Merge pull request #69 from certego/develop

0.4.0

Author: mlodic

.env_template

@@ -0,0 +1,20 @@
+### ---- Environment variables for docker-compose ----
+### All services specified in all compose-files in variable COMPOSE_FILE will be built/ran
+### By default, when you use `docker-compose up` only docker-compose.yml is read
+### For each additional integration, the location of it's docker-compose.<>.yml file should be appended to 
+### the COMPOSE_FILE variable each seperated with ':'. If you are on windows, replace all ':' with ';'.
+### Reference to Docker's official Docs: https://docs.docker.com/compose/reference/envvars/#compose_file#compose_file
+
+## Default
+COMPOSE_FILE=docker-compose.yml
+
+## To run all additional integrations
+#COMPOSE_FILE=docker-compose.yml:./integrations/docker-compose.peframe.yml
+
+## To run tests or for local development
+#COMPOSE_FILE=docker-compose-for-tests.yml
+#COMPOSE_FILE=docker-compose-for-tests.yml:./integrations/docker-compose-for-tests.peframe.yml
+
+## For travis
+#COMPOSE_FILE=docker-compose-for-travis.yml
+#COMPOSE_FILE=docker-compose-for-travis.yml./integrations/docker-compose.peframe.yml

.gitignore

@@ -1,5 +1,8 @@
 .idea
+.vscode
 __pycache__
 test_files
 env_file_app
-env_file_postgres
+env_file_postgres
+env_file_integrations
+.env

Dockerfile

@@ -18,7 +18,7 @@ RUN pip3 install --compile -r requirements.txt
 COPY . $PYTHONPATH
 
 RUN touch /var/log/intel_owl/django/api_app.log /var/log/intel_owl/django/api_app_errors.log \
-    touch /var/log/intel_owl/django/celery.log /var/log/intel_owl/django/celery_errors.log \
+    && touch /var/log/intel_owl/django/celery.log /var/log/intel_owl/django/celery_errors.log \
     && chown -R www-data:www-data /var/log/intel_owl /opt/deploy/ \
 # this is cause stringstifer creates this directory during the build and cause celery to crash
     && rm -rf /root/.local

Dockerfile_nginx

@@ -0,0 +1,2 @@
+FROM library/nginx:1.16.1-alpine
+VOLUME /var/log/nginx

README.md

@@ -39,6 +39,8 @@ Main features:
 * Yara (Community, Neo23x0 and Intezer rules are already available. There's the chance to add your own rules)
 
 ### External services available
+#### required paid or trial api key
+* GreyNoise v2
 #### required paid or free api key
 * VirusTotal v2 + v3
 * HybridAnalysis
@@ -47,23 +49,27 @@ Main features:
 * Hunter.io - Email Hunting
 * ONYPHE 
 * Censys.io
+* SecurityTrails
 #### required free api key
 * GoogleSafeBrowsing
 * AbuseIPDB
 * Shodan
 * HoneyDB
 * AlienVault OTX
 * MaxMind
+* Auth0
 #### needed access request
 * CIRCL PassiveDNS + PassiveSSL
 #### without api key
 * Fortiguard URL Analyzer
-* GreyNoise Alpha API
+* GreyNoise Alpha API v1
 * Talos Reputation
 * Tor Project
 * Robtex
 * Threatminer
 * Abuse.ch MalwareBazaar
+* Abuse.ch URLhaus
+* Active DNS
 
 ### Documentation
 [![Documentation Status](https://readthedocs.org/projects/intelowl/badge/?version=latest)](https://intelowl.readthedocs.io/en/latest/?badge=latest)

api_app/script_analyzers/file_analyzers/peframe.py

@@ -0,0 +1,88 @@
+import requests
+import traceback
+import logging
+import time
+
+from api_app.exceptions import AnalyzerRunException
+from api_app.script_analyzers import general
+
+logger = logging.getLogger(__name__)
+
+
+def run(analyzer_name, job_id, filepath, filename, md5, additional_config_params):
+    logger.info("started analyzer {} job_id {}"
+                "".format(analyzer_name, job_id))
+    report = general.get_basic_report_template(analyzer_name)
+    try:
+        # get binary
+        binary = general.get_binary(job_id)
+        # run analysis
+        files = {
+            "file": binary
+        }
+        r = requests.post("http://peframe:4000/run_analysis", files=files)
+        r_data = r.json()
+        if r.status_code == 200:
+            max_tries = additional_config_params.get('max_tries', 15)
+            res = _poll_for_result(job_id, r_data['md5'], max_tries)
+        else:
+            raise AnalyzerRunException(r_data['error'])
+
+        # limit the length of the strings dump
+        if 'strings' in res and 'dump' in res['strings']:
+            res['strings']['dump'] = res['strings']['dump'][:100]
+
+        report['report'] = res
+    except AnalyzerRunException as e:
+        error_message = f"job_id:{job_id} analyzer:{analyzer_name} md5:{md5} filename:{filename} Analyzer Error: {e}"
+        logger.error(error_message)
+        report['errors'].append(error_message)
+        report['success'] = False
+    except Exception as e:
+        traceback.print_exc()
+        error_message = f"job_id:{job_id} analyzer:{analyzer_name} md5:{md5} filename:{filename} Unexpected Error: {e}"
+        logger.exception(error_message)
+        report['errors'].append(str(e))
+        report['success'] = False
+    else:
+        report['success'] = True
+
+    general.set_report_and_cleanup(job_id, report)
+
+    logger.info(f"ended analyzer:{analyzer_name} job_id:{job_id}")
+
+    return report
+
+
+def _poll_for_result(job_id, hash, max_tries):
+    poll_distance = 5
+    got_result = False
+    for chance in range(max_tries):
+        time.sleep(poll_distance)
+        logger.info(f"PEframe polling. Try n:{chance+1}, job_id:{job_id}. Starting the query")
+        try:
+            status_code, json_data = _query_for_result(hash)
+        except requests.RequestException as e:
+            raise AnalyzerRunException(e)
+        analysis_status = json_data.get('status', None)
+        if analysis_status in ["success", "reported_with_fails", "failed"]:
+            got_result = True
+            break
+        elif status_code == 404:
+            pass
+        else:
+            logger.info(f"PEframe polling. Try n:{chance+1}, job_id:{job_id}, status:{analysis_status}")
+    
+    if got_result:
+        return json_data
+    else:
+        raise AnalyzerRunException(f"max peframe polls tried without getting any result. job_id:{job_id}")
+
+
+def _query_for_result(hash):
+    headers = {
+        'Accept': 'application/json'
+    }
+    resp = requests.get(f"http://peframe:4000/get_report/{hash}", headers=headers)
+    data = resp.json()
+    return resp.status_code, data

api_app/script_analyzers/observable_analyzers/active_dns.py

@@ -0,0 +1,176 @@
+"""Module to retrieve active DNS resolution
+"""
+
+import traceback
+import requests
+import ipaddress
+import socket
+
+from api_app.exceptions import AnalyzerConfigurationException, AnalyzerRunException
+from api_app.script_analyzers import general
+
+import logging
+logger = logging.getLogger(__name__)
+
+
+def run(analyzer_name, job_id, observable_name, observable_classification, additional_config_params):
+    """Run ActiveDNS analyzer
+
+    Admit:
+    * additional_config_params[service]: google - Google DoH (DNS over HTTPS)
+    * additional_config_params[service]: cloudflare - CloudFlare DoH (DNS over HTTPS)
+    * additional_config_params[service]: classic - classic DNS query
+
+    Google and CloudFlare return an IP (or NXDOMAIN) from a domain.
+    Classic support also reverse lookup (domain from IP)
+
+    :param analyzer_name: Analyzer configuration in analyzer_config.json
+    :type analyzer_name: str
+    :param job_id: job identifier
+    :type job_id: str
+    :param observable_name: analyzed observable
+    :type observable_name: str
+    :param observable_classification: observable classification (allow: ip or domain) ip only classic
+    :type observable_classification: str
+    :param additional_config_params: params service to select the service
+    :type additional_config_params: dict
+    :return: report: name: observable_name, resolution: ip,NXDOMAIN, ''
+    :rtype: report: dict
+    """
+    logger.info(f"started analyzer {analyzer_name} job_id {job_id} observable {observable_name}")
+    report = general.get_basic_report_template(analyzer_name)
+
+    try:
+        dns_type = additional_config_params.get('service', '')
+        if dns_type == 'google':
+            _doh_google(job_id, analyzer_name, observable_classification, observable_name, report)
+        elif dns_type == 'cloudflare':
+            _doh_cloudflare(job_id, analyzer_name, observable_classification, observable_name,
+                            report)
+        elif dns_type == 'classic':
+            _classic_dns(job_id, analyzer_name, observable_classification, observable_name, report)
+        else:
+            raise AnalyzerConfigurationException(f'Service selected: {dns_type} is not available')
+
+    except (AnalyzerConfigurationException, AnalyzerRunException) as e:
+        error_message = f"job_id:{job_id} analyzer:{analyzer_name} " \
+                        f"observable_name:{observable_name} Analyzer error {e}"
+        logger.error(error_message)
+        report['errors'].append(error_message)
+        report['success'] = False
+    except Exception as e:
+        traceback.print_exc()
+        error_message = f"job_id:{job_id} analyzer:{analyzer_name} " \
+                        f"observable_name:{observable_name} Unexpected error {e}"
+        logger.exception(error_message)
+        report['errors'].append(str(e))
+        report['success'] = False
+
+    general.set_report_and_cleanup(job_id, report)
+
+    logger.info(f"ended analyzer {analyzer_name} job_id {job_id} observable {observable_name}")
+
+    return report
+
+
+def _doh_google(job_id, analyzer_name, observable_classification, observable_name, report):
+    if observable_classification == 'domain':
+        try:
+            params = {
+                "name": observable_name,
+                # this filter should work but it is not
+                "type": 1
+            }
+            response = requests.get('https://dns.google.com/resolve', params=params)
+            response.raise_for_status()
+            data = response.json()
+            ip = ''
+            answers = data.get("Answer", [])
+            for answer in answers:
+                if answer.get('type', 1) == 1:
+                    ip = answer.get('data', 'NXDOMAIN')
+                    break
+            if not ip:
+                logger.error(f"observable {observable_name} active_dns query retrieved no valid A answer: {answers}")
+            report['report'] = {'name': observable_name, 'resolution': ip}
+            report['success'] = True
+        except requests.exceptions.RequestException as error:
+            error_message = f"job_id:{job_id}, analyzer:{analyzer_name}, " \
+                            f"observable_classification:{observable_classification}, " \
+                            f"observable_name:{observable_name}, RequestException {error}"
+            logger.error(error_message)
+            report['errors'].append(error_message)
+            report['success'] = False
+    else:
+        error_message = f"job_id:{job_id}, analyzer:{analyzer_name}, " \
+                        f"observable_classification:{observable_classification}, " \
+                        f"observable_name:{observable_name}, " \
+                        f"cannot analyze something different from domain"
+        logger.error(error_message)
+        report['errors'].append(error_message)
+        report['success'] = False
+
+
+def _doh_cloudflare(job_id, analyzer_name, observable_classification, observable_name, report):
+    if observable_classification == 'domain':
+        try:
+            client = requests.session()
+            params = {
+                'name': observable_name,
+                'type': 'A',
+                'ct': 'application/dns-json',
+            }
+            response = client.get('https://cloudflare-dns.com/dns-query', params=params)
+            response.raise_for_status()
+            response_dict = response.json()
+            response_answer = response_dict.get('Answer', [])
+            # first resolution or NXDOMAIN if domain does not exist
+            result_data = response_answer[0].get('data', 'NXDOMAIN') if response_answer else 'NXDOMAIN'
+            report['report'] = {'name': observable_name, 'resolution': result_data}
+            report['success'] = True
+        except requests.exceptions.RequestException as error:
+            error_message = f"job_id:{job_id}, analyzer:{analyzer_name}, " \
+                            f"observable_classification:{observable_classification}, " \
+                            f"observable_name:{observable_name}, RequestException {error}"
+            logger.error(error_message)
+            report['errors'].append(error_message)
+            report['success'] = False
+    else:
+        error_message = f"job_id:{job_id}, analyzer:{analyzer_name}, " \
+                        f"observable_classification:{observable_classification}, " \
+                        f"observable_name:{observable_name}, " \
+                        f"cannot analyze something different from domain"
+        logger.error(error_message)
+        report['errors'].append(error_message)
+        report['success'] = False
+
+
+def _classic_dns(job_id, analyzer_name, observable_classification, observable_name, report):
+    result = {}
+    if observable_classification == 'ip':
+        ipaddress.ip_address(observable_name)
+        try:
+            domains = socket.gethostbyaddr(observable_name)
+            # return a tuple (hostname, aliaslist, ipaddrlist), select hostname
+            # if does not exist return socket.herror
+            if domains:
+                resolution = domains[0]
+        except socket.herror:
+            resolution = ''
+        result = {'name': observable_name, 'resolution': resolution}
+    elif observable_classification == 'domain':
+        try:
+            resolution = socket.gethostbyname(observable_name)
+        except socket.gaierror:
+            resolution = 'NXDOMAIN'
+        result = {'name': observable_name, 'resolution': resolution}
+    else:
+        error_message = f"job_id:{job_id}, analyzer:{analyzer_name}, " \
+                        f"observable_classification: {observable_classification}, " \
+                        f"observable_name:{observable_name}, not analyzable"
+        logger.error(error_message)
+        report['errors'].append(error_message)
+        report['success'] = False
+
+    report['report'] = result
+    report['success'] = True

api_app/script_analyzers/observable_analyzers/honeydb_twitter_scan.py renamed to api_app/script_analyzers/observable_analyzers/auth0.py

@@ -15,24 +15,22 @@ def run(analyzer_name, job_id, observable_name, observable_classification, addit
                 "".format(analyzer_name, job_id, observable_name))
     report = general.get_basic_report_template(analyzer_name)
     try:
-        api_key_name = additional_config_params.get('api_key_name', 'HONEYDB_API_KEY')
-        api_id_name = additional_config_params.get('api_id_name', 'HONEYDB_API_ID')
+        api_key_name = additional_config_params.get('api_key_name', '')
+        if not api_key_name:
+            api_key_name = "AUTH0_KEY"
         api_key = secrets.get_secret(api_key_name)
-        api_id = secrets.get_secret(api_id_name)
         if not api_key:
-            raise AnalyzerRunException("no HoneyDB API Key retrieved")
-        if not api_id:
-            raise AnalyzerRunException("no HoneyDB API ID retrieved")
+            raise AnalyzerRunException("no api key retrieved")
 
         headers = {
-            'X-HoneyDb-ApiKey': api_key,
-            'X-HoneyDb-ApiId': api_id
+            'X-Auth-Token': api_key
         }
-        url = f'https://honeydb.io/api/twitter-threat-feed/{observable_name}'
+        url = 'https://signals.api.auth0.com/v2.0/ip/{}'.format(observable_name)
         response = requests.get(url, headers=headers)
         response.raise_for_status()
 
         json_response = response.json()
+        # pprint.pprint(json_response)
         report['report'] = json_response
     except AnalyzerRunException as e:
         error_message = "job_id:{} analyzer:{} observable_name:{} Analyzer error {}" \
@@ -55,4 +53,5 @@ def run(analyzer_name, job_id, observable_name, observable_classification, addit
     logger.info("ended analyzer {} job_id {} observable {}"
                 "".format(analyzer_name, job_id, observable_name))
 
-    return report
+    return report
+