Merge branch 'passivetotal' into develop

analyzers/PassiveTotal/PassiveTotal_Enrichment.json

@@ -0,0 +1,13 @@
+{
+    "name": "PassiveTotal_Enrichment",
+    "version": "1.0",
+    "baseConfig": "PassiveTotal",
+    "config": {
+        "check_tlp": true,
+        "max_tlp":1,
+        "service": "enrichment"
+    },
+    "description": "PassiveTotal Enrichment Lookup",
+    "dataTypeList": ["domain", "fqdn", "ip"],
+    "command": "PassiveTotal/passivetotal_analyzer.py"
+}

analyzers/PassiveTotal/PassiveTotal_Malware.json

@@ -0,0 +1,13 @@
+{
+    "name": "PassiveTotal_Malware",
+    "version": "1.0",
+    "baseConfig": "PassiveTotal",
+    "config": {
+        "check_tlp": true,
+        "max_tlp":1,
+        "service": "malware"
+    },
+    "description": "PassiveTotal Malware Lookup",
+    "dataTypeList": ["domain", "fqdn", "ip"],
+    "command": "PassiveTotal/passivetotal_analyzer.py"
+}

analyzers/PassiveTotal/PassiveTotal_Osint.json

@@ -0,0 +1,13 @@
+{
+    "name": "PassiveTotal_Osint",
+    "version": "1.0",
+    "baseConfig": "PassiveTotal",
+    "config": {
+        "check_tlp": true,
+        "max_tlp":1,
+        "service": "osint"
+    },
+    "description": "PassiveTotal Osint Lookup",
+    "dataTypeList": ["domain", "fqdn", "ip"],
+    "command": "PassiveTotal/passivetotal_analyzer.py"
+}

analyzers/PassiveTotal/PassiveTotal_Passive_Dns.json

@@ -0,0 +1,13 @@
+{
+    "name": "PassiveTotal_Passive_Dns",
+    "version": "1.0",
+    "baseConfig": "PassiveTotal",
+    "config": {
+        "check_tlp": true,
+        "max_tlp":1,
+        "service": "passive_dns"
+    },
+    "description": "PassiveTotal Passive DNS Lookup",
+    "dataTypeList": ["domain", "fqdn", "ip"],
+    "command": "PassiveTotal/passivetotal_analyzer.py"
+}

analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_Details.json

@@ -0,0 +1,13 @@
+{
+    "name": "PassiveTotal_Ssl_Certificate_Details",
+    "version": "1.0",
+    "baseConfig": "PassiveTotal",
+    "config": {
+        "check_tlp": true,
+        "max_tlp":1,
+        "service": "ssl_certificate_details"
+    },
+    "description": "PassiveTotal Ssl Certificate Details Lookup",
+    "dataTypeList": ["hash", "ip"],
+    "command": "PassiveTotal/passivetotal_analyzer.py"
+}

analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_History.json

@@ -0,0 +1,13 @@
+{
+    "name": "PassiveTotal_Ssl_Certificate_History",
+    "version": "1.0",
+    "baseConfig": "PassiveTotal",
+    "config": {
+        "check_tlp": true,
+        "max_tlp":1,
+        "service": "ssl_certificate_history"
+    },
+    "description": "PassiveTotal Ssl Certificate History Lookup",
+    "dataTypeList": ["hash", "ip"],
+    "command": "PassiveTotal/passivetotal_analyzer.py"
+}

analyzers/PassiveTotal/PassiveTotal_Unique_Resolutions.json

@@ -0,0 +1,13 @@
+{
+    "name": "PassiveTotal_Unique_Resolutions",
+    "version": "1.0",
+    "baseConfig": "PassiveTotal",
+    "config": {
+        "check_tlp": true,
+        "max_tlp":1,
+        "service": "unique_resolutions"
+    },
+    "description": "PassiveTotal Unique Resolutions Lookup",
+    "dataTypeList": ["domain", "fqdn", "ip"],
+    "command": "PassiveTotal/passivetotal_analyzer.py"
+}

analyzers/PassiveTotal/PassiveTotal_Whois_Details.json

@@ -0,0 +1,13 @@
+{
+    "name": "PassiveTotal_Whois_Details",
+    "version": "1.0",
+    "baseConfig": "PassiveTotal",
+    "config": {
+        "check_tlp": true,
+        "max_tlp":1,
+        "service": "whois_details"
+    },
+    "description": "PassiveTotal Whois Details Lookup",
+    "dataTypeList": ["domain", "fqdn", "ip"],
+    "command": "PassiveTotal/passivetotal_analyzer.py"
+}

analyzers/PassiveTotal/passivetotal_analyzer.py

@@ -0,0 +1,132 @@
+#!/usr/bin/env python
+# encoding: utf-8
+
+from cortexutils.analyzer import Analyzer
+
+from passivetotal.libs.dns import DnsRequest
+from passivetotal.libs.enrichment import EnrichmentRequest
+from passivetotal.libs.ssl import SslRequest
+from passivetotal.libs.whois import WhoisRequest
+
+class PassiveTotalAnalyzer(Analyzer):
+
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.service = self.getParam('config.service', None, 'PassiveTotal service is missing')
+        self.username = self.getParam('config.username', None, 'PassiveTotal username is missing')
+        self.api_key = self.getParam('config.api_key', None, 'PassiveTotal api_key is missing')
+
+    def summary(self, raw):
+        result = {
+            'service': self.service,
+            'dataType': self.data_type
+        }
+
+        # malware service
+        if self.service == 'malware':
+            if 'results' in raw and raw['results']:
+                result['malware'] = True
+
+        # osint service
+        elif self.service == 'osint':
+            if 'results' in raw and raw['results']:
+                result['osint'] = True
+
+        # passive dns service
+        elif self.service == 'passive_dns':
+            if 'firstSeen' in raw and raw['firstSeen']:
+                result['firstSeen'] = raw['firstSeen']
+            if 'lastSeen' in raw and raw['lastSeen']:
+                result['lastSeen'] = raw['lastSeen']
+            if 'totalRecords' in raw and raw['totalRecords']:
+                result['total'] = raw['totalRecords']
+
+        # ssl certificate details service
+        elif self.service == 'ssl_certificate_details':
+            if 'sha1' in raw:
+                result['ssl'] = True
+
+        # ssl certificate history service
+        elif self.service == 'ssl_certificate_history':
+            if 'results' in raw and raw['results']:
+                result['ssl'] = True
+
+        # unique resolutions service
+        elif self.service == 'unique_resolutions':
+            if 'total' in raw:
+                result['total'] = raw['total']
+
+        # whois details service
+        elif self.service == 'whois_details':
+            if 'registrant' in raw and 'organization' in raw['registrant'] and raw['registrant']['organization']:
+                result['registrant'] = raw['registrant']['organization']
+            elif 'registrant' in raw and 'name' in raw['registrant'] and raw['registrant']['name']:
+                result['registrant'] = raw['registrant']['name']
+
+            if 'registrar' in raw and raw['registrar']:
+                result['registrar'] = raw['registrar']
+
+        return result
+
+    def run(self):
+        Analyzer.run(self)
+
+        data = self.getData()
+
+        try:
+            # enrichment service
+            if self.service == 'enrichment':
+                enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
+                result = enrichment_request.get_enrichment(query=data)
+                self.report(result)
+
+            # malware service
+            elif self.service == 'malware':
+                enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
+                result = enrichment_request.get_malware(query=data)
+                self.report(result)
+
+            # osint service
+            elif self.service == 'osint':
+                enrichment_request = EnrichmentRequest(username=self.username, api_key=self.api_key)
+                result = enrichment_request.get_osint(query=data)
+                self.report(result)
+
+            # passive dns service
+            elif self.service == 'passive_dns':
+                dns_request = DnsRequest(username=self.username, api_key=self.api_key)
+                result = dns_request.get_passive_dns(query=data)
+                self.report(result)
+
+            # ssl certificate details service
+            elif self.service == 'ssl_certificate_details':
+                ssl_request = SslRequest(username=self.username, api_key=self.api_key)
+                result = ssl_request.get_ssl_certificate_details(query=data)
+                self.report(result)
+
+            # ssl certificate history service
+            elif self.service == 'ssl_certificate_history':
+                ssl_request = SslRequest(username=self.username, api_key=self.api_key)
+                result = ssl_request.get_ssl_certificate_history(query=data)
+                self.report(result)
+
+            # unique resolutions service
+            elif self.service == 'unique_resolutions':
+                dns_request = DnsRequest(username=self.username, api_key=self.api_key)
+                result = dns_request.get_unique_resolutions(query=data)
+                self.report(result)
+
+            # whois details service
+            elif self.service == 'whois_details':
+                whois_request = WhoisRequest(username=self.username, api_key=self.api_key)
+                result = whois_request.get_whois_details(query=data)
+                self.report(result)
+
+            else:
+                self.error('Unknown PassiveTotal service')
+
+        except Exception as e:
+            self.unexpectedError(e)
+
+if __name__ == '__main__':
+    PassiveTotalAnalyzer().run()

analyzers/PassiveTotal/requirements.txt

@@ -0,0 +1,2 @@
+cortexutils
+passivetotal