diff --git a/salt/sensoroni/defaults.yaml b/salt/sensoroni/defaults.yaml
index 6e67f1918..bd74da7ec 100644
--- a/salt/sensoroni/defaults.yaml
+++ b/salt/sensoroni/defaults.yaml
@@ -51,6 +51,8 @@ sensoroni:
   live_flow: False
   mailbox_email_address:
   message_source_id:
+threatfox:
+  api_key:
 urlscan:
   base_url: https://urlscan.io/api/v1/
   api_key:
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2023.11.17-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2023.11.17-py3-none-any.whl
deleted file mode 100644
index de0787f64..000000000
Binary files a/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2023.11.17-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2025.8.3-py3-none-any.whl
new file mode 100644
index 000000000..b4158ec67
Binary files /dev/null and b/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2025.8.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index 666649ed2..000000000
Binary files a/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..a8f2bd0c4
Binary files /dev/null and b/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.10-py3-none-any.whl
new file mode 100644
index 000000000..52759bdd2
Binary files /dev/null and b/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.10-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.6-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.6-py3-none-any.whl
deleted file mode 100644
index fdf65ae30..000000000
Binary files a/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.6-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/requests-2.31.0-py3-none-any.whl
deleted file mode 100644
index bfd5d2ea9..000000000
Binary files a/salt/sensoroni/files/analyzers/threatfox/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/requests-2.32.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/requests-2.32.5-py3-none-any.whl
new file mode 100644
index 000000000..58c3d6a25
Binary files /dev/null and b/salt/sensoroni/files/analyzers/threatfox/source-packages/requests-2.32.5-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.1.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.1.0-py3-none-any.whl
deleted file mode 100644
index 0951ac354..000000000
Binary files a/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.1.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.5.0-py3-none-any.whl
new file mode 100644
index 000000000..81b580f1c
Binary files /dev/null and b/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.5.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/threatfox.json b/salt/sensoroni/files/analyzers/threatfox/threatfox.json
index 076e7619d..2ae3ca909 100644
--- a/salt/sensoroni/files/analyzers/threatfox/threatfox.json
+++ b/salt/sensoroni/files/analyzers/threatfox/threatfox.json
@@ -1,6 +1,6 @@
 {
   "name": "Threatfox",
-  "version": "0.1",
+  "version": "0.2",
   "author": "Security Onion Solutions",
   "description": "This analyzer queries Threatfox to see if a domain, hash, or IP is considered malicious.",
   "supportedTypes" : ["domain","hash","ip"],
diff --git a/salt/sensoroni/files/analyzers/threatfox/threatfox.py b/salt/sensoroni/files/analyzers/threatfox/threatfox.py
index 134ad99ec..a20f072ed 100644
--- a/salt/sensoroni/files/analyzers/threatfox/threatfox.py
+++ b/salt/sensoroni/files/analyzers/threatfox/threatfox.py
@@ -2,6 +2,8 @@ import requests
 import helpers
 import json
 import sys
+import argparse
+import os
 
 
 def buildReq(observ_type, observ_value):
@@ -13,10 +15,20 @@ def buildReq(observ_type, observ_value):
     return qterms
 
 
-def sendReq(meta, query):
+def checkConfigRequirements(conf):
+    if not conf.get('api_key'):
+        sys.exit(126)
+    else:
+        return True
+
+
+def sendReq(conf, meta, query):
     # send a post request based off of our compiled query
     url = meta['baseUrl']
-    response = requests.post(url, json.dumps(query))
+    headers = {}
+    if conf.get('api_key'):
+        headers['Auth-Key'] = conf['api_key']
+    response = requests.post(url, json.dumps(query), headers=headers)
     return response.json()
 
 
@@ -51,23 +63,30 @@ def prepareResults(raw):
     return results
 
 
-def analyze(input):
+def analyze(conf, input):
     # put all of our methods together, pass them input, and return
     # properly formatted json/python dict output
-    data = json.loads(input)
+    checkConfigRequirements(conf)
     meta = helpers.loadMetadata(__file__)
+    data = helpers.parseArtifact(input)
     helpers.checkSupportedType(meta, data["artifactType"])
     query = buildReq(data['artifactType'], data['value'])
-    response = sendReq(meta, query)
+    response = sendReq(conf, meta, query)
     return prepareResults(response)
 
 
 def main():
-    if len(sys.argv) == 2:
-        results = analyze(sys.argv[1])
+    dir = os.path.dirname(os.path.realpath(__file__))
+    parser = argparse.ArgumentParser(
+        description='Search ThreatFox for a given artifact')
+    parser.add_argument(
+        'artifact', help='the artifact represented in JSON format')
+    parser.add_argument('-c', '--config', metavar='CONFIG_FILE', default=dir + '/threatfox.yaml',
+                        help='optional config file to use instead of the default config file')
+    args = parser.parse_args()
+    if args.artifact:
+        results = analyze(helpers.loadConfig(args.config), args.artifact)
         print(json.dumps(results))
-    else:
-        print("ERROR: Input is not in proper JSON format")
 
 
 if __name__ == '__main__':
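Review bot: `checkConfigRequirements` exits with status 126 and prints nothing when `api_key` is empty or absent, so whoever runs the analyzer sees only a bare exit code where the removed `main` branch at least printed an ERROR line; add `print("ERROR: threatfox api_key is not configured", file=sys.stderr)` before the `sys.exit(126)`. The rewritten `requests.post(url, json.dumps(query), headers=headers)` still passes no `timeout=`, so a stalled ThreatFox endpoint blocks the analyzer indefinitely; `timeout=30` (value illustrative) bounds that wait. The `if conf.get('api_key')` guard in `sendReq` repeats the check just made in `checkConfigRequirements`; since the key is now mandatory, `headers = {'Auth-Key': conf['api_key']}` is simpler and makes the requirement visible at the call site.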
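Review bot: In `main`, `dir` shadows the builtin and the default config path is built by string concatenation; prefer `script_dir = os.path.dirname(os.path.realpath(__file__))` with `default=os.path.join(script_dir, 'threatfox.yaml')`. `if args.artifact:` is nearly always true because `artifact` is a required positional, so the only input it filters is an empty string, and that case now exits 0 with no output where the old code printed `ERROR: Input is not in proper JSON format`; either drop the guard and let `helpers.parseArtifact` (presumably) report the bad input, or print an error to stderr and exit non-zero. Calling `checkConfigRequirements(conf)` from inside `analyze` means a missing key terminates the process from library code, which makes `analyze` awkward to unit-test; moving that call to `main` keeps the same CLI behaviour. The trailing `if __name__ == '__main__':` block continues outside the hunk.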
diff --git a/salt/sensoroni/files/analyzers/threatfox/threatfox.yaml b/salt/sensoroni/files/analyzers/threatfox/threatfox.yaml
new file mode 100644
index 000000000..051fc8e74
--- /dev/null
+++ b/salt/sensoroni/files/analyzers/threatfox/threatfox.yaml
@@ -0,0 +1 @@
+api_key: "{{ salt['pillar.get']('sensoroni:analyzers:threatfox:api_key', '') }}"
\ No newline at end of file
diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml
index d97a35bbd..6326e90da 100644
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
@@ -263,6 +263,14 @@ sensoroni:
     sensitive: False
     advanced: True
     forcedType: string
+threatfox:
+  api_key:
+    description: API key for the threatfox analyzer.
+    helpLink: sensoroni.html
+    global: False
+    sensitive: True
+    advanced: False
+    forcedType: string
 urlscan:
   api_key:
     description: API key for the Urlscan analyzer.
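Review bot: `threatfox.yaml` renders the pillar secret into a plaintext file beside the analyzer, and the Salt state that deploys it is not in this diff; since `soc_sensoroni.yaml` marks the key `sensitive: True`, confirm the managed file is written with a restrictive mode and owner rather than inheriting whatever the analyzer directory gets. The `''` fallback is what lets the analyzer's `checkConfigRequirements` treat an unset pillar key as missing, which deserves a comment in the template, e.g. `# empty when the pillar key is unset; the analyzer refuses to run without it`. The rendered value is dropped inside YAML double quotes, so a key containing `"` or `\` would break the file; ThreatFox keys are presumably plain alphanumerics, but a YAML-safe encoding filter such as Salt's `yaml_encode` would remove the assumption.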