def test_hostname_get(self):
""" Test that performs an hostname lookup"""
m = Maltiverse()
item = m.hostname_get('samuest.ru')
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('hostname' in item)
def test_url_get(self):
""" Test that performs an url lookup"""
m = Maltiverse()
item = m.url_get('https://www.welsfagmary-online.com/')
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('url' in item)
def test_ip_get(self):
""" Test that performs an ip lookup"""
m = Maltiverse()
item = m.ip_get('1.1.1.1')
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('ip_addr' in item)
def test_sample_get(self):
""" Test that performs an sample lookup"""
m = Maltiverse()
item = m.sample_get('3b9d4f379e59cfc5ed8217424c833fbd16e7bff322c2ea696870061bbd2c5273')
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('sha256' in item)
def test_search(self):
""" Test that performs search into the platform"""
m = Maltiverse()
print m.login(email=self.email, password=self.password)
item = m.search('country_code:"CN"', fr=0, size=2)
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
print len(item['hits']['hits'])
def test_url_get_with_authentication(self):
""" Test that performs an url lookup with authenticantion"""
m = Maltiverse()
m.login(email=self.email, password=self.password)
item = m.url_get('https://www.welsfagmary-online.com/')
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('url' in item)
def test_hostname_get_with_authentication(self):
""" Test that performs an hostname lookup with authenticantion"""
m = Maltiverse()
m.login(email=self.email, password=self.password)
item = m.hostname_get('samuest.ru')
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('hostname' in item)
def test_url_get(self):
""" Test that performs an url lookup"""
m = Maltiverse()
item = m.url_get(
'http://www.hedgeconetworks.com/wp-includes/js/login.php')
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('url' in item)
def test_sample_get_with_authentication(self):
""" Test that performs an sample lookup with authenticantion"""
m = Maltiverse()
m.login(email=self.email, password=self.password)
item = m.sample_get('3b9d4f379e59cfc5ed8217424c833fbd16e7bff322c2ea696870061bbd2c5273')
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('sha256' in item)
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None,
'Service parameter is missing')
# self.username = self.get_param('config.username', None, 'Missing Maltiverse API Username')
# self.password = self.get_param('config.password', None, 'Missing Maltiverse API Password')
self.polling_interval = self.get_param('config.polling_interval', 60)
self.proxies = self.get_param('config.proxy', None)
self.m = Maltiverse()
def test_url_get_with_authentication(self):
""" Test that performs an url lookup with authenticantion"""
m = Maltiverse()
m.login(email=self.email, password=self.password)
item = m.url_get(
'http://www.hedgeconetworks.com/wp-includes/js/login.php')
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('url' in item)
def test_ip_get_with_authentication(self):
""" Test that performs an ip lookup with authenticantion"""
m = Maltiverse()
m.login(email=self.email, password=self.password)
item = m.ip_get('1.1.1.1')
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('ip_addr' in item)
def test_hostname_put_delete(self):
""" Test that performs a hostname put and a delete """
m = Maltiverse()
m.login(email=self.email, password=self.password)
hostname_dict = {
"blacklist": [{
"description": "test",
"source": "test"
}],
"classification": "malicious",
"domain": "test.com",
"hostname": "www.test.com",
"tld": "com",
"type": "hostname",
}
item = m.hostname_put(hostname_dict)
print item
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('status' in item)
self.assertTrue(item['status'] == 'success')
self.assertTrue(item['message'] == 'Hostname created'
or item['message'] == 'Hostname updated')
item = m.hostname_delete(hostname_dict['hostname'])
print item
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('status' in item)
self.assertTrue(item['status'] == 'success')
self.assertTrue(item['message'] == 'Hostname deleted')
def test_url_put_delete(self):
""" Test that performs a url put and a delete """
m = Maltiverse()
m.login(email=self.email, password=self.password)
url_dict = {
"blacklist": [{
"description": "test",
"source": "test"
}],
"domain": "test.com",
"hostname": "www.test.com",
"type": "url",
"url": "http://www.test.com/test.php"
}
item = m.url_put(url_dict)
print item
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('status' in item)
self.assertTrue(item['status'] == 'success')
self.assertTrue(item['message'] == 'Url created'
or item['message'] == 'Url updated')
item = m.url_delete(url_dict['url'])
print item
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('status' in item)
self.assertTrue(item['status'] == 'success')
self.assertTrue(item['message'] == 'Url deleted')
def test_ip_put_delete(self):
""" Test that performs a IP put and a delete """
m = Maltiverse()
m.login(email=self.email, password=self.password)
print m.auth_token
ip_dict = {
"blacklist": [{
"description": "test",
"source": "test"
}],
"classification": "whitelisted",
"ip_addr": "60.60.60.60",
"type": "ip"
}
item = m.ip_put(ip_dict)
print item
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('status' in item)
self.assertTrue(item['status'] == 'success')
self.assertTrue(item['message'] == 'IP created'
or item['message'] == 'IP updated')
item = m.ip_delete(ip_dict['ip_addr'])
print item
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('status' in item)
self.assertTrue(item['status'] == 'success')
self.assertTrue(item['message'] == 'IP deleted')
def test_sample_put_delete(self):
""" Test that performs a sample put and a delete """
m = Maltiverse()
m.login(email=self.email, password=self.password)
sample_dict = {
"blacklist": [{
"description": "test",
"source": "test"
}],
"classification": "whitelisted",
"filename": ["test"],
"md5": "00000000000000000000000000000000",
"sha1": "0000000000000000000000000000000000000000",
"sha256":
"0000000000000000000000000000000000000000000000000000000000000000",
"sha512":
"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"type": "sample"
}
item = m.sample_put(sample_dict)
print item
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('status' in item)
self.assertTrue(item['status'] == 'success')
self.assertTrue(item['message'] == 'Sample created'
or item['message'] == 'Sample updated')
item = m.sample_delete(sample_dict['sha256'])
print item
self.assertTrue(isinstance(str(item), str))
self.assertTrue(isinstance(item, dict))
self.assertTrue('status' in item)
self.assertTrue(item['status'] == 'success')
self.assertTrue(item['message'] == 'Sample deleted')
class MaltiverseAnalyzer(Analyzer):
def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None,
'Service parameter is missing')
# self.username = self.get_param('config.username', None, 'Missing Maltiverse API Username')
# self.password = self.get_param('config.password', None, 'Missing Maltiverse API Password')
self.polling_interval = self.get_param('config.polling_interval', 60)
self.proxies = self.get_param('config.proxy', None)
self.m = Maltiverse()
def maltiverse_query_ip(self, data):
try:
result = self.m.ip_get(data)
self.report({
'registrant_name':
result.get("registrant_name", "-"),
'last_updated':
result.get("last_updated", "-"),
'asn_registry':
result.get("asn_registry", "-"),
'classification':
result.get("classification", "-"),
'asn_country_code':
result.get("asn_country_code", "-"),
'creation_time':
result.get("creation_time", "-"),
'visits':
result.get("visits", "-"),
'blacklist':
result.get("blacklist", "-"),
'asn_date':
result.get("asn_date", "-"),
'modification_time':
result.get("modification_time", "-"),
'asn_cidr':
result.get("asn_cidr", "-"),
'location':
result.get("location", "-"),
'country_code':
result.get("country_code", "-"),
'address':
result.get("address", "-"),
'ip_addr':
result.get("ip_addr", "-"),
'cidr':
result.get("cidr", "-"),
'tag':
result.get("tag", "-"),
'type':
result.get("type", "-"),
'email':
result.get("email", "-")
})
except Exception:
self.error('API Error! Please verify data type is correct.')
def maltiverse_query_domain(self, data):
try:
result = self.m.hostname_get(data)
self.report({
'domain':
result.get("domain", "-"),
'classification':
result.get("classification", "-"),
'hostname':
result.get("hostname", "-"),
'creation_time':
result.get("creation_time", "-"),
'domain_lenght':
result.get("domain_lenght", "-"),
'resolved_ip':
result.get("resolved_ip", "-"),
'modification_time':
result.get("modification_time", "-"),
'domain_consonants':
result.get("domain_consonants", "-"),
'visits':
result.get("visits", "-"),
'tld':
result.get("tld", "-"),
'entropy':
result.get("entropy", "-"),
'type':
result.get("type", "-"),
'as_name':
result.get("as_name", "-")
})
except Exception:
self.error('API Error! Please verify data type is correct.')
def maltiverse_query_file(self, data):
try:
result = self.m.sample_get(data)
self.report(result)
except Exception:
self.error('API Error! Please verify data type is correct.')
def maltiverse_query_url(self, data):
# urlencode the URL that we are searching for
#data = urllib.quote_plus(data)
try:
result = self.m.url_get(data)
self.report({
'original':
data,
'hash':
hash,
'url':
result.get("url", "-"),
'type':
result.get("type", "-"),
'classification':
result.get("classification", "-"),
'tag':
result.get("tag", "-"),
'blacklist':
result.get("blacklist", "-"),
'creation_time':
result.get("creation_time", "-"),
'modification_time':
result.get("modification_time", "-")
})
except:
self.error('API Error! Please verify data type is correct.')
def summary(self, raw):
taxonomies = []
level = "info"
namespace = "Maltiverse"
predicate = "Report"
value = "{}".format("n/a")
if "classification" in raw:
if raw["classification"] == "malicious":
level = "malicious"
elif raw["classification"] == "suspicious":
level = "suspicious"
else:
level = "safe"
value = "{}".format(raw["classification"])
taxonomies.append(
self.build_taxonomy(level, namespace, predicate, value))
return {"taxonomies": taxonomies}
def run(self):
Analyzer.run(self)
if self.data_type == 'file':
hashes = self.get_param('attachment.hashes', None)
if hashes is None:
filepath = self.get_param('file', None, 'File is missing')
sha256 = hashlib.sha256()
with io.open(filepath, 'rb') as fh:
while True:
data = fh.read(4096)
if not data:
break
sha256.update(data)
hash = sha256.hexdigest()
else:
# find SHA256 hash
hash = next(h for h in hashes if len(h) == 64)
self.maltiverse_query_file(hash)
elif self.data_type == 'url':
data = self.get_param('data', None, 'Data is missing')
self.maltiverse_query_url(data)
elif self.data_type == 'domain':
data = self.get_param('data', None, 'Data is missing')
self.maltiverse_query_domain(data)
elif self.data_type == 'ip':
data = self.get_param('data', None, 'Data is missing')
self.maltiverse_query_ip(data)
elif self.data_type == 'hash':
data = self.get_param('data', None, 'Data is missing')
self.maltiverse_query_file(data)
else:
self.error('Invalid data type')
def _api(self, auth_token):
"""Instantiates Maltiverse API"""
api = Maltiverse(auth_token=auth_token)
return api
