Merge pull request #141 from TheHive-Project/joeapiv2

Joe Sandbox API version 2 support
TheHive-Project · Dec 22, 2017 · d53f282 · d53f282
2 parents b5062be + 5a70b44
commit d53f282
Showing 1 changed file with 141 additions and 63 deletions.
diff --git a/analyzers/JoeSandbox/joesandbox_analyzer.py b/analyzers/JoeSandbox/joesandbox_analyzer.py
@@ -3,6 +3,7 @@
 
 from cortexutils.analyzer import Analyzer
 
+import os.path
 import requests
 import time
 
@@ -12,11 +13,10 @@ def __init__(self):
         Analyzer.__init__(self)
         self.service = self.get_param('config.service', None, 'JoeSandbox service is missing')
         self.url = self.get_param('config.url', None, 'JoeSandbox url is missing')
-        # self.apikey = self.get_param('config.key', None, 'JoeSandbox apikey is missing')
         if self.get_param('config.key'):
             self.apikey = self.get_param('config.key')
         else:
-            self.apikey = self.get_param('config.apikey', None, 'MISP key for API is missing')
+            self.apikey = self.get_param('config.apikey', None, 'JoeSandbox API key is missing')
         self.analysistimeout = self.get_param('config.analysistimeout', 30*60, None)
         self.networktimeout = self.get_param('config.networktimeout', 30, None)
 
@@ -55,74 +55,152 @@ def summary(self, raw):
 
         return result
 
+    def runv1(self):
+        data = {
+            'apikey': self.apikey,
+            'tandc': 1,
+            'auto': 1,
+            'comments': 'Submitted by Cortex'
+        }
+        files = {}
+
+        # file analysis with internet access
+        if self.service == 'file_analysis_inet':
+            extension = os.path.splitext(self.get_param('filename', ''))[1]
+            filepath = self.get_param('file', None, 'File is missing')
+            files['sample'] = (filepath + extension, open(filepath, 'rb'))
+            data['type'] = 'file'
+            data['inet'] = 1
+
+        # file analysis without internet access
+        elif self.service == 'file_analysis_noinet':
+            extension = os.path.splitext(self.get_param('filename', ''))[1]
+            filepath = self.get_param('file', None, 'File is missing')
+            files['sample'] = (filepath + extension, open(filepath, 'rb'))
+            data['type'] = 'file'
+            data['inet'] = 0
+
+        # url analysis
+        elif self.service == 'url_analysis':
+            data['url'] = self.getData()
+            data['type'] = 'url'
+            data['inet'] = 1
+
+        else:
+            self.error('Unknown JoeSandbox service')
+
+        # Submit the file/url for analysis
+        response = requests.post(self.url + 'api/analysis', files=files, data=data, timeout=self.networktimeout)
+        webid = response.json()['webid']
+
+        # Wait for the analysis to finish
+        data = {
+            'apikey': self.apikey,
+            'webid': webid
+        }
+        finished = False
+        tries = 0
+        while not finished and tries <= self.analysistimeout/60:
+            time.sleep(60)
+            response = requests.post(self.url + 'api/analysis/check', data=data, timeout=self.networktimeout)
+            content = response.json()
+            if content['status'] == 'finished':
+                finished = True
+            tries += 1
+        if not finished:
+            self.error('JoeSandbox analysis timed out')
+
+        # Download the report
+        data = {
+            'apikey': self.apikey,
+            'webid': webid,
+            'type': 'irjsonfixed',
+            'run': 0
+        }
+        response = requests.post(self.url + 'api/analysis/download', data=data, timeout=self.networktimeout)
+        analysis = response.json()['analysis']
+        analysis['htmlreport'] = self.url + 'analysis/' + str(analysis['id']) + '/0/html'
+        analysis['pdfreport'] = self.url + 'analysis/' + str(analysis['id']) + '/0/pdf'
+        self.report(analysis)
+
+    def runv2(self):
+        data = {
+            'apikey': self.apikey,
+            'accept-tac': '1',
+            'systems': None,
+            'comments': 'Submitted by Cortex'
+        }
+        files = {}
+
+        # file analysis with internet access
+        if self.service == 'file_analysis_inet':
+            extension = os.path.splitext(self.get_param('filename', ''))[1]
+            filepath = self.get_param('file', None, 'File is missing')
+            files['sample'] = (filepath + extension, open(filepath, 'rb'))
+            data['internet-access'] = '1'
+
+        # file analysis without internet access
+        elif self.service == 'file_analysis_noinet':
+            extension = os.path.splitext(self.get_param('filename', ''))[1]
+            filepath = self.get_param('file', None, 'File is missing')
+            files['sample'] = (filepath + extension, open(filepath, 'rb'))
+            data['internet-access'] = '0'
+
+        # url analysis
+        elif self.service == 'url_analysis':
+            data['url'] = self.getData()
+            data['internet-access'] = '1'
+
+        else:
+            self.error('Unknown JoeSandbox service')
+
+        # Submit the file/url for analysis
+        response = requests.post(self.url + 'api/v2/analysis/submit', files=files, data=data, timeout=self.networktimeout)
+        webid = response.json()['data']['webids'][0]
+
+        # Wait for the analysis to finish
+        data = {
+            'apikey': self.apikey,
+            'webid': webid
+        }
+        finished = False
+        tries = 0
+        while not finished and tries <= self.analysistimeout/60:
+            time.sleep(60)
+            response = requests.post(self.url + 'api/v2/analysis/info', data=data, timeout=self.networktimeout)
+            content = response.json()
+            if content['data']['status'] == 'finished':
+                finished = True
+            tries += 1
+        if not finished:
+            self.error('JoeSandbox analysis timed out')
+
+        # Download the report
+        data = {
+            'apikey': self.apikey,
+            'webid': webid,
+            'type': 'irjsonfixed',
+            'run': 0
+        }
+        response = requests.post(self.url + 'api/v2/analysis/download', data=data, timeout=self.networktimeout)
+        analysis = response.json()['analysis']
+        analysis['htmlreport'] = self.url + 'analysis/' + str(analysis['id']) + '/0/html'
+        analysis['pdfreport'] = self.url + 'analysis/' + str(analysis['id']) + '/0/pdf'
+        self.report(analysis)
+
     def run(self):
         Analyzer.run(self)
 
         try:
             data = {
-                'apikey': self.apikey,
-                'tandc': 1,
-                'auto': 1,
-                'comments': 'Submitted by Cortex'
+                'apikey': self.apikey
             }
-            files = {}
-
-            # file analysis with internet access
-            if self.service == 'file_analysis_inet':
-                filepath = self.get_param('file', None, 'File is missing')
-                files['sample'] = open(filepath, 'rb')
-                data['type'] = 'file'
-                data['inet'] = 1
-
-            # file analysis without internet access
-            elif self.service == 'file_analysis_noinet':
-                filepath = self.get_param('file', None, 'File is missing')
-                files['sample'] = open(filepath, 'rb')
-                data['type'] = 'file'
-                data['inet'] = 0
-
-            # url analysis
-            elif self.service == 'url_analysis':
-                data['url'] = self.getData()
-                data['type'] = 'url'
-                data['inet'] = 1
-
+            # Check whether API v2 is supported or not
+            response = requests.post(self.url + 'api/v2/server/online', data=data, timeout=self.networktimeout, allow_redirects=False)
+            if response.status_code == 200:
+                self.runv2()
             else:
-                self.error('Unknown JoeSandbox service')
-
-            # Submit the file/url for analysis
-            response = requests.post(self.url + 'api/analysis', files=files, data=data, timeout=self.networktimeout)
-            webid = response.json()['webid']
-
-            # Wait for the analysis to finish
-            data = {
-                'apikey': self.apikey,
-                'webid': webid
-            }
-            finished = False
-            tries = 0
-            while not finished and tries <= self.analysistimeout/60:
-                time.sleep(60)
-                response = requests.post(self.url + 'api/analysis/check', data=data, timeout=self.networktimeout)
-                content = response.json()
-                if content['status'] == 'finished':
-                    finished = True
-                tries += 1
-            if not finished:
-                self.error('JoeSandbox analysis timed out')
-
-            # Download the report
-            data = {
-                'apikey': self.apikey,
-                'webid': webid,
-                'type': 'irjsonfixed',
-                'run': 0
-            }
-            response = requests.post(self.url + 'api/analysis/download', data=data, timeout=self.networktimeout)
-            analysis = response.json()['analysis']
-            analysis['htmlreport'] = self.url + 'analysis/' + str(analysis['id']) + '/0/html'
-            analysis['pdfreport'] = self.url + 'analysis/' + str(analysis['id']) + '/0/pdf'
-            self.report(analysis)
+                self.runv1()
 
         except Exception as e:
             self.unexpectedError(e)