def analyse_hash(self, value, type, node): if self.vt: result_log_scan_elem = db.session.query(ResultLogScan).filter( ResultLogScan.scan_value == value).first() response = None if result_log_scan_elem: if self.name not in result_log_scan_elem.reputations: response = self.vt.get_file_report(value) if 'response_code' in response and response[ 'response_code'] == 200: newReputations = dict(result_log_scan_elem.reputations) newReputations[self.name] = response result_log_scan_elem.reputations = newReputations db.session.add(result_log_scan_elem) db.session.commit() else: response = result_log_scan_elem.reputations[self.name] if 'results' in response and 'positives' in response[ 'results'] and response['results']['positives'] > 0: check_and_save_intel_alert(scan_type=type, scan_value=value, data=response, source=self.name, severity="LOW")
def analyse_domain(self, value, type, node): response = cybercure.search('url') if 'exists' in response and response['exists'] == True: check_and_save_intel_alert(scan_type=type, scan_value=value, data={}, source="cybercure", severity="LOW") # TODO(andrew-d): better message? current_app.logger.log(self.level, 'Triggered alert: ')
def analyse_domain(self, value, type, node): # TODO(andrew-d): better message? r = self.api.lookup_urls( url='http://malware.testing.google.test/testing/malware/') if 'malicious' in r and r['malicious'] == True: check_and_save_intel_alert(scan_type=type, scan_value=value, data=r, source="SafeBrowsing", severity="LOW") current_app.logger.log(self.level, 'Triggered alert: SfeBrowsing ')
def analyse_hash(self, value, type, node): if self.vt: result_log_scan_elem = db.session.query(ResultLogScan).filter( ResultLogScan.scan_value == value).first() min_match_count = db.session.query(Settings).filter( Settings.name == 'virustotal_min_match_count').first() av_engines = [ item[0] for item in db.session.query(VirusTotalAvEngines).filter( VirusTotalAvEngines.status == True).all() ] response = None is_detected = False if result_log_scan_elem: if self.name not in result_log_scan_elem.reputations: response = self.vt.get_file_report(value) if 'response_code' in response and response[ 'response_code'] == 200: newReputations = dict(result_log_scan_elem.reputations) newReputations[self.name] = response result_log_scan_elem.reputations = newReputations db.session.add(result_log_scan_elem) db.session.commit() else: response = result_log_scan_elem.reputations[self.name] if 'results' in response and 'positives' in response[ 'results'] and response['results']['positives'] > 0: for avengine in response['results']['scans']: if response['results']['scans'][avengine][ 'detected'] == True and avengine in av_engines: is_detected = True break if is_detected == False and response['results'][ 'positives'] >= int(min_match_count.setting): is_detected = True if is_detected: check_and_save_intel_alert(scan_type=type, scan_value=value, data=response, source=self.name, severity="LOW")
def generate_alerts(self): try: source = self.name from polylogyx.database import db from polylogyx.models import ResultLogScan from polylogyx.utils import check_and_save_intel_alert result_log_scans = db.session.query(ResultLogScan).filter( ResultLogScan.reputations[source + "_detected"].astext.cast( sqlalchemy.Boolean).is_(True)).all() for result_log_scan in result_log_scans: check_and_save_intel_alert( scan_type=result_log_scan.scan_type, scan_value=result_log_scan.scan_value, data=result_log_scan.reputations[source], source=source, severity="LOW") except Exception as e: current_app.logger.error(e)
def generate_alerts(self): try: source = self.name from polylogyx.models import ResultLogScan from polylogyx.database import db from polylogyx.utils import check_and_save_intel_alert matches = db.session.query(ResultLogScan, IOCIntel.severity).join( IOCIntel, IOCIntel.value == ResultLogScan.scan_value).all() for match in matches: scan_elem = match[0] severity = match[1] check_and_save_intel_alert(scan_type=scan_elem.scan_type, scan_value=scan_elem.scan_value, data={}, source=source, severity=severity) except Exception as e: current_app.logger.error(e)
def analyse_hash(self, value, type, node): if self.otx: result_log_scan_elem = db.session.query(ResultLogScan).filter( ResultLogScan.scan_value == value).first() response = {} if result_log_scan_elem: if self.name not in result_log_scan_elem.reputations: response = is_hash_malicious(value, self.otx) newReputations = dict(result_log_scan_elem.reputations) newReputations[self.name] = response result_log_scan_elem.reputations = newReputations db.session.add(result_log_scan_elem) db.session.commit() else: response = result_log_scan_elem.reputations[self.name] if 'alerts' in response and len(response['alerts']) > 0: check_and_save_intel_alert(scan_type=type, scan_value=value, data=response['result'], source=self.name, severity="LOW")
def generate_alerts(self): try: from polylogyx.utils import check_and_save_intel_alert from polylogyx.models import ResultLogScan from polylogyx.database import db source = self.name result_log_scans = db.session.query(ResultLogScan).filter( ResultLogScan.reputations[source + "_detected"].astext.cast(sqlalchemy.Boolean).is_(True)).all() for result_log_scan in result_log_scans: severity=Alerts.INFO if result_log_scan.reputations[source]['malware']['risk']=='high': severity=Alerts.CRITICAL elif result_log_scan.reputations[source]['malware']['risk']=='medium': severity=Alerts.WARNING check_and_save_intel_alert(scan_type=result_log_scan.scan_type, scan_value=result_log_scan.scan_value, data=result_log_scan.reputations[source], source=source, severity=severity) except Exception as e: current_app.logger.error(e)