CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

greynoise dep upgrade + use community version with no auth

Browse Source
This commit is contained in:
reyesj2
2025-08-21 14:30:21 -05:00
parent 7d883cb5e0
commit d3108c3549
14 changed files with 36 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
salt/sensoroni/files/analyzers/README.md
View File

@@ -35,7 +35,7 @@ Many analyzers require authentication, via an API key or similar. The table belo
[EchoTrail](https://www.echotrail.io/docs/quickstart) |✓| [EchoTrail](https://www.echotrail.io/docs/quickstart) |✓|
[EmailRep](https://emailrep.io/key) |✓| [EmailRep](https://emailrep.io/key) |✓|
[Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/7.17/setting-up-authentication.html) |✓| [Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/7.17/setting-up-authentication.html) |✓|
[GreyNoise](https://www.greynoise.io/plans/community) |✓| [GreyNoise (community)](https://www.greynoise.io/plans/community) |✗|
[LocalFile](https://github.com/Security-Onion-Solutions/securityonion/tree/fix/sublime_analyzer_documentation/salt/sensoroni/files/analyzers/localfile) |✗| [LocalFile](https://github.com/Security-Onion-Solutions/securityonion/tree/fix/sublime_analyzer_documentation/salt/sensoroni/files/analyzers/localfile) |✗|
[Malware Hash Registry](https://hash.cymru.com/docs_whois) |✗| [Malware Hash Registry](https://hash.cymru.com/docs_whois) |✗|
[MalwareBazaar](https://bazaar.abuse.ch/) |✓| [MalwareBazaar](https://bazaar.abuse.ch/) |✓|

2
salt/sensoroni/files/analyzers/greynoise/greynoise.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "Greynoise IP Analyzer", "name": "Greynoise IP Analyzer",
"version": "0.1", "version": "0.2",
"author": "Security Onion Solutions", "author": "Security Onion Solutions",
"description": "This analyzer queries Greynoise for context around an IP address", "description": "This analyzer queries Greynoise for context around an IP address",
"supportedTypes" : ["ip"] "supportedTypes" : ["ip"]

8
salt/sensoroni/files/analyzers/greynoise/greynoise.py
View File

@@ -7,6 +7,10 @@ import argparse
def checkConfigRequirements(conf): def checkConfigRequirements(conf):
# Community API doesn't require API key
if conf.get('api_version') == 'community':
return True
# Other API versions require API key
if "api_key" not in conf or len(conf['api_key']) == 0: if "api_key" not in conf or len(conf['api_key']) == 0:
sys.exit(126) sys.exit(126)
else: else:
@@ -17,7 +21,9 @@ def sendReq(conf, meta, ip):
url = conf['base_url'] url = conf['base_url']
if conf['api_version'] == 'community': if conf['api_version'] == 'community':
url = url + 'v3/community/' + ip url = url + 'v3/community/' + ip
elif conf['api_version'] == 'investigate' or 'automate': # Community API doesn't use API key
response = requests.request('GET', url=url)
elif conf['api_version'] in ['investigate', 'automate']:
url = url + 'v2/noise/context/' + ip url = url + 'v2/noise/context/' + ip
headers = {"key": conf['api_key']} headers = {"key": conf['api_key']}
response = requests.request('GET', url=url, headers=headers) response = requests.request('GET', url=url, headers=headers)

27
salt/sensoroni/files/analyzers/greynoise/greynoise_test.py
View File

@@ -31,13 +31,26 @@ class TestGreynoiseMethods(unittest.TestCase):
greynoise.checkConfigRequirements(conf) greynoise.checkConfigRequirements(conf)
self.assertEqual(cm.exception.code, 126) self.assertEqual(cm.exception.code, 126)
def test_checkConfigRequirements_community_no_key(self):
conf = {"api_version": "community"}
# Should not raise exception for community version
result = greynoise.checkConfigRequirements(conf)
self.assertTrue(result)
def test_checkConfigRequirements_investigate_no_key(self):
conf = {"api_version": "investigate"}
with self.assertRaises(SystemExit) as cm:
greynoise.checkConfigRequirements(conf)
self.assertEqual(cm.exception.code, 126)
def test_sendReq_community(self): def test_sendReq_community(self):
with patch('requests.request', new=MagicMock(return_value=MagicMock())) as mock: with patch('requests.request', new=MagicMock(return_value=MagicMock())) as mock:
meta = {} meta = {}
conf = {"base_url": "https://myurl/", "api_key": "abcd1234", "api_version": "community"} conf = {"base_url": "https://myurl/", "api_version": "community"}
ip = "192.168.1.1" ip = "192.168.1.1"
response = greynoise.sendReq(conf=conf, meta=meta, ip=ip) response = greynoise.sendReq(conf=conf, meta=meta, ip=ip)
mock.assert_called_once_with("GET", headers={'key': 'abcd1234'}, url="https://myurl/v3/community/192.168.1.1") # Community API should not include headers
mock.assert_called_once_with("GET", url="https://myurl/v3/community/192.168.1.1")
self.assertIsNotNone(response) self.assertIsNotNone(response)
def test_sendReq_investigate(self): def test_sendReq_investigate(self):
@@ -115,3 +128,13 @@ class TestGreynoiseMethods(unittest.TestCase):
results = greynoise.analyze(conf, artifactInput) results = greynoise.analyze(conf, artifactInput)
self.assertEqual(results["summary"], "suspicious") self.assertEqual(results["summary"], "suspicious")
mock.assert_called_once() mock.assert_called_once()
def test_analyze_community_no_key(self):
output = {"ip": "8.8.8.8", "noise": "false", "riot": "true", "classification": "benign", "name": "Google Public DNS", "link": "https://viz.gn.io", "last_seen": "2022-04-26", "message": "Success"}
artifactInput = '{"value":"8.8.8.8","artifactType":"ip"}'
conf = {"base_url": "myurl/", "api_version": "community"}
with patch('greynoise.greynoise.sendReq', new=MagicMock(return_value=output)) as mock:
results = greynoise.analyze(conf, artifactInput)
self.assertEqual(results["summary"], "harmless")
self.assertEqual(results["status"], "ok")
mock.assert_called_once()

BIN
salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2023.5.7-py3-none-any.whl
View File

Binary file not shown.

BIN
salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2025.8.3-py3-none-any.whl Normal file
View File

Binary file not shown.

BIN
salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
View File

Binary file not shown.

BIN
salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl Normal file
View File

Binary file not shown.

BIN
salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.10-py3-none-any.whl Normal file
View File

Binary file not shown.

BIN
salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.4-py3-none-any.whl
View File

Binary file not shown.

BIN
salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.31.0-py3-none-any.whl
View File

Binary file not shown.

BIN
salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.32.5-py3-none-any.whl Normal file
View File

Binary file not shown.

BIN
salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.0.3-py3-none-any.whl
View File

Binary file not shown.

BIN
salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.5.0-py3-none-any.whl Normal file
View File

Binary file not shown.