Merge pull request #1121 from vaclavbartos/master

Update of NERD analyzer
TheHive-Project · Oct 16, 2024 · 01fe091 · 01fe091
2 parents 2e86539 + cb5b2b7
commit 01fe091
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 7 deletions.
diff --git a/analyzers/NERD/README.md b/analyzers/NERD/README.md
@@ -1,10 +1,16 @@
-### Nerd 
-Project [Nerd](https://nerd.cesnet.cz/) aims to build an extensive reputation database of known sources of cyber threats. That is, a list of known malicious IP addresses or other network entities (e.g. ASNs or domain names) together with all security-relevant information about each of them.
+### NERD 
 
-The analyzer comes in a single flavour that will return additional information categorization for provided ip.
+
+[NERD](https://nerd.cesnet.cz/) is a service provided by CESNET which collects information about malicious IP addresses
+from CESNET's own detection systems as well as several public sources.
+It keeps a profile of each known malicious IP address, containing all security-relevant information about the
+address, and it summarizes it into a *reputation score* - a number from 0.0 (good) to 1.0 (bad) representing the amount
+and confidence of recently received reports about that address.
+
+The analyzer comes in a single flavour that will return the reputation score and various tags for provided IP.
 
 #### Requirements
-You need a valid Nerd API integration subscription to use the analyzer.
+You need a valid NERD API integration subscription to use the analyzer.
 
 - Provide your API key as values for the `key` parameter.
-- Default url of NERD instance is provided for `url` parameter but you could override it.
+- Default url of NERD instance is provided for `url` parameter, but you could override it.
diff --git a/analyzers/NERD/nerd.json b/analyzers/NERD/nerd.json
@@ -1,6 +1,6 @@
 {
   "name": "NERD",
-  "version": "1.0",
+  "version": "1.1",
   "author": "Vaclav Bartos, CESNET",
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "license": "AGPL-V3",

diff --git a/analyzers/NERD/nerd_analyzer.py b/analyzers/NERD/nerd_analyzer.py
@@ -19,6 +19,7 @@
     'tor': ('Tor exit node', 'info'),
     'spam': ('Spam', 'malicious'),
     'reserved_ip': ('Reserved IP', 'info'),
+    'whitelist': ("Whitelisted", 'safe'),
 }
 
 
@@ -41,6 +42,9 @@ def summary(self, raw):
             # Reputation score (set level/color according to the score)
             rep = round(raw['rep'], 3)
             rep_level = 'safe' if rep < 0.02 else ('suspicious' if rep <= 0.5 else 'malicious')
+            # if the IP is on whitelist, keep the "rep" number as is, but override level to "safe", so it shows as green
+            if any(t[0] == "Whitelisted" for t in raw['translated_tags']):
+                rep_level = 'safe'
             taxonomies.append(self.build_taxonomy(rep_level, 'NERD', 'Rep', rep))
 
             # Number of blacklists
@@ -82,7 +86,7 @@ def run(self):
             self.error("Unexpected or invalid response received from server (can't parse as JSON). A possible reason can be wrong URL.")
             return
 
-        if resp.status_code == 404:
+        if resp.status_code == 404 and data.get("error") == "IP address not found":
             # IP not found in NERD's DB (i.e. it wasn't reported as malicious)
             self.report({
                 'rep': 0.0,