Merge pull request #455 from jdsnape/develop

Added IPVoid IP reputation API analyzer

analyzers/IPVoid/IPVoid.json

@@ -0,0 +1,25 @@
+{
+    "name": "IPVoid",
+    "version": "1.0",
+    "author": "Joel Snape @ Nettitude",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-v3",
+    "description": "Determine whether an IP is present on any of the feeds consumed by IPVoid",
+    "dataTypeList": ["ip"],
+    "baseConfig": "IPVoid",
+    "command": "IPVoid/ipvoid.py",
+    "configurationItems": [
+      {
+        "name": "key",
+        "description": "API key for IPVoid",
+        "type": "string",
+        "multi": false,
+        "required": true
+      }
+    ],
+    "config": {
+        "check_tlp": true,
+        "max_tlp": 2,
+        "auto_extract": false
+    }
+}

analyzers/IPVoid/ipvoid.py

@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+
+import requests
+
+from cortexutils.analyzer import Analyzer
+
+class IPVoid(Analyzer):
+    """
+    IPVoid API docs - https://app.apivoid.com/dashboard/api/ip-reputation/documentation/
+    """
+
+    def run(self):
+        try:
+            if self.data_type == 'ip':
+                api_key = self.get_param('config.key',None, 'Missing API key')
+                ip = self.get_data()
+
+                url = 'https://endpoint.apivoid.com/iprep/v1/pay-as-you-go/?key={}&ip={}'.format(api_key,ip)
+                response = requests.get(url)
+
+                if not (200 <= response.status_code < 300):
+                    self.error('Unable to query IPVoid API\n{}'.format(response.text))
+
+                json_response = response.json()
+
+                self.report(json_response)
+
+            else:
+                self.notSupported()
+        except Exception as e:
+            self.unexpectedError(e)
+
+
+    def summary(self, raw):
+        try:
+            taxonomies = list()
+
+            #Parse the information section of the report into a Location taxonomy. Only a subset of keys included for now
+
+            info = raw['data']['report']['information']
+
+            location = info['city_name']+'/'+info['country_name']
+            taxonomies = taxonomies + [self.build_taxonomy('info','IPVoid','Location',location)]
+
+            #Parse blacklists info 
+            detections = raw['data']['report']['blacklists']['detections']
+            engines = raw['data']['report']['blacklists']['engines_count']
+
+            if detections > 0:
+                taxonomies  = taxonomies + [self.build_taxonomy('suspicious','IPVoid','Blacklists',str(detections)+"/"+str(engines))]
+            else:
+                taxonomies  = taxonomies + [self.build_taxonomy('info','IPVoid','Blacklists',str(detections)+"/"+str(engines))]
+
+            return({'taxonomies':taxonomies})
+
+        except Exception as e:
+            if 'error' in raw:
+                self.unexpectedError(raw['error'])
+            else:
+                self.unexpectedError(e)
+
+if __name__ == '__main__':
+    IPVoid().run()
+

analyzers/IPVoid/requirements.txt

@@ -0,0 +1,2 @@
+cortexutils
+requests

thehive-templates/IPVoid_1_0/long.html

@@ -0,0 +1,60 @@
+<div class="panel panel-info" ng-if="success">
+	<div class="panel-heading">
+		IPVoid lookup of <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+	</div>
+	<div class="panel-body">
+		<div ng-show="content.data.report.anonymity.is_vpn" class="alert alert-warning">VPN</div>
+		<div ng-show="content.data.report.anonymity.is_proxy" class="alert alert-warning">Proxy</div>
+		<div ng-show="content.data.report.anonymity.is_webproxy" class="alert alert-warning">Web-proxy</div>
+		<div ng-show="content.data.report.anonymity.is_hosting" class="alert alert-info">Hosting provider</div>	
+		<div ng-show="content.data.report.anonymity.is_tor" class="alert alert-warning">Tor</div>				
+
+            <dl class="dl-horizontal" >
+
+            <dt>Location:</dt>
+            <dd> 
+            	{{[content.data.report.information.city_name, content.data.report.information.region_name, content.data.report.information.country_name, content.data.report.information.continent_name].join(' / ')}}
+            </dd>
+
+            <dt ng-if="content.data.report.information.reverse_dns!=''">
+            RDNS:
+            </dt>
+            <dd ng-if="content.data.report.information.reverse_dns!=''">
+            {{content.data.report.information.reverse_dns}}
+            </dd>
+
+            <dt ng-if="content.data.report.information.isp!=''">
+            ISP:
+            </dt>
+            <dd ng-if="content.data.report.information.isp!=''">
+            {{content.data.report.information.isp}}
+            </dd>
+
+            <dt>Blocklists {{content.data.report.blacklists.detections}}/{{content.data.report.blacklists.engines_count}}:
+            </dt>
+
+            <dd ng-if="content.data.report.blacklists.detections > 0">
+                <div ng-repeat="value in content.data.report.blacklists.engines" ng-if="value.detected==true">
+
+                <a href="{{value.reference}}">{{value.engine}}</a>
+                </div>
+            </dd>
+
+            <dd ng-if="content.data.report.blacklists.detections==0">
+                None
+            </dd>
+
+            </dl>
+
+	</div>
+</div>
+
+<div class="panel panel-danger" ng-if="!success">
+	<div class="panel-heading">
+		    <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong>
+	</div>
+	<div class="panel-body">
+		{{content.errorMessage}}
+	</div>
+</div>
+

thehive-templates/IPVoid_1_0/short.html

@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+	    {{t.namespace}}:{{t.predicate}}={{t.value}}
+</span>