From 3a5c9d132c676ab711e683b041471a32c09ab1d4 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Fri, 3 Jan 2020 00:54:13 +0000
Subject: [PATCH] Add TeamCymruMHR Analyzer
---
 analyzers/TeamCymruMHR/TeamCymruMHR.json | 15 +++++++
 analyzers/TeamCymruMHR/TeamCymruMHR.py | 39 +++++++++++++++++++
 analyzers/TeamCymruMHR/requirements.txt | 1 +
 thehive-templates/TeamCymruMHR_1_0/long.html | 16 ++++++++
 thehive-templates/TeamCymruMHR_1_0/short.html | 3 ++
 5 files changed, 74 insertions(+)
 create mode 100644 analyzers/TeamCymruMHR/TeamCymruMHR.json
 create mode 100644 analyzers/TeamCymruMHR/TeamCymruMHR.py
 create mode 100644 analyzers/TeamCymruMHR/requirements.txt
 create mode 100644 thehive-templates/TeamCymruMHR_1_0/long.html
 create mode 100644 thehive-templates/TeamCymruMHR_1_0/short.html
diff --git a/analyzers/TeamCymruMHR/TeamCymruMHR.json b/analyzers/TeamCymruMHR/TeamCymruMHR.json
new file mode 100644
index 000000000..9f5f8c278
--- /dev/null
+++ b/analyzers/TeamCymruMHR/TeamCymruMHR.json
@@ -0,0 +1,15 @@
+{
+ "name": "TeamCymruMHR",
+ "version": "1.0",
+ "author": "Wes Lambert",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPL-V3",
+ "description": "Submit hash to Team Cymru's Malware Hash Registry",
+ "dataTypeList": ["hash"],
+ "baseConfig": "TeamCymruMHR",
+ "config": {
+ "service": "HashLookup"
+ },
+ "command": "TeamCymruMHR/TeamCymruMHR.py",
+ "configurationItems": []
+}
diff --git a/analyzers/TeamCymruMHR/TeamCymruMHR.py b/analyzers/TeamCymruMHR/TeamCymruMHR.py
new file mode 100644
index 000000000..e4ec04789
--- /dev/null
+++ b/analyzers/TeamCymruMHR/TeamCymruMHR.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.analyzer import Analyzer
+import dns.resolver
+import time
+
+class TeamCymruMHRAnalyzer(Analyzer):
+ def __init__(self):
+ Analyzer.__init__(self)
+ self.observable = self.get_param('data', None, 'Data missing!')
+
+ def summary(self, raw):
+ taxonomies = []
+ level = 'info'
+ namespace = 'TeamCymruMHR'
+
+ # Set predicate for last_seen
+ predicate = 'last_seen'
+ taxonomies.append(self.build_taxonomy(level, namespace, predicate, raw['last_seen']))
+
+ # Set predicate for detection percentage
+ predicate = 'detection_pct'
+ taxonomies.append(self.build_taxonomy(level, namespace, predicate, raw['detection_pct']))
+
+ return {"taxonomies": taxonomies}
+
+ def run(self):
+ lookup = dns.resolver.query(self.observable + '.malware.hash.cymru.com', 'TXT')
+ for rdata in lookup:
+ for txt_string in rdata.strings:
+ last_seen_epoch = str(txt_string).split("\'")[1].split(" ")[0]
+ # Make timestamp mor readable for humans, but maintain UTC
+ last_seen = time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(int(last_seen_epoch)))
+ detection_pct = str(txt_string).split("\'")[1].split(" ")[1]
+ self.report({ 'last_seen': last_seen, 'detection_pct': detection_pct })
+
+if __name__ == '__main__':
+ TeamCymruMHRAnalyzer().run()
diff --git a/analyzers/TeamCymruMHR/requirements.txt b/analyzers/TeamCymruMHR/requirements.txt
new file mode 100644
index 000000000..2f7359679
--- /dev/null
+++ b/analyzers/TeamCymruMHR/requirements.txt
@@ -0,0 +1 @@
+dnspython
diff --git a/thehive-templates/TeamCymruMHR_1_0/long.html b/thehive-templates/TeamCymruMHR_1_0/long.html
new file mode 100644
index 000000000..9070c0744
--- /dev/null
+++ b/thehive-templates/TeamCymruMHR_1_0/long.html
@@ -0,0 +1,16 @@
+
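Review bot: `run()` lets every failure of the DNS lookup escape as an uncaught exception, so a hash the registry does not know (the service appears to answer NXDOMAIN in that case — worth confirming against the MHR documentation) or a resolver timeout surfaces as a stack trace instead of a Cortex result, and when the answer carries no TXT strings nothing is reported at all. The `str(txt_string).split("\'")[1]` parsing depends on the `repr()` of a bytes object; `txt_string.decode()` reads the record directly and the two `split` calls collapse into one `partition(' ')`. Calling `self.report()` inside the nested loop also means it can run more than once when several strings come back. The rewrite below catches the dnspython exceptions, routes them to `self.error()` so Cortex receives a structured failure, and reports the first record only; how an unknown hash should be represented in the report (both templates expect `last_seen` and `detection_pct`) is left to the author. `summary()` builds both taxonomies with level `'info'` regardless of the detection percentage; deriving the level from that value would let TheHive colour the tag meaningfully.
```python
    def run(self):
        try:
            lookup = dns.resolver.query(self.observable + '.malware.hash.cymru.com', 'TXT')
        except dns.resolver.NXDOMAIN:
            # TODO(author): decide how an unknown hash is reported; for now it is an explicit error
            self.error('Hash not present in Team Cymru MHR')
            return
        except (dns.resolver.NoAnswer, dns.resolver.NoNameservers, dns.resolver.Timeout) as e:
            self.error('MHR lookup failed: {}'.format(e))
            return
        for rdata in lookup:
            for txt_string in rdata.strings:
                # Record body is "<epoch> <detection_pct>"
                last_seen_epoch, _, detection_pct = txt_string.decode().partition(' ')
                try:
                    # Make timestamp more readable for humans, but maintain UTC
                    last_seen = time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(int(last_seen_epoch)))
                except (ValueError, OverflowError):
                    self.error('Unexpected MHR record: {}'.format(txt_string))
                    return
                self.report({'last_seen': last_seen, 'detection_pct': detection_pct})
                return
        self.error('MHR returned no TXT record for this hash')
```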
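Review bot: `dnspython` is added unpinned, so each deployment pulls whatever version is current; since `TeamCymruMHR.py` calls `dns.resolver.query`, which dnspython 2.0 deprecated in favour of `resolve`, a future install could change the analyzer's behaviour without any change to this repository. Pinning the tested version, `dnspython==<tested version>`, or at least bounding it, `dnspython<2.0`, keeps the dependency reproducible and reviewable.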
+
+ TeamCymru Search Results +
+
+ + + + + + + + +
Last SeenDetection Percentage
{{content.last_seen | ellipsis:40}}{{content.detection_pct}}
+
+
diff --git a/thehive-templates/TeamCymruMHR_1_0/short.html b/thehive-templates/TeamCymruMHR_1_0/short.html new file mode 100644 index 000000000..5fc0dabfb --- /dev/null +++ b/thehive-templates/TeamCymruMHR_1_0/short.html @@ -0,0 +1,3 @@ + + {{t.namespace}}:{{t.predicate}}="{{t.value}}" +