Add UrlHaus analyzer and helpers script

2025-12-15 13:42:48 +01:00 · 2022-04-01 21:11:57 +00:00
parent 2dc370c8b6
commit 39101cafd1
5 changed files with 78 additions and 0 deletions
--- a/salt/sensoroni/files/analyzers/helpers.py
+++ b/salt/sensoroni/files/analyzers/helpers.py
@@ -0,0 +1,24 @@
+import os
+import json
+import inspect
+
+def checkSupportedType(meta, artifact_type):
+    if artifact_type not in meta['supportedTypes']:
+        sys.exit("No supported type detected!")
+    else:
+        return True
+
+
+def loadData(artifact):
+    request_data = json.loads(artifact)
+    artifact_value = request_data['value']
+    artifact_type = request_data['artifactType']
+    return artifact_type, artifact_value
+
+
+def loadMeta(file):
+    dir = os.path.dirname(os.path.realpath(file))
+    filename = os.path.realpath(file).rsplit('/', 1)[1].split('.')[0]
+    with open(str(dir + "/" + filename + ".json"), "r") as metafile:
+        return json.load(metafile)
+    
--- a/salt/sensoroni/files/analyzers/urlhaus/init.py
+++ b/salt/sensoroni/files/analyzers/urlhaus/init.py
--- a/salt/sensoroni/files/analyzers/urlhaus/requirements.txt
+++ b/salt/sensoroni/files/analyzers/urlhaus/requirements.txt
@@ -0,0 +1,2 @@
+requests>=2.27.1
+pyyaml
--- a/salt/sensoroni/files/analyzers/urlhaus/urlhaus.json
+++ b/salt/sensoroni/files/analyzers/urlhaus/urlhaus.json
@@ -0,0 +1,8 @@
+{
+  "name": "Urlhaus",
+  "version": "0.1",
+  "author": "Wes",
+  "description": "This analyzer queries URLHaus to see if a URL is consdered malicious",
+  "supportedTypes" :  ["url"],
+  "baseUrl": "https://urlhaus-api.abuse.ch/v1/url/"
+}
--- a/salt/sensoroni/files/analyzers/urlhaus/urlhaus.py
+++ b/salt/sensoroni/files/analyzers/urlhaus/urlhaus.py
@@ -0,0 +1,44 @@
+#!/usr/bin/python3
+import json
+import requests
+import sys
+import helpers
+
+
+def buildReq(meta, artifact_value):
+    base_url = meta['baseUrl']
+    url = base_url
+    payload = {"url": artifact_value}
+    return payload, url
+
+
+def sendReq(meta, payload, url):
+    response = requests.request('POST', url, data=payload)
+    raw = response.json()
+    if raw['query_status'] == "no_results":
+        summaryinfo = "No results available."
+    elif raw['query_status'] == "invalid_url":
+        summaryinfo = "Invalid URL."
+    if 'threat' in raw:
+        threat = raw['threat']
+        if threat == 'malware_download':
+            summaryinfo = "Threat: Malware"
+        else:
+            summaryinfo = threat
+    summary = summaryinfo
+    results = {'response': raw, 'summary': summary}
+    print(json.dumps(results))
+
+
+def main():
+    meta = helpers.loadMeta(__file__)
+    data = helpers.loadData(sys.argv[1])
+    helpers.checkSupportedType(meta, data[0])
+    request = buildReq(meta, data[1])
+    payload = request[0]
+    url = request[1]
+    sendReq(meta, payload, url)
+
+
+if __name__ == "__main__":
+    main()