threatfox dep upgrade + use auth for api access

salt/sensoroni/defaults.yaml

@@ -51,6 +51,8 @@ sensoroni:
         live_flow: False
         mailbox_email_address:
         message_source_id:
+      threatfox:
+        api_key:
       urlscan:
         base_url: https://urlscan.io/api/v1/
         api_key:

salt/sensoroni/files/analyzers/threatfox/threatfox.json

@@ -1,6 +1,6 @@
 {
   "name": "Threatfox",
-  "version": "0.1",
+  "version": "0.2",
   "author": "Security Onion Solutions",
   "description": "This analyzer queries Threatfox to see if a domain, hash, or IP is considered malicious.",
   "supportedTypes" :  ["domain","hash","ip"],

salt/sensoroni/files/analyzers/threatfox/threatfox.py

@@ -2,6 +2,8 @@ import requests
 import helpers
 import json
 import sys
+import argparse
+import os
 
 
 def buildReq(observ_type, observ_value):
@@ -13,10 +15,20 @@ def buildReq(observ_type, observ_value):
     return qterms
 
 
-def sendReq(meta, query):
+def checkConfigRequirements(conf):
+    if not conf.get('api_key'):
+        sys.exit(126)
+    else:
+        return True
+
+
+def sendReq(conf, meta, query):
     # send a post request based off of our compiled query
     url = meta['baseUrl']
-    response = requests.post(url, json.dumps(query))
+    headers = {}
+    if conf.get('api_key'):
+        headers['Auth-Key'] = conf['api_key']
+    response = requests.post(url, json.dumps(query), headers=headers)
     return response.json()
 
 
@@ -51,23 +63,30 @@ def prepareResults(raw):
     return results
 
 
-def analyze(input):
+def analyze(conf, input):
     # put all of our methods together, pass them input, and return
     # properly formatted json/python dict output
-    data = json.loads(input)
+    checkConfigRequirements(conf)
     meta = helpers.loadMetadata(__file__)
+    data = helpers.parseArtifact(input)
     helpers.checkSupportedType(meta, data["artifactType"])
     query = buildReq(data['artifactType'], data['value'])
-    response = sendReq(meta, query)
+    response = sendReq(conf, meta, query)
     return prepareResults(response)
 
 
 def main():
-    if len(sys.argv) == 2:
+    dir = os.path.dirname(os.path.realpath(__file__))
-        results = analyze(sys.argv[1])
+    parser = argparse.ArgumentParser(
+        description='Search ThreatFox for a given artifact')
+    parser.add_argument(
+        'artifact', help='the artifact represented in JSON format')
+    parser.add_argument('-c', '--config', metavar='CONFIG_FILE', default=dir + '/threatfox.yaml',
+                        help='optional config file to use instead of the default config file')
+    args = parser.parse_args()
+    if args.artifact:
+        results = analyze(helpers.loadConfig(args.config), args.artifact)
         print(json.dumps(results))
-    else:
-        print("ERROR: Input is not in proper JSON format")
 
 
 if __name__ == '__main__':

salt/sensoroni/files/analyzers/threatfox/threatfox.yaml

@@ -0,0 +1 @@
+api_key: "{{ salt['pillar.get']('sensoroni:analyzers:threatfox:api_key', '') }}"

salt/sensoroni/soc_sensoroni.yaml

@@ -263,6 +263,14 @@ sensoroni:
         sensitive: False
         advanced: True
         forcedType: string
+    threatfox:
+      api_key:
+        description: API key for the threatfox analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: True
+        advanced: False
+        forcedType: string
     urlscan:
       api_key:
         description: API key for the Urlscan analyzer.