greynoise dep upgrade + use community version with no auth

2025-12-06 09:12:45 +01:00 · 2025-08-21 14:30:21 -05:00
parent 7d883cb5e0
commit d3108c3549
14 changed files with 36 additions and 7 deletions
--- a/salt/sensoroni/files/analyzers/README.md
+++ b/salt/sensoroni/files/analyzers/README.md
@@ -35,7 +35,7 @@ Many analyzers require authentication, via an API key or similar. The table belo
 [EchoTrail](https://www.echotrail.io/docs/quickstart)            |&check;|
 [EmailRep](https://emailrep.io/key)                  |&check;|
 [Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/7.17/setting-up-authentication.html)            |&check;|
-[GreyNoise](https://www.greynoise.io/plans/community)                 |&check;|
+[GreyNoise (community)](https://www.greynoise.io/plans/community)                 |&cross;|
 [LocalFile](https://github.com/Security-Onion-Solutions/securityonion/tree/fix/sublime_analyzer_documentation/salt/sensoroni/files/analyzers/localfile)                 |&cross;|
 [Malware Hash Registry](https://hash.cymru.com/docs_whois)    |&cross;|
 [MalwareBazaar](https://bazaar.abuse.ch/)            |&check;|
--- a/salt/sensoroni/files/analyzers/greynoise/greynoise.json
+++ b/salt/sensoroni/files/analyzers/greynoise/greynoise.json
@@ -1,6 +1,6 @@
 {
  "name": "Greynoise IP Analyzer",
-  "version": "0.1",
+  "version": "0.2",
  "author": "Security Onion Solutions",
  "description": "This analyzer queries Greynoise for context around an IP address",
  "supportedTypes" :  ["ip"]
--- a/salt/sensoroni/files/analyzers/greynoise/greynoise.py
+++ b/salt/sensoroni/files/analyzers/greynoise/greynoise.py
@@ -7,6 +7,10 @@ import argparse


 def checkConfigRequirements(conf):
+    # Community API doesn't require API key
+    if conf.get('api_version') == 'community':
+        return True
+    # Other API versions require API key
    if "api_key" not in conf or len(conf['api_key']) == 0:
        sys.exit(126)
    else:
@@ -17,10 +21,12 @@ def sendReq(conf, meta, ip):
    url = conf['base_url']
    if conf['api_version'] == 'community':
        url = url + 'v3/community/' + ip
-    elif conf['api_version'] == 'investigate' or 'automate':
+        # Community API doesn't use API key
+        response = requests.request('GET', url=url)
+    elif conf['api_version'] in ['investigate', 'automate']:
        url = url + 'v2/noise/context/' + ip
-    headers = {"key": conf['api_key']}
-    response = requests.request('GET', url=url, headers=headers)
+        headers = {"key": conf['api_key']}
+        response = requests.request('GET', url=url, headers=headers)
    return response.json()


--- a/salt/sensoroni/files/analyzers/greynoise/greynoise_test.py
+++ b/salt/sensoroni/files/analyzers/greynoise/greynoise_test.py
@@ -31,13 +31,26 @@ class TestGreynoiseMethods(unittest.TestCase):
            greynoise.checkConfigRequirements(conf)
        self.assertEqual(cm.exception.code, 126)

+    def test_checkConfigRequirements_community_no_key(self):
+        conf = {"api_version": "community"}
+        # Should not raise exception for community version
+        result = greynoise.checkConfigRequirements(conf)
+        self.assertTrue(result)
+
+    def test_checkConfigRequirements_investigate_no_key(self):
+        conf = {"api_version": "investigate"}
+        with self.assertRaises(SystemExit) as cm:
+            greynoise.checkConfigRequirements(conf)
+        self.assertEqual(cm.exception.code, 126)
+
    def test_sendReq_community(self):
        with patch('requests.request', new=MagicMock(return_value=MagicMock())) as mock:
            meta = {}
-            conf = {"base_url": "https://myurl/", "api_key": "abcd1234", "api_version": "community"}
+            conf = {"base_url": "https://myurl/", "api_version": "community"}
            ip = "192.168.1.1"
            response = greynoise.sendReq(conf=conf, meta=meta, ip=ip)
-            mock.assert_called_once_with("GET", headers={'key': 'abcd1234'}, url="https://myurl/v3/community/192.168.1.1")
+            # Community API should not include headers
+            mock.assert_called_once_with("GET", url="https://myurl/v3/community/192.168.1.1")
            self.assertIsNotNone(response)

    def test_sendReq_investigate(self):
@@ -115,3 +128,13 @@ class TestGreynoiseMethods(unittest.TestCase):
            results = greynoise.analyze(conf, artifactInput)
            self.assertEqual(results["summary"], "suspicious")
            mock.assert_called_once()
+
+    def test_analyze_community_no_key(self):
+        output = {"ip": "8.8.8.8", "noise": "false", "riot": "true", "classification": "benign", "name": "Google Public DNS", "link": "https://viz.gn.io", "last_seen": "2022-04-26", "message": "Success"}
+        artifactInput = '{"value":"8.8.8.8","artifactType":"ip"}'
+        conf = {"base_url": "myurl/", "api_version": "community"}
+        with patch('greynoise.greynoise.sendReq', new=MagicMock(return_value=output)) as mock:
+            results = greynoise.analyze(conf, artifactInput)
+            self.assertEqual(results["summary"], "harmless")
+            self.assertEqual(results["status"], "ok")
+            mock.assert_called_once()
--- a/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2023.5.7-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2023.5.7-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2025.8.3-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2025.8.3-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
--- a/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.10-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.10-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.4-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.4-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.31.0-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.31.0-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.32.5-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.32.5-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.0.3-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.0.3-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.5.0-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.5.0-py3-none-any.whl