forked from TheHive-Project/Cortex-Analyzers
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
CIRCL Hashlookup analyzer
- Loading branch information
Showing
8 changed files
with
150 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| { | ||
| "name": "CIRCLHashlookup", | ||
| "author": "Mikael Keri", | ||
| "license": "AGPL-V3", | ||
| "url": "https://github.com/TheHive-Project/Cortex-Analyzers", | ||
| "version": "1.0", | ||
| "description": "CIRCL Hashlookup is a public service to lookup hash values against known database of good files", | ||
| "dataTypeList": ["hash"], | ||
| "baseConfig": "CIRCLHashlookup", | ||
| "config": { | ||
| "check_tlp": true, | ||
| "max_tlp": 2, | ||
| "check_pap": true, | ||
| "max_pap": 2 | ||
| }, | ||
| "command": "CIRCLHashlookup/circlhashlookup_analyzer.py", | ||
| "registration_required": false, | ||
| "subscription_required": false, | ||
| "free_subscription": true, | ||
| "service_homepage": "https://hashlookup.circl.lu/", | ||
| "service_logo": {"path":"assets/circlhashlookup_logo.png", "caption": "logo"}, | ||
| "screenshots": [ | ||
| { | ||
| "path": "assets/circlhashlookup_long_report.png", | ||
| "caption:":"CIRCL Hashlookup analyzer full report" | ||
| }, | ||
| { | ||
| "path": "assets/circlhashlookup_verdict.png", | ||
| "caption:":"CIRCL Hashlookup analyzer verdict" | ||
| }] | ||
| } |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| #!/usr/bin/env python3 | ||
| # encoding: utf-8 | ||
|
|
||
| import requests | ||
| from cortexutils.analyzer import Analyzer | ||
|
|
||
| class CIRCLHashlookupAnalyzer(Analyzer): | ||
| def __init__(self): | ||
| Analyzer.__init__(self) | ||
| self.url = 'https://hashlookup.circl.lu' | ||
|
|
||
| def summary(self, raw): | ||
| taxonomies = [] | ||
| namespace = "CIRCLHashlookup" | ||
|
|
||
| if raw.get('CRC32'): | ||
| verdict = "safe" | ||
| result = "known" | ||
| else: | ||
| verdict = "info" | ||
| result = "unkown" | ||
|
|
||
| taxonomies.append(self.build_taxonomy( | ||
| verdict, | ||
| namespace, | ||
| 'Result', | ||
| result, | ||
| )) | ||
|
|
||
| return {"taxonomies": taxonomies} | ||
|
|
||
| def run(self): | ||
| if self.data_type == 'hash': | ||
| data = self.get_param('data', None, 'Data is missing') | ||
|
|
||
| headers = {'Content-type': 'application/json', 'Accept': 'text/plain'} | ||
| session = requests.Session() | ||
| if len(data) == 32: | ||
| s = session.get(self.url + '/lookup/md5/' + data, headers=headers) | ||
| elif len(data) == 40: | ||
| s = session.get(self.url + '/lookup/sha1/' + data, headers=headers) | ||
| else: | ||
| self.error('Unsupported hash type') | ||
|
|
||
| s.close() | ||
| response = s.json() | ||
| try: | ||
| self.report(response) | ||
| except Exception as e: | ||
| self.error('Invalid data type') | ||
| else: | ||
| self.error('Invalid data type') | ||
|
|
||
| if __name__ == '__main__': | ||
| CIRCLHashlookupAnalyzer().run() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| cortexutils |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| <div class="panel panel-danger" ng-if="!success"> | ||
| <div class="panel-heading"> | ||
| <strong>{{(artifact.data || artifact.attachment.name) | fang}}</strong> | ||
| </div> | ||
| <div class="panel-body"> | ||
| {{content.errorMessage}} | ||
| </div> | ||
| </div> | ||
|
|
||
| <div class="panel panel-info" ng-if="success && content.message == null"> | ||
| <div class="panel-heading">CIRCL Hashlookup results</div> | ||
| <dl class="dl-horizontal"> | ||
| <dt>Hashes</dt> | ||
| <dd class="wrap"> | ||
| <b>CRC32:</b> {{content.CRC32 || '-'}}<br /> | ||
| <b>MD5:</b> {{content.MD5 || '-'}}<br /> | ||
| <b>SHA1</b>: {{content['SHA-1'] || '-'}}<br /> | ||
| </dd> | ||
| <dt>File</dt> | ||
| <dd class="wrap"> | ||
| <b>Filename:</b> {{content.FileName || '-'}}<br /> | ||
| <b>Filesize:</b> {{content.FileSize || '-'}}<br /> | ||
| </dd> | ||
| <dt>OpSystemCode</dt> | ||
| <dd class="wrap"> | ||
| <b>MfgCode:</b> {{content.OpSystemCode.MfgCode || '-'}}<br /> | ||
| <b>OpSystemCode:</b> {{content.OpSystemCode.OpSystemCode || '-'}}<br /> | ||
| <b>OpSystemName:</b> {{content.OpSystemCode.OpSystemName || '-'}}<br /> | ||
| <b>OpSystemVersion:</b> {{content.OpSystemCode.OpSystemVersion || '-'}}<br /> | ||
| </dd> | ||
| <dt>ProductCode</dt> | ||
| <dd class="wrap"> | ||
| <b>ApplicationType:</b> {{content.ProductCode.ApplicationType || '-'}}<br /> | ||
| <b>Language:</b> {{content.ProductCode.Language || '-'}}<br /> | ||
| <b>MfgCode:</b> {{content.ProductCode.MfgCode || '-'}}<br /> | ||
| <b>OpSystemCode:</b> {{content.ProductCode.OpSystemCode || '-'}}<br /> | ||
| <b>ProductCode:</b> {{content.ProductCode.ProductCode || '-'}}<br /> | ||
| <b>ProductName:</b> {{content.ProductCode.ProductName || '-'}}<br /> | ||
| <b>ProductVersion:</b> {{content.ProductCode.ProductVersion || '-'}}<br /> | ||
| <b>SpecialCode:</b> {{content.ProductCode.SpecialCode || '-'}}<br /> | ||
| </dd> | ||
| </div> | ||
| <!-- No hits --> | ||
| <div class="panel panel-info" ng-if="success && content.message != null"> | ||
| <div class="panel-heading">No hits</div> | ||
| <dd>{{content.message}}</dd> | ||
| </div> | ||
|
|
||
| <!-- General error --> | ||
| <div class="panel panel-danger" ng-if="!success"> | ||
| <div class="panel-heading"> | ||
| <strong>General Error: Please try again</strong> | ||
| </div> | ||
| <div class="panel-body"> | ||
| <dl class="dl-horizontal" ng-if="content.errorMessage"> | ||
| <dt><i class="fa fa-warning"></i>CIRCL Hashlookup: </dt> | ||
| <dd class="wrap">{{content.errorMessage}}"</dd> | ||
| </dl> | ||
| </div> | ||
| </div> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| <span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]"> | ||
| {{t.namespace}}:{{t.predicate}}="{{t.value}}" | ||
| </span> |