From 121f4595fd5d7cc3f1bdff8398ab16feb21cca4f Mon Sep 17 00:00:00 2001
From: Nils Kuhnert
Date: Mon, 4 Jun 2018 11:21:58 +0200
Subject: [PATCH] Small changes to Staxx analyzer #263
---
 analyzers/StaxxSearch/requirements.txt | 1 -
 analyzers/StaxxSearch/staxx-cortex.py | 105 +++++++++---------
 analyzers/StaxxSearch/staxx.json | 6 +-
 .../{staxx_1_0 => Staxx_1_0}/long.html | 0
 .../{staxx_1_0 => Staxx_1_0}/short.html | 0
 5 files changed, 56 insertions(+), 56 deletions(-)
 rename thehive-templates/{staxx_1_0 => Staxx_1_0}/long.html (100%)
 rename thehive-templates/{staxx_1_0 => Staxx_1_0}/short.html (100%)
diff --git a/analyzers/StaxxSearch/requirements.txt b/analyzers/StaxxSearch/requirements.txt
index c13438ae1..6aabc3cfa 100644
--- a/analyzers/StaxxSearch/requirements.txt
+++ b/analyzers/StaxxSearch/requirements.txt
@@ -1,3 +1,2 @@
 cortexutils
 requests
-json
diff --git a/analyzers/StaxxSearch/staxx-cortex.py b/analyzers/StaxxSearch/staxx-cortex.py
index 8d6d4487a..e3c6a5450 100644
--- a/analyzers/StaxxSearch/staxx-cortex.py
+++ b/analyzers/StaxxSearch/staxx-cortex.py
@@ -2,70 +2,71 @@ # -*- coding: utf-8 -* import requests -import json from cortexutils.analyzer import Analyzer from requests.packages.urllib3.exceptions import InsecureRequestWarning + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + class StaxxAnalyzer(Analyzer): - def __init__(self): - Analyzer.__init__(self) - self.auth_url = self.get_param('config.auth_url', None, 'Missing URL for Staxx API auth') - self.query_url = self.get_param('config.query_url', None, 'Missing URL for Staxx API query') - self.username = self.get_param('config.username', None, 'Missing username for Staxx API') - self.password = self.get_param('config.password', None, 'Missing password for Staxx API') - if self.get_param('config.cert_check', True): - self.ssl = self.get_param('config.cert_path', True) - else: - self.ssl = False + def __init__(self): + Analyzer.__init__(self) + self.auth_url = self.get_param('config.auth_url', None, 'Missing URL for Staxx API auth') + self.query_url = self.get_param('config.query_url', None, 'Missing URL for Staxx API query') + self.username = self.get_param('config.username', None, 'Missing username for Staxx API') + self.password = self.get_param('config.password', None, 'Missing password for Staxx API') + if self.get_param('config.cert_check', True): + self.ssl = self.get_param('config.cert_path', True) + else: + self.ssl = False + + def _get_headers(self): + return { + 'Content-Type': 'application/json' + } + + def _get_auth_data(self): + return { + 'username': self.username, + 'password': self.password + } - def _get_headers(self): - return { - 'Content-Type': 'application/json' - } + def staxx_query(self, data): + headers = self._get_headers() + auth_data = self._get_auth_data() + r = requests.post(self.auth_url, json=auth_data, headers=headers, verify=self.ssl) + r.raise_for_status() # Raise exception on HTTP errors + token_id = r.json()['token_id'] + pull_data = {'token': token_id, 'query': data, 'type': 'json'} + p = 
requests.post(self.query_url, json=pull_data, headers=headers, verify=self.ssl) + p.raise_for_status() # Raise exception on HTTP errors + return p.json() - def _get_auth_data(self): - return { - 'username': self.username, - 'password': self.password - } + def summary(self, raw): + taxonomies = [] + namespace = "Staxx" + predicate = " Hits" + value = "\0\"" - def staxx_query(self, data): - headers = self._get_headers() - auth_data = self._get_auth_data() - r = requests.post(self.auth_url, json=auth_data, headers=headers, verify=self.ssl) - r.raise_for_status() #Raise exception on HTTP errors - token_id = r.json()['token_id'] - pull_data = {'token': token_id, 'query': data, 'type': 'json'} - p = requests.post(self.query_url, json=pull_data, headers=headers, verify=self.ssl) - p.raise_for_status() #Raise exception on HTTP errors - return p.json() + if 'count' in raw: + r = raw.get('count', 0) - def summary(self, raw): - taxonomies = [] - namespace = "Staxx" - predicate = " Hits" - value = "\0\"" + value = "\"{}\"".format(r) - if 'count' in raw: - r = raw.get('count', 0) + if r > 0: + level = "suspicious" + else: + level = "safe" + taxonomies.append(self.build_taxonomy(level, namespace, predicate, value)) + return {"taxonomies": taxonomies} - value = "\"{}\"".format(r) - - if r > 0: - level = "suspicious" - else: - level = "safe" - taxonomies.append(self.build_taxonomy(level, namespace, predicate, value)) - return {"taxonomies": taxonomies} + def run(self): + Analyzer.run(self) + data = self.get_param('data', None, 'Data is missing') + hits = self.staxx_query(data) + self.report({'hits': hits, 'count': len(hits)}) - def run(self): - Analyzer.run(self) - data = self.get_param('data', None, 'Data is missing') - hits = self.staxx_query(data) - self.report({'hits': hits, 'count': len(hits)}) - if __name__ == '__main__': - StaxxAnalyzer().run() + StaxxAnalyzer().run() 
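Review bot: Both `requests.post` calls in the new `staxx_query` run without a `timeout`, so an unresponsive STAXX endpoint blocks the analyzer job indefinitely; pass a bound on both, e.g. `r = requests.post(self.auth_url, json=auth_data, headers=headers, verify=self.ssl, timeout=30)` and the same on the query post (a `config.timeout` parameter would be cleaner than a literal). The token lookup `token_id = r.json()['token_id']` raises a bare `KeyError` when the auth endpoint answers 2xx without that field, which surfaces as a traceback instead of an analyzer error; guarding it and calling `self.error('Staxx auth response has no token_id')` gives the operator a readable failure. In the rewritten `summary`, the fallback `value = "\0\""` embeds a NUL byte and a stray quote (likely a typo for `"\"0\""`) and `level` is assigned only inside the `count` branch, so a report without `count` would yield a malformed taxonomy or a `NameError` — latent today because `run` always reports `count`, but an explicit default for both would make the method safe on its own. The hunk's indentation was lost in this rendering, so the exact nesting of those `summary` lines is inferred.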
diff --git a/analyzers/StaxxSearch/staxx.json b/analyzers/StaxxSearch/staxx.json
index 28d3e85ef..40d1a4654 100644
--- a/analyzers/StaxxSearch/staxx.json
+++ b/analyzers/StaxxSearch/staxx.json
@@ -1,8 +1,8 @@
 {
- "name": "staxx",
+ "name": "Staxx",
 "author": "Robert Nixon",
 "license": "AGPL-V3",
- "url": "https://github.com/CERT/cortex-analyzers",
+ "url": "https://github.com/robertnixon2003/Cortex-Analyzers",
 "version": "1.0",
 "description": "Fetch observable details from a Anomali STAXX instance.",
 "dataTypeList": ["domain", "fqdn", "ip", "url", "hash", "mail"],
@@ -44,7 +44,7 @@
 "type": "boolean",
 "multi": false,
 "required": true,
- "defaultValue": false
+ "defaultValue": true
 },
 {
 "name": "cert_path",
diff --git a/thehive-templates/staxx_1_0/long.html b/thehive-templates/Staxx_1_0/long.html
similarity index 100%
rename from thehive-templates/staxx_1_0/long.html
rename to thehive-templates/Staxx_1_0/long.html
diff --git a/thehive-templates/staxx_1_0/short.html b/thehive-templates/Staxx_1_0/short.html
similarity index 100%
rename from thehive-templates/staxx_1_0/short.html
rename to thehive-templates/Staxx_1_0/short.html
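Review bot: The `url` field in the first staxx.json hunk now points at a contributor fork (`https://github.com/robertnixon2003/Cortex-Analyzers`) rather than the repository this analyzer ships in; if the field is meant to identify the analyzer's home, it should name the project repository. Flipping `cert_check` to `"defaultValue": true` in the second hunk is the right direction, since `staxx_query` posts the STAXX username and password over that connection, but deployments that relied on the old default against a self-signed certificate will now need `cert_path` set, which is worth a sentence in the `cert_check` description.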