#172 first update
jeromeleonard committed Jan 19, 2018
1 parent fe5a847 commit 6495339
Showing 7 changed files with 284 additions and 63 deletions.
35 changes: 29 additions & 6 deletions analyzers/Abuse_Finder/Abuse_Finder.json
Expand Up @@ -5,12 +5,35 @@
"url": "https://github.com/CERT-BDF/Cortex-Analyzers",
"license": "AGPL-V3",
"baseConfig": "Abuse_Finder",
"config": {
"check_tlp": false,
"max_tlp":3,
"service":""
},
"description": "Find abuse contacts associated with domain names, URLs, IPs and email addresses.",
"dataTypeList": ["ip", "domain", "url", "mail"],
"command": "Abuse_Finder/abusefinder.py"
"command": "Abuse_Finder/abusefinder.py",
"config": {
"configurationItems": [
{
"name": "service",
"description": "Service Name",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "abuse_finder"
},
{
"name": "check_tlp",
"description": "Define if the analyzer should check TLP of data before running",
"type": "bool",
"multi": false,
"required": true,
"defaultValue": false
},
{
"name": "max_tlp",
"description": "Define the maximum TLP level autorized",
"type": "number",
"multi": false,
"required": true,
"defaultValue": 3
}
]
}
}
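Review bot: The `max_tlp` description carries a typo, `"description": "Define the maximum TLP level authorized"` is the intended text; the same string is repeated in Bluecoat_Categorization.json, MISP.json, both Robtex files and both VirusTotal files, so one fix should be applied to all seven. The `service` default also moves from `""` to `"abuse_finder"`; whether abusefinder.py reads that value is not visible in this hunk, so it is worth confirming the new default is what the script expects. The enclosing JSON object starts before this hunk.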
63 changes: 43 additions & 20 deletions analyzers/Bluecoat/Bluecoat_Categorization.json
@@ -1,20 +1,43 @@
{
"name": "Bluecoat_Categorization",
"version": "1.0",
"author": "CERT La Poste",
"url": "https://github.com/CERT-BDF/Cortex-Analyzers",
"description": "Retrieve Bluecoat categorization of a domain / url / FQDN",
"dataTypeList": [
"domain",
"url",
"fqdn"
],
"license": "AGPL-V3",
"command": "Bluecoat/categorization.py",
"config": {
"check_tlp": false,
"max_tlp": 3,
"service": ""
}
}

{
"name": "Bluecoat_Categorization",
"version": "1.0",
"author": "CERT La Poste",
"url": "https://github.com/CERT-BDF/Cortex-Analyzers",
"description": "Retrieve Bluecoat categorization of a domain / url / FQDN",
"dataTypeList": [
"domain",
"url",
"fqdn"
],
"license": "AGPL-V3",
"command": "Bluecoat/categorization.py",
"config": {
"configurationItems": [
{
"name": "service",
"description": "Service Name",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "bluecoat_cat"
},
{
"name": "check_tlp",
"description": "Define if the analyzer should check TLP of data before running",
"type": "bool",
"multi": false,
"required": true,
"defaultValue": false
},
{
"name": "max_tlp",
"description": "Define the maximum TLP level autorized",
"type": "number",
"multi": false,
"required": true,
"defaultValue": 3
}
]
}
}
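Review bot: The `service` item gets a non-empty default `"bluecoat_cat"` where the old config used `""`, and it is the only item marked `"required": false` while `check_tlp` and `max_tlp` are `"required": true` despite also having defaults. It is unclear from the file whether `required` means "must be set by the operator" or "must be present after defaults are applied"; if the former, `check_tlp` and `max_tlp` should probably not carry defaults, and if the latter, `service` should be `true` like the other two. A one-line note in the commit description on how `required` and `defaultValue` interact would remove the ambiguity for every analyzer touched here.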

52 changes: 50 additions & 2 deletions analyzers/MISP/MISP.json
Expand Up @@ -6,8 +6,56 @@
"version": "2.0",
"baseConfig": "MISP",
"config": {
"check_tlp": false,
"max_tlp": 3
"configurationItems": [
{
"name": "service",
"description": "Service Name",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "misp"
},
{
"name": "check_tlp",
"description": "Define if the analyzer should check TLP of data before running",
"type": "bool",
"multi": false,
"required": true,
"defaultValue": false
},
{
"name": "max_tlp",
"description": "Define the maximum TLP level autorized",
"type": "number",
"multi": false,
"required": true,
"defaultValue": 3
},
{
"name": "url",
"description": "URL of MISP servers",
"type": "string",
"multi": true,
"required": true,
"defaultValue": [ "Server1", "Server2"]
},
{
"name": "key",
"description": "API key for each server",
"type": "string",
"multi": true,
"required": true,
"defaultValue": [ "API key for Server1", "API key for Server2"]
},
{
"name": "cert_path",
"description": "Verify server certificate or path to the CA on the system",
"type": "string",
"multi": true,
"required": false,
"defaultValue": [ True, True]
}
]
},
"description": "Query multiple MISP instances for events containing an observable.",
"dataTypeList": ["domain", "ip", "url", "fqdn", "uri_path","user-agent", "hash", "email", "mail", "mail_subject" , "registry", "regexp", "other", "filename"],
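Review bot: The `cert_path` item ends with `"defaultValue": [ True, True]`, which is not JSON — the literal must be lowercase, `"defaultValue": [ true, true ]`, or a strict parser rejects the whole file. Even with that fixed, the item declares `"type": "string"` while its defaults are booleans; since the description says the value is either a verify flag or a CA path, either the type should reflect that or the default should be a string. The `url` and `key` items are `"required": true` yet ship placeholder defaults such as `"API key for Server1"`, which means an unconfigured deployment would send a fake credential to a fake host instead of failing fast; an empty list or no default is safer for a secret. The JSON object continues past the end of this hunk.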
32 changes: 28 additions & 4 deletions analyzers/Robtex/Robtex_IP_Query.json
Expand Up @@ -7,9 +7,33 @@
"description": "Check IPs using the Robtex IP API",
"dataTypeList": ["ip"],
"baseConfig": "Robtex",
"command": "Robtex/robtex.py",
"config": {
"check_tlp": false,
"service": "ipquery"
},
"command": "Robtex/robtex.py"
"configurationItems": [
{
"name": "service",
"description": "Service Name",
"type": "string",
"multi": false,
"required": true,
"defaultValue": "ipquery"
},
{
"name": "check_tlp",
"description": "Define if the analyzer should check TLP of data before running",
"type": "bool",
"multi": false,
"required": true,
"defaultValue": false
},
{
"name": "max_tlp",
"description": "Define the maximum TLP level autorized",
"type": "number",
"multi": false,
"required": true,
"defaultValue": 3
}
]
}
}
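Review bot: The `service` item is `"required": true` here and in Robtex_Reverse_PDNS_Query.json, whereas every other analyzer in this commit declares it `"required": false`; since both Robtex files share `Robtex/robtex.py` and the value selects the query, `true` looks deliberate, but the inconsistency should be stated or resolved. The old config had no `max_tlp` at all, so adding `"defaultValue": 3` changes behaviour if robtex.py already checks it; worth confirming. The enclosing object starts before this hunk.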
31 changes: 28 additions & 3 deletions analyzers/Robtex/Robtex_Reverse_PDNS_Query.json
Expand Up @@ -7,9 +7,34 @@
"description": "Check IPs using the Robtex reverse passive dns API",
"dataTypeList": ["ip"],
"baseConfig": "Robtex",
"command": "Robtex/robtex.py",
"config": {
"check_tlp": false,
"service": "rpdnsquery"
"configurationItems": [
{
"name": "service",
"description": "Service Name",
"type": "string",
"multi": false,
"required": true,
"defaultValue": "rpdnsquery"
},
{
"name": "check_tlp",
"description": "Define if the analyzer should check TLP of data before running",
"type": "bool",
"multi": false,
"required": true,
"defaultValue": false
},
{
"name": "max_tlp",
"description": "Define the maximum TLP level autorized",
"type": "number",
"multi": false,
"required": true,
"defaultValue": 3
}
]
},
"command": "Robtex/robtex.py"

}
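Review bot: A stray blank line sits between `"command": "Robtex/robtex.py"` and the closing brace, and `command` has been moved below `config` while the sibling Robtex_IP_Query.json keeps it above; dropping the blank line and using one key order across the Robtex pair keeps the two files diffable. The enclosing object starts before this hunk.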
67 changes: 53 additions & 14 deletions analyzers/VirusTotal/VirusTotal_GetReport.json
@@ -1,16 +1,55 @@
{
"name": "VirusTotal_GetReport",
"version": "3.0",
"author": "CERT-BDF",
"url": "https://github.com/CERT-BDF/Cortex-Analyzers",
"license": "AGPL-V3",
"description": "Get the latest VirusTotal report for a file, hash, domain or an IP address.",
"dataTypeList": ["file", "hash", "domain", "ip"],
"baseConfig": "VirusTotal",
"config": {
"check_tlp": true,
"max_tlp": 3,
"service": "get"
},
"command": "VirusTotal/virustotal.py"
"name": "VirusTotal_GetReport",
"version": "3.0",
"author": "CERT-BDF",
"url": "https://github.com/CERT-BDF/Cortex-Analyzers",
"license": "AGPL-V3",
"description": "Get the latest VirusTotal report for a file, hash, domain or an IP address.",
"dataTypeList": ["file", "hash", "domain", "ip"],
"command": "VirusTotal/virustotal.py",
"baseConfig": "VirusTotal",
"config": {
"configurationItems": [
{
"name": "service",
"description": "Service Name",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "get"
},
{
"name": "check_tlp",
"description": "Define if the analyzer should check TLP of data before running",
"type": "bool",
"multi": false,
"required": true,
"defaultValue": false
},
{
"name": "max_tlp",
"description": "Define the maximum TLP level autorized",
"type": "number",
"multi": false,
"required": true,
"defaultValue": 3
},
{
"name": "key",
"description": "API key for Virustotal",
"type": "string",
"multi": false,
"required": true,
"defaultValue": "<API key>"
},
{
"name": "polling_interval",
"description": "Define time interval between two requests attempts for the report",
"type": "number",
"multi": false,
"required": false,
"defaultValue": 60
}
]
}
}
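Review bot: The `check_tlp` default flips from the old `"check_tlp": true` to `"defaultValue": false`, which turns the TLP gate off by default for an analyzer that sends observables to an external service; `"defaultValue": true` preserves the previous behaviour, and the same regression is in VirusTotal_Scan.json, where the old config also had `check_tlp: true` and a `max_tlp` of 1. The `key` item is `"required": true` but defaults to `"<API key>"`, so an unconfigured instance would send a literal placeholder to VirusTotal rather than fail validation; an empty default is preferable for a secret.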
67 changes: 53 additions & 14 deletions analyzers/VirusTotal/VirusTotal_Scan.json
@@ -1,16 +1,55 @@
{
"name": "VirusTotal_Scan",
"version": "3.0",
"author": "CERT-BDF",
"url": "https://github.com/CERT-BDF/Cortex-Analyzers",
"license": "AGPL-V3",
"description": "Use VirusTotal to scan a file or URL.",
"dataTypeList": ["file", "url"],
"baseConfig": "VirusTotal",
"config": {
"check_tlp": true,
"service": "scan",
"max_tlp": 1
},
"command": "VirusTotal/virustotal.py"
"name": "VirusTotal_Scan",
"version": "3.0",
"author": "CERT-BDF",
"url": "https://github.com/CERT-BDF/Cortex-Analyzers",
"license": "AGPL-V3",
"description": "Use VirusTotal to scan a file or URL.",
"dataTypeList": ["file", "url"],
"baseConfig": "VirusTotal",
"config": {
"configurationItems": [
{
"name": "service",
"description": "Service Name",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "scan"
},
{
"name": "check_tlp",
"description": "Define if the analyzer should check TLP of data before running",
"type": "bool",
"multi": false,
"required": true,
"defaultValue": false
},
{
"name": "max_tlp",
"description": "Define the maximum TLP level autorized",
"type": "number",
"multi": false,
"required": true,
"defaultValue": 1
},
{
"name": "key",
"description": "API key for Virustotal",
"type": "string",
"multi": false,
"required": true,
"defaultValue": "<API key>"
},
{
"name": "polling_interval",
"description": "Define time interval between two requests attempts for the report",
"type": "number",
"multi": false,
"required": false,
"defaultValue": 60
}
]
},
"command": "VirusTotal/virustotal.py"
}
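Review bot: The `polling_interval` description reads "between two requests attempts"; `"description": "Time interval in seconds between two request attempts for the report"` fixes the grammar and names the unit, which the bare `60` otherwise leaves ambiguous; the same item in VirusTotal_GetReport.json has the identical wording. Here `command` stays below `config` while VirusTotal_GetReport.json moves it above `baseConfig`; one key order across the two VirusTotal files would keep them easy to compare.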
