def run(self): try: is_malicious = False observable = self.observable_name # for URLs we are checking the relative domain if self.observable_classification == "url": observable = urlparse(self.observable_name).hostname client = requests.session() params = { "name": observable, "type": "A", "ct": "application/dns-json", } response = client.get( "https://security.cloudflare-dns.com/dns-query", params=params) response.raise_for_status() response_dict = response.json() response_answer = response_dict.get("Answer", []) if response_answer: resolution = response_answer[0].get("data", "") # CloudFlare answers with 0.0.0.0 if the domain is known as malicious if resolution == "0.0.0.0": is_malicious = True except requests.exceptions.RequestException: raise AnalyzerRunException("Connection to CloudFlare failed") return malicious_detector_response(self.observable_name, is_malicious)
def run(self): observable = self.observable_name # for URLs we are checking the relative domain if self.observable_classification == "url": observable = urlparse(self.observable_name).hostname quad9_answer = self._quad9_dns_query(observable) # if Quad9 has not an answer the site could be malicious if not quad9_answer: # Google dns request google_answer = self._google_dns_query(observable) # if Google response, Quad9 marked the site as malicious, # elsewhere the site does not exist if google_answer: return malicious_detector_response(self.observable_name, True) return malicious_detector_response(self.observable_name, False)
def run(self): api_key_name = "GOOGLE_APPLICATION_CREDENTIALS" credentials = secrets.get_secret(api_key_name) if not credentials: raise AnalyzerRunException( f"No credentials retrieved with name: '{api_key_name}'") if not exists(credentials): raise AnalyzerRunException( f"{credentials} should be an existing file. " "Check the docs on how to add this file to" " properly execute this analyzer") web_risk_client = WebRiskServiceClient() # threat types # MALWARE = 1 # SOCIAL_ENGINEERING = 2 # THREAT_TYPE_UNSPECIFIED = 0 should not be used # UNWANTED_SOFTWARE = 3 threat_types = [ThreatType(1), ThreatType(2), ThreatType(3)] response = web_risk_client.search_uris(uri=self.observable_name, threat_types=threat_types, timeout=5) threats_found = response.threat # ThreatUri object logger.debug(f"threat founds {threats_found}") threat_types = threats_found.threat_types malicious = True if threat_types else False web_risk_result = malicious_detector_response(self.observable_name, malicious) # append extra data if malicious: threats_list = [] if 1 in threat_types: threats_list.append("MALWARE") if 2 in threat_types: threats_list.append("SOCIAL_ENGINEERING") if 3 in threat_types: threats_list.append("UNWANTED_SOFTWARE") web_risk_result["threats"] = threats_list return web_risk_result
def run(self): api_key_name = "GSF_KEY" api_key = secrets.get_secret(api_key_name) if not api_key: raise AnalyzerRunException( f"No API key retrieved with name: '{api_key_name}'") sb_instance = SafeBrowsing(api_key) response = sb_instance.lookup_urls([self.observable_name]) if self.observable_name in response and isinstance( response[self.observable_name], dict): result = response[self.observable_name] else: raise AnalyzerRunException(f"result not expected: {response}") malicious = result["malicious"] googlesb_result = malicious_detector_response(self.observable_name, malicious) # append google extra data if malicious: googlesb_result["cache"] = result["cache"] googlesb_result["threats"] = result["threats"] googlesb_result["platforms"] = result["platforms"] return googlesb_result