Merge branch 'release/1.10.0'

TheHive-Project · Jun 6, 2018 · 3c55ba2 · 3c55ba2
2 parents 13778d7 + 0ea5c2d
commit 3c55ba2
Show file tree

Hide file tree

Showing 92 changed files with 3,395 additions and 66 deletions.
diff --git a/AUTHORS b/AUTHORS
@@ -1,27 +1,35 @@
 Authors
 -------
 
-* Thomas Franco <[email protected]> (lead developer, back-end)
-* Saâd Kadhi <[email protected]> (project leader, product management & design)
-* Jérôme Leonard <[email protected]> (developer, analyzers)
+* Nabil Adouani <[email protected]>
+* Thomas Franco <[email protected]>
+* Saâd Kadhi <[email protected]> (project leader)
+* Jérôme Leonard <[email protected]>
 
 Contributors
 ------------
 
-* Nabil Adouani
+* Danni Co <[email protected]>
+* Nils Kuhnert <[email protected]>
 * CERT Banque de France (CERT-BDF)
 
-Contributed Analyzers
----------------------
+* Adrien Barchapt
+* Andrea Garavaglia (LDO-CERT)
+* Antoine Brodin
+* Arcuri Davide (LDO-CERT)
+* Daniil Yugoslavskiy Tieto
+* Emmanuel Torquato
+* etz69
+* Eric Capuano
+* Guillaume Rousse
+* Julian Gonzalez
+* Marc-André oll Starc (EXAPROBE)
+* Mehdy Aschy
+* Pierre Baudry
+* Sebastien Larinier
+* Réii Pointel
 
-* Fortiguard : Eric Capuano
-* Hippocampe : Danni Co
-* MsgParser : Mehdi Aschy
-* OTXQuery : Eric Capuano
-* PassiveTotal : Antoine Brodin
-* PhishingInitiative : Rémi Pointel
-* PhishTank : Eric Capuano
-
-Copyright (C) 2016-2017 Thomas Franco
-Copyright (C) 2016-2017 Saâd Kadhi
-Copyright (C) 2016-2017 Jérôme Leonard
+Copyright (C) 2017-2018 Nabil Adouani
+Copyright (C) 2014-2018 Thomas Franco
+Copyright (C) 2014-2018 Saâd Kadhi
+Copyright (C) 2014-2018 Jérôme Leonard
diff --git a/analyzers/CERTatPassiveDNS/CERTatPassiveDNS.json b/analyzers/CERTatPassiveDNS/CERTatPassiveDNS.json
@@ -5,7 +5,7 @@
   "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
   "version": "2.0",
   "description": "Checks CERT.at Passive DNS for a given domain.",
-  "dataTypeList": ["domain", "fqdn"],
+  "dataTypeList": ["domain", "fqdn", "ip"],
   "baseConfig": "CERTatPassiveDNS",
   "command": "CERTatPassiveDNS/certat_passivedns.py",
   "configurationItems": [

diff --git a/analyzers/Crtsh/Crtsh.json b/analyzers/Crtsh/Crtsh.json
@@ -0,0 +1,18 @@
+{
+  "name": "Crt_sh_Transparency_Logs",
+  "author": "crackytsi",
+  "license": "AGPL-V3",
+  "url": "https://crt.sh",
+  "version": "1.0",
+  "baseConfig": "Crtsh",
+  "config": {
+        "check_tlp": false,
+        "max_tlp": 3
+  },
+  "description": "Query domains against the certificate transparency lists available at crt.sh.",
+  "dataTypeList": ["domain"],
+  "command": "Crtsh/crtshquery.py",
+  "configurationItems": [
+  ]
+
+}
diff --git a/analyzers/Crtsh/crtshquery.py b/analyzers/Crtsh/crtshquery.py
@@ -0,0 +1,88 @@
+#!/usr/bin/env python
+# encoding: utf-8
+
+import requests
+import json
+from cortexutils.analyzer import Analyzer
+
+
+class CrtshAnalyzer(Analyzer):
+    def search(self, domain, wildcard=True):
+        """
+        Search crt.sh for the given domain.
+
+        domain -- Domain to search for
+        wildcard -- Whether or not to prepend a wildcard to the domain
+                    (default: True)
+
+        Return a list of a certificate dict:
+
+        {
+            "issuer_ca_id": 16418,
+            "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
+            "name_value": "hatch.uber.com",
+            "min_cert_id": 325717795,
+            "min_entry_timestamp": "2018-02-08T16:47:39.089",
+            "not_before": "2018-02-08T15:47:39"
+        }
+
+        XML notation would also include the base64 cert:
+        https://crt.sh/atom?q={}
+        """
+        base_url = "https://crt.sh/?q={}&output=json"
+        if wildcard:
+            domain = "%25.{}".format(domain)
+        url = base_url.format(domain)
+
+        ua = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1'
+        req = requests.get(url, headers={'User-Agent': ua})
+
+        if req.ok:
+            try:
+                content = req.content.decode('utf-8')
+                data = json.loads("[{}]".format(content.replace('}{', '},{')))
+                return data
+            except Exception:
+                self.error("Error retrieving information.")
+        return None
+
+    def __init__(self):
+        Analyzer.__init__(self)
+
+    def dump_data(self, domain):
+        return {
+            'domain': domain,
+            'result': self.search(domain)
+        }
+
+    def summary(self, raw):
+        taxonomies = []
+        level = "info"
+        namespace = "crt.sh"
+        predicate = "Certificates"
+        value = "\"\""
+
+        if "certobj" in raw:
+            value = "\"{}\"".format(len(raw["certobj"]["result"]))
+            taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+
+        return {"taxonomies": taxonomies}
+
+    def run(self):
+        Analyzer.run(self)
+
+        if self.data_type == 'domain':
+            try:
+                data = self.getData()
+                mydata = data
+                self.report({
+                    'certobj': self.dump_data(mydata)
+                })
+            except Exception as e:
+                self.unexpectedError(e)
+        else:
+            self.notSupported()
+
+
+if __name__ == '__main__':
+    CrtshAnalyzer().run()
diff --git a/analyzers/Crtsh/requirements.txt b/analyzers/Crtsh/requirements.txt
@@ -0,0 +1,3 @@
+cortexutils
+requests
+
diff --git a/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py b/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
diff --git a/analyzers/CyberCrime-Tracker/CyberCrimeTracker.json b/analyzers/CyberCrime-Tracker/CyberCrimeTracker.json
@@ -0,0 +1,16 @@
+{
+  "name": "CyberCrime-Tracker",
+  "author": "ph34tur3",
+  "license": "AGPL-V3",
+  "url": "https://github.com/ph34tur3/Cortex-Analyzers",
+  "version": "1.0",
+  "description": "Search cybercrime-tracker.net for C2 servers.",
+  "dataTypeList": ["domain", "fqdn", "ip", "url", "other"],
+  "command": "CyberCrime-Tracker/cct.py",
+  "baseConfig": "CyberCrimeTracker",
+  "config": {
+    "check_tlp": true,
+    "max_tlp": 2
+  },
+  "configurationItems": []
+}
diff --git a/analyzers/CyberCrime-Tracker/cct.py b/analyzers/CyberCrime-Tracker/cct.py
@@ -0,0 +1,62 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from cortexutils.analyzer import Analyzer
+from cybercrimetracker.cybercrimeTrackerAPI import cybercrimeTrackerAPI
+
+
+class CyberCrimeTrackerAnalyzer(Analyzer):
+    """
+    This analyzer searches 
+    http://cybercrime-tracker.net
+    for possible c2 servers.
+    """
+
+    def __init__(self):
+        Analyzer.__init__(self)
+
+    def summary(self, raw):
+        level = 'info'
+        namespace = 'CCT'
+        predicate = 'C2 Search'
+
+        hit_count = len(raw.get('results', []))
+        value = "\"{} hits\"".format(hit_count)
+        if hit_count == 1:
+            value = value[:-2] + "\""
+
+        if hit_count > 0:
+            level = 'malicious'
+
+        taxonomies = []
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+        return {
+            "taxonomies": taxonomies
+        }
+
+    def run(self):
+        observable = self.get_data()
+        limit = 40
+        offset = 0
+
+        results = []
+
+        try:
+            while True:
+                new_results = cybercrimeTrackerAPI().search(query=observable, offset=offset, limit=limit)
+                results.extend(new_results)
+
+                current_hit_count = len(new_results)
+                no_more_results = current_hit_count < limit
+                if no_more_results:
+                    break
+                offset += limit
+
+            self.report({
+                'results': results
+            })
+        except Exception:
+            self.error('An error occured while scraping cybercrime-tracker.')
+
+
+if __name__ == '__main__':
+    CyberCrimeTrackerAnalyzer().run()
diff --git a/analyzers/CyberCrime-Tracker/requirements.txt b/analyzers/CyberCrime-Tracker/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+cybercrimetracker
diff --git a/analyzers/Cymon/Cymon_Check_IP.json b/analyzers/Cymon/Cymon_Check_IP.json
@@ -1,10 +1,10 @@
 {
     "name": "Cymon_Check_IP",
-    "version": "2.0",
+    "version": "2.1",
     "author": "Julian Gonzalez",
     "url": "https://github.com/ST2labs/Analyzers",
     "license": "AGPL-V3",
-    "description": "Cymon.io Database Search / Report for IP",
+    "description": "Check an IP addr against Cymon.io.",
     "dataTypeList": ["ip"],
     "command": "Cymon/cymon_analyzer.py",
     "baseConfig": "Cymon",

diff --git a/analyzers/EmergingThreats/EmergingThreats_DomainInfo.json b/analyzers/EmergingThreats/EmergingThreats_DomainInfo.json
@@ -1,11 +1,11 @@
 {
   "name": "EmergingThreats_DomainInfo",
   "version": "1.0",
-  "author": "Arcuri Davide, Garavaglia Andrea [LDO-CERT]",
+  "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT",
   "url": "https://github.com/dadokkio/Cortex-Analyzers",
   "license": "AGPL-V3",
   "description": "Retrieve ET reputation, related malware, and IDS requests for a given domain.",
-  "dataTypeList": ["domain"],
+  "dataTypeList": ["domain", "fqdn"],
   "command": "EmergingThreats/emergingthreats_analyzer.py",
   "baseConfig": "EmergingThreats",
   "configurationItems": [

diff --git a/analyzers/EmergingThreats/EmergingThreats_IPInfo.json b/analyzers/EmergingThreats/EmergingThreats_IPInfo.json
@@ -1,7 +1,7 @@
 {
   "name": "EmergingThreats_IPInfo",
   "version": "1.0",
-  "author": "Arcuri Davide, Garavaglia Andrea [LDO-CERT]",
+  "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT",
   "url": "https://github.com/dadokkio/Cortex-Analyzers",
   "license": "AGPL-V3",
   "description": "Retrieve ET reputation, related malware, and IDS requests for a given IP address.",

diff --git a/analyzers/EmergingThreats/EmergingThreats_MalwareInfo.json b/analyzers/EmergingThreats/EmergingThreats_MalwareInfo.json
@@ -1,11 +1,11 @@
 {
   "name": "EmergingThreats_MalwareInfo",
   "version": "1.0",
-  "author": "Arcuri Davide, Garavaglia Andrea [LDO-CERT]",
+  "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT",
   "url": "https://github.com/dadokkio/Cortex-Analyzers",
   "license": "AGPL-V3",
   "description": "Retrieve ET details and info related to a malware hash.",
-  "dataTypeList": ["hash"],
+  "dataTypeList": ["file", "hash"],
   "command": "EmergingThreats/emergingthreats_analyzer.py",
   "baseConfig": "EmergingThreats",
   "configurationItems": [

diff --git a/analyzers/EmergingThreats/emergingthreats_analyzer.py b/analyzers/EmergingThreats/emergingthreats_analyzer.py
@@ -3,6 +3,7 @@
 
 from cortexutils.analyzer import Analyzer
 
+import hashlib
 import requests
 import time
 
@@ -59,18 +60,32 @@ def run(self):
         Analyzer.run(self)
         info = {}
         try:
-            object_name = self.get_data()
-            if self.data_type == 'domain':
+            if self.data_type != 'file':
+                object_name = self.get_data()
+
+            if self.data_type in ['domain', 'fqdn']:
                 url = "https://api.emergingthreats.net/v1/domains/"
                 features = {'reputation', 'urls', 'samples', 'ips', 'events', 'nameservers', 'whois', 'geoloc'}
 
             elif self.data_type == 'ip':
                 url = "https://api.emergingthreats.net/v1/ips/"
                 features = {'reputation', 'urls', 'samples', 'domains', 'events', 'geoloc'}
 
-            elif self.data_type == 'malware':
+            elif self.data_type == 'hash':
+                url = "https://api.emergingthreats.net/v1/samples/"
+                features = {'', 'connections', 'dns', 'http', 'events'}
+
+            elif self.data_type == 'file':
                 url = "https://api.emergingthreats.net/v1/samples/"
-                features = {'', 'connections', 'dns', 'events'}
+                features = {'', 'connections', 'dns', 'http', 'events'}
+                hashes = self.get_param('attachment.hashes', None)
+                if hashes is None:
+                    filepath = self.get_param('file', None, 'File is missing')
+                    object_name = hashlib.md5(open(filepath, 'r').read()).hexdigest()
+                else:
+                    # find MD5 hash
+                    object_name = next(h for h in hashes if len(h) == 32)
+
             else:
                 self.error('Invalid data type !')
 

diff --git a/analyzers/FireEyeiSight/FireEyeiSight.json b/analyzers/FireEyeiSight/FireEyeiSight.json
@@ -0,0 +1,32 @@
+{
+    "name": "FireEyeiSight",
+    "version": "1.0",
+    "author": "Davide Arcuri and Andrea Garavaglia, LDO-CERT",
+    "url": "https://github.com/LDO-CERT/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Query domains, IPs, hashes and URLs on FireEye's iSIGHT threat intelligence service.",
+    "dataTypeList": ["domain", "ip", "hash", "url"],
+    "baseConfig": "FireEyeiSight",
+    "config": {
+        "check_tlp": true,
+        "max_tlp": 2,
+        "service": "query"
+    },
+    "command": "FireEyeiSight/fireeyeisight_lookup.py",
+    "configurationItems": [
+        {
+            "name": "key",
+            "description": "API key for FireEye iSIGHT.",
+            "required": true,
+            "type": "string",
+            "multi": false
+        },
+        {
+            "name": "pwd",
+            "description": "Password associated to the API key.",
+            "required": true,
+            "type": "string",
+            "multi": false
+        }
+    ]
+}