Merge pull request #49 from certego/develop

mainly added "run_all_available_analyzers" option + get_analyzer_conf API

Author: mlodic

.lgtm.yml

@@ -10,7 +10,6 @@ queries:
   - include: py/unused-global-variable
   - include: py/hardcoded-credentials
   - include: py/import-of-mutable-attribute
-  - include: py/cyclic-import
   - include: py/empty-except
   - include: py/unnecessary-lambda
   - include: py/print-during-import

README.md

@@ -45,11 +45,13 @@ Main features:
 * Intezer
 * Farsight DNSDB
 * Hunter.io - Email Hunting
+* ONYPHE 
+* Censys.io
 #### required free api key
 * GoogleSafeBrowsing
 * AbuseIPDB
 * Shodan
-* HoneyDB - Twitter Threat Feed Scan
+* HoneyDB
 * AlienVault OTX
 * MaxMind
 #### needed access request
@@ -60,6 +62,8 @@ Main features:
 * Talos Reputation
 * Tor Project
 * Robtex
+* Threatminer
+* Abuse.ch MalwareBazaar
 
 ### Documentation
 [![Documentation Status](https://readthedocs.org/projects/intelowl/badge/?version=latest)](https://intelowl.readthedocs.io/en/latest/?badge=latest)

api_app/models.py

@@ -19,7 +19,8 @@ class Job(models.Model):
     file_name = models.CharField(max_length=50, blank=True)
     file_mimetype = models.CharField(max_length=50, blank=True)
     status = models.CharField(max_length=50, blank=False, choices=STATUS, default="pending")
-    analyzers_requested = postgres_fields.ArrayField(models.CharField(max_length=900), blank=False)
+    analyzers_requested = postgres_fields.ArrayField(models.CharField(max_length=900), blank=True, default=list)
+    run_all_available_analyzers = models.BooleanField(blank=False, default=False)
     analyzers_to_execute = postgres_fields.ArrayField(models.CharField(max_length=900), blank=True, default=list)
     analysis_reports = postgres_fields.JSONField(default=list, null=True, blank=True)
     received_request_time = models.DateTimeField(auto_now_add=True)

api_app/script_analyzers/file_analyzers/cuckoo_scan.py

@@ -117,7 +117,7 @@ def _cuckoo_poll_result(cuckoo_analysis, filename, md5, additional_config_params
     logger.info("polling result for {} {}, task_id {}".format(filename, md5, cuckoo_analysis.task_id))
 
     # poll for the result
-    max_get_tries = additional_config_params.get('max_poll_tries', 50)
+    max_get_tries = additional_config_params.get('max_poll_tries', 20)
     poll_time = 15
     get_success = False
     for chance in range(max_get_tries):

api_app/script_analyzers/observable_analyzers/censys.py

@@ -0,0 +1,71 @@
+import traceback
+import logging
+import requests
+
+from api_app.exceptions import AnalyzerRunException
+from api_app.script_analyzers import general
+from intel_owl import secrets
+
+logger = logging.getLogger(__name__)
+
+base_url = 'https://www.censys.io/api/v1'
+
+
+def run(analyzer_name, job_id, observable_name, observable_classification, additional_config_params):
+    logger.info("started analyzer {} job_id {} observable {}"
+                "".format(analyzer_name, job_id, observable_name))
+    report = general.get_basic_report_template(analyzer_name)
+    try:
+        api_id_name = additional_config_params.get('api_id_name', '')
+        api_secret_name = additional_config_params.get('api_secret_name', '')
+        if not api_id_name:
+            api_id_name = "CENSYS_API_ID"
+            api_secret_name = "CENSYS_API_SECRET"
+        api_id = secrets.get_secret(api_id_name)
+        api_secret = secrets.get_secret(api_secret_name)
+        if not (api_id and api_secret):
+            raise AnalyzerRunException("no api credentials retrieved")
+
+        result = _censys_get_report((api_id, api_secret), observable_name, observable_classification,
+                                    additional_config_params)
+
+        # pprint.pprint(result)
+        report['report'] = result        
+    except AnalyzerRunException as e:
+        error_message = "job_id:{} analyzer:{} observable_name:{} Analyzer error {}" \
+                        "".format(job_id, analyzer_name, observable_name, e)
+        logger.error(error_message)
+        report['errors'].append(error_message)
+        report['success'] = False
+    except Exception as e:
+        traceback.print_exc()
+        error_message = "job_id:{} analyzer:{} observable_name:{} Unexpected error {}" \
+                        "".format(job_id, analyzer_name, observable_name, e)
+        logger.exception(error_message)
+        report['errors'].append(str(e))
+        report['success'] = False
+    else:
+        report['success'] = True
+
+    general.set_report_and_cleanup(job_id, report)
+
+    logger.info("ended analyzer {} job_id {} observable {}"
+                "".format(analyzer_name, job_id, observable_name))
+
+    return report
+
+
+def _censys_get_report(api_creds, observable_name, observable_classification, additional_config_params):
+    censys_analysis = additional_config_params.get('censys_analysis', 'search')
+    if censys_analysis == 'search':
+        uri = '/view/ipv4/{}'.format(observable_name)
+    else:
+        raise AnalyzerRunException("not supported observable type {}. Supported is IP"
+                                   "".format(observable_classification))        
+    try:
+        response = requests.get(base_url + uri, auth=api_creds)
+        response.raise_for_status()
+    except requests.RequestException as e:
+        raise AnalyzerRunException(e)
+    result = response.json()
+    return result

api_app/script_analyzers/observable_analyzers/mb_get.py

@@ -0,0 +1,55 @@
+import traceback
+import requests
+
+from celery.utils.log import get_task_logger
+
+from api_app.exceptions import AnalyzerRunException
+from api_app.script_analyzers import general
+
+logger = get_task_logger(__name__)
+
+
+def run(analyzer_name, job_id, observable_name, observable_classification, additional_config_params):
+    logger.info("started analyzer {} job_id {} observable {}"
+                "".format(analyzer_name, job_id, observable_name))
+    report = general.get_basic_report_template(analyzer_name)
+    try:
+        if observable_classification=="hash":
+            filehash = observable_name
+        else: 
+            raise AnalyzerRunException(f"not supported observable type {observable_classification}. Supported: hash only")
+
+        post_data = {
+            "query": "get_info",
+            "hash": filehash
+        }
+
+        url = 'https://mb-api.abuse.ch/api/v1/'
+        response = requests.post(url, data=post_data)
+        response.raise_for_status()
+
+        json_response = response.json()
+        report['report'] = json_response
+      
+    except AnalyzerRunException as e:
+        error_message = "job_id:{} analyzer:{} observable_name:{} Analyzer error {}" \
+                        "".format(job_id, analyzer_name, observable_name, e)
+        logger.error(error_message)
+        report['errors'].append(error_message)
+        report['success'] = False
+    except Exception as e:
+        traceback.print_exc()
+        error_message = "job_id:{} analyzer:{} observable_name:{} Unexpected error {}" \
+                        "".format(job_id, analyzer_name, observable_name, e)
+        logger.exception(error_message)
+        report['errors'].append(str(e))
+        report['success'] = False
+    else:
+        report['success'] = True
+
+    general.set_report_and_cleanup(job_id, report)
+
+    logger.info("ended analyzer {} job_id {} observable {}"
+                "".format(analyzer_name, job_id, observable_name))
+
+    return report

api_app/script_analyzers/observable_analyzers/onyphe.py

@@ -0,0 +1,73 @@
+import traceback
+
+import requests
+from celery.utils.log import get_task_logger
+
+from api_app.exceptions import AnalyzerRunException
+from api_app.script_analyzers import general
+from intel_owl import secrets
+
+logger = get_task_logger(__name__)
+
+base_url = "https://www.onyphe.io/api/v2/summary/"
+
+
+def run(analyzer_name, job_id, observable_name, observable_classification, additional_config_params):
+    logger.info("started analyzer {} job_id {} observable {}"
+                "".format(analyzer_name, job_id, observable_name))
+    report = general.get_basic_report_template(analyzer_name)
+    try:
+        api_key_name = additional_config_params.get('api_key_name', 'ONYPHE_KEY')
+        api_key = secrets.get_secret(api_key_name)
+        if not api_key:
+            raise AnalyzerRunException("no ONYPHE's API key retrieved")
+
+        result = _onyphe_get_report(api_key, observable_name, observable_classification)
+
+        report['report'] = result
+
+    except AnalyzerRunException as e:
+        error_message = "job_id:{} analyzer:{} observable_name:{} Analyzer error {}" \
+                        "".format(job_id, analyzer_name, observable_name, e)
+        logger.error(error_message)
+        report['errors'].append(error_message)
+        report['success'] = False
+    except Exception as e:
+        traceback.print_exc()
+        error_message = "job_id:{} analyzer:{} observable_name:{} Unexpected error {}" \
+                        "".format(job_id, analyzer_name, observable_name, e)
+        logger.exception(error_message)
+        report['errors'].append(str(e))
+        report['success'] = False
+    else:
+        report['success'] = True
+
+    general.set_report_and_cleanup(job_id, report)
+
+    logger.info("ended analyzer {} job_id {} observable {}"
+                "".format(analyzer_name, job_id, observable_name))
+
+    return report
+
+
+def _onyphe_get_report(api_key, observable_name, observable_classification):
+    headers = {
+        'Authorization': f'apikey {api_key}',
+        'Content-Type': 'application/json'
+    }
+    if observable_classification == 'domain':
+        uri = f'domain/{observable_name}'
+    elif observable_classification == 'ip':
+        uri = f'ip/{observable_name}'
+    elif observable_classification == 'url':
+        uri = f'hostname/{observable_name}'
+    else:
+        raise AnalyzerRunException(f"not supported observable type {observable_classification}. Supported are: ip, domain and url.")
+
+    try:
+        response = requests.get(base_url + uri, headers=headers)
+        response.raise_for_status()
+    except requests.RequestException as e:
+        raise AnalyzerRunException(e)
+    result = response.json()
+    return result

api_app/script_analyzers/observable_analyzers/threatminer.py

@@ -0,0 +1,63 @@
+import traceback
+import logging
+import requests
+
+from api_app.exceptions import AnalyzerRunException
+from api_app.script_analyzers import general
+
+logger = logging.getLogger(__name__)
+
+base_url = "https://api.threatminer.org/v2/"
+
+
+def run(analyzer_name, job_id, observable_name, observable_classification, additional_config_params):
+    logger.info("started analyzer {} job_id {} observable {}"
+                "".format(analyzer_name, job_id, observable_name))
+    report = general.get_basic_report_template(analyzer_name)
+    try:
+        rt_value = additional_config_params.get('rt_value', '')
+        params = {
+            'q': observable_name
+        }
+        if rt_value:
+            params['rt'] = rt_value
+
+        if observable_classification == 'domain':
+            uri = 'domain.php'
+        elif observable_classification == 'ip':
+            uri = 'host.php'
+        else:
+            raise AnalyzerRunException("not supported observable type {}. Supported are IP and Domain"
+                                       "".format(observable_classification))
+        
+        try:
+            response = requests.get(base_url + uri, params=params)
+            response.raise_for_status()
+        except requests.RequestException as e:
+            raise AnalyzerRunException(e)
+        result = response.json()
+
+        # pprint.pprint(result)
+        report['report'] = result
+    except AnalyzerRunException as e:
+        error_message = "job_id:{} analyzer:{} observable_name:{} Analyzer error {}" \
+                        "".format(job_id, analyzer_name, observable_name, e)
+        logger.error(error_message)
+        report['errors'].append(error_message)
+        report['success'] = False
+    except Exception as e:
+        traceback.print_exc()
+        error_message = "job_id:{} analyzer:{} observable_name:{} Unexpected error {}" \
+                        "".format(job_id, analyzer_name, observable_name, e)
+        logger.exception(error_message)
+        report['errors'].append(str(e))
+        report['success'] = False
+    else:
+        report['success'] = True
+
+    general.set_report_and_cleanup(job_id, report)
+
+    logger.info("ended analyzer {} job_id {} observable {}"
+                "".format(analyzer_name, job_id, observable_name))
+
+    return report

api_app/utilities.py

@@ -32,9 +32,9 @@ def file_directory_path(instance, filename):
     return 'job_{}_{}'.format(get_now_str(), filename)
 
 
-def filter_analyzers(serialized_data, analyzers_config, warnings):
+def filter_analyzers(serialized_data, analyzers_requested, analyzers_config, warnings, run_all=False):
     cleaned_analyzer_list = []
-    for analyzer in serialized_data['analyzers_requested']:
+    for analyzer in analyzers_requested:
         try:
             if analyzer not in analyzers_config:
                 raise NotRunnableAnalyzer("{} not available in configuration".format(analyzer))
@@ -65,8 +65,12 @@ def filter_analyzers(serialized_data, analyzers_config, warnings):
             if serialized_data['disable_external_analyzers'] and analyzers_config[analyzer].get('external_service', ''):
                 raise NotRunnableAnalyzer("{} won't be run because you filtered external analyzers".format(analyzer))
         except NotRunnableAnalyzer as e:
-            logger.warning(e)
-            warnings.append(str(e))
+            if run_all:
+                # in this case, they are not warnings but excepted and wanted behavior
+                logger.debug(e)
+            else:
+                logger.warning(e)
+                warnings.append(str(e))
         else:
             cleaned_analyzer_list.append(analyzer)