Add URLhaus analyzer

TheHive-Project · Apr 12, 2018 · 79dc4d1 · 79dc4d1
1 parent cc4c462
commit 79dc4d1
Show file tree

Hide file tree

Showing 6 changed files with 154 additions and 0 deletions.
diff --git a/analyzers/URLhaus/URLhaus.json b/analyzers/URLhaus/URLhaus.json
@@ -0,0 +1,10 @@
+{
+  "name": "URLhaus",
+  "author": "ninoseki",
+  "license": "MIT",
+  "url": "https://github.com/ninoseki/cortex_URLhaus_analyzer",
+  "version": "0.1.0",
+  "description": "Search domains, URLs or hashes on URLhaus",
+  "dataTypeList": ["domain", "url", "hash"],
+  "command": "URLhaus/URLhaus_analyzer.py"
+}
diff --git a/analyzers/URLhaus/URLhaus.py b/analyzers/URLhaus/URLhaus.py
@@ -0,0 +1,39 @@
+from requests_html import HTMLSession
+import urllib
+
+
+class URLhaus:
+    def __init__(self, query):
+        self.URL = "https://urlhaus.abuse.ch/browse.php"
+        self.query = query
+
+    def search(self):
+        res = self.fetch()
+        return self.parse(res)
+
+    def fetch(self):
+        session = HTMLSession()
+        return session.get(self.target_url())
+
+    def parse(self, res):
+        results = []
+        table = res.html.find("table.table", first=True)
+        rows = table.find("tr")[1:]
+        for row in rows:
+            cols = row.find("td")
+            results.append({
+                "dateadded": cols[0].text,
+                "malware_url": cols[1].text,
+                "link": cols[1].find("a", first=True).attrs.get("href"),
+                "status": cols[2].text,
+                "tags": cols[3].text.split(),
+                "gsb": cols[4].text,
+                "reporter": cols[5].text
+            })
+        return results
+
+    def target_url(self):
+        return "{}?{}".format(
+            self.URL,
+            urllib.parse.urlencode({"search": self.query})
+        )
diff --git a/analyzers/URLhaus/URLhaus_analyzer.py b/analyzers/URLhaus/URLhaus_analyzer.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+from cortexutils.analyzer import Analyzer
+from URLhaus import URLhaus
+
+
+class URLhausAnalyzer(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+
+    def search(self, indicator):
+        """
+        Searches for a website using the indicator
+        :param indicator: domain, url, hash
+        :type indicator: str
+        :return: dict
+        """
+        return URLhaus(indicator).search()
+
+    def run(self):
+        targets = ["domain", "url", "hash"]
+        if self.get_data() is not None and self.data_type in targets:
+            self.report({
+                'results': self.search(self.get_data())
+            })
+
+    def summary(self, raw):
+        taxonomies = []
+        level = "info"
+        namespace = "URLhaus"
+        predicate = "Search"
+        value = "\"0 result\""
+
+        results = raw["results"]
+        if len(results) >= 1:
+            level = "malicious"
+
+        if len(results) <= 1:
+            value = "\"{} result\"".format(len(results))
+        else:
+            value = "\"{} results\"".format(len(results))
+
+        taxonomies.append(
+            self.build_taxonomy(level, namespace, predicate, value)
+        )
+
+        return {"taxonomies": taxonomies}
+
+
+if __name__ == '__main__':
+    URLhausAnalyzer().run()
diff --git a/analyzers/URLhaus/requirements.txt b/analyzers/URLhaus/requirements.txt
@@ -0,0 +1 @@
+requests-html
diff --git a/thehive-templates/URLhaus_0_1_0/long.html b/thehive-templates/URLhaus_0_1_0/long.html
@@ -0,0 +1,51 @@
+<div class="panel panel-info" ng-if="success">
+  <div class="panel-heading">
+    URLhaus search resutls for
+    <strong>{{artifact.data}}</strong>
+  </div>
+  <div class="panel-body">
+    <p ng-if="content.results.length == 0">
+      No result found.
+    </p>
+    <table class="table" ng-if="content.results">
+      <thead>
+        <th>Dateadded (UTC)</th>
+        <th>Malware URL</th>
+        <th>Status</th>
+        <th>Tags</th>
+        <th>GSB</th>
+        <th>Reporter</th>
+      </thead>
+      <tbody ng-repeat="r in content.results">
+        <tr>
+          <td>{{r.dateadded}}</td>
+          <td>
+            <a href="https://urlhaus.abuse.ch{{r.link}}" target=”_blank”>
+              {{r.malware_url}}
+            </a>
+          </td>
+          <td>{{r.status}}</td>
+          <td>
+            <span ng-repeat="tag in r.tags"> {{tag}} </span>
+          </td>
+          <td>{{r.gsb}}</td>
+          <td>{{r.reporter}}</td>
+        </tr>
+      </tbody>
+    </table>
+  </div>
+</div>
+
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+  <div class="panel-heading">
+    <strong>{{artifact.data | fang}}</strong>
+  </div>
+  <div class="panel-body">
+    <dl class="dl-horizontal" ng-if="content.errorMessage">
+      <dt>
+        <i class="fa fa-warning"></i> urlscan.io: </dt>
+      <dd class="wrap">{{content.errorMessage}}</dd>
+    </dl>
+  </div>
+</div>
diff --git a/thehive-templates/URLhaus_0_1_0/short.html b/thehive-templates/URLhaus_0_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>