Created
April 21, 2017 15:31
-
-
Save garanews/0b322eb497e11216720763af17579bb1 to your computer and use it in GitHub Desktop.
cuckoo cortex analyzer
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # encoding: utf-8 | |
| from cortexutils.analyzer import Analyzer | |
| import requests | |
| import time | |
| class CuckooSandboxAnalyzer(Analyzer): | |
| def __init__(self): | |
| Analyzer.__init__(self) | |
| self.service = self.getParam('config.service', None, 'CuckooSandbox service is missing') | |
| self.url = self.getParam('config.url', None, 'CuckooSandbox url is missing') | |
| #self.analysistimeout = self.getParam('config.analysistimeout', 30*60, None) | |
| #self.networktimeout = self.getParam('config.networktimeout', 30, None) | |
| def summary(self, raw): | |
| result = { | |
| 'service': self.service, | |
| 'dataType': self.data_type | |
| } | |
| result.update(raw['detection']) | |
| return result | |
| def run(self): | |
| Analyzer.run(self) | |
| try: | |
| # file analysis | |
| if self.service in ['file_analysis_inet', 'file_analysis_noinet']: | |
| filepath = self.getParam('file', None, 'File is missing') | |
| with open(filepath, "rb") as sample: | |
| files = {"file": ("temp_file_name", sample)} | |
| response = requests.post(self.url + 'tasks/create/file', files=files) | |
| task_id = response.json()['task_ids'] | |
| # url analysis | |
| elif self.service == 'url_analysis': | |
| data = {"url": self.getData()} | |
| response = requests.post(self.url + 'tasks/create/url', data=data) | |
| task_id = response.json()['task_id'] | |
| else: | |
| self.error('Unknown CuckooSandbox service') | |
| finished = False | |
| tries = 0 | |
| while not finished and tries <= 5: # 5 minuti di tentativo | |
| time.sleep(60) | |
| response = requests.get(self.url + 'tasks/view/' + str(task_id)) | |
| content = response.json()['task']['status'] | |
| if content == 'completed': | |
| finished = True | |
| tries += 1 | |
| if not finished: | |
| self.error('CuckooSandbox analysis timed out') | |
| # Download the report | |
| response = requests.get(self.url + 'tasks/report/' + str(task_id) + '/json') | |
| #analysis['htmlrepoon()t'] = self.url + 'analysis/' + str(task_id) | |
| #analysis['pdfreport'] = self.url + 'filereport/' + str(analysis['id']) + '/0/pdf' | |
| self.report({'mail_score': response.json()['malscore']}) | |
| except Exception as e: | |
| self.unexpectedError(e) | |
| if __name__ == '__main__': | |
| CuckooSandboxAnalyzer().run() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment