Merge pull request #77 from garanews/master

added WOT analyzer & fixed cuckoo templates issue
TheHive-Project · Jul 25, 2017 · a372d13 · a372d13
2 parents d622fa0 + 478be79
commit a372d13
Show file tree

Hide file tree

Showing 7 changed files with 214 additions and 4 deletions.
diff --git a/analyzers/WOT/WOT_lookup.json b/analyzers/WOT/WOT_lookup.json
@@ -0,0 +1,16 @@
+{
+    "name": "WOT_Lookup",
+    "version": "1.0",
+    "author": "Andrea Garavaglia - LDO-CERT",
+    "url": "https://github.com/garanews/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Check a Domain against Web of Trust (WOT) a website reputation service",
+    "dataTypeList": ["domain"],
+    "baseConfig": "WOT",
+    "config": {
+        "check_tlp": true,
+        "max_tlp": 1,
+        "service": "query"
+    },
+    "command": "WOT/WOT_lookup.py"
+}
diff --git a/analyzers/WOT/WOT_lookup.py b/analyzers/WOT/WOT_lookup.py
@@ -0,0 +1,121 @@
+#!/usr/bin/env python
+# encoding: utf-8
+import sys
+import os
+import json
+import codecs
+import time
+import re
+import requests
+import datetime
+import ast
+from cortexutils.analyzer import Analyzer
+
+class WOTAnalyzer(Analyzer):
+
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.service = self.getParam(
+            'config.service', None, 'Service parameter is missing')
+        self.WOT_key = self.getParam('config.key', None,
+                                    'Missing WOT API key')
+        self.categories = {
+            "101": "Malware or viruses",
+            "102": "Poor customer experience",
+            "103": "Phishing",
+            "104": "Scam",
+            "105": "Potentially illegal",
+            "201": "Misleading claims or unethical",
+            "202": "Privacy risks",
+            "203": "Suspicious",
+            "204": "Hate, discrimination",
+            "205": "Spam",
+            "206": "Potentially unwanted programs",
+            "207": "Ads / pop-ups",
+            "301": "Online tracking",
+            "302": "Alternative or controversial medicine",
+            "303": "Opinions, religion, politics",
+            "304": "Other",
+            "501": "Good site",
+            "401": "Adult content",
+            "402": "Incidental nudity",
+            "403": "Gruesome or shocking",
+            "404": "Site for kids",
+            "501": "Good site"
+        }
+
+    def points_to_verbose(self, points):
+        if points >= 80:
+            return "Excellent"
+        elif points >= 60:
+            return "Good"
+        elif points >= 40:
+            return "Unsatisfactory"
+        elif points >= 20:
+            return "Poor"
+        else:
+            return "Very poor"
+
+    def WOT_checkurl(self, data):
+        url = 'http://api.mywot.com/0.4/public_link_json2?hosts=' + data + '/&callback=process&key=' + self.WOT_key
+        r = requests.get(url)
+        return json.loads(r.text.replace("process(","").replace(")",""))
+
+    def summary(self, raw):
+        taxonomies = []
+        level = "safe"
+        value = "-"
+
+        categories = raw.get("Categories", None)
+        blacklists = raw.get("Blacklists", None)
+        num_categories = raw.get("Categories Identifier", None)
+
+        if categories:
+            value = "|".join(categories)
+        if blacklists:
+            value = "|".join([x[0] for x in blacklists])
+            level = "malicious"
+        else:
+            if num_categories:
+                min_cat = min([int(x) for x in num_categories])
+            else:
+                min_cat = 501
+            if min_cat > 300:
+                level = "safe"
+            elif min_cat > 200:
+                level = "suspicious"
+            else:
+                level = "malicious"
+
+        taxonomies.append(self.build_taxonomy(level, "WOT", "Category", value))
+        return {"taxonomies": taxonomies}
+
+    def run(self):
+        if self.service == 'query':
+            if self.data_type == 'url':
+                data = self.getParam('data', None, 'Data is missing')
+                r = self.WOT_checkurl(data)
+                if data in r.keys():
+                    info = r[data]
+                    r_dict = {}
+                    if '0' in info.keys():
+                        r_dict['Trustworthiness'] = {}
+                        r_dict['Trustworthiness']['Reputation'] = self.points_to_verbose(info['0'][0])
+                        r_dict['Trustworthiness']['Confidence'] = self.points_to_verbose(info['0'][1])
+                    if '4' in info.keys():
+                        r_dict['Child_Safety'] = {}
+                        r_dict['Child_Safety']['Reputation'] = self.points_to_verbose(info['4'][0]) 
+                        r_dict['Child_Safety']['Confidence'] = self.points_to_verbose(info['4'][1]) 
+                    if 'blacklists' in info.keys():
+                        r_dict['Blacklists'] = [(k, datetime.datetime.fromtimestamp(v).strftime('%Y-%m-%d %H:%M:%S') ) for k,v in info['blacklists'].items()]
+                    if 'categories' in info.keys():
+                        r_dict['Categories'] = [self.categories[x] for x in list(info['categories'].keys())]
+                        r_dict['Categories Identifier'] = list(info['categories'].keys())
+                    self.report(r_dict)
+            else:
+                self.error('Invalid data type')
+        else:
+            self.error('Invalid service')
+
+if __name__ == '__main__':
+    WOTAnalyzer().run()
diff --git a/analyzers/WOT/requirements.txt b/analyzers/WOT/requirements.txt
@@ -0,0 +1 @@
+cortexutils
diff --git a/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html b/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html
@@ -129,7 +129,7 @@ <h4>Suricata Alerts</h4>
                     <dd>{{ suri }}<dd>
                 </dl>
             </div>
-            <div ng-if="!content.suri">
+            <div ng-if="!content.suricata_alerts">
                 No suspicious suricata alerts reported
             </div>
         </div>

diff --git a/thehive-templates/CuckooSandbox_Url_Analysis_1_0/long.html b/thehive-templates/CuckooSandbox_Url_Analysis_1_0/long.html
@@ -105,8 +105,8 @@ <h4>URI</h4>
             <div ng-if="content.yara">
                 <h4>Yara</h4>
                 <br>
-                <dl class="dl-horizontal" ng-repeat="yara in content.yara track by $index">
-                    <dd>{{ yara }}<dd>
+                <dl class="dl-horizontal">
+                    <dd>{{ content.yara }}<dd>
                 </dl>
             </div>
             <div ng-if="!content.yara">
@@ -129,7 +129,7 @@ <h4>Suricata Alerts</h4>
                     <dd>{{ suri }}<dd>
                 </dl>
             </div>
-            <div ng-if="!content.suri">
+            <div ng-if="!content.suricata_alerts">
                 No suspicious suricata alerts reported
             </div>
         </div>

diff --git a/thehive-templates/WOT_lookup_1_0/long.html b/thehive-templates/WOT_lookup_1_0/long.html
@@ -0,0 +1,69 @@
+<div class="report-WOT" ng-if="success">
+    <style>
+        .report-WOT dl {
+            margin-bottom: 2px;
+        }
+    </style>
+
+    <div class="panel panel-info">
+        <div class="panel-heading">
+            <strong>General Information</strong>
+        </div>
+        <div class="panel-body">
+
+            <div ng-if="content.Trustworthiness">
+                <h4>Trustworthiness</h4>
+                <dl class="dl-horizontal">
+                    <dt>Reputation</dt>
+                    <dd>{{content.Trustworthiness.Reputation}}</dd>
+                </dl>
+                <dl class="dl-horizontal">
+                    <dt>Confidence</dt>
+                    <dd>{{content.Trustworthiness.Confidence}}</dd>
+                </dl>   
+            </div>
+
+            <div ng-if="content.Child_Safety">
+                <h4>Child Safety</h4>
+                <dl class="dl-horizontal">
+                    <dt>Reputation</dt>
+                    <dd>{{content.Child_Safety.Reputation}}</dd>
+                </dl>
+                <dl class="dl-horizontal">
+                    <dt>Confidence</dt>
+                    <dd>{{content.Child_Safety.Confidence}}</dd>
+                </dl>   
+            </div>
+
+            <div ng-if="content.Blacklists">
+                <h4>Blacklists</h4>
+                <br>
+                <dl class="dl-horizontal" ng-repeat="blk in content.Blacklists track by $index">
+                    <dt>{{ blk[0] }}</dt>
+                    <dd>{{ blk[1] }}</dd>
+                </dl>
+            </div>           
+
+            <div ng-if="content.Categories">
+                <h4>Categories</h4>
+                <br>
+                <dl class="dl-horizontal" ng-repeat="ctg in content.Categories track by $index">
+                    <dd>{{ ctg }}</dd>
+                </dl>
+            </div>  
+
+        </div>
+    </div>
+
+</div>
+
+
+<!-- General error  -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>
diff --git a/thehive-templates/WOT_lookup_1_0/short.html b/thehive-templates/WOT_lookup_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>&nbsp;