Merge branch 'develop' of https://github.com/CERT-BDF/Cortex-Analyzers …

…into develop

.github/issue_template.md

@@ -1,10 +1,11 @@
 # EDIT THIS TITLE BEFORE POSTING. Use this template for bug reports. If you'd like to request a feature, please be as descriptive as possible and delete the template except the first section (Request Type)
 
 ### Request Type
-(select Bug or Feature Request and **remove this line**)
-Bug / Feature Request
+(select Bug, Analyzer or Feature and **remove this line**)
+Bug / Analyzer / Feature
 
 ### Work Environment
+(replace with N/A if not applicable)
 
 | Question              | Answer
 |---------------------------|--------------------
@@ -16,10 +17,11 @@ Bug / Feature Request
 | Browser type & version    | If applicable
 
 
-### Problem Description
-Describe the problem/bug as clearly as possible.
+### Description
+Describe your request as clearly as possible.
 
 ### Steps to Reproduce
+(keep this section only if the issue relates to a bug)
 1. step 1
 1. step 2
 1. step 3...

.gitignore

@@ -5,3 +5,5 @@ thehive-templates/*.sh
 
 .idea
 .DS_Store
+
+Cortex-analyzers.iml

analyzers/Abuse_Finder/Abuse_Finder.json

@@ -1,6 +1,6 @@
 {
     "name": "Abuse_Finder",
-    "version": "1.0",
+    "version": "2.0",
     "author": "CERT-BDF",
     "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
     "license": "AGPL-V3",
@@ -10,7 +10,7 @@
       "max_tlp":3,
       "service":""
     },
-    "description": "Use CERT-SG's Abuse Finder to find the abuse contact associated with domain names, URLs, IPs and email addresses",
-    "dataTypeList": ["ip", "domain", "url","email"],
+    "description": "Find abuse contacts associated with domain names, URLs, IPs and email addresses",
+    "dataTypeList": ["ip", "domain", "url", "mail"],
     "command": "Abuse_Finder/abusefinder.py"
 }

analyzers/Abuse_Finder/abusefinder.py

@@ -1,6 +1,9 @@
 #!/usr/bin/env python
-# -*- coding: utf-8 -*-
-
+# -*- coding: utf-8 -*
+"""This analyzer leverages abuse_finder, an Open Source Python library provided by CERT Société Générale to help
+automatically find the most appropriate contact for abuse reports.
+See https://github.com/certsocietegenerale/abuse_finder for further reference.
+"""
 
 import sys
 import json
@@ -14,6 +17,14 @@
 
 class AbuseFinderAnalyzer(Analyzer):
 
+    def summary(self, raw):
+
+        taxonomies = []
+        if raw['abuse_finder'] and raw['abuse_finder'].get('abuse'):
+            for abuse in raw['abuse_finder']['abuse']:
+                taxonomies.append(self.build_taxonomy("info", "Abuse_Finder", "Address", abuse))
+            return {"taxonomies": taxonomies}
+
     def abuse(self):
         if self.data_type == "ip":
             return ip_abuse(self.getData())
@@ -24,7 +35,7 @@ def abuse(self):
         elif self.data_type == "url":
             return url_abuse(self.getData())
         else:
-            self.error("datatype not handled")
+            self.error("invalid datatype")
 
     def run(self):
         self.report({'abuse_finder':self.abuse()})

analyzers/CERTatPassiveDNS/CERTatPassiveDNS.json

@@ -0,0 +1,12 @@
+{
+    "name": "CERTatPassiveDNS",
+    "author": "Nils Kuhnert, CERT-Bund",
+    "license": "AGPL-V3",
+    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
+    "version": "2.0",
+    "baseConfig": "CERTatPassiveDNS",
+    "config": {},
+    "description": "Checks CERT.at Passive DNS for a given domain, API Key via cert.at.",
+    "dataTypeList": ["domain", "fqdn"],
+    "command": "CERTatPassiveDNS/certat_passivedns.py"
+}

analyzers/CERTatPassiveDNS/certat_passivedns.py

@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+from cortexutils.analyzer import Analyzer
+from whois_wrapper import query
+
+
+class CERTatPassiveDNSAnalyzer(Analyzer):
+    """Very simple passive dns wrapper for pdns.cert.at. Needs no credentials because access is controlled through
+    firewall rules. If you want to get access, you have to contact CERT.AT, but:
+    
+    CERT.AT pDNS is not a public service. It is only available for national / governmental CERTs in good standing with
+    CERT.AT. For access, you have to get in contact with CERT.AT.
+    """
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.limit = self.get_param('config.limit', '100')
+
+    def run(self):
+        self.report({'results': query(self.getData(), int(self.limit))})
+
+    def summary(self, raw):
+        taxonomies = []
+        level = "info"
+        namespace = "CERT.at"
+        predicate = "PassiveDNS"
+
+        results = raw.get('results')
+        r = len(results)
+        if r == 0 or r == 1:
+            value = "\"{} hit\"".format(r)
+        else:
+            value = "\"{} hits\"".format(r)
+
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+        return {"taxonomies": taxonomies}
+
+if __name__ == '__main__':
+    CERTatPassiveDNSAnalyzer().run()

analyzers/CERTatPassiveDNS/requirements.txt

@@ -0,0 +1 @@
+cortexutils

analyzers/CERTatPassiveDNS/whois.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+whois -h pdns.cert.at "  $1"

analyzers/CERTatPassiveDNS/whois_wrapper.py

@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+from re import findall
+from subprocess import check_output
+
+
+def __query(domain, limit=100):
+    """Using the shell script to query pdns.cert.at is a hack, but python raises an error every time using subprocess
+    functions to call whois. So this hack is avoiding calling whois directly. Ugly, but works.
+
+    :param domain: The domain pdns is queried with.
+    :type domain: str
+    :param limit: Maximum number of results
+    :type limit: int
+    :returns: str -- Console output from whois call.
+    :rtype: str
+    """
+    s = check_output(['./whois.sh', '--limit {} {}'.format(limit, domain)], universal_newlines=True)
+    return s
+
+
+def __process_results(results):
+    """Processes the result from __query to get valid json from every entry.
+
+    :param results: Results from __query
+    :type results: str
+    :returns: python list of dictionaries containing the relevant results.
+    :rtype: list
+    """
+    result_list = []
+
+    # Splts the result and cuts first and last dataset which are comments
+    split = results.split(sep='\n\n')[1:-1]
+
+    for entry in split:
+        entry_dict = {}
+        for value in entry.split('\n'):
+            if len(value) < 1:
+                continue
+            (desc, val) = value.split(': ')
+            entry_dict[desc.replace('-', '')] = val.strip(' ')
+        result_list.append(entry_dict)
+    return result_list
+
+
+def query(domain: str, limit: int=100):
+    """Queries and returns a python dict with results.
+
+    :param domain: domain that should be queried
+    :type domain: str
+    :param limit: number of entries to return
+    :type limit: int
+    :returns: query results
+    :rtype: list
+    """
+    return __process_results(__query(domain, limit))

analyzers/CIRCLPassiveDNS/CIRCLPassiveDNS.json

@@ -3,7 +3,7 @@
     "author": "Nils Kuhnert, CERT-Bund",
     "license": "AGPL-V3",
     "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
-    "version": "1.0",
+    "version": "2.0",
     "baseConfig": "CIRCLPassiveDNS",
     "config": {},
     "description": "Check CIRCL's Passive DNS for a given domain or URL",

analyzers/CIRCLPassiveDNS/circl_passivedns.py

@@ -37,7 +37,25 @@ def query(self, domain):
         return clean_result
 
     def summary(self, raw):
-        return {'hits': len(raw.get('results'))}
+        taxonomies = []
+        level = "info"
+        namespace = "CIRCL"
+        predicate = "PassiveDNS"
+
+        if ("results" in raw):
+            r = len(raw.get('results'))
+
+        if r == 0 or r == 1:
+            value = "\"{} record\"".format(r)
+        else:
+            value = "\"{} records\"".format(r)
+
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+        return {"taxonomies": taxonomies}
+
+
+
+
 
     def run(self):
         query = ''
@@ -50,9 +68,9 @@ def run(self):
         elif self.data_type == 'domain':
             query = self.getData()
             if '/' in query:
-                self.error('\'/\' in domain. use url data type instead.')
+                self.error('\'/\' found in the supplied domain. use the URL datatype instead')
         else:
-            self.error('Incompatible data type.')
+            self.error('invalid datatype')
         self.report({'results': self.query(query)})
 
 if __name__ == '__main__':

analyzers/CIRCLPassiveSSL/CIRCLPassiveSSL.json

@@ -3,7 +3,7 @@
     "author": "Nils Kuhnert, CERT-Bund",
     "license": "AGPL-V3",
     "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
-    "version": "1.0",
+    "version": "2.0",
     "baseConfig": "CIRCLPassiveSSL",
     "config": {},
     "description": "Check CIRCL's Passive SSL for a given IP address or a X509 certificate hash",

analyzers/CIRCLPassiveSSL/circl_passivessl.py

@@ -66,17 +66,27 @@ def query_certificate(self, cert_hash):
         return {'query': cquery,
                 'cert': cfetch}
 
+
     def summary(self, raw):
-        if raw.get('cert', None):
-            result = {'num_ips_used_cert': raw.get('query').get('hits')}
-
-            # Not available for all certificates
-            if raw.get('cert').get('icsi', None):
-                result['validated'] = raw.get('cert').get('icsi').get('validated')
-                result['lastseen'] = raw.get('cert').get('icsi').get('last_seen')
-            return result
+        taxonomies = []
+        level = "info"
+        namespace = "CIRCL"
+        predicate = "PassiveSSL"
+
+        if (self.data_type == 'hash') and ("query" in raw):
+            r = raw.get('query', 0).get('hits', 0)
+        if (self.data_type == 'ip') and ("certificates" in raw):
+            r = len(raw['certificates'])
+
+        if r == 0 or r == 1:
+            value = "\"{} record\"".format(r)
         else:
-            return {'num_certs_by_ip': len(raw.get(self.getData()).get('certificates'))}
+            value = "\"{} records\"".format(r)
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+
+        return {"taxonomies": taxonomies}
+
+
 
     def run(self):
         if self.data_type == 'certificate_hash' or self.data_type == 'hash':

analyzers/CuckooSandbox/CuckooSandbox_File_Analysis.json

@@ -0,0 +1,16 @@
+{
+    "name": "CuckooSandbox_File_Analysis_Inet",
+    "version": "1.0",
+    "author": "Andrea Garavaglia, LDO-CERT",
+    "url": "https://github.com/garanews/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "baseConfig": "CuckooSandbox",
+    "config": {
+        "check_tlp": true,
+        "max_tlp":1,
+        "service": "file_analysis"
+    },
+    "description": "Cuckoo Sandbox file analysis with Internet access.",
+    "dataTypeList": ["file"],
+    "command": "CuckooSandbox/cuckoosandbox_analyzer.py"
+}

analyzers/CuckooSandbox/CuckooSandbox_Url_Analysis.json

@@ -0,0 +1,16 @@
+{
+    "name": "CuckooSandbox_Url_Analysis",
+    "version": "1.0",
+    "author": "Andrea Garavaglia, LDO-CERT",
+    "url": "https://github.com/garanews/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "baseConfig": "CuckooSandbox",
+    "config": {
+        "check_tlp": true,
+        "max_tlp":1,
+        "service": "url_analysis"
+    },
+    "description": "Cuckoo Sandbox URL analysis.",
+    "dataTypeList": ["url"],
+    "command": "CuckooSandbox/cuckoosandbox_analyzer.py"
+}