From 3a970f3bf419dc96653fd04ccfef7eb2f9790cad Mon Sep 17 00:00:00 2001
From: garanews
Date: Fri, 6 Oct 2017 12:43:39 +0200
Subject: [PATCH 1/6] support both cuckoo versions
official cuckoo: https://github.com/cuckoosandbox/cuckoo
modified cuckoo: https://github.com/doomedraven/cuckoo-modified
---
 .../CuckooSandbox/cuckoosandbox_analyzer.py | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py b/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
index 279389044..38edfe72d 100644
--- a/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
+++ b/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
@@ -54,7 +54,7 @@ def run(self):
             with open(filepath, "rb") as sample:
                 files = {"file": (filename, sample)}
                 response = requests.post(self.url + 'tasks/create/file', files=files)
-            task_id = response.json()['task_ids'][0]
+            task_id = response.json()['task_ids'][0] if 'task_ids' in response.json().keys() else response.json()['task_id']
         # url analysis
         elif self.service == 'url_analysis':
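Review bot: The new task_id line decodes the response body three times (`response.json()` runs once for the membership test and once in each branch) and still indexes `['task_ids'][0]` without checking that the list is non-empty; nothing in the hunk checks the HTTP status either, so an error body from the sandbox would be decoded as if it were a task record. Decode once and branch on the parsed dict: `response.raise_for_status()`, `result = response.json()`, then `task_id = result['task_ids'][0] if result.get('task_ids') else result['task_id']`. The `.keys()` call is redundant, `in` on the dict performs the same membership test. run() continues outside the hunk.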
@@ -85,16 +85,19 @@ def run(self):
                 suri_alerts = [(x['signature'],x['dstip'],x['dstport'],x['severity']) for x in resp_json['suricata']['alerts']]
             else:
                 suri_alerts = []
-            hosts = [(x['ip'],x['hostname'],x['country_name']) for x in resp_json['network']['hosts']]
-            uri = [(x['uri']) for x in resp_json['network']['http']]
+            try:
+                hosts = [(x['ip'],x['hostname'],x['country_name']) for x in resp_json['network']['hosts']] if 'hosts' in resp_json['network'].keys() else None
+            except TypeError as e:
+                hosts = [x for x in resp_json['network']['hosts']] if 'hosts' in resp_json['network'].keys() else []
+            uri = [(x['uri']) for x in resp_json['network']['http']] if 'http' in resp_json['network'].keys() else []
             if self.service == 'url_analysis':
                 self.report({
                     'signatures': list_description,
                     'suricata_alerts': suri_alerts,
                     'hosts': hosts,
                     'uri': uri,
-                    'malscore': resp_json['malscore'],
-                    'malfamily': resp_json['malfamily'],
+                    'malscore': resp_json['malscore'] if 'malscore' in resp_json.keys() else resp_json['info'].get('score', None),
+                    'malfamily': resp_json.get('malfamily', None),
                     'file_type': 'url',
                     'yara': resp_json['target']['url'] if 'target' in resp_json.keys() and 'url' in resp_json['target'].keys() else '-'
                 })
@@ -104,8 +107,8 @@ def run(self):
                     'suricata_alerts': suri_alerts,
                     'hosts': hosts,
                     'uri': uri,
-                    'malscore': resp_json['malscore'],
-                    'malfamily': resp_json['malfamily'],
+                    'malscore': resp_json['malscore'] if 'malscore' in resp_json.keys() else resp_json['info'].get('score', None),
+                    'malfamily': resp_json.get('malfamily', None),
                     'file_type': "".join([x for x in resp_json['target']['file']['type']]),
                     'yara': [ x['name'] + " - " + x['meta']['description'] if 'description' in x['meta'].keys() else x['name'] for x in resp_json['target']['file']['yara'] ]
                 })
From 18a9b9253deefc79c2cc81ff693fb494aa75347c Mon Sep 17 00:00:00 2001
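Review bot: The `hosts` fallback hands the template two different shapes for the same "no hosts" condition: the `try` branch yields `None` when `'hosts'` is absent, the `except TypeError` branch yields `[]`, and its `[x for x in ...]` is just a copy of the list, so the `else []` there can only run if the TypeError came from somewhere other than the hosts comprehension. `except TypeError as e` binds `e` without using it, and catching TypeError around the whole comprehension also hides a genuinely malformed element. The `malscore` fallback `resp_json['info'].get('score', None)` still raises KeyError when neither `'malscore'` nor `'info'` is present; `resp_json.get('info', {}).get('score')` keeps the lookup total. The same `malscore`/`malfamily` lines are repeated in the hunk at @@ -104,8 +107,8 @@, so the fix applies there too; run() continues outside both hunks.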
From: garanews
Date: Tue, 17 Oct 2017 16:12:47 +0200
Subject: [PATCH 2/6] added support for snort
---
 analyzers/CuckooSandbox/cuckoosandbox_analyzer.py | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py b/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
index 38edfe72d..678f58c76 100644
--- a/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
+++ b/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
@@ -82,9 +82,19 @@ def run(self):
             resp_json = response.json()
             list_description = [x['description'] for x in resp_json['signatures']]
             if 'suricata' in resp_json.keys() and 'alerts' in resp_json['suricata'].keys():
-                suri_alerts = [(x['signature'],x['dstip'],x['dstport'],x['severity']) for x in resp_json['suricata']['alerts']]
+                if 'dstport' in resp_json['suricata']['alerts'].keys():
+                    suri_alerts = [(x['signature'],x['dstip'],x['dstport'],x['severity']) for x in resp_json['suricata']['alerts']]
+                elif 'dst_port' in resp_json['suricata']['alerts'].keys():
+                    suri_alerts = [(x['signature'],x['dst_ip'],x['dst_port'],x['severity']) for x in resp_json['suricata']['alerts']]
             else:
                 suri_alerts = []
+            if 'snort' in resp_json.keys() and 'alerts' in resp_json['snort'].keys():
+                if 'dstport' in resp_json['snort']['alerts'].keys():
+                    snort_alerts = [(x['message'],x['dstip'],x['dstport'],x['priority']) for x in resp_json['snort']['alerts']]
+                elif 'dst_port' in resp_json['snort']['alerts'].keys():
+                    snort_alerts = [(x['message'],x['dst_ip'],x['dst_port'],x['priority']) for x in resp_json['snort']['alerts']]
+            else:
+                snort_alerts = []
             try:
                 hosts = [(x['ip'],x['hostname'],x['country_name']) for x in resp_json['network']['hosts']] if 'hosts' in resp_json['network'].keys() else None
             except TypeError as e:
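Review bot: `resp_json['suricata']['alerts'].keys()` cannot work: `alerts` is iterated as a list of alert dicts by the comprehensions on the very same lines, and a list has no `keys()`, so every response that actually carries Suricata or Snort alerts raises AttributeError before anything is reported. Which key spelling is in use has to be decided per alert element, not on the list. A second problem is that `snort_alerts` and, with the new `if`/`elif`, `suri_alerts` stay unbound when alerts are present but carry neither `dstport` nor `dst_port` (and, if the `else: snort_alerts = []` is attached to the inner `if` — indentation is not recoverable here — also when `'snort'` is absent), which makes the `'snort_alerts': snort_alerts` entries added in the hunks at @@ -94,6 +104,7 @@ and @@ -105,6 +116,7 @@ fail with NameError. Normalising each alert with `.get()` on both spellings keeps both lists always bound and removes the `.keys()` calls; run() continues outside the hunk.
```python
            def _alert(x, msg_key, sev_key):
                # official Cuckoo reports dst_ip/dst_port, cuckoo-modified dstip/dstport;
                # resolve per alert so an unknown or mixed dialect never raises.
                return (x[msg_key],
                        x.get('dstip', x.get('dst_ip')),
                        x.get('dstport', x.get('dst_port')),
                        x[sev_key])

            suri_alerts = [_alert(x, 'signature', 'severity')
                           for x in (resp_json.get('suricata') or {}).get('alerts') or []]
            snort_alerts = [_alert(x, 'message', 'priority')
                            for x in (resp_json.get('snort') or {}).get('alerts') or []]
            # … unchanged: hosts / uri extraction …
```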
@@ -94,6 +104,7 @@ def run(self):
                 self.report({
                     'signatures': list_description,
                     'suricata_alerts': suri_alerts,
+                    'snort_alerts': snort_alerts,
                     'hosts': hosts,
                     'uri': uri,
                     'malscore': resp_json['malscore'] if 'malscore' in resp_json.keys() else resp_json['info'].get('score', None),
@@ -105,6 +116,7 @@ def run(self):
                 self.report({
                     'signatures': list_description,
                     'suricata_alerts': suri_alerts,
+                    'snort_alerts': snort_alerts,
                     'hosts': hosts,
                     'uri': uri,
                     'malscore': resp_json['malscore'] if 'malscore' in resp_json.keys() else resp_json['info'].get('score', None),
@@ -121,4 +133,3 @@ def run(self):
 if __name__ == '__main__':
     CuckooSandboxAnalyzer().run()
-
From 84c7021b48d68d072ed4d825acf2bc6907e24f0b Mon Sep 17 00:00:00 2001
From: garanews
Date: Tue, 17 Oct 2017 16:16:27 +0200
Subject: [PATCH 3/6] added support for snort
---
 .../long.html | 25 ++++++++++++++-----
 1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html b/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html
index 244e258d3..3baada470 100644
--- a/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html
+++ b/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html
@@ -116,24 +116,37 @@

Yara

-
+
Suricata
- -
+

Suricata Alerts


{{ suri }}
-
- No suspicious suricata alerts reported -
+ +
+
+ Snort +
+
+ +
+

Suricata Alerts

+
+
+
{{ snort }}
+
+
+ +
+
From 4af32545a5c91c0672c4aabebf309161bf0b40d5 Mon Sep 17 00:00:00 2001
From: garanews
Date: Tue, 17 Oct 2017 16:17:55 +0200
Subject: [PATCH 4/6] added support for snort
---
 .../CuckooSandbox_Url_Analysis_1_0/long.html | 25 ++++++++++++++-----
 1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/thehive-templates/CuckooSandbox_Url_Analysis_1_0/long.html b/thehive-templates/CuckooSandbox_Url_Analysis_1_0/long.html
index 9331a2a1b..97b5238e3 100644
--- a/thehive-templates/CuckooSandbox_Url_Analysis_1_0/long.html
+++ b/thehive-templates/CuckooSandbox_Url_Analysis_1_0/long.html
@@ -116,24 +116,37 @@

Yara

-
+
Suricata
- -
+

Suricata Alerts


{{ suri }}
-
- No suspicious suricata alerts reported -
+ +
+
+ Snort +
+
+ +
+

Snort Alerts

+
+
+
{{ snort }}
+
+
+ +
+
From 2c0c83b4dc41a297a19eff4166279c368e3b0be3 Mon Sep 17 00:00:00 2001
From: garanews
Date: Tue, 17 Oct 2017 16:18:42 +0200
Subject: [PATCH 5/6] Update long.html
---
 .../CuckooSandbox_File_Analysis_Inet_1_0/long.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html b/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html
index 3baada470..365a3652e 100644
--- a/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html
+++ b/thehive-templates/CuckooSandbox_File_Analysis_Inet_1_0/long.html
@@ -138,7 +138,7 @@

Suricata Alerts

-

Suricata Alerts

+

Snort Alerts


{{ snort }}
From 9d65fb9993e2a052ef328c9508a1844f0ff8e49f Mon Sep 17 00:00:00 2001
From: garanews
Date: Fri, 20 Oct 2017 16:15:38 +0200
Subject: [PATCH 6/6] fix issue #113
---
 analyzers/CuckooSandbox/cuckoosandbox_analyzer.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py b/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
index 678f58c76..d5fdebefd 100644
--- a/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
+++ b/analyzers/CuckooSandbox/cuckoosandbox_analyzer.py
@@ -13,6 +13,7 @@ def __init__(self):
         Analyzer.__init__(self)
         self.service = self.getParam('config.service', None, 'CuckooSandbox service is missing')
         self.url = self.getParam('config.url', None, 'CuckooSandbox url is missing')
+        self.url = self.url + "/" if not self.url.endswith("/") else self.url
         #self.analysistimeout = self.getParam('config.analysistimeout', 30*60, None)
         #self.networktimeout = self.getParam('config.networktimeout', 30, None)
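Review bot: The added normalisation reads more naturally as a statement than as a conditional expression that reassigns the same attribute: `if not self.url.endswith("/"): self.url += "/"`. It is also the only place the base URL is shaped, and the reason for the slash is not visible here, so a short comment such as `# endpoints are appended by plain string concatenation (self.url + 'tasks/...'), so the base must end in "/"` would tell the next reader why it matters. The rest of __init__ is outside the hunk.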