#465 add IOC Parser feature for PDF files

TheHive-Project · Apr 25, 2019 · 76b9b49 · 76b9b49
1 parent d2ef8d6
commit 76b9b49
Show file tree

Hide file tree

Showing 5 changed files with 110 additions and 1 deletion.
diff --git a/analyzers/FileInfo/FileInfo.json b/analyzers/FileInfo/FileInfo.json
@@ -1,6 +1,6 @@
 {
   "name": "FileInfo",
-  "version": "5.0",
+  "version": 6.0",
   "author": "TheHive-Project",
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "license": "AGPL-V3",

diff --git a/analyzers/FileInfo/submodules/__init__.py b/analyzers/FileInfo/submodules/__init__.py
@@ -3,11 +3,13 @@
 from .submodule_pdfid import PDFIDSubmodule
 from .submodule_outlook import OutlookSubmodule
 from .submodule_rtfobj import RTFObjectSubmodule
+from .submodule_ioc_parser import IOCPSubmodule
 
 available_submodules = [
     PESubmodule(),
     OLEToolsSubmodule(),
     PDFIDSubmodule(),
+    IOCPSubmodule(),
     OutlookSubmodule(),
     RTFObjectSubmodule()
 ]
diff --git a/analyzers/FileInfo/submodules/submodule_ioc_parser.py b/analyzers/FileInfo/submodules/submodule_ioc_parser.py
@@ -0,0 +1,67 @@
+from iocp import Parser
+import sys
+from io import StringIO
+from contextlib import redirect_stdout
+
+import json
+
+from .submodule_base import SubmoduleBaseclass
+
+
+class IOCPSubmodule(SubmoduleBaseclass):
+    def __init__(self):
+        SubmoduleBaseclass.__init__(self)
+        self.name = 'IOC Parser'
+
+    def check_file(self, **kwargs):
+        """
+        IOCP submodule will analyze every supported file and deliver IOCs found in it
+
+        :return: True
+        """
+        if kwargs.get('filetype') in ['PDF']:
+            return True
+
+    def module_summary(self):
+        taxonomies = []
+        level = 'info'
+        namespace = 'FileInfo'
+        predicate = 'IOC Parser'
+        value = ''
+        #pdfid_version = ''
+        for section in self.results:
+            if section['submodule_section_header'] == 'IOC Parser Information':
+                #if section.get('submodule_section_content').get('iocp_result'):  
+                iocp_len = len(section.get('submodule_section_content').get('iocp_result')) 
+                taxonomies.append(self.build_taxonomy(level, namespace, predicate, iocp_len))
+        self.summary['taxonomies'] = taxonomies
+        return self.summary
+
+    def iocparser(self, path):
+        """
+        """
+        out = StringIO()
+        results = {'iocp_result': []}
+        P = Parser
+        oformat = 'json'
+        try:
+            with redirect_stdout(out):
+                P.Parser(output_format=oformat).parse(path)
+            oo = out.getvalue().split('\n')
+            if oo[-1] == '':
+                oo.pop()
+            for i in oo:
+                j = {}
+                for k,v in json.loads(i).items():
+                    if k in ['match','type']:
+                        j.update({k:v})
+                if j not in results['iocp_result']:
+                    results['iocp_result'].append(j)
+        except Exception as e:
+            return e
+        return results
+
+
+    def analyze_file(self, path):
+        self.add_result_subsection('IOC Parser Information', self.iocparser(path))
+        return self.results
diff --git a/thehive-templates/FileInfo_5_0/long.html → thehive-templates/FileInfo_6_0/long.html b/thehive-templates/FileInfo_5_0/long.html → thehive-templates/FileInfo_6_0/long.html
@@ -558,6 +558,46 @@ <h4 class="panel-title">Summary</h4>
                     </div>
                 </div>
             </div>
+
+            <!-- IOCParser submodule -->
+            <div ng-if="result.submodule_name=='IOC Parser'">
+                <div class="panel-body">  
+                    <div ng-repeat="r in result.results" class="panel panel-primary">
+                        <div class="panel-heading" ng-if="r.submodule_section_header=='IOC Parser Information'">
+                            <h4 class="panel-title">IOC Parser Information</h4>
+                        </div>
+                        <div class="panel panel-body">    
+                            <div>
+                                <h4>Summary</h4>
+                                <br>
+                                <p><b>Number of IOC found in the file: </b> <span class="label label-default">{{r.submodule_section_content.iocp_result.length}}</span>
+                                </p>
+                            </div>
+                            <br>
+                            <br>
+                            <div ng-if="r.submodule_section_content.iocp_result.length > 0">
+                                <h4>List of IOC</h4>
+                                <table class="table table-striped">
+                                    <thead>
+                                        <tr>
+                                            <th>#</th>
+                                            <th>Data Type</th>
+                                            <th>Data</th>
+                                        </tr>
+                                    </thead>
+                                    <tbody>
+                                        <tr ng-repeat="o in r.submodule_section_content.iocp_result">
+                                            <th>{{$index}}</th>
+                                            <td>{{o.type}}</td>
+                                            <td>{{o.match}}</td>
+                                        </tr>
+                                    </tbody>
+                                </table>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </div>
         </uib-tab>
     </uib-tabset>
 </div>
diff --git a/thehive-templates/FileInfo_5_0/short.html → thehive-templates/FileInfo_6_0/short.html b/thehive-templates/FileInfo_5_0/short.html → thehive-templates/FileInfo_6_0/short.html