Merge pull request #1006 from pjuhas/develop

ThreatMiner analyzer

analyzers/ThreatMiner/ThreatMiner.json

@@ -0,0 +1,11 @@
+{
+  "name": "ThreatMiner",
+  "version": "1.0",
+  "author": "Peter Juhas",
+  "url": "https://github.com/pjuhas/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "WHOIS queries from threatminer.org",
+  "dataTypeList": ["ip", "domain"],
+  "baseConfig": "ThreatMiner",
+  "command": "ThreatMiner/ThreatMiner.py"
+}

analyzers/ThreatMiner/ThreatMiner.py

@@ -0,0 +1,57 @@
+#!/usr/bin/env python
+import requests
+from cortexutils.analyzer import Analyzer
+
+
+class ThreatMiner(Analyzer):
+
+    def __init__(self):
+        Analyzer.__init__(self)
+
+    def summary(self, raw):
+        taxonomies = []
+        level = 'suspicious'
+        namespace = 'ThreatMiner'
+        predicate = ':'
+        value = "Not found."
+        if len(raw["results"]) != 0:
+            value = "Success"
+            level = "safe"
+        taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+        return {'taxonomies': taxonomies}
+
+    def run(self):
+        Analyzer.run(self)
+        if self.data_type == 'domain':
+            try:
+                data = self.get_data()
+                s = requests.Session()
+                response_details = s.get("https://api.threatminer.org/v2/domain.php?q={}&rt=1".format(data))
+                if response_details.status_code == 200:
+                    result = response_details.json()
+                    self.report(result if len(result) > 0 else {})
+                else:
+                    self.error(
+                        'Failed to query ThreatMiner details. Status_code {}'.format(response_details.status_code))
+            except Exception as e:
+                self.unexpectedError(e)
+        elif self.data_type == 'ip':
+            try:
+                data = self.get_data()
+                s = requests.Session()
+                response_details = s.get("https://api.threatminer.org/v2/host.php?q={}&rt=1".format(data))
+                if response_details.status_code == 200:
+                    result = response_details.json()
+                    self.report(result if len(result) > 0 else {})
+                else:
+                    self.error(
+                        'Failed to query ThreatMiner details. Status_code {}'.format(response_details.status_code))
+            except Exception as e:
+                self.unexpectedError(e)
+
+        else:
+            self.notSupported()
+
+
+if __name__ == '__main__':
+    ThreatMiner().run()

analyzers/ThreatMiner/requirements.txt

@@ -0,0 +1,2 @@
+cortexutils
+requests

thehive-templates/ThreatMiner_1_0/long.html

@@ -0,0 +1,88 @@
+<div ng-if="success">
+    <div ng-if="content.results">
+        <div class="panel panel-info">
+            <div class="panel-heading">
+                <strong>Summary</strong>
+            </div>
+            <div class="panel-body">
+                <dl class="dl-horizontal" ng-if="content.status_message">
+                    <dt>Status</dt>
+                    <dd>{{content.status_message}}</dd>
+                </dl>
+            </div>
+        </div>
+
+
+        <div class="panel panel-info" ng-if="artifact.dataType === 'domain'">
+            <div class="panel-heading">
+                <strong>WhoIS about domain.</strong>
+            </div>
+            <div class="panel-body">
+                <table class="table table-hover" ng-repeat="r in content.results">
+                    <tr>
+                        <th>Updated date</th>
+                        <td>{{r.whois.updated_date}}</td>
+                    </tr>
+                    <tr>
+                        <th>WhoIS MD5</th>
+                        <td>{{r.whois.whois_md5}}</td>
+                    </tr>
+                    <tr>
+                        <th>Creation date</th>
+                        <td>{{r.whois.creation_date}}</td>
+                    </tr>
+                    <tr>
+                        <th>Expiration date</th>
+                        <td>{{r.whois.expiration_date}}</td>
+                    </tr>
+                    <tr>
+                        <th>Registrar</th>
+                        <td>{{r.whois.registrar}}</td>
+                    </tr>
+                </table>
+            </div>
+        </div>
+
+
+        <div class="panel panel-info" ng-if="artifact.dataType === 'ip'">
+            <div class="panel-heading">
+                <strong>WhoIS about domain.</strong>
+            </div>
+            <div class="panel-body">
+                <table class="table table-hover" ng-repeat="r in content.results">
+                    <tr>
+                        <th>Reverse name</th>
+                        <td>{{r.reverse_name}}</td>
+                    </tr>
+                    <tr>
+                        <th>Prefix</th>
+                        <td>{{r.bgp_prefix}}</td>
+                    </tr>
+                    <tr>
+                        <th>Organization name</th>
+                        <td>{{r.org_name}}</td>
+                    </tr>
+                </table>
+            </div>
+        </div>
+
+        <div ng-switch-default>
+            <div class="panel panel-danger">
+                <div class="panel-heading">
+                    <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+                </div>
+                <div class="panel-body">
+                    {{content.verbose_msg}}
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+    <div class="panel panel-danger" ng-if="!success">
+        <div class="panel-heading">
+            <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+        </div>
+        <div class="panel-body">
+            {{content.errorMessage}}
+        </div>
+    </div>

thehive-templates/ThreatMiner_1_0/short.html

@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>