From 69dd9aa446fae19ec11f0ec90825e9b2a34de695 Mon Sep 17 00:00:00 2001 From: Mehdi Termoul Date: Mon, 20 Mar 2023 17:58:25 +0100 Subject: [PATCH 1/3] 1173 Added the requirement (requests module) --- analyzers/Crowdsec/requirements.txt | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 analyzers/Crowdsec/requirements.txt diff --git a/analyzers/Crowdsec/requirements.txt b/analyzers/Crowdsec/requirements.txt new file mode 100644 index 000000000..4a21dbf63 --- /dev/null +++ b/analyzers/Crowdsec/requirements.txt @@ -0,0 +1,2 @@ +cortexutils +requests \ No newline at end of file From 6a265539e3dd2e05348081341b558ac48f09bd37 Mon Sep 17 00:00:00 2001 
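Review bot: Both added lines in requirements.txt are unpinned, so `cortexutils` and `requests` resolve to whatever is newest at build time, which makes the analyzer's dependency set unreproducible and lets an upstream release change behaviour (or be compromised) without any change in this repository. Pinning to the versions the checks were run against, e.g. `cortexutils==<tested-version>` and `requests==<tested-version>`, keeps builds deterministic and lets a reviewer see exactly what was exercised. The file is also written without a trailing newline, as the `\ No newline at end of file` marker shows, which will show up as churn the next time a line is appended.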
From: Mehdi Termoul Date: Mon, 20 Mar 2023 20:43:20 +0100 Subject: [PATCH 2/3] Added the checks to some analyzer's json file but still have some issues with EmlParser and Virusshare --- analyzers/AbuseIPDB/AbuseIPDB.json | 165 +++++++++++++----- analyzers/Abuse_Finder/Abuse_Finder.json | 46 +++++ .../CIRCLHashlookup/CIRCLHashlookup.json | 104 ++++++++--- analyzers/Crowdsec/Crowdsec_analyzer.json | 47 ++++- .../Cyberprotect_ThreatScore.json | 70 +++++++- .../DNSLookingglass/DNSLookingglass.json | 38 +++- analyzers/DShield/DShield_lookup.json | 49 +++++- .../domainMailSPFDMARC_get_reports.json | 45 ++++- analyzers/EmailRep/EmailRep.json | 40 ++++- analyzers/FileInfo/FileInfo.json | 32 +++- .../FireHOLBlocklists/FireHOLBlocklists.json | 55 +++++- analyzers/GoogleDNS/GoogleDNS_resolve.json | 39 ++++- analyzers/GreyNoise/GreyNoise.json | 66 ++++++- analyzers/Hunterio/Hunterio_domainsearch.json | 77 +++++++- analyzers/IP-API/IP-API.json | 59 ++++++- analyzers/Maltiverse/Maltiverse_Report.json | 94 +++++++++- analyzers/MaxMind/MaxMind_GeoIP.json | 60 ++++++- analyzers/SpamhausDBL/SpamhausDBL.json | 56 +++++- analyzers/StopForumSpam/StopForumSpam.json | 115 ++++++++---- analyzers/ThreatMiner/ThreatMiner.json | 55 +++++- analyzers/URLhaus/URLhaus.json | 39 ++++- analyzers/UnshortenLink/UnshortenLink.json | 52 +++++- .../VirusTotal/VirusTotal_GetReport.json | 38 +++- analyzers/VirusTotal/VirusTotal_Rescan.json | 38 +++- analyzers/VirusTotal/VirusTotal_Scan.json | 44 ++++- 25 files changed, 1382 insertions(+), 141 deletions(-) diff --git a/analyzers/AbuseIPDB/AbuseIPDB.json b/analyzers/AbuseIPDB/AbuseIPDB.json index a0334cecd..69b3fa192 100644 --- a/analyzers/AbuseIPDB/AbuseIPDB.json +++ b/analyzers/AbuseIPDB/AbuseIPDB.json 
@@ -1,47 +1,128 @@ { - "name": "AbuseIPDB", - "version": "1.0", - "author": "Matteo Lodi", - "url": "https://github.com/TheHive-Project/Cortex-Analyzers", - "license": "AGPL-v3", - "description": "Determine whether an IP was reported or not as malicious by AbuseIPDB", - "dataTypeList": ["ip"], - "baseConfig": "AbuseIPDB", - "command": "AbuseIPDB/abuseipdb.py", - "configurationItems": [ - { - "name": "key", - "description": "API key for AbuseIPDB", - "type": "string", - "multi": false, - "required": true - }, - { - "name": "days", - "description": "Check for IP Reports in the last X days", - "type": "number", - "multi": false, - "required": false, - "defaultValue": 30 - } - ], - "config": { - "check_tlp": true, - "max_tlp": 2, - "auto_extract": false - }, - "registration_required": true, - "subscription_required": true, - "free_subscription": true, - "service_homepage": "https://www.abuseipdb.com/", - "service_logo": { - "path": "assets/abuseipdb.png", - "caption": "abuseipdb logo" + "name": "AbuseIPDB", + "version": "1.0", + "author": "Matteo Lodi", + "url": "https://github.com/TheHive-Project/Cortex-Analyzers", + "license": "AGPL-v3", + "description": "Determine whether an IP was reported or not as malicious by AbuseIPDB", + "dataTypeList": [ + "ip" + ], + "baseConfig": "AbuseIPDB", + "command": "AbuseIPDB/abuseipdb.py", + "configurationItems": [ + { + "name": "key", + "description": "API key for AbuseIPDB", + "type": "string", + "multi": false, + "required": true }, - "screenshots": [ + { + "name": "days", + "description": "Check for IP Reports in the last X days", + "type": "number", + "multi": false, + "required": false, + "defaultValue": 30 + } + ], + "config": { + "check_tlp": true, + "max_tlp": 2, + "auto_extract": false + }, + "registration_required": true, + "subscription_required": true, + "free_subscription": true, + "service_homepage": "https://www.abuseipdb.com/", + "service_logo": { + "path": "assets/abuseipdb.png", + "caption": "abuseipdb logo" + }, 
+ "screenshots": [ + { + "path": "assets/long_report.png", + "caption": "AbuseIPDB: Long report template" + } + ], + "checks": [ + { + "input": { + "data": "8.8.8.8", + "dataType": "ip", + "config": { + "key": "ENV:AbuseIPDB", + "days": 30, + "check_tlp": true, + "max_tlp": 2, + "auto_extract": false + } + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.summary.taxonomies[*].level", + "expected": [ + "malicious" + ] + }, + { + "path": "$.summary.taxonomies[*].namespace", + "expected": [ + "AbuseIPDB" + ] + }, + { + "path": "$.summary.taxonomies[*].predicate", + "expected": [ + "Records" + ] + }, + { + "path": "$.summary.taxonomies[*].value", + "expected": [ + 22 + ] + }, + { + "path": "$.full.values[*].data.ipAddress", + "expected": [ + "8.8.8.8" + ] + }, + { + "path": "$.full.values[*].data.usageType", + "expected": [ + "Data Center/Web Hosting/Transit" + ] + }, + { + "path": "$.full.values[*].data.domain", + "expected": [ + "google.com" + ] + }, { - "path": "assets/long_report.png", - "caption": "AbuseIPDB: Long report template" + "path": "$.full.values[*].categories_strings[*]", + "expected": [ + "Port Scan", + "Hacking", + "Brute Force", + "Exploited Host", + "SSH", + "unknown category", + "Web App Attack", + "IoT Targeted", + "Web Spam" + ] } - ] + ] + } + ] } \ No newline at end of file diff --git a/analyzers/Abuse_Finder/Abuse_Finder.json b/analyzers/Abuse_Finder/Abuse_Finder.json index 71a9f3f17..f64f93f00 100644 --- a/analyzers/Abuse_Finder/Abuse_Finder.json +++ b/analyzers/Abuse_Finder/Abuse_Finder.json 
@@ -27,5 +27,51 @@ "path": "assets/abuse_finder_longreport.png", "caption": "Abuse_Finder: Long report template" } + ], + "checks": [ + { + "input": { + "data": "strangebee.com", + "dataType": "domain" + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.artifacts[*].data", + "expected": [ + "abuse@support.gandi.net" + ] + }, + { + "path": "$.artifacts[*].dataType", + "expected": [ + "mail" + ] + }, + { + "path": "$.full.abuse_finder.value", + "expected": [ + "strangebee.com" + ] + }, + { + "path": "$.full.abuse_finder.names[*]", + "expected": [ + "Gandi SAS" + ] + }, + { + "path": "$.full.abuse_finder.abuse[*]", + "expected": [ + "abuse@support.gandi.net" + ] + } + ] + } ] } \ No newline at end of file diff --git a/analyzers/CIRCLHashlookup/CIRCLHashlookup.json b/analyzers/CIRCLHashlookup/CIRCLHashlookup.json index 567a75a9a..0c0226ea4 100644 --- a/analyzers/CIRCLHashlookup/CIRCLHashlookup.json +++ b/analyzers/CIRCLHashlookup/CIRCLHashlookup.json 
@@ -5,27 +5,91 @@ "url": "https://github.com/TheHive-Project/Cortex-Analyzers", "version": "1.1", "description": "CIRCL hashlookup uses a public API to lookup hash values against databases of known good files", - "dataTypeList": ["hash"], + "dataTypeList": [ + "hash" + ], "baseConfig": "CIRCLHashlookup", "config": { - "check_tlp": true, - "max_tlp": 2, - "check_pap": true, - "max_pap": 2 - }, + "check_tlp": true, + "max_tlp": 2, + "check_pap": true, + "max_pap": 2 + }, "command": "CIRCLHashlookup/circlhashlookup_analyzer.py", - "registration_required": false, - "subscription_required": false, - "free_subscription": true, - "service_homepage": "https://hashlookup.circl.lu/", - "service_logo": {"path":"assets/circlhashlookup_logo.png", "caption": "logo"}, - "screenshots": [ - { - "path": "assets/circlhashlookup_long_report.png", - "caption:":"CIRCLHashlookup analyzer full report" - }, - { + "registration_required": false, + "subscription_required": false, + "free_subscription": true, + "service_homepage": "https://hashlookup.circl.lu/", + "service_logo": { + "path": "assets/circlhashlookup_logo.png", + "caption": "logo" + }, + "screenshots": [ + { + "path": "assets/circlhashlookup_long_report.png", + "caption:": "CIRCLHashlookup analyzer full report" + }, + { "path": "assets/circlhashlookup_verdict.png", - "caption:":"CIRCLHashlookup analyzer verdict" - }] -} + "caption:": "CIRCLHashlookup analyzer verdict" + } + ], + "checks": [ + { + "input": { + "data": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9", + "dataType": "hash", + "config": { + "check_tlp": true, + "max_tlp": 2, + "check_pap": true, + "max_pap": 2 + } + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.summary.taxonomies[*].level", + "expected": [ + "info" + ] + }, + { + "path": "$.summary.taxonomies[*].namespace", + "expected": [ + "CIRCLHashlookup" + ] + }, + { + "path": "$.summary.taxonomies[*].predicate", + "expected": [ + "Result" + ] + 
}, + { + "path": "$.summary.taxonomies[*].value", + "expected": [ + "unkown" + ] + }, + { + "path": "$.full.message", + "expected": [ + "Non existing MD5" + ] + }, + { + "path": "$.full.query", + "expected": [ + "f26d3fb255f843fd977ca4a4000cb782" + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/analyzers/Crowdsec/Crowdsec_analyzer.json b/analyzers/Crowdsec/Crowdsec_analyzer.json index ed30a2028..2432fe860 100644 --- a/analyzers/Crowdsec/Crowdsec_analyzer.json +++ b/analyzers/Crowdsec/Crowdsec_analyzer.json @@ -36,5 +36,50 @@ "path": "assets/crowdsec-analyzer-result-example.png", "caption": "" } + ], + "checks": [ + { + "input": { + "data": "8.8.8.8", + "dataType": "ip", + "config": { + "api_key": "ENV:Crowdsec" + } + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.artifacts[*].data", + "expected": [ + "8.8.8.0/24", + "dns.google" + ] + }, + { + "path": "$.artifacts[*].dataType", + "expected": [ + "ip", + "domain" + ] + }, + { + "path": "$.full.ip", + "expected": [ + "8.8.8.8" + ] + }, + { + "path": "$.full.as_name", + "expected": [ + "GOOGLE" + ] + } + ] + } ] -} +} \ No newline at end of file diff --git a/analyzers/Cyberprotect/Cyberprotect_ThreatScore.json b/analyzers/Cyberprotect/Cyberprotect_ThreatScore.json index 70aa0221b..c22de612c 100755 --- a/analyzers/Cyberprotect/Cyberprotect_ThreatScore.json +++ b/analyzers/Cyberprotect/Cyberprotect_ThreatScore.json @@ -5,7 +5,13 @@ "url": "https://github.com/Cyberprotect/Cortex-Analyzers", "version": "3.0", "description": "ThreatScore is a cyber threat scoring system provided by Cyberprotect", - "dataTypeList": ["domain", "hash", "ip", "url", "user-agent"], + "dataTypeList": [ + "domain", + "hash", + "ip", + "url", + "user-agent" + ], "command": "Cyberprotect/CyberprotectAnalyzer.py", "baseConfig": "Cyberprotect", "config": { 
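Review bot: The check's input `"data"` is a 64-hex-character value (`b94d27b9…efcde9`), but `$.full.query` is expected to be the 32-hex-character `f26d3fb255f843fd977ca4a4000cb782` and `$.full.message` to be `"Non existing MD5"`, so the expectations describe a different lookup than the one the input performs; one side must be corrected so the input and the expected echo agree. The expected taxonomy value `"unkown"` may be exactly what the analyzer emits, but if it is a typo in the check it will never match `"unknown"`, so it is worth confirming against the analyzer's output. The re-indented screenshot entries also carry over the pre-existing mis-spelled key `"caption:"` (with a colon) on both entries; since those lines are being rewritten anyway, `"caption": "CIRCLHashlookup analyzer full report"` would fix it.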
@@ -25,5 +31,65 @@ "path": "assets/long_report.png", "caption": "cyberprotect: long report" } + ], + "checks": [ + { + "input": { + "data": "8.8.8.8", + "dataType": "ip", + "config": { + "service": "ThreatScore", + "check_tlp": true + } + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.full.threatscore.categories[*]", + "expected": [ + "blocklist", + "general_business", + "malicious_host", + "spam", + "malspam" + ] + }, + { + "path": "$.full.threatscore.indicators.blocklist", + "expected": [ + true + ] + }, + { + "path": "$.full.threatscore.indicators.compromission", + "expected": [ + true + ] + }, + { + "path": "$.full.threatscore.value", + "expected": [ + 0.44026315789473686 + ] + }, + { + "path": "$.full.threatscore.level", + "expected": [ + "suspicious" + ] + }, + { + "path": "$.full.tags[*]", + "expected": [ + "dns" + ] + } + ] + } ] -} +} \ No newline at end of file diff --git a/analyzers/DNSLookingglass/DNSLookingglass.json b/analyzers/DNSLookingglass/DNSLookingglass.json index 926bf3dc6..8f78e8bb9 100644 --- a/analyzers/DNSLookingglass/DNSLookingglass.json +++ b/analyzers/DNSLookingglass/DNSLookingglass.json @@ -5,7 +5,10 @@ "url": "https://github.com/xme/thehive/Cortex-Analyzers", "license": "AGPL-V3", "description": "Query the SANS ISC Global DNS Lookingglass API to check a domain name for resolved IP addresses.", - "dataTypeList": ["domain", "fqdn"], + "dataTypeList": [ + "domain", + "fqdn" + ], "command": "DNSLookingglass/DNSLookingglass_lookup.py", "baseConfig": "DNSLookingglass.json", "config": { 
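Review bot: `$.full.threatscore.value` is expected to equal the exact float `0.44026315789473686`, a score computed by the remote service for 8.8.8.8 that will move with every rescoring, and exact floating-point equality is the most fragile assertion available for it. If the check framework only supports equality on `expected`, the `level` rule (`"suspicious"`) and the two indicator booleans already capture the verdict, and the numeric rule should be dropped; the `categories[*]` list has the same drift problem. The `"checks"` array closes inside the hunk, but the object's earlier keys are outside it.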
@@ -28,5 +31,36 @@ "path": "assets/DNS_Lookingglass_artifacts.png", "caption": "DNS Lookingglass: artifacts" } + ], + "checks": [ + { + "input": { + "data": "strangebee.com", + "dataType": "domain", + "config": { + "service": "query" + } + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.artifacts[*].dataType", + "expected": [ + "ip" + ] + }, + { + "path": "$.artifacts[*].data", + "expected": [ + "217.70.184.55" + ] + } + ] + } ] -} +} \ No newline at end of file diff --git a/analyzers/DShield/DShield_lookup.json b/analyzers/DShield/DShield_lookup.json index 15419897c..728b094b1 100644 --- a/analyzers/DShield/DShield_lookup.json +++ b/analyzers/DShield/DShield_lookup.json @@ -5,7 +5,9 @@ "url": "https://github.com/xme/thehive/Cortex-Analyzers", "license": "AGPL-V3", "description": "Query the SANS ISC DShield API to check for an IP address reputation.", - "dataTypeList": ["ip"], + "dataTypeList": [ + "ip" + ], "command": "DShield/DShield_lookup.py", "baseConfig": "DShield", "config": { @@ -24,5 +26,48 @@ "path": "assets/long_report.png", "caption": "DShield: long report" } + ], + "checks": [ + { + "input": { + "data": "8.8.8.8", + "dataType": "ip", + "config": { + "service": "query" + } + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.full.ip", + "expected": [ + "8.8.8.8" + ] + }, + { + "path": "$.full.asname", + "expected": [ + "GOOGLE" + ] + }, + { + "path": "$.full.maxrisk", + "expected": [ + 3 + ] + }, + { + "path": "$.full.reputation", + "expected": [ + "Suspicious" + ] + } + ] + } ] -} +} \ No newline at end of file diff --git a/analyzers/DomainMailSPFDMARC/domainMailSPFDMARC_get_reports.json b/analyzers/DomainMailSPFDMARC/domainMailSPFDMARC_get_reports.json index 4b8dbab2c..76dfad5ab 100644 --- a/analyzers/DomainMailSPFDMARC/domainMailSPFDMARC_get_reports.json +++ b/analyzers/DomainMailSPFDMARC/domainMailSPFDMARC_get_reports.json 
@@ -5,7 +5,10 @@ "author": "torsolaso", "license": "AGPL-V3", "description": "DomainMailSPFDMARC", - "dataTypeList": ["domain", "fqdn"], + "dataTypeList": [ + "domain", + "fqdn" + ], "command": "DomainMailSPFDMARC/domainMailSPFDMARC.py", "baseConfig": "DomainMailSPFDMARC", "config": { @@ -24,5 +27,43 @@ "path": "assets/DomainMailSPFDMARC_short.png", "caption": "DomainMailSPFDMARC mini report sample" } + ], + "checks": [ + { + "input": { + "data": "strangebee.com", + "dataType": "domain", + "config": { + "service": "get" + } + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.full.DomainMailSPFDMARC.domain", + "expected": [ + "strangebee.com" + ] + }, + { + "path": "$.full.DomainMailSPFDMARC.mx.hosts[*].hostname", + "expected": [ + "strangebee-com.mail.protection.outlook.com" + ] + }, + { + "path": "$.full.DomainMailSPFDMARC.mx.hosts[*].addresses[*]", + "expected": [ + "104.47.24.36", + "104.47.25.36" + ] + } + ] + } ] -} +} \ No newline at end of file diff --git a/analyzers/EmailRep/EmailRep.json b/analyzers/EmailRep/EmailRep.json index 1b1357899..60bdfa50f 100644 --- a/analyzers/EmailRep/EmailRep.json +++ b/analyzers/EmailRep/EmailRep.json @@ -5,7 +5,9 @@ "url": "https://github.com/ninoseki/emailrep-analyzer", "license": "MIT", "description": "emailrep.io lookup.", - "dataTypeList": ["mail"], + "dataTypeList": [ + "mail" + ], "command": "EmailRep/emailrep_analyzer.py", "baseConfig": "EmailRep", "configurationItems": [ 
@@ -30,5 +32,39 @@ "path": "assets/long_report.png", "caption": "Emailrep: long report" } + ], + "checks": [ + { + "input": { + "data": "mehdi.termoul@strangebee.com", + "dataType": "mail" + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.full.email", + "expected": [ + "mehdi.termoul@strangebee.com" + ] + }, + { + "path": "$.full.reputation", + "expected": [ + "medium" + ] + }, + { + "path": "$.full.suspicious", + "expected": [ + false + ] + } + ] + } ] -} +} \ No newline at end of file diff --git a/analyzers/FileInfo/FileInfo.json b/analyzers/FileInfo/FileInfo.json index 396434f69..6acc8464d 100644 --- a/analyzers/FileInfo/FileInfo.json +++ b/analyzers/FileInfo/FileInfo.json @@ -5,7 +5,9 @@ "url": "https://github.com/TheHive-Project/Cortex-Analyzers", "license": "AGPL-V3", "description": "Parse files in several formats such as OLE and OpenXML to detect VBA macros, extract their source code, generate useful information on PE, PDF files...", - "dataTypeList": ["file"], + "dataTypeList": [ + "file" + ], "baseConfig": "FileInfo", "command": "FileInfo/fileinfo_analyzer.py", "configurationItems": [ @@ -65,5 +67,31 @@ "multi": false, "default": 4 } + ], + "checks": [ + { + "input": { + "file": "catalog.json", + "contentType": "application/json", + "filename": "catalog.json", + "dataType": "file", + "config": { + "manalyze_enable": false, + "manalyze_enable_docker": false, + "manalyze_binary_path": "/worker/Manalyze/bin/manalyze", + "floss_enable": false, + "floss_binary_path": "/usr/bin/floss", + "floss_minimal_string_length": 4 + } + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + } + ] + } ] -} +} \ No newline at end of file diff --git a/analyzers/FireHOLBlocklists/FireHOLBlocklists.json b/analyzers/FireHOLBlocklists/FireHOLBlocklists.json index ebda218fb..4a90cd323 100644 --- a/analyzers/FireHOLBlocklists/FireHOLBlocklists.json +++ b/analyzers/FireHOLBlocklists/FireHOLBlocklists.json 
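Review bot: The new check uses a real person's address, `mehdi.termoul@strangebee.com`, as the lookup input and as the expected `$.full.email`, which commits personal data to the repository and ties the test to an individual mailbox whose reputation (expected `"medium"`) and `suspicious` flag can change independently of the analyzer. A role or documentation address owned by the project, e.g. `"data": "<role-address@project-domain>"`, avoids the PII concern; the StopForumSpam check in this commit uses the same address and has the same issue. The check also passes no `config`, so if the analyzer reads an API key from the configuration items shown just after the file's first hunk, the run depends on the environment rather than on the declared input.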
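Review bot: The added FileInfo check asserts only `$.success`, so a run that parses `catalog.json` and returns an empty or wrong report still passes; at least one rule on the report contents (for example the taxonomy under `$.summary.taxonomies[*]`, if the analyzer emits one for JSON input) would give it teeth. The input also hardcodes environment-specific absolute paths (`/worker/Manalyze/bin/manalyze`, `/usr/bin/floss`) even though `manalyze_enable` and `floss_enable` are both `false`; if the paths are unused when those features are off, omitting them keeps the check portable. Where the fixture `catalog.json` is resolved from is not stated in the hunk and should be documented next to the other checks.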
@@ -5,7 +5,9 @@ "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers", "version": "2.0", "description": "Check IP addresses against the FireHOL blocklists", - "dataTypeList": ["ip"], + "dataTypeList": [ + "ip" + ], "baseConfig": "FireHOLBlocklists", "command": "FireHOLBlocklists/firehol_blocklists.py", "configurationItems": [ @@ -30,5 +32,54 @@ "path": "assets/long_report.png", "caption": "FireHOL Blocklists: long report" } + ], + "checks": [ + { + "input": { + "data": "8.8.8.8", + "dataType": "ip", + "config": { + "blocklistpath": "blocklist" + } + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.summary.taxonomies[*].level", + "expected": [ + "safe" + ] + }, + { + "path": "$.summary.taxonomies[*].namespace", + "expected": [ + "Firehol" + ] + }, + { + "path": "$.summary.taxonomies[*].predicate", + "expected": [ + "Blocklists" + ] + }, + { + "path": "$.summary.taxonomies[*].value", + "expected": [ + "0 hit" + ] + }, + { + "path": "$.full.count", + "expected": [ + 0 + ] + } + ] + } ] -} +} \ No newline at end of file diff --git a/analyzers/GoogleDNS/GoogleDNS_resolve.json b/analyzers/GoogleDNS/GoogleDNS_resolve.json index 3599cf7d3..426a00859 100644 --- a/analyzers/GoogleDNS/GoogleDNS_resolve.json +++ b/analyzers/GoogleDNS/GoogleDNS_resolve.json 
@@ -5,13 +5,46 @@ "url": "https://github.com/TheHive-Project/Cortex-Analyzers", "license": "AGPL-V3", "description": "Request Google DNS over HTTPS service", - "dataTypeList": ["domain", "ip", "fqdn"], + "dataTypeList": [ + "domain", + "ip", + "fqdn" + ], "command": "GoogleDNS/GoogleDNS_resolve.py", "baseConfig": "GoogleDNS", "config": { "service": "get" }, - "configurationItems": [ - + "configurationItems": [], + "checks": [ + { + "input": { + "data": "strangebee.com", + "dataType": "domain", + "config": { + "service": "get" + } + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.artifacts[*].data", + "expected": [ + "217.70.184.55" + ] + }, + { + "path": "$.full.Status", + "expected": [ + "No Error" + ] + } + ] + } ] } \ No newline at end of file diff --git a/analyzers/GreyNoise/GreyNoise.json b/analyzers/GreyNoise/GreyNoise.json index e3a87e4ae..a17f50ee8 100644 --- a/analyzers/GreyNoise/GreyNoise.json +++ b/analyzers/GreyNoise/GreyNoise.json @@ -5,7 +5,9 @@ "url": "https://github.com/TheHive-Project/Cortex-Analyzers", "license": "APLv2", "description": "Determine whether an IP has known scanning activity using GreyNoise.", - "dataTypeList": ["ip"], + "dataTypeList": [ + "ip" + ], "baseConfig": "GreyNoise", "command": "GreyNoise/greynoisev3.py", "configurationItems": [ 
@@ -42,5 +44,65 @@ "path": "assets/long_report.png", "caption": "GreyNoise: long report" } + ], + "checks": [ + { + "input": { + "data": "8.8.8.8", + "dataType": "ip", + "config": { + "key": "ENV:GreyNoise", + "api_type": "community", + "check_tlp": true, + "service": "scan", + "max_tlp": 2, + "auto_extract": false + } + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.full.ip", + "expected": [ + "8.8.8.8" + ] + }, + { + "path": "$.full.noise", + "expected": [ + false + ] + }, + { + "path": "$.full.riot", + "expected": [ + true + ] + }, + { + "path": "$.full.classification", + "expected": [ + "benign" + ] + }, + { + "path": "$.full.name", + "expected": [ + "Google Public DNS" + ] + }, + { + "path": "$.full.message", + "expected": [ + "Success" + ] + } + ] + } ] -} +} \ No newline at end of file diff --git a/analyzers/Hunterio/Hunterio_domainsearch.json b/analyzers/Hunterio/Hunterio_domainsearch.json index 149867da4..1fba82342 100644 --- a/analyzers/Hunterio/Hunterio_domainsearch.json +++ b/analyzers/Hunterio/Hunterio_domainsearch.json @@ -5,7 +5,10 @@ "url": "https://github.com/Cyberprotect/Cortex-Analyzers", "version": "1.0", "description": "hunter.io is a service to find email addresses from a domain.", - "dataTypeList": ["domain", "fqdn"], + "dataTypeList": [ + "domain", + "fqdn" + ], "command": "Hunterio/hunterio_analyzer.py", "baseConfig": "Hunterio", "config": { 
@@ -34,5 +37,75 @@ "path": "assets/long_report.png", "caption": "Hunter: long report" } + ], + "checks": [ + { + "input": { + "data": "strangebee.com", + "dataType": "domain", + "config": { + "service": "domainsearch", + "check_tlp": false, + "key": "ENV:Hunterio" + } + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.artifacts[*].type", + "expected": [ + "email", + "email", + "email" + ] + }, + { + "path": "$.artifacts[*].value", + "expected": [ + "contact@strangebee.com", + "hiring@strangebee.com", + "thehive5@strangebee.com" + ] + }, + { + "path": "$.full.data.domain", + "expected": [ + "strangebee.com" + ] + }, + { + "path": "$.full.data.organization", + "expected": [ + "Strange Bee" + ] + }, + { + "path": "$.full.data.technologies[*]", + "expected": [ + "apache", + "google-analytics", + "react", + "ubuntu" + ] + }, + { + "path": "$.full.meta.results", + "expected": [ + 3 + ] + }, + { + "path": "$.full.meta.params.domain", + "expected": [ + "strangebee.com" + ] + } + ] + } ] -} +} \ No newline at end of file diff --git a/analyzers/IP-API/IP-API.json b/analyzers/IP-API/IP-API.json index 6768feae8..e73f065b4 100644 --- a/analyzers/IP-API/IP-API.json +++ b/analyzers/IP-API/IP-API.json 
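Review bot: The artifact rules use `$.artifacts[*].type` and `$.artifacts[*].value`, whereas every other check in this commit (Abuse_Finder, Crowdsec, DNSLookingglass, ThreatMiner) addresses artifacts as `$.artifacts[*].dataType` and `$.artifacts[*].data`. If the Hunterio analyzer really emits `type`/`value`, that divergence is worth confirming against its output; if it emits the standard shape, these two rules will never match and should read `$.artifacts[*].dataType` / `$.artifacts[*].data`. The expected values also enumerate live mailbox addresses the service currently lists for the domain, which will change as its index updates.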
@@ -5,7 +5,62 @@ "url": "https://github.com/pjuhas/Cortex-Analyzers", "license": "AGPL-V3", "description": "Check IP address or domain using ip-api.com", - "dataTypeList": ["ip", "domain"], + "dataTypeList": [ + "ip", + "domain" + ], "baseConfig": "IP-API", - "command": "IP-API/IP-API.py" + "command": "IP-API/IP-API.py", + "checks": [ + { + "input": { + "data": "8.8.8.8", + "dataType": "ip" + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.full.status", + "expected": [ + "success" + ] + }, + { + "path": "$.full.country", + "expected": [ + "United States" + ] + }, + { + "path": "$.full.regionName", + "expected": [ + "Virginia" + ] + }, + { + "path": "$.full.city", + "expected": [ + "Ashburn" + ] + }, + { + "path": "$.full.org", + "expected": [ + "Google Public DNS" + ] + }, + { + "path": "$.full.query", + "expected": [ + "8.8.8.8" + ] + } + ] + } + ] } \ No newline at end of file diff --git a/analyzers/Maltiverse/Maltiverse_Report.json b/analyzers/Maltiverse/Maltiverse_Report.json index eece5e8ac..ab3b45318 100644 --- a/analyzers/Maltiverse/Maltiverse_Report.json +++ b/analyzers/Maltiverse/Maltiverse_Report.json @@ -5,7 +5,12 @@ "url": "https://github.com/TheHive-Project/Cortex-Analyzers", "license": "AGPL-V3", "description": "Get the latest Maltiverse report for an hash, domain or an IP address.", - "dataTypeList": ["hash", "domain", "ip", "url"], + "dataTypeList": [ + "hash", + "domain", + "ip", + "url" + ], "command": "Maltiverse/maltiverse-client.py", "baseConfig": "Maltiverse", "config": { 
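Review bot: The geolocation rules pin `$.full.regionName` to `"Virginia"` and `$.full.city` to `"Ashburn"` for 8.8.8.8, while the MaxMind check added in the same commit expects `"California"` and `"Mountain View"` for the very same address; the two services already disagree, and an anycast address like 8.8.8.8 can geolocate differently over time and per database, so at least one of these checks will fail on refresh. Asserting only the stable fields here (`$.full.status`, `$.full.country`, `$.full.query`), and `country.name`/`continent.name` in MaxMind, keeps both checks useful without tying them to a city.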
@@ -42,5 +47,90 @@ "path": "assets/long_report.png", "caption": "Maltiverse: long report" } + ], + "checks": [ + { + "input": { + "data": "8.8.8.8", + "dataType": "ip", + "config": { + "service": "get", + "polling_interval": 60, + "api_key": "" + } + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.summary.taxonomies[*].level", + "expected": [ + "safe" + ] + }, + { + "path": "$.summary.taxonomies[*].namespace", + "expected": [ + "Maltiverse" + ] + }, + { + "path": "$.summary.taxonomies[*].predicate", + "expected": [ + "Report" + ] + }, + { + "path": "$.summary.taxonomies[*].value", + "expected": [ + "whitelist" + ] + }, + { + "path": "$.full.ip_addr", + "expected": [ + "8.8.8.8" + ] + }, + { + "path": "$.full.tag[*]", + "expected": [ + "dns", + "reflection", + "abuse", + "bot", + "gh0strat", + "port:443", + "farfli", + "gh0st rat", + "pcrat", + "phishing", + "c&c", + "c2", + "dga", + "open resolver", + "https://www.threatminer.org/report.php?q=jpcert_cc blog_ malware tscookie_jp-cert.pdf&y=2018", + "doc", + "covid19", + "coronavirus", + "scam", + "sector:retail/service", + "americanas.com s/a comercio electrnico" + ] + }, + { + "path": "$.full.email[*]", + "expected": [ + "abuse@aup.lumen.com", + "abuse@level3.com", + "ipaddressing@level3.com" + ] + } + ] + } ] -} +} \ No newline at end of file diff --git a/analyzers/MaxMind/MaxMind_GeoIP.json b/analyzers/MaxMind/MaxMind_GeoIP.json index fc6b94e17..8e2240b67 100644 --- a/analyzers/MaxMind/MaxMind_GeoIP.json +++ b/analyzers/MaxMind/MaxMind_GeoIP.json 
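Review bot: The check config sets `"api_key": ""` inline, unlike the other checks in this commit, which reference credentials as `"key": "ENV:AbuseIPDB"` or `"api_key": "ENV:Crowdsec"`; if the analyzer treats an empty key as an unauthenticated lookup, that should be visible, either by using the same `ENV:` convention or by stating the intent next to the check, so a reader does not mistake it for a redacted secret. The `$.full.tag[*]` rule pins a twenty-entry live tag list, including a free-text URL entry, that is certain to drift; the taxonomy rules (`level`, `namespace`, `predicate`, `value`) already cover the verdict and are enough.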
@@ -5,7 +5,61 @@ "url": "https://github.com/TheHive-Project/Cortex-Analyzers", "license": "AGPL-V3", "description": "Use MaxMind to geolocate an IP address.", - "dataTypeList": ["ip"], + "dataTypeList": [ + "ip" + ], "baseConfig": "MaxMind", - "command": "MaxMind/geo.py" -} + "command": "MaxMind/geo.py", + "checks": [ + { + "input": { + "data": "8.8.8.8", + "dataType": "ip" + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.full.city.name", + "expected": [ + "Mountain View" + ] + }, + { + "path": "$.full.continent.name", + "expected": [ + "North America" + ] + }, + { + "path": "$.full.country.name", + "expected": [ + "United States" + ] + }, + { + "path": "$.full.location.time_zone", + "expected": [ + "America/Los_Angeles" + ] + }, + { + "path": "$.full.registered_country.name", + "expected": [ + "United States" + ] + }, + { + "path": "$.full.subdivisions.name", + "expected": [ + "California" + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/analyzers/SpamhausDBL/SpamhausDBL.json b/analyzers/SpamhausDBL/SpamhausDBL.json index 79821f2c7..91a0ba9d0 100644 --- a/analyzers/SpamhausDBL/SpamhausDBL.json +++ b/analyzers/SpamhausDBL/SpamhausDBL.json 
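Review bot: The rule path `$.full.subdivisions.name` addresses `subdivisions` as an object, but the plural key suggests the analyzer may return a list; if it does, the path needs a wildcard, e.g. `$.full.subdivisions[*].name`, or the rule will never match. This should be confirmed against the analyzer's actual output before the check is relied on. The city-level expectations for 8.8.8.8 are also the ones most likely to change between database updates, as the IP-API check in this commit already demonstrates by expecting a different city for the same address.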
@@ -5,11 +5,59 @@ "url": "https://github.com/TheHive-Project/Cortex-Analyzers", "license": "AGPL-V3", "description": "Perform domain lookup to Spamhaus DBL", - "dataTypeList": ["domain", "fqdn"], + "dataTypeList": [ + "domain", + "fqdn" + ], "baseConfig": "SpamhausDBL", "config": { - "service": "DBLLookup" + "service": "DBLLookup" }, "command": "SpamhausDBL/spamhausdbl.py", - "configurationItems": [] -} + "configurationItems": [], + "checks": [ + { + "input": { + "data": "strangebee.com", + "dataType": "domain", + "config": { + "service": "DBLLookup" + } + }, + "rules": [ + { + "path": "$.success", + "expected": [ + true + ] + }, + { + "path": "$.summary.taxonomies[*].predicate", + "expected": [ + "return_code", + "classification" + ] + }, + { + "path": "$.summary.taxonomies[*].value", + "expected": [ + "NXDOMAIN", + "Clean" + ] + }, + { + "path": "$.full.return_code", + "expected": [ + "NXDOMAIN" + ] + }, + { + "path": "$.full.classification", + "expected": [ + "Clean" + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/analyzers/StopForumSpam/StopForumSpam.json b/analyzers/StopForumSpam/StopForumSpam.json index b8c3b6be6..b57fa97a5 100644 --- a/analyzers/StopForumSpam/StopForumSpam.json +++ b/analyzers/StopForumSpam/StopForumSpam.json 
@@ -1,33 +1,88 @@
 {
- "name": "StopForumSpam",
- "author": "Marc-Andre Doll, STARC by EXAPROBE",
- "license": "AGPL-V3",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "version": "1.0",
- "baseConfig": "StopForumSpam",
- "config": {
- "check_tlp": true,
- "max_tlp": 2
+ "name": "StopForumSpam",
+ "author": "Marc-Andre Doll, STARC by EXAPROBE",
+ "license": "AGPL-V3",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "version": "1.0",
+ "baseConfig": "StopForumSpam",
+ "config": {
+ "check_tlp": true,
+ "max_tlp": 2
+ },
+ "configurationItems": [
+ {
+ "name": "suspicious_confidence_level",
+ "description": "Confidence threshold above which the artifact should be marked as suspicious",
+ "type": "number",
+ "multi": false,
+ "required": false,
+ "defaultValue": 0.0
 },
- "configurationItems": [
- {
- "name": "suspicious_confidence_level",
- "description": "Confidence threshold above which the artifact should be marked as suspicious",
- "type": "number",
- "multi": false,
- "required": false,
- "defaultValue": 0.0
+ {
+ "name": "malicious_confidence_level",
+ "description": "Confidence threshold above which the artifact should be marked as malicious",
+ "type": "number",
+ "multi": false,
+ "required": false,
+ "defaultValue": 90.0
+ }
+ ],
+ "description": "Query http://www.stopforumspam.com to check if an IP or email address is a known spammer.",
+ "dataTypeList": [
+ "ip",
+ "mail"
+ ],
+ "command": "StopForumSpam/stopforumspam_analyzer.py",
+ "checks": [
+ {
+ "input": {
+ "data": "mehdi.termoul@strangebee.com",
+ "dataType": "mail",
+ "config": {
+ "check_tlp": true,
+ "max_tlp": 2,
+ "suspicious_confidence_level": 0,
+ "malicious_confidence_level": 90
+ }
 },
- {
- "name": "malicious_confidence_level",
- "description": "Confidence threshold above which the artifact should be marked as malicious",
- "type": "number",
- "multi": false,
- "required": false,
- "defaultValue": 90.0
- }
- ],
- "description": "Query http://www.stopforumspam.com to check if an IP or email address is a known spammer.",
- "dataTypeList": ["ip", "mail"],
- "command": "StopForumSpam/stopforumspam_analyzer.py"
-}
+ "rules": [
+ {
+ "path": "$.success",
+ "expected": [
+ true
+ ]
+ },
+ {
+ "path": "$.summary.taxonomies[*].predicate",
+ "expected": [
+ "mail"
+ ]
+ },
+ {
+ "path": "$.summary.taxonomies[*].value",
+ "expected": [
+ "Not found"
+ ]
+ },
+ {
+ "path": "$.full.value",
+ "expected": [
+ "mehdi.termoul@strangebee.com"
+ ]
+ },
+ {
+ "path": "$.full.frequency",
+ "expected": [
+ 0
+ ]
+ },
+ {
+ "path": "$.full.appears",
+ "expected": [
+ false
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/analyzers/ThreatMiner/ThreatMiner.json b/analyzers/ThreatMiner/ThreatMiner.json
index 92af58c8e..c0e261255 100644
--- a/analyzers/ThreatMiner/ThreatMiner.json
+++ b/analyzers/ThreatMiner/ThreatMiner.json
@@ -5,7 +5,58 @@
 "url": "https://github.com/pjuhas/Cortex-Analyzers",
 "license": "AGPL-V3",
 "description": "WHOIS queries from threatminer.org",
- "dataTypeList": ["ip", "domain"],
+ "dataTypeList": [
+ "ip",
+ "domain"
+ ],
 "baseConfig": "ThreatMiner",
- "command": "ThreatMiner/ThreatMiner.py"
+ "command": "ThreatMiner/ThreatMiner.py",
+ "checks": [
+ {
+ "input": {
+ "data": "8.8.8.8",
+ "dataType": "ip"
+ },
+ "rules": [
+ {
+ "path": "$.success",
+ "expected": [
+ true
+ ]
+ },
+ {
+ "path": "$.artifacts[*].dataType",
+ "expected": [
+ "ip",
+ "domain"
+ ]
+ },
+ {
+ "path": "$.artifacts[*].data",
+ "expected": [
+ "8.8.8.0/24",
+ "google.com"
+ ]
+ },
+ {
+ "path": "$.full.status_code",
+ "expected": [
+ "200"
+ ]
+ },
+ {
+ "path": "$.full.status_message",
+ "expected": [
+ "Results found."
+ ]
+ },
+ {
+ "path": "$.full.results[*].org_name",
+ "expected": [
+ "Google Inc."
+ ]
+ }
+ ]
+ }
+ ]
 }
\ No newline at end of file
diff --git a/analyzers/URLhaus/URLhaus.json b/analyzers/URLhaus/URLhaus.json
index 1562e56b1..e0ff770e4 100644
--- a/analyzers/URLhaus/URLhaus.json
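Review bot: The check fixture uses a real personal mailbox (`"data": "mehdi.termoul@strangebee.com"`, repeated in the `$.full.value` rule) as input that is committed to the repository and, per the analyzer's description, sent to stopforumspam.com on every test run. Prefer a non-personal address on a reserved domain (one under `example.com`, which RFC 2606 sets aside for this purpose) so the fixture neither ties a person's address to the project nor puts it in a third party's query logs; the `Not found`, `frequency` `0` and `appears` `false` expectations should hold for such an address too, but confirm that before switching. Whichever address is kept, the rule engine's `$.full.value` expectation must be updated together with `input.data` or the two will drift.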
+++ b/analyzers/URLhaus/URLhaus.json
@@ -6,8 +6,41 @@
 "version": "2.0",
 "baseConfig": "URLhaus",
 "description": "Search domains, IPs, URLs or hashes on URLhaus.",
- "dataTypeList": ["domain", "fqdn", "url", "hash", "ip"],
+ "dataTypeList": [
+ "domain",
+ "fqdn",
+ "url",
+ "hash",
+ "ip"
+ ],
 "command": "URLhaus/URLhaus_analyzer.py",
- "configurationItems": [
+ "configurationItems": [],
+ "checks": [
+ {
+ "input": {
+ "data": "google.com",
+ "dataType": "domain"
+ },
+ "rules": [
+ {
+ "path": "$.success",
+ "expected": [
+ true
+ ]
+ },
+ {
+ "path": "$.full.query_status",
+ "expected": [
+ "no_results"
+ ]
+ },
+ {
+ "path": "$.full.data_type",
+ "expected": [
+ "domain"
+ ]
+ }
+ ]
+ }
 ]
-}
+}
\ No newline at end of file
diff --git a/analyzers/UnshortenLink/UnshortenLink.json b/analyzers/UnshortenLink/UnshortenLink.json
index c368e9c9f..49ea71e33 100644
--- a/analyzers/UnshortenLink/UnshortenLink.json
+++ b/analyzers/UnshortenLink/UnshortenLink.json
@@ -5,7 +5,53 @@
 "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
 "license": "AGPL-V3",
 "description": "Use UnshortenLink to reveal the real URL.",
- "dataTypeList": ["url"],
+ "dataTypeList": [
+ "url"
+ ],
 "baseConfig": "UnshortenLink",
- "command": "UnshortenLink/unshortenlink.py"
-}
+ "command": "UnshortenLink/unshortenlink.py",
+ "checks": [
+ {
+ "input": {
+ "data": "https://t.ly/ROWb?",
+ "dataType": "url",
+ "config": {
+ "check_tlp": false,
+ "service": "get"
+ }
+ },
+ "rules": [
+ {
+ "path": "$.success",
+ "expected": [
+ true
+ ]
+ },
+ {
+ "path": "$.artifacts[*].type",
+ "expected": [
+ "url"
+ ]
+ },
+ {
+ "path": "$.artifacts[*].value",
+ "expected": [
+ "https://www.strangebee.com/services/"
+ ]
+ },
+ {
+ "path": "$.full.found",
+ "expected": [
+ true
+ ]
+ },
+ {
+ "path": "$.full.url",
+ "expected": [
+ "https://www.strangebee.com/services/"
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
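Review bot: The input `https://t.ly/ROWb?` is a short link on a third-party shortener, and the `$.full.url` and `$.artifacts[*].value` rules expect it to resolve to `https://www.strangebee.com/services/`; the project does not control where that link points, so when it expires or is re-pointed the check fails, and until someone notices, each run (with `"service": "get"`) would be fetching whatever the shortener now serves. Use a short link the project owns, or a redirect the test harness serves itself, and drop the stray trailing `?` from the fixture URL unless it is deliberate. `"check_tlp": false` in `input.config` is presumably what lets the run proceed; a one-line comment in the checks documentation saying why it is set would help the next maintainer.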
diff --git a/analyzers/VirusTotal/VirusTotal_GetReport.json b/analyzers/VirusTotal/VirusTotal_GetReport.json
index 6ef470fc9..782edf7c0 100644
--- a/analyzers/VirusTotal/VirusTotal_GetReport.json
+++ b/analyzers/VirusTotal/VirusTotal_GetReport.json
@@ -5,7 +5,14 @@
 "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
 "license": "AGPL-V3",
 "description": "Get the latest VirusTotal report for a file, hash, domain or an IP address.",
- "dataTypeList": ["file", "hash", "domain", "fqdn", "ip", "url"],
+ "dataTypeList": [
+ "file",
+ "hash",
+ "domain",
+ "fqdn",
+ "ip",
+ "url"
+ ],
 "command": "VirusTotal/virustotal.py",
 "baseConfig": "VirusTotal",
 "config": {
@@ -69,5 +76,32 @@
 "path": "assets/virustotal-scan.png",
 "caption": "VirusTotal: long report"
 }
+ ],
+ "checks": [
+ {
+ "input": {
+ "file": "catalog.json",
+ "contentType": "'application/json",
+ "filename": "catalog.json",
+ "dataType": "file",
+ "config": {
+ "service": "get",
+ "key": "ENV:virTot",
+ "polling_interval": 60,
+ "rescan_hash_older_than_days": 0,
+ "highlighted_antivirus": "taxonomy",
+ "download_sample": false,
+ "download_sample_if_highlighted": false
+ }
+ },
+ "rules": [
+ {
+ "path": "$.success",
+ "expected": [
+ true
+ ]
+ }
+ ]
+ }
 ]
-}
+}
\ No newline at end of file
diff --git a/analyzers/VirusTotal/VirusTotal_Rescan.json b/analyzers/VirusTotal/VirusTotal_Rescan.json
index 7266c5d8c..b65aab0f9 100644
--- a/analyzers/VirusTotal/VirusTotal_Rescan.json
+++ b/analyzers/VirusTotal/VirusTotal_Rescan.json
@@ -5,7 +5,9 @@
 "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
 "license": "AGPL-V3",
 "description": "Use VirusTotal to run new analysis on hash.",
- "dataTypeList": ["hash"],
+ "dataTypeList": [
+ "hash"
+ ],
 "baseConfig": "VirusTotal",
 "config": {
 "service": "rescan"
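Review bot: `"contentType": "'application/json"` in the second hunk's check input carries a stray leading single quote; the VirusTotal_Scan check in this same series uses the correct form, so this line should read `"contentType": "application/json",`. If the harness passes `contentType` through to the analyzer, the malformed value may make the file submission fail and the `$.success` rule then fails for the wrong reason. The `"key": "ENV:virTot"` form keeps the API key out of the committed file, which is the right shape for a fixture; a one-line note in the checks documentation naming the environment variable CI must provide would make that contract explicit.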
@@ -55,5 +57,35 @@
 "path": "assets/virustotal-logo.png",
 "caption": "logo"
 },
- "command": "VirusTotal/virustotal.py"
-}
+ "command": "VirusTotal/virustotal.py",
+ "checks": [
+ {
+ "input": {
+ "data": "SGVsbG8gV29ybGQ=",
+ "dataType": "hash",
+ "config": {
+ "service": "rescan",
+ "key": "ENV:virTot",
+ "polling_interval": 60,
+ "highlighted_antivirus": "taxonomy",
+ "download_sample": false,
+ "download_sample_if_highlighted": false
+ }
+ },
+ "rules": [
+ {
+ "path": "$.success",
+ "expected": [
+ true
+ ]
+ },
+ {
+ "path": "$.",
+ "expected": [
+ ""
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/analyzers/VirusTotal/VirusTotal_Scan.json b/analyzers/VirusTotal/VirusTotal_Scan.json
index 9b855d633..7bcd86406 100644
--- a/analyzers/VirusTotal/VirusTotal_Scan.json
+++ b/analyzers/VirusTotal/VirusTotal_Scan.json
@@ -5,7 +5,10 @@
 "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
 "license": "AGPL-V3",
 "description": "Use VirusTotal to scan a file or URL.",
- "dataTypeList": ["file", "url"],
+ "dataTypeList": [
+ "file",
+ "url"
+ ],
 "baseConfig": "VirusTotal",
 "config": {
 "service": "scan"
@@ -41,5 +44,40 @@
 "path": "assets/virustotal-logo.png",
 "caption": "logo"
 },
- "command": "VirusTotal/virustotal.py"
-}
+ "command": "VirusTotal/virustotal.py",
+ "checks": [
+ {
+ "input": {
+ "file": "catalog.json",
+ "contentType": "application/json",
+ "filename": "catalog.json",
+ "dataType": "file",
+ "config": {
+ "service": "scan",
+ "key": "ENV:virTot",
+ "polling_interval": 60
+ }
+ },
+ "rules": [
+ {
+ "path": "$.success",
+ "expected": [
+ true
+ ]
+ },
+ {
+ "path": "$.full.type",
+ "expected": [
+ "analysis"
+ ]
+ },
+ {
+ "path": "$.full.attributes.status",
+ "expected": [
+ "completed"
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
From b2dd31b653a8eabfe94fd9fe3dff3d363758c9d7 Mon Sep 17 00:00:00 2001
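Review bot: The Rescan check input `"data": "SGVsbG8gV29ybGQ="` with `"dataType": "hash"` is not a hash — it is the base64 text of `Hello World` — so unless the harness decodes `data` before use, a rescan request for it cannot match any VirusTotal object; and the second rule (`"path": "$."` with `"expected": [""]`) reads as an unfinished placeholder that cannot pass in any meaningful way. Replace the data with a documented sample hash that already has a VirusTotal report (the EICAR test file's hash is the usual benign choice) and either complete the second rule with a real path and value or delete it. The commit message already flags this series as unfinished for some analyzers; this check should be listed there too so nobody reads it as passing.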
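Review bot: In the Scan check, the `$.full.attributes.status` rule expects `completed`, but a scan of a freshly uploaded file is returned as an analysis object that can still be `queued` when the analyzer stops polling; unless the analyzer is known to poll until the analysis finishes (not visible from this hunk), that rule will be flaky, and `$.success` plus `$.full.type` → `analysis` are the stable assertions. Note also that this check uploads the repository's `catalog.json` to VirusTotal on every run, where submitted files are retrievable by other VirusTotal users; that is fine for a public file, but stating it in the checks documentation prevents someone later swapping in a non-public sample.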
From: Mehdi Termoul
Date: Mon, 27 Mar 2023 08:57:25 +0200
Subject: [PATCH 3/3] #1173 +1
---
 .../DNSLookingglass/DNSLookingglass.json | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/analyzers/DNSLookingglass/DNSLookingglass.json b/analyzers/DNSLookingglass/DNSLookingglass.json
index 8f78e8bb9..764aa1be3 100644
--- a/analyzers/DNSLookingglass/DNSLookingglass.json
+++ b/analyzers/DNSLookingglass/DNSLookingglass.json
@@ -59,6 +59,42 @@
 "expected": [
 "217.70.184.55"
 ]
+ },
+ {
+ "path": "$.full.results[*].answer",
+ "expected": [
+ "217.70.184.55",
+ "217.70.184.55",
+ "217.70.184.55"
+ ]
+ },
+ {
+ "path": "$.full.results[*].status",
+ "expected": [
+ "ok v4 failed v6",
+ "ok v4 failed v6",
+ "ok v4 failed v6"
+ ]
+ },
+ {
+ "path": "$.full.results[*].country",
+ "expected": [
+ "GLOBAL",
+ "GLOBAL",
+ "GLOBAL"
+ ]
+ },
+ {
+ "path": "$.full.hits",
+ "expected": [
+ "DomainExist"
+ ]
+ },
+ {
+ "path": "$.full.count",
+ "expected": [
+ 3
+ ]
 }
 ]
 }
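Review bot: The new wildcard rules expect exactly three identical `answer`, `status` and `country` entries and `$.full.count` → `3`, which ties the check to the number of looking-glass nodes that respond at run time; one node being down, or one of them succeeding over IPv6 (the expected status is `ok v4 failed v6`), changes the list length or a value and the check fails without the analyzer being wrong. Consider asserting only that every `answer` equals `217.70.184.55` if the rule engine supports that, or drop the `count` and `status` rules, and record in the check's documentation that the values come from the live DNS Looking Glass service. The `checks` object these rules belong to begins before this hunk, so the queried input is not visible here.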