Merge branch 'circl-hashlookup' of https://github.com/nsmfoo/Cortex-A…

…nalyzers into nsmfoo-circl-hashlookup
TheHive-Project · Jan 24, 2022 · 0d6dd74 · 0d6dd74
2 parents f9788cb + 41b960e
commit 0d6dd74
Show file tree

Hide file tree

Showing 5 changed files with 85 additions and 70 deletions.
diff --git a/analyzers/CIRCLHashlookup/CIRCLHashlookup.json b/analyzers/CIRCLHashlookup/CIRCLHashlookup.json
@@ -3,8 +3,8 @@
   "author": "Mikael Keri",
   "license": "AGPL-V3",
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
-  "version": "1.0",
-  "description": "CIRCL Hashlookup is a public service to lookup hash values against known database of good files",
+  "version": "1.1",
+  "description": "CIRCL hashlookup uses a public API to lookup hash values against databases of known good files",
   "dataTypeList": ["hash"],
   "baseConfig": "CIRCLHashlookup",
   "config": {
@@ -22,10 +22,10 @@
    "screenshots": [
      {
        "path": "assets/circlhashlookup_long_report.png",
-       "caption:":"CIRCL Hashlookup analyzer full report"
+       "caption:":"CIRCLHashlookup analyzer full report"
      },
      {
       "path": "assets/circlhashlookup_verdict.png",
-      "caption:":"CIRCL Hashlookup analyzer verdict"
+      "caption:":"CIRCLHashlookup analyzer verdict"
     }]
-}
+}
diff --git a/analyzers/CIRCLHashlookup/circlhashlookup_analyzer.py b/analyzers/CIRCLHashlookup/circlhashlookup_analyzer.py
@@ -2,6 +2,7 @@
 # encoding: utf-8
 
 import requests
+import re
 from cortexutils.analyzer import Analyzer
 
 class CIRCLHashlookupAnalyzer(Analyzer):
@@ -13,7 +14,7 @@ def summary(self, raw):
          taxonomies = []
          namespace = "CIRCLHashlookup"
 
-         if raw.get('CRC32'):
+         if raw.get('hashlookup:trust'):
             verdict = "safe"
             result = "known"
          else:
@@ -32,13 +33,17 @@ def summary(self, raw):
     def run(self):
             if self.data_type == 'hash':
                 data = self.get_param('data', None, 'Data is missing')
-
                 headers = {'Content-type': 'application/json', 'Accept': 'text/plain'}
                 session = requests.Session()
-                if len(data) == 32:
+                # Type of hash
+                if re.search(r'^[0-9a-f]{32}$', data, re.IGNORECASE):
                     s = session.get(self.url + '/lookup/md5/' + data, headers=headers)
-                elif len(data) == 40:
+                elif re.search(r'^[a-f0-9]{40}$', data, re.IGNORECASE):
                     s = session.get(self.url + '/lookup/sha1/' + data, headers=headers)
+                elif re.search(r'^[a-f0-9]{64}$', data, re.IGNORECASE):
+                    s = session.get(self.url + '/lookup/sha256/' + data, headers=headers)
+                elif re.search(r'^[a-f0-9]{128}$', data, re.IGNORECASE):
+                    s = session.get(self.url + '/lookup/sha512/' + data, headers=headers)
                 else:
                     self.error('Unsupported hash type')
 
@@ -52,4 +57,4 @@ def run(self):
                 self.error('Invalid data type')
 
 if __name__ == '__main__':
-    CIRCLHashlookupAnalyzer().run()
+    CIRCLHashlookupAnalyzer().run()
diff --git a/thehive-templates/CIRCLHashlookup_1_0/long.html b/thehive-templates/CIRCLHashlookup_1_0/long.html
diff --git a/thehive-templates/CIRCLHashlookup_1_1/long.html b/thehive-templates/CIRCLHashlookup_1_1/long.html
@@ -0,0 +1,70 @@
+<div class="panel panel-info" ng-if="success && content.message == null ">
+    <div class="panel-heading">
+        CIRCL Hashlookup for: 
+        <strong>{{artifact.data}}</strong>
+        </div>
+</div>
+
+<! -- We have a result -->
+<div class="panel panel-info" ng-if="success && content.message == null ">
+<div ng-repeat = "(key, value) in content">
+
+    <div ng-if="key != 'parents' && key != 'OpSystemCode' && key != 'ProductCode' && key != 'children' ">
+       <td><b>{{key}}:</b></td> <td> {{ value }} </td>
+    </div>
+
+    <div ng-if="key == 'OpSystemCode' ">
+       <td><b>{{key}}:</b></td>
+       <div ng-repeat = "(op_x, op_y) in value">
+           <td><b> - {{op_x}}:</b></td> <td> {{ op_y }} </td>
+       </div>
+    </div>
+
+    <div ng-if="key == 'ProductCode' ">
+       <td><b>{{key}}:</b></td>
+       <div ng-repeat = "(prod_x, prod_y) in value">
+           <td><b> - {{prod_x}}:</b></td> <td> {{ prod_y }} </td>
+         </div>
+    </div>
+
+    <div ng-if="key == 'parents' ">
+       <td><b>{{key}}:</b></td>
+       <div ng-repeat = "r in value">
+        <div ng-repeat = "(par_x, par_y) in r">
+           <td><b>- {{par_x}}:</b></td> <td> {{ par_y }} </td>
+        </div>
+       </div>
+    </div>
+
+    <div ng-if="key == 'children' ">
+       <td><b>{{key}}:</b></td>
+       <div ng-repeat = "c in value">
+        <div ng-repeat = "(child_x, child_y) in c">
+           <td><b>- {{child_x}}:</b></td> <td> {{ child_y }} </td>
+        </div>
+       </div>
+    </div>
+
+</div>
+</div>
+
+
+<!-- No hits  -->
+<div class="panel panel-danger" ng-if="success && content.message != null ">
+     <div class="panel-heading">CIRCL Hashlookup: No hits </div>
+     Hash: {{artifact.data}}
+</div>
+
+
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>General Error: Please try again</strong>
+    </div>
+    <div class="panel-body">
+    	<dl class="dl-horizontal" ng-if="content.errorMessage">
+            <dt><i class="fa fa-warning"></i>CIRCLHashlookup: </dt>
+            <dd class="wrap">{{content.errorMessage}}"</dd>
+        </dl>
+    </div>
+</div>
diff --git a/...-templates/CIRCLHashlookup_1_0/short.html → ...-templates/CIRCLHashlookup_1_1/short.html b/...-templates/CIRCLHashlookup_1_0/short.html → ...-templates/CIRCLHashlookup_1_1/short.html