Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Joe Sandbox API version 2 support #141

Merged
merged 1 commit into from Dec 22, 2017
Merged

Joe Sandbox API version 2 support #141

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
204 changes: 141 additions & 63 deletions analyzers/JoeSandbox/joesandbox_analyzer.py
View file
Open in desktop
Expand Up @@ -3,6 +3,7 @@

from cortexutils.analyzer import Analyzer

import os.path
import requests
import time

Expand All @@ -12,11 +13,10 @@ def __init__(self):
Analyzer.__init__(self)
self.service = self.get_param('config.service', None, 'JoeSandbox service is missing')
self.url = self.get_param('config.url', None, 'JoeSandbox url is missing')
# self.apikey = self.get_param('config.key', None, 'JoeSandbox apikey is missing')
if self.get_param('config.key'):
self.apikey = self.get_param('config.key')
else:
self.apikey = self.get_param('config.apikey', None, 'MISP key for API is missing')
self.apikey = self.get_param('config.apikey', None, 'JoeSandbox API key is missing')
self.analysistimeout = self.get_param('config.analysistimeout', 30*60, None)
self.networktimeout = self.get_param('config.networktimeout', 30, None)

Expand Down Expand Up @@ -55,74 +55,152 @@ def summary(self, raw):

return result

def runv1(self):
data = {
'apikey': self.apikey,
'tandc': 1,
'auto': 1,
'comments': 'Submitted by Cortex'
}
files = {}

# file analysis with internet access
if self.service == 'file_analysis_inet':
extension = os.path.splitext(self.get_param('filename', ''))[1]
filepath = self.get_param('file', None, 'File is missing')
files['sample'] = (filepath + extension, open(filepath, 'rb'))
data['type'] = 'file'
data['inet'] = 1

# file analysis without internet access
elif self.service == 'file_analysis_noinet':
extension = os.path.splitext(self.get_param('filename', ''))[1]
filepath = self.get_param('file', None, 'File is missing')
files['sample'] = (filepath + extension, open(filepath, 'rb'))
data['type'] = 'file'
data['inet'] = 0

# url analysis
elif self.service == 'url_analysis':
data['url'] = self.getData()
data['type'] = 'url'
data['inet'] = 1

else:
self.error('Unknown JoeSandbox service')

# Submit the file/url for analysis
response = requests.post(self.url + 'api/analysis', files=files, data=data, timeout=self.networktimeout)
webid = response.json()['webid']

# Wait for the analysis to finish
data = {
'apikey': self.apikey,
'webid': webid
}
finished = False
tries = 0
while not finished and tries <= self.analysistimeout/60:
time.sleep(60)
response = requests.post(self.url + 'api/analysis/check', data=data, timeout=self.networktimeout)
content = response.json()
if content['status'] == 'finished':
finished = True
tries += 1
if not finished:
self.error('JoeSandbox analysis timed out')

# Download the report
data = {
'apikey': self.apikey,
'webid': webid,
'type': 'irjsonfixed',
'run': 0
}
response = requests.post(self.url + 'api/analysis/download', data=data, timeout=self.networktimeout)
analysis = response.json()['analysis']
analysis['htmlreport'] = self.url + 'analysis/' + str(analysis['id']) + '/0/html'
analysis['pdfreport'] = self.url + 'analysis/' + str(analysis['id']) + '/0/pdf'
self.report(analysis)

def runv2(self):
data = {
'apikey': self.apikey,
'accept-tac': '1',
'systems': None,
'comments': 'Submitted by Cortex'
}
files = {}

# file analysis with internet access
if self.service == 'file_analysis_inet':
extension = os.path.splitext(self.get_param('filename', ''))[1]
filepath = self.get_param('file', None, 'File is missing')
files['sample'] = (filepath + extension, open(filepath, 'rb'))
data['internet-access'] = '1'

# file analysis without internet access
elif self.service == 'file_analysis_noinet':
extension = os.path.splitext(self.get_param('filename', ''))[1]
filepath = self.get_param('file', None, 'File is missing')
files['sample'] = (filepath + extension, open(filepath, 'rb'))
data['internet-access'] = '0'

# url analysis
elif self.service == 'url_analysis':
data['url'] = self.getData()
data['internet-access'] = '1'

else:
self.error('Unknown JoeSandbox service')

# Submit the file/url for analysis
response = requests.post(self.url + 'api/v2/analysis/submit', files=files, data=data, timeout=self.networktimeout)
webid = response.json()['data']['webids'][0]

# Wait for the analysis to finish
data = {
'apikey': self.apikey,
'webid': webid
}
finished = False
tries = 0
while not finished and tries <= self.analysistimeout/60:
time.sleep(60)
response = requests.post(self.url + 'api/v2/analysis/info', data=data, timeout=self.networktimeout)
content = response.json()
if content['data']['status'] == 'finished':
finished = True
tries += 1
if not finished:
self.error('JoeSandbox analysis timed out')

# Download the report
data = {
'apikey': self.apikey,
'webid': webid,
'type': 'irjsonfixed',
'run': 0
}
response = requests.post(self.url + 'api/v2/analysis/download', data=data, timeout=self.networktimeout)
analysis = response.json()['analysis']
analysis['htmlreport'] = self.url + 'analysis/' + str(analysis['id']) + '/0/html'
analysis['pdfreport'] = self.url + 'analysis/' + str(analysis['id']) + '/0/pdf'
self.report(analysis)

def run(self):
Analyzer.run(self)

try:
data = {
'apikey': self.apikey,
'tandc': 1,
'auto': 1,
'comments': 'Submitted by Cortex'
'apikey': self.apikey
}
files = {}

# file analysis with internet access
if self.service == 'file_analysis_inet':
filepath = self.get_param('file', None, 'File is missing')
files['sample'] = open(filepath, 'rb')
data['type'] = 'file'
data['inet'] = 1

# file analysis without internet access
elif self.service == 'file_analysis_noinet':
filepath = self.get_param('file', None, 'File is missing')
files['sample'] = open(filepath, 'rb')
data['type'] = 'file'
data['inet'] = 0

# url analysis
elif self.service == 'url_analysis':
data['url'] = self.getData()
data['type'] = 'url'
data['inet'] = 1

# Check whether API v2 is supported or not
response = requests.post(self.url + 'api/v2/server/online', data=data, timeout=self.networktimeout, allow_redirects=False)
if response.status_code == 200:
self.runv2()
else:
self.error('Unknown JoeSandbox service')

# Submit the file/url for analysis
response = requests.post(self.url + 'api/analysis', files=files, data=data, timeout=self.networktimeout)
webid = response.json()['webid']

# Wait for the analysis to finish
data = {
'apikey': self.apikey,
'webid': webid
}
finished = False
tries = 0
while not finished and tries <= self.analysistimeout/60:
time.sleep(60)
response = requests.post(self.url + 'api/analysis/check', data=data, timeout=self.networktimeout)
content = response.json()
if content['status'] == 'finished':
finished = True
tries += 1
if not finished:
self.error('JoeSandbox analysis timed out')

# Download the report
data = {
'apikey': self.apikey,
'webid': webid,
'type': 'irjsonfixed',
'run': 0
}
response = requests.post(self.url + 'api/analysis/download', data=data, timeout=self.networktimeout)
analysis = response.json()['analysis']
analysis['htmlreport'] = self.url + 'analysis/' + str(analysis['id']) + '/0/html'
analysis['pdfreport'] = self.url + 'analysis/' + str(analysis['id']) + '/0/pdf'
self.report(analysis)
self.runv1()

except Exception as e:
self.unexpectedError(e)
Expand Down