Merge branch 'hotfix/1.15.3'

analyzers/CuckooSandbox/CuckooSandbox_File_Analysis.json

@@ -1,6 +1,6 @@
 {
   "name": "CuckooSandbox_File_Analysis_Inet",
-  "version": "1.0",
+  "version": "1.1",
   "author": "Andrea Garavaglia, LDO-CERT",
   "url": "https://github.com/garanews/Cortex-Analyzers",
   "license": "AGPL-V3",

analyzers/CuckooSandbox/CuckooSandbox_Url_Analysis.json

@@ -1,6 +1,6 @@
 {
   "name": "CuckooSandbox_Url_Analysis",
-  "version": "1.0",
+  "version": "1.1",
   "author": "Andrea Garavaglia, LDO-CERT",
   "url": "https://github.com/garanews/Cortex-Analyzers",
   "license": "AGPL-V3",

analyzers/CuckooSandbox/cuckoosandbox_analyzer.py

@@ -105,17 +105,17 @@ def run(self):
             else:
                 snort_alerts = []
             try:
-                hosts = [(x['ip'], x['hostname'], x['country_name']) for x in
-                         resp_json['network']['hosts']] if 'hosts' in resp_json['network'].keys() else None
+                domains = [(x['ip'], x['domain']) for x in
+                         resp_json['network']['domains']] if 'domains' in resp_json['network'].keys() else None
             except TypeError as e:
-                hosts = [x for x in resp_json['network']['hosts']] if 'hosts' in resp_json['network'].keys() else []
+                domains = [x for x in resp_json['network']['domains']] if 'domains' in resp_json['network'].keys() else []
             uri = [(x['uri']) for x in resp_json['network']['http']] if 'http' in resp_json['network'].keys() else []
             if self.data_type == 'url':
                 self.report({
                     'signatures': list_description,
                     'suricata_alerts': suri_alerts,
                     'snort_alerts': snort_alerts,
-                    'hosts': hosts,
+                    'domains': domains,
                     'uri': uri,
                     'malscore': resp_json['malscore'] if 'malscore' in resp_json.keys() else resp_json['info'].get(
                         'score', None),
@@ -129,7 +129,7 @@ def run(self):
                     'signatures': list_description,
                     'suricata_alerts': suri_alerts,
                     'snort_alerts': snort_alerts,
-                    'hosts': hosts,
+                    'domains': domains,
                     'uri': uri,
                     'malscore': resp_json['malscore'] if 'malscore' in resp_json.keys() else resp_json['info'].get(
                         'score', None),

analyzers/ProofPoint/proofpoint_lookup.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # encoding: utf-8
 
 from cortexutils.analyzer import Analyzer

analyzers/URLhaus/URLhaus.json

@@ -1,27 +1,12 @@
 {
   "name": "URLhaus",
-  "author": "ninoseki",
+  "author": "ninoseki, Nils Kuhnert",
   "license": "MIT",
   "url": "https://github.com/ninoseki/cortex_URLhaus_analyzer",
-  "version": "1.1",
-  "description": "Search domains, URLs or hashes on URLhaus.",
-  "dataTypeList": ["domain", "url", "hash"],
+  "version": "2.0",
+  "description": "Search domains, IPs, URLs or hashes on URLhaus.",
+  "dataTypeList": ["domain", "url", "hash", "ip"],
   "command": "URLhaus/URLhaus_analyzer.py",
   "configurationItems": [
-    {
-      "name": "cache.duration",
-      "description": "Define the cache duration",
-      "type": "number",
-      "multi": false,
-      "required": true,
-      "defaultValue": 300
-    },
-    {
-      "name": "cache.root",
-      "description": "Define the path to the stored data",
-      "type": "string",
-      "multi": false,
-      "required": false
-    }
   ]
 }

analyzers/URLhaus/URLhaus_analyzer.py

@@ -1,48 +1,72 @@
 #!/usr/bin/env python3
 from cortexutils.analyzer import Analyzer
-from URLhaus import URLhaus
+from URLhaus_client import URLhausClient
 
 
 class URLhausAnalyzer(Analyzer):
     def __init__(self):
         Analyzer.__init__(self)
 
-    def search(self, indicator):
-        """
-        Searches for a website using the indicator
-        :param indicator: domain, url, hash
-        :type indicator: str
-        :return: dict
-        """
-        return URLhaus(indicator).search()
-
     def run(self):
-        targets = ["domain", "url", "hash"]
-        if self.get_data() is not None and self.data_type in targets:
-            self.report({
-                'results': self.search(self.get_data())
-            })
+        data = self.get_data()
+        if not data:
+            self.error('No observable or file given.')
+
+        results = {}
+        if self.data_type == 'url':
+            results = URLhausClient.search_url(data)
+        elif self.data_type in ['domain', 'ip']:
+            results = URLhausClient.search_host(data)
+        elif self.data_type == 'hash':
+            if len(data) in [32, 64]:
+                results = URLhausClient.search_payload(data)
+            else:
+                self.error('Only sha256 and md5 supported by URLhaus.')
+        else:
+            self.error('Datatype not supported.')
+
+        results.update({
+            'data_type': self.data_type
+        })
+        self.report(results)
 
     def summary(self, raw):
         taxonomies = []
-        level = "info"
         namespace = "URLhaus"
-        predicate = "Search"
-        value = "0 result"
 
-        results = raw["results"]
-        if len(results) >= 1:
-            level = "malicious"
-
-        if len(results) <= 1:
-            value = "{} result".format(len(results))
+        if raw['query_status'] == 'no_results':
+            taxonomies.append(self.build_taxonomy(
+                'info',
+                namespace,
+                'Search',
+                'No results'
+            ))
         else:
-            value = "{} results".format(len(results))
-
-        taxonomies.append(
-            self.build_taxonomy(level, namespace, predicate, value)
-        )
-
+            if self.data_type == 'url':
+                taxonomies.append(self.build_taxonomy(
+                    'malicious',
+                    namespace,
+                    'Threat',
+                    raw['threat']
+                ))
+            elif self.data_type in ['domain', 'ip']:
+                threat_types = []
+                for url in raw['urls']:
+                    if url['threat'] not in threat_types:
+                        threat_types.append(url['threat'])
+                taxonomies.append(self.build_taxonomy(
+                    'malicious',
+                    namespace,
+                    'Threat' if len(threat_types) == 1 else 'Threats',
+                    ','.join(threat_types)
+                ))
+            elif self.data_type == 'hash':
+                taxonomies.append(self.build_taxonomy(
+                    'malicious',
+                    namespace,
+                    'Signature',
+                    raw['signature'] if raw['signature'] and raw['signature'] != 'null' else 'Unknown'
+                ))
         return {"taxonomies": taxonomies}
 
 

analyzers/URLhaus/URLhaus_client.py

@@ -0,0 +1,51 @@
+import requests
+
+
+BASEURL = 'https://urlhaus-api.abuse.ch/v1/'
+
+
+class URLhausClient(object):
+    @staticmethod
+    def __request(endpoint, key, value) -> dict:
+        results = requests.post(
+            BASEURL + endpoint + '/',
+            {key: value}
+        ).json()
+
+        if results['query_status'] in ['ok', 'no_results']:
+            return results
+        else:
+            raise ValueError('Given value seems not to be valuid: <{}: {}>.'.format(key, value))
+
+    @staticmethod
+    def search_url(url: str) -> dict:
+        return URLhausClient.__request(
+            'url',
+            'url',
+            url
+        )
+
+    @staticmethod
+    def search_host(host: str) -> dict:
+        return URLhausClient.__request(
+            'host',
+            'host',
+            host
+        )
+
+    @staticmethod
+    def search_payload(payload_hash: str) -> dict:
+        if len(payload_hash) == 32:
+            return URLhausClient.__request(
+                'payload',
+                'md5_hash',
+                payload_hash
+            )
+        elif len(payload_hash) == 64:
+            return URLhausClient.__request(
+                'payload',
+                'sha256_hash',
+                payload_hash
+            )
+        else:
+            raise ValueError('Only sha256 and md5 hashes are allowed.')

analyzers/URLhaus/requirements.txt

@@ -1,4 +1,2 @@
-beautifulsoup4
 cortexutils
-diskcache
 requests

thehive-templates/CuckooSandbox_Url_Analysis_1_0/long.html → thehive-templates/CuckooSandbox_File_Analysis_Inet_1_1/long.html

@@ -59,20 +59,18 @@ <h4>Signatures</h4>
         </div>
         <div class="panel-body">
 
-            <div ng-if="content.hosts">
+            <div ng-if="content.domains">
                 <h4>Remote connections</h4>
                 <br>
                 <div>
                     <table class="table table-hover">
                         <tr>
-                            <th>Domain</th>
                             <th>IP</th>
-                            <th>Location</th>
+                            <th>Domain</th>
                         </tr>
-                        <tr ng-repeat="host in content.hosts track by $index">
-                            <td>{{host[1]}}</td>
-                            <td>{{host[0]}}</td>
-                            <td>{{host[2]}}</td>
+                        <tr ng-repeat="domains in content.domains track by $index">
+                            <td>{{domains[0]}}</td>
+                            <td>{{domains[1]}}</td>
                         </tr>
                     </table>
                 </div>

thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html → thehive-templates/CuckooSandbox_Url_Analysis_1_1/long.html

@@ -59,20 +59,18 @@ <h4>Signatures</h4>
         </div>
         <div class="panel-body">
 
-            <div ng-if="content.hosts">
+            <div ng-if="content.domains">
                 <h4>Remote connections</h4>
                 <br>
                 <div>
                     <table class="table table-hover">
                         <tr>
-                            <th>Domain</th>
                             <th>IP</th>
-                            <th>Location</th>
+                            <th>Domain</th>
                         </tr>
-                        <tr ng-repeat="host in content.hosts track by $index">
-                            <td>{{host[1]}}</td>
-                            <td>{{host[0]}}</td>
-                            <td>{{host[2]}}</td>
+                        <tr ng-repeat="domains in content.domains track by $index">
+                            <td>{{domains[0]}}</td>
+                            <td>{{domains[1]}}</td>
                         </tr>
                     </table>
                 </div>
@@ -105,8 +103,8 @@ <h4>URI</h4>
             <div ng-if="content.yara">
                 <h4>Yara</h4>
                 <br>
-                <dl class="dl-horizontal" ng-repeat="yara in content.yara track by $index">
-                    <dd>{{ yara }}<dd>
+                <dl class="dl-horizontal">
+                    <dd>{{ content.yara }}<dd>
                 </dl>
             </div>
             <div ng-if="!content.yara">