async def run_analyzer(self,
apikey,
url,
analyzer_name,
data,
datatype,
message="",
tlp=1):
self.api = Api(url, apikey, cert=False)
try:
job = self.api.analyzers.run_by_name(analyzer_name, {
'data': data,
'dataType': datatype,
'tlp': tlp,
'message': message,
},
force=1)
except cortex4py.exceptions.ServiceUnavailableError as e:
return str(e)
except cortex4py.exceptions.AuthorizationError as e:
return str(e)
except cortex4py.exceptions.NotFoundError as e:
return str(e)
return job.id
async def run_available_analyzers(self,
apikey,
url,
data,
datatype,
message="",
tlp=1):
self.api = Api(url, apikey, cert=False)
analyzers = await self.get_available_analyzers(datatype)
alljobs = []
for analyzer in analyzers:
try:
job = self.api.analyzers.run_by_name(analyzer, {
'data': data,
'dataType': datatype,
'tlp': tlp,
'message': message,
},
force=1)
alljobs.append(job.id)
except cortex4py.exceptions.ServiceUnavailableError as e:
return [e]
except cortex4py.exceptions.AuthorizationError as e:
return [e]
except cortex4py.exceptions.NotFoundError as e:
return [e]
return alljobs
async def run_available_analyzers(self,
apikey,
url,
data,
datatype,
message="",
tlp=1):
if data == "" or data == "[]":
return "No values to handle []"
self.api = Api(url, apikey, cert=False)
analyzers = await self.get_available_analyzers(apikey, url, datatype)
alljobs = []
for analyzer in analyzers:
try:
job = self.api.analyzers.run_by_name(analyzer, {
'data': data,
'dataType': datatype,
'tlp': tlp,
'message': message,
},
force=1)
alljobs.append(job.id)
except cortex4py.exceptions.ServiceUnavailableError as e:
return [str(e)]
except cortex4py.exceptions.AuthorizationError as e:
return [str(e)]
except cortex4py.exceptions.NotFoundError as e:
return [str(e)]
#if len(alljobs) == 1:
# return alljobs[0]
return alljobs
def connect(self):
self.logger.info('%s.connect starts', __name__)
url = self.cfg.get('Cortex', 'url')
api_key = self.cfg.get('Cortex', 'api_key')
return Api(url, api_key)
def __init__(self, url, token):
self.url = url + '/api/'
self.headers = {'Authorization': 'Bearer ' + token}
self.post_header = {
'Authorization': 'Bearer ' + token,
'Content-Type': 'application/json'
}
self.api = Api(url, token)
def connect(self):
self.logger.info('%s.connect starts', __name__)
url = self.cfg.get('Cortex', 'url')
api_key = self.cfg.get('Cortex', 'api_key')
cert = self.cfg.get('Cortex', 'ca', fallback=True)
return Api(url, api_key, cert)
def get_info(mail=True, cortex=True):
try:
info = InternalInfo.objects.first()
except (ObjectDoesNotExist, AttributeError):
logging.error("missing information")
raise CeleryError
# MAIL ITEM ONLY ONCE
if mail:
try:
info = InternalInfo.objects.first()
inbox = IMAP4(info.imap_server)
inbox.starttls()
inbox.login(info.imap_username, info.imap_password)
inbox.select(info.imap_folder)
except (ObjectDoesNotExist, AttributeError):
logging.error("missing information")
raise CeleryError
except (IMAP4.error, ConnectionRefusedError, socket.gaierror):
logging.error("error connecting to imap")
raise CeleryError
else:
inbox = None
# CORTEX CHECK NOT ON MAIL DOWNLOAD
if cortex:
try:
if info.http_proxy and info.https_proxy:
cortex_api = Api(
info.cortex_url,
info.cortex_api,
proxies={
"http": info.http_proxy,
"https": info.https_proxy
},
verify_cert=False,
)
else:
cortex_api = Api(info.cortex_url,
info.cortex_api,
verify_cert=False)
except Exception:
raise CeleryError
else:
cortex_api = None
return info, inbox, cortex_api
def __init__(self, redis, logger, console_logger=None):
"""
Each app should have this __init__ to set up Redis and logging.
:param redis:
:param logger:
:param console_logger:
"""
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
self.api = Api("http://localhost:9001", "APIKEY", cert=False)
super().__init__(redis, logger, console_logger)
async def get_analyzer_result(self, url, apikey, result_id):
self.api = Api(url, apikey, cert=False)
try:
report = self.api.jobs.get_report(result_id).report
except cortex4py.exceptions.ServiceUnavailableError as e:
return str(e)
except cortex4py.exceptions.AuthorizationError as e:
return str(e)
except cortex4py.exceptions.NotFoundError as e:
return str(e)
return report
def __init__(self, config_file='C:\\automation-hunting\\cortex\\conf\\cortex-provider.yaml'):
self.cortex_url = None
self.api_key = None
self.analyzers = list()
self.auto_analyzers_discovery = False
self.cleanup = False
if not self.get_config_data(config_file):
raise Exception('Invalid Configuration File')
self.api = Api(self.cortex_url, self.api_key)
self.update_analyzers_list()
def connect(self, params={}):
url = '{}://{}:{}'.format(
params.get('protocol').lower(), params.get('host'),
params.get('port'))
api_key = params.get('api_key').get('secretKey')
self.verify = params.get('verify', True)
self.logger.info('URL: %s', url)
if not params.get('proxy'):
self.proxy = {}
else:
self.proxy = params.get('proxy')
self.logger.info('Proxy specified: %s', self.proxy)
self.logger.info("Connect: Connecting..")
self.api = Api(url,
api_key,
verify_cert=self.verify,
proxies=self.proxy)
def connect(self, params={}):
url = "{}://{}:{}".format(
params.get("protocol").lower(), params.get("host"),
params.get("port"))
api_key = params.get("api_key").get("secretKey")
self.verify = params.get("verify", True)
self.logger.info("URL: %s", url)
if not params.get("proxy"):
self.proxy = {}
else:
self.proxy = params.get("proxy")
self.logger.info("Proxy specified: %s", self.proxy)
self.logger.info("Connect: Connecting..")
self.api = Api(url,
api_key,
verify_cert=self.verify,
proxies=self.proxy)
async def get_available_analyzers(self, apikey, url, datatype):
self.api = Api(url, apikey, cert=False)
try:
analyzers = self.api.analyzers.find_all({}, range='all')
except cortex4py.exceptions.ServiceUnavailableError as e:
return [str(e)]
except cortex4py.exceptions.AuthorizationError as e:
return [str(e)]
except cortex4py.exceptions.NotFoundError as e:
return [str(e)]
if len(analyzers) == 0:
return []
all_results = []
for analyzer in analyzers:
if not datatype in analyzer.dataTypeList:
continue
all_results.append(analyzer.name)
return all_results
import datetime import time import pytz # Config File import ApiConfig as cfg # TheHive4Py Imports from thehive4py.api import TheHiveApi from thehive4py.models import * from thehive4py.query import * #Cortex Imports from cortex4py.api import Api from cortex4py.query import * #APIs Connection hiveServer = cfg.ApiConfig["TheHiveHost"] + ":" + cfg.ApiConfig["TheHivePort"] hiveKey = cfg.ApiConfig["TheHiveApiKey"] apiH = TheHiveApi(hiveServer, hiveKey) cortexServer = cfg.ApiConfig["CortexHost"] + ":" + cfg.ApiConfig["CortexPort"] cortexKey = cfg.ApiConfig["CortexApiKey"] apiC = Api(cortexServer, cortexKey)
def handle(self, *args, **kwargs):
analyzers = Analyzer.objects.all()
analyzers_name = [x.name for x in analyzers]
if len(analyzers) > 0:
self.stdout.write(
self.style.SUCCESS("Analyzers: {}".format(
", ".join(analyzers_name))))
else:
self.stdout.write(self.style.SUCCESS("No analyzers in db"))
info = InternalInfo.objects.first()
if info.http_proxy and info.https_proxy:
cortex_api = Api(
info.cortex_url,
info.cortex_api,
proxies={
"http": info.http_proxy,
"https": info.https_proxy
},
verify_cert=False,
)
else:
cortex_api = Api(
info.cortex_url,
info.cortex_api,
proxies={
"http": None,
"https": None
},
verify_cert=False,
)
try:
cortex_analyzers = [
(x.name, x.dataTypeList)
for x in cortex_api.analyzers.find_all({}, range="all") if len(
set(x.dataTypeList).intersection(("url", "ip", "file",
"mail", "hash"))) > 0
]
except (
cortex4py.exceptions.AuthenticationError,
cortex4py.exceptions.AuthorizationError,
cortex4py.exceptions.ServiceUnavailableError,
cortex4py.exceptions.CortexError,
):
self.stdout.write(
self.style.ERROR("Problems during cortex connection - Exit!"))
sys.exit()
if len(cortex_analyzers) > 0:
self.stdout.write(
self.style.SUCCESS("Cortex Analyzers: {}".format(", ".join(
[x[0] for x in cortex_analyzers]))))
else:
self.stdout.write(self.style.ERROR("No analyzers in cortex"))
for analyzer in analyzers:
if analyzer.name not in [x[0] for x in cortex_analyzers]:
analyzer.disabled = True
analyzer.save()
self.stdout.write(
self.style.ERROR(
"Disabled {}, not in cortex".format(analyzer)))
for analyzer, supported_types in cortex_analyzers:
if analyzer not in analyzers_name:
new = Analyzer(
name=analyzer,
disabled=True,
supported_types=[
x for x in supported_types
if x in ("url", "ip", "file", "mail", "hash")
],
)
new.save()
self.stdout.write(
self.style.SUCCESS(
"Created {} from cortex".format(analyzer)))
inbox = IMAP4(info.imap_server)
inbox.starttls()
inbox.login(info.imap_username, info.imap_password)
inbox.select(info.imap_folder)
except ObjectDoesNotExist:
raise Error
except (IMAP4.error, ConnectionRefusedError, socket.gaierror):
raise Error
try:
if info.http_proxy and info.https_proxy:
cortex_api = Api(
info.cortex_url,
info.cortex_api,
proxies={
"http": info.http_proxy,
"https": info.https_proxy
},
verify_cert=False,
)
else:
cortex_api = Api(info.cortex_url,
info.cortex_api,
verify_cert=False)
except Exception:
raise Error
misp_api = None
_, data = inbox.search(None, "(ALL)")
email_list = list(data[0].split())