#212 WIP fix Office identification, add outlook mail parser

TheHive-Project · Apr 18, 2018 · cbe54c1 · cbe54c1
1 parent bf9b4bc
commit cbe54c1
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 10 deletions.
diff --git a/analyzers/FileInfo/fileinfo_analyzer.py b/analyzers/FileInfo/fileinfo_analyzer.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python
 import pyexifinfo
+import magic
 
 from cortexutils.analyzer import Analyzer
 from submodules import available_submodules
@@ -12,6 +13,7 @@ def __init__(self):
         self.filepath = self.get_param('file', None, 'File parameter is missing.')
         self.filename = self.get_param('filename', None, 'Filename is missing.')
         self.filetype = pyexifinfo.fileType(self.filepath)
+        self.mimtype = magic.Magic(mime=True).from_file(path)
 
     def run(self):
         results = []

diff --git a/analyzers/FileInfo/submodules/submodule_oletools.py b/analyzers/FileInfo/submodules/submodule_oletools.py
@@ -15,16 +15,29 @@ def __init__(self):
 
     def check_file(self, **kwargs):
         """Oletools accepts MS office documents."""
+
         try:
-            self.fileextension = kwargs.get('filename').rsplit('.', 1)[1]
-            if self.fileextension in [
-                'doc',
-                'docx',
-                'xls',
-                'xlsx',
-                'ppt',
-                'pptx'
+            if kwargs.get('filetype') in [
+                'DOC',
+                'DOCM',
+                'DOCX',
+                'XLS',
+                'XLSM',
+                'XLSX',
+                'PPT',
+                'PPTM',
+                'PPTX'
             ]:
+        # try:
+        #     self.fileextension = kwargs.get('filename').rsplit('.', 1)[1]
+        #     if self.fileextension in [
+        #         'doc',
+        #         'docx',
+        #         'xls',
+        #         'xlsx',
+        #         'ppt',
+        #         'pptx'
+        #     ]:
                 return True
         except KeyError:
             return False

diff --git a/analyzers/FileInfo/submodules/submodule_outlook.py b/analyzers/FileInfo/submodules/submodule_outlook.py
@@ -0,0 +1,18 @@
+from .submodule_base import SubmoduleBaseclass
+
+
+class OutlookSubmodule(SubmoduleBaseclass):
+    """This is just for showing how to include a submodule. No real functionality here."""
+
+    def __init__(self):
+        SubmoduleBaseclass.__init__(self)
+        self.name = 'Outlook mail Information'
+
+    def check_file(self, **kwargs):
+        if kwargs.get('filetype') == 'GZIP':
+            return True
+        return False
+
+    def analyze_file(self, path):
+        self.add_result_subsection('TEST', {})
+        return self.resul
diff --git a/analyzers/FileInfo/submodules/submodule_pe.py b/analyzers/FileInfo/submodules/submodule_pe.py
@@ -15,8 +15,12 @@ def check_file(self, **kwargs):
 
         :return: True
         """
-        if kwargs.get('filetype') in ['Win32 EXE']:
-            return True
+        try:
+            if kwargs.get('filetype') in ['Win32 EXE']:
+                return True
+        except KeyError:
+            return False
+        return False
 
     @staticmethod
     def pe_machine(pedict):