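def checkType(self, argument):
    """Identify the observable type of *argument*.

    Returns one of "URL", "MD5", "SHA1", "SHA256", "SHA512", "IPv4", "IPv6"
    or "domain".  Returns ``None`` for empty / whitespace-only input, for
    comment lines starting with ``#``, and for anything no validator accepts
    (that last case is also reported through ``mod.display``).
    """
    # Guard None as well as blank strings so a missing line does not raise.
    if not argument or not argument.strip():
        return None
    # Comment lines.  Compared with `==`: the original used `is`, which
    # tests object identity, not string equality, and is not guaranteed
    # to hold for a one-character slice.
    if argument[0] == '#':
        return None
    # Validators run in the original order; the first one that accepts wins.
    checks = (
        (validators.url, "URL"),
        (validators.md5, "MD5"),
        (validators.sha1, "SHA1"),
        (validators.sha256, "SHA256"),
        (validators.sha512, "SHA512"),
        (validators.ipv4, "IPv4"),
        (validators.ipv6, "IPv6"),
        (validators.domain, "domain"),
    )
    for accepts, label in checks:
        if accepts(argument):
            return label
    mod.display("MAIN", argument, "ERROR", "Unable to retrieve observable type")
    return None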
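def checkType(self, argument):
    """Identify the observable type of *argument*.

    Returns one of "URL", "MD5", "SHA1", "SHA256", "SHA512", "IPv4", "IPv6"
    or "domain"; ``None`` for ``None``/empty/whitespace-only input, comment
    lines starting with ``#``, and input no validator accepts.
    """
    if not argument or not argument.strip():
        return None
    # Comment lines.  `==` replaces the original `is`, which compares object
    # identity rather than string content.
    if argument[0] == '#':
        return None
    # Validators run in the original order; the first one that accepts wins.
    checks = (
        (validators.url, "URL"),
        (validators.md5, "MD5"),
        (validators.sha1, "SHA1"),
        (validators.sha256, "SHA256"),
        (validators.sha512, "SHA512"),
        (validators.ipv4, "IPv4"),
        (validators.ipv6, "IPv6"),
        (validators.domain, "domain"),
    )
    for accepts, label in checks:
        if accepts(argument):
            return label
    return None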
def get_data_type(indicator):
    """Map an indicator string to the data-type name the API expects.

    Returns "IP" (v4 or v6), "URL", "DOMAIN" or "FILE_SHA1".

    Raises:
        PluginException: when the value matches none of the supported types.
    """
    def is_ip(value):
        return validators.ipv4(value) or validators.ipv6(value)

    # Checked in this order; the first matching validator decides.
    classifiers = (
        (is_ip, "IP"),
        (validators.url, "URL"),
        (validators.domain, "DOMAIN"),
        (validators.sha1, "FILE_SHA1"),
    )
    for matches, data_type in classifiers:
        if matches(indicator):
            return data_type
    raise PluginException(
        cause="Invalid indicator input provided.",
        assistance="Supported indicators are IP, URL, domain and SHA1 hash.",
    )
def _classify_item(item):
    """Return ``(value, type, search_types, report_types)`` for one cleaned observable.

    ``value`` is the string that should be stored: URLs are canonicalised and
    defanged URLs get their first ``hxx`` restored to ``htt``.

    Raises:
        ParseException: if *item* matches none of the supported types.
    """
    if domain(item):
        return item, AttrType.DOMAIN, [AttrType.DOMAIN], [AttrType.DOMAIN]
    if url(item):
        # Drop query arguments from URLs before storing them.
        return get_canonical_url(item), AttrType.URL, [AttrType.URL], [AttrType.URL]
    if defanged_url(item):
        # MISP wants a correct URL, so turn the first 'hxx' back into 'htt'.
        return item.replace('hxx', 'htt', 1), AttrType.URL, [AttrType.URL], [AttrType.URL]
    if ipv4(item) or ipv6(item):
        ip_search_types = [
            AttrType.DOMAIN_IP,
            AttrType.IP_SRC,
            AttrType.IP_SRC_PORT,
            AttrType.IP_DST,
            AttrType.IP_DST_PORT,
        ]
        return item, AttrType.IP_SRC, ip_search_types, [AttrType.IP_SRC]
    if md5(item):
        return item, AttrType.MD5, [AttrType.MD5, AttrType.FILENAME_MD5], [AttrType.MD5]
    if sha1(item):
        return item, AttrType.SHA1, [AttrType.SHA1, AttrType.FILENAME_SHA1], [AttrType.SHA1]
    if sha256(item):
        return item, AttrType.SHA256, [AttrType.SHA256, AttrType.FILENAME_SHA256], [AttrType.SHA256]
    raise ParseException(f'Could not parse {item}')


def parse_items(items: Optional[str]) -> List[Attr]:
    """Turn a newline-separated list of observables into ``Attr`` objects.

    Every non-empty line has all whitespace removed and is URL-decoded
    (``unquote_plus``) before classification as domain, URL, defanged URL,
    IP, MD5, SHA1 or SHA256.  ``None`` or an empty string yields ``[]``.

    Raises:
        ParseException: on the first line that matches no supported type.
    """
    if not items:
        return []
    attrs: List[Attr] = []
    for raw_line in items.split('\n'):
        if not raw_line:
            continue
        cleaned = urllib.parse.unquote_plus(''.join(raw_line.split()))
        value, typ, search_types, report_types = _classify_item(cleaned)
        attrs.append(Attr(value=value, type=typ, search_types=search_types, report_types=report_types))
    return attrs
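def run(self, params=None):
    """Fetch the machines related to an indicator through the connection's client.

    Args:
        params: action inputs; ``Input.INDICATOR`` holds the indicator value.
            Defaults to an empty mapping.  (The original used a mutable ``{}``
            default, which is shared across calls; ``None`` avoids that.)

    Returns:
        dict keyed by ``Output.MACHINES`` holding the cleaned ``"value"`` entry
        of the ``get_related_machines`` response.
    """
    self.logger.info("Running...")
    if params is None:
        params = {}
    indicator = params.get(Input.INDICATOR)
    # The client distinguishes by indicator kind: domain, SHA1 file hash,
    # and everything else is looked up as a user.
    if validators.domain(indicator):
        indicator_type = "domains"
    elif validators.sha1(indicator):
        indicator_type = "files"
    else:
        indicator_type = "users"
    related = self.connection.client.get_related_machines(indicator, indicator_type)
    return {Output.MACHINES: insightconnect_plugin_runtime.helper.clean(related.get("value"))}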
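def hash_scanner():
    """Look up every hash in ``hashs.txt`` against the VirusTotal v2 file report API.

    One hash per line; blank lines are skipped and lines that are not an MD5,
    SHA1 or SHA256 hex digest are reported as invalid without a request.
    Pauses 60 seconds after every four requests to stay within the public
    API limit of 4 requests/minute; lower the delay if you hold a private key.
    Stops at the first quota (204) or authentication (403) response.

    Uses the module-level ``api_key``, ``requests``, ``validators`` and ``time``.
    Note the v2 API carries the key as a query parameter, so it appears in
    any proxy or server access log of the request URL.
    """
    report_url = 'https://www.virustotal.com/vtapi/v2/file/report'
    requests_sent = 0
    with open("hashs.txt", "r") as hash_file:  # make sure this file exists
        for line in hash_file:
            # Strip the newline once; the original passed it to the validators
            # and only matched because `$` tolerates a trailing newline.
            file_hash = line.strip()
            if not file_hash:
                continue
            if not (validators.md5(file_hash) or validators.sha1(file_hash) or validators.sha256(file_hash)):
                # [Usage] a hash must be 32, 40 or 64 hexadecimal characters.
                print(file_hash + " => invalid\n")
                continue
            # Only real requests count against the quota, so the counter is
            # advanced here rather than per line.
            if requests_sent and requests_sent % 4 == 0:
                time.sleep(60)  # public API: 4 requests/minute
            requests_sent += 1
            response = requests.get(report_url, params={'apikey': api_key, 'resource': file_hash})
            if response.status_code == 204:
                print('You may have exceeded your API request quota, try again later.')
                break
            if response.status_code == 403:
                print('Check Your API Key Please.')
                break
            if response.status_code != 200:
                # Any other status was silently skipped by the original; keep that.
                continue
            json_response = response.json()
            if json_response.get('response_code') != 1:
                # An error/not-found report has no 'positives' key, so the
                # original crashed with KeyError right after printing this.
                print('There was an error submitting the File_Hash for scanning.')
                continue
            positives = json_response.get('positives', 0)
            # A single detection qualifies as malicious.
            verdict = ' => Clean' if positives == 0 else ' => Malicious'
            print(file_hash + verdict)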
def _get_type(indicator):
    """Return the API indicator-type name for *indicator*.

    Recognises IP addresses (v4/v6), URLs, domains, SHA1 and SHA256 hashes.

    Raises:
        PluginException: for an MD5 hash (explicitly unsupported) and for any
            value that matches no known type.
    """
    if validators.ipv4(indicator) or validators.ipv6(indicator):
        return "IpAddress"
    # Remaining accepted types, in the original checking order.
    matchers = (
        (validators.url, "Url"),
        (validators.domain, "DomainName"),
        (validators.sha1, "FileSha1"),
        (validators.sha256, "FileSha256"),
    )
    for matches, type_name in matchers:
        if matches(indicator):
            return type_name
    if validators.md5(indicator):
        raise PluginException(
            cause="MD5 hash is not supported.",
            assistance="API supported only SHA256 and SHA1. Please check provided hash and try again.",
        )
    raise PluginException(cause="Could not determine type of indicator.", assistance="Indicator not added.")
def checkType(self, argument):
    """Identify the IOC type of *argument*.

    Returns one of "URL", "MD5", "SHA1", "SHA256", "SHA512", "IPv4", "IPv6"
    or "domain".  When no validator accepts the value an error is reported via
    ``display`` and ``None`` is returned.
    """
    # Validators run in the original order; the first one that accepts wins.
    ioc_checks = (
        (validators.url, "URL"),
        (validators.md5, "MD5"),
        (validators.sha1, "SHA1"),
        (validators.sha256, "SHA256"),
        (validators.sha512, "SHA512"),
        (validators.ipv4, "IPv4"),
        (validators.ipv6, "IPv6"),
        (validators.domain, "domain"),
    )
    for accepts, ioc_type in ioc_checks:
        if accepts(argument):
            return ioc_type
    display("MAIN", argument, "ERROR", "Unable to retrieve IOC type")
    return None
def test_returns_failed_validation_on_invalid_sha1(value):
    """An invalid SHA1 string yields a ``ValidationFailure`` instance (not a bare ``False``)."""
    outcome = validators.sha1(value)
    assert isinstance(outcome, validators.ValidationFailure), outcome
def test_returns_true_on_valid_sha1(value):
    """A well-formed SHA1 hex digest validates truthily."""
    outcome = validators.sha1(value)
    assert outcome, f"expected {value!r} to validate as SHA1"
def _is_not_valid_hash(hash):
    """Return ``True`` unless *hash* validates as an MD5 or SHA1 digest.

    The parameter shadows the ``hash`` builtin; it is kept because callers may
    pass it by keyword.
    """
    is_known_digest = validators.md5(hash) or validators.sha1(hash)
    return not is_known_digest