From 0d8271fa7f9a3bdeaf070a81b190488c91fa527c Mon Sep 17 00:00:00 2001
From: Nabil Adouani
Date: Thu, 25 Feb 2021 11:04:39 +0100
Subject: [PATCH 1/4] Add changelog file
---
 CHANGELOG.md | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..d6f6a7f
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,32 @@
+# Change Log
+
+## [2.1.0](https://github.com/TheHive-Project/cortexutils/tree/2.1.0) (2021-02-25)
+[Full Changelog](https://github.com/TheHive-Project/cortexutils/compare/2.0.0...2.1.0)
+
+**Implemented enhancements:**
+
+- API secret logging in Cortex analyzers [\#10](https://github.com/TheHive-Project/cortexutils/issues/10)
+
+**Fixed bugs:**
+
+- Various errors in unittests [\#17](https://github.com/TheHive-Project/cortexutils/issues/17)
+- \[Bug\] manage files in artifacts [\#16](https://github.com/TheHive-Project/cortexutils/issues/16)
+- The tests fail for the Worker Class: io.UnsupportedOperation: fileno [\#7](https://github.com/TheHive-Project/cortexutils/issues/7)
+
+**Closed issues:**
+
+- Trying to add a binary file as observable from analyzer returns error [\#14](https://github.com/TheHive-Project/cortexutils/issues/14)
+- diagnostic output is not valid JSON [\#6](https://github.com/TheHive-Project/cortexutils/issues/6)
+
+**Merged pull requests:**
+
+- file attachment must be managed as binary [\#15](https://github.com/TheHive-Project/cortexutils/pull/15) ([dadokkio](https://github.com/dadokkio))
+
+## [2.0.0](https://github.com/TheHive-Project/cortexutils/tree/2.0.0) (2019-04-04)
+**Implemented enhancements:**
+
+- Deduplicate extracted artifacts from a job report [\#3](https://github.com/TheHive-Project/cortexutils/issues/3)
+
+
+
+\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
\ No newline at end of file
From 38d80654ebda6ea317efbdedbecfe6b910505c93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Leonard?= Date: Sat, 29 Oct 2022 07:04:28 +0200 Subject: [PATCH 2/4] use operations in analyzers --- cortexutils/analyzer.py | 7 ++++++- cortexutils/responder.py | 38 +++++++++++++++++++------------------- cortexutils/worker.py | 20 ++++++++++++++++++++ 3 files changed, 45 insertions(+), 20 deletions(-) diff --git a/cortexutils/analyzer.py b/cortexutils/analyzer.py index e620680..3ed4283 100644 --- a/cortexutils/analyzer.py +++ b/cortexutils/analyzer.py @@ -102,11 +102,16 @@ def report(self, full_report, ensure_ascii=False): summary = self.summary(full_report) except Exception: pass - + operation_list = [] + try: + operation_list = self.operations(full_report) + except Exception: + pass super(Analyzer, self).report({ 'success': True, 'summary': summary, 'artifacts': self.artifacts(full_report), + 'operations': operation_list, 'full': full_report }, ensure_ascii) diff --git a/cortexutils/responder.py b/cortexutils/responder.py index 0c13a2a..84b0fb8 100644 --- a/cortexutils/responder.py +++ b/cortexutils/responder.py 
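Review bot: The new `self.operations(full_report)` call is wrapped in `except Exception: pass`, so any bug in a subclass's `operations()` is silently turned into an empty list while the report is still emitted with `'success': True`, and the analyzer author gets no signal that their post-job actions never ran. The summary block just above has the same shape, so this is consistent, but a failure in operations should at least be surfaced before falling back — e.g. `except Exception as exc: sys.stderr.write('operations() failed: %s\n' % exc)` (assuming `sys` is in scope in analyzer.py, which this hunk does not show). A subclass that returns `None` also ends up as `"operations": null` in the JSON; `operation_list = list(self.operations(full_report) or [])` keeps the field a list, which is what the Worker default and docstring promise. `report`'s signature and the start of the summary try/except are above this hunk, in the header context line.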
@@ -20,25 +20,25 @@ def get_data(self): :return: Data (observable value) given through Cortex""" return self.get_param('data', None, 'Missing data field') - @staticmethod - def build_operation(op_type, **parameters): - """ - :param op_type: an operation type as a string - :param parameters: a dict including the operation's params - :return: dict - """ - operation = { - 'type': op_type - } - operation.update(parameters) - - return operation - - def operations(self, raw): - """Returns the list of operations to be executed after the job completes - - :returns: by default return an empty array""" - return [] + # @staticmethod + # def build_operation(op_type, **parameters): + # """ + # :param op_type: an operation type as a string + # :param parameters: a dict including the operation's params + # :return: dict + # """ + # operation = { + # 'type': op_type + # } + # operation.update(parameters) + + # return operation + + # def operations(self, raw): + # """Returns the list of operations to be executed after the job completes + + # :returns: by default return an empty array""" + # return [] def report(self, full_report, ensure_ascii=False): """Returns a json dict via stdout. diff --git a/cortexutils/worker.py b/cortexutils/worker.py index f62d406..15bf151 100644 --- a/cortexutils/worker.py +++ b/cortexutils/worker.py 
@@ -127,6 +127,26 @@ def get_data(self): :return: Data (observable value) given through Cortex""" return self.get_param('data', None, 'Missing data field') + @staticmethod + def build_operation(op_type, **parameters): + """ + :param op_type: an operation type as a string + :param parameters: a dict including the operation's params + :return: dict + """ + operation = { + 'type': op_type + } + operation.update(parameters) + + return operation + + def operations(self, raw): + """Returns the list of operations to be executed after the job completes + + :returns: by default return an empty array""" + return [] + def get_param(self, name, default=None, message=None): """Just a wrapper for Analyzer.__get_param. :param name: Name of the parameter to get. JSON-like syntax, e.g. `config.username` From e85738bdcbc66cd281e7a2445b99e8338b7f4f9f Mon Sep 17 00:00:00 2001 From: Nabil Adouani Date: Mon, 7 Nov 2022 18:58:22 +0100 Subject: [PATCH 3/4] #19 Manual merge of PR#19 --- cortexutils/analyzer.py | 4 ++-- cortexutils/responder.py | 4 ++-- cortexutils/worker.py | 23 ++++++++++++++--------- setup.py | 2 +- 4 files changed, 19 insertions(+), 14 deletions(-) diff --git a/cortexutils/analyzer.py b/cortexutils/analyzer.py index 3ed4283..ec639c1 100644 --- a/cortexutils/analyzer.py +++ b/cortexutils/analyzer.py @@ -14,8 +14,8 @@ class Analyzer(Worker): - def __init__(self, job_directory=None): - Worker.__init__(self, job_directory) + def __init__(self, job_directory=None, secret_phrases=None): + Worker.__init__(self, job_directory, secret_phrases) # Not breaking compatibility self.artifact = self._input diff --git a/cortexutils/responder.py b/cortexutils/responder.py index 84b0fb8..21f74b9 100644 --- a/cortexutils/responder.py +++ b/cortexutils/responder.py 
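Review bot: `operations(self, raw)` is now the hook every analyzer and responder author will override, since `Analyzer.report` calls it with the full report, yet its `raw` parameter is undocumented; the docstring should state `:param raw: the full report dict that was passed to report()` and `:returns: list of dicts, each built with build_operation(); empty by default`. In `build_operation`, `operation.update(parameters)` runs after `'type'` is set, so a caller that passes `type=` among the keyword arguments silently overwrites the positional `op_type`; building the dict as `operation = dict(parameters)` and then assigning `operation['type'] = op_type` makes the positional argument authoritative. The hunk also sits in the middle of `Worker`, whose class line and the following `get_param` body are outside it.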
@@ -8,8 +8,8 @@ class Responder(Worker): - def __init__(self, job_directory=None): - Worker.__init__(self, job_directory) + def __init__(self, job_directory=None, secret_phrases=None): + Worker.__init__(self, job_directory, secret_phrases) # Not breaking compatibility self.artifact = self._input diff --git a/cortexutils/worker.py b/cortexutils/worker.py index 15bf151..c5aab6a 100644 --- a/cortexutils/worker.py +++ b/cortexutils/worker.py @@ -1,23 +1,28 @@ #!/usr/bin/env python # encoding: utf-8 -import os -import sys import codecs import json +import os import select +import sys +DEFAULT_SECRET_PHRASES = ("key", "password", "secret") class Worker(object): READ_TIMEOUT = 3 # seconds - def __init__(self, job_directory): + def __init__(self, job_directory, secret_phrases): if job_directory is None: if len(sys.argv) > 1: job_directory = sys.argv[1] else: job_directory = '/job' self.job_directory = job_directory + if secret_phrases is None: + self.secret_phrases = DEFAULT_SECRET_PHRASES + else: + self.secret_phrases = secret_phrases # Load input self._input = {} if os.path.isfile('%s/input/input.json' % self.job_directory): @@ -164,13 +169,13 @@ def error(self, message, ensure_ascii=False): # Get analyzer input analyzer_input = self._input - # Define sensitive key values - secrets = ['password', 'key', 'secret'] - # Loop over all the sensitive config names and clean them - for config_key, v in analyzer_input.get('config', {}).items(): - if any(secret in config_key.lower() for secret in secrets): - analyzer_input.get('config', {})[config_key] = 'REMOVED' + for config_key in analyzer_input.get('config', {}).keys(): + if any( + secret_phrase in config_key.lower() + for secret_phrase in self.secret_phrases + ): + analyzer_input['config'][config_key] = 'REMOVED' self.__write_output({'success': False, 'input': analyzer_input, diff --git a/setup.py b/setup.py index d159def..814cf3f 100644 --- a/setup.py +++ b/setup.py 
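Review bot: `Worker.__init__` now requires `secret_phrases` as a second positional argument with no default, so any subclass that calls `Worker.__init__(self, job_directory)` directly (rather than through `Analyzer`/`Responder`, which this patch updates) fails with a TypeError; `def __init__(self, job_directory, secret_phrases=None):` keeps the old call working. The comparison in `error()` lowercases the config key but not the phrase, so a caller-supplied `secret_phrases=('ApiKey',)` never matches and that value is echoed back unmasked — normalising the phrases once here fixes that, and a bare string passed instead of a sequence (which would otherwise be iterated character by character) is worth guarding against at the same time. The default tuple also omits common credential names such as `token`, `passphrase` and `credential`; since the test is a substring match, extending `DEFAULT_SECRET_PHRASES` only risks over-masking, which is the safe direction for an error dump.
```python
DEFAULT_SECRET_PHRASES = ("key", "password", "secret", "token", "passphrase", "credential")

# … unchanged: class Worker / READ_TIMEOUT …

    def __init__(self, job_directory, secret_phrases=None):
        # … unchanged: job_directory resolution …
        if secret_phrases is None:
            secret_phrases = DEFAULT_SECRET_PHRASES
        elif isinstance(secret_phrases, str):
            secret_phrases = (secret_phrases,)
        # error() matches against config_key.lower(); store the phrases
        # lowercased so mixed-case phrases supplied by a caller still match.
        self.secret_phrases = tuple(phrase.lower() for phrase in secret_phrases)
        # … unchanged: input loading …
```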
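Review bot: The masking loop only rewrites the top-level keys of `analyzer_input['config']`, so if a config value is itself a dict or list (the hunk does not show whether Cortex ever nests config, so this is a precaution) any secret-looking key inside it is written out verbatim in the error report; and because `analyzer_input = self._input` is an alias, the masking also mutates the worker's own input in place rather than a copy. A small recursive scrub over the config subtree, applied to a shallow copy, closes both gaps and produces exactly the same output as today for a flat config. `error` starts above this hunk (its signature is in the hunk header) and the `self.__write_output(...)` call continues below it.
```python
        analyzer_input = dict(self._input)

        def _scrub(value):
            # Mask any mapping entry whose key contains a secret phrase, at every depth.
            if isinstance(value, dict):
                return {
                    k: 'REMOVED'
                    if any(p in str(k).lower() for p in self.secret_phrases)
                    else _scrub(v)
                    for k, v in value.items()
                }
            if isinstance(value, list):
                return [_scrub(v) for v in value]
            return value

        if 'config' in analyzer_input:
            analyzer_input['config'] = _scrub(analyzer_input['config'])

        # … unchanged: self.__write_output({'success': False, 'input': analyzer_input, …}) …
```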
@@ -2,7 +2,7 @@ setup( name='cortexutils', - version='2.1.0', + version='2.2.0', description='A Python library for including utility classes for Cortex analyzers and responders', long_description=open('README').read(), author='TheHive-Project', From 2882aa601d6844b1ba0f4a0fdc29436237d2125b Mon Sep 17 00:00:00 2001 From: Nabil Adouani Date: Mon, 7 Nov 2022 19:00:21 +0100 Subject: [PATCH 4/4] Clean up commented code --- cortexutils/responder.py | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/cortexutils/responder.py b/cortexutils/responder.py index 21f74b9..3cd0939 100644 --- a/cortexutils/responder.py +++ b/cortexutils/responder.py @@ -20,26 +20,6 @@ def get_data(self): :return: Data (observable value) given through Cortex""" return self.get_param('data', None, 'Missing data field') - # @staticmethod - # def build_operation(op_type, **parameters): - # """ - # :param op_type: an operation type as a string - # :param parameters: a dict including the operation's params - # :return: dict - # """ - # operation = { - # 'type': op_type - # } - # operation.update(parameters) - - # return operation - - # def operations(self, raw): - # """Returns the list of operations to be executed after the job completes - - # :returns: by default return an empty array""" - # return [] - def report(self, full_report, ensure_ascii=False): """Returns a json dict via stdout.