From 1cda7eab955866e07a07b53dd893e7c66106ae58 Mon Sep 17 00:00:00 2001
From: garanews
Date: Tue, 9 Jan 2018 14:39:37 +0100
Subject: [PATCH] fix snort alerts (#163)

---
 .../CuckooSandbox/cuckoosandbox_analyzer.py | 28 +++++++++++--------
 1 file changed, 16 insertions(+), 12 deletions(-)

diff --git a/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py b/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
index d5fdebefd..18fd52de0 100644
--- a/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
+++ b/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
@@ -13,7 +13,7 @@ def __init__(self):
 Analyzer.__init__(self)
 self.service = self.getParam('config.service', None, 'CuckooSandbox service is missing')
 self.url = self.getParam('config.url', None, 'CuckooSandbox url is missing')
- self.url = self.url + "/" if not self.url.endswith("/") else self.url
+ self.url = self.url + "/" if not self.url.endswith("/") else self.url
 #self.analysistimeout = self.getParam('config.analysistimeout', 30*60, None)
 #self.networktimeout = self.getParam('config.networktimeout', 30, None)
@@ -83,19 +83,23 @@ def run(self):
 resp_json = response.json()
 list_description = [x['description'] for x in resp_json['signatures']]
 if 'suricata' in resp_json.keys() and 'alerts' in resp_json['suricata'].keys():
- if 'dstport' in resp_json['suricata']['alerts'].keys():
- suri_alerts = [(x['signature'],x['dstip'],x['dstport'],x['severity']) for x in resp_json['suricata']['alerts']]
- elif 'dst_port' in resp_json['suricata']['alerts'].keys():
- suri_alerts = [(x['signature'],x['dst_ip'],x['dst_port'],x['severity']) for x in resp_json['suricata']['alerts']]
+ if any('dstport' in x for x in resp_json['suricata']['alerts']):
+ suri_alerts = [(x['signature'],x['dstip'],x['dstport'],x['severity']) for x in resp_json['suricata']['alerts'] if 'dstport' in x.keys()]
+ elif any('dst_port' in x for x in resp_json['suricata']['alerts']):
+ suri_alerts = [(x['signature'],x['dst_ip'],x['dst_port'],x['severity']) for x in resp_json['suricata']['alerts']]
+ else:
+ suri_alerts = []
 else:
 suri_alerts = []
 if 'snort' in resp_json.keys() and 'alerts' in resp_json['snort'].keys():
- if 'dstport' in resp_json['snort']['alerts'].keys():
- snort_alerts = [(x['message'],x['dstip'],x['dstport'],x['priority']) for x in resp_json['snort']['alerts']]
- elif 'dst_port' in resp_json['snort']['alerts'].keys():
- snort_alerts = [(x['message'],x['dst_ip'],x['dst_port'],x['priority']) for x in resp_json['snort']['alerts']]
+ if any('dstport' in x for x in resp_json['snort']['alerts']):
+ snort_alerts = [(x['message'],x['dstip'],x['dstport'],x['priority']) for x in resp_json['snort']['alerts']]
+ elif any('dst_port' in x for x in resp_json['snort']['alerts']):
+ snort_alerts = [(x['message'],x['dst_ip'],x['dst_port'],x['priority']) for x in resp_json['snort']['alerts']]
+ else:
+ snort_alerts = []
 else:
- snort_alerts = []
+ snort_alerts = []
 try:
 hosts = [(x['ip'],x['hostname'],x['country_name']) for x in resp_json['network']['hosts']] if 'hosts' in resp_json['network'].keys() else None
 except TypeError as e:
@@ -105,7 +109,7 @@ def run(self):
 self.report({
 'signatures': list_description,
 'suricata_alerts': suri_alerts,
- 'snort_alerts': snort_alerts,
+ 'snort_alerts': snort_alerts,
 'hosts': hosts,
 'uri': uri,
 'malscore': resp_json['malscore'] if 'malscore' in resp_json.keys() else resp_json['info'].get('score', None),
@@ -117,7 +121,7 @@ def run(self):
 self.report({
 'signatures': list_description,
 'suricata_alerts': suri_alerts,
- 'snort_alerts': snort_alerts,
+ 'snort_alerts': snort_alerts,
 'hosts': hosts,
 'uri': uri,
 'malscore': resp_json['malscore'] if 'malscore' in resp_json.keys() else resp_json['info'].get('score', None),
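Review bot: The four rewritten comprehensions guard the alert dicts inconsistently: only the suricata `dstport` branch adds `if 'dstport' in x.keys()`, while the suricata `dst_port` branch and both snort branches index `x['dst_ip']`, `x['dst_port']`, `x['severity']`/`x['priority']` unguarded, and the `any(...)` test only proves that at least one alert carries the port key. A single alert in the sandbox report that lacks one of those fields therefore raises KeyError and the whole report for the sample is lost instead of that one alert being skipped; since these entries describe traffic produced by the analysed sample, a malformed or partial entry is realistic input for a defender-facing analyzer. Apply the same guard to all four branches, or build the tuples with `x.get(...)` so a missing field yields None rather than an exception — the rewrite below shows the suricata block, and the snort block follows the same pattern with `message`/`priority`. `x.keys()` in the filter is redundant, `'dstport' in x` is the same membership test on a dict. run() starts and ends outside the hunk, so whether a KeyError is caught further down is not visible here.
```python
if 'suricata' in resp_json.keys() and 'alerts' in resp_json['suricata'].keys():
    alerts = resp_json['suricata']['alerts']
    # assumes alerts is a list of dicts, as the any() tests in this hunk imply — confirm against the Cuckoo report format
    if any('dstport' in x for x in alerts):
        suri_alerts = [(x.get('signature'), x.get('dstip'), x.get('dstport'), x.get('severity')) for x in alerts]
    elif any('dst_port' in x for x in alerts):
        suri_alerts = [(x.get('signature'), x.get('dst_ip'), x.get('dst_port'), x.get('severity')) for x in alerts]
    else:
        suri_alerts = []
else:
    suri_alerts = []
# … snort block: same structure, tuples built from x.get('message'), x.get('dstip'/'dst_ip'), x.get('dstport'/'dst_port'), x.get('priority') …
```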