Merge pull request #1 from TheHive-Project/master

Speed up of repo.

.drone.yml

@@ -0,0 +1,116 @@
+---
+kind: pipeline
+name: default
+
+steps:
+  - name: build analyzers for release
+    image: thehiveproject/cortex-worker-builder
+    settings:
+      worker_path: analyzers
+      namespace: cortexneurons
+      user: {from_secret: docker_username}
+      password: {from_secret: docker_password}
+      stable: true
+    when:
+      event: [tag]
+
+  - name: build responders for release
+    image: thehiveproject/cortex-worker-builder
+    settings:
+      worker_path: responders
+      namespace: cortexneurons
+      user: {from_secret: docker_username}
+      password: {from_secret: docker_password}
+      stable: true
+    when:
+      event: [tag]
+
+  - name: build snapshot analyzers
+    image: thehiveproject/cortex-worker-builder
+    settings:
+      worker_path: analyzers
+      namespace: cortexneurons
+      user: {from_secret: docker_username}
+      password: {from_secret: docker_password}
+    when:
+      event: {exclude: [tag]}
+
+  - name: build snapshot responders
+    image: thehiveproject/cortex-worker-builder
+    settings:
+      worker_path: responders
+      namespace: cortexneurons
+      user: {from_secret: docker_username}
+      password: {from_secret: docker_password}
+    when:
+      event: {exclude: [tag]}
+
+  - name: build catalogs
+    image: thehiveproject/neurons-build-catalogs
+
+  - name: upload catalogs to bintray
+    image: thehiveproject/drone-bintray
+    settings:
+      user: {from_secret: bintray_user}
+      key: {from_secret: bintray_key}
+      subject: thehive-project
+      package: catalogs
+      version: latest
+      override: 1
+      publish: 1
+    commands:
+    - |
+      export PLUGIN_USER
+      export PLUGIN_KEY
+      export PLUGIN_SUBJECT
+      export PLUGIN_PACKAGE
+      export PLUGIN_VERSION
+      export PLUGIN_OVERRIDE
+      export PLUGIN_PUBLISH
+      upload \
+      --file analyzers/analyzers.json \
+      --repo cortexneurons
+      upload \
+      --file analyzers/analyzers-stable.json \
+      --repo cortexneurons
+      upload \
+      --file responders/responders.json \
+      --repo cortexneurons
+      upload \
+      --file responders/responders-stable.json \
+      --repo cortexneurons
+    when:
+      event: [tag]
+
+  - name: upload devel catalogs to bintray
+    image: thehiveproject/drone-bintray
+    settings:
+      user: {from_secret: bintray_user}
+      key: {from_secret: bintray_key}
+      subject: thehive-project
+      package: catalogs
+      version: latest
+      override: 1
+      publish: 1
+    commands:
+    - |
+      export PLUGIN_USER
+      export PLUGIN_KEY
+      export PLUGIN_SUBJECT
+      export PLUGIN_PACKAGE
+      export PLUGIN_VERSION
+      export PLUGIN_OVERRIDE
+      export PLUGIN_PUBLISH
+      upload \
+      --file analyzers/analyzers-devel.json \
+      --repo cortexneurons
+
+      upload \
+      --file responders/responders-devel.json \
+      --repo cortexneurons
+    when:
+      event:
+        branch:
+        - develop
+        event:
+        - push

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,37 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[Bug]"
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. step 1
+1. step 2
+1. step 3...
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Complementary information**
+If applicable, add screenshots and any additional information that might help explain your problem.
+
+**Work environment**
+ - Client OS: 
+- Server OS:
+ - Browse type and version:
+- Cortex version:
+ - Cortex Analyzer/Responder name:
+- Cortex Analyzer/Responder version:
+
+**Possible solutions**
+If applicable, indicate possible solutions to the problem.
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,17 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: "[FR]"
+labels: feature request
+assignees: ''
+
+---
+
+**Feature description**
+A clear and concise description of your feature request.
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

AUTHORS

@@ -21,21 +21,29 @@ Contributors
 * Antoine Brodin
 * Eric Capuano
 * crackytsi
+* Arcuri Davide
 * Marc-André Doll (Starc, by EXAPROBE)
 * etz69
+* Matt Erasmus
 * Andrea Garavaglia (LDO-CERT)
 * Julian Gonzalez
 * Sébastien Larinier
+* Matteo Lodi
+* Nicolas Mattiocco
+* Xavier Mertens
 * Nclose
+* Manabu Niseki
 * Robert Nixon
 * ph34tur3
+* Kyle Parrish
 * Rémi Pointel
 * Guillaume Rousse
+* Gabriel Antonio da Silva
 * Michael Stensrud
 * Emmanuel Torquato
 * Daniil Yugoslavskiy
 
-Copyright (C) 2017-2018 Nabil Adouani
-Copyright (C) 2014-2018 Thomas Franco
-Copyright (C) 2014-2018 Saâd Kadhi
-Copyright (C) 2014-2018 Jérôme Leonard
+Copyright (C) 2017-2019 Nabil Adouani
+Copyright (C) 2014-2019 Thomas Franco
+Copyright (C) 2014-2019 Saâd Kadhi
+Copyright (C) 2014-2019 Jérôme Leonard

analyzers/AbuseIPDB/AbuseIPDB.json

@@ -0,0 +1,33 @@
+{
+    "name": "AbuseIPDB",
+    "version": "1.0",
+    "author": "Matteo Lodi",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-v3",
+    "description": "Determine whether an IP was reported or not as malicious by AbuseIPDB",
+    "dataTypeList": ["ip"],
+    "baseConfig": "AbuseIPDB",
+    "command": "AbuseIPDB/abuseipdb.py",
+    "configurationItems": [
+      {
+        "name": "key",
+        "description": "API key for AbuseIPDB",
+        "type": "string",
+        "multi": false,
+        "required": true
+      },
+      {
+        "name": "days",
+        "description": "Check for IP Reports in the last X days",
+        "type": "number",
+        "multi": false,
+        "required": false,
+        "defaultValue": 30
+      }
+    ],
+    "config": {
+        "check_tlp": true,
+        "max_tlp": 2,
+        "auto_extract": false
+    }
+}

analyzers/AbuseIPDB/abuseipdb.py

@@ -0,0 +1,79 @@
+#!/usr/bin/env python3
+
+import requests
+
+from cortexutils.analyzer import Analyzer
+
+
+class AbuseIPDBAnalyzer(Analyzer):
+    """
+    AbuseIPDB API docs: https://www.abuseipdb.com/api
+    """
+
+    @staticmethod
+    def extract_abuse_ipdb_category(category_number):
+        # Reference: https://www.abuseipdb.com/categories
+        mapping = {
+            "3": "Fraud Orders",
+            "4": "DDOS Attack",
+            "5": "FTP Brute-Force",
+            "6": "Ping of Death",
+            "7": "Phishing",
+            "8": "Fraud VOIP",
+            "9": "Open Proxy",
+            "10": "Web Spam",
+            "11": "Email Spam",
+            "12": "Blog Spam",
+            "13": "VPN IP",
+            "14": "Port Scan",
+            "15": "Hacking",
+            "16": "SQL Injection",
+            "17": "Spoofing",
+            "18": "Brute Force",
+            "19": "Bad Web Bot",
+            "20": "Exploited Host",
+            "21": "Web App Attack",
+            "22": "SSH",
+            "23": "IoT Targeted",
+        }
+        return mapping.get(str(category_number), 'unknown category')
+
+    def run(self):
+
+        try:
+            if self.data_type == "ip":
+                api_key = self.get_param('config.key', None, 'Missing AbuseIPDB API key')
+                days_to_check = self.get_param('config.days', 30)
+                ip = self.get_data()
+                url = 'https://www.abuseipdb.com/check/{}/json?days={}'.format(ip, days_to_check)
+                response = requests.post(url, data = {'key': api_key})
+                if not (200 <= response.status_code < 300):
+                    self.error('Unable to query AbuseIPDB API\n{}'.format(response.text))
+                json_response = response.json()
+                # this is because in case there's only one result, the api gives back a list instead of a dict
+                response_list = json_response if isinstance(json_response, list) else [json_response]
+                for found in response_list:
+                    if 'category' in found:
+                        categories_strings = []
+                        for category in found['category']:
+                            categories_strings.append(self.extract_abuse_ipdb_category(category))
+                        found['categories_strings'] = categories_strings
+                self.report({'values': response_list})
+            else:
+                self.notSupported()
+        except Exception as e:
+            self.unexpectedError(e)
+
+    def summary(self, raw):
+        taxonomies = []
+
+        if raw and 'values' in raw and len(raw['values']) > 0 :
+            taxonomies.append(self.build_taxonomy('malicious', 'AbuseIPDB', 'Records', len(raw['values'])))
+        else:
+            taxonomies.append(self.build_taxonomy('safe', 'AbuseIPDB', 'Records', 0))
+
+        return {"taxonomies": taxonomies}
+
+
+if __name__ == '__main__':
+    AbuseIPDBAnalyzer().run()

analyzers/AbuseIPDB/requirements.txt

@@ -0,0 +1,2 @@
+cortexutils
+requests

analyzers/Abuse_Finder/Dockerfile

@@ -0,0 +1,6 @@
+FROM python:2
+
+WORKDIR /worker
+COPY . Abuse_Finder
+RUN pip install --no-cache-dir -r Abuse_Finder/requirements.txt
+ENTRYPOINT Abuse_Finder/abusefinder.py

analyzers/BackscatterIO/BackscatterIO_Enrichment.json

@@ -0,0 +1,26 @@
+{
+    "name": "BackscatterIO_Enrichment",
+    "version": "1.0",
+    "author": "[email protected]",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "APLv2",
+    "description": "Enrich values using Backscatter.io data.",
+    "dataTypeList": ["ip", "network", "autonomous-system", "port"],
+    "baseConfig": "BackscatterIO",
+    "command": "BackscatterIO/backscatter-io.py",
+    "configurationItems": [
+      {
+        "name": "key",
+        "description": "API key for Backscatter.io",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+    ],
+    "config": {
+        "check_tlp": true,
+        "max_tlp": 2,
+        "auto_extract": true,
+        "service": "enrichment"
+    }
+}

analyzers/BackscatterIO/BackscatterIO_GetObservations.json

@@ -0,0 +1,26 @@
+{
+    "name": "BackscatterIO_GetObservations",
+    "version": "1.0",
+    "author": "[email protected]",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "APLv2",
+    "description": "Determine whether a value has known scanning activity using Backscatter.io data.",
+    "dataTypeList": ["ip", "network", "autonomous-system"],
+    "baseConfig": "BackscatterIO",
+    "command": "BackscatterIO/backscatter-io.py",
+    "configurationItems": [
+      {
+        "name": "key",
+        "description": "API key for Backscatter.io",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+    ],
+    "config": {
+        "check_tlp": true,
+        "max_tlp": 2,
+        "auto_extract": true,
+        "service": "observations"
+    }
+}