Merge pull request #2 from Nclose-ZA/greynoise_analyzer_v3
Greynoise analyzer v3
markus-nclose authored Dec 8, 2020
2 parents ab032eb + 5cdd640 commit a931f79
Showing 2 changed files with 40 additions and 18 deletions.
2 changes: 1 addition & 1 deletion analyzers/GreyNoise/GreyNoise.json
Expand Up @@ -7,7 +7,7 @@
"description": "Determine whether an IP has known scanning activity using GreyNoise.",
"dataTypeList": ["ip"],
"baseConfig": "GreyNoise",
"command": "GreyNoise/greynoise.py",
"command": "GreyNoise/greynoisev3.py",
"configurationItems": [
{
"name": "key",
Expand Up @@ -33,6 +33,7 @@ def summary(self, raw):
Input
{
"seen": True,
"actor": "SCANNER1",
"classification": "benign",
"tags": ['a', 'b', 'c']
Expand All @@ -43,6 +44,7 @@ def summary(self, raw):
Input
{
"seen": True,
"actor": "SCANNER1",
"classification": "unknown",
"tags": ['a', 'b', 'c']
Expand All @@ -53,6 +55,7 @@ def summary(self, raw):
Input
{
"seen": True,
"actor": "SCANNER1",
"classification": "unknown",
"tags": ['a', 'b']
Expand All @@ -63,13 +66,21 @@ def summary(self, raw):
Input
{
"seen": True,
"actor": "SCANNER1",
"classification": "malicious",
"tags": ['a', 'b', 'c']
}
Output
GreyNoise:tags = 3 (Malicious)
GreyNoise:classification = malicious (Malicious)
Input
{
"seen": "False"
}
Output
GreyNoise:Seen last 60 days = False (Info)
"""


Expand All @@ -82,23 +93,34 @@ def summary(self, raw):
try:
taxonomies = []

tag_count = len(raw.get('tags', []))
classification = raw.get('classification', 'unknown')
actor = raw.get('actor')

t1_level = classification_level_map.get(classification)(tag_count)
t1_namespace = 'GreyNoise'
t1_predicate = 'tags'
t1_value = tag_count
# print('{}:{} = {} ({})'.format(t1_namespace, t1_predicate, t1_value, t1_level))
taxonomies.append(self.build_taxonomy(t1_level, t1_namespace, t1_predicate, t1_value))

t2_level = classification_level_map.get(classification)(None)
t2_namespace = 'GreyNoise'
t2_predicate = 'actor' if classification == 'benign' else 'classification'
t2_value = actor if classification == 'benign' else classification
# print('{}:{} = {} ({})'.format(t2_namespace, t2_predicate, t2_value, t2_level))
taxonomies.append(self.build_taxonomy(t2_level, t2_namespace, t2_predicate, t2_value))
seen = raw.get('seen', False)
if seen:
tag_count = len(raw.get('tags', []))
classification = raw.get('classification', 'unknown')
actor = raw.get('actor')

t1_level = classification_level_map.get(classification)(tag_count)
t1_namespace = 'GreyNoise'
t1_predicate = 'tags'
t1_value = tag_count
# print('{}:{} = {} ({})'.format(t1_namespace, t1_predicate, t1_value, t1_level))
taxonomies.append(self.build_taxonomy(t1_level, t1_namespace, t1_predicate, t1_value))

t2_level = classification_level_map.get(classification)(None)
t2_namespace = 'GreyNoise'
t2_predicate = 'actor' if classification == 'benign' else 'classification'
t2_value = actor if classification == 'benign' else classification
# print('{}:{} = {} ({})'.format(t2_namespace, t2_predicate, t2_value, t2_level))
taxonomies.append(self.build_taxonomy(t2_level, t2_namespace, t2_predicate, t2_value))
else:
taxonomies.append(
self.build_taxonomy(
classification_level_map.get('unknown')(None),
'GreyNoise',
'Seen last 60 days',
False
)
)

return {"taxonomies": taxonomies}

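Review bot: The new docstring example `"seen": "False"` does not match the new guard `seen = raw.get('seen', False)` / `if seen:`: a non-empty string is truthy, so that exact input would take the seen branch and emit the tags and classification taxonomies instead of the documented `GreyNoise:Seen last 60 days = False`. If the API field is a boolean, change the example to `"seen": False` so readers do not copy a shape the code mishandles; if the field can arrive as a string, the guard needs an explicit comparison rather than truthiness. Separately, `classification_level_map.get(classification)(tag_count)` still calls `None` when the classification is not a key of the map, which appears to be handled only by the enclosing `try` whose `except` clause lies outside this hunk; a `classification_level_map.get(classification, classification_level_map['unknown'])` lookup would keep an unexpected value from turning into a TypeError. The enclosing `summary` method begins before this hunk.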
