Improve EmergingThreats analyzers #259

Merged
merged 4 commits into from
Jun 4, 2018
Merged
2 changes: 1 addition & 1 deletion analyzers/EmergingThreats/EmergingThreats_DomainInfo.json
Expand Up @@ -5,7 +5,7 @@
"url": "https://github.com/dadokkio/Cortex-Analyzers",
"license": "AGPL-V3",
"description": "Retrieve ET reputation, related malware, and IDS requests for a given domain.",
"dataTypeList": ["domain"],
"dataTypeList": ["domain", "fqdn"],
"command": "EmergingThreats/emergingthreats_analyzer.py",
"baseConfig": "EmergingThreats",
"configurationItems": [
Expand Down
2 changes: 1 addition & 1 deletion analyzers/EmergingThreats/EmergingThreats_MalwareInfo.json
Expand Up @@ -5,7 +5,7 @@
"url": "https://github.com/dadokkio/Cortex-Analyzers",
"license": "AGPL-V3",
"description": "Retrieve ET details and info related to a malware hash.",
"dataTypeList": ["hash"],
"dataTypeList": ["file", "hash"],
"command": "EmergingThreats/emergingthreats_analyzer.py",
"baseConfig": "EmergingThreats",
"configurationItems": [
Expand Down
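Review bot: With `"file"` added to `dataTypeList`, the `description` one line above still reads `"Retrieve ET details and info related to a malware hash."`, which no longer tells an analyst that a file observable is accepted or that the analyzer hashes it locally before the lookup (the Python change in this PR computes an MD5 of the attachment when no hash is supplied). Suggest `"description": "Retrieve ET details and info related to a malware sample, given its hash or the file itself (an MD5 is computed locally for files)."`. The `configurationItems` array continues past the end of this section.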
21 changes: 18 additions & 3 deletions analyzers/EmergingThreats/emergingthreats_analyzer.py
Expand Up @@ -3,6 +3,7 @@

from cortexutils.analyzer import Analyzer

import hashlib
import requests
import time

Expand Down Expand Up @@ -59,18 +60,32 @@ def run(self):
Analyzer.run(self)
info = {}
try:
object_name = self.get_data()
if self.data_type == 'domain':
if self.data_type != 'file':
object_name = self.get_data()

if self.data_type in ['domain', 'fqdn']:
url = "https://api.emergingthreats.net/v1/domains/"
features = {'reputation', 'urls', 'samples', 'ips', 'events', 'nameservers', 'whois', 'geoloc'}

elif self.data_type == 'ip':
url = "https://api.emergingthreats.net/v1/ips/"
features = {'reputation', 'urls', 'samples', 'domains', 'events', 'geoloc'}

elif self.data_type == 'malware':
elif self.data_type == 'hash':
url = "https://api.emergingthreats.net/v1/samples/"
features = {'', 'connections', 'dns', 'events'}

elif self.data_type == 'file':
url = "https://api.emergingthreats.net/v1/samples/"
features = {'', 'connections', 'dns', 'events'}
hashes = self.get_param('attachment.hashes', None)
if hashes is None:
filepath = self.get_param('file', None, 'File is missing')
object_name = hashlib.md5(open(filepath, 'r').read()).hexdigest()
else:
# find MD5 hash
object_name = next(h for h in hashes if len(h) == 32)

else:
self.error('Invalid data type !')

Expand Down
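Review bot: The new MD5 fallback `object_name = hashlib.md5(open(filepath, 'r').read()).hexdigest()` opens the attachment in text mode and never closes the handle; on Python 3 `hashlib.md5()` rejects a `str` outright, and even on Python 2 text-mode newline translation can change the bytes, so the digest would not match the sample ET has and the lookup would silently miss. Read the file with `with open(filepath, 'rb') as fh:` so the bytes are hashed exactly as stored and the descriptor is released. One line earlier, `next(h for h in hashes if len(h) == 32)` raises `StopIteration` when Cortex hands over only SHA-1/SHA-256 digests; the enclosing `try` opens at the top of the hunk but its `except` clause is outside the hunk, so how that surfaces depends on code not shown here — give `next()` a `None` default and fall back to hashing the file. The 32-character test also does not confirm the value is hex (the existing comment says MD5 is intended); that only produces a miss on the API side, so a comment suffices. `run()` continues past the end of the hunk.
```python
elif self.data_type == 'file':
    # … unchanged: url and features …
    # Prefer the MD5 Cortex already attached (ET is queried by MD5 per the
    # existing comment: 32 hex chars); otherwise hash the file ourselves,
    # in binary mode so the digest matches the bytes on disk.
    hashes = self.get_param('attachment.hashes', None) or []
    object_name = next((h for h in hashes if len(h) == 32), None)
    if object_name is None:
        filepath = self.get_param('file', None, 'File is missing')
        with open(filepath, 'rb') as fh:
            object_name = hashlib.md5(fh.read()).hexdigest()
```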