A connector for VirusTotal

.gitignore

@@ -0,0 +1,40 @@
+*.py[cod]
+
+# C extensions
+*.so
+
+# Packages
+*.egg
+*.egg-info
+dist
+build
+eggs
+parts
+bin
+var
+sdist
+develop-eggs
+.installed.cfg
+lib
+lib64
+
+# Installer logs
+pip-log.txt
+
+# Unit test / coverage reports
+.coverage
+.tox
+nosetests.xml
+
+# Translations
+*.mo
+
+# Mr Developer
+.mr.developer.cfg
+.project
+.pydevproject
+
+# IDE exclusions
+.idea
+
+config.ini

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Carbon Black Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

MANIFEST

@@ -0,0 +1,24 @@
+# file GENERATED by distutils, do NOT edit
+cb-virustotal-connector.spec
+setup.py
+cbopensource/__init__.py
+cbopensource/__init__.pyc
+cbopensource/connectors/__init__.py
+cbopensource/connectors/__init__.pyc
+cbopensource/connectors/virustotal/0001-Changed-Version-to-1.0.patch
+cbopensource/connectors/virustotal/0001-fixes-to-init.d-script.patch
+cbopensource/connectors/virustotal/__init__.py
+cbopensource/connectors/virustotal/__init__.pyc
+cbopensource/connectors/virustotal/apiclient_virustotal.py
+cbopensource/connectors/virustotal/apiclient_virustotal.pyc
+cbopensource/connectors/virustotal/bridge.py
+cbopensource/connectors/virustotal/bridge.py.backup
+cbopensource/connectors/virustotal/joe
+cbopensource/connectors/virustotal/joe-original
+cbopensource/connectors/virustotal/test.py
+cbopensource/connectors/virustotal/testing.conf
+root/etc/cb/integrations/virustotal/connector.conf.example
+root/etc/init.d/cb-virustotal-connector
+root/usr/share/cb/integrations/virustotal/cacert.pem
+root/usr/share/cb/integrations/virustotal/virustotal-logo.png
+scripts/cb-virustotal-connector

MANIFEST.in

@@ -0,0 +1,6 @@
+recursive-include cbopensource *
+recursive-include root/etc *
+recursive-include root/usr *
+recursive-include scripts
+
+include cb-virustotal-connector.spec

README.md

@@ -0,0 +1,69 @@
+# Carbon Black - virustotal Connector
+
+The virustotal connector submits binaries collected by Carbon Black to virustotal
+for binary analysis. The results are collected and placed into an Intelligence
+Feed on your Carbon Black server. The feed will then tag any binaries executed on your
+endpoints identified as malware by virustotal. Only binaries submitted by the connector
+for analysis will be included in the generated Intelligence Feed.
+
+## Installation Quickstart
+
+As root on your Carbon Black or other RPM based 64-bit Linux distribution server:
+```
+cd /etc/yum.repos.d
+curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
+yum install python-cb-virustotal-connector
+```
+
+Once the software is installed via YUM, copy the `/etc/cb/integrations/virustotal/connector.conf.example` file to
+`/etc/cb/integrations/virustotal/connector.conf`. Edit this file and place your Carbon Black API key into the
+`carbonblack_server_token` variable and your Carbon Black server's base URL into the `carbonblack_server_url` variable.
+
+Then you must place your credentials for virustotal into the configuration file: place API token
+into the `virustotal_api_token` variable in the
+`/etc/cb/integrations/virustotal/connector.conf` file.
+
+Any errors will be logged into `/var/log/cb/integrations/virustotal/virustotal.log`.
+
+## Troubleshooting
+
+If you suspect a problem, please first look at the virustotal connector logs found here:
+`/var/log/cb/integrations/virustotal/virustotal.log`
+(There might be multiple files as the logger "rolls over" when the log file hits a certain size).
+
+If you want to re-run the analysis across your binaries:
+
+1. Stop the service: `service cb-virustotal-connector stop`
+2. Remove the database file: `rm /usr/share/cb/integrations/virustotal/db/sqlite.db`
+3. Remove the feed from your Cb server's Threat Intelligence page
+4. Restart the service: `service cb-virustotal-connector start`
+
+## Contacting Carbon Black Developer Relations Support
+
+Web: https://community.carbonblack.com/groups/developer-relations
+E-mail: dev-support@bcarbonblack.com
+
+### Reporting Problems
+
+When you contact Carbon Black Developer Relations Technical Support with an issue, please provide the following:
+
+* Your name, company name, telephone number, and e-mail address
+* Product name/version, CB Server version, CB Sensor version
+* Hardware configuration of the Carbon Black Server or computer (processor, memory, and RAM)
+* For documentation issues, specify the version of the manual you are using.
+* Action causing the problem, error message returned, and event log output (as appropriate)
+* Problem severity
+
+#### Additional Configuration Options:
+By default, binaries which are already known by virustotal will not be resubmitted for rescanning.
+If this functionality is desired, the rescan_window option can be added to the configuration file 
+to set the window of time in which binaries are to be resubmitted for scanning.
+
+```
+;Window of time within which to rescan a submitted file
+;rescan_window=1D
+;FORMAT=%D%S
+;S=H,M,D,W = hours,minutes,days,weeks
+;NEVER= do not rescan binaries no matter how old the latest scan is
+rescan_window=365D
+```

cb-virustotal-connector.spec

@@ -0,0 +1,25 @@
+# -*- mode: python -*-
+a = Analysis(['scripts/cb-virustotal-connector'],
+             pathex=['.'],
+             hiddenimports=['unicodedata'],
+             datas=[ (HOMEPATH + '/cbapi/response/models/*', 'cbapi/response/models/'),
+                     (HOMEPATH + '/cbapi/protection/models/*', 'cbapi/protection/models/'),
+                     (HOMEPATH + '/cbapi/defense/models/*', 'cbapi/defense/models/') ],
+             hookspath=None,
+             runtime_hooks=None)
+pyz = PYZ(a.pure)
+exe = EXE(pyz,
+          a.scripts,
+          exclude_binaries=True,
+          name='cb-virustotal-connector',
+          debug=False,
+          strip=None,
+          upx=True,
+          console=True )
+coll = COLLECT(exe,
+               a.binaries,
+               a.zipfiles,
+               a.datas,
+               strip=None,
+               upx=True,
+               name='cb-virustotal-connector')

cbopensource/connectors/virustotal/__init__.py

@@ -0,0 +1 @@
+__version__ = '1.0'

cbopensource/connectors/virustotal/apiclient_virustotal.py

@@ -0,0 +1,60 @@
+#!/usr/bin/env python
+
+import logging
+import os
+
+log = logging.getLogger(__name__)
+
+
+class VirusTotalAnalysisClient(object):
+
+    def __init__(self, session=None, api_token=None, url=None,log_level=None):
+        self.session = session
+        self.api_token = api_token
+        self.url = url if url else "https://www.virustotal.com/vtapi/v2/file/"
+        log.setLevel(logging.INFO if not log_level else logging.DEBUG)
+
+    def submit_file(self, resource_hash=None, stream=None):
+        log.info("VTAnalysis: submit_file: hash = %s " % (resource_hash))
+        params = {"apikey": self.api_token}
+        file_name = None
+        if hasattr(stream, "name"):
+            log.info("submitting file: fs.name: %s" % stream.name)
+            file_name = os.path.basename(stream.name)
+        files = {'file': (file_name, open(file_name, 'rb'))} if file_name else {'file': (resource_hash, stream)}
+        response = self.session.post(self.url + 'scan', files=files, params=params)
+        log.debug("submit_file: response = %s" % response)
+        return response.json()
+
+    def rescan_hash(self, resource_hash):
+        log.info("rescan_hash: resource_hash = %s" % resource_hash)
+        params = {"apikey": self.api_token}
+        if resource_hash:
+            params["resource"] = resource_hash
+        else:
+            raise Exception("No resources provided")
+        headers = {
+            "Accept-Encoding": "gzip, deflate",
+            "User-Agent": "gzip,  My Python requests library example client or username"
+        }
+        response = self.session.post(self.url + "rescan", params=params, headers=headers)
+        log.debug("Rescan hash: response = %s" % response)
+        return response.json()
+
+    def get_report(self, resource_hash=None, batch=None):
+        log.info("get_report: resource_hash = %s" % resource_hash)
+        params = {"apikey": self.api_token}
+        if resource_hash:
+            params["resource"] = resource_hash
+        elif batch:
+            params['resource'] = ",".join(batch)
+        else:
+            raise Exception("No resources provided")
+        headers = {
+            "Accept-Encoding": "gzip, deflate",
+            "User-Agent": "gzip,  My Python requests library example client or username"
+        }
+        response = self.session.get(self.url + "report",
+                                    params=params, headers=headers)
+        log.debug("get_report: response = %s " % response)
+        return response.json()