From 6a2d0dcfc848ce0d596b0e0fd2547e2bd0b5cdeb Mon Sep 17 00:00:00 2001 
From: Jerome Leonard Date: Sun, 18 Jun 2017 20:12:28 +0200 Subject: [PATCH] #56 PassiveTotal summary() and short reports + bump version --- .../PassiveTotal/PassiveTotal_Enrichment.json | 2 +- .../PassiveTotal/PassiveTotal_Malware.json | 2 +- .../PassiveTotal/PassiveTotal_Osint.json | 2 +- .../PassiveTotal_Passive_Dns.json | 2 +- .../PassiveTotal_Ssl_Certificate_Details.json | 2 +- .../PassiveTotal_Ssl_Certificate_History.json | 2 +- .../PassiveTotal_Unique_Resolutions.json | 2 +- .../PassiveTotal_Whois_Details.json | 2 +- .../PassiveTotal/passivetotal_analyzer.py | 31 ++++++++++++++----- .../long.html | 0 .../PassiveTotal_Malware_1_0/short.html | 7 ----- .../long.html | 0 .../PassiveTotal_Malware_2_0/short.html | 3 ++ .../PassiveTotal_Osint_1_0/short.html | 7 ----- .../long.html | 0 .../PassiveTotal_Osint_2_0/short.html | 3 ++ .../PassiveTotal_Passive_Dns_1_0/short.html | 7 ----- .../long.html | 0 .../PassiveTotal_Passive_Dns_2_0/short.html | 3 ++ .../short.html | 7 ----- .../long.html | 0 .../short.html | 3 ++ .../short.html | 3 -- .../long.html | 0 .../short.html | 3 ++ .../short.html | 3 -- .../long.html | 0 .../short.html | 3 ++ .../PassiveTotal_Whois_Details_1_0/short.html | 2 -- .../long.html | 0 .../PassiveTotal_Whois_Details_2_0/short.html | 3 ++ 31 files changed, 53 insertions(+), 51 deletions(-) rename thehive-templates/{PassiveTotal_Enrichment_1_0 => PassiveTotal_Enrichment_2_0}/long.html (100%) delete mode 100644 thehive-templates/PassiveTotal_Malware_1_0/short.html rename thehive-templates/{PassiveTotal_Malware_1_0 => PassiveTotal_Malware_2_0}/long.html (100%) create mode 100644 thehive-templates/PassiveTotal_Malware_2_0/short.html delete mode 100644 thehive-templates/PassiveTotal_Osint_1_0/short.html rename thehive-templates/{PassiveTotal_Osint_1_0 => PassiveTotal_Osint_2_0}/long.html (100%) create mode 100644 thehive-templates/PassiveTotal_Osint_2_0/short.html delete mode 100644 thehive-templates/PassiveTotal_Passive_Dns_1_0/short.html rename 
thehive-templates/{PassiveTotal_Passive_Dns_1_0 => PassiveTotal_Passive_Dns_2_0}/long.html (100%) create mode 100644 thehive-templates/PassiveTotal_Passive_Dns_2_0/short.html delete mode 100644 thehive-templates/PassiveTotal_Ssl_Certificate_Details_1_0/short.html rename thehive-templates/{PassiveTotal_Ssl_Certificate_Details_1_0 => PassiveTotal_Ssl_Certificate_Details_2_0}/long.html (100%) create mode 100644 thehive-templates/PassiveTotal_Ssl_Certificate_Details_2_0/short.html delete mode 100644 thehive-templates/PassiveTotal_Ssl_Certificate_History_1_0/short.html rename thehive-templates/{PassiveTotal_Ssl_Certificate_History_1_0 => PassiveTotal_Ssl_Certificate_History_2_0}/long.html (100%) create mode 100644 thehive-templates/PassiveTotal_Ssl_Certificate_History_2_0/short.html delete mode 100644 thehive-templates/PassiveTotal_Unique_Resolutions_1_0/short.html rename thehive-templates/{PassiveTotal_Unique_Resolutions_1_0 => PassiveTotal_Unique_Resolutions_2_0}/long.html (100%) create mode 100644 thehive-templates/PassiveTotal_Unique_Resolutions_2_0/short.html delete mode 100644 thehive-templates/PassiveTotal_Whois_Details_1_0/short.html rename thehive-templates/{PassiveTotal_Whois_Details_1_0 => PassiveTotal_Whois_Details_2_0}/long.html (100%) create mode 100644 thehive-templates/PassiveTotal_Whois_Details_2_0/short.html
diff --git a/analyzers/PassiveTotal/PassiveTotal_Enrichment.json b/analyzers/PassiveTotal/PassiveTotal_Enrichment.json
index 6500cd13c..4072b8ff5 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Enrichment.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Enrichment.json
@@ -1,6 +1,6 @@
 {
 "name": "PassiveTotal_Enrichment",
- "version": "1.0",
+ "version": "2.0",
 "author": "CERT-BDF",
 "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
 "license": "AGPL-V3",
diff --git a/analyzers/PassiveTotal/PassiveTotal_Malware.json b/analyzers/PassiveTotal/PassiveTotal_Malware.json
index 6739f5a81..07b03b378 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Malware.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Malware.json
@@ -1,6 +1,6 @@
 {
 "name": "PassiveTotal_Malware",
- "version": "1.0",
+ "version": "2.0",
 "author": "CERT-BDF",
 "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
 "license": "AGPL-V3",
diff --git a/analyzers/PassiveTotal/PassiveTotal_Osint.json b/analyzers/PassiveTotal/PassiveTotal_Osint.json
index a20c7faf6..45b5d26c6 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Osint.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Osint.json
@@ -1,6 +1,6 @@
 {
 "name": "PassiveTotal_Osint",
- "version": "1.0",
+ "version": "2.0",
 "author": "CERT-BDF",
 "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
 "license": "AGPL-V3",
diff --git a/analyzers/PassiveTotal/PassiveTotal_Passive_Dns.json b/analyzers/PassiveTotal/PassiveTotal_Passive_Dns.json
index 7dd27782d..d89edd454 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Passive_Dns.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Passive_Dns.json
@@ -1,6 +1,6 @@
 {
 "name": "PassiveTotal_Passive_Dns",
- "version": "1.0",
+ "version": "2.0",
 "author": "CERT-BDF",
 "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
 "license": "AGPL-V3",
diff --git a/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_Details.json b/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_Details.json
index bb2f3338c..20e7e3f9f 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_Details.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_Details.json
@@ -1,6 +1,6 @@
 {
 "name": "PassiveTotal_Ssl_Certificate_Details",
- "version": "1.0",
+ "version": "2.0",
 "author": "CERT-BDF",
 "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
 "license": "AGPL-V3",
diff --git a/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_History.json b/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_History.json
index ebc8a54f2..ead334521 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_History.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Ssl_Certificate_History.json
@@ -1,6 +1,6 @@
 {
 "name": "PassiveTotal_Ssl_Certificate_History",
- "version": "1.0",
+ "version": "2.0",
 "author": "CERT-BDF",
 "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
 "license": "AGPL-V3",
diff --git a/analyzers/PassiveTotal/PassiveTotal_Unique_Resolutions.json b/analyzers/PassiveTotal/PassiveTotal_Unique_Resolutions.json
index df5f6f668..757d23134 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Unique_Resolutions.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Unique_Resolutions.json
@@ -1,6 +1,6 @@
 {
 "name": "PassiveTotal_Unique_Resolutions",
- "version": "1.0",
+ "version": "2.0",
 "author": "CERT-BDF",
 "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
 "license": "AGPL-V3",
diff --git a/analyzers/PassiveTotal/PassiveTotal_Whois_Details.json b/analyzers/PassiveTotal/PassiveTotal_Whois_Details.json
index f493f2874..f7096f943 100644
--- a/analyzers/PassiveTotal/PassiveTotal_Whois_Details.json
+++ b/analyzers/PassiveTotal/PassiveTotal_Whois_Details.json
@@ -1,6 +1,6 @@
 {
 "name": "PassiveTotal_Whois_Details",
- "version": "1.0",
+ "version": "2.0",
 "author": "CERT-BDF",
 "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
 "license": "AGPL-V3",
diff --git a/analyzers/PassiveTotal/passivetotal_analyzer.py b/analyzers/PassiveTotal/passivetotal_analyzer.py
index 13eea4e45..133ebc88c 100755
--- a/analyzers/PassiveTotal/passivetotal_analyzer.py
+++ b/analyzers/PassiveTotal/passivetotal_analyzer.py
@@ -55,35 +55,52 @@ def summary(self, raw):
 result['total'] = raw['totalRecords']
 if result['total'] < 2:
+ taxonomy["value"] = "\"{} record\"".format(result['total'])
+ else:
+ taxonomy["value"] = "\"{} records\"".format(result['total'])
+ taxonomies.append(taxonomy)
+
- # ssl certificate details service
+ # ssl certificate details service
 elif self.service == 'ssl_certificate_details':
+ taxonomy["predicate"] = "SSL"
 if 'sha1' in raw:
 result['ssl'] = True
-
+ else:
+ result['ssl'] = False
+ taxonomy["value"] = "\"{}\"".format(result['ssl'])
+ taxonomies.append(taxonomy)
 # ssl certificate history service
 elif self.service == 'ssl_certificate_history':
+ taxonomy["predicate"] = "SSLCertHistory"
 if 'results' in raw and raw['results']:
 result['ssl'] = True
 result['total'] = len(raw['results'])
-
+ taxonomy["value"] = "\"{} record(s)\"".format(result['total'])
+ taxonomies.append(taxonomy)
 # unique resolutions service
 elif self.service == 'unique_resolutions':
+ taxonomy['predicate'] = "UniqueResolution"
 if 'total' in raw:
 result['total'] = raw['total']
-
+ taxonomy['value'] = "\"{} record(s)\"".format(result['total'])
+ taxonomies.append(taxonomy)
 # whois details service
 elif self.service == 'whois_details':
+ taxonomy['predicate'] = "Whois"
 if 'registrant' in raw and 'organization' in raw['registrant'] and raw['registrant']['organization']:
 result['registrant'] = raw['registrant']['organization']
+ taxonomy['value'] = "\"REGISTRANT: {}\"".format(result['registrant'])
+ taxonomies.append(taxonomy)
 elif 'registrant' in raw and 'name' in raw['registrant'] and raw['registrant']['name']:
 result['registrant'] = raw['registrant']['name']
-
+ taxonomy['value'] = "\"REGISTRANT: {}\"".format(result['registrant'])
+ taxonomies.append(taxonomy)
 if 'registrar' in raw and raw['registrar']:
 result['registrar'] = raw['registrar']
-
-
+ taxonomy['value'] = "\"REGISTRAR: {}\"".format(result['registrar'])
+ taxonomies.append(taxonomy)
 result.update({"taxonomies":taxonomies})
 return
result
diff --git a/thehive-templates/PassiveTotal_Enrichment_1_0/long.html b/thehive-templates/PassiveTotal_Enrichment_2_0/long.html
similarity index 100%
rename from thehive-templates/PassiveTotal_Enrichment_1_0/long.html
rename to thehive-templates/PassiveTotal_Enrichment_2_0/long.html
diff --git a/thehive-templates/PassiveTotal_Malware_1_0/short.html b/thehive-templates/PassiveTotal_Malware_1_0/short.html
deleted file mode 100644
index 733f0f9b6..000000000
--- a/thehive-templates/PassiveTotal_Malware_1_0/short.html
+++ /dev/null
@@ -1,7 +0,0 @@
-
- PT:MALWARE=False
-
-
-
- PT:MALWARE=True
-
diff --git a/thehive-templates/PassiveTotal_Malware_1_0/long.html b/thehive-templates/PassiveTotal_Malware_2_0/long.html
similarity index 100%
rename from thehive-templates/PassiveTotal_Malware_1_0/long.html
rename to thehive-templates/PassiveTotal_Malware_2_0/long.html
diff --git a/thehive-templates/PassiveTotal_Malware_2_0/short.html b/thehive-templates/PassiveTotal_Malware_2_0/short.html
new file mode 100644
index 000000000..563ca58f3
--- /dev/null
+++ b/thehive-templates/PassiveTotal_Malware_2_0/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}={{t.value}}
+
diff --git a/thehive-templates/PassiveTotal_Osint_1_0/short.html b/thehive-templates/PassiveTotal_Osint_1_0/short.html
deleted file mode 100644
index 0c7db25db..000000000
--- a/thehive-templates/PassiveTotal_Osint_1_0/short.html
+++ /dev/null
@@ -1,7 +0,0 @@
-
- PT:OSINT=False
-
-
-
- PT:OSINT=True
-
diff --git a/thehive-templates/PassiveTotal_Osint_1_0/long.html b/thehive-templates/PassiveTotal_Osint_2_0/long.html
similarity index 100%
rename from thehive-templates/PassiveTotal_Osint_1_0/long.html
rename to thehive-templates/PassiveTotal_Osint_2_0/long.html
diff --git a/thehive-templates/PassiveTotal_Osint_2_0/short.html b/thehive-templates/PassiveTotal_Osint_2_0/short.html
new file mode 100644
index 000000000..563ca58f3
--- /dev/null
+++ b/thehive-templates/PassiveTotal_Osint_2_0/short.html
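Review bot: In the whois_details branch the new lines append the same `taxonomy` object to `taxonomies` twice — once after setting the REGISTRANT value, again after setting the REGISTRAR value — so both list entries alias one dict and the second assignment overwrites the first; the summary then shows `"REGISTRAR: …"` twice and the registrant never. Make each entry its own dict, e.g. `taxonomies.append(dict(taxonomy, value="\"REGISTRANT: {}\"".format(result['registrant'])))` and the same form for the REGISTRAR line, instead of mutating and re-appending `taxonomy`. `summary()` and the construction of `taxonomy` start above this hunk, so the namespace/level it carries cannot be checked here. Two smaller points: in the ssl_certificate_history and unique_resolutions branches the new `taxonomy["value"]` line formats `result['total']`, which is only assigned inside the preceding `if`, so if that line sits outside the `if` (indentation is lost in this rendering) a response without `results`/`total` raises KeyError instead of returning an empty summary; and the registrant/registrar strings are third-party WHOIS data copied verbatim into the taxonomy value — AngularJS `{{ }}` interpolation in the new short.html escapes them, but nothing bounds their length, so consider truncating before formatting.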
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}={{t.value}}
+
diff --git a/thehive-templates/PassiveTotal_Passive_Dns_1_0/short.html b/thehive-templates/PassiveTotal_Passive_Dns_1_0/short.html
deleted file mode 100644
index 9de1bbc44..000000000
--- a/thehive-templates/PassiveTotal_Passive_Dns_1_0/short.html
+++ /dev/null
@@ -1,7 +0,0 @@
-
- PT:PassiveDNS= {{content.total}} record
-
-
-
- PT:PassiveDNS= {{content.total}} record(s)
-
diff --git a/thehive-templates/PassiveTotal_Passive_Dns_1_0/long.html b/thehive-templates/PassiveTotal_Passive_Dns_2_0/long.html
similarity index 100%
rename from thehive-templates/PassiveTotal_Passive_Dns_1_0/long.html
rename to thehive-templates/PassiveTotal_Passive_Dns_2_0/long.html
diff --git a/thehive-templates/PassiveTotal_Passive_Dns_2_0/short.html b/thehive-templates/PassiveTotal_Passive_Dns_2_0/short.html
new file mode 100644
index 000000000..563ca58f3
--- /dev/null
+++ b/thehive-templates/PassiveTotal_Passive_Dns_2_0/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}={{t.value}}
+
diff --git a/thehive-templates/PassiveTotal_Ssl_Certificate_Details_1_0/short.html b/thehive-templates/PassiveTotal_Ssl_Certificate_Details_1_0/short.html
deleted file mode 100644
index 6f79d3155..000000000
--- a/thehive-templates/PassiveTotal_Ssl_Certificate_Details_1_0/short.html
+++ /dev/null
@@ -1,7 +0,0 @@
-
- PT:SSL=False
-
-
-
- PT:SSL=True
-
diff --git a/thehive-templates/PassiveTotal_Ssl_Certificate_Details_1_0/long.html b/thehive-templates/PassiveTotal_Ssl_Certificate_Details_2_0/long.html
similarity index 100%
rename from thehive-templates/PassiveTotal_Ssl_Certificate_Details_1_0/long.html
rename to thehive-templates/PassiveTotal_Ssl_Certificate_Details_2_0/long.html
diff --git a/thehive-templates/PassiveTotal_Ssl_Certificate_Details_2_0/short.html b/thehive-templates/PassiveTotal_Ssl_Certificate_Details_2_0/short.html
new file mode 100644
index 000000000..563ca58f3
--- /dev/null
+++ b/thehive-templates/PassiveTotal_Ssl_Certificate_Details_2_0/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}={{t.value}}
+
diff --git a/thehive-templates/PassiveTotal_Ssl_Certificate_History_1_0/short.html b/thehive-templates/PassiveTotal_Ssl_Certificate_History_1_0/short.html
deleted file mode 100644
index 128ecbc3b..000000000
--- a/thehive-templates/PassiveTotal_Ssl_Certificate_History_1_0/short.html
+++ /dev/null
@@ -1,3 +0,0 @@
-
- PT:SSLCertHistory= {{content.total}} record(s)
-
diff --git a/thehive-templates/PassiveTotal_Ssl_Certificate_History_1_0/long.html b/thehive-templates/PassiveTotal_Ssl_Certificate_History_2_0/long.html
similarity index 100%
rename from thehive-templates/PassiveTotal_Ssl_Certificate_History_1_0/long.html
rename to thehive-templates/PassiveTotal_Ssl_Certificate_History_2_0/long.html
diff --git a/thehive-templates/PassiveTotal_Ssl_Certificate_History_2_0/short.html b/thehive-templates/PassiveTotal_Ssl_Certificate_History_2_0/short.html
new file mode 100644
index 000000000..563ca58f3
--- /dev/null
+++ b/thehive-templates/PassiveTotal_Ssl_Certificate_History_2_0/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}={{t.value}}
+
diff --git a/thehive-templates/PassiveTotal_Unique_Resolutions_1_0/short.html b/thehive-templates/PassiveTotal_Unique_Resolutions_1_0/short.html
deleted file mode 100644
index 54e803b3a..000000000
--- a/thehive-templates/PassiveTotal_Unique_Resolutions_1_0/short.html
+++ /dev/null
@@ -1,3 +0,0 @@
-
- PT:UniqueResolution= {{content.total}} record(s)
-
diff --git a/thehive-templates/PassiveTotal_Unique_Resolutions_1_0/long.html b/thehive-templates/PassiveTotal_Unique_Resolutions_2_0/long.html
similarity index 100%
rename from thehive-templates/PassiveTotal_Unique_Resolutions_1_0/long.html
rename to thehive-templates/PassiveTotal_Unique_Resolutions_2_0/long.html
diff --git a/thehive-templates/PassiveTotal_Unique_Resolutions_2_0/short.html b/thehive-templates/PassiveTotal_Unique_Resolutions_2_0/short.html
new file mode 100644
index 000000000..563ca58f3
--- /dev/null
+++ b/thehive-templates/PassiveTotal_Unique_Resolutions_2_0/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}={{t.value}}
+
diff --git a/thehive-templates/PassiveTotal_Whois_Details_1_0/short.html b/thehive-templates/PassiveTotal_Whois_Details_1_0/short.html
deleted file mode 100644
index 7353be9a4..000000000
--- a/thehive-templates/PassiveTotal_Whois_Details_1_0/short.html
+++ /dev/null
@@ -1,2 +0,0 @@
-PT:Whois:REGISTRANT= {{content.registrant}}
-PT:Whois:REGISTRAR= {{content.registrar}}
diff --git a/thehive-templates/PassiveTotal_Whois_Details_1_0/long.html b/thehive-templates/PassiveTotal_Whois_Details_2_0/long.html
similarity index 100%
rename from thehive-templates/PassiveTotal_Whois_Details_1_0/long.html
rename to thehive-templates/PassiveTotal_Whois_Details_2_0/long.html
diff --git a/thehive-templates/PassiveTotal_Whois_Details_2_0/short.html b/thehive-templates/PassiveTotal_Whois_Details_2_0/short.html
new file mode 100644
index 000000000..563ca58f3
--- /dev/null
+++ b/thehive-templates/PassiveTotal_Whois_Details_2_0/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}={{t.value}}
+