Merge pull request #1411 from TheHive-Project/abuseipdb-improvements

AbuseIPDB - Report Responder & improvements

Author: nusantara-self

analyzers/AbuseIPDB/abuseipdb.py

@@ -59,6 +59,7 @@ def run(self):
                     "Accept": "application/json",
                     "Content-Type": "application/x-www-form-urlencoded",
                     "Key": "%s" % api_key,
+                    "User-Agent": "strangebee-thehive/1.0",
                 }
                 params = {
                     "maxAgeInDays": days_to_check,
@@ -172,7 +173,7 @@ def summary(self, raw):
         if "abuseConfidenceScore" in data:
             score = int(data.get("abuseConfidenceScore") or 0)
             level = (
-                "malicious" if score >= 80 else ("suspicious" if score > 0 else "safe")
+                "malicious" if score >= 75 else ("suspicious" if score > 0 else "safe")
             )
             taxonomies.append(
                 self.build_taxonomy(level, "AbuseIPDB", "Abuse Confidence Score", score)

responders/AbuseIPDB/AbuseIPDB_Report.json

@@ -0,0 +1,47 @@
+{
+    "name": "AbuseIPDB_Report",
+    "version": "1.0",
+    "author": "Fabien Bloume, StrangeBee",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Report an IP address to AbuseIPDB for abuse tracking and community sharing. Please, make sure to use the correct category in your Cortex responder configuration.",
+    "dataTypeList": ["thehive:case_artifact"],
+    "command": "AbuseIPDB/abuseipdb_responder.py",
+    "baseConfig": "AbuseIPDB",
+    "config": {
+        "service": "report"
+    },
+    "configurationItems": [
+        {
+            "name": "key",
+            "description": "API key for AbuseIPDB",
+            "type": "string",
+            "multi": false,
+            "required": true
+        },
+        {
+            "name": "categories",
+            "description": "Select one or more abuse categories: DNS Compromise, DNS Poisoning, Fraud Orders, DDoS Attack, FTP Brute-Force, Ping of Death, Phishing, Fraud VoIP, Open Proxy, Web Spam, Email Spam, Blog Spam, VPN IP, Port Scan, Hacking, SQL Injection, Spoofing, Brute Force, Bad Web Bot, Exploited Host, Web App Attack, SSH, IoT Targeted",
+            "type": "string",
+            "multi": true,
+            "required": true,
+            "defaultValue": ["Hacking"]
+        },
+        {
+            "name": "comment",
+            "description": "Optional comment describing the abuse (max 1024 characters)",
+            "type": "string",
+            "multi": false,
+            "required": false
+        }
+    ],
+    "registration_required": true,
+    "subscription_required": true,
+    "free_subscription": true,
+    "integration_type": "external_api",
+    "service_homepage": "https://www.abuseipdb.com/",
+    "service_logo": {
+        "path": "assets/abuseipdb.png",
+        "caption": "AbuseIPDB logo"
+    }
+}

responders/AbuseIPDB/README.md

@@ -0,0 +1,19 @@
+# AbuseIPDB Responder
+
+Reports IP addresses to AbuseIPDB.
+
+## Configuration
+
+- **key**: Your AbuseIPDB API key
+- **categories**: One or more categories (see below)
+- **comment**: Optional comment (max 1024 chars)
+
+### Categories
+
+DNS Compromise, DNS Poisoning, Fraud Orders, DDoS Attack, FTP Brute-Force, Ping of Death, Phishing, Fraud VoIP, Open Proxy, Web Spam, Email Spam, Blog Spam, VPN IP, Port Scan, Hacking, SQL Injection, Spoofing, Brute Force, Bad Web Bot, Exploited Host, Web App Attack, SSH, IoT Targeted
+
+## Before you use this
+
+Everytime you run it, configure the responder in Cortex with the correct categories **before** running it from TheHive. Categories cannot be changed at runtime, as of today.
+
+Wrong categories = bad data in AbuseIPDB. Always validate Cortex configuration before using.

responders/AbuseIPDB/abuseipdb_responder.py

@@ -0,0 +1,149 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+import requests
+from cortexutils.responder import Responder
+
+
+class AbuseIPDBResponder(Responder):
+    """
+    AbuseIPDB Responder - Report malicious IP addresses to AbuseIPDB
+    API documentation: https://docs.abuseipdb.com/#report-endpoint
+    """
+
+    # Mapping from category ID to name (for display)
+    CATEGORIES = {
+        "1": "DNS Compromise",
+        "2": "DNS Poisoning",
+        "3": "Fraud Orders",
+        "4": "DDoS Attack",
+        "5": "FTP Brute-Force",
+        "6": "Ping of Death",
+        "7": "Phishing",
+        "8": "Fraud VoIP",
+        "9": "Open Proxy",
+        "10": "Web Spam",
+        "11": "Email Spam",
+        "12": "Blog Spam",
+        "13": "VPN IP",
+        "14": "Port Scan",
+        "15": "Hacking",
+        "16": "SQL Injection",
+        "17": "Spoofing",
+        "18": "Brute Force",
+        "19": "Bad Web Bot",
+        "20": "Exploited Host",
+        "21": "Web App Attack",
+        "22": "SSH",
+        "23": "IoT Targeted",
+    }
+
+    # Reverse mapping from category name to ID (for API calls)
+    CATEGORY_NAME_TO_ID = {name: id for id, name in CATEGORIES.items()}
+
+    def __init__(self):
+        Responder.__init__(self)
+        self.api_key = self.get_param("config.key", None, "Missing AbuseIPDB API key")
+        self.categories = self.get_param("config.categories", ["Brute Force"])
+        self.comment = self.get_param("config.comment", "")
+        self.service = self.get_param("config.service", "report")
+
+    def run(self):
+        Responder.run(self)
+
+        if self.service == "report":
+            self.report_ip()
+        else:
+            self.error(f"Unknown service: {self.service}")
+
+    def report_ip(self):
+        """Report an IP address to AbuseIPDB"""
+        data_type = self.get_param("data.dataType", None)
+
+        if data_type != "ip":
+            self.error("This responder only supports IP addresses")
+            return
+
+        ip_address = self.get_param("data.data", None, "No IP address provided")
+
+        # Ensure categories is a list
+        category_list = self.categories if isinstance(self.categories, list) else [self.categories]
+
+        # Validate and translate category names to IDs
+        category_ids = []
+        invalid_categories = []
+        for cat_name in category_list:
+            cat_name = cat_name.strip()
+            if cat_name in self.CATEGORY_NAME_TO_ID:
+                category_ids.append(self.CATEGORY_NAME_TO_ID[cat_name])
+            else:
+                invalid_categories.append(cat_name)
+
+        if invalid_categories:
+            valid_names = ", ".join(self.CATEGORY_NAME_TO_ID.keys())
+            self.error(f"Invalid category names: {', '.join(invalid_categories)}. Valid categories are: {valid_names}")
+            return
+
+        if not category_ids:
+            self.error("At least one category must be specified")
+            return
+
+        # Convert category IDs to comma-separated string for API
+        categories_str = ",".join(category_ids)
+
+        # Prepare the API request
+        url = "https://api.abuseipdb.com/api/v2/report"
+        headers = {
+            "Accept": "application/json",
+            "Key": self.api_key,
+            "User-Agent": "strangebee-thehive/1.0",
+        }
+        payload = {
+            "ip": ip_address,
+            "categories": categories_str,
+        }
+
+        if self.comment:
+            # Truncate comment to 1024 characters as per API limit
+            payload["comment"] = self.comment[:1024]
+
+        try:
+            response = requests.post(url, headers=headers, data=payload)
+
+            if response.status_code == 200:
+                result = response.json()
+                data = result.get("data", {})
+
+                self.report({
+                    "success": True,
+                    "message": f"IP {ip_address} reported successfully to AbuseIPDB",
+                    "ip_address": data.get("ipAddress", ip_address),
+                    "abuse_confidence_score": data.get("abuseConfidenceScore"),
+                    "categories_reported": category_list,
+                })
+            elif response.status_code == 422:
+                # Validation error from API
+                error_detail = response.json().get("errors", [{}])[0].get("detail", "Validation error")
+                self.error(f"AbuseIPDB validation error: {error_detail}")
+            elif response.status_code == 429:
+                self.error("AbuseIPDB rate limit exceeded. Please try again later.")
+            elif response.status_code == 401:
+                self.error("Invalid AbuseIPDB API key")
+            else:
+                self.error(f"AbuseIPDB API error (HTTP {response.status_code}): {response.text}")
+
+        except requests.exceptions.RequestException as e:
+            self.error(f"Network error while contacting AbuseIPDB: {str(e)}")
+
+    def operations(self, raw):
+        """Add a tag to the artifact after successful reporting"""
+        operations = []
+        if raw.get("success"):
+            operations.append(
+                self.build_operation("AddTagToArtifact", tag="AbuseIPDB:reported")
+            )
+        return operations
+
+
+if __name__ == "__main__":
+    AbuseIPDBResponder().run()

responders/AbuseIPDB/requirements.txt

@@ -0,0 +1,2 @@
+cortexutils
+requests

thehive-templates/AbuseIPDB_1_1/long.html

@@ -9,6 +9,7 @@
                     'fa-check-circle': content.values[0].data.abuseConfidenceScore < 1}"></i>
 			AbuseIPDB Verdict:
 			<strong>{{content.values[0].data.ipAddress}}</strong>
+			<a ng-href="https://www.abuseipdb.com/check/{{content.values[0].data.ipAddress}}" target="_blank" title="View on AbuseIPDB" style="margin-left:6px;"><i class="fa fa-external-link"></i></a>
 
 			<span class="pull-right">
 				<!-- compact context badges, subtle but handy -->