Merge remote-tracking branch 'iosonogio/master' into develop

TheHive-Project · Jul 10, 2018 · 0cbfa74 · 0cbfa74
2 parents a16dfda + 7e00bd4
commit 0cbfa74
Show file tree

Hide file tree

Showing 8 changed files with 215 additions and 0 deletions.
diff --git a/analyzers/Hashdd/Hashdd.py b/analyzers/Hashdd/Hashdd.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python
+# encoding: utf-8
+import requests
+from cortexutils.analyzer import Analyzer
+
+class HashddAnalyzer(Analyzer):
+
+    service = 'Status'
+    url = 'https://api.hashdd.com/'
+    hashdd_key = None
+
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.service = self.get_param('config.service', None, 'Service parameter is missing')
+
+        if self.service == "status":
+            self.url = 'https://api.hashdd.com/'
+        elif self.service == "detail":
+            self.hashdd_key = self.get_param('config.api_key', None, 'Missing hashdd API key')
+            self.url = 'https://api.hashdd.com/detail'
+
+
+    def hashdd_check(self, data):
+        if self.hashdd_key is None:
+            postdata = {'hash': self.get_data()}
+        else:
+            postdata = {'hash': self.get_data(), 'api_key': self.hashdd_key}
+
+        r = requests.post(self.url, data=postdata)
+        r.raise_for_status() # Raise exception on HTTP errors
+        return r.json()
+
+
+    def summary(self, raw):
+
+        taxonomies = []
+        namespace = 'Hashdd'
+        predicate = 'known_level'
+        value = "\0\""
+
+        level = 'info' # Default level: this assigned when known_level is unknown
+
+        if 'known_level' in raw:
+            known_level = raw['known_level']
+            if known_level == 'Good':
+                level = "safe"
+            elif known_level == 'Bad':
+                level = "malicious"
+            # else:
+            #     level = "suspicious" # this one is not used
+
+            value = "\"{}\"".format(known_level) # Value must be enclosed with double quotes
+
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+
+        return {"taxonomies": taxonomies}
+
+
+    def run(self):
+
+        if self.data_type != 'hash':
+            self.notSupported()
+
+        data = self.get_param('data', None, 'Data is missing')
+        hash = data.upper()
+
+        response = self.hashdd_check(data)
+
+        if response['result'] == 'SUCCESS':
+
+            if self.service == "status":
+                self.report({
+                    'known_level': response[hash]['known_level']
+                })
+            elif self.service == "detail":
+                self.report({
+                'known_level': response[hash]['summary']['hashdd_known_level'],
+                'file_name': response[hash]['summary']['hashdd_file_name'],
+                'file_absolute_path': response[hash]['summary']['hashdd_file_absolute_path'],
+                'size': response[hash]['summary']['hashdd_size'],
+                'product_manufacturer': response[hash]['summary']['hashdd_product_manufacturer'],
+                'product_name': response[hash]['summary']['hashdd_product_name'],
+                'product_version': response[hash]['summary']['hashdd_product_version'],
+                'architecture': response[hash]['summary']['hashdd_architecture'],
+                'md5': response[hash]['summary']['hashdd_md5'],
+                'sha1': response[hash]['summary']['hashdd_sha1'],
+                'sha256': response[hash]['summary']['hashdd_sha256'],
+                'ssdeep': response[hash]['summary']['hashdd_ssdeep']
+                })
+        else:
+            self.error('{}'.format(response['result']))
+
+
+if __name__ == '__main__':
+    HashddAnalyzer().run()
diff --git a/analyzers/Hashdd/Hashdd_Detail.json b/analyzers/Hashdd/Hashdd_Detail.json
@@ -0,0 +1,23 @@
+{
+    "name": "Hashdd_Detail",
+    "version": "1.0",
+    "author": "iosonogio",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPLv3",
+    "description": "Determine whether a hash is good or bad; if good then list what it is.",
+    "dataTypeList": ["hash"],
+    "baseConfig": "Hashdd",
+    "config": {
+      "service": "detail"
+    },
+    "command": "Hashdd/Hashdd.py",
+    "configurationItems": [
+      {
+        "name": "api_key",
+        "description": "API key for hashdd",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+    ]
+}
diff --git a/analyzers/Hashdd/Hashdd_Status.json b/analyzers/Hashdd/Hashdd_Status.json
@@ -0,0 +1,23 @@
+{
+    "name": "Hashdd_Status",
+    "version": "1.0",
+    "author": "iosonogio",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPLv3",
+    "description": "Determine whether a hash is good or bad.",
+    "dataTypeList": ["hash"],
+    "baseConfig": "Hashdd",
+    "config": {
+      "service": "status"
+    },
+    "command": "Hashdd/Hashdd.py",
+    "configurationItems": [
+      {
+        "name": "api_key",
+        "description": "API key for hashdd",
+        "type": "string",
+        "multi": false,
+        "required": false
+      }
+    ]
+}
diff --git a/analyzers/Hashdd/requirements.txt b/analyzers/Hashdd/requirements.txt
@@ -0,0 +1,2 @@
+requests
+cortexutils
diff --git a/thehive-templates/Hashdd_Detail_1_0/long.html b/thehive-templates/Hashdd_Detail_1_0/long.html
@@ -0,0 +1,44 @@
+<!-- Success -->
+<div class="panel panel-danger" ng-if="success">
+    <div class="panel-heading">
+        Hashdd report for <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+            <dl class="dl-horizontal" ng-if="content.known_level">
+                <dt>Known Level</dt>
+                <dd>{{content.known_level || "No known level given."}}</dd>
+                <dt>File Name</dt>
+                <dd>{{content.file_name || "No file name given."}}</dd>
+                <dt>File Path</dt>
+                <dd>{{content.file_absolute_path || "No file path given."}}</dd>
+                <dt>File Size</dt>
+                <dd>{{content.size || "No size given."}}</dd>
+                <dt>Product Manufacturer</dt>
+                <dd>{{content.product_manufacturer || "No product manufacturer given."}}</dd>
+                <dt>Product Name</dt>
+                <dd>{{content.product_name || "No product name given."}}</dd>
+                <dt>Product Version</dt>
+                <dd>{{content.product_version || "No product version given."}}</dd>
+                <dt>Architecture</dt>
+                <dd>{{content.architecture || "No architecture given."}}</dd>
+                <dt>md5</dt>
+                <dd>{{content.md5 || "No md5 given."}}</dd>
+                <dt>sha1</dt>
+                <dd>{{content.sha1 || "No sha1 given."}}</dd>
+                <dt>sha256</dt>
+                <dd>{{content.sha256 || "No sha256 given."}}</dd>
+                <dt>ssdeep</dt>
+                <dd>{{content.ssdeep || "No ssdeep given."}}</dd>
+            </dl>
+    </div>
+</div>
+
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>
diff --git a/thehive-templates/Hashdd_Detail_1_0/short.html b/thehive-templates/Hashdd_Detail_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>
diff --git a/thehive-templates/Hashdd_Status_1_0/long.html b/thehive-templates/Hashdd_Status_1_0/long.html
@@ -0,0 +1,22 @@
+<!-- Success -->
+<div class="panel panel-danger" ng-if="success">
+    <div class="panel-heading">
+        Hashdd report for <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+            <dl class="dl-horizontal" ng-if="content.known_level">
+                <dt>Known Level</dt>
+                <dd>{{content.known_level || "No known level given."}}</dd>
+            </dl>
+    </div>
+</div>
+
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{artifact.data | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>
diff --git a/thehive-templates/Hashdd_Status_1_0/short.html b/thehive-templates/Hashdd_Status_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>