def test_hostname_get(self): """ Test that performs an hostname lookup""" m = Maltiverse() item = m.hostname_get('samuest.ru') self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('hostname' in item)
def test_url_get(self): """ Test that performs an url lookup""" m = Maltiverse() item = m.url_get('https://www.welsfagmary-online.com/') self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('url' in item)
def test_ip_get(self): """ Test that performs an ip lookup""" m = Maltiverse() item = m.ip_get('1.1.1.1') self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('ip_addr' in item)
def test_sample_get(self): """ Test that performs an sample lookup""" m = Maltiverse() item = m.sample_get('3b9d4f379e59cfc5ed8217424c833fbd16e7bff322c2ea696870061bbd2c5273') self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('sha256' in item)
def test_search(self): """ Test that performs search into the platform""" m = Maltiverse() print m.login(email=self.email, password=self.password) item = m.search('country_code:"CN"', fr=0, size=2) self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) print len(item['hits']['hits'])
def test_url_get_with_authentication(self): """ Test that performs an url lookup with authenticantion""" m = Maltiverse() m.login(email=self.email, password=self.password) item = m.url_get('https://www.welsfagmary-online.com/') self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('url' in item)
def test_hostname_get_with_authentication(self): """ Test that performs an hostname lookup with authenticantion""" m = Maltiverse() m.login(email=self.email, password=self.password) item = m.hostname_get('samuest.ru') self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('hostname' in item)
def test_url_get(self): """ Test that performs an url lookup""" m = Maltiverse() item = m.url_get( 'http://www.hedgeconetworks.com/wp-includes/js/login.php') self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('url' in item)
def test_sample_get_with_authentication(self): """ Test that performs an sample lookup with authenticantion""" m = Maltiverse() m.login(email=self.email, password=self.password) item = m.sample_get('3b9d4f379e59cfc5ed8217424c833fbd16e7bff322c2ea696870061bbd2c5273') self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('sha256' in item)
def __init__(self): Analyzer.__init__(self) self.service = self.get_param('config.service', None, 'Service parameter is missing') # self.username = self.get_param('config.username', None, 'Missing Maltiverse API Username') # self.password = self.get_param('config.password', None, 'Missing Maltiverse API Password') self.polling_interval = self.get_param('config.polling_interval', 60) self.proxies = self.get_param('config.proxy', None) self.m = Maltiverse()
def test_url_get_with_authentication(self): """ Test that performs an url lookup with authenticantion""" m = Maltiverse() m.login(email=self.email, password=self.password) item = m.url_get( 'http://www.hedgeconetworks.com/wp-includes/js/login.php') self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('url' in item)
def test_ip_get_with_authentication(self): """ Test that performs an ip lookup with authenticantion""" m = Maltiverse() m.login(email=self.email, password=self.password) item = m.ip_get('1.1.1.1') self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('ip_addr' in item)
def test_hostname_put_delete(self): """ Test that performs a hostname put and a delete """ m = Maltiverse() m.login(email=self.email, password=self.password) hostname_dict = { "blacklist": [{ "description": "test", "source": "test" }], "classification": "malicious", "domain": "test.com", "hostname": "www.test.com", "tld": "com", "type": "hostname", } item = m.hostname_put(hostname_dict) print item self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('status' in item) self.assertTrue(item['status'] == 'success') self.assertTrue(item['message'] == 'Hostname created' or item['message'] == 'Hostname updated') item = m.hostname_delete(hostname_dict['hostname']) print item self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('status' in item) self.assertTrue(item['status'] == 'success') self.assertTrue(item['message'] == 'Hostname deleted')
def test_url_put_delete(self): """ Test that performs a url put and a delete """ m = Maltiverse() m.login(email=self.email, password=self.password) url_dict = { "blacklist": [{ "description": "test", "source": "test" }], "domain": "test.com", "hostname": "www.test.com", "type": "url", "url": "http://www.test.com/test.php" } item = m.url_put(url_dict) print item self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('status' in item) self.assertTrue(item['status'] == 'success') self.assertTrue(item['message'] == 'Url created' or item['message'] == 'Url updated') item = m.url_delete(url_dict['url']) print item self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('status' in item) self.assertTrue(item['status'] == 'success') self.assertTrue(item['message'] == 'Url deleted')
def test_ip_put_delete(self): """ Test that performs a IP put and a delete """ m = Maltiverse() m.login(email=self.email, password=self.password) print m.auth_token ip_dict = { "blacklist": [{ "description": "test", "source": "test" }], "classification": "whitelisted", "ip_addr": "60.60.60.60", "type": "ip" } item = m.ip_put(ip_dict) print item self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('status' in item) self.assertTrue(item['status'] == 'success') self.assertTrue(item['message'] == 'IP created' or item['message'] == 'IP updated') item = m.ip_delete(ip_dict['ip_addr']) print item self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('status' in item) self.assertTrue(item['status'] == 'success') self.assertTrue(item['message'] == 'IP deleted')
def test_sample_put_delete(self): """ Test that performs a sample put and a delete """ m = Maltiverse() m.login(email=self.email, password=self.password) sample_dict = { "blacklist": [{ "description": "test", "source": "test" }], "classification": "whitelisted", "filename": ["test"], "md5": "00000000000000000000000000000000", "sha1": "0000000000000000000000000000000000000000", "sha256": "0000000000000000000000000000000000000000000000000000000000000000", "sha512": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "type": "sample" } item = m.sample_put(sample_dict) print item self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('status' in item) self.assertTrue(item['status'] == 'success') self.assertTrue(item['message'] == 'Sample created' or item['message'] == 'Sample updated') item = m.sample_delete(sample_dict['sha256']) print item self.assertTrue(isinstance(str(item), str)) self.assertTrue(isinstance(item, dict)) self.assertTrue('status' in item) self.assertTrue(item['status'] == 'success') self.assertTrue(item['message'] == 'Sample deleted')
class MaltiverseAnalyzer(Analyzer): def __init__(self): Analyzer.__init__(self) self.service = self.get_param('config.service', None, 'Service parameter is missing') # self.username = self.get_param('config.username', None, 'Missing Maltiverse API Username') # self.password = self.get_param('config.password', None, 'Missing Maltiverse API Password') self.polling_interval = self.get_param('config.polling_interval', 60) self.proxies = self.get_param('config.proxy', None) self.m = Maltiverse() def maltiverse_query_ip(self, data): try: result = self.m.ip_get(data) self.report({ 'registrant_name': result.get("registrant_name", "-"), 'last_updated': result.get("last_updated", "-"), 'asn_registry': result.get("asn_registry", "-"), 'classification': result.get("classification", "-"), 'asn_country_code': result.get("asn_country_code", "-"), 'creation_time': result.get("creation_time", "-"), 'visits': result.get("visits", "-"), 'blacklist': result.get("blacklist", "-"), 'asn_date': result.get("asn_date", "-"), 'modification_time': result.get("modification_time", "-"), 'asn_cidr': result.get("asn_cidr", "-"), 'location': result.get("location", "-"), 'country_code': result.get("country_code", "-"), 'address': result.get("address", "-"), 'ip_addr': result.get("ip_addr", "-"), 'cidr': result.get("cidr", "-"), 'tag': result.get("tag", "-"), 'type': result.get("type", "-"), 'email': result.get("email", "-") }) except Exception: self.error('API Error! Please verify data type is correct.') def maltiverse_query_domain(self, data): try: result = self.m.hostname_get(data) self.report({ 'domain': result.get("domain", "-"), 'classification': result.get("classification", "-"), 'hostname': result.get("hostname", "-"), 'creation_time': result.get("creation_time", "-"), 'domain_lenght': result.get("domain_lenght", "-"), 'resolved_ip': result.get("resolved_ip", "-"), 'modification_time': result.get("modification_time", "-"), 'domain_consonants': result.get("domain_consonants", "-"), 'visits': result.get("visits", "-"), 'tld': result.get("tld", "-"), 'entropy': result.get("entropy", "-"), 'type': result.get("type", "-"), 'as_name': result.get("as_name", "-") }) except Exception: self.error('API Error! Please verify data type is correct.') def maltiverse_query_file(self, data): try: result = self.m.sample_get(data) self.report(result) except Exception: self.error('API Error! Please verify data type is correct.') def maltiverse_query_url(self, data): # urlencode the URL that we are searching for #data = urllib.quote_plus(data) try: result = self.m.url_get(data) self.report({ 'original': data, 'hash': hash, 'url': result.get("url", "-"), 'type': result.get("type", "-"), 'classification': result.get("classification", "-"), 'tag': result.get("tag", "-"), 'blacklist': result.get("blacklist", "-"), 'creation_time': result.get("creation_time", "-"), 'modification_time': result.get("modification_time", "-") }) except: self.error('API Error! Please verify data type is correct.') def summary(self, raw): taxonomies = [] level = "info" namespace = "Maltiverse" predicate = "Report" value = "{}".format("n/a") if "classification" in raw: if raw["classification"] == "malicious": level = "malicious" elif raw["classification"] == "suspicious": level = "suspicious" else: level = "safe" value = "{}".format(raw["classification"]) taxonomies.append( self.build_taxonomy(level, namespace, predicate, value)) return {"taxonomies": taxonomies} def run(self): Analyzer.run(self) if self.data_type == 'file': hashes = self.get_param('attachment.hashes', None) if hashes is None: filepath = self.get_param('file', None, 'File is missing') sha256 = hashlib.sha256() with io.open(filepath, 'rb') as fh: while True: data = fh.read(4096) if not data: break sha256.update(data) hash = sha256.hexdigest() else: # find SHA256 hash hash = next(h for h in hashes if len(h) == 64) self.maltiverse_query_file(hash) elif self.data_type == 'url': data = self.get_param('data', None, 'Data is missing') self.maltiverse_query_url(data) elif self.data_type == 'domain': data = self.get_param('data', None, 'Data is missing') self.maltiverse_query_domain(data) elif self.data_type == 'ip': data = self.get_param('data', None, 'Data is missing') self.maltiverse_query_ip(data) elif self.data_type == 'hash': data = self.get_param('data', None, 'Data is missing') self.maltiverse_query_file(data) else: self.error('Invalid data type')
def _api(self, auth_token): """Instantiates Maltiverse API""" api = Maltiverse(auth_token=auth_token) return api