleep(60)
- response = requests.get(self.url + 'tasks/view/' + str(task_id))
+ response = requests.get(self.url + 'tasks/view/' + str(task_id), headers=headers, verify=self.ssl)
 content = response.json()['task']['status']
 if content == 'reported':
 finished = True
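Review bot: The task-creation branches call `response.json()` before looking at `status_code`, so a 401 (or any other error) answer whose body is not JSON raises a ValueError in the parser and never reaches the `status_code == 401` branch, and `response.json()['message']` raises KeyError when the body has no `message` key; both end up in the generic `unexpectedError` handler instead of a readable message. Checking the status first, parsing the body once and falling back to a generic message fixes both; the url branch later in this hunk has the same ordering and should be changed the same way. `in body` is also the idiomatic form of `in response.json().keys()`. `run` continues outside the hunk.
```python
response = requests.post(self.url + 'tasks/create/file', files=files, headers=headers, verify=self.ssl)
if response.status_code == 401:
    self.error("API token is required by this Cuckoo instance.")
body = response.json()
if 'task_ids' in body:
    task_id = body['task_ids'][0]
elif 'task_id' in body:
    task_id = body['task_id']
else:
    self.error(body.get('message', 'Unexpected response from CuckooSandbox'))
# … unchanged: url branch, with the same status-first check applied …
```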
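Review bot: `response.json()['task']['status']` assumes a 2xx JSON answer; a 401 when the token is rejected mid-poll, or a 404 once the task is gone, surfaces as a KeyError or ValueError and lands in `unexpectedError` rather than a readable message. Adding `response.raise_for_status()` before the `.json()` call turns that into an HTTPError, which is a RequestException and is already reported through `self.error(str(e))` by the handler at the end of `run`. The report download in the `@@ -79,7 +102,7 @@` hunk has the same gap. `run` continues outside the hunk.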
@@ -79,7 +102,7 @@ def run(self):
 self.error('CuckooSandbox analysis timed out')
 # Download the report
- response = requests.get(self.url + 'tasks/report/' + str(task_id) + '/json')
+ response = requests.get(self.url + 'tasks/report/' + str(task_id) + '/json', headers=headers, verify=self.ssl)
 resp_json = response.json()
 list_description = [x['description'] for x in resp_json['signatures']]
 if 'suricata' in resp_json.keys() and 'alerts' in resp_json['suricata'].keys():
@@ -141,7 +164,7 @@ def run(self):
 })
 except requests.exceptions.RequestException as e:
- self.error(e)
+ self.error(str(e))
 except Exception as e:
 self.unexpectedError(e)
diff --git a/analyzers/catalog-devel.json b/analyzers/catalog-devel.json
index 2158f9a3e..bc71d756c 100644
--- a/analyzers/catalog-devel.json
+++ b/analyzers/catalog-devel.json
@@ -306,6 +306,28 @@
 "type": "string",
 "multi": false,
 "required": true
+ },
+ {
+ "name": "token",
+ "description": "API token",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "cert_check",
+ "description": "Verify server certificate",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "cert_path",
+ "description": "Path to the CA on the system used to check server certificate",
+ "type": "string",
+ "multi": false,
+ "required": false
 }
 ],
 "dockerImage": "cortexneurons/cuckoosandbox_file_analysis_inet:devel"
@@ -329,6 +351,28 @@
 "type": "string",
 "multi": false,
 "required": true
+ },
+ {
+ "name": "token",
+ "description": "API token",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "cert_check",
+ "description": "Verify server certificate",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "cert_path",
+ "description": "Path to the CA on the system used to check server certificate",
+ "type": "string",
+ "multi": false,
+ "required": false
 }
 ],
 "dockerImage": "cortexneurons/cuckoosandbox_url_analysis:devel"
diff --git a/analyzers/catalog-stable.json b/analyzers/catalog-stable.json
index 221c2002e..e4d9cfeb4 100644
--- a/analyzers/catalog-stable.json
+++ b/analyzers/catalog-stable.json
@@ -306,6 +306,28 @@
 "type": "string",
 "multi": false,
 "required": true
+ },
+ {
+ "name": "token",
+ "description": "API token",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "cert_check",
+ "description": "Verify server certificate",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "cert_path",
+ "description": "Path to the CA on the system used to check server certificate",
+ "type": "string",
+ "multi": false,
+ "required": false
 }
 ],
 "dockerImage": "cortexneurons/cuckoosandbox_file_analysis_inet:1.1"
@@ -329,6 +351,28 @@
 "type": "string",
 "multi": false,
 "required": true
+ },
+ {
+ "name": "token",
+ "description": "API token",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "cert_check",
+ "description": "Verify server certificate",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "cert_path",
+ "description": "Path to the CA on the system used to check server certificate",
+ "type": "string",
+ "multi": false,
+ "required": false
 }
 ],
 "dockerImage": "cortexneurons/cuckoosandbox_url_analysis:1.1"
diff --git a/analyzers/catalog.json b/analyzers/catalog.json
index c92be13ec..a8b9e4951 100644
--- a/analyzers/catalog.json
+++ b/analyzers/catalog.json
@@ -306,6 +306,28 @@
 "type": "string",
 "multi": false,
 "required": true
+ },
+ {
+ "name": "token",
+ "description": "API token",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "cert_check",
+ "description": "Verify server certificate",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "cert_path",
+ "description": "Path to the CA on the system used to check server certificate",
+ "type": "string",
+ "multi": false,
+ "required": false
 }
 ],
 "dockerImage": "cortexneurons/cuckoosandbox_file_analysis_inet:1"
@@ -329,6 +351,28 @@
 "type": "string",
 "multi": false,
 "required": true
+ },
+ {
+ "name": "token",
+ "description": "API token",
+ "type": "string",
+ "multi": false,
+ "required": false
+ },
+ {
+ "name": "cert_check",
+ "description": "Verify server certificate",
+ "type": "boolean",
+ "multi": false,
+ "required": true,
+ "defaultValue": true
+ },
+ {
+ "name": "cert_path",
+ "description": "Path to the CA on the system used to check server certificate",
+ "type": "string",
+ "multi": false,
+ "required": false
 }
 ],
 "dockerImage": "cortexneurons/cuckoosandbox_url_analysis:1"