Merge branch 'release/2.3.0'

TheHive-Project · Nov 28, 2019 · 8e7e43f · 8e7e43f
2 parents 9d926b1 + 8eeeee9
commit 8e7e43f
Show file tree

Hide file tree

Showing 38 changed files with 2,150 additions and 182 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
diff --git a/analyzers/CuckooSandbox/CuckooSandbox_File_Analysis.json b/analyzers/CuckooSandbox/CuckooSandbox_File_Analysis.json
@@ -16,13 +16,27 @@
       "multi": false,
       "required": true
     },
+    {
+      "name": "token",
+      "description": "API token",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
     {
       "name": "verifyssl",
       "description": "Verify SSL certificate",
       "type": "boolean",
       "multi": false,
       "required": true,
       "defaultValue": true
+    },
+    {
+      "name": "cert_path",
+      "description": "Path to the CA on the system used to check server certificate",
+      "type": "string",
+      "multi": false,
+      "required": false
     }
   ]
 }
diff --git a/analyzers/CuckooSandbox/CuckooSandbox_Url_Analysis.json b/analyzers/CuckooSandbox/CuckooSandbox_Url_Analysis.json
@@ -16,13 +16,27 @@
       "multi": false,
       "required": true
     },
+    {
+      "name": "token",
+      "description": "API token",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
     {
       "name": "verifyssl",
       "description": "Verify SSL certificate",
       "type": "boolean",
       "multi": false,
       "required": true,
       "defaultValue": true
+    },
+    {
+      "name": "cert_path",
+      "description": "Path to the CA on the system used to check server certificate",
+      "type": "string",
+      "multi": false,
+      "required": false
     }
   ]
 

diff --git a/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py b/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
@@ -13,10 +13,11 @@ def __init__(self):
         Analyzer.__init__(self)
         self.url = self.get_param('config.url', None, 'CuckooSandbox url is missing')
         self.url = self.url + "/" if not self.url.endswith("/") else self.url
+        self.token = self.get_param('config.token', None, None)
         # self.analysistimeout = self.get_param('config.analysistimeout', 30*60, None)
         # self.networktimeout = self.get_param('config.networktimeout', 30, None)
-        self.verify = self.get_param('config.verifyssl', True, None)
-        if not self.verify:
+        self.verify_ssl = self.get_param('config.verifyssl', True, None)
+        if not self.verify_ssl:
             from requests.packages.urllib3.exceptions import InsecureRequestWarning
             requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 
@@ -50,23 +51,36 @@ def run(self):
         Analyzer.run(self)
 
         try:
+            headers = dict()
+            if self.token and self.token != "":
+                headers['Authorization'] = "Bearer {0}".format(self.token)
 
             # file analysis
             if self.data_type == 'file':
                 filepath = self.get_param('file', None, 'File is missing')
                 filename = self.get_param('filename', basename(filepath))
                 with open(filepath, "rb") as sample:
                     files = {"file": (filename, sample)}
-                    response = requests.post(self.url + 'tasks/create/file', files=files, verify=self.verify)
-                task_id = response.json()['task_ids'][0] if 'task_ids' in response.json().keys() \
-                    else response.json()['task_id']
+                    response = requests.post(self.url + 'tasks/create/file', files=files, headers=headers, verify=self.verify_ssl)
+                if 'task_ids' in response.json().keys():
+                    task_id = response.json()['task_ids'][0]
+                elif 'task_id' in response.json().keys():
+                    task_id = response.json()['task_id']
+                elif response.status_code == 401:
+                    self.error("API token is required by this Cuckoo instance.")
+                else:
+                    self.error(response.json()['message'])
 
             # url analysis
             elif self.data_type == 'url':
                 data = {"url": self.get_data()}
-                response = requests.post(
-                    self.url + 'tasks/create/url', data=data, verify=self.verify)
-                task_id = response.json()['task_id']
+                response = requests.post(self.url + 'tasks/create/url', data=data, headers=headers, verify=self.verify_ssl)
+                if 'task_id' in response.json().keys():
+                    task_id = response.json()['task_id']
+                elif response.status_code == 401:
+                    self.error("API token is required by this Cuckoo instance.")
+                else:
+                    self.error(response.json()['message'])
 
             else:
                 self.error('Invalid data type !')
@@ -75,8 +89,7 @@ def run(self):
             tries = 0
             while not finished and tries <= 15:  # wait max 15 mins
                 time.sleep(60)
-                response = requests.get(
-                    self.url + 'tasks/view/' + str(task_id), verify=self.verify)
+                response = requests.get(self.url + 'tasks/view/' + str(task_id), headers=headers, verify=self.verify_ssl)
                 content = response.json()['task']['status']
                 if content == 'reported':
                     finished = True
@@ -85,8 +98,7 @@ def run(self):
                 self.error('CuckooSandbox analysis timed out')
 
             # Download the report
-            response = requests.get(
-                self.url + 'tasks/report/' + str(task_id) + '/json', verify=self.verify)
+            response = requests.get(self.url + 'tasks/report/' + str(task_id) + '/json', headers=headers, verify=self.verify_ssl)
             resp_json = response.json()
             list_description = [x['description'] for x in resp_json['signatures']]
             if 'suricata' in resp_json.keys() and 'alerts' in resp_json['suricata'].keys():
@@ -148,7 +160,7 @@ def run(self):
                 })
 
         except requests.exceptions.RequestException as e:
-            self.error(e)
+            self.error(str(e))
 
         except Exception as e:
             self.unexpectedError(e)

diff --git a/analyzers/FileInfo/submodules/submodule_oletools.py b/analyzers/FileInfo/submodules/submodule_oletools.py
@@ -30,7 +30,8 @@ def check_file(self, **kwargs):
                 'PPTX'
             ] or (kwargs.get('mimetype').startswith("application/vnd.openxmlformats-officedocument") or
                  kwargs.get('mimetype').startswith("application/encrypted") or
-                 kwargs.get('mimetype').startswith("application/vnd.ms-")
+                 kwargs.get('mimetype').startswith("application/vnd.ms-") or
+                 kwargs.get('mimetype').startswith("application/msword")
             ):
                 if kwargs.get('mimetype').startswith("application/encrypted") and not is_encrypted(kwargs.get('file')):
                     return False

diff --git a/analyzers/Fortiguard/urlcategory.py b/analyzers/Fortiguard/urlcategory.py
@@ -35,7 +35,7 @@ def run(self):
 
         if self.data_type == 'domain' or self.data_type == 'url' or self.data_type == 'fqdn':
             try:
-                pattern = re.compile("(?:Category: )([\w\s]+)")
+                pattern = re.compile("(?:Category: )([-\w\s]+)")
                 baseurl = 'https://www.fortiguard.com/webfilter?q='
                 url = baseurl + self.get_data()
                 req = requests.get(url)