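class WebAPI(webapi.WebAPI):
    """Tabulate the domain records ``email_whois`` returns for each address.

    One table row is produced per (address, domain record); the ``indicator``
    column carries the address that produced the row.  Columns are the union
    of all keys seen across rows, so a field present in only some records
    still gets a column.

    NOTE(review): the field is named ``emails`` and feeds ``email_whois``,
    yet its label reads "Domains" — confirm which input the form is meant
    to take before changing either.
    """
    emails = webapi.list_input('Domains (Newline Delimited)')
    submit_button = webapi.submit_button('Investigate!')

    def run(self, form_input):
        """Return ``{'output_type', 'output', 'headers'}`` for the table view.

        ``form_input['emails']`` is either an already-split list or
        newline-delimited text (str, or UTF-8 bytes); blank lines are dropped.
        """
        raw = form_input['emails']
        if isinstance(raw, list):
            emails = raw
        else:
            # Decode once, before splitting, and only if we really hold bytes:
            # calling .decode() on text that is already unicode would blow up
            # on the first non-ASCII character.
            text = raw.decode('utf8', 'ignore') if isinstance(raw, bytes) else raw
            emails = [line.rstrip() for line in text.split('\n')]
            emails = [email for email in emails if email]

        rows = []
        for email in emails:
            for record in email_whois(email)[email]['domains']:
                # Copy instead of mutating the helper's own result; it may be
                # cached or shared with other callers.
                row = dict(record)
                row['indicator'] = email
                rows.append(row)

        # Union of keys in first-seen order gives a deterministic column layout
        # (a set would reorder columns between runs).
        headers = []
        seen = set()
        for row in rows:
            for key in row:
                if key not in seen:
                    seen.add(key)
                    headers.append(key)

        return {'output_type': 'table',
                'output': rows,
                'headers': headers}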
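class WebAPI(webapi.WebAPI):
    """Tabulate ``get_security_info`` for each submitted domain.

    One table row per domain; the ``indicator`` column carries the domain
    itself.  Columns are the union of all keys seen across rows.
    """
    domains = webapi.list_input('Domains (Newline Delimited)')
    submit_button = webapi.submit_button('Investigate!')

    def run(self, form_input):
        """Return ``{'output_type', 'output', 'headers'}`` for the table view.

        ``form_input['domains']`` is either an already-split list or
        newline-delimited text (str, or UTF-8 bytes); blank lines are dropped.
        """
        raw = form_input['domains']
        if isinstance(raw, list):
            domains = raw
        else:
            # Decode only real bytes: .decode() on already-decoded text fails
            # on non-ASCII input.
            text = raw.decode('utf8', 'ignore') if isinstance(raw, bytes) else raw
            domains = [line.rstrip() for line in text.split('\n')]
            domains = [domain for domain in domains if domain]

        rows = []
        for domain in domains:
            # Copy the helper's result rather than mutating it in place.
            row = dict(get_security_info(domain))
            row['indicator'] = domain
            rows.append(row)

        # Union of keys in first-seen order: deterministic column layout.
        headers = []
        seen = set()
        for row in rows:
            for key in row:
                if key not in seen:
                    seen.add(key)
                    headers.append(key)

        return {
            'output_type': 'table',
            'output': rows,
            'headers': headers
        }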
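class WebAPI(webapi.WebAPI):
    """Batch-look up indicators in VirusTotal via ``get_vt_file_lookup``.

    NOTE(review): the label says "Domains and IPs", but the helper name and
    the hash columns (sha256/sha1/md5/resource) suggest file lookups —
    confirm the intended input type.  Values are passed to the helper as-is
    apart from trimming.
    """
    domains = webapi.list_input('Domains and IPs (Newline Delimited)')
    submit_button = webapi.submit_button('Totally!')

    def run(self, form_input):
        """Return the table payload for ``form_input['domains']``.

        Accepts an already-split list or newline-delimited text; blank lines
        are dropped.  Column order is fixed by ``headers`` below.
        """
        raw = form_input['domains']
        if isinstance(raw, list):
            domains = raw
        else:
            domains = [line.rstrip() for line in raw.split('\n')]
            domains = [domain for domain in domains if domain]

        vt_reports = cassava.virustotal.get_vt_file_lookup(domains)

        # 'scan_id' previously carried a trailing space and therefore never
        # matched the report key, leaving that column empty.
        headers = ['scan_id',
                   'positives',
                   'total',
                   'scans',
                   'sha256',
                   'sha1',
                   'md5',
                   'resource',
                   'response_code',
                   'scan_date',
                   'permalink',
                   'verbose_msg']

        return {'output_type': 'table',
                'output': vt_reports,
                'headers': headers}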
class WebAPI(webapi.WebAPI):
    """Run a Splunk search with credentials supplied on each request.

    The query, username and password are taken verbatim from the form and
    handed to ``search_splunk``; nothing is cached or logged here.
    NOTE(review): the password crosses the wire with every submission, so
    this form must only be served over TLS and the request body must not be
    access-logged — confirm at the deployment layer.
    """
    query = webapi.line_input('Query')
    username = webapi.line_input('Splunk Username')
    password = webapi.password_input('Splunk Password')
    submit_button = webapi.submit_button('Splunk!')

    def run(self, form_input):
        """Return the raw ``search_splunk`` result as a 'simple' output."""
        fields = ('query', 'username', 'password')
        query, username, password = (form_input[name] for name in fields)

        return {
            'output_type': 'simple',
            'output': search_splunk(query, username, password),
        }
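class WebAPI(webapi.WebAPI):
    """Run ``cassava.whois`` on each indicator and tabulate the results."""
    indicators = webapi.list_input('Indicators (Newline Delimited)')
    submit_button = webapi.submit_button('Investigate!')

    def run(self, form_input):
        """Return the table payload for ``form_input['indicators']``.

        Accepts an already-split list or newline-delimited text; blank lines
        are dropped.  Columns are the union of keys across all rows in
        first-seen order, so an empty submission yields an empty table (the
        first-row-only lookup used to raise IndexError) and fields that only
        appear in later rows still get a column.
        """
        raw = form_input['indicators']
        if isinstance(raw, list):
            indicators = raw
        else:
            indicators = [line.rstrip() for line in raw.split('\n')]
            indicators = [indicator for indicator in indicators if indicator]

        whois_info = [cassava.whois(indicator) for indicator in indicators]

        headers = []
        seen = set()
        for row in whois_info:
            for key in row:
                if key not in seen:
                    seen.add(key)
                    headers.append(key)

        return {'output_type': 'table',
                'output': whois_info,
                'headers': headers}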
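class WebAPI(webapi.WebAPI):
    """Look up IPs in VirusTotal and tabulate the IP reports.

    Each report row gets a ``vtlink`` anchor when the response carries a
    ``permalink``.
    NOTE(review): the anchor is raw HTML, so the table renderer must be
    emitting cell values unescaped; every other cell (including ``indicator``,
    which is user input) then relies on the renderer for escaping — confirm
    that before exposing this view to untrusted users.
    """
    indicators = webapi.list_input('IPs (Newline Delimited)')
    submit_button = webapi.submit_button('Totally!')

    def run(self, form_input):
        """Return the table payload for ``form_input['indicators']``.

        Accepts an already-split list or newline-delimited text; blank lines
        are dropped.  Column order is fixed by ``headers`` below.
        """
        try:  # Python 3
            from html import escape as html_escape
        except ImportError:  # Python 2
            from cgi import escape as html_escape

        raw = form_input['indicators']
        if isinstance(raw, list):
            indicators = raw
        else:
            indicators = [line.rstrip() for line in raw.split('\n')]
            indicators = [indicator for indicator in indicators if indicator]

        vt_reports = cassava.virustotal.get_ip_report(indicators)
        reports_out = []
        for info in vt_reports:
            permalink = info.get('permalink')
            if permalink:
                # The permalink is data from the VT response; escape it before
                # embedding it in an attribute so it cannot inject markup.
                info['vtlink'] = '<a href="{}">VirusTotal</a>'.format(
                    html_escape(permalink, quote=True))
            reports_out.append(info)

        headers = ['indicator',
                   'positives',
                   'total',
                   'scans',
                   'scan_date',
                   'permalink',
                   'detected_referrer_samples',
                   'undetected_referrer_samples',
                   'detected_downloaded_samples',
                   'undetected_downloaded_samples',
                   'detected_communicating_samples',
                   'undetected_communicating_samples',
                   'response_code',
                   'as_owner',
                   'verbose_msg',
                   'detected_urls',
                   'country',
                   'resolutions',
                   'asn']

        return {'output_type': 'table',
                'output': reports_out,
                'headers': headers}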
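class WebAPI(webapi.WebAPI):
    """Run ``cassava.dig`` on each domain and tabulate the results."""
    domains = webapi.list_input('Domains (Newline Delimited)')
    submit_button = webapi.submit_button('Dig')

    def run(self, form_input):
        """Return the table payload for ``form_input['domains']``.

        Accepts an already-split list or newline-delimited text; blank lines
        are dropped.  Columns are the union of keys across all rows in
        first-seen order, so an empty submission yields an empty table (the
        first-row-only lookup used to raise IndexError) and fields that only
        appear in later rows still get a column.
        """
        raw = form_input['domains']
        if isinstance(raw, list):
            domains = raw
        else:
            domains = [line.rstrip() for line in raw.split('\n')]
            domains = [domain for domain in domains if domain]

        dig_info = [cassava.dig(domain) for domain in domains]

        headers = []
        seen = set()
        for row in dig_info:
            for key in row:
                if key not in seen:
                    seen.add(key)
                    headers.append(key)

        return {
            'output_type': 'table',
            'output': dig_info,
            'headers': headers
        }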
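class WebAPI(webapi.WebAPI):
    """Look up domains/IPs in VirusTotal and tabulate the domain reports.

    Each report row gets a ``vtlink`` anchor when the response carries a
    ``permalink``.
    NOTE(review): the anchor is raw HTML, so the table renderer must be
    emitting cell values unescaped; every other cell (including ``indicator``,
    which is user input) then relies on the renderer for escaping — confirm
    that before exposing this view to untrusted users.
    """
    domains = webapi.list_input('Domains and IPs (Newline Delimited)')
    submit_button = webapi.submit_button('Totally!')

    def run(self, form_input):
        """Return the table payload for ``form_input['domains']``.

        Accepts an already-split list or newline-delimited text; blank lines
        are dropped.  Column order is fixed by ``headers`` below.  Nothing is
        written to stdout (the earlier debug prints dumped every query and the
        full VT response).
        """
        try:  # Python 3
            from html import escape as html_escape
        except ImportError:  # Python 2
            from cgi import escape as html_escape

        raw = form_input['domains']
        if isinstance(raw, list):
            domains = raw
        else:
            domains = [line.rstrip() for line in raw.split('\n')]
            domains = [domain for domain in domains if domain]

        vt_reports = cassava.virustotal.get_domain_report(domains)
        reports_out = []
        for info in vt_reports:
            # A report without a permalink used to raise KeyError and abort the
            # whole table; skip the link instead.  The value is VT response
            # data, so escape it before embedding it in an attribute.
            permalink = info.get('permalink')
            if permalink:
                info['vtlink'] = '<a href="{}">VirusTotal</a>'.format(
                    html_escape(permalink, quote=True))
            reports_out.append(info)

        headers = [
            'indicator', 'positives', 'total', 'scans', 'scan_date',
            'permalink', 'BitDefender category', 'domain_siblings',
            'undetected_referrer_samples', 'whois', 'whois_timestamp',
            'WOT domain info', 'Websense ThreatSeeker category',
            'Webutation domain info', 'subdomains', 'resolutions',
            'detected_communicating_samples', 'TrendMicro category',
            'categories'
        ]

        return {
            'output_type': 'table',
            'output': reports_out,
            'headers': headers
        }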
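class WebAPI(webapi.WebAPI):
    """Tabulate ``get_categorization`` for each submitted domain.

    The numeric ``status`` from the categorization is replaced by a label
    (-1 blocked, 0 uncategorized, 1 benign); anything else becomes
    'no entry'.  Columns are the union of all keys seen across rows.
    """
    domains = webapi.list_input('Domains (Newline Delimited)')
    submit_button = webapi.submit_button('Investigate!')

    def run(self, form_input):
        """Return ``{'output_type', 'output', 'headers'}`` for the table view.

        ``form_input['domains']`` is either an already-split list or
        newline-delimited text (str, or UTF-8 bytes); blank lines are dropped.
        """
        raw = form_input['domains']
        if isinstance(raw, list):
            domains = raw
        else:
            # Decode only real bytes: .decode() on already-decoded text fails
            # on non-ASCII input.
            text = raw.decode('utf8', 'ignore') if isinstance(raw, bytes) else raw
            domains = [line.rstrip() for line in text.split('\n')]
            domains = [domain for domain in domains if domain]

        # Hoisted out of the loop; unknown or missing codes map to 'no entry'.
        status_labels = {-1: 'blocked', 0: 'uncategorized', 1: 'benign'}

        rows = []
        for domain in domains:
            # Copy the helper's result rather than mutating it in place.
            row = dict(get_categorization(domain))
            row['indicator'] = domain
            row['status'] = status_labels.get(row.get('status'), 'no entry')
            rows.append(row)

        # Union of keys in first-seen order: deterministic column layout.
        headers = []
        seen = set()
        for row in rows:
            for key in row:
                if key not in seen:
                    seen.add(key)
                    headers.append(key)

        return {
            'output_type': 'table',
            'output': rows,
            'headers': headers
        }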
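class WebAPI(webapi.WebAPI):
    """Aggregate OpenDNS Investigate, Automater and VirusTotal data per indicator.

    Each submitted domain or IP becomes one table row.  ``verbosity`` selects
    either the curated ``summary_headers`` or every key seen in any row.

    NOTE(review): the ``link`` and ``vtlink`` cells hold raw ``<a>`` markup,
    which only renders as a link if the table view emits cell values
    unescaped.  The hrefs built here are percent-/HTML-encoded, but every
    other cell (including ``indicator``, which is user input) then depends
    on the renderer for escaping — confirm that before exposing this view to
    untrusted users.
    """
    domains = webapi.list_input('Domains and IPs (Newline Delimited)')
    verbosity = webapi.radio_field('Verbose?',
                                   choices=[('summary', 'Summarize output'),
                                            ('verbose', 'Full verbose output')
                                            ],
                                   default='summary')
    submit_button = webapi.submit_button('Look it all up!')

    def run(self, form_input):
        """Return the table payload for ``form_input['domains']``.

        Lookups are best-effort per indicator: an OpenDNS or VirusTotal
        failure is reported on stdout and the row keeps whatever had been
        gathered up to that point; Automater errors still propagate, as
        before.
        """
        try:  # Python 3
            from html import escape as html_escape
            from urllib.parse import quote as url_quote
        except ImportError:  # Python 2
            from cgi import escape as html_escape
            from urllib import quote as url_quote

        raw = form_input['domains']
        verbosity = form_input['verbosity']

        if isinstance(raw, list):
            domains = raw
        else:
            # Decode only real bytes: .decode() on already-decoded text fails
            # on non-ASCII input.
            text = raw.decode('utf8', 'ignore') if isinstance(raw, bytes) else raw
            domains = [line.rstrip() for line in text.split('\n')]
            domains = [domain for domain in domains if domain]

        def investigate_link(template, indicator):
            # Percent-encode the user-supplied indicator so it cannot break
            # out of the URL path or the href attribute (stored/reflected XSS).
            # Encode text to UTF-8 first so Python 2's quote() accepts it.
            data = indicator if isinstance(indicator, bytes) else indicator.encode('utf-8')
            return template.format(url_quote(data, safe=''))

        ip_link = '<a href="https://investigate.opendns.com/ip-view/{}">Investigate</a>'
        domain_link = '<a href="https://investigate.opendns.com/domain-view/name/{}/view">Investigate</a>'
        # Numeric OpenDNS status -> label; anything else becomes 'no entry'.
        status_labels = {-1: 'blocked', 0: 'uncategorized', 1: 'benign'}

        all_info = []

        for domain in domains:
            sec_info = {'indicator': domain}

            ### OpenDNS ###
            try:
                sec_info.update(get_security_info(domain))
                sec_info.update(get_categorization(domain))
                if cassava.utils.is_ip(domain):
                    rr_history_a = rr_history_ip(domain, query_type='A')
                    rr_history_ns = rr_history_ip(domain, query_type='NS')
                    latest_malicious_domains = get_latest_domains(domain)
                    sec_info['link'] = investigate_link(ip_link, domain)
                else:
                    rr_history_a = rr_history_domain(domain, query_type='A')
                    rr_history_ns = rr_history_domain(domain, query_type='NS')
                    latest_malicious_domains = 'N/A'
                    sec_info['link'] = investigate_link(domain_link, domain)
                    sec_info['whois'] = domain_whois(domain)
                    sec_info['whois_entries'] = len(sec_info['whois'])
                sec_info['latest_malicious'] = latest_malicious_domains
                sec_info['past_a_records'] = list(set(rr_history_a))
                sec_info['past_ns_records'] = list(set(rr_history_ns))
                sec_info['status'] = status_labels.get(sec_info.get('status'), 'no entry')
            except Exception as exc:
                # Narrowed from a bare except so Ctrl-C/SystemExit propagate,
                # and the real cause is shown instead of only a guess.
                print('OpenDNS problems. Valid API key? ({0!r})'.format(exc))

            ### Automater ###
            sec_info.update(cassava.automater.automater(domain))

            ### VirusTotal ###
            try:
                if cassava.utils.is_ip(domain):
                    report = cassava.virustotal.get_ip_report(domain)[0]
                else:
                    report = cassava.virustotal.get_domain_report(domain)[0]
                sec_info.update(report)
                # A missing permalink used to surface as a misleading
                # "Valid API key?" message; just skip the link.  The value is
                # VT response data, so escape it before embedding it.
                permalink = sec_info.get('permalink')
                if permalink:
                    sec_info['vtlink'] = '<a href="{}">VirusTotal</a>'.format(
                        html_escape(permalink, quote=True))
            except Exception as exc:
                print('VirusTotal problems. Valid API key? ({0!r})'.format(exc))

            all_info.append(sec_info)

        # Union of keys in first-seen order: deterministic column layout.
        all_headers = []
        seen = set()
        for row in all_info:
            for key in row:
                if key not in seen:
                    seen.add(key)
                    all_headers.append(key)

        # 'categories' and 'mc_date' were missing a separating comma and
        # silently concatenated into one bogus column name.
        summary_headers = [
            'indicator',
            'positives',
            'total',
            'status',
            'securerank2',
            'content_categories',
            'threat_type',
            'security_categories',
            'fastflux',
            'popularity',
            'latest_malicious',
            'link',
            'vtlink',
            'BitDefender category',
            'Websense ThreatSeeker category',
            'Webutation domain info',
            'whois_entries',
            'TrendMicro category',
            'categories',
            'mc_date',
            'uv_domain',
            'mc_ip',
            'uv_location',
            'vt_pdnsurl',
            'un_redirect',
            'uv_country',
            'mc_country',
            'vt_pdnsip',
            'mc_asn',
            'uv_blacklists',
            'uv_ip',
            'mc_md5',
            'mc_asn_name',
            'fnet_url',
        ]

        headers = all_headers if verbosity == 'verbose' else summary_headers

        return {'output_type': 'table', 'output': all_info, 'headers': headers}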
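class WebAPI(webapi.WebAPI):
    """Run one selected Automater source against each indicator.

    The radio field picks the source; the dispatch table in ``run`` maps the
    submitted value to the ``cassava.automater`` function and is the only
    thing deciding what gets called — never the raw form value.  Columns are
    the union of all keys seen across rows.
    """
    indicators = webapi.list_input('Domains (Newline Delimited)')
    automater_opt = webapi.radio_field(
        'Automater options',
        choices=[('automater', 'automater (all sources)'), ('robtex', 'robtex'),
                 ('fortinet_classify', 'fortinet_classify'),
                 ('vtpDNSIP', 'vtpDNSIP'), ('ipvoid', 'ipvoid'),
                 ('virustotal', 'virustotal'),
                 ('threatexpert', 'threatexpert'), ('vxvault', 'vxvault'),
                 ('unshortme', 'unshortme'), ('urlvoid', 'urlvoid'),
                 ('vtpDNSDom', 'vtpDNSDom'), ('malc0de', 'malc0de'),
                 ('ReputationAuthority', 'ReputationAuthority'),
                 ('FreeGeo', 'FreeGeo'), ('SANS_API', 'SANS_API'),
                 ('totalhash_ip', 'totalhash_ip')],
        default='automater')
    submit_button = webapi.submit_button('Submit')

    def run(self, form_input):
        """Return the table payload for ``form_input['indicators']``.

        Accepts an already-split list or newline-delimited text; blank lines
        are dropped.  Raises ``ValueError`` if ``form_input['automater_opt']``
        is not one of the known sources.
        """
        raw = form_input['indicators']
        automater_opt = form_input['automater_opt']

        if isinstance(raw, list):
            indicators = raw
        else:
            indicators = [line.rstrip() for line in raw.split('\n')]
            indicators = [indicator for indicator in indicators if indicator]

        automater_option_functions = {
            'automater': cassava.automater.automater,
            'robtex': cassava.automater.robtex,
            'fortinet_classify': cassava.automater.fortinet_classify,
            'vtpDNSIP': cassava.automater.vtpDNSIP,
            'ipvoid': cassava.automater.ipvoid,
            'virustotal': cassava.automater.virustotal,
            'threatexpert': cassava.automater.threatexpert,
            'vxvault': cassava.automater.vxvault,
            'unshortme': cassava.automater.unshortme,
            'urlvoid': cassava.automater.urlvoid,
            'vtpDNSDom': cassava.automater.vtpDNSDom,
            'malc0de': cassava.automater.malc0de,
            'ReputationAuthority': cassava.automater.ReputationAuthority,
            'FreeGeo': cassava.automater.FreeGeo,
            'SANS_API': cassava.automater.SANS_API,
            'totalhash_ip': cassava.automater.totalhash_ip
        }

        # The radio field only constrains the value client-side; the table is
        # the server-side allowlist.  Reject unknown values up front with a
        # clear error instead of a KeyError on the first indicator.
        try:
            lookup = automater_option_functions[automater_opt]
        except KeyError:
            raise ValueError(
                'Unknown Automater option: {0!r}'.format(automater_opt))

        automater_info = [lookup(indicator) for indicator in indicators]

        # Union of keys in first-seen order: deterministic column layout.
        all_headers = []
        seen = set()
        for row in automater_info:
            for key in row:
                if key not in seen:
                    seen.add(key)
                    all_headers.append(key)

        return {
            'output_type': 'table',
            'output': automater_info,
            'headers': all_headers
        }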
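class WebAPI(webapi.WebAPI):
    """Aggregate OpenDNS Investigate data (security info, categorization,
    RR history, whois) per submitted domain or IP.

    ``verbosity`` selects either the curated ``summary_headers`` or every key
    seen in any row.

    NOTE(review): the ``link`` cell holds raw ``<a>`` markup, which only
    renders as a link if the table view emits cell values unescaped.  The
    href built here is percent-encoded, but every other cell (including
    ``indicator``, which is user input) then depends on the renderer for
    escaping — confirm that before exposing this view to untrusted users.
    """
    domains = webapi.list_input('Domains/IPs (Newline Delimited)')
    verbosity = webapi.radio_field('Verbose?',
                                   choices=[('summary', 'Summarize output'),
                                            ('verbose', 'Full verbose output')
                                            ],
                                   default='summary')
    submit_button = webapi.submit_button('Investigate!')

    def run(self, form_input):
        """Return the table payload for ``form_input['domains']``.

        Unlike the all-sources variant, lookup failures are not caught here
        and propagate to the caller.
        """
        try:  # Python 3
            from urllib.parse import quote as url_quote
        except ImportError:  # Python 2
            from urllib import quote as url_quote

        raw = form_input['domains']
        verbosity = form_input['verbosity']

        if isinstance(raw, list):
            domains = raw
        else:
            # Decode only real bytes: .decode() on already-decoded text fails
            # on non-ASCII input.
            text = raw.decode('utf8', 'ignore') if isinstance(raw, bytes) else raw
            domains = [line.rstrip() for line in text.split('\n')]
            domains = [domain for domain in domains if domain]

        def investigate_link(template, indicator):
            # Percent-encode the user-supplied indicator so it cannot break
            # out of the URL path or the href attribute (stored/reflected XSS).
            # Encode text to UTF-8 first so Python 2's quote() accepts it.
            data = indicator if isinstance(indicator, bytes) else indicator.encode('utf-8')
            return template.format(url_quote(data, safe=''))

        ip_link = '<a href="https://investigate.opendns.com/ip-view/{}">Investigate</a>'
        domain_link = '<a href="https://investigate.opendns.com/domain-view/name/{}/view">Investigate</a>'
        # Numeric OpenDNS status -> label; anything else becomes 'no entry'.
        status_labels = {-1: 'blocked', 0: 'uncategorized', 1: 'benign'}

        sgraph_info = []
        for domain in domains:
            sec_info = get_security_info(domain)
            sec_info.update(get_categorization(domain))
            sec_info['indicator'] = domain
            if cassava.utils.is_ip(domain):
                rr_history_a = rr_history_ip(domain, query_type='A')
                rr_history_ns = rr_history_ip(domain, query_type='NS')
                latest_malicious_domains = get_latest_domains(domain)
                sec_info['link'] = investigate_link(ip_link, domain)
            else:
                rr_history_a = rr_history_domain(domain, query_type='A')
                rr_history_ns = rr_history_domain(domain, query_type='NS')
                latest_malicious_domains = 'N/A'
                sec_info['link'] = investigate_link(domain_link, domain)
                sec_info['whois'] = domain_whois(domain)
                sec_info['whois_entries'] = len(sec_info['whois'])
            sec_info['latest_malicious'] = latest_malicious_domains
            sec_info['past_a_records'] = list(set(rr_history_a))
            sec_info['past_ns_records'] = list(set(rr_history_ns))
            sec_info['status'] = status_labels.get(sec_info.get('status'), 'no entry')

            sgraph_info.append(sec_info)

        # Union of keys in first-seen order: deterministic column layout.
        all_headers = []
        seen = set()
        for row in sgraph_info:
            for key in row:
                if key not in seen:
                    seen.add(key)
                    all_headers.append(key)

        # 'past_ns_records' previously carried a trailing space and so never
        # matched the row key, leaving that summary column empty.
        summary_headers = [
            'indicator', 'link', 'status', 'securerank2', 'content_categories',
            'threat_type', 'security_categories', 'past_a_records', 'fastflux',
            'popularity', 'past_ns_records', 'latest_malicious',
            'whois_entries'
        ]

        headers = all_headers if verbosity == 'verbose' else summary_headers

        return {
            'output_type': 'table',
            'output': sgraph_info,
            'headers': headers
        }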