CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-15 05:32:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add UrlHaus analyzer and helpers script

Browse Source
This commit is contained in:
Wes Lambert
2022-04-01 21:11:57 +00:00
parent 2dc370c8b6
commit 39101cafd1
5 changed files with 78 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
salt/sensoroni/files/analyzers/helpers.py Normal file
View File

@@ -0,0 +1,24 @@
import os
import json
import inspect
def checkSupportedType(meta, artifact_type):
if artifact_type not in meta['supportedTypes']:
sys.exit("No supported type detected!")
else:
return True
def loadData(artifact):
request_data = json.loads(artifact)
artifact_value = request_data['value']
artifact_type = request_data['artifactType']
return artifact_type, artifact_value
def loadMeta(file):
dir = os.path.dirname(os.path.realpath(file))
filename = os.path.realpath(file).rsplit('/', 1)[1].split('.')[0]
with open(str(dir + "/" + filename + ".json"), "r") as metafile:
return json.load(metafile)

0
salt/sensoroni/files/analyzers/urlhaus/__init__.py Normal file
View File

2
salt/sensoroni/files/analyzers/urlhaus/requirements.txt Normal file
View File

@@ -0,0 +1,2 @@
requests>=2.27.1
pyyaml

8
salt/sensoroni/files/analyzers/urlhaus/urlhaus.json Normal file
View File

@@ -0,0 +1,8 @@
{
"name": "Urlhaus",
"version": "0.1",
"author": "Wes",
"description": "This analyzer queries URLHaus to see if a URL is consdered malicious",
"supportedTypes" : ["url"],
"baseUrl": "https://urlhaus-api.abuse.ch/v1/url/"
}

44
salt/sensoroni/files/analyzers/urlhaus/urlhaus.py Normal file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/python3
import json
import requests
import sys
import helpers
def buildReq(meta, artifact_value):
base_url = meta['baseUrl']
url = base_url
payload = {"url": artifact_value}
return payload, url
def sendReq(meta, payload, url):
response = requests.request('POST', url, data=payload)
raw = response.json()
if raw['query_status'] == "no_results":
summaryinfo = "No results available."
elif raw['query_status'] == "invalid_url":
summaryinfo = "Invalid URL."
if 'threat' in raw:
threat = raw['threat']
if threat == 'malware_download':
summaryinfo = "Threat: Malware"
else:
summaryinfo = threat
summary = summaryinfo
results = {'response': raw, 'summary': summary}
print(json.dumps(results))
def main():
meta = helpers.loadMeta(__file__)
data = helpers.loadData(sys.argv[1])
helpers.checkSupportedType(meta, data[0])
request = buildReq(meta, data[1])
payload = request[0]
url = request[1]
sendReq(meta, payload, url)
if __name__ == "__main__":
main()