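    def get(self, id):
        """Get the analysis with `id`.

        .. :quickref: Analysis; Get an analysis

        Resulting object is in the ``analysis`` field.

        The analysis and every file it references are looked up in the
        current user's own collections (``current_user.analyses`` and
        ``current_user.files``), so an ``id`` the current user does not own
        is simply not found (presumably a 404 via ``get_or_404``) rather
        than resolving to another user's data.

        :param id: id of the analysis.

        :>json dict _id: ObjectId dict.
        :>json dict analyst: analyst's ObjectId.
        :>json dict date: date dict.
        :>json list executed_modules: list of executed modules.
        :>json list pending_modules: list of pending modules.
        :>json list waiting_modules: list of waiting modules.
        :>json list canceled_modules: list of canceled modules.
        :>json string module: the name of the target module.
        :>json string status: status of the analysis (one of `pending`, `running`, `finished` or `error`).
        :>json list tags: the list of tags.
        :>json list probable_names: the list of probable names.
        :>json list iocs: list of dict describing observables.
        :>json dict results: detailed results for each module, with the module name being the key.
        :>json dict generated_files: a dict of generated files, the key being the file type.
        :>json list extracted_files: a list of extracted files.
        :>json dict support_files: a dict of support files, the key being the module name.
        """
        analysis = {
            'analysis':
            clean_analyses(get_or_404(current_user.analyses, _id=id))
        }
        # ``file_doc`` rather than ``file``: avoids shadowing the builtin.
        file_doc = current_user.files.find_one(
            {'_id': analysis['analysis']['file']})
        analysis['analysis']['file'] = clean_files(file_doc)
        ti_modules = [
            m.name for m in dispatcher.get_threat_intelligence_modules()
        ]
        av_modules = [m.name for m in dispatcher.get_antivirus_modules()]

        # Use a distinct loop variable: the original rebound the ``id``
        # parameter while iterating over the extracted file ids.
        if 'extracted_files' in analysis['analysis']:
            files = [
                current_user.files.find_one({'_id': file_id})
                for file_id in analysis['analysis']['extracted_files']
            ]
            analysis['analysis']['extracted_files'] = clean_files(files)

        # Module name -> ModuleInfo, for the template's per-module display.
        modules = {
            module['name']: ModuleInfo(module)
            for module in ModuleInfo.get_collection().find()
        }

        return render(analysis,
                      'analyses/show.html',
                      ctx={
                          'analysis': analysis,
                          'modules': modules,
                          'av_modules': av_modules,
                          'ti_modules': ti_modules
                      })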
    def _lookup_ioc(self, ioc, tags):
        """Query every threat-intelligence module for ``ioc``.

        Each module's ``ioc_lookup`` returns ``(tags, indicators)``; both
        are accumulated in ``ti_tags`` and ``ti_indicators``. Note that
        ``tags`` is rebound to each module's returned tags, so a later
        module receives the previous module's tags rather than the caller's
        original list — NOTE(review): confirm this chaining is intended.

        A module that raises is logged (the ``except Exception, e`` form is
        Python 2 syntax) and skipped, so one failing module does not abort
        the lookup for the others.

        NOTE(review): the listing appears truncated here; ``ti_tags`` and
        ``ti_indicators`` are never returned in the visible code.
        """
        ti_tags = []
        ti_indicators = []

        for module in dispatcher.get_threat_intelligence_modules():
            try:
                # Rebinds ``tags`` for the next iteration (see docstring).
                tags, indicators = module.ioc_lookup(ioc, tags)
                ti_tags += tags
                ti_indicators += indicators
            except Exception, e:
                # Broad catch on purpose: keep going with the remaining
                # modules and surface the failure in the analysis log.
                import traceback
                traceback.print_exc()
                self.log('error', "error in threat intelligence module '{}': {}".format(module.name, e))
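    def submit_iocs(self, id, module):
        """Submit observables to a Threat Intelligence module.

        .. :quickref: Analysis; Submit observables to a threat intelligence module

        If successful, the response will be ``"ok"``.

        The analysis is fetched from ``current_user.analyses``, so only the
        current user's own analyses can be submitted. The request body
        (``request.json``) is forwarded unvalidated to the module's
        ``iocs_submission``, which must therefore treat it as untrusted
        input.

        The ``threat_intelligence`` flag for ``module`` is only recorded
        when a module of that name actually received the submission.

        :param id: id of the analysis.
        :param module: name of the module to submit the observables to.

        :<jsonarr string value: the value of the observable.
        :<jsonarr list tags: a list of tags associated to it.
        """
        analysis = Analysis(get_or_404(current_user.analyses, _id=id))

        submitted = False
        for ti_module in dispatcher.get_threat_intelligence_modules():
            if ti_module.name == module:
                ti_module.iocs_submission(analysis, request.json)
                submitted = True

        # Do not record a submission that never happened: the original code
        # set the flag even when ``module`` matched no loaded module.
        if submitted:
            analysis.update_value(['threat_intelligence', module], True)
        # NOTE(review): an unknown ``module`` still answers "ok"; a 404 would
        # be more accurate, but no abort helper is visible in this listing.

        return make_response("ok")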