TheHive-Project · ilyaglow · Sep 26, 2017 · Oct 18, 2017 · Oct 19, 2017 · Oct 19, 2017
diff --git a/README.md b/README.md
@@ -1,10 +1,14 @@
-The following repository is used by [TheHive Project](https://thehive-project.org) to develop and store [Cortex](https://github.com/CERT-BDF/Cortex/blob/master/README.md) analyzers.
+The following repository is used by [TheHive Project](https://thehive-project.org)
+to develop and store [Cortex](https://github.com/CERT-BDF/Cortex/blob/master/README.md)
+analyzers.
 
 ![](images/cortex-main.png)
 
-Analyzers can be written in any programming language supported by Linux such as Python, Ruby, Perl, etc.
+Analyzers can be written in any programming language supported by Linux such 
+as Python, Ruby, Perl, etc. Refer to the [How to Write and Submit an Analyzer](https://github.com/CERT-BDF/CortexDocs/blob/master/api/how-to-create-an-analyzer.md)
+page for details on how to write and submit one.
 
-For further details, please refer to the [Cortex README](https://github.com/CERT-BDF/Cortex/blob/master/README.md) or to [the project website](https://thehive-project.org).
+To configure analyzers, please read the [Cortex Analyzer Requirements Guide](https://github.com/CERT-BDF/CortexDocs/blob/master/analyzer_requirements.md).
 
 # License
 **Unless specified otherwise**, analyzers are released under the [AGPL](https://github.com/CERT-BDF/Cortex-analyzers/blob/master/LICENSE) (Affero General Public License).
@@ -15,7 +19,8 @@ If an analyzer is released by its author under a different license, the subfolde
 Information, news and updates are regularly posted on [TheHive Project Twitter account](https://twitter.com/thehive_project) and on [the blog](https://blog.thehive-project.org/).
 
 # Contributing
-We welcome your contributions for new analyzers that can take away the load off overworked fellow analysts or improvements to existing ones. Please feel free to fork the code, play with it, make some patches and send us pull requests using [issues](https://github.com/CERT-BDF/Cortex-analyzers/issues).
+We welcome your **[contributions for new analyzers](https://github.com/CERT-BDF/CortexDocs/blob/master/api/how-to-create-an-analyzer.md)**
+that can take away the load off overworked fellow analysts or improvements to existing ones. Please feel free to fork the code, play with it, make some patches and send us pull requests using [issues](https://github.com/CERT-BDF/Cortex-analyzers/issues).
 
 **Important**: To make it easy for every one, please send **one** pull request per analyzer. It will help us reviewing the code, and merging as soon as feasible.
 

diff --git a/analyzers/CuckooSandbox/CuckooSandbox_File_Analysis.json b/analyzers/CuckooSandbox/CuckooSandbox_File_Analysis.json
@@ -10,7 +10,7 @@
         "max_tlp":1,
         "service": "file_analysis"
     },
-    "description": "Cuckoo Sandbox file analysis with Internet access",
+    "description": "Cuckoo Sandbox file analysis with Internet access.",
     "dataTypeList": ["file"],
     "command": "CuckooSandbox/cuckoosandbox_analyzer.py"
 }
diff --git a/analyzers/CuckooSandbox/CuckooSandbox_Url_Analysis.json b/analyzers/CuckooSandbox/CuckooSandbox_Url_Analysis.json
@@ -10,7 +10,7 @@
         "max_tlp":1,
         "service": "url_analysis"
     },
-    "description": "Cuckoo Sandbox URL analysis",
+    "description": "Cuckoo Sandbox URL analysis.",
     "dataTypeList": ["url"],
     "command": "CuckooSandbox/cuckoosandbox_analyzer.py"
 }
diff --git a/analyzers/EmergingThreats/EmergingThreats_DomainInfo.json b/analyzers/EmergingThreats/EmergingThreats_DomainInfo.json
@@ -0,0 +1,14 @@
+{
+    "name": "EmergingThreats_DomainInfo",
+    "version": "1.0",
+    "author": "Arcuri Davide, Garavaglia Andrea [LDO-CERT]",
+    "url": "https://github.com/dadokkio/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "baseConfig": "EmergingThreats",
+    "config": { 
+        "service": "domain-info"
+    },
+    "description": "Retrieves reputation and related malware and IDS requests related to domain",
+    "dataTypeList": ["domain"],
+    "command": "EmergingThreats/emergingthreats_analyzer.py"
+}
diff --git a/analyzers/EmergingThreats/EmergingThreats_IPInfo.json b/analyzers/EmergingThreats/EmergingThreats_IPInfo.json
@@ -0,0 +1,16 @@
+{
+    "name": "EmergingThreats_IPInfo",
+    "version": "1.0",
+    "author": "Arcuri Davide, Garavaglia Andrea [LDO-CERT]",
+    "url": "https://github.com/dadokkio/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "baseConfig": "EmergingThreats",
+    "config": {
+        "check_tlp": true,
+        "max-tlp": 1,
+        "service": "ip-info"
+    },
+    "description": "Retrieves reputation and related malware and IDS requests related to IP address",
+    "dataTypeList": ["ip"],
+    "command": "EmergingThreats/emergingthreats_analyzer.py"
+}
diff --git a/analyzers/EmergingThreats/EmergingThreats_MalwareInfo.json b/analyzers/EmergingThreats/EmergingThreats_MalwareInfo.json
@@ -0,0 +1,14 @@
+{
+    "name": "EmergingThreats_MalwareInfo",
+    "version": "1.0",
+    "author": "Arcuri Davide, Garavaglia Andrea [LDO-CERT]",
+    "url": "https://github.com/dadokkio/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "baseConfig": "EmergingThreats",
+    "config": { 
+        "service": "domain-info"
+    },
+    "description": "Retrieves details and info related to malware",
+    "dataTypeList": ["hash"],
+    "command": "EmergingThreats/emergingthreats_analyzer.py"
+}
diff --git a/analyzers/EmergingThreats/emergingthreats_analyzer.py b/analyzers/EmergingThreats/emergingthreats_analyzer.py
@@ -0,0 +1,101 @@
+#!/usr/bin/env python
+# encoding: utf-8
+
+from cortexutils.analyzer import Analyzer
+
+import requests
+import time
+
+RED_CATEGORIES = [
+    "Blackhole", "Bot", "Brute_Forcer", "CnC", 
+    "Compromised", "DDoSAttacker", "DDoSTarget", 
+    "DriveBySrc", "Drop", "EXE_Source", 
+    "FakeAV", "Mobile_CnC", "Mobile_Spyware_CnC", 
+    "P2PCnC", "Scanner", "Spam", "SpywareCnC"
+]
+
+YELLOW_CATEGORIES = [
+    "AbusedTLD", "Bitcoin_Related", "ChatServer",
+    "DynDNS",  "IPCheck", "OnlineGaming", "P2P", 
+    "Parking", "Proxy", "RemoteAccessService",
+    "SelfSignedSSL", "Skype_SuperNode", "TorNode", 
+    "Undesirable",  "VPN"
+]
+
+GREEN_CATEGORIES = [
+    "Utility"
+]
+
+class EmergingThreatsAnalyzer(Analyzer):
+
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.service = self.get_param('config.service', None, 'EmergingThreats service is missing')
+        self.apikey = self.get_param('config.key', None, 'EmergingThreats apikey is missing')
+        self.session = requests.Session()
+        self.session.headers.update({"Authorization": self.apikey})
+
+    def summary(self, raw):
+        taxonomies = []
+        namespace = "ET"
+        predicate = self.service
+
+        if predicate in ['domain-info', 'ip-info'] and raw['reputation'] != "-":
+            for x in raw["reputation"]:
+                value = "%s=%d" % (x['category'], x['score'])
+                if x['category'] in RED_CATEGORIES and x['score'] >= 70:
+                    level = "malicious"
+                elif (70 <= x['score'] < 100 and x['category'] in RED_CATEGORIES) or (x['score'] >= 100 and x['category'] in YELLOW_CATEGORIES):    
+                    level = "suspicious"
+                else:
+                    level = "safe"
+                taxonomies.append(self.build_taxonomy(level, namespace, predicate, value))
+        elif predicate == 'malware-info' and raw['events'] != "-":
+            value = str(len(raw['events'])) + " signatures" 
+            taxonomies.append(self.build_taxonomy("malicious", namespace, predicate, value))
+
+        return {"taxonomies":taxonomies}
+
+    def run(self):
+        Analyzer.run(self)
+        info = {}
+        try:
+            objectName = self.getData()
+            if self.service == 'domain-info':
+                self.data_type = 'domain'
+                url = "https://api.emergingthreats.net/v1/domains/"
+                features = {'reputation', 'urls', 'samples', 'ips', 'events', 'nameservers', 'whois', 'geoloc'}
+
+            elif self.service == 'ip-info':
+                self.data_type = 'ip'
+                url = "https://api.emergingthreats.net/v1/ips/"
+                features = {'reputation', 'urls', 'samples', 'domains', 'events', 'geoloc'}
+
+            elif self.service == 'malware-info':
+                self.data_type = 'malware'
+                url = "https://api.emergingthreats.net/v1/samples/"
+                features = {'', 'connections', 'dns', 'events'}              
+            else:
+                self.error('Unknown EmergingThreats service')
+
+            for feature in features:
+                end = '/' if feature else ''
+                time.sleep(1)
+                r = self.session.get(url + objectName + end + feature)
+                if feature == '':
+                    feature = 'main'
+                r_json= r.json()
+                if r.status_code == 200 and r_json['response'] not in [{}, []]:
+                    info[feature] = r_json['response']
+                elif r.status_code != 200:
+                    info[feature] = "Error"
+                else:
+                    info[feature] = "-"
+
+            self.report(info)
+
+        except Exception as e:
+            self.unexpectedError(e)
+
+if __name__ == '__main__':
+    EmergingThreatsAnalyzer().run()
diff --git a/analyzers/EmergingThreats/requirements.txt b/analyzers/EmergingThreats/requirements.txt
@@ -0,0 +1,2 @@
+cortexutils
+requests
diff --git a/analyzers/Nessus/requirements.txt b/analyzers/Nessus/requirements.txt
@@ -1,2 +1,3 @@
 cortexutils
 nessrest
+netaddr
diff --git a/analyzers/PhishTank/PhishTank_CheckURL.json b/analyzers/PhishTank/PhishTank_CheckURL.json
@@ -1,6 +1,6 @@
 {
     "name": "PhishTank_CheckURL",
-    "version": "2.0",
+    "version": "2.1",
     "author": "Eric Capuano",
     "url": "https://github.com/CERT-BDF/Cortex-Analyzers",
     "license": "AGPL-V3",

diff --git a/analyzers/PhishTank/phishtank_checkurl.py b/analyzers/PhishTank/phishtank_checkurl.py
@@ -19,7 +19,7 @@ def __init__(self):
                                     'Missing PhishTank API key')
 
     def phishtank_checkurl(self, data):
-        url = 'http://checkurl.phishtank.com/checkurl/'
+        url = 'https://checkurl.phishtank.com/checkurl/'
         postdata = {'url': data, 'format':'json','app_key': self.phishtank_key}
         r = requests.post(url, data=postdata)
         return json.loads(r.content)
@@ -78,4 +78,3 @@ def run(self):
 
 if __name__ == '__main__':
     phishtankAnalyzer().run()
-    phishtankAnalyzer().summary()
diff --git a/analyzers/WOT/WOT_lookup.json b/analyzers/WOT/WOT_lookup.json
@@ -1,10 +1,10 @@
 {
     "name": "WOT_Lookup",
     "version": "1.0",
-    "author": "Andrea Garavaglia - LDO-CERT",
+    "author": "Andrea Garavaglia, LDO-CERT",
     "url": "https://github.com/garanews/Cortex-Analyzers",
     "license": "AGPL-V3",
-    "description": "Check a Domain against Web of Trust (WOT) a website reputation service",
+    "description": "Check the reputation of a domain or fqdn against Web of Trust (WOT).",
     "dataTypeList": ["domain", "fqdn"],
     "baseConfig": "WOT",
     "config": {

diff --git a/analyzers/Yeti/Yeti.json b/analyzers/Yeti/Yeti.json
@@ -9,7 +9,7 @@
         "check_tlp": false,
         "max_tlp": 3
     },
-    "description": "Fetch observable details from a Yeti",
+    "description": "Fetch all information related to an observable stored on a YETI instance.",
     "dataTypeList": ["domain", "fqdn", "ip", "url", "hash"],
     "command": "Yeti/yeti.py"
 }