diff --git a/analyzers/WOT/WOT_lookup.json b/analyzers/WOT/WOT_lookup.json new file mode 100644 index 000000000..b890170cf --- /dev/null +++ b/analyzers/WOT/WOT_lookup.json @@ -0,0 +1,16 @@ +{ + "name": "WOT_Lookup", + "version": "1.0", + "author": "Andrea Garavaglia - LDO-CERT", + "url": "https://github.com/garanews/Cortex-Analyzers", + "license": "AGPL-V3", + "description": "Check a Domain against Web of Trust (WOT) a website reputation service", + "dataTypeList": ["domain"], + "baseConfig": "WOT", + "config": { + "check_tlp": true, + "max_tlp": 1, + "service": "query" + }, + "command": "WOT/WOT_lookup.py" +} diff --git a/analyzers/WOT/WOT_lookup.py b/analyzers/WOT/WOT_lookup.py new file mode 100644 index 000000000..9faddb04a --- /dev/null +++ b/analyzers/WOT/WOT_lookup.py @@ -0,0 +1,121 @@ +#!/usr/bin/env python +# encoding: utf-8 +import sys +import os +import json +import codecs +import time +import re +import requests +import datetime +import ast +from cortexutils.analyzer import Analyzer + +class WOTAnalyzer(Analyzer): + + def __init__(self): + Analyzer.__init__(self) + self.service = self.getParam( + 'config.service', None, 'Service parameter is missing') + self.WOT_key = self.getParam('config.key', None, + 'Missing WOT API key') + self.categories = { + "101": "Malware or viruses", + "102": "Poor customer experience", + "103": "Phishing", + "104": "Scam", + "105": "Potentially illegal", + "201": "Misleading claims or unethical", + "202": "Privacy risks", + "203": "Suspicious", + "204": "Hate, discrimination", + "205": "Spam", + "206": "Potentially unwanted programs", + "207": "Ads / pop-ups", + "301": "Online tracking", + "302": "Alternative or controversial medicine", + "303": "Opinions, religion, politics", + "304": "Other", + "501": "Good site", + "401": "Adult content", + "402": "Incidental nudity", + "403": "Gruesome or shocking", + "404": "Site for kids", + "501": "Good site" + } + + def points_to_verbose(self, points): + if points >= 80: + return "Excellent" + elif points >= 60: + return "Good" + elif points >= 40: + return "Unsatisfactory" + elif points >= 20: + return "Poor" + else: + return "Very poor" + + def WOT_checkurl(self, data): + url = 'http://api.mywot.com/0.4/public_link_json2?hosts=' + data + '/&callback=process&key=' + self.WOT_key + r = requests.get(url) + return json.loads(r.text.replace("process(","").replace(")","")) + + def summary(self, raw): + taxonomies = [] + level = "safe" + value = "-" + + categories = raw.get("Categories", None) + blacklists = raw.get("Blacklists", None) + num_categories = raw.get("Categories Identifier", None) + + if categories: + value = "|".join(categories) + if blacklists: + value = "|".join([x[0] for x in blacklists]) + level = "malicious" + else: + if num_categories: + min_cat = min([int(x) for x in num_categories]) + else: + min_cat = 501 + if min_cat > 300: + level = "safe" + elif min_cat > 200: + level = "suspicious" + else: + level = "malicious" + + taxonomies.append(self.build_taxonomy(level, "WOT", "Category", value)) + return {"taxonomies": taxonomies} + + def run(self): + if self.service == 'query': + if self.data_type == 'url': + data = self.getParam('data', None, 'Data is missing') + r = self.WOT_checkurl(data) + if data in r.keys(): + info = r[data] + r_dict = {} + if '0' in info.keys(): + r_dict['Trustworthiness'] = {} + r_dict['Trustworthiness']['Reputation'] = self.points_to_verbose(info['0'][0]) + r_dict['Trustworthiness']['Confidence'] = self.points_to_verbose(info['0'][1]) + if '4' in info.keys(): + r_dict['Child_Safety'] = {} + r_dict['Child_Safety']['Reputation'] = self.points_to_verbose(info['4'][0]) + r_dict['Child_Safety']['Confidence'] = self.points_to_verbose(info['4'][1]) + if 'blacklists' in info.keys(): + r_dict['Blacklists'] = [(k, datetime.datetime.fromtimestamp(v).strftime('%Y-%m-%d %H:%M:%S') ) for k,v in info['blacklists'].items()] + if 'categories' in info.keys(): + r_dict['Categories'] = [self.categories[x] for x in list(info['categories'].keys())] + r_dict['Categories Identifier'] = list(info['categories'].keys()) + self.report(r_dict) + else: + self.error('Invalid data type') + else: + self.error('Invalid service') + +if __name__ == '__main__': + WOTAnalyzer().run() diff --git a/analyzers/WOT/requirements.txt b/analyzers/WOT/requirements.txt new file mode 100644 index 000000000..37dfee161 --- /dev/null +++ b/analyzers/WOT/requirements.txt @@ -0,0 +1 @@ +cortexutils \ No newline at end of file diff --git a/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html b/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html index 9852a13f4..244e258d3 100644 --- a/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html +++ b/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html @@ -129,7 +129,7 @@

Suricata Alerts

{{ suri }}
-
+
No suspicious suricata alerts reported
diff --git a/thehive-templates/CuckooSandbox_Url_Analysis_1_0/long.html b/thehive-templates/CuckooSandbox_Url_Analysis_1_0/long.html index 9852a13f4..9331a2a1b 100644 --- a/thehive-templates/CuckooSandbox_Url_Analysis_1_0/long.html +++ b/thehive-templates/CuckooSandbox_Url_Analysis_1_0/long.html @@ -105,8 +105,8 @@

URI

Yara


-
-
{{ yara }}
+
+
{{ content.yara }}
@@ -129,7 +129,7 @@

Suricata Alerts

{{ suri }}
-
+
No suspicious suricata alerts reported
diff --git a/thehive-templates/WOT_lookup_1_0/long.html b/thehive-templates/WOT_lookup_1_0/long.html new file mode 100644 index 000000000..ce4abe93e --- /dev/null +++ b/thehive-templates/WOT_lookup_1_0/long.html @@ -0,0 +1,69 @@ +
+ + +
+
+ General Information +
+
+ +
+

Trustworthiness

+
+
Reputation
+
{{content.Trustworthiness.Reputation}}
+
+
+
Confidence
+
{{content.Trustworthiness.Confidence}}
+
+
+ +
+

Child Safety

+
+
Reputation
+
{{content.Child_Safety.Reputation}}
+
+
+
Confidence
+
{{content.Child_Safety.Confidence}}
+
+
+ +
+

Blacklists

+
+
+
{{ blk[0] }}
+
{{ blk[1] }}
+
+
+ +
+

Categories

+
+
+
{{ ctg }}
+
+
+ +
+
+ +
+ + + +
+
+ {{(artifact.data || artifact.attachment.name) | fang}} +
+
+ {{content.errorMessage}} +
+
\ No newline at end of file diff --git a/thehive-templates/WOT_lookup_1_0/short.html b/thehive-templates/WOT_lookup_1_0/short.html new file mode 100644 index 000000000..563ca58f3 --- /dev/null +++ b/thehive-templates/WOT_lookup_1_0/short.html @@ -0,0 +1,3 @@ + + {{t.namespace}}:{{t.predicate}}={{t.value}} +