From 654b5fd5579b293b8a277673ba0e3c267687dd7a Mon Sep 17 00:00:00 2001 From: garanews Date: Mon, 10 Jul 2017 12:14:13 +0200 Subject: [PATCH 1/6] Update long.html fixed suricata template --- .../CuckooSandbox_File_Analysis_Inet_1_0/long.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html b/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html index c981893a0..e9bbe39ab 100644 --- a/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html +++ b/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html @@ -125,11 +125,11 @@

Yara

Suricata Alerts


-
+
{{ suri }}
-
+
No suspicious suricata alerts reported
@@ -145,4 +145,4 @@

Suricata Alerts

{{content.errorMessage}}
- \ No newline at end of file + From 885400a0986d6e4091d79b8caa0ec08c9010855a Mon Sep 17 00:00:00 2001 From: garanews Date: Thu, 13 Jul 2017 17:27:11 +0100 Subject: [PATCH 2/6] added WOT analyzer The WOT (Web Of Trust) reputation system computes website reputations using ratings received from users and information from third-party sources. --- analyzers/WOT/WOT_lookup.json | 16 +++ analyzers/WOT/WOT_lookup.py | 121 ++++++++++++++++++++ analyzers/WOT/requirements.txt | 1 + thehive-templates/WOT_lookup_1_0/long.html | 69 +++++++++++ thehive-templates/WOT_lookup_1_0/short.html | 3 + 5 files changed, 210 insertions(+) create mode 100644 analyzers/WOT/WOT_lookup.json create mode 100644 analyzers/WOT/WOT_lookup.py create mode 100644 analyzers/WOT/requirements.txt create mode 100644 thehive-templates/WOT_lookup_1_0/long.html create mode 100644 thehive-templates/WOT_lookup_1_0/short.html diff --git a/analyzers/WOT/WOT_lookup.json b/analyzers/WOT/WOT_lookup.json new file mode 100644 index 000000000..3905d2db9 --- /dev/null +++ b/analyzers/WOT/WOT_lookup.json @@ -0,0 +1,16 @@ +{ + "name": "WOT_Lookup", + "version": "1.0", + "author": "Andrea Garavaglia - CERT-LDO", + "url": "https://github.com/garanews/Cortex-Analyzers", + "license": "AGPL-V3", + "description": "Check a URL against Web of Trust (WOT) a website reputation service", + "dataTypeList": ["url"], + "baseConfig": "WOT", + "config": { + "check_tlp": true, + "max_tlp": 1, + "service": "query" + }, + "command": "WOT/WOT_lookup.py" +} diff --git a/analyzers/WOT/WOT_lookup.py b/analyzers/WOT/WOT_lookup.py new file mode 100644 index 000000000..9faddb04a --- /dev/null +++ b/analyzers/WOT/WOT_lookup.py 
@@ -0,0 +1,121 @@
+#!/usr/bin/env python
+# encoding: utf-8
+import sys
+import os
+import json
+import codecs
+import time
+import re
+import requests
+import datetime
+import ast
+from cortexutils.analyzer import Analyzer
+
+class WOTAnalyzer(Analyzer):
+
+ def __init__(self):
+ Analyzer.__init__(self)
+ self.service = self.getParam(
+ 'config.service', None, 'Service parameter is missing')
+ self.WOT_key = self.getParam('config.key', None,
+ 'Missing WOT API key')
+ self.categories = {
+ "101": "Malware or viruses",
+ "102": "Poor customer experience",
+ "103": "Phishing",
+ "104": "Scam",
+ "105": "Potentially illegal",
+ "201": "Misleading claims or unethical",
+ "202": "Privacy risks",
+ "203": "Suspicious",
+ "204": "Hate, discrimination",
+ "205": "Spam",
+ "206": "Potentially unwanted programs",
+ "207": "Ads / pop-ups",
+ "301": "Online tracking",
+ "302": "Alternative or controversial medicine",
+ "303": "Opinions, religion, politics",
+ "304": "Other",
+ "501": "Good site",
+ "401": "Adult content",
+ "402": "Incidental nudity",
+ "403": "Gruesome or shocking",
+ "404": "Site for kids",
+ "501": "Good site"
+ }
+
+ def points_to_verbose(self, points):
+ if points >= 80:
+ return "Excellent"
+ elif points >= 60:
+ return "Good"
+ elif points >= 40:
+ return "Unsatisfactory"
+ elif points >= 20:
+ return "Poor"
+ else:
+ return "Very poor"
+
+ def WOT_checkurl(self, data):
+ url = 'http://api.mywot.com/0.4/public_link_json2?hosts=' + data + '/&callback=process&key=' + self.WOT_key
+ r = requests.get(url)
+ return json.loads(r.text.replace("process(","").replace(")",""))
+
+ def summary(self, raw):
+ taxonomies = []
+ level = "safe"
+ value = "-"
+
+ categories = raw.get("Categories", None)
+ blacklists = raw.get("Blacklists", None)
+ num_categories = raw.get("Categories Identifier", None)
+
+ if categories:
+ value = "|".join(categories)
+ if blacklists:
+ value = "|".join([x[0] for x in blacklists])
+ level = "malicious"
+ else:
+ if num_categories:
+ min_cat = min([int(x) for x in num_categories])
+ else:
+ min_cat = 501
+ if min_cat > 300:
+ level = "safe"
+ elif min_cat > 200:
+ level = "suspicious"
+ else:
+ level = "malicious"
+
+ taxonomies.append(self.build_taxonomy(level, "WOT", "Category", value))
+ return {"taxonomies": taxonomies}
+
+ def run(self):
+ if self.service == 'query':
+ if self.data_type == 'url':
+ data = self.getParam('data', None, 'Data is missing')
+ r = self.WOT_checkurl(data)
+ if data in r.keys():
+ info = r[data]
+ r_dict = {}
+ if '0' in info.keys():
+ r_dict['Trustworthiness'] = {}
+ r_dict['Trustworthiness']['Reputation'] = self.points_to_verbose(info['0'][0])
+ r_dict['Trustworthiness']['Confidence'] = self.points_to_verbose(info['0'][1])
+ if '4' in info.keys():
+ r_dict['Child_Safety'] = {}
+ r_dict['Child_Safety']['Reputation'] = self.points_to_verbose(info['4'][0])
+ r_dict['Child_Safety']['Confidence'] = self.points_to_verbose(info['4'][1])
+ if 'blacklists' in info.keys():
+ r_dict['Blacklists'] = [(k, datetime.datetime.fromtimestamp(v).strftime('%Y-%m-%d %H:%M:%S') ) for k,v in info['blacklists'].items()]
+ if 'categories' in info.keys():
+ r_dict['Categories'] = [self.categories[x] for x in list(info['categories'].keys())]
+ r_dict['Categories Identifier'] = list(info['categories'].keys())
+ self.report(r_dict)
+ else:
+ self.error('Invalid data type')
+ else:
+ self.error('Invalid service')
+
+if __name__ == '__main__':
+ WOTAnalyzer().run()
diff --git a/analyzers/WOT/requirements.txt b/analyzers/WOT/requirements.txt
new file mode 100644
index 000000000..37dfee161
--- /dev/null
+++ b/analyzers/WOT/requirements.txt
@@ -0,0 +1 @@
+cortexutils
\ No newline at end of file
diff --git a/thehive-templates/WOT_lookup_1_0/long.html b/thehive-templates/WOT_lookup_1_0/long.html
new file mode 100644
index 000000000..ce4abe93e
--- /dev/null
+++ b/thehive-templates/WOT_lookup_1_0/long.html
@@ -0,0 +1,69 @@
+
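Review bot: In `WOT_checkurl` the observable and the API key are concatenated unencoded into a plain-http query string, and the reply is parsed by deleting every `)` from the body, so a value containing `&`, `#` or `)` alters the request or breaks the parse, and there is no timeout or status check; let requests encode and decode instead (assuming the endpoint returns plain JSON when `callback` is omitted): `r = requests.get('http://api.mywot.com/0.4/public_link_json2', params={'hosts': data + '/', 'key': self.WOT_key}, timeout=30)`, `r.raise_for_status()`, `return r.json()`. In `run`, when `data` is not a key of the reply the method returns without calling `self.report` or `self.error`, so the job finishes with no output at all; add `else: self.error('No WOT result for ' + data)` after the `if data in r.keys():` branch. `self.categories[x]` raises KeyError for any category id the table does not list (and `"501"` is entered twice), so `self.categories.get(x, 'Unknown category ' + x)` would keep one unexpected id from failing the whole report. `sys`, `os`, `codecs`, `time`, `re` and `ast` are imported but never used.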
+ + +
+
+ General Information +
+
+ +
+

Trustworthiness

+
+
Reputation
+
{{content.Trustworthiness.Reputation}}
+
+
+
Confidence
+
{{content.Trustworthiness.Confidence}}
+
+
+ +
+

Child Safety

+
+
Reputation
+
{{content.Child_Safety.Reputation}}
+
+
+
Confidence
+
{{content.Child_Safety.Confidence}}
+
+
+ +
+

Blacklists

+
+
+
{{ blk[0] }}
+
{{ blk[1] }}
+
+
+ +
+

Categories

+
+
+
{{ ctg }}
+
+
+ +
+
+ +
+ + + +
+
+ {{(artifact.data || artifact.attachment.name) | fang}} +
+
+ {{content.errorMessage}} +
+
\ No newline at end of file diff --git a/thehive-templates/WOT_lookup_1_0/short.html b/thehive-templates/WOT_lookup_1_0/short.html new file mode 100644 index 000000000..563ca58f3 --- /dev/null +++ b/thehive-templates/WOT_lookup_1_0/short.html @@ -0,0 +1,3 @@ + + {{t.namespace}}:{{t.predicate}}={{t.value}} +  From e1d1791352d7199a0dfc14cf3c3daab368e2ec20 Mon Sep 17 00:00:00 2001 From: garanews Date: Thu, 13 Jul 2017 17:36:28 +0100 Subject: [PATCH 3/6] added Cuckoo url template --- .../CuckooSandbox_Url_Analysis_1_0/long.html | 148 ++++++++++++++++++ .../CuckooSandbox_Url_Analysis_1_0/short.html | 3 + 2 files changed, 151 insertions(+) create mode 100644 thehive-templates/CuckooSandbox_Url_Analysis_1_0/long.html create mode 100644 thehive-templates/CuckooSandbox_Url_Analysis_1_0/short.html diff --git a/thehive-templates/CuckooSandbox_Url_Analysis_1_0/long.html b/thehive-templates/CuckooSandbox_Url_Analysis_1_0/long.html new file mode 100644 index 000000000..9331a2a1b --- /dev/null +++ b/thehive-templates/CuckooSandbox_Url_Analysis_1_0/long.html @@ -0,0 +1,148 @@ +
+ + +
+
+ General Information +
+
+ +

File information

+
+
+
FileType
+
{{content.file_type}}
+
+ +
+
Malfamily
+
{{content.malfamily}}
+
+ +
+
Malscore
+
+ + {{content.malscore}} + +
+
+
+
+ +
+
+ Analysis +
+
+ +
+

Signatures

+
+
+
{{ signature }}
+
+
+
+ No suspicious signature reported +
+
+
+ +
+
+ Analysis +
+
+ +
+

Remote connections

+
+
+ + + + + + + + + + + +
DomainIPLocation
{{host[1]}}{{host[0]}}{{host[2]}}
+
+
+ +
+
+
+ +
+

URI

+
+
+
{{ uri }}
+
+
+
+ No suspicious uri reported +
+ +
+
+ +
+
+ Yara +
+
+ +
+

Yara

+
+
+
{{ content.yara }}
+
+
+
+ No suspicious activity reported +
+ +
+
+ +
+
+ Suricata +
+
+ +
+

Suricata Alerts

+
+
+
{{ suri }}
+
+
+
+ No suspicious suricata alerts reported +
+
+
+
+ + + +
+
+ {{(artifact.data || artifact.attachment.name) | fang}} +
+
+ {{content.errorMessage}} +
+
diff --git a/thehive-templates/CuckooSandbox_Url_Analysis_1_0/short.html b/thehive-templates/CuckooSandbox_Url_Analysis_1_0/short.html new file mode 100644 index 000000000..010657f89 --- /dev/null +++ b/thehive-templates/CuckooSandbox_Url_Analysis_1_0/short.html @@ -0,0 +1,3 @@ + + {{t.namespace}}:{{t.predicate}}={{t.value}} +  From 509b9a73bccc3a7f9d8257357bea025e1533cf3a Mon Sep 17 00:00:00 2001 From: garanews Date: Fri, 14 Jul 2017 08:04:37 +0200 Subject: [PATCH 4/6] Update WOT_lookup.json --- analyzers/WOT/WOT_lookup.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/analyzers/WOT/WOT_lookup.json b/analyzers/WOT/WOT_lookup.json index 3905d2db9..3baac6865 100644 --- a/analyzers/WOT/WOT_lookup.json +++ b/analyzers/WOT/WOT_lookup.json @@ -1,7 +1,7 @@ { "name": "WOT_Lookup", "version": "1.0", - "author": "Andrea Garavaglia - CERT-LDO", + "author": "Andrea Garavaglia - LDO-CERT", "url": "https://github.com/garanews/Cortex-Analyzers", "license": "AGPL-V3", "description": "Check a URL against Web of Trust (WOT) a website reputation service", From 485d593d9e75401ff71b5684eda59e65fcbbfb5f Mon Sep 17 00:00:00 2001 From: garanews Date: Fri, 14 Jul 2017 08:21:25 +0200 Subject: [PATCH 5/6] Update WOT_lookup.json --- analyzers/WOT/WOT_lookup.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/analyzers/WOT/WOT_lookup.json b/analyzers/WOT/WOT_lookup.json index 3baac6865..7b2d4ac0a 100644 --- a/analyzers/WOT/WOT_lookup.json +++ b/analyzers/WOT/WOT_lookup.json @@ -4,7 +4,7 @@ "author": "Andrea Garavaglia - LDO-CERT", "url": "https://github.com/garanews/Cortex-Analyzers", "license": "AGPL-V3", - "description": "Check a URL against Web of Trust (WOT) a website reputation service", + "description": "Check a Domain against Web of Trust (WOT) a website reputation service", "dataTypeList": ["url"], "baseConfig": "WOT", "config": { From 478be79efb75f7745f1f672e55b58e6ee02252dc Mon Sep 17 00:00:00 2001 
From: garanews Date: Fri, 14 Jul 2017 08:21:45 +0200 Subject: [PATCH 6/6] Update WOT_lookup.json --- analyzers/WOT/WOT_lookup.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/analyzers/WOT/WOT_lookup.json b/analyzers/WOT/WOT_lookup.json index 7b2d4ac0a..b890170cf 100644 --- a/analyzers/WOT/WOT_lookup.json +++ b/analyzers/WOT/WOT_lookup.json @@ -5,7 +5,7 @@ "url": "https://github.com/garanews/Cortex-Analyzers", "license": "AGPL-V3", "description": "Check a Domain against Web of Trust (WOT) a website reputation service", - "dataTypeList": ["url"], + "dataTypeList": ["domain"], "baseConfig": "WOT", "config": { "check_tlp": true,
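Review bot: `dataTypeList` now lists only `domain`, but `run()` in `analyzers/WOT/WOT_lookup.py` (added in patch 2 of this series) still gates on `if self.data_type == 'url':` and otherwise calls `self.error('Invalid data type')`, so every domain observable now fails before any lookup is made. Either change that guard to `if self.data_type in ('domain', 'url'):` in the analyzer, or keep `"url"` in this list alongside `"domain"`. The context line `"description": "Check a Domain ..."` already matches the new type, so only the code and this file disagree.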