Merge branch 'release/3.0.0'

.drone.yml

@@ -74,7 +74,6 @@ steps:
         - analyzers/analyzers-stable.json
         - responders/responders.json
         - responders/responders-stable.json
-        - analyzers/report-templates.zip
       strip_components: 1
     when:
       event: [tag]

.gitignore

@@ -16,3 +16,9 @@ lib64
 pyvenv.cfg
 share
 
+test-doc
+analyzers/*/input
+analyzers/*/output
+responders/*/input
+responders/*/output
+analyzers/*/cortexutils

analyzers/AbuseIPDB/AbuseIPDB.json

@@ -29,5 +29,19 @@
         "check_tlp": true,
         "max_tlp": 2,
         "auto_extract": false
-    }
+    },
+    "registration_required": true,
+    "subscription_required": true,
+    "free_subscription": true,
+    "service_homepage": "https://www.abuseipdb.com/",
+    "service_logo": {
+        "path": "assets/abuseipdb.png",
+        "caption": "abuseipdb logo"
+    },
+    "screenshots": [
+        {
+            "path": "assets/long_report.png",
+            "caption": "AbuseIPDB: Long report template"
+        }
+    ]
 }

analyzers/AbuseIPDB/README.md

@@ -0,0 +1,10 @@
+### AbuseIPDB
+[AbuseIPDB](https://www.abuseipdb.com/) is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.
+
+The analyzer comes in only one flavor.
+
+#### Requirements
+You need a valid AbuseIPDB API integration subscription to use the analyzer:
+
+- Provide your API key as a value for the `key` parameter.
+- Set the `days` parameter to limit temporal range in search

analyzers/Abuse_Finder/Abuse_Finder.json

@@ -1,11 +1,31 @@
 {
-  "name": "Abuse_Finder",
-  "version": "3.0",
-  "author": "CERT-BDF",
-  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
-  "license": "AGPL-V3",
-  "description": "Find abuse contacts associated with domain names, URLs, IPs and email addresses.",
-  "dataTypeList": ["ip", "domain", "fqdn", "url", "mail"],
-  "baseConfig": "Abuse_Finder",
-  "command": "Abuse_Finder/abusefinder.py"
-}
+    "name": "Abuse_Finder",
+    "version": "3.0",
+    "author": "CERT-BDF",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Find abuse contacts associated with domain names, URLs, IPs and email addresses.",
+    "dataTypeList": [
+        "ip",
+        "domain",
+        "fqdn",
+        "url",
+        "mail"
+    ],
+    "baseConfig": "Abuse_Finder",
+    "command": "Abuse_Finder/abusefinder.py",
+    "registration_required": false,
+    "subscription_required": false,
+    "free_subscription": false,
+    "service_homepage": "https://github.com/certsocietegenerale/abuse_finder",
+    "service_logo": {
+        "path": "",
+        "caption": ""
+    },
+    "screenshots": [
+        {
+            "path": "assets/abuse_finder_longreport.png",
+            "caption": "Abuse_Finder: Long report template"
+        }
+    ]
+}

analyzers/Abuse_Finder/README.md

@@ -0,0 +1,9 @@
+### Abuse_Finder
+Use CERT-SG's [Abuse Finder](https://github.com/certsocietegenerale/abuse_finder)
+to find abuse contacts associated with domain names, URLs, IPs and email addresses.
+
+The analyzer comes in only one flavor.
+
+No configuration is required. It can be used out of the box.
+
+This Analyzer can only be run as a docker container or as process with Python <= 3.6.

analyzers/AnyRun/AnyRun_Sandbox_Analysis.json

@@ -16,6 +16,14 @@
       "multi": false,
       "required": false
     },
+    {
+      "name": "privacy_type",
+      "description": "Define the privacy setting (Allowed values: public, bylink, owner)",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "bylink"
+    },
     {
       "name": "verify_ssl",
       "description": "Verify SSL certificate",
@@ -24,5 +32,24 @@
       "required": true,
       "defaultValue": true
     }
+  ],
+  "registration_required": true,
+  "subscription_required": true,
+  "free_subscription": false,
+  "service_homepage": "https://any.run/",
+  "service_logo": {
+      "path": "assets/anyrun.png",
+      "caption": "AnyRun logo"
+  },
+  "screenshots": [
+      {
+          "path": "assets/short_report.png",
+          "caption": "AnyRun: Short report template"
+      },
+
+      {
+          "path": "assets/long_report.png",
+          "caption": "AnyRun: Long report template"
+      }
   ]
 }

analyzers/AnyRun/README.md

@@ -0,0 +1,15 @@
+### AnyRun
+[ANY.RUN](https://any.run/) is a malware sandbox service in the cloud. By using this analyzer, an analyst can submit a suspicious file or URL to the service for analysis and get a report. The report can contain various information such as:
+
+- Interactive access
+- Research threats by filter in public submissions
+- File and URL dynamic analysis
+- Mitre ATT&CK mapping
+- Detailed malware reports
+
+#### Requirements
+You need a valid AnyRun API integration subscription to use the analyzer. Free plan does not provide API access.
+
+- Provide your API token as a value for the `token` parameter.
+- Define the privacy setting in `privacy_type` parameter.
+- Set `verify_ssl` parameter as false if you connection requires it

analyzers/AnyRun/anyrun_analyzer.py

@@ -12,6 +12,7 @@ def __init__(self):
         Analyzer.__init__(self)
         self.url = "https://api.any.run/v1"
         self.token = self.get_param("config.token", None, "Service token is missing")
+        self.privacy_type = self.get_param("config.privacy_type", None, "Privacy type is missing")
         self.verify_ssl = self.get_param("config.verify_ssl", True, None)
         if not self.verify_ssl:
             requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
@@ -49,9 +50,11 @@ def run(self):
                 while status_code in (None, 429) and tries <= 15:
                     with open(filepath, "rb") as sample:
                         files = {"file": (filename, sample)}
+                        data = {"opt_privacy_type": self.privacy_type}
                         response = requests.post(
                             "{0}/analysis".format(self.url),
                             files=files,
+                            data=data,
                             headers=headers,
                             verify=self.verify_ssl,
                         )
@@ -68,7 +71,7 @@ def run(self):
                         self.error(response.json()["message"])
             elif self.data_type == "url":
                 url = self.get_param("data", None, "Url is missing")
-                data = {"obj_type": "url", "obj_url": url}
+                data = {"obj_type": "url", "obj_url": url, "opt_privacy_type": self.privacy_type}
                 while status_code in (None, 429) and tries <= 15:
                     response = requests.post(
                         "{0}/analysis".format(self.url),
@@ -127,4 +130,4 @@ def run(self):
 
 
 if __name__ == "__main__":
-    AnyRunAnalyzer().run()
+    AnyRunAnalyzer().run()

analyzers/CIRCLHashlookup/CIRCLHashlookup.json

@@ -0,0 +1,31 @@
+{
+  "name": "CIRCLHashlookup",
+  "author": "Mikael Keri",
+  "license": "AGPL-V3",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "version": "1.0",
+  "description": "CIRCL Hashlookup is a public service to lookup hash values against known database of good files",
+  "dataTypeList": ["hash"],
+  "baseConfig": "CIRCLHashlookup",
+  "config": {
+      "check_tlp": true,
+      "max_tlp": 2,
+      "check_pap": true,
+      "max_pap": 2
+   },
+  "command": "CIRCLHashlookup/circlhashlookup_analyzer.py",
+   "registration_required": false,
+   "subscription_required": false,
+   "free_subscription": true,
+   "service_homepage": "https://hashlookup.circl.lu/",
+   "service_logo": {"path":"assets/circlhashlookup_logo.png", "caption": "logo"},
+   "screenshots": [
+     {
+       "path": "assets/circlhashlookup_long_report.png",
+       "caption:":"CIRCL Hashlookup analyzer full report"
+     },
+     {
+      "path": "assets/circlhashlookup_verdict.png",
+      "caption:":"CIRCL Hashlookup analyzer verdict"
+    }]
+}

analyzers/CIRCLHashlookup/circlhashlookup_analyzer.py

@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+import requests
+from cortexutils.analyzer import Analyzer
+
+class CIRCLHashlookupAnalyzer(Analyzer):
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.url = 'https://hashlookup.circl.lu'
+
+    def summary(self, raw):
+         taxonomies = []
+         namespace = "CIRCLHashlookup"
+
+         if raw.get('CRC32'):
+            verdict = "safe"
+            result = "known"
+         else:
+            verdict = "info"
+            result = "unkown"
+
+         taxonomies.append(self.build_taxonomy(
+         verdict,
+         namespace,
+         'Result',
+         result,
+         ))
+
+         return {"taxonomies": taxonomies}
+
+    def run(self):
+            if self.data_type == 'hash':
+                data = self.get_param('data', None, 'Data is missing')
+
+                headers = {'Content-type': 'application/json', 'Accept': 'text/plain'}
+                session = requests.Session()
+                if len(data) == 32:
+                    s = session.get(self.url + '/lookup/md5/' + data, headers=headers)
+                elif len(data) == 40:
+                    s = session.get(self.url + '/lookup/sha1/' + data, headers=headers)
+                else:
+                    self.error('Unsupported hash type')
+
+                s.close()
+                response = s.json()
+                try:
+                   self.report(response)
+                except Exception as e:
+                   self.error('Invalid data type')
+            else:
+                self.error('Invalid data type')
+
+if __name__ == '__main__':
+    CIRCLHashlookupAnalyzer().run()

analyzers/CIRCLHashlookup/requirments.txt

@@ -0,0 +1 @@
+cortexutils

analyzers/CIRCLPassiveDNS/CIRCLPassiveDNS.json

@@ -1,27 +1,49 @@
 {
-  "name": "CIRCLPassiveDNS",
-  "author": "Nils Kuhnert, CERT-Bund",
-  "license": "AGPL-V3",
-  "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
-  "version": "2.0",
-  "description": "Check CIRCL's Passive DNS for a given domain or URL.",
-  "dataTypeList": ["domain", "url", "ip"],
-  "baseConfig": "CIRCL",
-  "command": "CIRCLPassiveDNS/circl_passivedns.py",
-  "configurationItems": [
-    {
-      "name": "user",
-      "description": "Username",
-      "type": "string",
-      "multi": false,
-      "required": true
+    "name": "CIRCLPassiveDNS",
+    "author": "Nils Kuhnert, CERT-Bund",
+    "license": "AGPL-V3",
+    "url": "https://github.com/BSI-CERT-Bund/cortex-analyzers",
+    "version": "2.0",
+    "description": "Check CIRCL's Passive DNS for a given domain or URL.",
+    "dataTypeList": [
+        "domain",
+        "url",
+        "ip"
+    ],
+    "baseConfig": "CIRCL",
+    "command": "CIRCLPassiveDNS/circl_passivedns.py",
+    "configurationItems": [
+        {
+            "name": "user",
+            "description": "Username",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "password",
+            "description": "Password",
+            "type": "string",
+            "multi": false,
+            "required": true
+        }
+    ],
+    "registration_required": true,
+    "subscription_required": true,
+    "free_subscription": true,
+    "service_homepage": "https://www.circl.lu/services/passive-dns/",
+    "service_logo": {
+        "path": "assets/passivedns.png",
+        "caption": "logo"
     },
-    {
-      "name": "password",
-      "description": "Password",
-      "type": "string",
-      "multi": false,
-      "required": true
-    }
-  ]
-}
+    "screenshots": [
+        {
+            "path": "assets/sc-short-circlpassivedns.png",
+            "caption": "CIRCLPassiveDNS: short report"
+        },
+        {
+            "path": "assets/sc-long-circlpassivedns.png",
+            "caption": "CIRCLPassiveDNS: long report"
+        }
+    ]
+}

analyzers/CIRCLPassiveDNS/README.md

@@ -0,0 +1,19 @@
+### CIRCLPassiveDNS
+
+Check [CIRCL's Passive DNS](https://www.circl.lu/services/passive-dns/) for a
+ given domain.
+
+This analyzer comes in only one flavor.
+
+#### Requirements
+
+Access to CIRCL Passive DNS is only allowed to trusted partners in Luxembourg
+and abroad. [Contact CIRCL](https://www.circl.lu/contact/) if you would like
+access. Include your affiliation and the foreseen use of the Passive DNS
+data.
+
+If the CIRCL positively answers your access request, you'll obtain a username
+ and password which are needed to make the analyzer work.
+
+supply your username as the value for the `user` parameter and your password
+as the value for the `password` parameter.