#212 WIP - add short report template, update summary for PDFiD submodule

TheHive-Project · Jun 5, 2018 · 428b31d · 428b31d
1 parent 289dc12
commit 428b31d
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 2 deletions.
diff --git a/analyzers/FileInfo/submodules/submodule_base.py b/analyzers/FileInfo/submodules/submodule_base.py
@@ -58,6 +58,12 @@ def analyze_file(self, path):
 
 
     def module_summary(self):
+        """
+        Build summary info for a submodule from its reports. Should be defined in each submodule that needs to show minireports
+
+        :return:
+        :rtype: dict
+        """
         pass
 
     def add_result_subsection(self, subsection_header, results):

diff --git a/analyzers/FileInfo/submodules/submodule_pdfid.py b/analyzers/FileInfo/submodules/submodule_pdfid.py
@@ -19,14 +19,35 @@ def check_file(self, **kwargs):
         if kwargs.get('filetype') in ['PDF']:
             return True
 
+    def module_summary(self):
+        taxonomies = []
+        level = 'info'
+        namespace = 'FileInfo'
+        predicate = 'PDFiD'
+        value = ''
+        pdfid_version = ''
+        for section in self.results:
+            if section['submodule_section_header'] == 'PDFiD Information':
+                for subsection in section['submodule_section_content']:
+                    if subsection['pdfid']:
+                        pdfid_version = subsection['pdfid']['version']
+                        for keyword in subsection['pdfid']['keywords']['keyword']:
+                            if keyword['name'] in ['/JS', '/JavaScript', '/OpenAction'] and keyword['count'] > 0:
+                                level = 'suspicious'
+                                taxonomies.append(self.build_taxonomy(level, namespace, predicate, keyword['name']))
+
+        return {'taxonomies': taxonomies,
+                'pdfid': pdfid_version}
+
     def pdfid_cmd(self, path):
         try:
             j = json.loads(
-                PDFiD2JSON(PDFiD(path, allNames=True, extraData=True, disarm=True, force=True), force=True))
+                PDFiD2JSON(PDFiD(path, allNames=True, extraData=True, disarm=False, force=True), force=True))
         except Exception as e:
             return e
         return j
 
+
     def analyze_file(self, path):
         self.add_result_subsection('PDFiD Information', self.pdfid_cmd(path))
         return self.results
diff --git a/thehive-templates/FileInfo_3_0/long.html b/thehive-templates/FileInfo_3_0/long.html
@@ -56,7 +56,7 @@ <h4 class="panel-title">Summary</h4>
                                 <dl class="dl-horizontal">
                                         <dt>Oletools scanner</dt>
                                         <dd class="wrap">
-                                            <span class="label" ng-repeat="t in result['summary']['taxonomies']" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+                                            <span class="label mr-xxxs" ng-repeat="t in result['summary']['taxonomies']" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
                                                 {{t.namespace}}:{{t.predicate}}={{t.value}}
                                             </span>
                                         </dd>
@@ -195,6 +195,35 @@ <h4 class="panel-title">
             <!-- PDF Information (PDFiD)-->
             <div ng-if="result.submodule_name=='PDF Information'">
                 <div class="panel-body">
+
+                    <!-- summary -->
+
+                    <div class="panel panel-primary">
+                        <div class="panel-heading" ng-if="result.summary">
+                            <h4 class="panel-title">
+                               Summary
+                            </h4>
+                        </div>
+                        <div class="panel panel-body">
+
+                            <dl class="dl-horizontal" ng-if="result.summary.pdfid">
+                                <dt>PDFiD</dt>
+                                <dd class="wrap">{{result.summary.pdfid}}</dd>
+                            </dl>
+
+                            <dl class="dl-horizontal" ng-if="result.summary.taxonomies != []">
+                                <dt>PDFiD report</dt>
+                                <dd class="wrap">
+                                    <span class="label mr-xxxs" ng-repeat="t in result['summary']['taxonomies']" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+                                        {{t.namespace}}:{{t.predicate}}={{t.value}}
+                                    </span>
+                                </dd>
+                            </dl>
+
+                        </div>
+                    </div>
+
+                    <!-- PDFiD -->
                     <div ng-repeat="r in result.results" class="panel panel-primary">
                         <div class="panel-heading" ng-if="r.submodule_section_header=='PDFiD Information'">
                             <h4 class="panel-title">

diff --git a/thehive-templates/FileInfo_3_0/short.html b/thehive-templates/FileInfo_3_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>