diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml index 273430e7d..c85249fac 100644 --- a/.github/DISCUSSION_TEMPLATE/2-4.yml +++ b/.github/DISCUSSION_TEMPLATE/2-4.yml @@ -31,6 +31,7 @@ body: - 2.4.160 - 2.4.170 - 2.4.180 + - 2.4.190 - Other (please provide detail below) validations: required: true diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index 6b966957c..ec4e4657c 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,17 +1,17 @@ -### 2.4.170-20250812 ISO image released on 2025/08/12 +### 2.4.180-20250916 ISO image released on 2025/09/17 ### Download and Verify -2.4.170-20250812 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.170-20250812.iso +2.4.180-20250916 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.180-20250916.iso -MD5: 50ECAAD05736298452DECEAE074FA773 -SHA1: 1B1EB520DE61ECC4BF34E512DAFE307317D7666A -SHA256: 87D176A48A58BAD1C2D57196F999BED23DE9B526226E3754F0C166C866CCDC1A +MD5: DE93880E38DE4BE45D05A41E1745CB1F +SHA1: AEA6948911E50A4A38E8729E0E965C565402E3FC +SHA256: C9BD8CA071E43B048ABF9ED145B87935CB1D4BB839B2244A06FAD1BBA8EAC84A Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.170-20250812.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.180-20250916.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.170-20250812.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.180-20250916.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.170-20250812.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.180-20250916.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.170-20250812.iso.sig securityonion-2.4.170-20250812.iso +gpg --verify securityonion-2.4.180-20250916.iso.sig securityonion-2.4.180-20250916.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Fri 08 Aug 2025 06:24:56 PM EDT using RSA key ID FE507013 +gpg: Signature made Tue 16 Sep 2025 06:30:19 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/VERSION b/VERSION index 1ff799fad..3f8c50a50 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.180 +2.4.190 diff --git a/pillar/top.sls b/pillar/top.sls index b15038e5e..3557b8706 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -263,6 +263,8 @@ base: - kafka.nodes - kafka.soc_kafka - stig.soc_stig + - elasticfleet.soc_elasticfleet + - elasticfleet.adv_elasticfleet '*_import': - node_data.ips diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check index 72ece1919..e3768da46 100755 --- a/salt/common/tools/sbin/so-log-check +++ b/salt/common/tools/sbin/so-log-check 
@@ -268,6 +268,13 @@ for log_file in $(cat /tmp/log_check_files); do tail -n $RECENT_LOG_LINES $log_file > /tmp/log_check check_for_errors done +# Look for OOM specific errors in /var/log/messages which can lead to odd behavior / test failures +if [[ -f /var/log/messages ]]; then + status "Checking log file /var/log/messages" + if journalctl --since "24 hours ago" | grep -iE 'out of memory|oom-kill'; then + RESULT=1 + fi +fi # Cleanup temp files rm -f /tmp/log_check_files diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/elastic-agent-monitor.json b/salt/elasticfleet/files/integrations/grid-nodes_general/elastic-agent-monitor.json index 31b004a91..0be40a3d3 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/elastic-agent-monitor.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/elastic-agent-monitor.json @@ -21,7 +21,7 @@ "paths": [ "/opt/so/log/agents/agent-monitor.log" ], - "data_stream.dataset": "agent-monitor", + "data_stream.dataset": "agentmonitor", "pipeline": "elasticagent.monitor", "parsers": "", "exclude_files": [ @@ -36,7 +36,7 @@ "harvester_limit": 0, "fingerprint": true, "fingerprint_offset": 0, - "fingerprint_length": 1024, + "fingerprint_length": 64, "file_identity_native": false, "exclude_lines": [], "include_lines": [] diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update index b5d6e1bfe..43eef6ee9 100644 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update 
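Review bot: The new OOM check is gated on `/var/log/messages` existing but then reads `journalctl`, so the `status` line names a file that is never opened and a host without rsyslog silently skips the check entirely. Reading the journal without `-k` also matches any unit whose output contains the phrase "out of memory", not only kernel OOM-killer events, which is what the comment says it is looking for. Consider `journalctl -k --since "24 hours ago" | grep -iE 'out of memory|oom-kill'` guarded by `if command -v journalctl >/dev/null 2>&1; then`, or grep `/var/log/messages` itself if that file is the intended source. The `for log_file` loop this follows begins outside the hunk.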
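Review bot: Dropping `fingerprint_length` from 1024 to 64 changes how filestream identifies `/opt/so/log/agents/agent-monitor.log`: harvesting can now start once the file holds 64 bytes, but the file's identity is also just the hash of those first 64 bytes, so a rotated copy whose first 64 bytes are identical to the live file's (for example a fixed banner line) is treated as the same file and its contents are skipped. If the first line of agent-monitor.log always begins with a full timestamp this is safe; otherwise either keep a longer prefix or verify the behaviour against a rotated sample before shipping. The surrounding input definition starts and ends outside this hunk.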
@@ -23,14 +23,28 @@ function update_logstash_outputs() { } function update_kafka_outputs() { # Make sure SSL configuration is included in policy updates for Kafka output. SSL is configured in so-elastic-fleet-setup - SSL_CONFIG=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/outputs/so-manager_kafka" | jq -r '.item.ssl') - - JSON_STRING=$(jq -n \ - --arg UPDATEDLIST "$NEW_LIST_JSON" \ - --argjson SSL_CONFIG "$SSL_CONFIG" \ - '{"name": "grid-kafka","type": "kafka","hosts": $UPDATEDLIST,"is_default": true,"is_default_monitoring": true,"config_yaml": "","ssl": $SSL_CONFIG}') - # Update Kafka outputs - curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_kafka" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" | jq + if kafka_policy=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/outputs/so-manager_kafka" --fail 2>/dev/null); then + SSL_CONFIG=$(echo "$kafka_policy" | jq -r '.item.ssl') + if SECRETS=$(echo "$kafka_policy" | jq -er '.item.secrets' 2>/dev/null); then + # Update policy when fleet has secrets enabled + JSON_STRING=$(jq -n \ + --arg UPDATEDLIST "$NEW_LIST_JSON" \ + --argjson SSL_CONFIG "$SSL_CONFIG" \ + --argjson SECRETS "$SECRETS" \ + '{"name": "grid-kafka","type": "kafka","hosts": $UPDATEDLIST,"is_default": true,"is_default_monitoring": true,"config_yaml": "","ssl": $SSL_CONFIG,"secrets": $SECRETS}') + else + # Update policy when fleet has secrets disabled or policy hasn't been force updated + JSON_STRING=$(jq -n \ + --arg UPDATEDLIST "$NEW_LIST_JSON" \ + --argjson SSL_CONFIG "$SSL_CONFIG" \ + '{"name": "grid-kafka","type": "kafka","hosts": $UPDATEDLIST,"is_default": true,"is_default_monitoring": true,"config_yaml": "","ssl": $SSL_CONFIG}') + fi + # Update Kafka outputs + curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_kafka" -H 'kbn-xsrf: true' -H 
'Content-Type: application/json' -d "$JSON_STRING" | jq + else + printf "Failed to get current Kafka output policy..." + exit 1 + fi } {% if GLOBALS.pipeline == "KAFKA" %} diff --git a/salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy b/salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy index a5ea79922..d44a5cb6c 100644 --- a/salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy +++ b/salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy 
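Review bot: The PUT at the end of `update_kafka_outputs` still pipes curl straight into `jq` with no `--fail` and no status check, so a rejected update (for instance an unusable `secrets` reference) prints the error body and the script carries on as if the Kafka hosts list had been updated, whereas the GET added above now exits 1 on failure. Mirror that handling: `if ! curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_kafka" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" --fail | jq; then printf "Failed to update Kafka output policy...\n"; exit 1; fi`. The `printf "Failed to get current Kafka output policy..."` message also lacks a trailing newline, so whatever is logged next runs onto the same line.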
@@ -5,46 +5,78 @@ # Elastic License 2.0. {% from 'vars/globals.map.jinja' import GLOBALS %} -{% if GLOBALS.role in ['so-manager', 'so-standalone', 'so-managersearch'] %} +{% if GLOBALS.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-managerhype'] %} . /usr/sbin/so-common +force=false +while [[ $# -gt 0 ]]; do + case $1 in + -f|--force) + force=true + shift + ;; + *) + echo "Unknown option $1" + echo "Usage: $0 [-f|--force]" + exit 1 + ;; + esac +done + # Check to make sure that Kibana API is up & ready RETURN_CODE=0 wait_for_web_response "http://localhost:5601/api/fleet/settings" "fleet" 300 "curl -K /opt/so/conf/elasticsearch/curl.config" RETURN_CODE=$? if [[ "$RETURN_CODE" != "0" ]]; then - printf "Kibana API not accessible, can't setup Elastic Fleet output policy for Kafka..." - exit 1 + echo -e "\nKibana API not accessible, can't setup Elastic Fleet output policy for Kafka...\n" + exit 1 fi -output=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/outputs" | jq -r .items[].id) +KAFKACRT=$(openssl x509 -in /etc/pki/elasticfleet-kafka.crt) +KAFKAKEY=$(openssl rsa -in /etc/pki/elasticfleet-kafka.key) +KAFKACA=$(openssl x509 -in /etc/pki/tls/certs/intca.crt) +KAFKA_OUTPUT_VERSION="2.6.0" -if ! echo "$output" | grep -q "so-manager_kafka"; then - KAFKACRT=$(openssl x509 -in /etc/pki/elasticfleet-kafka.crt) - KAFKAKEY=$(openssl rsa -in /etc/pki/elasticfleet-kafka.key) - KAFKACA=$(openssl x509 -in /etc/pki/tls/certs/intca.crt) - KAFKA_OUTPUT_VERSION="2.6.0" +if ! kafka_output=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/outputs/so-manager_kafka" --fail 2>/dev/null); then + # Create a new output policy for Kafka. 
Default is disabled 'is_default: false & is_default_monitoring: false' JSON_STRING=$( jq -n \ - --arg KAFKACRT "$KAFKACRT" \ - --arg KAFKAKEY "$KAFKAKEY" \ - --arg KAFKACA "$KAFKACA" \ - --arg MANAGER_IP "{{ GLOBALS.manager_ip }}:9092" \ - --arg KAFKA_OUTPUT_VERSION "$KAFKA_OUTPUT_VERSION" \ - '{ "name": "grid-kafka", "id": "so-manager_kafka", "type": "kafka", "hosts": [ $MANAGER_IP ], "is_default": false, "is_default_monitoring": false, "config_yaml": "", "ssl": { "certificate_authorities": [ $KAFKACA ], "certificate": $KAFKACRT, "key": $KAFKAKEY, "verification_mode": "full" }, "proxy_id": null, "client_id": "Elastic", "version": $KAFKA_OUTPUT_VERSION, "compression": "none", "auth_type": "ssl", "partition": "round_robin", "round_robin": { "group_events": 10 }, "topics":[{"topic":"default-securityonion"}], "headers": [ { "key": "", "value": "" } ], "timeout": 30, "broker_timeout": 30, "required_acks": 1 }' - ) - curl -sK /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" -o /dev/null - refresh_output=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/outputs" | jq -r .items[].id) - - if ! 
echo "$refresh_output" | grep -q "so-manager_kafka"; then - echo -e "\nFailed to setup Elastic Fleet output policy for Kafka...\n" + --arg KAFKACRT "$KAFKACRT" \ + --arg KAFKAKEY "$KAFKAKEY" \ + --arg KAFKACA "$KAFKACA" \ + --arg MANAGER_IP "{{ GLOBALS.manager_ip }}:9092" \ + --arg KAFKA_OUTPUT_VERSION "$KAFKA_OUTPUT_VERSION" \ + '{"name":"grid-kafka", "id":"so-manager_kafka","type":"kafka","hosts":[ $MANAGER_IP ],"is_default":false,"is_default_monitoring":false,"config_yaml":"","ssl":{"certificate_authorities":[ $KAFKACA ],"certificate": $KAFKACRT ,"key":"","verification_mode":"full"},"proxy_id":null,"client_id":"Elastic","version": $KAFKA_OUTPUT_VERSION ,"compression":"none","auth_type":"ssl","partition":"round_robin","round_robin":{"group_events":10},"topics":[{"topic":"default-securityonion"}],"headers":[{"key":"","value":""}],"timeout":30,"broker_timeout":30,"required_acks":1,"secrets":{"ssl":{"key": $KAFKAKEY }}}' + ) + if ! response=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" --fail 2>/dev/null); then + echo -e "\nFailed to setup Elastic Fleet output policy for Kafka...\n" + exit 1 + else + echo -e "\nSuccessfully setup Elastic Fleet output policy for Kafka...\n" + exit 0 + fi +elif kafka_output=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/outputs/so-manager_kafka" --fail 2>/dev/null) && [[ "$force" == "true" ]]; then + # force an update to Kafka policy. Keep the current value of Kafka output policy (enabled/disabled). 
+ ENABLED_DISABLED=$(echo "$kafka_output" | jq -e .item.is_default) + HOSTS=$(echo "$kafka_output" | jq -r '.item.hosts') + JSON_STRING=$( jq -n \ + --arg KAFKACRT "$KAFKACRT" \ + --arg KAFKAKEY "$KAFKAKEY" \ + --arg KAFKACA "$KAFKACA" \ + --arg ENABLED_DISABLED "$ENABLED_DISABLED"\ + --arg KAFKA_OUTPUT_VERSION "$KAFKA_OUTPUT_VERSION" \ + --argjson HOSTS "$HOSTS" \ + '{"name":"grid-kafka","type":"kafka","hosts":$HOSTS,"is_default":$ENABLED_DISABLED,"is_default_monitoring":$ENABLED_DISABLED,"config_yaml":"","ssl":{"certificate_authorities":[ $KAFKACA ],"certificate": $KAFKACRT ,"key":"","verification_mode":"full"},"proxy_id":null,"client_id":"Elastic","version": $KAFKA_OUTPUT_VERSION ,"compression":"none","auth_type":"ssl","partition":"round_robin","round_robin":{"group_events":10},"topics":[{"topic":"default-securityonion"}],"headers":[{"key":"","value":""}],"timeout":30,"broker_timeout":30,"required_acks":1,"secrets":{"ssl":{"key": $KAFKAKEY }}}' + ) + if ! response=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_kafka" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" --fail 2>/dev/null); then + echo -e "\nFailed to force update to Elastic Fleet output policy for Kafka...\n" exit 1 - elif echo "$refresh_output" | grep -q "so-manager_kafka"; then - echo -e "\nSuccessfully setup Elastic Fleet output policy for Kafka...\n" + else + echo -e "\nForced update to Elastic Fleet output policy for Kafka...\n" fi -elif echo "$output" | grep -q "so-manager_kafka"; then +else echo -e "\nElastic Fleet output policy for Kafka already exists...\n" fi {% else %} diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index db4fc0515..6ed55a936 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
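Review bot: In the `--force` branch `ENABLED_DISABLED` is read with `jq -e .item.is_default` but handed to `jq -n` via `--arg`, which makes it a JSON string, so the PUT body carries `"is_default":"true"` (or `"false"`) instead of a boolean and the Fleet API will either reject or coerce it; use `--argjson ENABLED_DISABLED "$ENABLED_DISABLED" \` (that line is also missing the space before its backslash). The same branch copies `is_default` into `is_default_monitoring`, so a grid whose monitoring default differed from its data default would be silently changed even though the comment promises to keep the current values; read `.item.is_default_monitoring` separately. The `elif` re-issues the GET the `if` just performed, so `elif [[ "$force" == "true" ]]` is sufficient since `kafka_output` is already populated. Minor but worth noting for key hygiene: `KAFKAKEY=$(openssl rsa -in /etc/pki/elasticfleet-kafka.key)` now runs unconditionally, so the private key is loaded into the shell even on the "already exists" path where it is never used; moving the three reads under the two branches that build `JSON_STRING` avoids that.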
@@ -1323,7 +1323,7 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-agent-monitor: + so-elastic-agent-monitor: index_sorting: false index_template: composed_of: @@ -1335,10 +1335,8 @@ elasticsearch: data_stream: allow_custom_routing: false hidden: false - ignore_missing_component_templates: - - logs-agent-monitor@custom index_patterns: - - logs-agent-monitor-* + - logs-agentmonitor-* priority: 501 template: mappings: @@ -1350,7 +1348,7 @@ elasticsearch: settings: index: lifecycle: - name: so-logs-agent-monitor-logs + name: so-elastic-agent-monitor-logs mapping: total_fields: limit: 5000 @@ -4175,7 +4173,7 @@ elasticsearch: hot: actions: rollover: - max_age: 1d + max_age: 30d max_primary_shard_size: 50gb set_priority: priority: 100 diff --git a/salt/elasticsearch/files/ingest/common.ip_validation b/salt/elasticsearch/files/ingest/common.ip_validation new file mode 100644 index 000000000..828879431 --- /dev/null +++ b/salt/elasticsearch/files/ingest/common.ip_validation @@ -0,0 +1,22 @@ +{ + "processors": [ + { + "convert": { + "field": "_ingest._value", + "type": "ip", + "target_field": "_ingest._temp_ip", + "ignore_failure": true + } + }, + { + "append": { + "field": "temp._valid_ips", + "allow_duplicates": false, + "value": [ + "{{{_ingest._temp_ip}}}" + ], + "ignore_failure": true + } + } + ] +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/global@custom b/salt/elasticsearch/files/ingest/global@custom index ccf57b2d7..c92c15612 100644 --- a/salt/elasticsearch/files/ingest/global@custom +++ b/salt/elasticsearch/files/ingest/global@custom 
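Review bot: This hunk removes `ignore_missing_component_templates: - logs-agent-monitor@custom` from the renamed `so-elastic-agent-monitor` template, but the `composed_of` entries directly above it (original lines 1330-1334) are not touched by any hunk, so if that list still names `logs-agent-monitor@custom` the index-template PUT will fail whenever the custom component does not exist, and if it was meant to follow the dataset rename that edit is missing. Either keep an entry matching the new name, `ignore_missing_component_templates: - logs-agentmonitor@custom`, or confirm `composed_of` no longer references a @custom component. The enclosing `so-elastic-agent-monitor` mapping begins in the previous hunk.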
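Review bot: When `convert` fails for an element (a CNAME or TXT answer), `_ingest._temp_ip` is left untouched, so the following `append` re-appends the previous element's address, or an empty string on the first iteration, which is why the caller in zeek.dns has to strip empty entries afterwards. `allow_duplicates: false` masks the repeat, but the pipeline would be self-contained if each iteration reset the scratch field first, e.g. a leading `{ "set": { "field": "_ingest._temp_ip", "value": "" } }` (assuming `set` may write ingest metadata the way `_ingest._value` can), and then appended only when a value was produced, `"if": "ctx._ingest._temp_ip != ''"` on the `append`, if the metadata is reachable from the condition. The new file also lacks a trailing newline.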
@@ -24,7 +24,7 @@ { "rename": { "if": "ctx.winlog?.provider_name == 'Microsoft-Windows-Windows Defender'", "ignore_missing": true, "field": "winlog.event_data.Threat Name", "target_field": "winlog.event_data.threat_name" } }, { "set": { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } }, {"append": {"field":"related.ip","value":["{{source.ip}}","{{destination.ip}}"],"allow_duplicates":false,"if":"ctx?.event?.dataset == 'endpoint.events.network' && ctx?.source?.ip != null","ignore_failure":true}}, - {"foreach": {"field":"host.ip","processor":{"append":{"field":"related.ip","value":"{{_ingest._value}}","allow_duplicates":false}},"if":"ctx?.event?.module == 'endpoint'","description":"Extract IPs from Elastic Agent events (host.ip) and adds them to related.ip"}}, + {"foreach": {"field":"host.ip","processor":{"append":{"field":"related.ip","value":"{{_ingest._value}}","allow_duplicates":false}},"if":"ctx?.event?.module == 'endpoint' && ctx?.host?.ip != null","ignore_missing":true, "description":"Extract IPs from Elastic Agent events (host.ip) and adds them to related.ip"}}, { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp", "datastream_dataset_temp" ], "ignore_missing": true, "ignore_failure": true } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.dns b/salt/elasticsearch/files/ingest/zeek.dns index 5616310bd..7be8afec6 100644 --- a/salt/elasticsearch/files/ingest/zeek.dns +++ b/salt/elasticsearch/files/ingest/zeek.dns 
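Review bot: The added `ctx?.host?.ip != null` guard and `ignore_missing` cover an absent field, but `foreach` still throws when `host.ip` arrives as a single string rather than an array, and this processor has no `ignore_failure`, so such a document fails the whole `global@custom` pipeline. If any endpoint source can ship a scalar `host.ip`, tighten the condition to `"if":"ctx?.event?.module == 'endpoint' && ctx?.host?.ip instanceof List"` and handle the scalar case with a sibling `append`. The processors array this sits in starts and ends outside the hunk.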
@@ -21,7 +21,10 @@ { "rename": { "field": "message2.RA", "target_field": "dns.recursion.available", "ignore_missing": true } }, { "rename": { "field": "message2.Z", "target_field": "dns.reserved", "ignore_missing": true } }, { "rename": { "field": "message2.answers", "target_field": "dns.answers.name", "ignore_missing": true } }, - { "script": { "lang": "painless", "if": "ctx.dns != null && ctx.dns.answers != null && ctx.dns.answers.name != null", "source": "def ips = []; for (item in ctx.dns.answers.name) { if (item =~ /^(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$/ || item =~ /^([a-fA-F0-9:]+:+)+[a-fA-F0-9]+$/) { ips.add(item); } } ctx.dns.resolved_ip = ips;" } }, + { "foreach": {"field": "dns.answers.name","processor": {"pipeline": {"name": "common.ip_validation"}},"if": "ctx.dns != null && ctx.dns.answers != null && ctx.dns.answers.name != null","ignore_failure": true}}, + { "foreach": {"field": "temp._valid_ips","processor": {"append": {"field": "dns.resolved_ip","allow_duplicates": false,"value": "{{{_ingest._value}}}","ignore_failure": true}},"ignore_failure": true}}, + { "script": { "source": "if (ctx.dns.resolved_ip != null && ctx.dns.resolved_ip instanceof List) {\n ctx.dns.resolved_ip.removeIf(item -> item == null || item.toString().trim().isEmpty());\n }","ignore_failure": true }}, + { "remove": {"field": ["temp"], "ignore_missing": true ,"ignore_failure": true } }, { "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } }, { "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } }, { "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } }, diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja index 48a0808e7..acb6b0eaf 100644 --- a/salt/firewall/iptables.jinja +++ b/salt/firewall/iptables.jinja 
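Review bot: The old painless script always assigned `ctx.dns.resolved_ip = ips`, even when empty, whereas the new chain only ever appends, so documents whose answers are all CNAME/TXT now have no `dns.resolved_ip` field at all, which changes results for queries such as `NOT dns.resolved_ip:*`. If the empty-list form is relied upon, add `{ "set": { "field": "dns.resolved_ip", "value": [], "override": false, "if": "ctx.dns?.answers?.name != null", "ignore_failure": true } }` before the `remove`. Both the outer `foreach` and its inner `append` carry `ignore_failure`, and the first `foreach` already guards the missing-field case with its `if`, so those outer flags mostly hide genuine errors (for example `dns.answers.name` arriving as a string, which the old script raised on) and leave a silently partial `resolved_ip`. The `remove` of the whole `temp` object will also discard any other `temp.*` scratch fields set earlier in this pipeline, if there are any.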
@@ -91,7 +91,7 @@ COMMIT -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -p icmp -j ACCEPT -A INPUT -j LOGGING -{% if GLOBALS.role in ['so-hypervisor', 'so-managerhyper'] -%} +{% if GLOBALS.role in ['so-hypervisor', 'so-managerhype'] -%} -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i br0 -o br0 -j ACCEPT {%- endif %} diff --git a/salt/libvirt/bridge.sls b/salt/libvirt/bridge.sls index b8f720993..bd76f8ef4 100644 --- a/salt/libvirt/bridge.sls +++ b/salt/libvirt/bridge.sls @@ -4,6 +4,9 @@ # Elastic License 2.0. # We do not import GLOBALS in this state because it is called during setup +include: + - salt.mine_functions + - salt.minion.service_file down_original_mgmt_interface: cmd.run: @@ -28,29 +31,13 @@ wait_for_br0_ip: - timeout: 95 - onchanges: - cmd: down_original_mgmt_interface - -{% if grains.role == 'so-hypervisor' %} - -update_mine_functions: - file.managed: - - name: /etc/salt/minion.d/mine_functions.conf - - contents: | - mine_interval: 25 - mine_functions: - network.ip_addrs: - - interface: br0 - {%- if role in ['so-eval','so-import','so-manager','so-managerhype','so-managersearch','so-standalone'] %} - x509.get_pem_entries: - - glob_path: '/etc/pki/ca.crt' - {% endif %} - - onchanges: - - cmd: wait_for_br0_ip + - onchanges_in: + - file: salt_minion_service_unit_file + - file: mine_functions restart_salt_minion_service: service.running: - name: salt-minion - enable: True - listen: - - file: update_mine_functions - -{% endif %} + - file: mine_functions diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index f7180c46c..86595c162 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -590,9 +590,6 @@ post_to_2.4.160() { } post_to_2.4.170() { - echo "Regenerating Elastic Agent Installers" - /sbin/so-elastic-agent-gen-installers - # Update kibana default space salt-call state.apply kibana.config queue=True echo "Updating Kibana default space" 
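Review bot: Correcting `so-managerhyper` to `so-managerhype` means managerhype hosts now emit the two FORWARD rules for the first time, which is a firewall behaviour change rather than a cosmetic rename and deserves a comment on the `{% if %}` line, e.g. `{# hypervisor roles: let VM traffic bridged through br0 traverse FORWARD; anything else falls through to the chain's default policy #}`. That default policy is set earlier in the template, outside this hunk, so confirm it is DROP for these roles, since `RELATED,ESTABLISHED` plus `br0`-to-`br0` is evidently meant to be the whitelist for forwarded traffic.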
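Review bot: `wait_for_br0_ip` now declares `onchanges_in: - file: salt_minion_service_unit_file`, but that state is only rendered by `salt.minion.service_file` when `INSTALLEDSALTVERSION|string == SALTVERSION|string` (the new service_file.sls wraps it in that `{% if %}`), so on a host whose Salt package is mid-upgrade the requisite targets a state that does not exist and the run fails with a requisite-not-found error instead of merely skipping the unit-file refresh. Either lift the version gate for this include path or guard the requisite here with the same condition, importing the two values from `salt/map.jinja` (the header notes GLOBALS are deliberately not imported during setup, but map.jinja values may be). The removed block also ran only when `grains.role == 'so-hypervisor'`, whereas the rewrite applies on every role that includes `libvirt.bridge`; if that widening to so-managerhype is intended, say so in a comment above `wait_for_br0_ip`.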
@@ -602,7 +599,12 @@ post_to_2.4.170() { } post_to_2.4.180() { - echo "Nothing to apply" + echo "Regenerating Elastic Agent Installers" + /sbin/so-elastic-agent-gen-installers + + # Force update to Kafka output policy + /usr/sbin/so-kafka-fleet-output-policy --force + POSTVERSION=2.4.180 } @@ -857,14 +859,13 @@ up_to_2.4.170() { touch /opt/so/saltstack/local/pillar/$state/adv_$state.sls /opt/so/saltstack/local/pillar/$state/soc_$state.sls done - # Elastic Update for this release, so download Elastic Agent files - determine_elastic_agent_upgrade INSTALLEDVERSION=2.4.170 } up_to_2.4.180() { - echo "Nothing to do for 2.4.180" + # Elastic Update for this release, so download Elastic Agent files + determine_elastic_agent_upgrade INSTALLEDVERSION=2.4.180 } diff --git a/salt/salt/mine_functions.sls b/salt/salt/mine_functions.sls index ed786e997..ae3df1ce9 100644 --- a/salt/salt/mine_functions.sls +++ b/salt/salt/mine_functions.sls @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -# this state was seperated from salt.minion state since it is called during setup +# this state was separated from salt.minion state since it is called during setup # GLOBALS are imported in the salt.minion state and that is not available at that point in setup # this state is included in the salt.minion state diff --git a/salt/salt/minion.sls b/salt/salt/minion/init.sls similarity index 86% rename from salt/salt/minion.sls rename to salt/salt/minion/init.sls index b85fad1c0..374e6954c 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion/init.sls 
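Review bot: `post_to_2.4.180` calls `/usr/sbin/so-kafka-fleet-output-policy --force` without checking its exit status, and that script exits 1 when Kibana is unreachable or the PUT fails, so a failed migration of the Kafka output's TLS key into Fleet secrets is logged once and forgotten while `POSTVERSION` still advances to 2.4.180. Unless soup runs under `set -e` (not visible here), wrap it: `if ! /usr/sbin/so-kafka-fleet-output-policy --force; then echo "Kafka Fleet output policy update failed; re-run 'so-kafka-fleet-output-policy --force' once Kibana is up"; fi`. Note the script gates only on role, not on `GLOBALS.pipeline`, so on a Logstash-pipeline grid the forced update still rewrites (or creates, disabled) the so-manager_kafka output; that is probably harmless but worth a comment next to the call.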
@@ -1,18 +1,22 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'salt/map.jinja' import UPGRADECOMMAND with context %} {% from 'salt/map.jinja' import SALTVERSION %} {% from 'salt/map.jinja' import INSTALLEDSALTVERSION %} {% from 'salt/map.jinja' import SALTPACKAGES %} -{% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %} {% import_yaml 'salt/minion.defaults.yaml' as SALTMINION %} include: - salt.python_modules - salt.patch.x509_v2 - salt - - systemd.reload - repo.client - salt.mine_functions + - salt.minion.service_file {% if GLOBALS.role in GLOBALS.manager_roles %} - ca {% endif %} @@ -94,17 +98,6 @@ enable_startup_states: - regex: '^startup_states: highstate$' - unless: pgrep so-setup -# prior to 2.4.30 this managed file would restart the salt-minion service when updated -# since this file is currently only adding a delay service start -# it is not required to restart the service -salt_minion_service_unit_file: - file.managed: - - name: {{ SYSTEMD_UNIT_FILE }} - - source: salt://salt/service/salt-minion.service.jinja - - template: jinja - - onchanges_in: - - module: systemd_reload - {% endif %} # this has to be outside the if statement above since there are _in calls to this state diff --git a/salt/salt/minion/service_file.sls b/salt/salt/minion/service_file.sls new file mode 100644 index 000000000..8aded2d60 --- /dev/null +++ b/salt/salt/minion/service_file.sls 
@@ -0,0 +1,26 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'salt/map.jinja' import SALTVERSION %} +{% from 'salt/map.jinja' import INSTALLEDSALTVERSION %} +{% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %} + +include: + - systemd.reload + +{% if INSTALLEDSALTVERSION|string == SALTVERSION|string %} + +# prior to 2.4.30 this managed file would restart the salt-minion service when updated +# since this file is currently only adding a delay service start +# it is not required to restart the service +salt_minion_service_unit_file: + file.managed: + - name: {{ SYSTEMD_UNIT_FILE }} + - source: salt://salt/service/salt-minion.service.jinja + - template: jinja + - onchanges_in: + - module: systemd_reload + +{% endif %} diff --git a/salt/sensoroni/defaults.yaml b/salt/sensoroni/defaults.yaml index 7777985dd..bd74da7ec 100644 --- a/salt/sensoroni/defaults.yaml +++ b/salt/sensoroni/defaults.yaml @@ -34,6 +34,8 @@ sensoroni: api_version: community localfile: file_path: [] + malwarebazaar: + api_key: otx: base_url: https://otx.alienvault.com/api/v1/ api_key: @@ -49,12 +51,16 @@ sensoroni: live_flow: False mailbox_email_address: message_source_id: + threatfox: + api_key: urlscan: base_url: https://urlscan.io/api/v1/ api_key: enabled: False visibility: public timeout: 180 + urlhaus: + api_key: virustotal: base_url: https://www.virustotal.com/api/v3/search?query= api_key: diff --git a/salt/sensoroni/files/analyzers/README.md b/salt/sensoroni/files/analyzers/README.md index fa891ed7b..a67b24e2d 100644 --- a/salt/sensoroni/files/analyzers/README.md +++ b/salt/sensoroni/files/analyzers/README.md 
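Review bot: The three new `api_key:` entries are bare, so they load as YAML null rather than an empty string; that matches the existing `otx`/`urlscan` entries, and if the analyzers use the same `if not conf['api_key']: sys.exit(126)` check as the deleted echotrail.py then null and '' behave alike, but a comment such as `# abuse.ch services (MalwareBazaar, ThreatFox, URLhaus) now require an auth key; analyzer exits 126 while unset` above each would explain why analyzers that previously needed no key start failing after upgrade. Since this commit removes the echotrail analyzer, any `echotrail:` entry that sorts above `localfile` in this file (outside the hunk) should be dropped in the same change if it is still present, and the analyzers README table retained by this commit still lists EchoTrail as available.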
@@ -35,15 +35,15 @@ Many analyzers require authentication, via an API key or similar. The table belo [EchoTrail](https://www.echotrail.io/docs/quickstart) |✓| [EmailRep](https://emailrep.io/key) |✓| [Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/7.17/setting-up-authentication.html) |✓| -[GreyNoise](https://www.greynoise.io/plans/community) |✓| +[GreyNoise (community)](https://www.greynoise.io/plans/community) |✗| [LocalFile](https://github.com/Security-Onion-Solutions/securityonion/tree/fix/sublime_analyzer_documentation/salt/sensoroni/files/analyzers/localfile) |✗| [Malware Hash Registry](https://hash.cymru.com/docs_whois) |✗| -[MalwareBazaar](https://bazaar.abuse.ch/) |✗| +[MalwareBazaar](https://bazaar.abuse.ch/) |✓| [Pulsedive](https://pulsedive.com/api/) |✓| [Spamhaus](https://www.spamhaus.org/dbl/) |✗| [Sublime Platform](https://sublime.security) |✓| -[ThreatFox](https://threatfox.abuse.ch/) |✗| -[Urlhaus](https://urlhaus.abuse.ch/) |✗| +[ThreatFox](https://threatfox.abuse.ch/) |✓| +[Urlhaus](https://urlhaus.abuse.ch/) |✓| [Urlscan](https://urlscan.io/docs/api/) |✓| [VirusTotal](https://developers.virustotal.com/reference/overview) |✓| [WhoisLookup](https://github.com/meeb/whoisit) |✗| diff --git a/salt/sensoroni/files/analyzers/echotrail/README.md b/salt/sensoroni/files/analyzers/echotrail/README.md deleted file mode 100644 index eb705fb64..000000000 --- a/salt/sensoroni/files/analyzers/echotrail/README.md +++ /dev/null 
@@ -1,24 +0,0 @@ -# EchoTrail - - -## Description -Submit a filename, hash, commandline to EchoTrail for analysis - -## Configuration Requirements - -In SOC, navigate to `Administration`, toggle `Show all configurable settings, including advanced settings.`, and navigate to `sensoroni` -> `analyzers` -> `echotrail`. -![echotrail](https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/dev/assets/images/screenshots/analyzers/echotrail.png?raw=true) - - -The following configuration options are available for: - -``api_key`` - API key used for communication with the Echotrail API (Required) - -This value should be set in the ``sensoroni`` pillar, like so: - -``` -sensoroni: - analyzers: - echotrail: - api_key: $yourapikey -``` diff --git a/salt/sensoroni/files/analyzers/echotrail/echotrail.json b/salt/sensoroni/files/analyzers/echotrail/echotrail.json deleted file mode 100644 index 081643b0c..000000000 --- a/salt/sensoroni/files/analyzers/echotrail/echotrail.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "name": "Echotrail", - "version": "0.1", - "author": "Security Onion Solutions", - "description": "This analyzer queries Echotrail to see if a related filename, hash, or commandline is considered malicious.", - "supportedTypes" : ["filename","hash","commandline"], - "baseUrl": "https://api.echotrail.io/insights/" - } - - \ No newline at end of file diff --git a/salt/sensoroni/files/analyzers/echotrail/echotrail.py b/salt/sensoroni/files/analyzers/echotrail/echotrail.py deleted file mode 100644 index 34c6a51a2..000000000 --- a/salt/sensoroni/files/analyzers/echotrail/echotrail.py +++ /dev/null 
@@ -1,67 +0,0 @@ -import json -import os -import sys -import requests -import helpers -import argparse - - -# for test usage: -# python3 echotrail.py '{"artifactType":"hash", "value":"438b6ccd84f4dd32d9684ed7d58fd7d1e5a75fe3f3d12ab6c788e6bb0ffad5e7"}' -# You will need to provide an API key in the .yaml file. -def checkConfigRequirements(conf): - if not conf['api_key']: - sys.exit(126) - else: - return True - - -def sendReq(conf, observ_value): - # send a get requests using a user-provided API key and the API url - url = conf['base_url'] + observ_value - headers = {'x-api-key': conf['api_key']} - response = requests.request('GET', url=url, headers=headers) - return response.json() - - -def prepareResults(raw): - # checking for the 'filenames' key alone does - # not work when querying by filename. - # So, we can account for a hash query, a filename query, - # and anything else with these if statements. - if 'filenames' in raw.keys(): - summary = raw['filenames'][0][0] - elif 'tags' in raw.keys(): - summary = raw['tags'][0][0] - else: - summary = 'inconclusive' - status = 'info' - return {'response': raw, 'summary': summary, 'status': status} - - -def analyze(conf, input): - # put all of our methods together and return a properly formatted output. 
- checkConfigRequirements(conf) - meta = helpers.loadMetadata(__file__) - data = helpers.parseArtifact(input) - helpers.checkSupportedType(meta, data['artifactType']) - response = sendReq(conf, data['value']) - return prepareResults(response) - - -def main(): - dir = os.path.dirname(os.path.realpath(__file__)) - parser = argparse.ArgumentParser( - description='Search Echotrail for a given artifact') - parser.add_argument( - 'artifact', help='the artifact represented in JSON format') - parser.add_argument('-c', '--config', metavar='CONFIG_FILE', default=dir + '/echotrail.yaml', - help='optional config file to use instead of the default config file') - args = parser.parse_args() - if args.artifact: - results = analyze(helpers.loadConfig(args.config), args.artifact) - print(json.dumps(results)) - - -if __name__ == '__main__': - main() diff --git a/salt/sensoroni/files/analyzers/echotrail/echotrail.yaml b/salt/sensoroni/files/analyzers/echotrail/echotrail.yaml deleted file mode 100644 index f5db57f24..000000000 --- a/salt/sensoroni/files/analyzers/echotrail/echotrail.yaml +++ /dev/null @@ -1,3 +0,0 @@ -base_url: "{{ salt['pillar.get']('sensoroni:analyzers:echotrail:base_url', 'https://api.echotrail.io/insights/') }}" -api_key: "{{ salt['pillar.get']('sensoroni:analyzers:echotrail:api_key', '') }}" - diff --git a/salt/sensoroni/files/analyzers/echotrail/echotrail_test.py b/salt/sensoroni/files/analyzers/echotrail/echotrail_test.py deleted file mode 100644 index ea0d7433a..000000000 --- a/salt/sensoroni/files/analyzers/echotrail/echotrail_test.py +++ /dev/null 
@@ -1,78 +0,0 @@ -from io import StringIO -import sys -from unittest.mock import patch, MagicMock -import unittest -import echotrail - - -class TestEchoTrailMethods(unittest.TestCase): - def test_main_success(self): - with patch('sys.stdout', new=StringIO()) as mock_cmd: - with patch('echotrail.analyze', new=MagicMock(return_value={'test': 'val'})) as mock: - sys.argv = ["test", "test"] - echotrail.main() - expected = '{"test": "val"}\n' - self.assertEqual(mock_cmd.getvalue(), expected) - mock.assert_called_once() - - def test_main_missing_input(self): - with patch('sys.exit', new=MagicMock()) as sysmock: - with patch('sys.stderr', new=StringIO()) as mock_stderr: - sys.argv = ["cmd"] - echotrail.main() - self.assertEqual(mock_stderr.getvalue(), "usage: cmd [-h] [-c CONFIG_FILE] artifact\ncmd: error: the following arguments are required: artifact\n") - sysmock.assert_called_once() - - def test_checkConfigRequirements(self): - conf = {'base_url': 'https://www.randurl.xyz/', 'api_key': ''} - with self.assertRaises(SystemExit) as cm: - echotrail.checkConfigRequirements(conf) - self.assertEqual(cm.exception.code, 126) - - def test_sendReq(self): - with patch('requests.request', new=MagicMock(return_value=MagicMock())) as mock: - response = echotrail.sendReq(conf={'base_url': 'https://www.randurl.xyz/', 'api_key': 'randkey'}, observ_value='example_data') - self.assertIsNotNone(response) - mock.assert_called_once() - - def test_prepareResults_noinput(self): - raw = {} - sim_results = {'response': raw, - 'status': 'info', 'summary': 'inconclusive'} - results = echotrail.prepareResults(raw) - self.assertEqual(results, sim_results) - - def test_prepareResults_none(self): - raw = {'query_status': 'no_result'} - sim_results = {'response': raw, - 'status': 'info', 'summary': 'inconclusive'} - results = echotrail.prepareResults(raw) - self.assertEqual(results, sim_results) - - def test_prepareResults_filenames(self): - raw = {'filenames': [["abc.exe", "def.exe"], ["abc.exe", 
"def.exe"]]} - sim_results = {'response': raw, - 'status': 'info', 'summary': 'abc.exe'} - results = echotrail.prepareResults(raw) - self.assertEqual(results, sim_results) - - def test_prepareResults_tags(self): - raw = {'tags': [["tag1", "tag2"], ["tag1", "tag2"]]} - sim_results = {'response': raw, - 'status': 'info', 'summary': 'tag1'} - results = echotrail.prepareResults(raw) - self.assertEqual(results, sim_results) - - def test_analyze(self): - sendReqOutput = {'threat': 'no_result'} - input = '{"artifactType":"hash", "value":"1234"}' - prepareResultOutput = {'response': '', - 'summary': 'inconclusive', 'status': 'info'} - conf = {"api_key": "xyz"} - - with patch('echotrail.sendReq', new=MagicMock(return_value=sendReqOutput)) as mock: - with patch('echotrail.prepareResults', new=MagicMock(return_value=prepareResultOutput)) as mock2: - results = echotrail.analyze(conf, input) - self.assertEqual(results["summary"], "inconclusive") - mock2.assert_called_once() - mock.assert_called_once() diff --git a/salt/sensoroni/files/analyzers/echotrail/requirements.txt b/salt/sensoroni/files/analyzers/echotrail/requirements.txt deleted file mode 100644 index 925ada01e..000000000 --- a/salt/sensoroni/files/analyzers/echotrail/requirements.txt +++ /dev/null @@ -1,2 +0,0 @@ -requests>=2.31.0 -pyyaml>=6.0 diff --git a/salt/sensoroni/files/analyzers/echotrail/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/echotrail/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl deleted file mode 100644 index e7e59e816..000000000 Binary files a/salt/sensoroni/files/analyzers/echotrail/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/echotrail/source-packages/certifi-2023.11.17-py3-none-any.whl b/salt/sensoroni/files/analyzers/echotrail/source-packages/certifi-2023.11.17-py3-none-any.whl deleted file mode 100644 index de0787f64..000000000 Binary files a/salt/sensoroni/files/analyzers/echotrail/source-packages/certifi-2023.11.17-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/echotrail/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/echotrail/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl deleted file mode 100644 index 666649ed2..000000000 Binary files a/salt/sensoroni/files/analyzers/echotrail/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/echotrail/source-packages/idna-3.6-py3-none-any.whl b/salt/sensoroni/files/analyzers/echotrail/source-packages/idna-3.6-py3-none-any.whl deleted file mode 100644 index fdf65ae30..000000000 Binary files a/salt/sensoroni/files/analyzers/echotrail/source-packages/idna-3.6-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/echotrail/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/echotrail/source-packages/requests-2.31.0-py3-none-any.whl deleted file mode 100644 index bfd5d2ea9..000000000 Binary files a/salt/sensoroni/files/analyzers/echotrail/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/echotrail/source-packages/urllib3-2.1.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/echotrail/source-packages/urllib3-2.1.0-py3-none-any.whl deleted file mode 100644 index 0951ac354..000000000 Binary files a/salt/sensoroni/files/analyzers/echotrail/source-packages/urllib3-2.1.0-py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2023.11.17-py3-none-any.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2023.11.17-py3-none-any.whl deleted file mode 100644 index de0787f64..000000000 Binary files a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2023.11.17-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2025.8.3-py3-none-any.whl new file mode 100644 index 000000000..b4158ec67 Binary files /dev/null and b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2025.8.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl deleted file mode 100644 index 666649ed2..000000000 Binary files a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..a8f2bd0c4 Binary files /dev/null and b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ 
diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/idna-3.10-py3-none-any.whl new file mode 100644 index 000000000..52759bdd2 Binary files /dev/null and b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/idna-3.10-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/idna-3.6-py3-none-any.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/idna-3.6-py3-none-any.whl deleted file mode 100644 index fdf65ae30..000000000 Binary files a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/idna-3.6-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/requests-2.31.0-py3-none-any.whl deleted file mode 100644 index bfd5d2ea9..000000000 Binary files a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/requests-2.32.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/requests-2.32.5-py3-none-any.whl new file mode 100644 index 000000000..58c3d6a25 Binary files /dev/null and b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/requests-2.32.5-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/urllib3-2.1.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/urllib3-2.1.0-py3-none-any.whl deleted file mode 100644 index 0951ac354..000000000 Binary files a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/urllib3-2.1.0-py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/urllib3-2.5.0-py3-none-any.whl new file mode 100644 index 000000000..81b580f1c Binary files /dev/null and b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/urllib3-2.5.0-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2023.5.7-py3-none-any.whl deleted file mode 100644 index c983e799c..000000000 Binary files a/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2023.5.7-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2025.8.3-py3-none-any.whl new file mode 100644 index 000000000..b4158ec67 Binary files /dev/null and b/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2025.8.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl deleted file mode 100644 index 666649ed2..000000000 Binary files a/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..a8f2bd0c4 Binary files /dev/null and b/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.10-py3-none-any.whl new file mode 100644 index 000000000..52759bdd2 Binary files /dev/null and b/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.10-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.4-py3-none-any.whl deleted file mode 100644 index 7343c6845..000000000 Binary files a/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.4-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/requests-2.31.0-py3-none-any.whl deleted file mode 100644 index bfd5d2ea9..000000000 Binary files a/salt/sensoroni/files/analyzers/emailrep/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/requests-2.32.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/requests-2.32.5-py3-none-any.whl new file mode 100644 index 000000000..58c3d6a25 Binary files /dev/null and b/salt/sensoroni/files/analyzers/emailrep/source-packages/requests-2.32.5-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-2.0.3-py3-none-any.whl deleted file mode 100644 index 5e0b52889..000000000 Binary files a/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-2.0.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-2.5.0-py3-none-any.whl new file mode 100644 index 000000000..81b580f1c Binary files /dev/null and b/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-2.5.0-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/greynoise/greynoise.json b/salt/sensoroni/files/analyzers/greynoise/greynoise.json index 76cef3324..20102206b 100644 --- a/salt/sensoroni/files/analyzers/greynoise/greynoise.json +++ b/salt/sensoroni/files/analyzers/greynoise/greynoise.json @@ -1,6 +1,6 @@ { "name": "Greynoise IP Analyzer", - "version": "0.1", + "version": "0.2", "author": "Security Onion Solutions", "description": "This analyzer queries Greynoise for context around an IP address", "supportedTypes" : ["ip"] diff --git a/salt/sensoroni/files/analyzers/greynoise/greynoise.py b/salt/sensoroni/files/analyzers/greynoise/greynoise.py index bf2b98e7a..837c12f31 100755 --- a/salt/sensoroni/files/analyzers/greynoise/greynoise.py +++ b/salt/sensoroni/files/analyzers/greynoise/greynoise.py 
@@ -7,6 +7,10 @@ import argparse def checkConfigRequirements(conf): + # Community API doesn't require API key + if conf.get('api_version') == 'community': + return True + # Other API versions require API key if "api_key" not in conf or len(conf['api_key']) == 0: sys.exit(126) else: @@ -17,10 +21,12 @@ def sendReq(conf, meta, ip): url = conf['base_url'] if conf['api_version'] == 'community': url = url + 'v3/community/' + ip - elif conf['api_version'] == 'investigate' or 'automate': + # Community API doesn't use API key + response = requests.request('GET', url=url) + elif conf['api_version'] in ['investigate', 'automate']: url = url + 'v2/noise/context/' + ip - headers = {"key": conf['api_key']} - response = requests.request('GET', url=url, headers=headers) + headers = {"key": conf['api_key']} + response = requests.request('GET', url=url, headers=headers) return response.json() diff --git a/salt/sensoroni/files/analyzers/greynoise/greynoise_test.py b/salt/sensoroni/files/analyzers/greynoise/greynoise_test.py index 900a35e8c..76a17cc81 100644 --- a/salt/sensoroni/files/analyzers/greynoise/greynoise_test.py +++ b/salt/sensoroni/files/analyzers/greynoise/greynoise_test.py 
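Review bot: In the second hunk, `sendReq` leaves `response` unassigned when `conf['api_version']` is neither `'community'` nor one of `'investigate'`/`'automate'`, so the trailing `return response.json()` raises UnboundLocalError instead of a clear configuration error. The old `== 'investigate' or 'automate'` comparison was always truthy, so every non-community value silently took the v2 path; the corrected membership test is right but now exposes the unhandled case, and none of the new greynoise_test.py cases below exercise it. Add an explicit fallback after the `elif`, e.g. `else:` / `sys.exit(126)` to mirror `checkConfigRequirements`, or raise a ValueError naming the unsupported api_version, and add a matching test. The `def sendReq(conf, meta, ip):` line itself sits before the hunk, so the function starts outside it.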
@@ -31,13 +31,31 @@ class TestGreynoiseMethods(unittest.TestCase): greynoise.checkConfigRequirements(conf) self.assertEqual(cm.exception.code, 126) + def test_checkConfigRequirements_community_no_key(self): + conf = {"api_version": "community"} + # Should not raise exception for community version + result = greynoise.checkConfigRequirements(conf) + self.assertTrue(result) + + def test_checkConfigRequirements_investigate_no_key(self): + conf = {"api_version": "investigate"} + with self.assertRaises(SystemExit) as cm: + greynoise.checkConfigRequirements(conf) + self.assertEqual(cm.exception.code, 126) + + def test_checkConfigRequirements_investigate_with_key(self): + conf = {"api_version": "investigate", "api_key": "test_key"} + result = greynoise.checkConfigRequirements(conf) + self.assertTrue(result) + def test_sendReq_community(self): with patch('requests.request', new=MagicMock(return_value=MagicMock())) as mock: meta = {} - conf = {"base_url": "https://myurl/", "api_key": "abcd1234", "api_version": "community"} + conf = {"base_url": "https://myurl/", "api_version": "community"} ip = "192.168.1.1" response = greynoise.sendReq(conf=conf, meta=meta, ip=ip) - mock.assert_called_once_with("GET", headers={'key': 'abcd1234'}, url="https://myurl/v3/community/192.168.1.1") + # Community API should not include headers + mock.assert_called_once_with("GET", url="https://myurl/v3/community/192.168.1.1") self.assertIsNotNone(response) def test_sendReq_investigate(self): 
@@ -115,3 +133,16 @@ class TestGreynoiseMethods(unittest.TestCase): results = greynoise.analyze(conf, artifactInput) self.assertEqual(results["summary"], "suspicious") mock.assert_called_once() + + def test_analyze_community_no_key(self): + output = {"ip": "8.8.8.8", "noise": "false", "riot": "true", + "classification": "benign", "name": "Google Public DNS", + "link": "https://viz.gn.io", "last_seen": "2022-04-26", + "message": "Success"} + artifactInput = '{"value":"8.8.8.8","artifactType":"ip"}' + conf = {"base_url": "myurl/", "api_version": "community"} + with patch('greynoise.greynoise.sendReq', new=MagicMock(return_value=output)) as mock: + results = greynoise.analyze(conf, artifactInput) + self.assertEqual(results["summary"], "harmless") + self.assertEqual(results["status"], "ok") + mock.assert_called_once() diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2023.5.7-py3-none-any.whl deleted file mode 100644 index c983e799c..000000000 Binary files a/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2023.5.7-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2025.8.3-py3-none-any.whl new file mode 100644 index 000000000..b4158ec67 Binary files /dev/null and b/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2025.8.3-py3-none-any.whl differ 
diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl deleted file mode 100644 index 666649ed2..000000000 Binary files a/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..a8f2bd0c4 Binary files /dev/null and b/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.10-py3-none-any.whl new file mode 100644 index 000000000..52759bdd2 Binary files /dev/null and b/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.10-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.4-py3-none-any.whl deleted file mode 100644 index 7343c6845..000000000 Binary files a/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.4-py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.31.0-py3-none-any.whl deleted file mode 100644 index bfd5d2ea9..000000000 Binary files a/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.32.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.32.5-py3-none-any.whl new file mode 100644 index 000000000..58c3d6a25 Binary files /dev/null and b/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.32.5-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.0.3-py3-none-any.whl deleted file mode 100644 index 5e0b52889..000000000 Binary files a/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.0.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.5.0-py3-none-any.whl new file mode 100644 index 000000000..81b580f1c Binary files /dev/null and b/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.5.0-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2023.5.7-py3-none-any.whl deleted file mode 100644 index c983e799c..000000000 Binary files a/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2023.5.7-py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2025.8.3-py3-none-any.whl new file mode 100644 index 000000000..b4158ec67 Binary files /dev/null and b/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2025.8.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl deleted file mode 100644 index 666649ed2..000000000 Binary files a/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..a8f2bd0c4 Binary files /dev/null and b/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.10-py3-none-any.whl new file mode 100644 index 000000000..52759bdd2 Binary files /dev/null and b/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.10-py3-none-any.whl differ 
diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.4-py3-none-any.whl deleted file mode 100644 index 7343c6845..000000000 Binary files a/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.4-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/requests-2.31.0-py3-none-any.whl deleted file mode 100644 index bfd5d2ea9..000000000 Binary files a/salt/sensoroni/files/analyzers/localfile/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/requests-2.32.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/requests-2.32.5-py3-none-any.whl new file mode 100644 index 000000000..58c3d6a25 Binary files /dev/null and b/salt/sensoroni/files/analyzers/localfile/source-packages/requests-2.32.5-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-2.0.3-py3-none-any.whl deleted file mode 100644 index 5e0b52889..000000000 Binary files a/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-2.0.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-2.5.0-py3-none-any.whl new file mode 100644 index 000000000..81b580f1c Binary files /dev/null and b/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-2.5.0-py3-none-any.whl differ 
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar.json b/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar.json index 7eb43f5ba..83eacba10 100644 --- a/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar.json +++ b/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar.json @@ -1,6 +1,6 @@ { "name": "Malwarebazaar", - "version": "0.1", + "version": "0.2", "author": "Security Onion Solutions", "description": "This analyzer queries Malwarebazaar to see if a hash, gimphash, tlsh, or telfhash is considered malicious.", "supportedTypes" : ["gimphash","hash","tlsh", "telfhash"], diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar.py b/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar.py index 649f6881d..dfc33abab 100755 --- a/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar.py +++ b/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar.py @@ -2,12 +2,21 @@ import requests import helpers import json import sys +import os +import argparse # supports querying for hash, gimphash, tlsh, and telfhash # usage is as follows: # python3 malwarebazaar.py '{"artifactType":"x", "value":"y"}' +def checkConfigRequirements(conf): + if not conf.get('api_key'): + sys.exit(126) + else: + return True + + def buildReq(observ_type, observ_value): # determine correct query type to send based off of observable type unique_types = {'gimphash': 1, 'telfhash': 1, 'tlsh': 1} @@ -18,10 +27,13 @@ def buildReq(observ_type, observ_value): return {'query': qtype, observ_type: observ_value} -def sendReq(meta, query): +def sendReq(conf, meta, query): # send a post request with our compiled query to the API url = meta['baseUrl'] - response = requests.post(url, query) + headers = {} + if conf.get('api_key'): + headers['Auth-Key'] = conf['api_key'] + response = requests.post(url, query, headers=headers) return response.json() 
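Review bot: `checkConfigRequirements` exits with status 126 when `api_key` is empty, yet the new `sendReq` still guards the header with `if conf.get('api_key'):` as though the key were optional; since `analyze` calls `checkConfigRequirements` before the first `sendReq`, that guard is unreachable and the two functions describe contradictory contracts. If MalwareBazaar is meant to be queryable without a key, drop the exit and keep the guard; if the key is mandatory, build the header unconditionally with `headers = {'Auth-Key': conf['api_key']}`. Either way a one-line comment on `sendReq` stating which contract applies would spare the next reader the same question. The `sendReq` signature change from `(meta, query)` to `(conf, meta, query)` is not backward compatible; the callers visible in `analyze` are updated, but any other caller would break at runtime.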
@@ -113,10 +125,11 @@ def prepareResults(raw): return {'response': raw, 'summary': summary, 'status': status} -def analyze(input): +def analyze(conf, input): # put all of our methods together, pass them input, and return # properly formatted json/python dict output - data = json.loads(input) + checkConfigRequirements(conf) + data = helpers.parseArtifact(input) meta = helpers.loadMetadata(__file__) helpers.checkSupportedType(meta, data["artifactType"]) @@ -127,7 +140,7 @@ def analyze(input): # twice for the sake of retrieving more specific data. initialQuery = buildReq(data['artifactType'], data['value']) - initialRaw = sendReq(meta, initialQuery) + initialRaw = sendReq(conf, meta, initialQuery) # To prevent double-querying when a tlsh/gimphash is invalid, # this if statement is necessary. @@ -140,16 +153,22 @@ def analyze(input): return prepareResults(initialRaw) query = buildReq(data['artifactType'], data['value']) - response = sendReq(meta, query) + response = sendReq(conf, meta, query) return prepareResults(response) def main(): - if len(sys.argv) == 2: - results = analyze(sys.argv[1]) + dir = os.path.dirname(os.path.realpath(__file__)) + parser = argparse.ArgumentParser( + description='Search MalwareBazaar for a given artifact') + parser.add_argument( + 'artifact', help='the artifact represented in JSON format') + parser.add_argument('-c', '--config', metavar='CONFIG_FILE', default=dir + '/malwarebazaar.yaml', + help='optional config file to use instead of the default config file') + args = parser.parse_args() + if args.artifact: + results = analyze(helpers.loadConfig(args.config), args.artifact) print(json.dumps(results)) - else: - print("ERROR: Input is not in proper JSON format") if __name__ == '__main__': diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar.yaml b/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar.yaml new file mode 100644 index 000000000..685511432 --- /dev/null 
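Review bot: In the rewritten `main`, `if args.artifact:` can never be false — `artifact` is a required positional, so argparse exits with a usage error before the branch is reached — and the local `dir` shadows the builtin of the same name. Both are copied from the echotrail.py `main` this commit deletes, so the pattern is at least consistent across analyzers, but `config_dir` for the local and dropping the `if` would read cleaner. The removed `else: print("ERROR: Input is not in proper JSON format")` was the only user-facing message for malformed input; whether `helpers.parseArtifact` reports a bad JSON artifact as clearly is not visible in this diff and is worth confirming.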
+++ b/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar.yaml @@ -0,0 +1 @@ +api_key: "{{ salt['pillar.get']('sensoroni:analyzers:malwarebazaar:api_key', '') }}" \ No newline at end of file diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar_test.py b/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar_test.py index 212882048..aba4719e0 100644 --- a/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar_test.py +++ b/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar_test.py @@ -6,22 +6,18 @@ import unittest class TestMalwarebazaarMethods(unittest.TestCase): - def test_main_missing_input(self): - with patch('sys.stdout', new=StringIO()) as mock_cmd: - sys.argv = ["cmd"] - malwarebazaar.main() - self.assertEqual(mock_cmd.getvalue(), - 'ERROR: Input is not in proper JSON format\n') - def test_main_success(self): - with patch('sys.stdout', new=StringIO()) as mock_cmd: - with patch('malwarebazaar.malwarebazaar.analyze', - new=MagicMock(return_value={'test': 'val'})) as mock: - sys.argv = ["cmd", "input"] - malwarebazaar.main() - expected = '{"test": "val"}\n' - self.assertEqual(mock_cmd.getvalue(), expected) - mock.assert_called_once() + output = {"test": "val"} + config = {"api_key": "test_key"} + with patch('sys.stdout', new=StringIO()) as mock_stdout: + with patch('malwarebazaar.malwarebazaar.analyze', new=MagicMock(return_value=output)) as mock_analyze: + with patch('helpers.loadConfig', new=MagicMock(return_value=config)) as mock_config: + sys.argv = ["cmd", "input"] + malwarebazaar.main() + expected = '{"test": "val"}\n' + self.assertEqual(mock_stdout.getvalue(), expected) + mock_analyze.assert_called_once() + mock_config.assert_called_once() def test_isInJson_tail_greater_than_max_depth(self): max_depth = 1000 
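Review bot: The new malwarebazaar.yaml has no trailing newline (`\ No newline at end of file`); the echotrail.yaml removed in this same commit ended with one, and yamllint's `new-line-at-end-of-file` rule will flag this. The quoting of the templated pillar lookup is correct and protects against an empty expansion becoming `null`. The rendered file carries the MalwareBazaar API key in clear text with an empty default, the same pattern the deleted echotrail.yaml used; the salt state that places the file is not in this diff, so confirm it deploys the file with a restrictive mode.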
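Review bot: `test_main_missing_input` is deleted without a replacement, so the argparse error path of the new `main` (no artifact argument) is no longer covered. The echotrail_test.py deleted in this same commit shows the shape of such a test — patch `sys.exit` and `sys.stderr`, set `sys.argv = ["cmd"]`, call `main()`, and assert on the usage text — and it could be carried over almost verbatim. The new `test_main_success` patches `helpers.loadConfig` but only asserts it was called once; adding `self.assertTrue(mock_config.call_args[0][0].endswith('/malwarebazaar.yaml'))` would also pin the default config location.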
@@ -84,6 +80,7 @@ class TestMalwarebazaarMethods(unittest.TestCase): and then we compared results['summary'] with 'no result' """ sendReqOutput = {'threat': 'no_result', "query_status": "ok", 'data': [{'sha256_hash': 'notavalidhash'}]} + config = {"api_key": "test_key"} input = '{"artifactType": "hash", "value": "1234"}' input2 = '{"artifactType": "tlsh", "value": "1234"}' input3 = '{"artifactType": "gimphash", "value": "1234"}' @@ -94,9 +91,9 @@ class TestMalwarebazaarMethods(unittest.TestCase): new=MagicMock(return_value=sendReqOutput)) as mock: with patch('malwarebazaar.malwarebazaar.prepareResults', new=MagicMock(return_value=prep_res_sim)) as mock2: - results = malwarebazaar.analyze(input) - results2 = malwarebazaar.analyze(input2) - results3 = malwarebazaar.analyze(input3) + results = malwarebazaar.analyze(config, input) + results2 = malwarebazaar.analyze(config, input2) + results3 = malwarebazaar.analyze(config, input3) self.assertEqual(results["summary"], prep_res_sim['summary']) self.assertEqual(results2["summary"], prep_res_sim['summary']) self.assertEqual(results3["summary"], prep_res_sim['summary']) @@ -113,6 +110,7 @@ class TestMalwarebazaarMethods(unittest.TestCase): and then we compared results['summary'] with 'no result' """ sendReqOutput = {'threat': 'threat', "query_status": "notok", 'data': [ {'sha256_hash': 'validhash'}]} + config = {"api_key": "test_key"} input = '{"artifactType": "hash", "value": "1234"}' input2 = '{"artifactType": "tlsh", "value": "1234"}' input3 = '{"artifactType": "gimphash", "value": "1234"}' 
@@ -123,9 +121,9 @@ class TestMalwarebazaarMethods(unittest.TestCase): new=MagicMock(return_value=sendReqOutput)) as mock: with patch('malwarebazaar.malwarebazaar.prepareResults', new=MagicMock(return_value=prep_res_sim)) as mock2: - results = malwarebazaar.analyze(input) - results2 = malwarebazaar.analyze(input2) - results3 = malwarebazaar.analyze(input3) + results = malwarebazaar.analyze(config, input) + results2 = malwarebazaar.analyze(config, input2) + results3 = malwarebazaar.analyze(config, input3) self.assertEqual(results["summary"], prep_res_sim['summary']) self.assertEqual(results2["summary"], prep_res_sim['summary']) self.assertEqual(results3["summary"], prep_res_sim['summary']) @@ -239,7 +237,18 @@ class TestMalwarebazaarMethods(unittest.TestCase): def test_sendReq(self): with patch('requests.post', new=MagicMock(return_value=MagicMock())) as mock: + conf = {"api_key": "test_key"} response = malwarebazaar.sendReq( - {'baseUrl': 'https://www.randurl.xyz'}, 'example_data') + conf, {'baseUrl': 'https://www.randurl.xyz'}, 'example_data') self.assertIsNotNone(response) mock.assert_called_once() + + def test_checkConfigRequirements_valid(self): + config = {"api_key": "test_key"} + self.assertTrue(malwarebazaar.checkConfigRequirements(config)) + + def test_checkConfigRequirements_missing_key(self): + config = {} + with self.assertRaises(SystemExit) as cm: + malwarebazaar.checkConfigRequirements(config) + self.assertEqual(cm.exception.code, 126) diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2023.11.17-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2023.11.17-py3-none-any.whl deleted file mode 100644 index de0787f64..000000000 Binary files a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2023.11.17-py3-none-any.whl and /dev/null differ 
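Review bot: `test_checkConfigRequirements_missing_key` covers only an absent key; the rendered malwarebazaar.yaml defaults to `api_key: ""` when the pillar is unset, which is the case an operator will actually hit, and that input is not asserted here. Add a second case with `config = {"api_key": ""}` expecting `SystemExit` with code 126 (the same gap exists in threatfox_test.py's `test_checkConfigRequirements_no_api_key` later in this diff). `test_sendReq` now passes `conf` but still asserts only `mock.assert_called_once()`, so it does not prove the key is forwarded to the request at all; checking `mock.call_args.kwargs.get('headers')` against the expected header (presumably the same `Auth-Key` form threatfox uses, though malwarebazaar.py is not in this diff) would pin the behaviour this change introduces.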
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2025.8.3-py3-none-any.whl
new file mode 100644
index 000000000..b4158ec67
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2025.8.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index 666649ed2..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..a8f2bd0c4
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/idna-3.10-py3-none-any.whl
new file mode 100644
index 000000000..52759bdd2
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/idna-3.10-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/idna-3.6-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/idna-3.6-py3-none-any.whl
deleted file mode 100644
index fdf65ae30..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/idna-3.6-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/requests-2.31.0-py3-none-any.whl
deleted file mode 100644
index bfd5d2ea9..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/requests-2.32.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/requests-2.32.5-py3-none-any.whl
new file mode 100644
index 000000000..58c3d6a25
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/requests-2.32.5-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/urllib3-2.1.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/urllib3-2.1.0-py3-none-any.whl
deleted file mode 100644
index 0951ac354..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/urllib3-2.1.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/urllib3-2.5.0-py3-none-any.whl
new file mode 100644
index 000000000..81b580f1c
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/urllib3-2.5.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2023.5.7-py3-none-any.whl
deleted file mode 100644
index c983e799c..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2023.5.7-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2025.8.3-py3-none-any.whl
new file mode 100644
index 000000000..b4158ec67
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2025.8.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index 666649ed2..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..a8f2bd0c4
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.10-py3-none-any.whl
new file mode 100644
index 000000000..52759bdd2
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.10-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.4-py3-none-any.whl
deleted file mode 100644
index 7343c6845..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.4-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/requests-2.31.0-py3-none-any.whl
deleted file mode 100644
index bfd5d2ea9..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/requests-2.32.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/requests-2.32.5-py3-none-any.whl
new file mode 100644
index 000000000..58c3d6a25
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/requests-2.32.5-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-2.0.3-py3-none-any.whl
deleted file mode 100644
index 5e0b52889..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-2.0.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-2.5.0-py3-none-any.whl
new file mode 100644
index 000000000..81b580f1c
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-2.5.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2023.5.7-py3-none-any.whl
deleted file mode 100644
index c983e799c..000000000
Binary files a/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2023.5.7-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2025.8.3-py3-none-any.whl
new file mode 100644
index 000000000..b4158ec67
Binary files /dev/null and b/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2025.8.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index 666649ed2..000000000
Binary files a/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..a8f2bd0c4
Binary files /dev/null and b/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.10-py3-none-any.whl
new file mode 100644
index 000000000..52759bdd2
Binary files /dev/null and b/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.10-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.4-py3-none-any.whl
deleted file mode 100644
index 7343c6845..000000000
Binary files a/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.4-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/requests-2.31.0-py3-none-any.whl
deleted file mode 100644
index bfd5d2ea9..000000000
Binary files a/salt/sensoroni/files/analyzers/otx/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/requests-2.32.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/requests-2.32.5-py3-none-any.whl
new file mode 100644
index 000000000..58c3d6a25
Binary files /dev/null and b/salt/sensoroni/files/analyzers/otx/source-packages/requests-2.32.5-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-2.0.3-py3-none-any.whl
deleted file mode 100644
index 5e0b52889..000000000
Binary files a/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-2.0.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-2.5.0-py3-none-any.whl
new file mode 100644
index 000000000..81b580f1c
Binary files /dev/null and b/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-2.5.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2023.5.7-py3-none-any.whl
deleted file mode 100644
index c983e799c..000000000
Binary files a/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2023.5.7-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2025.8.3-py3-none-any.whl
new file mode 100644
index 000000000..b4158ec67
Binary files /dev/null and b/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2025.8.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index 666649ed2..000000000
Binary files a/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..a8f2bd0c4
Binary files /dev/null and b/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.10-py3-none-any.whl
new file mode 100644
index 000000000..52759bdd2
Binary files /dev/null and b/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.10-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.4-py3-none-any.whl
deleted file mode 100644
index 7343c6845..000000000
Binary files a/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.4-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/requests-2.31.0-py3-none-any.whl
deleted file mode 100644
index bfd5d2ea9..000000000
Binary files a/salt/sensoroni/files/analyzers/pulsedive/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/requests-2.32.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/requests-2.32.5-py3-none-any.whl
new file mode 100644
index 000000000..58c3d6a25
Binary files /dev/null and b/salt/sensoroni/files/analyzers/pulsedive/source-packages/requests-2.32.5-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-2.0.3-py3-none-any.whl
deleted file mode 100644
index 5e0b52889..000000000
Binary files a/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-2.0.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-2.5.0-py3-none-any.whl
new file mode 100644
index 000000000..81b580f1c
Binary files /dev/null and b/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-2.5.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.3.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.3.0-py3-none-any.whl
deleted file mode 100644
index 24dacf04a..000000000
Binary files a/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.3.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.7.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.7.0-py3-none-any.whl
new file mode 100644
index 000000000..ebbf41c69
Binary files /dev/null and b/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.7.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/spamhaus/spamhaus.yaml b/salt/sensoroni/files/analyzers/spamhaus/spamhaus.yaml
index 271cf27a0..d24790813 100644
--- a/salt/sensoroni/files/analyzers/spamhaus/spamhaus.yaml +++ b/salt/sensoroni/files/analyzers/spamhaus/spamhaus.yaml @@ -1,2 +1,2 @@ lookup_host: zen.spamhaus.org -nameservers: ["{{ salt['pillar.get']('sensoroni:analyzers:spamhaus:nameserver', '') }}"] \ No newline at end of file +nameservers: {{ salt['pillar.get']('sensoroni:analyzers:spamhaus:nameservers', '') }} \ No newline at end of file diff --git a/salt/sensoroni/files/analyzers/spamhaus/spamhaus_test.py b/salt/sensoroni/files/analyzers/spamhaus/spamhaus_test.py index b62024444..93acbdb9c 100644 --- a/salt/sensoroni/files/analyzers/spamhaus/spamhaus_test.py +++ b/salt/sensoroni/files/analyzers/spamhaus/spamhaus_test.py @@ -28,13 +28,16 @@ class TestSpamhausMethods(unittest.TestCase): def test_main_success(self): output = {"foo": "bar"} + conf = {"nameservers": ["1.2.3.4"], "lookup_host": "some.host"} with patch('sys.stdout', new=StringIO()) as mock_stdout: with patch('spamhaus.spamhaus.analyze', new=MagicMock(return_value=output)) as mock: - sys.argv = ["cmd", "input"] - spamhaus.main() - expected = '{"foo": "bar"}\n' - self.assertEqual(mock_stdout.getvalue(), expected) - mock.assert_called_once() + with patch('helpers.loadConfig', new=MagicMock(return_value=conf)) as lcmock: + sys.argv = ["cmd", "input"] + spamhaus.main() + expected = '{"foo": "bar"}\n' + self.assertEqual(mock_stdout.getvalue(), expected) + mock.assert_called_once() + lcmock.assert_called_once() def test_resolve(self): with patch('dns.resolver.Resolver.resolve', new=MagicMock(return_value=MagicMock())) as mock: diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2023.5.7-py3-none-any.whl deleted file mode 100644 index c983e799c..000000000 Binary files a/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2023.5.7-py3-none-any.whl and /dev/null differ 
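Review bot: Dropping the quotes and brackets around the templated value makes the rendered YAML depend on the pillar's type: with the pillar unset the default `''` renders `nameservers: ` (YAML null, not an empty list), and a scalar pillar value renders a bare string where the test in this diff expects a list (`["1.2.3.4"]`). Rendering through a serializer keeps the shape explicit regardless of what the pillar holds, e.g. `nameservers: {{ salt['pillar.get']('sensoroni:analyzers:spamhaus:nameservers', []) | tojson }}`. The pillar key also changes from `nameserver` to `nameservers`; unless something migrates the old key (not visible here), existing deployments silently fall back to the default after upgrade.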
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2025.8.3-py3-none-any.whl
new file mode 100644
index 000000000..b4158ec67
Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2025.8.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index 666649ed2..000000000
Binary files a/salt/sensoroni/files/analyzers/sublime/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..a8f2bd0c4
Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.10-py3-none-any.whl
new file mode 100644
index 000000000..52759bdd2
Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.10-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.4-py3-none-any.whl
deleted file mode 100644
index 7343c6845..000000000
Binary files a/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.4-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.31.0-py3-none-any.whl
deleted file mode 100644
index bfd5d2ea9..000000000
Binary files a/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.32.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.32.5-py3-none-any.whl
new file mode 100644
index 000000000..58c3d6a25
Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.32.5-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.0.3-py3-none-any.whl
deleted file mode 100644
index 5e0b52889..000000000
Binary files a/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.0.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.5.0-py3-none-any.whl
new file mode 100644
index 000000000..81b580f1c
Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.5.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2023.11.17-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2023.11.17-py3-none-any.whl
deleted file mode 100644
index de0787f64..000000000
Binary files a/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2023.11.17-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2025.8.3-py3-none-any.whl
new file mode 100644
index 000000000..b4158ec67
Binary files /dev/null and b/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2025.8.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index 666649ed2..000000000
Binary files a/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..a8f2bd0c4
Binary files /dev/null and b/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.10-py3-none-any.whl
new file mode 100644
index 000000000..52759bdd2
Binary files /dev/null and b/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.10-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.6-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.6-py3-none-any.whl
deleted file mode 100644
index fdf65ae30..000000000
Binary files a/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.6-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/requests-2.31.0-py3-none-any.whl
deleted file mode 100644
index bfd5d2ea9..000000000
Binary files a/salt/sensoroni/files/analyzers/threatfox/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/requests-2.32.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/requests-2.32.5-py3-none-any.whl
new file mode 100644
index 000000000..58c3d6a25
Binary files /dev/null and b/salt/sensoroni/files/analyzers/threatfox/source-packages/requests-2.32.5-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.1.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.1.0-py3-none-any.whl
deleted file mode 100644
index 0951ac354..000000000
Binary files a/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.1.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.5.0-py3-none-any.whl new file mode 100644 index 000000000..81b580f1c Binary files /dev/null and b/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.5.0-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/threatfox/threatfox.json b/salt/sensoroni/files/analyzers/threatfox/threatfox.json index 076e7619d..2ae3ca909 100644 --- a/salt/sensoroni/files/analyzers/threatfox/threatfox.json +++ b/salt/sensoroni/files/analyzers/threatfox/threatfox.json @@ -1,6 +1,6 @@ { "name": "Threatfox", - "version": "0.1", + "version": "0.2", "author": "Security Onion Solutions", "description": "This analyzer queries Threatfox to see if a domain, hash, or IP is considered malicious.", "supportedTypes" : ["domain","hash","ip"], diff --git a/salt/sensoroni/files/analyzers/threatfox/threatfox.py b/salt/sensoroni/files/analyzers/threatfox/threatfox.py index 134ad99ec..a20f072ed 100644 --- a/salt/sensoroni/files/analyzers/threatfox/threatfox.py +++ b/salt/sensoroni/files/analyzers/threatfox/threatfox.py @@ -2,6 +2,8 @@ import requests import helpers import json import sys +import argparse +import os def buildReq(observ_type, observ_value): @@ -13,10 +15,20 @@ def buildReq(observ_type, observ_value): return qterms -def sendReq(meta, query): +def checkConfigRequirements(conf): + if not conf.get('api_key'): + sys.exit(126) + else: + return True + + +def sendReq(conf, meta, query): # send a post request based off of our compiled query url = meta['baseUrl'] - response = requests.post(url, json.dumps(query)) + headers = {} + if conf.get('api_key'): + headers['Auth-Key'] = conf['api_key'] + response = requests.post(url, json.dumps(query), headers=headers) return response.json() 
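Review bot: `checkConfigRequirements` exits with status 126 without writing anything, so a missing or empty `api_key` (which the rendered threatfox.yaml produces when the pillar is unset) surfaces only as an opaque exit code in the sensoroni log. A one-line diagnostic before the exit, `print("ERROR: api_key not configured for threatfox", file=sys.stderr)`, names the cause without changing the exit status the new tests assert. In `sendReq` the `if conf.get('api_key')` guard re-checks what `checkConfigRequirements` already enforces on the `analyze` path; a comment such as `# guard kept for callers that bypass analyze()` would explain the duplication. `response.json()` is still called without inspecting the status code, so an authentication failure on the new header path is reported as a JSON decode error rather than as a rejected key; that is pre-existing, but the auth header makes it a likelier failure mode.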
@@ -51,23 +63,30 @@ def prepareResults(raw): return results -def analyze(input): +def analyze(conf, input): # put all of our methods together, pass them input, and return # properly formatted json/python dict output - data = json.loads(input) + checkConfigRequirements(conf) meta = helpers.loadMetadata(__file__) + data = helpers.parseArtifact(input) helpers.checkSupportedType(meta, data["artifactType"]) query = buildReq(data['artifactType'], data['value']) - response = sendReq(meta, query) + response = sendReq(conf, meta, query) return prepareResults(response) def main(): - if len(sys.argv) == 2: - results = analyze(sys.argv[1]) + dir = os.path.dirname(os.path.realpath(__file__)) + parser = argparse.ArgumentParser( + description='Search ThreatFox for a given artifact') + parser.add_argument( + 'artifact', help='the artifact represented in JSON format') + parser.add_argument('-c', '--config', metavar='CONFIG_FILE', default=dir + '/threatfox.yaml', + help='optional config file to use instead of the default config file') + args = parser.parse_args() + if args.artifact: + results = analyze(helpers.loadConfig(args.config), args.artifact) print(json.dumps(results)) - else: - print("ERROR: Input is not in proper JSON format") if __name__ == '__main__': diff --git a/salt/sensoroni/files/analyzers/threatfox/threatfox.yaml b/salt/sensoroni/files/analyzers/threatfox/threatfox.yaml new file mode 100644 index 000000000..051fc8e74 --- /dev/null +++ b/salt/sensoroni/files/analyzers/threatfox/threatfox.yaml @@ -0,0 +1 @@ +api_key: "{{ salt['pillar.get']('sensoroni:analyzers:threatfox:api_key', '') }}" \ No newline at end of file diff --git a/salt/sensoroni/files/analyzers/threatfox/threatfox_test.py b/salt/sensoroni/files/analyzers/threatfox/threatfox_test.py index 98a15c6bb..5c8fe729e 100644 --- a/salt/sensoroni/files/analyzers/threatfox/threatfox_test.py +++ b/salt/sensoroni/files/analyzers/threatfox/threatfox_test.py 
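Review bot: `if args.artifact:` in `main` can only be false when `sys.exit` has been replaced — argparse rejects a missing positional with exit status 2, and when that exit is mocked (as the updated `test_main_missing_input` does) `error()` returns and `artifact` stays `None` — so the guard reads as dead code to anyone who has not seen the test. A comment such as `# argparse exits on a missing artifact; the guard only matters when sys.exit is mocked in tests` records why it stays. `dir` shadows the builtin and the default config path is built by string concatenation; `cfg_dir = os.path.dirname(os.path.realpath(__file__))` with `default=os.path.join(cfg_dir, 'threatfox.yaml')` is the idiomatic form.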
@@ -13,11 +13,12 @@ class TestThreatfoxMethods(unittest.TestCase): # DOES NOT WORK WITH ARGPARSE/MAIN METHOD def test_main_missing_input(self): - with patch('sys.stdout', new=StringIO()) as mock_cmd: - sys.argv = ["cmd"] - threatfox.main() - self.assertEqual(mock_cmd.getvalue(), - 'ERROR: Input is not in proper JSON format\n') + with patch('sys.exit', new=MagicMock()) as sysmock: + with patch('sys.stderr', new=StringIO()) as mock_stderr: + sys.argv = ["cmd"] + threatfox.main() + self.assertEqual(mock_stderr.getvalue(), "usage: cmd [-h] [-c CONFIG_FILE] artifact\ncmd: error: the following arguments are required: artifact\n") + sysmock.assert_called_once_with(2) # This should 1. create a fake cmd input with 1 arg # and 2. hit the if statement in main which runs a mock @@ -26,13 +27,17 @@ class TestThreatfoxMethods(unittest.TestCase): # which is then asserted equal against an expected value. def test_main_success(self): - with patch('sys.stdout', new=StringIO()) as mock_cmd: - with patch('threatfox.analyze', new=MagicMock(return_value={'test': 'val'})) as mock: - sys.argv = ["cmd", "input"] - threatfox.main() - expected = '{"test": "val"}\n' - self.assertEqual(mock_cmd.getvalue(), expected) - mock.assert_called_once() + output = {"test": "val"} + conf = {"api_key": "test_key"} + with patch('sys.stdout', new=StringIO()) as mock_stdout: + with patch('threatfox.analyze', new=MagicMock(return_value=output)) as mock: + with patch('helpers.loadConfig', new=MagicMock(return_value=conf)) as lcmock: + sys.argv = ["cmd", "input"] + threatfox.main() + expected = '{"test": "val"}\n' + self.assertEqual(mock_stdout.getvalue(), expected) + mock.assert_called_once() + lcmock.assert_called_once() # result stores the output of the buildReq method # comparing result with expected output 
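Review bot: `test_main_missing_input` replaces `sys.exit` with a MagicMock, so argparse's `error()` returns instead of terminating and `main()` continues with `artifact=None`; the test passes only because of the `if args.artifact:` guard in `main`, coupling it to an otherwise-unreachable branch. Asserting the exit the way the new `test_checkConfigRequirements_no_api_key` does is more robust: wrap `threatfox.main()` in `with self.assertRaises(SystemExit) as cm:` and check `self.assertEqual(cm.exception.code, 2)`, keeping the stderr patch for the usage message. The context comment `# DOES NOT WORK WITH ARGPARSE/MAIN METHOD` just above now contradicts the test and should be removed or reworded. The full usage string also hard-codes argparse's formatting, which has varied between Python releases; asserting `assertIn("the following arguments are required: artifact", mock_stderr.getvalue())` is less brittle.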
@@ -58,8 +63,10 @@ class TestThreatfoxMethods(unittest.TestCase):
     # simulate API response and makes sure sendReq gives a response, we are just checking if sendReq gives back anything
     def test_sendReq(self):
         with patch('requests.post', new=MagicMock(return_value=MagicMock())) as mock:
-            response = threatfox.sendReq(
-                {'baseUrl': 'https://www.randurl.xyz'}, 'example_data')
+            conf = {'api_key': 'test_key'}
+            meta = {'baseUrl': 'https://www.randurl.xyz'}
+            query = {'query': 'search_hash', 'hash': 'test_hash'}
+            response = threatfox.sendReq(conf, meta, query)
             self.assertIsNotNone(response)
             mock.assert_called_once()
 
@@ -153,11 +160,23 @@ class TestThreatfoxMethods(unittest.TestCase):
         input created for analyze method call and then we compared results['summary'] with 'no result' """
         sendReqOutput = {'threat': 'no_result'}
         input = '{"artifactType":"hash", "value":"1234"}'
+        conf = {'api_key': 'test_key'}
         prepareResultOutput = {'response': '', 'summary': 'no result', 'status': ''}
         with patch('threatfox.sendReq', new=MagicMock(return_value=sendReqOutput)) as mock:
             with patch('threatfox.prepareResults', new=MagicMock(return_value=prepareResultOutput)) as mock2:
-                results = threatfox.analyze(input)
+                results = threatfox.analyze(conf, input)
                 self.assertEqual(results["summary"], "no result")
                 mock.assert_called_once()
                 mock2.assert_called_once()
+
+    def test_checkConfigRequirements_with_api_key(self):
+        conf = {'api_key': 'test_key'}
+        result = threatfox.checkConfigRequirements(conf)
+        self.assertTrue(result)
+
+    def test_checkConfigRequirements_no_api_key(self):
+        conf = {}
+        with self.assertRaises(SystemExit) as cm:
+            threatfox.checkConfigRequirements(conf)
+        self.assertEqual(cm.exception.code, 126)
 
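Review bot: test_sendReq now passes a conf with an api_key but still only asserts `mock.assert_called_once()`, so a regression in which threatfox.sendReq stops forwarding the key would not be caught; the urlhaus test in this same commit checks the headers argument explicitly. threatfox.sendReq's body is outside this diff, so I can't say which header or field carries the key, but once that is known `mock.assert_called_once_with(...)` with the expected URL, data and headers is the assertion this test should make. The two new checkConfigRequirements tests are fine as written.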
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2023.5.7-py3-none-any.whl
deleted file mode 100644
index c983e799c..000000000
Binary files a/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2023.5.7-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2025.8.3-py3-none-any.whl
new file mode 100644
index 000000000..b4158ec67
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2025.8.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index 666649ed2..000000000
Binary files a/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..a8f2bd0c4
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.10-py3-none-any.whl
new file mode 100644
index 000000000..52759bdd2
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.10-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.4-py3-none-any.whl
deleted file mode 100644
index 7343c6845..000000000
Binary files a/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.4-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/requests-2.31.0-py3-none-any.whl
deleted file mode 100644
index bfd5d2ea9..000000000
Binary files a/salt/sensoroni/files/analyzers/urlhaus/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/requests-2.32.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/requests-2.32.5-py3-none-any.whl
new file mode 100644
index 000000000..58c3d6a25
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlhaus/source-packages/requests-2.32.5-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-2.0.3-py3-none-any.whl
deleted file mode 100644
index 5e0b52889..000000000
Binary files a/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-2.0.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-2.5.0-py3-none-any.whl
new file mode 100644
index 000000000..81b580f1c
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-2.5.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/urlhaus.json b/salt/sensoroni/files/analyzers/urlhaus/urlhaus.json
index d9cf1dce0..50127bced 100644
--- a/salt/sensoroni/files/analyzers/urlhaus/urlhaus.json
+++ b/salt/sensoroni/files/analyzers/urlhaus/urlhaus.json
@@ -1,6 +1,6 @@
 {
   "name": "Urlhaus",
-  "version": "0.1",
+  "version": "0.2",
   "author": "Security Onion Solutions",
   "description": "This analyzer queries URLHaus to see if a URL is considered malicious.",
   "supportedTypes" : ["url"],
diff --git a/salt/sensoroni/files/analyzers/urlhaus/urlhaus.py b/salt/sensoroni/files/analyzers/urlhaus/urlhaus.py
index 3c326d3b0..f332ab1c2 100644
--- a/salt/sensoroni/files/analyzers/urlhaus/urlhaus.py
+++ b/salt/sensoroni/files/analyzers/urlhaus/urlhaus.py
@@ -1,16 +1,28 @@
 import json
+import os
 import requests
 import sys
 import helpers
+import argparse
+
+
+def checkConfigRequirements(conf):
+    if not conf.get('api_key'):
+        sys.exit(126)
+    else:
+        return True
 
 
 def buildReq(artifact_value):
     return {"url": artifact_value}
 
 
-def sendReq(meta, payload):
+def sendReq(conf, meta, payload):
     url = meta['baseUrl']
-    response = requests.request('POST', url, data=payload)
+    headers = {}
+    if conf.get('api_key'):
+        headers['Auth-Key'] = conf['api_key']
+    response = requests.request('POST', url, data=payload, headers=headers)
     return response.json()
 
 
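Review bot: checkConfigRequirements exits with status 126 but writes nothing, so an operator who has not set the pillar value sees only a bare analyzer failure with no hint at the cause; `print('ERROR: api_key is not configured', file=sys.stderr)` before `sys.exit(126)` makes it diagnosable (the `else:` after an exit is also unnecessary). The rewritten requests.request call in sendReq still carries no `timeout=`, so an unresponsive URLhaus endpoint blocks the analyzer indefinitely; `requests.request('POST', url, data=payload, headers=headers, timeout=30)` (30 is an example value, pick the project's usual) bounds the wait. The `if conf.get('api_key')` guard in sendReq repeats the check analyze already made, which is reasonable for direct callers but deserves a one-line comment saying so.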
@@ -31,21 +43,28 @@ def prepareResults(raw):
     return results
 
 
-def analyze(input):
+def analyze(conf, input):
+    checkConfigRequirements(conf)
     meta = helpers.loadMetadata(__file__)
     data = helpers.parseArtifact(input)
     helpers.checkSupportedType(meta, data["artifactType"])
     payload = buildReq(data["value"])
-    response = sendReq(meta, payload)
+    response = sendReq(conf, meta, payload)
     return prepareResults(response)
 
 
 def main():
-    if len(sys.argv) == 2:
-        results = analyze(sys.argv[1])
+    dir = os.path.dirname(os.path.realpath(__file__))
+    parser = argparse.ArgumentParser(
+        description='Search URLhaus for a given artifact')
+    parser.add_argument(
+        'artifact', help='the artifact represented in JSON format')
+    parser.add_argument('-c', '--config', metavar='CONFIG_FILE', default=dir + '/urlhaus.yaml',
+                        help='optional config file to use instead of the default config file')
+    args = parser.parse_args()
+    if args.artifact:
+        results = analyze(helpers.loadConfig(args.config), args.artifact)
         print(json.dumps(results))
-    else:
-        print("ERROR: Missing input JSON")
 
 
 if __name__ == "__main__":
diff --git a/salt/sensoroni/files/analyzers/urlhaus/urlhaus.yaml b/salt/sensoroni/files/analyzers/urlhaus/urlhaus.yaml
new file mode 100644
index 000000000..04bdd9d04
--- /dev/null
+++ b/salt/sensoroni/files/analyzers/urlhaus/urlhaus.yaml
@@ -0,0 +1 @@
+api_key: "{{ salt['pillar.get']('sensoroni:analyzers:urlhaus:api_key', '') }}"
\ No newline at end of file
diff --git a/salt/sensoroni/files/analyzers/urlhaus/urlhaus_test.py b/salt/sensoroni/files/analyzers/urlhaus/urlhaus_test.py
index ae4584ee5..c7ab6123d 100644
--- a/salt/sensoroni/files/analyzers/urlhaus/urlhaus_test.py
+++ b/salt/sensoroni/files/analyzers/urlhaus/urlhaus_test.py
@@ -1,27 +1,24 @@
 from io import StringIO
 import sys
 from unittest.mock import patch, MagicMock
-from urlhaus import urlhaus
 import unittest
+from urlhaus import urlhaus
 
 
 class TestUrlhausMethods(unittest.TestCase):
 
-    def test_main_missing_input(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            sys.argv = ["cmd"]
-            urlhaus.main()
-            self.assertEqual(mock_stdout.getvalue(), "ERROR: Missing input JSON\n")
-
     def test_main_success(self):
         output = {"foo": "bar"}
+        config = {"api_key": "test_key"}
         with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            with patch('urlhaus.urlhaus.analyze', new=MagicMock(return_value=output)) as mock:
-                sys.argv = ["cmd", "input"]
-                urlhaus.main()
-                expected = '{"foo": "bar"}\n'
-                self.assertEqual(mock_stdout.getvalue(), expected)
-                mock.assert_called_once()
+            with patch('urlhaus.urlhaus.analyze', new=MagicMock(return_value=output)) as mock_analyze:
+                with patch('helpers.loadConfig', new=MagicMock(return_value=config)) as mock_config:
+                    sys.argv = ["cmd", "input"]
+                    urlhaus.main()
+                    expected = '{"foo": "bar"}\n'
+                    self.assertEqual(mock_stdout.getvalue(), expected)
+                    mock_analyze.assert_called_once()
+                    mock_config.assert_called_once()
 
     def test_buildReq(self):
         result = urlhaus.buildReq("test")
@@ -29,9 +26,10 @@ class TestUrlhausMethods(unittest.TestCase):
 
     def test_sendReq(self):
         with patch('requests.request', new=MagicMock(return_value=MagicMock())) as mock:
+            conf = {"api_key": "test_key"}
             meta = {"baseUrl": "myurl"}
-            response = urlhaus.sendReq(meta, "mypayload")
-            mock.assert_called_once_with("POST", "myurl", data="mypayload")
+            response = urlhaus.sendReq(conf, meta, "mypayload")
+            mock.assert_called_once_with("POST", "myurl", data="mypayload", headers={"Auth-Key": "test_key"})
             self.assertIsNotNone(response)
 
     def test_prepareResults_none(self):
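Review bot: test_main_missing_input is deleted without a replacement, so urlhaus_test no longer covers the missing-artifact path that the threatfox test file in this same commit still exercises. A test that sets `sys.argv = ["cmd"]`, wraps `urlhaus.main()` in `with self.assertRaises(SystemExit) as cm:` and checks `self.assertEqual(cm.exception.code, 2)` keeps that path covered without depending on argparse's usage text. test_main_success also assigns sys.argv and never restores it, which can leak into later tests in the same process — a pre-existing pattern, but `patch.object(sys, 'argv', ["cmd", "input"])` scopes it to the test.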
@@ -65,8 +63,19 @@ class TestUrlhausMethods(unittest.TestCase):
 
     def test_analyze(self):
         output = {"threat": "malware_download"}
+        config = {"api_key": "test_key"}
         artifactInput = '{"value":"foo","artifactType":"url"}'
         with patch('urlhaus.urlhaus.sendReq', new=MagicMock(return_value=output)) as mock:
-            results = urlhaus.analyze(artifactInput)
+            results = urlhaus.analyze(config, artifactInput)
             self.assertEqual(results["summary"], "malware_download")
             mock.assert_called_once()
+
+    def test_checkConfigRequirements_valid(self):
+        config = {"api_key": "test_key"}
+        self.assertTrue(urlhaus.checkConfigRequirements(config))
+
+    def test_checkConfigRequirements_missing_key(self):
+        config = {}
+        with self.assertRaises(SystemExit) as cm:
+            urlhaus.checkConfigRequirements(config)
+        self.assertEqual(cm.exception.code, 126)
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2023.5.7-py3-none-any.whl
deleted file mode 100644
index c983e799c..000000000
Binary files a/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2023.5.7-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2025.8.3-py3-none-any.whl
new file mode 100644
index 000000000..b4158ec67
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2025.8.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index 666649ed2..000000000
Binary files a/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..a8f2bd0c4
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.10-py3-none-any.whl
new file mode 100644
index 000000000..52759bdd2
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.10-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.4-py3-none-any.whl
deleted file mode 100644
index 7343c6845..000000000
Binary files a/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.4-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/requests-2.31.0-py3-none-any.whl
deleted file mode 100644
index bfd5d2ea9..000000000
Binary files a/salt/sensoroni/files/analyzers/urlscan/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/requests-2.32.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/requests-2.32.5-py3-none-any.whl
new file mode 100644
index 000000000..58c3d6a25
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlscan/source-packages/requests-2.32.5-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-2.0.3-py3-none-any.whl
deleted file mode 100644
index 5e0b52889..000000000
Binary files a/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-2.0.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-2.5.0-py3-none-any.whl
new file mode 100644
index 000000000..81b580f1c
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-2.5.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2023.5.7-py3-none-any.whl
deleted file mode 100644
index c983e799c..000000000
Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2023.5.7-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2025.8.3-py3-none-any.whl
new file mode 100644
index 000000000..b4158ec67
Binary files /dev/null and b/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2025.8.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index 666649ed2..000000000
Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..a8f2bd0c4
Binary files /dev/null and b/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.10-py3-none-any.whl
new file mode 100644
index 000000000..52759bdd2
Binary files /dev/null and b/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.10-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.4-py3-none-any.whl
deleted file mode 100644
index 7343c6845..000000000
Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.4-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/requests-2.31.0-py3-none-any.whl
deleted file mode 100644
index bfd5d2ea9..000000000
Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/requests-2.32.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/requests-2.32.5-py3-none-any.whl
new file mode 100644
index 000000000..58c3d6a25
Binary files /dev/null and b/salt/sensoroni/files/analyzers/virustotal/source-packages/requests-2.32.5-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-2.0.3-py3-none-any.whl
deleted file mode 100644
index 5e0b52889..000000000
Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-2.0.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-2.5.0-py3-none-any.whl
new file mode 100644
index 000000000..81b580f1c
Binary files /dev/null and b/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-2.5.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/requirements.txt b/salt/sensoroni/files/analyzers/whoislookup/requirements.txt
index 7de5f057c..abb38ccc3 100755
--- a/salt/sensoroni/files/analyzers/whoislookup/requirements.txt
+++ b/salt/sensoroni/files/analyzers/whoislookup/requirements.txt
@@ -1,2 +1,2 @@
 requests>=2.31.0
-whoisit>=2.7.0
+whoisit>=2.7.0
\ No newline at end of file
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/anyio-4.10.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/anyio-4.10.0-py3-none-any.whl
new file mode 100644
index 000000000..ba752083e
Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/anyio-4.10.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2023.5.7-py3-none-any.whl
deleted file mode 100644
index c983e799c..000000000
Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2023.5.7-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2025.8.3-py3-none-any.whl
new file mode 100644
index 000000000..b4158ec67
Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2025.8.3-py3-none-any.whl differ
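Review bot: the only change to requirements.txt is the loss of its final newline, while the vendored source-packages in this same commit replace whoisit 2.7.0 with 3.1.1 and add httpx, httpcore, anyio, h11 and sniffio that the new whoisit evidently needs; `whoisit>=2.7.0` therefore no longer describes what is shipped, and the newline removal looks accidental. If the source-packages directory is the source of truth for what gets installed, `whoisit>=3.1.1` with the trailing newline restored keeps the two in step and lets a reader see the major-version jump from the requirements file alone. The requests floor of 2.31.0 is likewise below the vendored 2.32.5, which is harmless but worth aligning at the same time.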
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index 666649ed2..000000000
Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..a8f2bd0c4
Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/exceptiongroup-1.3.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/exceptiongroup-1.3.0-py3-none-any.whl
new file mode 100644
index 000000000..50bf3af10
Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/exceptiongroup-1.3.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/h11-0.16.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/h11-0.16.0-py3-none-any.whl
new file mode 100644
index 000000000..f12b3ce76
Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/h11-0.16.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/httpcore-1.0.9-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/httpcore-1.0.9-py3-none-any.whl
new file mode 100644
index 000000000..74013b88f
Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/httpcore-1.0.9-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/httpx-0.28.1-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/httpx-0.28.1-py3-none-any.whl
new file mode 100644
index 000000000..0a9780e14
Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/httpx-0.28.1-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.10-py3-none-any.whl
new file mode 100644
index 000000000..52759bdd2
Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.10-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.4-py3-none-any.whl
deleted file mode 100644
index 7343c6845..000000000
Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.4-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/python_dateutil-2.8.2-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/python_dateutil-2.8.2-py2.py3-none-any.whl
deleted file mode 100644
index 8ffb92386..000000000
Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/python_dateutil-2.8.2-py2.py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/python_dateutil-2.9.0.post0-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/python_dateutil-2.9.0.post0-py2.py3-none-any.whl
new file mode 100644
index 000000000..b9a14e1bf
Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/python_dateutil-2.9.0.post0-py2.py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/requests-2.31.0-py3-none-any.whl
deleted file mode 100644
index bfd5d2ea9..000000000
Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/requests-2.31.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/requests-2.32.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/requests-2.32.5-py3-none-any.whl
new file mode 100644
index 000000000..58c3d6a25
Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/requests-2.32.5-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/setuptools-80.1.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/setuptools-80.1.0-py3-none-any.whl
deleted file mode 100644
index 98164f3da..000000000
Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/setuptools-80.1.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/six-1.16.0-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/six-1.16.0-py2.py3-none-any.whl
deleted file mode 100644
index fd942658a..000000000
Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/six-1.16.0-py2.py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/six-1.17.0-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/six-1.17.0-py2.py3-none-any.whl
new file mode 100644
index 000000000..c506fd05b
Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/six-1.17.0-py2.py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/sniffio-1.3.1-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/sniffio-1.3.1-py3-none-any.whl
new file mode 100644
index 000000000..04f44e47d
Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/sniffio-1.3.1-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/typing_extensions-4.14.1-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/typing_extensions-4.14.1-py3-none-any.whl
new file mode 100644
index 000000000..d2aef8cf2
Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/typing_extensions-4.14.1-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/typing_extensions-4.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/typing_extensions-4.6.3-py3-none-any.whl
deleted file mode 100644
index bce86d2ce..000000000
Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/typing_extensions-4.6.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-2.0.3-py3-none-any.whl
deleted file mode 100644
index 5e0b52889..000000000
Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-2.0.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-2.5.0-py3-none-any.whl
new file mode 100644
index 000000000..81b580f1c
Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-2.5.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-2.7.0.tar.gz b/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-2.7.0.tar.gz
deleted file mode 100644
index 8a619c85f..000000000
Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-2.7.0.tar.gz and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-3.1.1.tar.gz b/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-3.1.1.tar.gz
new file mode 100644
index 000000000..e46573efd
Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-3.1.1.tar.gz differ
diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml
index c2978b1af..2344655f6 100644
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
@@ -174,6 +174,14 @@ sensoroni:
         sensitive: False
         advanced: True
         forcedType: "[]string"
+    malwarebazaar:
+      api_key:
+        description: API key for the malwarebazaar analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: True
+        advanced: False
+        forcedType: string
     otx:
       api_key:
         description: API key for the OTX analyzer.
@@ -217,6 +225,7 @@ sensoroni:
         helpLink: cases.html
         global: False
         sensitive: False
+        multiline: True
         advanced: True
         forcedTypes: "[]string"
     sublime_platform:
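Review bot: the description of the new malwarebazaar api_key entry uses the lowercase config key as the product name, while the neighbouring entries write the vendor's name (OTX, Urlscan, VirusTotal); `description: API key for the MalwareBazaar analyzer.` matches the existing style, and the threatfox and urlhaus entries added in the next hunk have the same inconsistency. Marking the key `sensitive: True` is the right choice and is consistent with the other api_key entries. In the second hunk, `multiline: True` is added under a setting whose context line reads `forcedTypes: "[]string"` where every other entry uses `forcedType`; that key predates this change, but whether the consumer honours both spellings is worth confirming while the setting is being touched.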
@@ -255,6 +264,14 @@ sensoroni:
         sensitive: False
         advanced: True
         forcedType: string
+    threatfox:
+      api_key:
+        description: API key for the threatfox analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: True
+        advanced: False
+        forcedType: string
     urlscan:
       api_key:
         description: API key for the Urlscan analyzer.
@@ -291,6 +308,14 @@ sensoroni:
         sensitive: False
         advanced: True
         forcedType: string
+    urlhaus:
+      api_key:
+        description: API key for the urlhaus analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: True
+        advanced: False
+        forcedType: string
     virustotal:
       api_key:
         description: API key for the VirusTotal analyzer.
diff --git a/sigs/securityonion-2.4.180-20250916.iso.sig b/sigs/securityonion-2.4.180-20250916.iso.sig
new file mode 100644
index 000000000..4ba61d389
Binary files /dev/null and b/sigs/securityonion-2.4.180-20250916.iso.sig differ
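Review bot: the new urlhaus block is inserted after urlscan, while the visible neighbours (threatfox before urlscan, virustotal after) suggest the analyzer list is kept alphabetical; moving `urlhaus:` above `urlscan:` keeps the file in order and makes later additions diff cleanly. The two blocks themselves mirror the existing api_key entries, with `sensitive: True` so the key is masked in the UI, which is what the pillar-templated threatfox.yaml and urlhaus.yaml in this commit rely on.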