Fixes #258: Merge remote-tracking branch 'ant1/fixetmalwareinfo' into…

… release/1.10.0
TheHive-Project · Jun 4, 2018 · 4d9332b · 4d9332b
2 parents dd3e836 + fc9aa7f
commit 4d9332b
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 6 deletions.
diff --git a/analyzers/EmergingThreats/EmergingThreats_DomainInfo.json b/analyzers/EmergingThreats/EmergingThreats_DomainInfo.json
@@ -5,7 +5,7 @@
   "url": "https://github.com/dadokkio/Cortex-Analyzers",
   "license": "AGPL-V3",
   "description": "Retrieve ET reputation, related malware, and IDS requests for a given domain.",
-  "dataTypeList": ["domain"],
+  "dataTypeList": ["domain", "fqdn"],
   "command": "EmergingThreats/emergingthreats_analyzer.py",
   "baseConfig": "EmergingThreats",
   "configurationItems": [

diff --git a/analyzers/EmergingThreats/EmergingThreats_MalwareInfo.json b/analyzers/EmergingThreats/EmergingThreats_MalwareInfo.json
@@ -5,7 +5,7 @@
   "url": "https://github.com/dadokkio/Cortex-Analyzers",
   "license": "AGPL-V3",
   "description": "Retrieve ET details and info related to a malware hash.",
-  "dataTypeList": ["hash"],
+  "dataTypeList": ["file", "hash"],
   "command": "EmergingThreats/emergingthreats_analyzer.py",
   "baseConfig": "EmergingThreats",
   "configurationItems": [

diff --git a/analyzers/EmergingThreats/emergingthreats_analyzer.py b/analyzers/EmergingThreats/emergingthreats_analyzer.py
@@ -3,6 +3,7 @@
 
 from cortexutils.analyzer import Analyzer
 
+import hashlib
 import requests
 import time
 
@@ -59,18 +60,32 @@ def run(self):
         Analyzer.run(self)
         info = {}
         try:
-            object_name = self.get_data()
-            if self.data_type == 'domain':
+            if self.data_type != 'file':
+                object_name = self.get_data()
+
+            if self.data_type in ['domain', 'fqdn']:
                 url = "https://api.emergingthreats.net/v1/domains/"
                 features = {'reputation', 'urls', 'samples', 'ips', 'events', 'nameservers', 'whois', 'geoloc'}
 
             elif self.data_type == 'ip':
                 url = "https://api.emergingthreats.net/v1/ips/"
                 features = {'reputation', 'urls', 'samples', 'domains', 'events', 'geoloc'}
 
-            elif self.data_type == 'malware':
+            elif self.data_type == 'hash':
+                url = "https://api.emergingthreats.net/v1/samples/"
+                features = {'', 'connections', 'dns', 'http', 'events'}
+
+            elif self.data_type == 'file':
                 url = "https://api.emergingthreats.net/v1/samples/"
-                features = {'', 'connections', 'dns', 'events'}
+                features = {'', 'connections', 'dns', 'http', 'events'}
+                hashes = self.get_param('attachment.hashes', None)
+                if hashes is None:
+                    filepath = self.get_param('file', None, 'File is missing')
+                    object_name = hashlib.md5(open(filepath, 'r').read()).hexdigest()
+                else:
+                    # find MD5 hash
+                    object_name = next(h for h in hashes if len(h) == 32)
+
             else:
                 self.error('Invalid data type !')
 

diff --git a/thehive-templates/EmergingThreats_MalwareInfo_1_0/long.html b/thehive-templates/EmergingThreats_MalwareInfo_1_0/long.html
@@ -88,6 +88,40 @@
         </div>
     </div>
 
+    <div class="panel panel-info" ng-if="content.http && content.http != '-' && content.http != 'Error'">
+        <div class="panel-heading">
+            <strong>Http</strong>
+        </div>
+        <div class="panel-body">
+            <table class="table table-hover">
+                <tr>
+                    <th>Source</th>
+                    <th>Date</th>
+                    <th>Domain</th>
+                    <th>Source ip</th>
+                    <th>Destination ip</th>
+                    <th>Source port</th>
+                    <th>Destination port</th>
+                    <th>Method</th>
+                    <th>Url</th>
+                    <th>User agent</th>
+                </tr>
+                <tr ng-repeat="http in content.http track by $index">
+                    <td>{{ http.source }}</td>
+                    <td>{{ http.date }}</td>
+                    <td>{{ http.domain }}</td>
+                    <td>{{ http.source_ip }}</td>
+                    <td>{{ http.destination_ip }}</td>
+                    <td>{{ http.source_port }}</td>
+                    <td>{{ http.destination_port }}</td>
+                    <td>{{ http.method }}</td>
+                    <td>{{ http.url }}</td>
+                    <td>{{ http.user_agent }}</td>
+                </tr>
+            </table>
+        </div>
+    </div>
+
     <div class="panel panel-info" ng-if="content.connections && content.connections != '-' && content.connections != 'Error'">
         <div class="panel-heading">
             <strong>Connections</strong>