From 8a501398ec07c8334c675abc7a5ba1150725b710 Mon Sep 17 00:00:00 2001 From: Arcuri Davide Date: Wed, 18 Oct 2017 09:02:40 +0200 Subject: [PATCH 1/2] Fixed: hide empty panel from template Using the same template for Ip and Domain require existence check for particular section that are not present in both --- .../EmergingThreats_DomainInfo_1_0/long.html | 248 ++++++++++++++++++ .../EmergingThreats_IPInfo_1_0/long.html | 248 ++++++++++++++++++ 2 files changed, 496 insertions(+) create mode 100644 thehive-templates/DomainTools_WhoisLookup_2_0/EmergingThreats_DomainInfo_1_0/long.html create mode 100644 thehive-templates/DomainTools_WhoisLookup_2_0/EmergingThreats_IPInfo_1_0/long.html diff --git a/thehive-templates/DomainTools_WhoisLookup_2_0/EmergingThreats_DomainInfo_1_0/long.html b/thehive-templates/DomainTools_WhoisLookup_2_0/EmergingThreats_DomainInfo_1_0/long.html new file mode 100644 index 000000000..5502439ad --- /dev/null +++ b/thehive-templates/DomainTools_WhoisLookup_2_0/EmergingThreats_DomainInfo_1_0/long.html @@ -0,0 +1,248 @@ + + + + + +
+ +
+
+ Reputation +
+
+
+
{{ reputation.category }}
+
{{ reputation.score }}
+
+
+
+ +
+
+ Events +
+
+ + + + + + + + + + + + + + + + + +
CountDateDomainSidSignatureSource
{{ events.count }}{{ events.date }}{{ events.domain }}{{ events.sid }}{{ events.signature }}{{ events.source }}
+
+
+ +
+
+ Geoloc +
+ +
+
+
+
City
+
{{ geo.city }}
+
+
+
country
+
{{ geo.country }} [{{ geo.country_code }}]
+
+
+
IP
+
{{ geo.ip }}
+
+
+
Coordinates
+
{{ geo.latitude }} / {{ geo.longitude }}
+
+
+ +
+ + +
+
+
+ +
+
+ IPs +
+
+ + + + + + + + + + + +
First seenIPLast seen
{{ ip.first_seen }}{{ ip.ip }}{{ ip.last_seen }}
+
+
+ +
+
+ Domains +
+
+ + + + + + + + + + + +
First seenNameLast seen
{{ domain.first_seen }}{{ domain.domain }}{{ domain.last_seen }}
+
+
+ +
+
+ Samples +
+
+ + + + + + + + + + + +
First seenLast seenSource
{{ sample.first_seen }}{{ sample.last_seen }}{{ sample.source }}
+
+
+ +
+
+ Nameservers +
+
+ + + + + + + + + + + +
First seenLast seenServer
{{ nameserver.first_seen }}{{ nameserver.last_seen }}{{ nameserver.server }}
+
+
+ +
+
+ Urls +
+
+
+
{{ url }}
+
+
+
+ +
+
+ Whois +
+
+

Domain

+
+
{{ content.whois.domain }}
+
+

Registrant

+
+
Created
+
{{ content.whois.registrant.created }}
+
+
+
Expires
+
{{ content.whois.registrant.expires }}
+
+
+
Updated
+
{{ content.whois.registrant.updated }}
+
+

Registrar

+
+
Country
+
{{ content.whois.registrar.country }}
+
+
+
Name
+
{{ content.whois.registrar.name }}
+
+
+
Website
+
{{ content.whois.registrar.website }}
+
+
+
+ + + + + +
+
+ {{(artifact.data || artifact.attachment.name) | fang}} +
+
+ {{content.errorMessage}} +
+
\ No newline at end of file diff --git a/thehive-templates/DomainTools_WhoisLookup_2_0/EmergingThreats_IPInfo_1_0/long.html b/thehive-templates/DomainTools_WhoisLookup_2_0/EmergingThreats_IPInfo_1_0/long.html new file mode 100644 index 000000000..5502439ad --- /dev/null +++ b/thehive-templates/DomainTools_WhoisLookup_2_0/EmergingThreats_IPInfo_1_0/long.html @@ -0,0 +1,248 @@ + + + + + +
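Review bot: Both new templates are byte-identical (each file header records `index 000000000..5502439ad`) and are created under `thehive-templates/DomainTools_WhoisLookup_2_0/…`, i.e. nested inside another analyzer's template directory rather than as top-level `EmergingThreats_DomainInfo_1_0` and `EmergingThreats_IPInfo_1_0` entries, which looks like a misplaced copy; the second hunk (`EmergingThreats_IPInfo_1_0/long.html`) has the same issue. The template also carries a Whois panel bound to `content.whois.domain`, `content.whois.registrant.*` and `content.whois.registrar.*`, fields that belong to the DomainTools report and that nothing on this page shows an EmergingThreats domain-info or ip-info result populating, so that panel would presumably render empty or be hidden by the existence check the commit message describes — worth either dropping it or confirming those keys exist in the EmergingThreats output. Since the markup on this page has lost its tags, I cannot verify the per-section existence guards the message refers to; a one-line comment at the top of each file naming the analyzer and the report shape it expects, e.g. `<!-- EmergingThreats domain-info / ip-info long report: reputation, events, geo, ips, domains, samples, nameservers, urls -->`, would help the next maintainer. Both files also lack a trailing newline.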
+ +
+
+ Reputation +
+
+
+
{{ reputation.category }}
+
{{ reputation.score }}
+
+
+
+ +
+
+ Events +
+
+ + + + + + + + + + + + + + + + + +
CountDateDomainSidSignatureSource
{{ events.count }}{{ events.date }}{{ events.domain }}{{ events.sid }}{{ events.signature }}{{ events.source }}
+
+
+ +
+
+ Geoloc +
+ +
+
+
+
City
+
{{ geo.city }}
+
+
+
country
+
{{ geo.country }} [{{ geo.country_code }}]
+
+
+
IP
+
{{ geo.ip }}
+
+
+
Coordinates
+
{{ geo.latitude }} / {{ geo.longitude }}
+
+
+ +
+ + +
+
+
+ +
+
+ IPs +
+
+ + + + + + + + + + + +
First seenIPLast seen
{{ ip.first_seen }}{{ ip.ip }}{{ ip.last_seen }}
+
+
+ +
+
+ Domains +
+
+ + + + + + + + + + + +
First seenNameLast seen
{{ domain.first_seen }}{{ domain.domain }}{{ domain.last_seen }}
+
+
+ +
+
+ Samples +
+
+ + + + + + + + + + + +
First seenLast seenSource
{{ sample.first_seen }}{{ sample.last_seen }}{{ sample.source }}
+
+
+ +
+
+ Nameservers +
+
+ + + + + + + + + + + +
First seenLast seenServer
{{ nameserver.first_seen }}{{ nameserver.last_seen }}{{ nameserver.server }}
+
+
+ +
+
+ Urls +
+
+
+
{{ url }}
+
+
+
+ +
+
+ Whois +
+
+

Domain

+
+
{{ content.whois.domain }}
+
+

Registrant

+
+
Created
+
{{ content.whois.registrant.created }}
+
+
+
Expires
+
{{ content.whois.registrant.expires }}
+
+
+
Updated
+
{{ content.whois.registrant.updated }}
+
+

Registrar

+
+
Country
+
{{ content.whois.registrar.country }}
+
+
+
Name
+
{{ content.whois.registrar.name }}
+
+
+
Website
+
{{ content.whois.registrar.website }}
+
+
+
+ + + + + +
+
+ {{(artifact.data || artifact.attachment.name) | fang}} +
+
+ {{content.errorMessage}} +
+
\ No newline at end of file From db7f8ce2a22c5d814f0e461790bd95e8b1443e20 Mon Sep 17 00:00:00 2001 From: Arcuri Davide Date: Mon, 23 Oct 2017 16:15:02 +0200 Subject: [PATCH 2/2] Fixed: Error should not create taxonomies --- analyzers/EmergingThreats/emergingthreats_analyzer.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/analyzers/EmergingThreats/emergingthreats_analyzer.py b/analyzers/EmergingThreats/emergingthreats_analyzer.py index 195364f0d..dd81ea061 100644 --- a/analyzers/EmergingThreats/emergingthreats_analyzer.py +++ b/analyzers/EmergingThreats/emergingthreats_analyzer.py @@ -40,7 +40,7 @@ def summary(self, raw): namespace = "ET" predicate = self.service - if predicate in ['domain-info', 'ip-info'] and raw['reputation'] != "-": + if predicate in ['domain-info', 'ip-info'] and raw['reputation'] not in ["-", "Error"]: for x in raw["reputation"]: value = "%s=%d" % (x['category'], x['score']) if x['category'] in RED_CATEGORIES and x['score'] >= 70: @@ -50,7 +50,7 @@ def summary(self, raw): else: level = "safe" taxonomies.append(self.build_taxonomy(level, namespace, predicate, value)) - elif predicate == 'malware-info' and raw['events'] != "-": + elif predicate == 'malware-info' and raw['events'] not in ["-", "Error"]: value = str(len(raw['events'])) + " signatures" taxonomies.append(self.build_taxonomy("malicious", namespace, predicate, value))
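Review bot: The guard `raw['reputation'] not in ["-", "Error"]` (and `raw['events'] not in ["-", "Error"]` in the second hunk) encodes the error state as magic strings, so any other non-list value the run path may store — a different sentinel, `None`, or a missing key, which `raw['reputation']` turns into a KeyError — still reaches `for x in raw["reputation"]` and fails with a TypeError, or is counted by `len(raw['events'])` as a number of signatures. A type check states the intent directly and covers those cases: `if predicate in ['domain-info', 'ip-info'] and isinstance(raw.get('reputation'), list):` and `elif predicate == 'malware-info' and isinstance(raw.get('events'), list):`, assuming the successful result is a list as the loop and the `len()` call suggest. If the string sentinels must stay, hoisting them into one module-level constant such as `NO_RESULT = ("-", "Error")` keeps the two hunks from drifting apart. `summary` begins before this hunk and presumably returns `taxonomies` after it.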