def handler(q=False):
if q is False:
return False
request = json.loads(q)
if request.get('hostname'):
toquery = request['hostname']
elif request.get('domain'):
toquery = request['domain']
elif request.get('url'):
toquery = request['url']
else:
misperrors['error'] = "Unsupported attributes type"
return misperrors
if not request.get('config') and not (request['config'].get('apikey') and request['config'].et('url')):
misperrors['error'] = 'Phishing Initiative authentication is missing'
return misperrors
p = PyEUPI(request['config']['apikey'], request['config']['url'])
results = p.search_url(url=toquery)
if results.get('results'):
to_return = ''
for r in results['results']:
if r['tag_label'] != 'phishing':
continue
to_return += ' {} {} {} '.format(r['url'], r['domain'], r['ip_address'])
r = {'results': [{'types': mispattributes['output'], 'values': to_return}]}
return r
def run(self):
Analyzer.run(self)
data = self.get_data()
try:
p = PyEUPI(self.phishinginitiative_key)
if self.service == "lookup":
api_response = p.lookup(url=data)
if "status" in api_response and api_response["status"] != 200:
self.error(api_response["message"])
else:
self.report(api_response["results"][0])
elif self.service == "scan":
api_response = p.post_submission(url=data,
comment="Submitted by Cortex")
if api_response["status"] == 201:
api_response_url = "".join(api_response["url"])
if "Elle a été marquée comme étant du phishing" in api_response_url:
self.report({"status": "phishing"})
elif "Elle est en cours d'analyse" in api_response_url:
self.report({"status": "analyzing"})
elif ("Elle n'est pas considérée comme étant du phishing"
in api_response_url):
self.report({"status": "clean"})
else:
self.report({"status": "report"})
else:
self.error("Error: {}".format(api_response["message"]))
except Exception as e:
self.unexpectedError("Service unavailable: {}".format(e))
def __init__(self, config: Dict[str, Any]):
if 'apikey' not in config or config['apikey'] is None:
self.available = False
return
self.available = True
self.autosubmit = False
self.client = PyEUPI(config['apikey'])
if config.get('autosubmit'):
self.autosubmit = True
self.storage_dir_eupi = get_homedir() / 'eupi'
self.storage_dir_eupi.mkdir(parents=True, exist_ok=True)
def eupi(url, key, q):
cached = _cache_get(q, 'eupi')
if cached is not None:
return cached
eu = PyEUPI(key, url)
response = eu.search_url(q)
if response.get('results'):
r = response.get('results')[0]['tag_label']
_cache_set(q, r, 'eupi')
return r
eu.post_submission(q)
return None
def run(self):
Analyzer.run(self)
data = self.getData()
try:
p = PyEUPI(self.phishinginitiative_key)
apiResponse = p.lookup(url=data)
if "status" in apiResponse and apiResponse["status"] != 200:
self.error(apiResponse["message"])
else:
self.report(apiResponse["results"][0])
except:
self.unexpectedError("Service unavailable")
def run(self):
Analyzer.run(self)
data = self.get_data()
try:
p = PyEUPI(self.phishinginitiative_key)
api_response = p.lookup(url=data)
if "status" in api_response and api_response["status"] != 200:
self.error(api_response["message"])
else:
self.report(api_response["results"][0])
except Exception:
self.unexpectedError("Service unavailable")
def handler(q=False):
if q is False:
return False
request = json.loads(q)
if request.get('hostname'):
toquery = request['hostname']
elif request.get('domain'):
toquery = request['domain']
elif request.get('url'):
toquery = request['url']
else:
misperrors['error'] = "Unsupported attributes type"
return misperrors
if not request.get('config') and not (request['config'].get('apikey')
and request['config'].get('url')):
misperrors['error'] = 'EUPI authentication is missing'
return misperrors
pyeupi = PyEUPI(request['config']['apikey'], request['config']['url'])
if 'event_id' in request:
return handle_expansion(pyeupi, toquery)
else:
return handle_hover(pyeupi, toquery)
def run(self):
Analyzer.run(self)
data = self.get_data()
try:
p = PyEUPI(self.phishinginitiative_key)
api_response = p.post_submission(url=data, comment="Submitted by Cortex")
api_response_url = "".join(api_response["url"])
if "Elle a été marquée comme étant du phishing" in api_response_url:
self.report({"status":"phishing"})
elif "Elle est en cours d'analyse" in api_response_url:
self.report({"status":"analyzing"})
elif "Elle n'est pas considérée comme étant du phishing" in api_response_url:
self.report({"status":"clean"})
else:
self.report({"status":"report"})
except Exception:
self.unexpectedError("Service unavailable")
def run(self):
Analyzer.run(self)
data = self.get_data()
try:
p = PyEUPI(self.phishinginitiative_key)
api_response = p.post_submission(url=data,
comment="Submitted by Cortex")
api_response_url = "".join(api_response["url"])
if "Elle a été marquée comme étant du phishing" in api_response_url:
self.report({"status": "phishing"})
elif "Elle est en cours d'analyse" in api_response_url:
self.report({"status": "analyzing"})
elif "Elle n'est pas considérée comme étant du phishing" in api_response_url:
self.report({"status": "clean"})
else:
self.report({"status": "report"})
except Exception:
self.unexpectedError("Service unavailable")
def handler(q=False):
if q is False:
return False
request = json.loads(q)
if request.get('hostname'):
toquery = request['hostname']
elif request.get('domain'):
toquery = request['domain']
elif request.get('url'):
toquery = request['url']
else:
misperrors['error'] = "Unsupported attributes type"
return misperrors
if not request.get('config') and not (request['config'].get('apikey')
and request['config'].et('url')):
misperrors['error'] = 'Phishing Initiative authentication is missing'
return misperrors
p = PyEUPI(request['config']['apikey'], request['config']['url'])
results = p.search_url(url=toquery)
if results.get('results'):
to_return = ''
for r in results['results']:
if r['tag_label'] != 'phishing':
continue
to_return += ' {} {} {} '.format(r['url'], r['domain'],
r['ip_address'])
r = {
'results': [{
'types': mispattributes['output'],
'values': to_return
}]
}
return r
def __init__(self, config: Dict[str, Any]):
if not config.get('apikey'):
self.available = False
return
self.available = True
self.autosubmit = False
self.allow_auto_trigger = False
self.client = PyEUPI(config['apikey'])
if config.get('allow_auto_trigger'):
self.allow_auto_trigger = True
if config.get('autosubmit'):
self.autosubmit = True
self.storage_dir_eupi = get_homedir() / 'eupi'
self.storage_dir_eupi.mkdir(parents=True, exist_ok=True)
class PhishingInitiative():
def __init__(self, config: Dict[str, Any]):
if 'apikey' not in config or config['apikey'] is None:
self.available = False
return
self.available = True
self.autosubmit = False
self.client = PyEUPI(config['apikey'])
if config.get('autosubmit'):
self.autosubmit = True
self.storage_dir_eupi = get_homedir() / 'eupi'
self.storage_dir_eupi.mkdir(parents=True, exist_ok=True)
def __get_cache_directory(self, url: str) -> Path:
m = hashlib.md5()
m.update(url.encode())
return self.storage_dir_eupi / m.hexdigest()
def get_url_lookup(self, url: str) -> Optional[Dict[str, Any]]:
url_storage_dir = self.__get_cache_directory(url)
if not url_storage_dir.exists():
return None
cached_entries = sorted(url_storage_dir.glob('*'), reverse=True)
if not cached_entries:
return None
with cached_entries[0].open() as f:
return json.load(f)
def url_lookup(self, url: str, force: bool = False) -> None:
'''Lookup an URL on Phishing Initiative
Note: force means 2 things:
* (re)scan of the URL
* re fetch the object from Phishing Initiative even if we already did it today
Note: the URL will only be sent for scan if autosubmit is set to true in the config
'''
if not self.available:
raise ConfigError(
'PhishingInitiative not available, probably no API key')
url_storage_dir = self.__get_cache_directory(url)
url_storage_dir.mkdir(parents=True, exist_ok=True)
pi_file = url_storage_dir / date.today().isoformat()
scan_requested = False
if self.autosubmit and force:
self.client.post_submission(url, comment='Received on Lookyloo')
scan_requested = True
if not force and pi_file.exists():
return
for i in range(3):
url_information = self.client.lookup(url)
if not url_information['results']:
# No results, that should not happen (?)
break
if url_information['results'][0]['tag'] == -1:
# Not submitted
if not self.autosubmit:
break
if not scan_requested:
self.client.post_submission(url,
comment='Received on Lookyloo')
scan_requested = True
time.sleep(1)
else:
with pi_file.open('w') as _f:
json.dump(url_information, _f)
break