#212 WIP - improve summary and mini reports

TheHive-Project · Jun 4, 2018 · 289dc12 · 289dc12
1 parent d4b58e8
commit 289dc12
Show file tree

Hide file tree

Showing 6 changed files with 98 additions and 80 deletions.
diff --git a/analyzers/FileInfo/fileinfo_analyzer.py b/analyzers/FileInfo/fileinfo_analyzer.py
@@ -15,45 +15,39 @@ def __init__(self):
         self.filetype = pyexifinfo.fileType(self.filepath)
         self.mimetype = magic.Magic(mime=True).from_file(self.filepath)
 
+    def summary(self, raw):
+        taxonomies = []
+        for submodule in raw['results']:
+            taxonomies += submodule['summary']['taxonomies']
+        return {'taxonomies': taxonomies}
 
-    def build_summary(self, module_results):
 
-        summary = []
-        for m in module_results:
-            if m["submodule_section_summary"]["taxonomies"] != []:
-
-                summary += m["submodule_section_summary"]["taxonomies"]
-
-        return summary
 
     def run(self):
         results = []
-        summary = []
 
         # Add metadata to result directly as it's mandatory
         m = MetadataSubmodule()
-        matadata_results = m.analyze_file(self.filepath)
+        metadata_results = m.analyze_file(self.filepath)
         results.append({
             'submodule_name': m.name,
-            'results': matadata_results,
-            'summary': self.build_summary(matadata_results)
-
+            'results': metadata_results,
+            'summary': m.module_summary()
         })
-        # self.build_summary(summary, matadata_results)
 
         for module in available_submodules:
             if module.check_file(file=self.filepath, filetype=self.filetype, filename=self.filename,
                                  mimetype=self.mimetype):
                 module_results = module.analyze_file(self.filepath)
+                module_summaries = module.module_summary()
                 results.append({
                    'submodule_name': module.name,
                    'results': module_results,
-                    'summary': self.build_summary(module_results)
+                    'summary': module_summaries
                 })
 
-                # self.build_summary(summary, module_results)
 
-        self.report({'results': results, 'summary': summary})
+        self.report({'results': results})
 
 
 if __name__ == '__main__':

diff --git a/analyzers/FileInfo/submodules/submodule_base.py b/analyzers/FileInfo/submodules/submodule_base.py
@@ -54,11 +54,13 @@ def analyze_file(self, path):
         :return:
         :rtype: dict
         """
-        pass
+        return {}
+
 
-    def section_summary(self, report):
+    def module_summary(self):
+        pass
 
-    def add_result_subsection(self, subsection_header, results, summary={"taxonomies": []}):
+    def add_result_subsection(self, subsection_header, results):
         """
         Adding a subsection to the section of the analyzer module
 
@@ -69,6 +71,5 @@ def add_result_subsection(self, subsection_header, results, summary={"taxonomies
         """
         self.results.append({
             "submodule_section_header": subsection_header,
-            "submodule_section_content": results,
-            "submodule_section_summary": summary
+            "submodule_section_content": results
         })
diff --git a/analyzers/FileInfo/submodules/submodule_metadata.py b/analyzers/FileInfo/submodules/submodule_metadata.py
@@ -28,6 +28,20 @@ def exif(self, path):
                       not (key.startswith("File") or key.startswith("SourceFile")))
         return result
 
+    def module_summary(self):
+        taxonomy = {'level': 'info', 'namespace': 'FileInfo', 'predicate': 'Filetype', 'value': ''}
+        taxonomies = []
+
+        for section in self.results:
+            if section['submodule_section_header'] == 'File information':
+                t = taxonomy
+                t['value'] = section['submodule_section_content']['Filetype']
+                taxonomies.append(t)
+            else:
+                pass
+        return {'taxonomies': taxonomies}
+
+
     def analyze_file(self, path):
         # Hash the file
         with io.open(path, 'rb') as fh:
@@ -53,14 +67,14 @@ def analyze_file(self, path):
         # Get libmagic info
         magicliteral = magic.Magic().from_file(path)
         mimetype = magic.Magic(mime=True).from_file(path)
-        filetype = pyexifinfo.fileType(path)
-        taxonomy = {'level': 'info', 'namespace': 'FileInfo', 'predicate': 'Filetype', 'value': filetype}
+        # filetype = pyexifinfo.fileType(path)
+
 
         self.add_result_subsection('File information', {
             'Magic literal': magicliteral,
             'MimeType': mimetype,
             'Filetype': pyexifinfo.fileType(path),
-            'Filesize': os.path.getsize(path)},{'taxonomies': [taxonomy]}
+            'Filesize': os.path.getsize(path)}
                                    )
 
         return self.results
diff --git a/analyzers/FileInfo/submodules/submodule_oletools.py b/analyzers/FileInfo/submodules/submodule_oletools.py
@@ -43,39 +43,46 @@ def analyze_file(self, path):
 
 
 
-    def olevba_summary(self, analysis):
-        """ Build summary for Olevba part of the submodule"""
-
-        version = {'Olevba version': olevba_version}
-        summary = {'taxonomies': [],
-                   'version': [version]}
-
-
-        type_list = []
-        for a in analysis:
-            if a["type"] not in type_list:
-                type_list.append(a["type"])
-
-        predicate = "Olevba"
-        namespace = "FileInfo"
-        level = "info"
-
-        if "Suspicious" in type_list:
-            level = 'suspicious'
-        if "VBA string" in type_list:
-            summary["taxonomies"].append(self.build_taxonomy(level, namespace, predicate, "VBA string"))
-        if "Base64 String" in type_list:
-            summary["taxonomies"].append(self.build_taxonomy(level, namespace, predicate, "Base64 string"))
-        if "Hex String" in type_list:
-            summary["taxonomies"].append(self.build_taxonomy(level, namespace, predicate, "Hex string"))
-
-        return summary
+    def module_summary(self):
+        taxonomies = []
+        level = 'info'
+        namespace = 'FileInfo'
+        predicate = ''
+        value = ''
+
+        for section in self.results:
+            if section['submodule_section_header'] == 'Olevba':
+                predicate = 'Olevba'
+                type_list = []
+                for a in section['submodule_section_content']['analysis']:
+                    if a["type"] not in type_list:
+                        type_list.append(a["type"])
+
+                if "Suspicious" in type_list:
+                    level = 'suspicious'
+                if "VBA string" in type_list:
+                    taxonomies.append(self.build_taxonomy(level, namespace, predicate, "VBA string"))
+                if "Base64 String" in type_list:
+                    taxonomies.append(self.build_taxonomy(level, namespace, predicate, "Base64 string"))
+                if "Hex String" in type_list:
+                    taxonomies.append(self.build_taxonomy(level, namespace, predicate, "Hex string"))
+
+            if section['submodule_section_header'] == 'DDE Analysis':
+                predicate = 'DDE'
+                if section['submodule_section_content']['Info']:
+                    level = 'info'
+                    taxonomies.append(self.build_taxonomy(level, namespace, predicate, 'None'))
+                else:
+                    level = 'suspicious'
+                    taxonomies.append(self.build_taxonomy(level, namespace, predicate, 'URL found'))
+
+        return {'taxonomies': taxonomies,
+                'Olevba': olevba_version,
+                'Msodde': msodde_version}
 
     def analyze_vba(self, path):
         """Analyze a given sample for malicious vba."""
 
-
-
         try:
 
             vba_parser = VBA_Parser_CLI(path, relaxed=True)
@@ -86,22 +93,18 @@ def analyze_vba(self, path):
                                                             show_deobfuscated_code=True,
                                                             deobfuscate=True)
 
-            self.add_result_subsection('Olevba', vbaparser_result, self.olevba_summary(vbaparser_result["analysis"]))
+            self.add_result_subsection('Olevba', vbaparser_result)
         except TypeError:
             self.add_result_subsection('Oletools VBA Analysis failed', 'Analysis failed due to an filetype error.'
                                                                        'The file does not seem to be a valid MS-Office '
                                                                        'file.')
 
     def analyze_dde(self, path):
         version = {'Msodde version': msodde_version}
-        summary = {'taxonomies':[],
-                   'version': [version]}
         results = process_file(path)
         if len(results) > 0:
-            summary["taxonomies"].append(self.build_taxonomy('suspicious', 'FileInfo', 'DDE', 'URL found'))
-            self.add_result_subsection('Oletools DDE Analysis', {'DDEUrl': results}, summary)
+            self.add_result_subsection('DDE Analysis', {'DDEUrl': results})
         else:
-            summary["taxonomies"].append(self.build_taxonomy('info', 'FileInfo', 'DDE', 'Not found'))
-            self.add_result_subsection('Oletools DDE Analysis', {'Info': 'No DDE URLs found.'}, summary)
+            self.add_result_subsection('DDE Analysis', {'Info': 'No DDE URLs found.'})
 
 
diff --git a/analyzers/FileInfo/submodules/submodule_pe.py b/analyzers/FileInfo/submodules/submodule_pe.py
@@ -1,5 +1,6 @@
 import pefile
 import pehashng
+from pefile import __version__ as pefile_version
 
 from .submodule_base import SubmoduleBaseclass
 
@@ -115,6 +116,10 @@ def pe_sections(pe):
                 table.append(sect)
         return table
 
+
+    def module_summary(self):
+        return {'pefile': pefile_version}
+
     def analyze_file(self, path):
         try:
             pe = pefile.PE(path)

diff --git a/thehive-templates/FileInfo_3_0/long.html b/thehive-templates/FileInfo_3_0/long.html
@@ -34,30 +34,29 @@ <h4 class="panel-title">
             <!--  Oletools -->
             <div ng-if="result.submodule_name=='Oletools Submodule'">
 
-
                 <div class="panel-body">
 
                     <!-- summary -->
                     <div>
-                        <div ngif=result.summary class="panel panel-primary">
+                        <div ng-if="result['summary']" class="panel panel-primary">
                             <div class="panel-heading">
                                 <h4 class="panel-title">Summary</h4>
                             </div>
-                            <div class="panel-body">
+                            <div class="panel-body" >
                                 <dl class="dl-horizontal">
                                     <dt>Olevba version</dt>
-                                    <dd class="wrap">{{result.summary["Olevba version"]}}</dd>
+                                    <dd class="wrap">{{result['summary']['Olevba']}}</dd>
                                 </dl>
                                 <dl class="dl-horizontal">
                                     <dt>Msodde version</dt>
-                                    <dd class="wrap">{{result.summary["Msodde version"]}}</dd>
+                                    <dd class="wrap">{{result['summary']['Msodde']}}</dd>
                                 </dl>
 
 
                                 <dl class="dl-horizontal">
                                         <dt>Oletools scanner</dt>
                                         <dd class="wrap">
-                                            <span class="label" ng-repeat="t in result.summary.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+                                            <span class="label" ng-repeat="t in result['summary']['taxonomies']" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
                                                 {{t.namespace}}:{{t.predicate}}={{t.value}}
                                             </span>
                                         </dd>
@@ -241,6 +240,21 @@ <h4 class="panel-title">
             <!-- PE Information submodule-->
             <div ng-if="result.submodule_name=='PE Information'">
                 <div class="panel-body">
+
+                    <div class="panel panel-primary">
+                        <div class="panel-heading">
+                            <h4 class="panel-title">
+                               Summary
+                            </h4>
+                        </div>
+                        <div class="panel-body">
+                            <dl class="dl-horizontal">
+                                    <dt>pefile version</dt>
+                                    <dd class="wrap">{{result['summary']['pefile']}}</dd>
+                                </dl>
+                        </div>
+
+                    </div>
                     <div  ng-repeat="r in result.results">
                         <uib-accordion>
 
@@ -337,21 +351,8 @@ <h4 class="panel-title">
                                 </pre>
                             </div>
 
-                    <!--<div ng-repeat="r in result.results" class="panel panel-primary">-->
-                            <!--<div class="panel-heading" ng-if="r.submodule_section_header=='Headers'">-->
-                                <!--<h4 class="panel-title">-->
-                                   <!--{{r.submodule_section_header}}-->
-                                <!--</h4>-->
-                            <!--</div>-->
-                            <!--<div class="panel-body">-->
-                                <!--<div ng-repeat="(k,v) in r.submodule_section_content">-->
-
-                                <!--</div>-->
-                            <!--</div>-->
-
                         </uib-accordion>
 
-                        <!--</div>-->
                     </div>
                 </div>
             </div>