Analyzer for TheHive Cortex Soc platform. Allows you to run observables against default and custom ClamAV rules.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE
README.md
clam.json
long.html
pyclam_analyzer.py
requirements.txt
short.html

README.md

ClamAV-Analyzer

Analyzer for integrating ClamAV scanning to TheHive and Cortex.

When investigating an incident you may not want to send a file off to Virustotal or some other public resource.

ClamAV will allow you to scan locally, and you can add custom rules to ClamAV via Sigtool and Yara to enhance its detection capability.

Package includes everthing you will need to setup in TheHive

pyclam_analyzer.py
clam.json

Templates:
long.html
short.html

Python package requirements:

cortexutils
os
pyclamd

However! Keep reading

You will need to have Clamd installed and running on the server that TheHive/Cortex is running on so that it can connect for the scans.

As well you will need to make som adjustments to the user and/or group running Clamd by default Clamd runs as the clamav user, you will need to allow root, or edit the config to allow additional groups to clamd as the observables that TheHive will send to the scanner will be owned by the cortex user.