CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Make sure everything is added back after renaming mhr to malwarehashregistry

Browse Source
This commit is contained in:
Wes Lambert
2022-05-31 11:42:26 +00:00
parent c82aa89497
commit 7f30a364ee
12 changed files with 167 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
salt/sensoroni/files/analyzers/malwarehashregistry/malwarehashregistry.py Executable file
View File

@@ -0,0 +1,65 @@
import json
import helpers
import argparse
import datetime
from whois import NICClient
def sendReq(hash):
server = "hash.cymru.com"
flags = 0
options = {"whoishost": server}
nic_client = NICClient()
response = nic_client.whois_lookup(options, hash, flags).rstrip()
hash = response.split(' ')[0]
lastSeen = response.split(' ')[1]
if lastSeen == "NO_DATA":
avPct = 0
else:
avPct = response.split(' ')[2]
lastSeen = datetime.datetime.fromtimestamp(int(lastSeen)).strftime("%Y-%d-%m %H:%M:%S")
raw = {"hash": hash, "last_seen": lastSeen, "av_detection_percentage": int(avPct)}
return raw
def prepareResults(raw):
if raw and "last_seen" in raw:
if raw["last_seen"] == "NO_DATA":
status = "ok"
summary = "no_results"
elif raw["av_detection_percentage"] < 1:
status = "ok"
summary = "harmless"
elif raw["av_detection_percentage"] in range(1, 50):
status = "caution"
summary = "suspicious"
elif raw["av_detection_percentage"] in range(51, 100):
status = "threat"
summary = "malicious"
else:
status = "caution"
summary = "internal_failure"
results = {'response': raw, 'summary': summary, 'status': status}
return results
def analyze(input):
meta = helpers.loadMetadata(__file__)
data = helpers.parseArtifact(input)
helpers.checkSupportedType(meta, data["artifactType"])
response = sendReq(data["value"])
return prepareResults(response)
def main():
parser = argparse.ArgumentParser(description='Search Team Cymru Malware Hash Registry for a given artifact')
parser.add_argument('artifact', help='the artifact represented in JSON format')
args = parser.parse_args()
if args.artifact:
results = analyze(args.artifact)
print(json.dumps(results))
if __name__ == "__main__":
main()