
#214 add reputation service
jeromeleonard committed Jun 9, 2018
1 parent e94162a commit 146a7da
Showing 5 changed files with 99 additions and 4 deletions.
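--- a/analyzers/DomainTools/DomainTools_Reputation.json
+++ b/analyzers/DomainTools/DomainTools_Reputation.json
@@ -0,0 +1,30 @@
+{
+"name": "DomainTools_Reputation",
+"version": "2.0",
+"author": "CERT-BDF",
+"url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+"license": "AGPL-V3",
+"description": "Use DomainTools to get a reputation score on a domain or fqdn",
+"dataTypeList": ["domain","fqdn"],
+"command": "DomainTools/domaintools_analyzer.py",
+"baseConfig": "DomainTools",
+"config": {
+"service": "reputation"
+},
+"configurationItems": [
+{
+"name": "username",
+"description": "DomainTools API credentials",
+"type": "string",
+"multi": false,
+"required": true
+},
+{
+"name": "key",
+"description": "DomainTools API credentials",
+"type": "string",
+"multi": false,
+"required": true
+}
+]
+}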
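Review bot: `dataTypeList` in this file advertises `fqdn`, but the dispatch branch this commit adds in domaintools_analyzer.py only performs the reputation lookup when `self.data_type == 'domain'`, so an fqdn observable routed to this analyzer never reaches `api.reputation` and falls through to whatever the `elif` chain does by default (that tail is outside the shown hunks). Either widen the branch to `elif self.service == 'reputation' and self.data_type in ('domain', 'fqdn'):` or remove `"fqdn"` from the list so the advertised and implemented data types agree. The `key` item is an API secret yet carries the same description as `username`; `"description": "DomainTools API key (secret)"` would make that explicit to whoever fills in the Cortex configuration.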
2 changes: 1 addition & 1 deletion analyzers/DomainTools/DomainTools_RiskEvidenceScore.json
Expand Up @@ -4,7 +4,7 @@
"author": "CERT-BDF",
"url": "https://github.com/TheHive-Project/Cortex-Analyzers",
"license": "AGPL-V3",
"description": "Use DomainTools to get a risk score and evidence details",
"description": "Use DomainTools to get a risk score and evidence details on a domain or fqdn",
"dataTypeList": ["domain","fqdn"],
"command": "DomainTools/domaintools_analyzer.py",
"baseConfig": "DomainTools",
12 changes: 9 additions & 3 deletions analyzers/DomainTools/domaintools_analyzer.py
Expand Up @@ -51,6 +51,9 @@ def domaintools(self, data):
elif self.service == 'risk_evidence_score' and self.data_type == 'domain':
response = api.risk_evidence(data).response()

elif self.service == 'reputation' and self.data_type == 'domain':
response = api.reputation(data).response()

elif self.service == 'reverse-whois':
response = api.reverse_whois(data, mode='purchase').response()

Expand Down Expand Up @@ -97,7 +100,7 @@ def summary(self, raw):
r["name_server"] = raw["name_server"]["hostname"]
r["domain_count"] = raw["name_server"]["total"]

if "risk_score" in raw and raw["risk_score"] >= 0:
if "risk_score" in raw:
r["risk_score"] = raw["risk_score"]

taxonomies = []
Expand Down Expand Up @@ -129,15 +132,18 @@ def summary(self, raw):
taxonomies.append(
self.build_taxonomy("info", "DT", "Whois", "\"REGISTRANT:{}\"".format(r["registrant"])))

if r["risk_score"]:
if "risk_score" in r:
risk_service = "Risk"
if "reasons" in r:
risk_service = r["reasons"]
if r["risk_score"] == 0:
level = "safe"
elif 0 < r["risk_score"] <= 50:
level = "suspicious"
elif r["risk_score"] > 50:
level = "malicious"
taxonomies.append(
self.build_taxonomy(level, "DT", "Risk", "\"{}\"".format(r["risk_score"])))
self.build_taxonomy(level, "DT", risk_service, "\"{}\"".format(r["risk_score"])))

result = {'taxonomies': taxonomies}
return result
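Review bot: `level` is never assigned when `r["risk_score"]` is outside the three ranges tested in the `== 0` / `0 < … <= 50` / `> 50` chain, and this commit also drops the `>= 0` guard when the score is copied (`if "risk_score" in raw:`), so a negative, `None` or string value coming back from DomainTools now reaches `self.build_taxonomy(level, "DT", risk_service, …)` with `level` unbound and the analyzer fails with UnboundLocalError instead of reporting. The score is untrusted API output, so keep the shape check where it is copied, `if "risk_score" in raw and isinstance(raw["risk_score"], (int, float)):`, and give the chain a fallback, `else: level = "info"`, so an unexpected value still yields a taxonomy entry rather than a crash. `risk_service = r["reasons"]` also places API-returned content in the taxonomy predicate; where `r["reasons"]` is populated is outside this hunk, so whether it is a string or a list cannot be confirmed here, but a list would render as its Python repr in the short template. summary() begins above the hunk.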
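--- a/thehive-templates/DomainTools_Reputation_2_0/long.html
+++ b/thehive-templates/DomainTools_Reputation_2_0/long.html
@@ -0,0 +1,56 @@
+<div class="panel panel-danger" ng-if="!success">
+<div class="panel-heading">
+<strong>{{artifact.data | fang}}</strong>
+</div>
+<div class="panel-body">
+{{content.errorMessage}}
+</div>
+</div>
+
+
+<div class="panel panel-info" ng-if="success">
+<div class="panel-heading">
+<strong>{{artifact.data | fang}}</strong>
+</div>
+<div class="panel-body">
+<dl class="dl-horizontal">
+<dt>Domaintools Risk Score</dt>
+<dd>
+<span class="label" ng-class="{'label-success' : content.risk_score == 0, 'label-warning' : content.risk_score > 0 && content.risk_score <= 50,
+'label-danger': content.risk_score > 50}">
+{{content.risk_score}}
+</span>
+
+</dd>
+</dl>
+<br><br>
+<h4 class="panel-title">Reasons</h4>
+<br>
+<table class="table table-striped table-bordered">
+<thead>
+<tr>
+<th>Domain</th>
+<th>Risk Score</th>
+<th>Reasons</th>
+</tr>
+</thead>
+<tbody ng-repeat="r in content.components">
+<tr>
+<td>{{r.domain}}</td>
+<td>
+<span class="label" ng-class="{'label-success' : content.risk_score == 0, 'label-warning' : content.risk_score > 0 && content.risk_score <= 50,
+'label-danger': content.risk_score > 50}">
+{{r.risk_score}}
+</span>
+</td>
+<td >
+<ul class="list-unstyled">
+<li ng-repeat="reason in r.reasons">{{reason}}</li>
+</ul>
+</td>
+</tr>
+</tbody>
+</table>
+
+</div>
+</div>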
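Review bot: The per-component label inside `<tbody ng-repeat="r in content.components">` colours every row from `content.risk_score` instead of the row's own `r.risk_score`, so a component scored 90 is shown green whenever the overall score is 0, and vice versa; the `ng-class` on that `<span>` should read `{'label-success' : r.risk_score == 0, 'label-warning' : r.risk_score > 0 && r.risk_score <= 50, 'label-danger': r.risk_score > 50}`. The related domain in `<td>{{r.domain}}</td>` is rendered live while the observable in the heading uses `{{artifact.data | fang}}`; piping it through the same filter, `{{r.domain | fang}}`, keeps analyst-facing indicators consistently defanged. Angular interpolation HTML-escapes these API-returned values, so this is a consistency point rather than an injection risk.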
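--- a/thehive-templates/DomainTools_Reputation_2_0/short.html
+++ b/thehive-templates/DomainTools_Reputation_2_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+{{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>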