def run(self):
Analyzer.run(self)
if self.service == 'domainsearch' and (self.data_type == 'domain'
or self.data_type == 'fqdn'):
try:
offset = 0
firstResponse = requests.get(
"{}domain-search?domain={}&api_key={}&limit=100&offset={}".
format(self.URI, self.get_data(), self.key, offset))
firstResponse = firstResponse.json()
if firstResponse.get('meta'):
meta = firstResponse.get('meta')
while meta.get('results') > offset:
offset = meta.get('limit') + meta.get('offset')
additionalResponse = requests.get(
"{}domain-search?domain={}&api_key={}&limit=100&offset={}"
.format(self.URI, self.get_data(), self.key,
offset))
additionalResponse = additionalResponse.json()
meta = additionalResponse.get('meta')
firstResponse['data']['emails'] += additionalResponse[
'data']['emails']
self.report(firstResponse)
except Exception as e:
self.unexpectedError(e)
else:
self.notSupported()
class TestTlpConfig(unittest.TestCase):
def setUp(self):
load_test_fixture('fixtures/test-tlp-config.json')
self.analyzer = Analyzer()
def test_check_tlp_disabled(self):
self.analyzer.enable_check_tlp = False
# Using the _Analyzer__check_tlp notation to access managed method
# __check_tlp
self.assertEqual(self.analyzer._Analyzer__check_tlp(), True)
def test_check_tlp_ko(self):
self.analyzer.enable_check_tlp = True
self.analyzer.max_tlp = 1
self.analyzer.tlp = 3
# Using the _Analyzer__check_tlp notation to access managed method
# __check_tlp
self.assertEqual(self.analyzer._Analyzer__check_tlp(), False)
def test_check_tlp_ok(self):
self.analyzer.enable_check_tlp = True
self.analyzer.max_tlp = 3
self.analyzer.tlp = 3
# Using the _Analyzer__check_tlp notation to access managed method
# __check_tlp
self.assertEqual(self.analyzer._Analyzer__check_tlp(), True)
def __init__(self):
Analyzer.__init__(self)
self.pdns = pypdns.PyPDNS(
basic_auth=(self.get_param('config.user', None,
'No passiveDNS username given.'),
self.get_param('config.password', None,
'No passiveDNS password given.')))
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param("config.service", None,
"Service parameter is missing")
self.raw = ""
self.pivot_count_threshold = int(
self.get_param("config.pivot_count_threshold", 500))
def __init__(self):
Analyzer.__init__(self)
self.basic_url = 'https://www.hybrid-analysis.com/api/'
self.headers = {'User-Agent': 'VxStream'}
self.secret = self.get_param('config.secret', None, 'VxStream Sandbox secret key is missing')
self.api_key = self.get_param('config.key', None, 'VxStream Sandbox API key is missing')
def run(self):
Analyzer.run(self)
try:
self.onyphe_client = Onyphe(self.onyphe_key)
if self.service == 'threats':
ip = self.get_param('data', None, 'Data is missing')
results = {'threats': self.onyphe_client.threatlist(ip)}
self.report(results)
if self.service == 'ports':
ip = self.get_param('data', None, 'Data is missing')
results = {'ports': self.onyphe_client.synscan(ip)}
self.report(results)
if self.service == 'geolocate':
ip = self.get_param('data', None, 'Data is missing')
results = {'location': self.onyphe_client.geolocate(ip)}
self.report(results)
if self.service == 'reverse':
ip = self.get_param('data', None, 'Data is missing')
results = {'reverses': self.onyphe_client.reverse(ip)}
self.report(results)
if self.service == 'forward':
ip = self.get_param('data', None, 'Data is missing')
results = {'forwards': self.onyphe_client.forward(ip)}
self.report(results)
if self.service == 'inetnum':
ip = self.get_param('data', None, 'Data is missing')
results = {'inetnum': self.onyphe_client.inetnum(ip)}
self.report(results)
if self.service == 'datascan':
ip = self.get_param('data', None, 'Data is missing')
results = {'datascan': self.onyphe_client.datascan(ip)}
self.report(results)
except Exception:
pass
def run(self):
Analyzer.run(self)
if self.data_type == 'ip':
try:
data = self.getData()
city = geoip2.database.Reader(os.path.dirname(__file__) + '/GeoLite2-City.mmdb').city(data)
country = geoip2.database.Reader(os.path.dirname(__file__) + '/GeoLite2-Country.mmdb').country(data)
self.report({
'city': self.dumpCity(city.city),
'continent': self.dumpContinent(city.continent),
'country': self.dumpCountry(city.country),
'location': self.dumpLocation(city.location),
'registered_country': self.dumpCountry(city.registered_country),
'represented_country': self.dumpCountry(city.represented_country),
'subdivisions': self.dumpCountry(city.subdivisions.most_specific),
'traits': self.dumpTraits(city.traits)
})
except ValueError as e:
self.error('Invalid IP address')
except AddressNotFoundError as e:
self.error('Unknown IP address')
except Exception as e:
self.unexpectedError(type(e))
else:
self.notSupported()
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param(
'config.service', None, 'Service parameter is missing')
self.url = self.get_param('config.url', None, 'Missing API url')
self.key = self.get_param('config.key', None, 'Missing API key')
self.pwd = self.get_param('config.pwd', None, 'Missing API password')
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param(
'config.service', None, 'Service parameter is missing')
self.key = self.get_param('config.key', None, 'Missing API key')
self.pwd = self.get_param('config.pwd', None, 'Missing API password')
self.request_handler = APIRequestHandler(self.key, self.pwd)
def run(self):
Analyzer.run(self)
if self.data_type == 'file':
hashes = self.get_param('attachment.hashes', None)
if hashes is None:
filepath = self.get_param('file', None, 'File is missing')
sha256 = hashlib.sha256()
with io.open(filepath, 'rb') as fh:
while True:
data = fh.read(4096)
if not data:
break
sha256.update(data)
hash = sha256.hexdigest()
else:
# find SHA256 hash
hash = next(h for h in hashes if len(h) == 64)
self.otx_query_file(hash)
elif self.data_type == 'url':
data = self.get_param('data', None, 'Data is missing')
self.otx_query_url(data)
elif self.data_type == 'domain':
data = self.get_param('data', None, 'Data is missing')
self.otx_query_domain(data)
elif self.data_type == 'ip':
data = self.get_param('data', None, 'Data is missing')
self.otx_query_ip(data)
elif self.data_type == 'hash':
data = self.get_param('data', None, 'Data is missing')
self.otx_query_file(data)
else:
self.error('Invalid data type')
def __init__(self):
Analyzer.__init__(self)
# Fixes #94. Instead of None, the string Unnamed should be passed to MISPClient constructor
name = self.get_param('config.name', None)
if not name or len(name) == 0:
name = 'Unnamed'
if self.get_param('config.cert_check', True):
ssl_path = self.get_param('config.cert_path', None)
if not ssl_path or ssl_path == '':
ssl = True
else:
ssl = ssl_path
else:
ssl = False
try:
self.misp = MISPClient(url=self.get_param('config.url', None, 'No MISP url given.'),
key=self.get_param('config.key', None, 'No MISP api key given.'),
ssl=ssl,
name=name,
proxies={'http': self.http_proxy, 'https': self.https_proxy})
except MISPClientError as e:
self.error(str(e))
except TypeError as te:
self.error(str(te))
def __init__(self):
Analyzer.__init__(self)
self.service = self.getParam("config.service", None,
"VxStream Sandbox service is missing")
self.url = self.getParam("config.url", None,
"VxStream Sandbox URL is missing")
self.api = self.getParam("config.api", None,
"VxStream Sandbox API URL is missing")
self.apikey = self.getParam("config.key", None,
"VxStream Sandbox API key is missing")
self.secret = self.getParam("config.secret", None,
"VxStream Sandbox API secret is missing")
self.environmentid = self.getParam("config.environmentid", 100, None)
self.graceperiod = self.getParam("config.graceperiod", 60 * 5, None)
self.interval = self.getParam("config.interval", 30, None)
self.timeout = self.getParam("config.timeout", 60 * 10, None)
self.hybridanalysis = self.getParam("config.hybridanalysis", True,
None)
self.nosharevt = self.getParam("config.nosharevt", False, None)
self.torenabledanalysis = self.getParam("config.torenabledanalysis",
False, None)
self.headers = {
"User-agent":
"Cortex (https://github.com/CERT-BDF/Cortex) "
"VxStream Sandbox Analyzer"
}
def run(self):
Analyzer.run(self)
if self.data_type == 'file':
hashes = self.get_param('attachment.hashes', None)
if hashes is None:
filepath = self.get_param('file', None, 'File is missing')
hash = hashlib.sha256(open(filepath, 'r').read()).hexdigest();
else:
# find SHA256 hash
hash = next(h for h in hashes if len(h) == 64)
self.otx_query_file(hash)
elif self.data_type == 'url':
data = self.get_param('data', None, 'Data is missing')
self.otx_query_url(data)
elif self.data_type == 'domain':
data = self.get_param('data', None, 'Data is missing')
self.otx_query_domain(data)
elif self.data_type == 'ip':
data = self.get_param('data', None, 'Data is missing')
self.otx_query_ip(data)
elif self.data_type == 'hash':
data = self.get_param('data', None, 'Data is missing')
self.otx_query_file(data)
else:
self.error('Invalid data type')
def run(self):
Analyzer.run(self)
if self.data_type == 'ip':
try:
data = self.get_data()
city = geoip2.database.Reader(os.path.dirname(__file__) + '/GeoLite2-City.mmdb').city(data)
self.report({
'city': self.dump_city(city.city),
'continent': self.dump_continent(city.continent),
'country': self.dump_country(city.country),
'location': self.dump_location(city.location),
'registered_country': self.dump_country(city.registered_country),
'represented_country': self.dump_country(city.represented_country),
'subdivisions': self.dump_country(city.subdivisions.most_specific),
'traits': self.dump_traits(city.traits)
})
except ValueError as e:
self.error('Invalid IP address')
except AddressNotFoundError as e:
self.error('Unknown IP address')
except Exception as e:
self.unexpectedError(type(e))
else:
self.notSupported()
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param(
"config.service", None, "SecurityTrails service is missing")
self.api_key = self.get_param(
"config.api_key", None, "SecurityTrails API key is missing")
def run(self):
Analyzer.run(self)
if self.service == 'domainsearch' and (self.data_type == 'domain' or self.data_type == 'fqdn'):
try:
offset = 0
firstResponse = requests.get("{}domain-search?domain={}&api_key={}&limit=100&offset={}".format(self.URI, self.get_data(), self.key, offset))
firstResponse = firstResponse.json()
if firstResponse.get('meta'):
meta = firstResponse.get('meta')
while meta.get('results') > offset:
offset = meta.get('limit') + meta.get('offset')
additionalResponse = requests.get("{}domain-search?domain={}&api_key={}&limit=100&offset={}".format(
self.URI, self.get_data(), self.key, offset))
additionalResponse = additionalResponse.json()
meta = additionalResponse.get('meta')
firstResponse['data']['emails'] += additionalResponse['data']['emails']
self.report(firstResponse)
except Exception as e:
self.unexpectedError(e)
else:
self.notSupported()
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None, 'Service parameter is missing')
self.api_key = self.get_param('config.api_key', None, 'api_key is missing')
self.api_secret = self.get_param('config.api_secret', None, 'api_secret is missing')
self.organization_id = self.get_param('config.organization_id', None, 'organization_id is missing')
self.query_limit = str(self.get_param('config.query_limit', None, 20))
def __init__(self):
Analyzer.__init__(self)
self.filepath = self.get_param('file', None, 'File parameter is missing.')
self.filename = self.get_param('filename', None, 'Filename is missing.')
self.filetype = pyexifinfo.fileType(self.filepath)
self.mimetype = magic.Magic(mime=True).from_file(self.filepath)
# Check if manalyze submodule is enabled
if self.get_param('config.manalyze_enable', False, 'Parameter manalyze_enable not given.'
'Please enable or disable manalyze submodule explicitly.'):
binary_path = self.get_param('config.manalyze_binary_path',
'/opt/Cortex-Analyzers/utils/manalyze/bin/manalyze')
if self.get_param('config.manalyze_enable_docker', False):
available_submodules.append(
ManalyzeSubmodule(
use_docker=True
)
)
elif self.get_param('config.manalyze_enable_binary', False) \
and os.path.isfile(binary_path):
available_submodules.append(
ManalyzeSubmodule(
use_binary=True,
binary_path=binary_path
)
)
else:
self.error('Manalyze submodule is enabled, but either there is no method allowed (docker or binary)'
'or the path to binary is not correct.')
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None, 'Service parameter is missing')
self.virustotal_key = self.get_param('config.key', None, 'Missing VirusTotal API key')
self.polling_interval = self.get_param('config.polling_interval', 60)
self.proxies = self.get_param('config.proxy', None)
self.vt = VirusTotalPublicApi(self.virustotal_key, self.proxies)
def __init__(self):
Analyzer.__init__(self)
self.basic_url = 'https://www.hybrid-analysis.com/api/'
self.headers = {'User-Agent': 'VxStream'}
self.secret = self.get_param('config.secret', None, 'VxStream Sandbox secret key is missing')
self.api_key = self.get_param('config.key', None, 'VxStream Sandbox API key is missing')
def run(self):
Analyzer.run(self)
data = self.getData()
try:
# enrichment service
if self.service == 'enrichment':
enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
result = enrichment_request.get_enrichment(query=data)
self.report(result)
# malware service
elif self.service == 'malware':
enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
result = enrichment_request.get_malware(query=data)
self.report(result)
# osint service
elif self.service == 'osint':
enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
result = enrichment_request.get_osint(query=data)
self.report(result)
# passive dns service
elif self.service == 'passive_dns':
dns_request = DnsRequest(username=self.username, api_key=self.api_key)
result = dns_request.get_passive_dns(query=data)
self.report(result)
# ssl certificate details service
elif self.service == 'ssl_certificate_details':
ssl_request = SslRequest(username=self.username, api_key=self.api_key)
result = ssl_request.get_ssl_certificate_details(query=data)
self.report(result)
# ssl certificate history service
elif self.service == 'ssl_certificate_history':
ssl_request = SslRequest(username=self.username, api_key=self.api_key)
result = ssl_request.get_ssl_certificate_history(query=data)
self.report(result)
# unique resolutions service
elif self.service == 'unique_resolutions':
dns_request = DnsRequest(username=self.username, api_key=self.api_key)
result = dns_request.get_unique_resolutions(query=data)
self.report(result)
# whois details service
elif self.service == 'whois_details':
whois_request = WhoisRequest(username=self.username, api_key=self.api_key)
result = whois_request.get_whois_details(query=data)
self.report(result)
else:
self.error('Unknown PassiveTotal service')
except Exception as e:
self.unexpectedError(e)
def __init__(self):
Analyzer.__init__(self)
self.tid = self.get_param('config.tid', None, 'Tenant ID is missing')
self.app_id = self.get_param('config.app_id', None, 'App_ID is missing')
self.app_secret = self.get_param('config.app_secret', None, 'Secret is missing')
self.polling_interval = self.get_param('config.polling_interval', 60)
self.API = CyAPI(self.tid, self.app_id, self.app_secret)
self.API.create_conn()
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param(
'config.service', None, 'Service parameter is missing')
self.dnsdb_server = self.get_param(
'config.server', None, 'Missing DNSDB server name')
self.dnsdb_key = self.get_param(
'config.key', None, 'Missing DNSDB API key')
def __init__(self):
Analyzer.__init__(self)
self.misp = MISPClient(url=self.getParam('config.url', None,
'No MISP url given.'),
key=self.getParam('config.key', None,
'No MISP api key given.'),
ssl=self.getParam('config.certpath', True),
name=self.getParam('config.name', None))
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param(
'config.service', None, 'Service parameter is missing')
self.dnsdb_server = self.get_param(
'config.server', None, 'Missing DNSDB server name')
self.dnsdb_key = self.get_param(
'config.key', None, 'Missing DNSDB API key')
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None,
'PassiveTotal service is missing')
self.username = self.get_param('config.username', None,
'PassiveTotal username is missing')
self.api_key = self.get_param('config.key', None,
'PassiveTotal API key is missing')
def __init__(self):
Analyzer.__init__(self)
#filename of the observable
self.filename = self.getParam('attachment.name', 'noname.ext')
#filepath to the observable, looks like /tmp/cortex-4224850437865873235-datafile
self.filepath = self.getParam('file', None, 'File is missing')
def __init__(self):
Analyzer.__init__(self)
self.url = "https://api.any.run/v1"
self.token = self.get_param("config.token", None,
"Service token is missing")
self.verify_ssl = self.get_param("config.verify_ssl", True, None)
if not self.verify_ssl:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def __init__(self):
Analyzer.__init__(self)
self.cortexURL = self.getParam('config.cortexURL', None,
'Cortex URL is missing')
self.MISPSearch = self.getParam('config.MISPSearch', None,
'MISP Analyzer is missing')
self.filename = self.getParam('attachment.name', 'noname.ext')
self.filepath = self.getParam('file', None, 'File is missing')
def __init__(self):
Analyzer.__init__(self)
self.service = self.getParam('config.service', None,
'Service parameter is missing')
self.virustotal_key = self.getParam('config.key', None,
'Missing VirusTotal API key')
self.polling_interval = self.getParam('config.polling_interval', 60)
self.proxies = self.getParam('config.proxy', None)
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None,
'Service parameter is missing')
self.onyphe_key = self.get_param('config.key', None,
'Missing Onyphe API key')
self.onyphe_client = None
self.polling_interval = self.get_param('config.polling_interval', 60)
def __init__(self):
Analyzer.__init__(self)
self.data = self.get_data()
self.path = self.get_param('config.path', 'misp-warninglists')
if not exists(self.path):
self.error('Path to misp-warninglists does not exist.')
self.warninglists = self.readwarninglists()
def __init__(self):
Analyzer.__init__(self)
self.cache_duration = self.getParam('config.cache.duration', 3600)
self.cache_root = self.getParam('config.cache.root',
'/tmp/cortex/tor_project')
self.client = tor_blutmagie.TorBlutmagieClient(
cache_duration=self.cache_duration, cache_root=self.cache_root)
def __init__(self):
Analyzer.__init__(self)
self.data = self.get_data()
self.path = self.get_param('config.path', 'misp-warninglists')
if not exists(self.path):
self.error('Path to misp-warninglists does not exist.')
self.warninglists = self.readwarninglists()
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None,
'Service parameter is missing')
self.key = self.get_param('config.key', None,
'Missing Malware API key')
self.polling_interval = self.get_param('config.polling_interval', 60)
self.m_api = Api(self.key)
def __init__(self):
Analyzer.__init__(self)
self.filepath = self.get_param('file', None,
'File parameter is missing.')
self.filename = self.get_param('filename', None,
'Filename is missing.')
self.filetype = pyexifinfo.fileType(self.filepath)
self.mimetype = magic.Magic(mime=True).from_file(self.filepath)
def __init__(self):
Analyzer.__init__(self)
#filename of the observable
self.filename = self.getParam('attachment.name', 'noname.ext')
#filepath to the observable, looks like /tmp/cortex-4224850437865873235-datafile
self.filepath = self.getParam('file', None, 'File is missing')
def run(self):
Analyzer.run(self)
info = {}
try:
if self.data_type != 'file':
object_name = self.get_data()
if self.data_type in ['domain', 'fqdn']:
url = "https://api.emergingthreats.net/v1/domains/"
features = {
'reputation', 'urls', 'samples', 'ips', 'events',
'nameservers', 'whois', 'geoloc'
}
elif self.data_type == 'ip':
url = "https://api.emergingthreats.net/v1/ips/"
features = {
'reputation', 'urls', 'samples', 'domains', 'events',
'geoloc'
}
elif self.data_type == 'hash':
url = "https://api.emergingthreats.net/v1/samples/"
features = {'', 'connections', 'dns', 'http', 'events'}
elif self.data_type == 'file':
url = "https://api.emergingthreats.net/v1/samples/"
features = {'', 'connections', 'dns', 'http', 'events'}
hashes = self.get_param('attachment.hashes', None)
if hashes is None:
filepath = self.get_param('file', None, 'File is missing')
object_name = hashlib.md5(open(filepath,
'r').read()).hexdigest()
else:
# find MD5 hash
object_name = next(h for h in hashes if len(h) == 32)
else:
self.error('Invalid data type !')
for feature in features:
end = '/' if feature else ''
time.sleep(1)
r = self.session.get(url + object_name + end + feature)
if feature == '':
feature = 'main'
r_json = r.json()
if r.status_code == 200 and r_json['response'] not in [{}, []]:
info[feature] = r_json['response']
elif r.status_code != 200:
info[feature] = "Error"
else:
info[feature] = "-"
self.report(info)
except Exception as e:
self.unexpectedError(e)
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None,
'Service parameter is missing')
# self.username = self.get_param('config.username', None, 'Missing Maltiverse API Username')
# self.password = self.get_param('config.password', None, 'Missing Maltiverse API Password')
self.polling_interval = self.get_param('config.polling_interval', 60)
self.proxies = self.get_param('config.proxy', None)
self.m = Maltiverse()
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None, 'Service parameter is missing')
if self.service == "status":
self.url = 'https://api.hashdd.com/'
elif self.service == "detail":
self.hashdd_key = self.get_param('config.api_key', None, 'Missing hashdd API key')
self.url = 'https://api.hashdd.com/detail'
def __init__(self):
Analyzer.__init__(self)
if self.data_type != 'domain':
self.error('DNSSinkhole Analyzer only usable with domain data type.')
self.resolver = dns.resolver.Resolver()
self.resolver.nameservers = [self.get_param('config.ip', None, 'Bind IP server needed for querying Sinkhole.')]
self.data = self.get_data()
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None,
'Service parameter is missing')
self.client_id = self.get_param('config.client_id', None,
'Missing Client ID')
self.secret = self.get_param('config.secret', None, 'Missing Secret')
self.polling_interval = self.get_param('config.polling_interval', 60)
self.api = Diario(self.client_id, self.secret)
def __init__(self):
Analyzer.__init__(self)
self.service = self.getParam('config.service', None,
'Cymon service is missing')
self.key = self.getParam('config.key', None,
'Cymon API key is missing')
self.con = CymonEngine(self.key)
def run(self):
Analyzer.run(self)
if self.data_type == 'ip':
try:
data = self.get_data()
s = requests.Session()
s.get(
'https://talosintelligence.com/reputation_center/lookup?search={}'
.format(data))
headers = {
'Host':
'talosintelligence.com',
'Referer':
'https://talosintelligence.com/reputation_center/lookup?search={}'
.format(data),
'User-Agent':
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36',
'Accept':
'application/json'
}
response_details = s.get(
'https://talosintelligence.com/sb_api/query_lookup',
headers=headers,
params={
'query': '/api/v2/details/ip/',
'query_entry': data
})
response_location = s.get(
'https://talosintelligence.com/sb_api/query_lookup',
headers=headers,
params={
'query': '/api/v2/location/ip/',
'query_entry': data
})
if response_details.status_code == 200 | 201:
if response_location.status_code == 200 | 201:
result = response_details.json()
result['country'] = response_location.json().get(
'country', None)
self.report(result if len(result) > 0 else {})
else:
self.error(
'Failed to query Talos location. Status_code {}'.
format(response_location.status_code))
else:
self.error(
'Failed to query Talos details. Status_code {}'.format(
response_details.status_code))
except Exception as e:
self.unexpectedError(e)
else:
self.notSupported()
def __init__(self):
"""Initialize the Analyzer."""
Analyzer.__init__(self)
self.service = self.get_param('config.service', None,
'Patrowl service is missing')
self.url = self.get_param('config.url', None,
'Patrowl URL is missing').rstrip('/')
self.api_key = self.get_param('config.api_key', None,
'Patrowl API Key is missing')
def __init__(self):
Analyzer.__init__(self)
self.service = self.getParam('config.service', None,
'Cymon service is missing')
self.key = self.getParam('config.key', None,
'Cymon API key is missing')
self.con = CymonEngine(self.key)
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None, 'Service parameter is missing')
if self.service == "status":
self.url = 'https://api.hashdd.com/'
elif self.service == "detail":
self.hashdd_key = self.get_param('config.api_key', None, 'Missing hashdd API key')
self.url = 'https://api.hashdd.com/detail'
def run(self):
# get input data
Analyzer.run(self)
data = self.getParam('data', None, 'Data is missing')
try:
# send service
if self.service == 'search':
payload = {'ip': data}
r = requests.post('http://www.ipvoid.com/ip-blacklist-check/',
data=payload)
response = r.content.decode()
result = {}
# ip adress information
try:
result['BlacklistStatus'] = re.findall(
'Blacklist Status.*<span[^>]*>(.*)<\/span>',
response)[0]
result['IPAddress'] = re.findall(
'IP Address.*<strong[^>]*>(.*)<\/strong>', response)[0]
result['ReverseDNS'] = re.findall(
'Reverse DNS.*<td[^>]*>(.*)<\/td>', response)[0]
result['ASN'] = re.findall('ASN.*<a[^>]*>(.*)<\/a>',
response)[0]
result['ASNOwner'] = re.findall(
'ASN Owner.*<td[^>]*>(.*)<\/td>', response)[0]
result['ISP'] = re.findall('ISP.*<td[^>]*>(.*)<\/td>',
response)[0]
result['Continent'] = re.findall(
'Continent.*<td[^>]*>(.*)<\/td>', response)[0]
result['CountryCode'] = re.findall(
'Country Code.*<td[^>]*>(.*)<\/td>', response)[0]
result['Latitude/Longitude'] = re.findall(
'Latitude / Longitude.*<td[^>]*>(.*)<\/td>',
response)[0]
result['City'] = re.findall('City.*<td[^>]*>(.*)<\/td>',
response)[0]
result['Region'] = re.findall(
'Region.*<td[^>]*>(.*)<\/td>', response)[0]
except:
pass
try:
result['report'] = re.findall(
'<td><i class=\"([^\"]*)\" aria-hidden=\"true\"><\/i> ([^>]*)<\/td>',
response)
except:
pass
self.report(result)
else:
self.error('Unknown ipvoid service')
except Exception as e:
self.unexpectedError(e)
def __init__(self):
Analyzer.__init__(self)
if self.data_type != 'ip':
self.error('SinkDB Analyzer only usable with ip data type.')
self.apikey = self.get_param('config.key', None, 'API Key needed for querying SinkDB.')
self.data = self.get_data().split('.')
self.data.reverse()
self.data = '.'.join(self.data)
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None, 'ProofPoint service is missing')
self.url = self.get_param('config.url', 'https://tap-api-v2.proofpoint.com', None)
self.apikey = self.get_param('config.apikey', None, 'ProofPoint apikey is missing')
self.secret = self.get_param('config.secret', None, 'ProofPoint secret is missing')
self.verify = self.get_param('config.verifyssl', True, None)
if not self.verify:
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None, 'JoeSandbox service is missing')
self.url = self.get_param('config.url', None, 'JoeSandbox url is missing')
if self.get_param('config.key'):
self.apikey = self.get_param('config.key')
else:
self.apikey = self.get_param('config.apikey', None, 'JoeSandbox API key is missing')
self.analysistimeout = self.get_param('config.analysistimeout', 30*60, None)
self.networktimeout = self.get_param('config.networktimeout', 30, None)
def __init__(self):
Analyzer.__init__(self)
self.url = 'https://pulsedive.com/api/'
self.key = self.get_param('config.key', None, 'API-Key not given.')
self.mapping = {
'high': 'malicious',
'medium': 'suspicious',
'low': 'info'
}
def __init__(self):
Analyzer.__init__(self)
self.auth_url = self.get_param('config.auth_url', None, 'Missing URL for Staxx API auth')
self.query_url = self.get_param('config.query_url', None, 'Missing URL for Staxx API query')
self.username = self.get_param('config.username', None, 'Missing username for Staxx API')
self.password = self.get_param('config.password', None, 'Missing password for Staxx API')
if self.get_param('config.cert_check', True):
self.ssl = self.get_param('config.cert_path', True)
else:
self.ssl = False
def __init__(self):
Analyzer.__init__(self)
self.proxies = self.get_param('config.proxy', None)
self.malicious_confidence_level = self.get_param(
'config.malicious_confidence_level',
StopforumspamAnalyzer._malicious_default_confidence_level)
self.suspicious_confidence_level = self.get_param(
'config.suspicious_confidence_level',
StopforumspamAnalyzer._suspicious_default_confidence_level)
self.client = StopforumspamClient(proxies=self.proxies)
def __init__(self):
Analyzer.__init__(self)
self.url = self.get_param('config.url', None, 'PayloadSecurity url is missing')
self.apikey = self.get_param('config.key', None, 'PayloadSecurity apikey is missing')
self.secret = self.get_param('config.secret', None, 'PayloadSecurity secret is missing')
self.environmentid = self.get_param('config.environmentId', None, 'PayloadSecurity environmentId is missing')
self.timeout = self.get_param('config.timeout', 15, None)
self.verify = self.get_param('config.verifyssl', True, None)
if not self.verify:
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def __init__(self):
Analyzer.__init__(self)
self.api_key = self.get_param('config.key', None, 'No Google API key provided.')
self.client_id = self.get_param('config.client_id', 'Cortex')
self.client_version = '0.1'
self.sb = safebrowsing.SafebrowsingClient(
key=self.api_key,
client_id=self.client_id,
client_version=self.client_version
)
def run(self):
Analyzer.run(self)
if self.service == 'ThreatScore' and (self.data_type == 'domain' or self.data_type == 'ip'):
try:
response = requests.get("{}{}".format(self.URI, self.get_data()))
result = response.json()
self.report(result if len(result) > 0 else {})
except Exception as e:
self.unexpectedError(e)
else:
self.notSupported()
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param(
'config.service', None, 'Service parameter is missing')
self.url = self.get_param('config.url', None, 'Missing API url')
self.key = self.get_param('config.key', None, 'Missing API key')
self.pwd = self.get_param('config.pwd', None, 'Missing API password')
self.verify = self.get_param('config.verify', True)
if not self.verify:
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
self.proxies = self.get_param('config.proxy', None)
def __init__(self):
Analyzer.__init__(self)
self.__uid = self.get_param(
'config.uid',
None,
'No UID for Censys given. Please add it to the cortex configuration.'
)
self.__api_key = self.get_param(
'config.key',
None,
'No API-Key for Censys given. Please add it to the cortex configuration.'
)
def __init__(self):
Analyzer.__init__(self)
self.ttl = self.get_param('config.ttl', 86400)
self.cache_duration = self.get_param('config.cache.duration', 3600)
self.cache_root = self.get_param(
'config.cache.root', '/tmp/cortex/tor_project'
)
self.client = tor_project.TorProjectClient(
ttl=self.ttl,
cache_duration=self.cache_duration,
cache_root=self.cache_root
)
