Merge pull request #467 from ninoseki/add-emailrep-analyzer

add Emailrep analyzer
TheHive-Project · Dec 17, 2019 · 56f6141 · 56f6141
2 parents e02c866 + 7f33dac
commit 56f6141
Show file tree

Hide file tree

Showing 6 changed files with 141 additions and 0 deletions.
diff --git a/analyzers/EmailRep/EmailRep.json b/analyzers/EmailRep/EmailRep.json
@@ -0,0 +1,11 @@
+{
+  "name": "EmailRep",
+  "version": "1.0",
+  "author": "Manabu Niseki",
+  "url": "https://github.com/ninoseki/emailrep-analyzer",
+  "license": "MIT",
+  "description": "emailrep.io lookup.",
+  "dataTypeList": ["mail"],
+  "command": "EmailRep/emailrep_analyzer.py",
+  "baseConfig": "EmailRep"
+}
diff --git a/analyzers/EmailRep/emailrep.py b/analyzers/EmailRep/emailrep.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+
+import requests
+
+
+class EmailRepException(Exception):
+    pass
+
+
+class EmailRep():
+    def __init__(self):
+        self.base_url = "https://emailrep.io"
+
+    def get(self, email_address):
+        url = "{}/{}".format(self.base_url, email_address)
+        json = self._request(url)
+        json["mail"] = email_address
+        return json
+
+    def _request(self, url):
+        res = requests.request("GET", url)
+
+        if res.status_code != 200:
+            raise EmailRepException(
+                "emailrep returns {}".format(res.status_code))
+
+        json = res.json()
+        status = json.get("status")
+        if status == "fail":
+            reason = json.get("reason")
+            raise EmailRepException(reason)
+
+        return json
diff --git a/analyzers/EmailRep/emailrep_analyzer.py b/analyzers/EmailRep/emailrep_analyzer.py
@@ -0,0 +1,43 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.analyzer import Analyzer
+from emailrep import EmailRepException, EmailRep
+
+
+class EmailRepAnalyzer(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+
+    def summary(self, raw):
+        taxonomies = []
+        level = "info"
+        namespace = "EmailRep"
+
+        score = raw.get("score")
+        if score is not None:
+            score = int(score)
+            if score < 50:
+                level = "suspicious"
+            else:
+                level = "safe"
+
+            taxonomies.append(
+                self.build_taxonomy(level, namespace, "Reputation", score)
+            )
+
+        return {"taxonomies": taxonomies}
+
+    def run(self):
+        data = self.get_data()
+
+        try:
+            emailRep = EmailRep()
+            result = emailRep.get(data)
+            self.report(result)
+        except EmailRepException as e:
+            self.error(str(e))
+
+
+if __name__ == "__main__":
+    EmailRepAnalyzer().run()
diff --git a/analyzers/EmailRep/requirements.txt b/analyzers/EmailRep/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests
diff --git a/thehive-templates/EmailRep_1_0/long.html b/thehive-templates/EmailRep_1_0/long.html
@@ -0,0 +1,45 @@
+<div class="report" ng-if="success">
+  <div class="panel panel-info">
+    <div class="panel-heading">
+      emailrep.io lookup ({{ content.mail || "-" }})
+    </div>
+    <div class="panel-body">
+      <div ng-if="(content | json) === '{}'">
+        No data found
+      </div>
+      <div ng-if="(content | json) !== '{}'">
+        <dl class=" dl-horizontal">
+          <dt>Score:</dt>
+          <dd class="wrap">{{ content.score || "-" }}</dd>
+        </dl>
+        <dl class="dl-horizontal">
+          <dt>References:</dt>
+          <dd class="wrap">{{ content.references || "-" }}</dd>
+        </dl>
+        <dl class="dl-horizontal" ng-if="content.profiles.length !== 0">
+          <dt>Profiles:</dt>
+          <dd class="wrap">
+            <ul ng-repeat="profile in content.profiles">
+              <li>{{ profile }}</li>
+            </ul>
+          </dd>
+        </dl>
+      </div>
+    </div>
+  </div>
+</div>
+
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+  <div class="panel-heading">
+    <strong>{{ artifact.data | fang }}</strong>
+  </div>
+  <div class="panel-body">
+    <dl class="dl-horizontal" ng-if="content.errorMessage">
+      <dt>
+        <i class="fa fa-warning"></i>
+      </dt>
+      <dd class="wrap">{{ content.errorMessage }}</dd>
+    </dl>
+  </div>
+</div>
diff --git a/thehive-templates/EmailRep_1_0/short.html b/thehive-templates/EmailRep_1_0/short.html
@@ -0,0 +1,7 @@
+<span
+  class="label"
+  ng-repeat="t in content.taxonomies"
+  ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]"
+>
+  {{ t.namespace }}:{{ t.predicate }}="{{ t.value }}"
+</span>