def __init__(self):
Analyzer.__init__(self)
self.basic_url = 'https://www.hybrid-analysis.com/api/'
self.headers = {'User-Agent': 'VxStream'}
self.secret = self.get_param('config.secret', None, 'VxStream Sandbox secret key is missing')
self.api_key = self.get_param('config.key', None, 'VxStream Sandbox API key is missing')
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param(
"config.service", None, "SecurityTrails service is missing")
self.api_key = self.get_param(
"config.api_key", None, "SecurityTrails API key is missing")
def __init__(self):
Analyzer.__init__(self)
# Fixes #94. Instead of None, the string Unnamed should be passed to MISPClient constructor
name = self.get_param('config.name', None)
if not name or len(name) == 0:
name = 'Unnamed'
if self.get_param('config.cert_check', True):
ssl_path = self.get_param('config.cert_path', None)
if not ssl_path or ssl_path == '':
ssl = True
else:
ssl = ssl_path
else:
ssl = False
try:
self.misp = MISPClient(url=self.get_param('config.url', None, 'No MISP url given.'),
key=self.get_param('config.key', None, 'No MISP api key given.'),
ssl=ssl,
name=name,
proxies={'http': self.http_proxy, 'https': self.https_proxy})
except MISPClientError as e:
self.error(str(e))
except TypeError as te:
self.error(str(te))
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None, 'Service parameter is missing')
self.api_key = self.get_param('config.api_key', None, 'api_key is missing')
self.api_secret = self.get_param('config.api_secret', None, 'api_secret is missing')
self.organization_id = self.get_param('config.organization_id', None, 'organization_id is missing')
self.query_limit = str(self.get_param('config.query_limit', None, 20))
def __init__(self):
Analyzer.__init__(self)
self.filepath = self.get_param('file', None, 'File parameter is missing.')
self.filename = self.get_param('filename', None, 'Filename is missing.')
self.filetype = pyexifinfo.fileType(self.filepath)
self.mimetype = magic.Magic(mime=True).from_file(self.filepath)
# Check if manalyze submodule is enabled
if self.get_param('config.manalyze_enable', False, 'Parameter manalyze_enable not given.'
'Please enable or disable manalyze submodule explicitly.'):
binary_path = self.get_param('config.manalyze_binary_path',
'/opt/Cortex-Analyzers/utils/manalyze/bin/manalyze')
if self.get_param('config.manalyze_enable_docker', False):
available_submodules.append(
ManalyzeSubmodule(
use_docker=True
)
)
elif self.get_param('config.manalyze_enable_binary', False) \
and os.path.isfile(binary_path):
available_submodules.append(
ManalyzeSubmodule(
use_binary=True,
binary_path=binary_path
)
)
else:
self.error('Manalyze submodule is enabled, but either there is no method allowed (docker or binary)'
'or the path to binary is not correct.')
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None, 'Service parameter is missing')
self.virustotal_key = self.get_param('config.key', None, 'Missing VirusTotal API key')
self.polling_interval = self.get_param('config.polling_interval', 60)
self.proxies = self.get_param('config.proxy', None)
self.vt = VirusTotalPublicApi(self.virustotal_key, self.proxies)
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param(
'config.service', None, 'Service parameter is missing')
self.key = self.get_param('config.key', None, 'Missing API key')
self.pwd = self.get_param('config.pwd', None, 'Missing API password')
self.request_handler = APIRequestHandler(self.key, self.pwd)
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param(
'config.service', None, 'Service parameter is missing')
self.url = self.get_param('config.url', None, 'Missing API url')
self.key = self.get_param('config.key', None, 'Missing API key')
self.pwd = self.get_param('config.pwd', None, 'Missing API password')
def __init__(self):
Analyzer.__init__(self)
self.data = self.get_data()
self.path = self.get_param('config.path', 'misp-warninglists')
if not exists(self.path):
self.error('Path to misp-warninglists does not exist.')
self.warninglists = self.readwarninglists()
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param(
'config.service', None, 'Service parameter is missing')
self.dnsdb_server = self.get_param(
'config.server', None, 'Missing DNSDB server name')
self.dnsdb_key = self.get_param(
'config.key', None, 'Missing DNSDB API key')
def __init__(self):
Analyzer.__init__(self)
#filename of the observable
self.filename = self.getParam('attachment.name', 'noname.ext')
#filepath to the observable, looks like /tmp/cortex-4224850437865873235-datafile
self.filepath = self.getParam('file', None, 'File is missing')
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None, 'Service parameter is missing')
if self.service == "status":
self.url = 'https://api.hashdd.com/'
elif self.service == "detail":
self.hashdd_key = self.get_param('config.api_key', None, 'Missing hashdd API key')
self.url = 'https://api.hashdd.com/detail'
def __init__(self):
Analyzer.__init__(self)
self.service = self.getParam('config.service', None,
'Cymon service is missing')
self.key = self.getParam('config.key', None,
'Cymon API key is missing')
self.con = CymonEngine(self.key)
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None, 'ProofPoint service is missing')
self.url = self.get_param('config.url', 'https://tap-api-v2.proofpoint.com', None)
self.apikey = self.get_param('config.apikey', None, 'ProofPoint apikey is missing')
self.secret = self.get_param('config.secret', None, 'ProofPoint secret is missing')
self.verify = self.get_param('config.verifyssl', True, None)
if not self.verify:
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def __init__(self):
Analyzer.__init__(self)
self.url = 'https://pulsedive.com/api/'
self.key = self.get_param('config.key', None, 'API-Key not given.')
self.mapping = {
'high': 'malicious',
'medium': 'suspicious',
'low': 'info'
}
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None, 'JoeSandbox service is missing')
self.url = self.get_param('config.url', None, 'JoeSandbox url is missing')
if self.get_param('config.key'):
self.apikey = self.get_param('config.key')
else:
self.apikey = self.get_param('config.apikey', None, 'JoeSandbox API key is missing')
self.analysistimeout = self.get_param('config.analysistimeout', 30*60, None)
self.networktimeout = self.get_param('config.networktimeout', 30, None)
def __init__(self):
Analyzer.__init__(self)
if self.data_type != 'ip':
self.error('SinkDB Analyzer only usable with ip data type.')
self.apikey = self.get_param('config.key', None, 'API Key needed for querying SinkDB.')
self.data = self.get_data().split('.')
self.data.reverse()
self.data = '.'.join(self.data)
def __init__(self):
Analyzer.__init__(self)
self.auth_url = self.get_param('config.auth_url', None, 'Missing URL for Staxx API auth')
self.query_url = self.get_param('config.query_url', None, 'Missing URL for Staxx API query')
self.username = self.get_param('config.username', None, 'Missing username for Staxx API')
self.password = self.get_param('config.password', None, 'Missing password for Staxx API')
if self.get_param('config.cert_check', True):
self.ssl = self.get_param('config.cert_path', True)
else:
self.ssl = False
def __init__(self):
Analyzer.__init__(self)
self.proxies = self.get_param('config.proxy', None)
self.malicious_confidence_level = self.get_param(
'config.malicious_confidence_level',
StopforumspamAnalyzer._malicious_default_confidence_level)
self.suspicious_confidence_level = self.get_param(
'config.suspicious_confidence_level',
StopforumspamAnalyzer._suspicious_default_confidence_level)
self.client = StopforumspamClient(proxies=self.proxies)
def __init__(self):
Analyzer.__init__(self)
self.url = self.get_param('config.url', None, 'PayloadSecurity url is missing')
self.apikey = self.get_param('config.key', None, 'PayloadSecurity apikey is missing')
self.secret = self.get_param('config.secret', None, 'PayloadSecurity secret is missing')
self.environmentid = self.get_param('config.environmentId', None, 'PayloadSecurity environmentId is missing')
self.timeout = self.get_param('config.timeout', 15, None)
self.verify = self.get_param('config.verifyssl', True, None)
if not self.verify:
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def __init__(self):
Analyzer.__init__(self)
self.api_key = self.get_param('config.key', None, 'No Google API key provided.')
self.client_id = self.get_param('config.client_id', 'Cortex')
self.client_version = '0.1'
self.sb = safebrowsing.SafebrowsingClient(
key=self.api_key,
client_id=self.client_id,
client_version=self.client_version
)
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param(
'config.service', None, 'Service parameter is missing')
self.url = self.get_param('config.url', None, 'Missing API url')
self.key = self.get_param('config.key', None, 'Missing API key')
self.pwd = self.get_param('config.pwd', None, 'Missing API password')
self.verify = self.get_param('config.verify', True)
if not self.verify:
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
self.proxies = self.get_param('config.proxy', None)
def __init__(self):
Analyzer.__init__(self)
self.ttl = self.get_param('config.ttl', 86400)
self.cache_duration = self.get_param('config.cache.duration', 3600)
self.cache_root = self.get_param(
'config.cache.root', '/tmp/cortex/tor_project'
)
self.client = tor_project.TorProjectClient(
ttl=self.ttl,
cache_duration=self.cache_duration,
cache_root=self.cache_root
)
def __init__(self):
Analyzer.__init__(self)
self.__uid = self.get_param(
'config.uid',
None,
'No UID for Censys given. Please add it to the cortex configuration.'
)
self.__api_key = self.get_param(
'config.key',
None,
'No API-Key for Censys given. Please add it to the cortex configuration.'
)
def __init__(self):
Analyzer.__init__(self)
self.url = self.get_param(
'config.url', None, 'Missing Nessus scanner URL')
self.login = self.get_param(
'config.login', None, 'Missing Nessus scanner login')
self.password = self.get_param(
'config.password', None, 'Missing Nessus scanner password')
self.policy = self.get_param(
'config.policy', None, 'Missing Nessus scanner policy')
self.ca_bundle = self.get_param(
'config.ca_bundle')
self.allowed_networks = self.get_param(
'config.allowed_networks')
def __init__(self):
Analyzer.__init__(self)
self.base_url = "https://portal.mnemonic.no/web/api/pdns/v3"
self.apikey = self.get_param("config.key", None)
self.service = self.get_param('config.service', None, 'Service parameter is missing')
self.headers = {
"User-Agent": "Cortex 2",
"Accept": "application/json"
}
self.params = {
"aggregate": "true",
"limit": "0"
}
self.response = None
def __init__(self):
Analyzer.__init__(self)
self.url = self.get_param('config.url', None, 'No VMRay url given.').rstrip('/ ')
self.disable_reanalyze = self.get_param('config.disablereanalyze', False)
# Check for string and boolean True
if self.disable_reanalyze == 'true' or self.disable_reanalyze:
reanalyze = False
else:
reanalyze = True
verify = self.get_param('config.certverify', None, 'Certificate verification parameter is missing.')
certpath = self.get_param('config.certpath', None)
if verify and certpath:
verify = certpath
self.vmrc = VMRayClient(url=self.url,
key=self.get_param('config.key', None, 'No VMRay API key given.'),
cert=verify,
reanalyze=reanalyze)
def __init__(self):
Analyzer.__init__(self)
self.rulepaths = self.get_param('config.rules', None, 'No paths for rules provided.')
if isinstance(self.rulepaths, str):
self.rulepaths = [self.rulepaths]
self.ruleset = []
for rulepath in self.rulepaths:
if os.path.isfile(rulepath):
if rulepath[len(rulepath)-3:] == 'yar':
self.ruleset.append(yara.compile(rulepath))
elif rulepath[len(rulepath)-3:] == 'yas':
self.ruleset.append(yara.load(rulepath))
elif os.path.isdir(rulepath):
if os.path.isfile(rulepath + '/index.yas'):
self.ruleset.append(yara.load(rulepath + '/index.yas'))
elif os.path.isfile(rulepath + '/index.yar'):
self.ruleset.append(yara.compile(rulepath + '/index.yar'))
def __init__(self):
Analyzer.__init__(self)
self.baseurl = "https://malpedia.caad.fkie.fraunhofer.de/api/get"
self.rulepaths = self.get_param('config.path', None, 'No rulepath provided.')
self.user = self.get_param('config.username', None, 'No username provided.')
self.pwd = self.get_param('config.password', None, 'No password provided.')
self.update_hours = int(self.get_param('config.update_hours', 10))
if not os.path.exists(self.rulepaths):
os.makedirs(self.rulepaths)
timestamps = []
try:
for fn in os.listdir(self.rulepaths):
for path in os.path.join(self.rulepaths, fn):
if os.path.isfile(path) and path.endswith('.yar'):
timestamps.append(datetime.datetime.fromtimestamp(os.stat(path)[ST_MTIME]))
newest = max(timestamps)
hours = (datetime.datetime.now() - newest).seconds / 3600
except ValueError:
hours = self.update_hours + 1
if hours > self.update_hours or len(timestamps) == 0:
try:
req = requests.get('{}/yara/after/2010-01-01?format=json'.format(self.baseurl),
auth=HTTPBasicAuth(self.user, self.pwd))
if req.status_code == requests.codes.ok:
rules_json = json.loads(req.text)
for color, color_data in rules_json.items():
for rule_name, rule_text in color_data.items():
with io.open(os.path.join(self.rulepaths, rule_name), 'w', encoding='utf-8') as f:
f.write(rule_text)
else:
self.error('Could not download new rules due tue HTTP {}: {}'.format(req.status_code, req.text))
except Exception as e:
with io.open('%s' % os.path.join(self.rulepaths, "error.txt"), 'w') as f:
f.write('Error: {}\n'.format(e))
def __init__(self):
Analyzer.__init__(self)
# Get config parameters
self.path = self.get_param('config.blocklistpath', None, 'No path to blocklists provided.')
self.ignoreolderthandays = self.get_param('config.ignoreolderthandays', 365)
self.utc = pytz.UTC
self.now = dt.datetime.now(tz=self.utc)
# Check if directory exists
if not os.path.exists(self.path):
os.mkdir(self.path, 0o0700)
# Downloading/updating the list is implemented with an external cronjob which git pulls the repo
# Read files in the given path and prepare file lists for ip- and netsets
files = os.listdir(self.path)
self.ipsets = []
self.netsets = []
for file in files:
if '.ipset' in file:
self.ipsets.append(file)
elif '.netset' in file:
self.netsets.append(file)
def __init__(self):
Analyzer.__init__(self)
self.mode = self.get_param('config.service', None, 'No service given.')
def __init__(self):
Analyzer.__init__(self)
self.api_key = self.get_param("config.api_key", None)
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None,
'Service parameter is missing')
self.key = self.get_param('config.key', None,
'Missing hunter.io API key')
def __init__(self):
Analyzer.__init__(self)
self.url = 'https://hashlookup.circl.lu'
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None,
'Service parameter is missing')
def __init__(self):
Analyzer.__init__(self)
self.url = self.get_param('url', None)
self.proxies = self.get_param('config.proxy', None)
def __init__(self):
Analyzer.__init__(self)
self.service = self.getParam('config.service', None,
'Service parameter is missing')
self.virustotal_key = self.getParam('config.key', None,
'Missing VirusTotal API key')
def __init__(self):
Analyzer.__init__(self)
self.cortexURL = self.getParam('config.cortexURL', None,
'Cortex URL is missing')
self.MISPSearch = self.getParam('config.MISPSearch', None,
'MISP Analyzer is missing')
def __init__(self):
Analyzer.__init__(self)
self.WOT_id = self.get_param('config.user', None,
'Missing WOT API user')
self.WOT_key = self.get_param('config.key', None,
'Missing WOT API key')
def __init__(self):
Analyzer.__init__(self)
self.BC_url = 'https://sitereview.bluecoat.com/'
self.BC_parameter_name = 'url'
self.BC_sitereview = 'sitereview.jsp'
self.BC_rest_page = 'rest/categorization'
def __init__(self):
Analyzer.__init__(self)
self.hostname = self.get_param('config.hostname', None)
self.timeout = self.get_param('config.timeout', None)
self.path = self.get_param('config.path', None)
def __init__(self):
Analyzer.__init__(self)
self.limit = self.get_param('config.limit', '100')
def __init__(self):
Analyzer.__init__(self)
self.service = self.getParam('config.service', None,
'Service parameter is missing')
self.phishtank_key = self.getParam('config.key', None,
'Missing PhishTank API key')
def __init__(self):
Analyzer.__init__(self)
self.service = self.getParam('config.service', None, 'Service parameter is missing')
self.shodan_key = self.getParam('config.key', None, 'Missing Shodan API key')
self.shodan_client = None
self.polling_interval = self.getParam('config.polling_interval', 60)
def __init__(self):
Analyzer.__init__(self)
self.url = self.getParam('config.url', None,
'Missing URL for Hippocampe API')
self.service = self.getParam('config.service', None,
'Service parameter is missing')
def __init__(self):
Analyzer.__init__(self)
self.url = self.get_param('config.url', None,
'Missing URL for Yeti API')
def __init__(self):
Analyzer.__init__(self)
self.filename = self.getParam('attachment.name', 'noname.ext')
self.filepath = self.getParam('file', None, 'File is missing')
def __init__(self):
Analyzer.__init__(self)
self.observable = self.get_param('data', None, 'Data missing!')
def __init__(self):
Analyzer.__init__(self)
self.apikey = self.get_param('config.key', None,
'EmergingThreats apikey is missing')
self.session = requests.Session()
self.session.headers.update({"Authorization": self.apikey})
def __init__(self):
Analyzer.__init__(self)
self.url = "https://dns.google.com/resolve?"
self.proxies = None
self.answer = None
def __init__(self):
"""Initialization of the class. Here normally all parameters are read using `self.get_param`
(or `self.getParam`)"""
Analyzer.__init__(self)
def __init__(self):
Analyzer.__init__(self)
self.pdns = pypdns.PyPDNS(basic_auth=(self.getParam('config.user', None, 'No passiveDNS username given.'),
self.getParam('config.password', None, 'No passiveDNS password given.')))
def __init__(self):
Analyzer.__init__(self)
self.service = self.getParam(
'config.service', 'search',
'ipvoid service is missing, default method is used')
def __init__(self):
Analyzer.__init__(self)
def __init__(self):
Analyzer.__init__(self)
self.name = "DomainMailSPFDMARC"
def __init__(self):
Analyzer.__init__(self)
self.api_key = self.get_param('config.key', None,
'VirusTotal API key is missing')
self.basic_url = "https://www.virustotal.com/vtapi/v2/"
def __init__(self):
Analyzer.__init__(self)
self.api_key = self.get_param('config.key', None, 'Key is missing')
def __init__(self):
Analyzer.__init__(self)
self.otx_key = self.get_param('config.key', None, 'Missing OTX API key')
def __init__(self):
Analyzer.__init__(self)
self.ouis = dict()
self.company = ''
self.address = ''
def __init__(self):
Analyzer.__init__(self)
self.phishtank_key = self.get_param('config.key', None,
'Missing PhishTank API key')