Added SinkDB analyzer (#134)

TheHive-Project · Dec 21, 2017 · b5062be · b5062be
1 parent b888932
commit b5062be
Show file tree

Hide file tree

Showing 5 changed files with 98 additions and 0 deletions.
diff --git a/analyzers/SinkDB/SinkDB.json b/analyzers/SinkDB/SinkDB.json
@@ -0,0 +1,12 @@
+{
+  "name": "SinkDB",
+  "author": "Nils Kuhnert, CERT-Bund",
+  "license": "AGPL-V3",
+  "url": "https://github.com/BSI-CERT-Bund/sinkdb-analyzer",
+  "version": "1.0",
+  "baseConfig": "SinkDB",
+  "config": {},
+  "description": "Check if ip is sinkholed via sinkdb.abuse.ch",
+  "dataTypeList": ["ip"],
+  "command": "SinkDB/sinkdb.py"
+}
diff --git a/analyzers/SinkDB/requirements.txt b/analyzers/SinkDB/requirements.txt
@@ -0,0 +1 @@
+cortexutils
diff --git a/analyzers/SinkDB/sinkdb.py b/analyzers/SinkDB/sinkdb.py
@@ -0,0 +1,52 @@
+#!/usr/bin/env python
+import subprocess
+
+from cortexutils.analyzer import Analyzer
+
+
+class SinkDBAnalyzer(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+
+        if self.data_type != 'ip':
+            self.error('SinkDB Analyzer only usable with ip data type.')
+
+        self.apikey = self.get_param('config.key', None, 'API Key needed for querying SinkDB.')
+        self.data = self.get_data().split('.')
+        self.data.reverse()
+        self.data = '.'.join(self.data)
+
+    def dig(self, ip):
+        proc = subprocess.Popen(['dig', '+short', '{}.{}.sinkdb-api.abuse.ch'.format(ip, self.apikey)],
+                                stdout=subprocess.PIPE,
+                                stderr=subprocess.PIPE)
+        out, err = proc.communicate()
+        out = out.decode('utf-8').strip('\n')
+
+        if err:
+            self.error('Error while calling dig: {}.'.format(err))
+
+        if out == '127.0.0.2':
+            return True
+
+        return False
+
+    def run(self):
+        self.report({
+            "is_sinkhole": self.dig(self.data)
+        })
+
+    def summary(self, raw):
+        taxonomies = []
+
+        if raw.get('is_sinkhole'):
+            taxonomies.append(self.build_taxonomy('safe', 'SinkDB', 'IsSinkhole', 'True'))
+        else:
+            taxonomies.append(self.build_taxonomy('suspicious', 'SinkDB', 'IsSinkhole', 'False'))
+        return {
+            "taxonomies": taxonomies
+        }
+
+
+if __name__ == '__main__':
+    SinkDBAnalyzer().run()
diff --git a/thehive-templates/SinkDB_1_0/long.html b/thehive-templates/SinkDB_1_0/long.html
@@ -0,0 +1,30 @@
+<div class="panel panel-info" ng-if="success">
+    <div class="panel-heading">
+        SinkDB information for <strong>{{artifact.data}}</strong>
+    </div>
+    <div class="panel-body">
+      <dl class="dl-horizontal">
+        <dt>Status</dt>
+        <dd>
+            <p style="font-size: 1.5em;">
+                <span class="label label-success" ng-if="content.is_sinkhole">
+                    IP is sinkholed.
+                </span>
+                <span class="label label-warning" ng-if="!content.is_sinkhole">
+                    IP is <strong>not</strong> sinkholed.
+                </span>
+            </p>
+        </dd>
+      </dl>
+    </div>
+</div>
+
+<!-- General error -->
+<div class="panel panel-danger" ng-if="!success">
+    <div class="panel-heading">
+        <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+    </div>
+    <div class="panel-body">
+        {{content.errorMessage}}
+    </div>
+</div>
diff --git a/thehive-templates/SinkDB_1_0/short.html b/thehive-templates/SinkDB_1_0/short.html
@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>