Add TeamCymruMHR Analyzer (#580)

TheHive-Project · Jan 14, 2020 · 8197824 · 8197824
1 parent eec68ea
commit 8197824
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 0 deletions.
diff --git a/analyzers/TeamCymruMHR/TeamCymruMHR.json b/analyzers/TeamCymruMHR/TeamCymruMHR.json
@@ -0,0 +1,15 @@
+{
+    "name": "TeamCymruMHR",
+    "version": "1.0",
+    "author": "Wes Lambert",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Submit hash to Team Cymru's Malware Hash Registry",
+    "dataTypeList": ["hash"],
+    "baseConfig": "TeamCymruMHR",
+    "config": {
+       "service": "HashLookup"
+    },
+    "command": "TeamCymruMHR/TeamCymruMHR.py",
+    "configurationItems": []
+}
diff --git a/analyzers/TeamCymruMHR/TeamCymruMHR.py b/analyzers/TeamCymruMHR/TeamCymruMHR.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.analyzer import Analyzer
+import dns.resolver
+import time
+
+class TeamCymruMHRAnalyzer(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.observable = self.get_param('data', None, 'Data missing!')
+
+    def summary(self, raw):
+        taxonomies = []
+        level = 'info'
+        namespace = 'TeamCymruMHR'
+
+        # Set predicate for last_seen
+        predicate = 'last_seen'
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, raw['last_seen']))
+
+        # Set predicate for detection percentage
+        predicate = 'detection_pct'
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, raw['detection_pct']))
+
+        return {"taxonomies": taxonomies}
+
+    def run(self):
+        lookup = dns.resolver.query(self.observable + '.malware.hash.cymru.com', 'TXT')
+        for rdata in lookup:
+            for txt_string in rdata.strings:
+                last_seen_epoch = str(txt_string).split("\'")[1].split(" ")[0]
+                # Make timestamp mor readable for humans, but maintain UTC
+                last_seen = time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(int(last_seen_epoch)))
+                detection_pct = str(txt_string).split("\'")[1].split(" ")[1]
+        self.report({ 'last_seen': last_seen, 'detection_pct': detection_pct })
+
+if __name__ == '__main__':
+    TeamCymruMHRAnalyzer().run()
diff --git a/analyzers/TeamCymruMHR/requirements.txt b/analyzers/TeamCymruMHR/requirements.txt
@@ -0,0 +1 @@
+dnspython
diff --git a/thehive-templates/TeamCymruMHR_1_0/long.html b/thehive-templates/TeamCymruMHR_1_0/long.html
@@ -0,0 +1,16 @@
+<div class="panel panel-info">
+    <div class="panel-heading">
+        TeamCymru Search Results
+    </div>
+    <div class="panel-body">
+        <table class="table table-hover">
+            <tr>
+                <th>Last Seen</th>
+                <th>Detection Percentage</th>
+            </tr>
+                <td>{{content.last_seen | ellipsis:40}}</td>
+                <td>{{content.detection_pct}}</a></td>
+            </tr>
+        </table>
+    </div>
+</div>
diff --git a/thehive-templates/TeamCymruMHR_1_0/short.html b/thehive-templates/TeamCymruMHR_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>