-
Notifications
You must be signed in to change notification settings - Fork 385
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #967 from nachorpaez/master
- Loading branch information
Showing
13 changed files
with
375 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| { | ||
| "name": "Diario_GetReport", | ||
| "version": "1.0", | ||
| "author": "Ignacio Rodriguez Paez", | ||
| "url": "https://github.com/TheHive-Project/Cortex-Analyzers", | ||
| "license": "AGPL-V3", | ||
| "description": "Get the latest Diario report for a file or hash.", | ||
| "dataTypeList": ["file", "hash"], | ||
| "command": "Diario/diario_analyzer.py", | ||
| "baseConfig": "Diario", | ||
| "config": { | ||
| "service": "get" | ||
| }, | ||
| "configurationItems": [ | ||
| { | ||
| "name": "client_id", | ||
| "description": "Client id for Diario", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "secret", | ||
| "description": "Secret for Diario", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "polling_interval", | ||
| "description": "Define time interval between two requests attempts for the report", | ||
| "type": "number", | ||
| "multi": false, | ||
| "required": false, | ||
| "defaultValue": 60 | ||
| } | ||
| ], | ||
| "registration_required": true, | ||
| "subscription_required": true, | ||
| "service_homepage": "https://diario.elevenpaths.com/", | ||
| "service_logo": { | ||
| "path": "assets/logo.png", | ||
| "caption": "DIARIO logo" | ||
| }, | ||
| "screenshots": [ | ||
| { | ||
| "path": "assets/diario_get_report_short.png", | ||
| "caption": "DIARIO: short report" | ||
| }, | ||
| { | ||
| "path": "assets/diario_get_report_long.png", | ||
| "caption": "DIARIO: long report" | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| { | ||
| "name": "Diario_Scan", | ||
| "version": "1.0", | ||
| "author": "Ignacio Rodriguez Paez", | ||
| "url": "https://github.com/TheHive-Project/Cortex-Analyzers", | ||
| "license": "AGPL-V3", | ||
| "description": "Use Diario to scan a file, it can be DOC*, XLS*, PPTX or PDF.", | ||
| "dataTypeList": ["file"], | ||
| "command": "Diario/diario_analyzer.py", | ||
| "baseConfig": "Diario", | ||
| "config": { | ||
| "service": "scan" | ||
| }, | ||
| "configurationItems": [ | ||
| { | ||
| "name": "client_id", | ||
| "description": "Client id for Diario", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "secret", | ||
| "description": "Secret for Diario", | ||
| "type": "string", | ||
| "multi": false, | ||
| "required": true | ||
| }, | ||
| { | ||
| "name": "polling_interval", | ||
| "description": "Define time interval between two requests attempts for the report", | ||
| "type": "number", | ||
| "multi": false, | ||
| "required": false, | ||
| "defaultValue": 60 | ||
| } | ||
| ], | ||
| "registration_required": true, | ||
| "subscription_required": true, | ||
| "service_homepage": "https://diario.elevenpaths.com/", | ||
| "service_logo": { | ||
| "path": "assets/logo.png", | ||
| "caption": "DIARIO logo" | ||
| }, | ||
| "screenshots": [ | ||
| { | ||
| "path": "assets/diario_scan_short.png", | ||
| "caption": "DIARIO: short report" | ||
| }, | ||
| { | ||
| "path": "assets/diario_scan_long.png", | ||
| "caption": "DIARIO: long report" | ||
| } | ||
| ] | ||
| } |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| #!/usr/bin/env python3 | ||
| # encoding: utf-8 | ||
|
|
||
| import time | ||
| import hashlib | ||
| from diario import Diario | ||
| from cortexutils.analyzer import Analyzer | ||
|
|
||
|
|
||
| class DiarioAnalyzer(Analyzer): | ||
|
|
||
| def __init__(self): | ||
| Analyzer.__init__(self) | ||
| self.service = self.get_param('config.service', None, 'Service parameter is missing') | ||
| self.client_id = self.get_param('config.client_id', None, 'Missing Client ID') | ||
| self.secret = self.get_param('config.secret', None, 'Missing Secret') | ||
| self.polling_interval = self.get_param('config.polling_interval', 60) | ||
| self.api = Diario(self.client_id, self.secret) | ||
|
|
||
| _predictions = { | ||
| "M": "Malware", | ||
| "G": "Goodware", | ||
| "NM": "No Macros present", # Only applies to office documents | ||
| "U": "Unknown" | ||
| } | ||
|
|
||
| _stages = { | ||
| "A": "Analyzed", | ||
| "Q": "Queued", | ||
| "P": "Processing", | ||
| "F": "Failed" | ||
| } | ||
|
|
||
| def check_response(self, document_hash): | ||
| response = self.api.search(document_hash) | ||
| if response.error: | ||
| if response.error.code == 413: | ||
| time.sleep(self.polling_interval) | ||
| return self.check_response(document_hash) | ||
| elif response.error.code in (406, 409): | ||
| return dict(message=response.error.message) | ||
| else: | ||
| self.error(response.error) | ||
| if response.data["status"] in ("P", "Q"): | ||
| time.sleep(self.polling_interval) | ||
| return self.check_response(document_hash) | ||
| elif response.data["status"] == "F": | ||
| self.error(response.data) | ||
|
|
||
| data = response.data | ||
| data["prediction"] = self._predictions.get(data["prediction"]) | ||
| data["status"] = self._stages.get(data["status"]) | ||
| return dict(data) | ||
|
|
||
| def summary(self, raw): | ||
| taxonomies = [] | ||
| level = "info" | ||
| namespace = "Diario" | ||
| predicate = "GetReport" | ||
| value = "Not Found" | ||
|
|
||
| if self.service == "scan": | ||
| predicate = "Scan" | ||
|
|
||
| verdicts = { | ||
| "Goodware": "safe", | ||
| "Malware": "malicious", | ||
| "Unknown": "suspicious", | ||
| "No Macros present": "info", | ||
| } | ||
|
|
||
| if "sha256" in raw: | ||
| value = raw["prediction"] | ||
| level = verdicts.get(value) | ||
|
|
||
| taxonomies.append(self.build_taxonomy(level, namespace, predicate, value)) | ||
| return {"taxonomies": taxonomies} | ||
|
|
||
| def run(self): | ||
|
|
||
| if self.service == "scan": | ||
| if self.data_type == "file": | ||
| filepath = self.get_param('file', None, 'File is missing') | ||
| response = self.api.upload(filepath) | ||
| if response.error: | ||
| self.error(response.error["message"]) | ||
| data = response.data.get("hash", None) | ||
| else: | ||
| self.error("Data type has to be a File") | ||
| return | ||
|
|
||
| elif self.service == "get": | ||
| # If we want to only get the report of a file we get the | ||
| # SHA256 hash and check if there is a report | ||
| if self.data_type == "file": | ||
| filepath = self.get_param('file', None, 'File is missing') | ||
| sha256_hash = hashlib.sha256() | ||
| with open(filepath, "rb") as f: | ||
| # Read and update hash string value in blocks of 4K | ||
| for byte_block in iter(lambda: f.read(4096), b""): | ||
| sha256_hash.update(byte_block) | ||
| data = sha256_hash.hexdigest() | ||
| elif self.data_type == "hash": | ||
| data = self.get_param('data', None, 'Data is missing') | ||
| else: | ||
| self.error("Data type has to be a File or Hash") | ||
| return | ||
|
|
||
| else: | ||
| self.error("Service doesn't exists") | ||
| return | ||
|
|
||
| self.report(self.check_response(data)) | ||
|
|
||
|
|
||
| if __name__ == '__main__': | ||
| DiarioAnalyzer().run() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| cortexutils | ||
| diario |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| <div class="panel panel-info" ng-if="success"> | ||
| <div class="panel-heading"> | ||
| Diario information for <strong>{{artifact.data}}</strong> | ||
| </div> | ||
| <div class="panel-body"> | ||
| <div class="document-results" ng-if="content.sha256"> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold" ng-if="content.type">Type</dt> | ||
| <dd>{{content.type}}</dd> | ||
| </dl> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold">Document Type</dt> | ||
| <dd>{{content.documentType}}</dd> | ||
| </dl> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold">Status</dt> | ||
| <dd>{{content.status}}</dd> | ||
| </dl> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold">Prediction</dt> | ||
| <dd>{{content.prediction}}</dd> | ||
| </dl> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold">MD5</dt> | ||
| <dd>{{content.md5}}</dd> | ||
| </dl> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold">SHA1</dt> | ||
| <dd>{{content.sha1}}</dd> | ||
| </dl> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold">SHA256</dt> | ||
| <dd>{{content.sha256}}</dd> | ||
| </dl> | ||
| <div ng-repeat="protocol in content.ip.ports"> | ||
| <dl class="dl-horizontal"> | ||
| <dt>Info on port {{protocol}}</dt> | ||
| <dd> | ||
| <button class="btn btn-primary" type="button" data-toggle="collapse" data-target="#collapse-{{protocol}}" aria-expanded="false" aria-controls="collapse-{{protocol}}"> | ||
| Show/hide | ||
| </button> | ||
| <br /> | ||
| <div class="collapse" id="collapse-{{protocol}}"> | ||
| <pre style="overflow-x:scroll;">{{content.ip[protocol] | json}}</pre> | ||
| <button class="btn btn-primary" type="button" data-toggle="collapse" data-target="#collapse-{{protocol}}" aria-expanded="false" aria-controls="collapse-{{protocol}}"> | ||
| Show/hide | ||
| </button> | ||
| </div> | ||
| </dd> | ||
| </dl> | ||
| </div> | ||
| </div> | ||
| <div class="document-results" ng-if="content.message"> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold">Message</dt> | ||
| <dd>{{content.message}}</dd> | ||
| </dl> | ||
| </div> | ||
| </div> | ||
| </div> | ||
|
|
||
| <!-- General error --> | ||
| <div class="panel panel-danger" ng-if="!success"> | ||
| <div class="panel-heading"> | ||
| <strong>{{artifact.data | fang}}</strong> | ||
| </div> | ||
| <div class="panel-body"> | ||
| {{content.errorMessage}} | ||
| </div> | ||
| </div> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| <span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]"> | ||
| {{t.namespace}}:{{t.predicate}}="{{t.value}}" | ||
| </span> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| <div class="panel panel-info" ng-if="success"> | ||
| <div class="panel-heading"> | ||
| Diario information for <strong>{{artifact.data}}</strong> | ||
| </div> | ||
| <div class="panel-body"> | ||
| <div class="document-results" ng-if="content.sha256"> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold" ng-if="content.type">Type</dt> | ||
| <dd>{{content.type}}</dd> | ||
| </dl> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold">Document Type</dt> | ||
| <dd>{{content.documentType}}</dd> | ||
| </dl> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold">Status</dt> | ||
| <dd>{{content.status}}</dd> | ||
| </dl> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold">Prediction</dt> | ||
| <dd>{{content.prediction}}</dd> | ||
| </dl> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold">MD5</dt> | ||
| <dd>{{content.md5}}</dd> | ||
| </dl> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold">SHA1</dt> | ||
| <dd>{{content.sha1}}</dd> | ||
| </dl> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold">SHA256</dt> | ||
| <dd>{{content.sha256}}</dd> | ||
| </dl> | ||
| <div ng-repeat="protocol in content.ip.ports"> | ||
| <dl class="dl-horizontal"> | ||
| <dt>Info on port {{protocol}}</dt> | ||
| <dd> | ||
| <button class="btn btn-primary" type="button" data-toggle="collapse" data-target="#collapse-{{protocol}}" aria-expanded="false" aria-controls="collapse-{{protocol}}"> | ||
| Show/hide | ||
| </button> | ||
| <br /> | ||
| <div class="collapse" id="collapse-{{protocol}}"> | ||
| <pre style="overflow-x:scroll;">{{content.ip[protocol] | json}}</pre> | ||
| <button class="btn btn-primary" type="button" data-toggle="collapse" data-target="#collapse-{{protocol}}" aria-expanded="false" aria-controls="collapse-{{protocol}}"> | ||
| Show/hide | ||
| </button> | ||
| </div> | ||
| </dd> | ||
| </dl> | ||
| </div> | ||
| </div> | ||
| <div class="document-results" ng-if="content.message"> | ||
| <dl class="dl-horizontal"> | ||
| <dt class="text-bold">Message</dt> | ||
| <dd>{{content.message}}</dd> | ||
| </dl> | ||
| </div> | ||
| </div> | ||
| </div> | ||
|
|
||
| <!-- General error --> | ||
| <div class="panel panel-danger" ng-if="!success"> | ||
| <div class="panel-heading"> | ||
| <strong>{{artifact.data | fang}}</strong> | ||
| </div> | ||
| <div class="panel-body"> | ||
| {{content.errorMessage}} | ||
| </div> | ||
| </div> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| <span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]"> | ||
| {{t.namespace}}:{{t.predicate}}="{{t.value}}" | ||
| </span> |