diff --git a/analyzers/Hashdd/Hashdd.py b/analyzers/Hashdd/Hashdd.py
index aaeca3628..5b0589b0b 100755
--- a/analyzers/Hashdd/Hashdd.py
+++ b/analyzers/Hashdd/Hashdd.py
@@ -5,90 +5,75 @@ class HashddAnalyzer(Analyzer): - service = 'Status' - url = 'https://api.hashdd.com/' + service = "Status" + url = "https://api.hashdd.com/" hashdd_key = None def __init__(self): Analyzer.__init__(self) - self.service = self.get_param('config.service', None, 'Service parameter is missing') + self.service = self.get_param( + "config.service", None, "Service parameter is missing" + ) if self.service == "status": - self.url = 'https://api.hashdd.com/' + self.hashdd_key = self.get_param("config.api_key", None) + self.url = "https://api.hashdd.com/v1/knownlevel/" elif self.service == "detail": - self.hashdd_key = self.get_param('config.api_key', None, 'Missing hashdd API key') - self.url = 'https://api.hashdd.com/detail' + self.hashdd_key = self.get_param( + "config.api_key", None, "Missing hashdd API key" + ) + self.url = "https://api.hashdd.com/v1/detail/" def hashdd_check(self, data): if self.hashdd_key is None: - postdata = {'hash': self.get_data()} + headers = {} else: - postdata = {'hash': self.get_data(), 'api_key': self.hashdd_key} - - r = requests.post(self.url, data=postdata) + headers = {"X-API-KEY": self.hashdd_key} + r = requests.get("{}{}".format(self.url, data), headers=headers, verify=False) r.raise_for_status() # Raise exception on HTTP errors return r.json() def summary(self, raw): taxonomies = [] - namespace = 'Hashdd' - predicate = 'known_level' - value = "0" - - level = 'info' # Default level: this assigned when known_level is unknown - - if 'known_level' in raw: - known_level = raw['known_level'] - if known_level == 'Good': + namespace = "Hashdd" + predicate = "knownlevel" + value = "Unknown" + knownlevel = "Unknown" + level = "info" + if self.service == "status" and "knownlevel" in raw: + knownlevel = raw["knownlevel"] + if knownlevel == "Good": level = "safe" - elif known_level == 'Bad': + elif knownlevel == "Bad": level = "malicious" - # else: - # level = "suspicious" # this one is not used - - value = "{}".format(known_level) 
# Value must be enclosed with double quotes + value = "{}".format(knownlevel) + elif self.service == "detail": + if "Bad" in [x["knownlevel"] for x in raw["search_results"]]: + level = "malicious" + knownlevel = "Bad" + elif "Good" in [x["knownlevel"] for x in raw["search_results"]]: + level = "safe" + knownlevel = "Good" + value = "{}".format(knownlevel) taxonomies.append(self.build_taxonomy(level, namespace, predicate, value)) - return {"taxonomies": taxonomies} def run(self): - if self.data_type != 'hash': + if self.data_type != "hash": self.notSupported() - data = self.get_param('data', None, 'Data is missing') - hash = data.upper() - + data = self.get_param("data", None, "Data is missing") response = self.hashdd_check(data) - if response['result'] == 'SUCCESS': - + if response["result"] == "SUCCESS": if self.service == "status": - self.report({ - 'known_level': response[hash]['known_level'] - }) + self.report({"knownlevel": response["knownlevel"]}) elif self.service == "detail": - if response.get(hash).get('result') != "NOT_FOUND": - self.report({ - 'known_level': response[hash]['summary']['hashdd_known_level'], - 'file_name': response[hash]['summary']['hashdd_file_name'], - 'file_absolute_path': response[hash]['summary']['hashdd_file_absolute_path'], - 'size': response[hash]['summary']['hashdd_size'], - 'product_manufacturer': response[hash]['summary']['hashdd_product_manufacturer'], - 'product_name': response[hash]['summary']['hashdd_product_name'], - 'product_version': response[hash]['summary']['hashdd_product_version'], - 'architecture': response[hash]['summary']['hashdd_architecture'], - 'md5': response[hash]['summary']['hashdd_md5'], - 'sha1': response[hash]['summary']['hashdd_sha1'], - 'sha256': response[hash]['summary']['hashdd_sha256'], - 'ssdeep': response[hash]['summary']['hashdd_ssdeep'] - }) - else: - self.report({'known_level':'Unknown'}) - + self.report(response) else: - self.error('{}'.format(response['result'])) + 
self.error("{}".format(response["result"]))
-if __name__ == '__main__':
+if __name__ == "__main__":
 HashddAnalyzer().run()
diff --git a/analyzers/Hashdd/Hashdd_Detail.json b/analyzers/Hashdd/Hashdd_Detail.json
index 34521d56a..ef92f4877 100644
--- a/analyzers/Hashdd/Hashdd_Detail.json
+++ b/analyzers/Hashdd/Hashdd_Detail.json
@@ -1,23 +1,23 @@
 {
- "name": "Hashdd_Detail",
- "version": "1.0",
- "author": "iosonogio",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPLv3",
- "description": "Determine whether a hash is good or bad; if good then list what it is.",
- "dataTypeList": ["hash"],
- "baseConfig": "Hashdd",
- "config": {
- "service": "detail"
- },
- "command": "Hashdd/Hashdd.py",
- "configurationItems": [
- {
- "name": "api_key",
- "description": "API key for hashdd",
- "type": "string",
- "multi": false,
- "required": true
- }
- ]
+ "name": "Hashdd_Detail",
+ "version": "2.0",
+ "author": "iosonogio, dadokkio",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPLv3",
+ "description": "Determine whether a hash is good or bad; if good then list what it is.",
+ "dataTypeList": ["hash"],
+ "baseConfig": "Hashdd",
+ "config": {
+ "service": "detail"
+ },
+ "command": "Hashdd/Hashdd.py",
+ "configurationItems": [
+ {
+ "name": "api_key",
+ "description": "API key for hashdd",
+ "type": "string",
+ "multi": false,
+ "required": true
+ }
+ ]
 }
diff --git a/analyzers/Hashdd/Hashdd_Status.json b/analyzers/Hashdd/Hashdd_Status.json
index 104a6564c..76c65c030 100644
--- a/analyzers/Hashdd/Hashdd_Status.json
+++ b/analyzers/Hashdd/Hashdd_Status.json
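Review bot: `hashdd_check` now sends the API key in an `X-API-KEY` header on a request made with `verify=False`, which switches off TLS certificate validation for the `api.hashdd.com` call and leaves the key and the returned verdict open to on-path tampering without any error being reported; the keyword should go, `r = requests.get("{}{}".format(self.url, data), headers=headers)`, or, if an inspecting proxy is the reason, the call should be given a CA bundle rather than having verification disabled. Separately, the `detail` branch of `summary` indexes `raw["search_results"]` with no guard and builds the same list twice; computing `results = raw.get("search_results", [])` once would avoid a KeyError on a successful response that carries no results (what the v1 detail endpoint returns on a miss is not visible here, so treat that as an assumption to confirm). The hash in `data` is also interpolated into the URL path unquoted; with `data_type` limited to `hash` this is low risk, but `urllib.parse.quote(data, safe="")` would make the intent explicit. The enclosing class `HashddAnalyzer` begins above the hunk.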
@@ -1,23 +1,23 @@
 {
- "name": "Hashdd_Status",
- "version": "1.0",
- "author": "iosonogio",
- "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
- "license": "AGPLv3",
- "description": "Determine whether a hash is good or bad.",
- "dataTypeList": ["hash"],
- "baseConfig": "Hashdd",
- "config": {
- "service": "status"
- },
- "command": "Hashdd/Hashdd.py",
- "configurationItems": [
- {
- "name": "api_key",
- "description": "API key for hashdd",
- "type": "string",
- "multi": false,
- "required": false
- }
- ]
+ "name": "Hashdd_Status",
+ "version": "2.0",
+ "author": "iosonogio, dadokkio",
+ "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+ "license": "AGPLv3",
+ "description": "Determine whether a hash is good or bad.",
+ "dataTypeList": ["hash"],
+ "baseConfig": "Hashdd",
+ "config": {
+ "service": "status"
+ },
+ "command": "Hashdd/Hashdd.py",
+ "configurationItems": [
+ {
+ "name": "api_key",
+ "description": "API key for hashdd",
+ "type": "string",
+ "multi": false,
+ "required": false
+ }
+ ]
 }
diff --git a/thehive-templates/Hashdd_Detail_1_0/long.html b/thehive-templates/Hashdd_Detail_1_0/long.html
deleted file mode 100644
index 58666c3b6..000000000
--- a/thehive-templates/Hashdd_Detail_1_0/long.html
+++ /dev/null
@@ -1,44 +0,0 @@
- -
-
- Hashdd report for {{artifact.data | fang}} -
-
-
-
Known Level
-
{{content.known_level || "No known level given."}}
-
File Name
-
{{content.file_name || "No file name given."}}
-
File Path
-
{{content.file_absolute_path || "No file path given."}}
-
File Size
-
{{content.size || "No size given."}}
-
Product Manufacturer
-
{{content.product_manufacturer || "No product manufacturer given."}}
-
Product Name
-
{{content.product_name || "No product name given."}}
-
Product Version
-
{{content.product_version || "No product version given."}}
-
Architecture
-
{{content.architecture || "No architecture given."}}
-
md5
-
{{content.md5 || "No md5 given."}}
-
sha1
-
{{content.sha1 || "No sha1 given."}}
-
sha256
-
{{content.sha256 || "No sha256 given."}}
-
ssdeep
-
{{content.ssdeep || "No ssdeep given."}}
-
-
-
- - -
-
- {{artifact.data | fang}} -
-
- {{content.errorMessage}} -
-
-
diff --git a/thehive-templates/Hashdd_Detail_2_0/long.html b/thehive-templates/Hashdd_Detail_2_0/long.html
new file mode 100644
index 000000000..af34c3398
--- /dev/null
+++ b/thehive-templates/Hashdd_Detail_2_0/long.html
@@ -0,0 +1,53 @@
+ +
+ + + + + +
+ Hashdd report for {{artifact.data | fang}} +
+
+ +
+
+
Knowlevel:
+
{{result.knownlevel}}
+
MD5:
+
{{result.details.hashdd_md5}}
+
SHA1:
+
{{result.details.hashdd_sha1}}
+
CRC32:
+
{{result.details.hashdd_crc32}}
+
Size:
+
{{result.details.hashdd_size}}
+
Results:
+
{{content.search_results.length}}
+
+
+ +
+
+ + +
+
+ {{artifact.data | fang}} +
+
+ {{content.errorMessage}} +
+
\ No newline at end of file
diff --git a/thehive-templates/Hashdd_Detail_1_0/short.html b/thehive-templates/Hashdd_Detail_2_0/short.html
similarity index 100%
rename from thehive-templates/Hashdd_Detail_1_0/short.html
rename to thehive-templates/Hashdd_Detail_2_0/short.html
diff --git a/thehive-templates/Hashdd_Status_1_0/long.html b/thehive-templates/Hashdd_Status_2_0/long.html
similarity index 69%
rename from thehive-templates/Hashdd_Status_1_0/long.html
rename to thehive-templates/Hashdd_Status_2_0/long.html
index 7072c9681..19740eaa1 100644
--- a/thehive-templates/Hashdd_Status_1_0/long.html
+++ b/thehive-templates/Hashdd_Status_2_0/long.html
@@ -4,10 +4,10 @@ Hashdd report for {{artifact.data | fang}}
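Review bot: The first row label in the new detail template reads `Knowlevel:`, a typo for the field it shows, and it does not match the `Known Level` label the status template uses; change it to `Known Level:`. The row cells read `result.details.hashdd_*` while the count reads `content.search_results.length`, so the row block presumably repeats over `content.search_results` (the element markup is not visible here); a result without a `details` object would then render blank cells, whereas the status template falls back to text such as `"No known level given."`, and the same `|| "..."` fallback would keep the two templates consistent.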
-
-
Known Level
-
{{content.known_level || "No known level given."}}
-
+
+
Known Level
+
{{content.knownlevel || "No known level given."}}
+
@@ -19,4 +19,4 @@
{{content.errorMessage}}
- +
\ No newline at end of file
diff --git a/thehive-templates/Hashdd_Status_1_0/short.html b/thehive-templates/Hashdd_Status_2_0/short.html
similarity index 100%
rename from thehive-templates/Hashdd_Status_1_0/short.html
rename to thehive-templates/Hashdd_Status_2_0/short.html