Skip to content

Added enhanced support for "Auto extraction" with observables for the emlparser analyzer #399

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
jeffrey-e wants to merge 8 commits into from
Closed

Added enhanced support for "Auto extraction" with observables for the emlparser analyzer #399

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
f944db9
Added support for enabling/disabling certificate validation
Nov 2, 2018
9e48bf3
Adjusted emlparser to enhance the "Auto Extract" feature of The Hive
Jan 2, 2019
90f4949
Merge branch 'master' of github.com:TheHive-Project/Cortex-Analyzers
Jan 2, 2019
0973b6c
Enhanced regexes
jeffrey-e Jan 3, 2019
f2e1f76
Added task based mail respondings
Feb 14, 2019
5fcf7e9
Revert "Added task based mail respondings"
Feb 18, 2019
fa18080
Adjusted code so that only analyzer specific regex are to be added
Feb 19, 2019
098d76f
Fixed some issues
Feb 19, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 38 additions & 1 deletion analyzers/EmlParser/parse.py
100755 → 100644
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,35 @@
import base64
from pprint import pprint

#Required for analyzer specific observable auto extraction
from cortexutils.extractor import Extractor
import re

class EnhancedExtractor(Extractor):

def __init__(self, ignore=None):
Extractor.__init__(self)
self.asregex = self.__init_analyzer_regex()

@staticmethod
def __init_analyzer_regex():

"""
Returns compiled regex list specifically for mail.

:return: List of {type, regex} dicts
:rtype: list
"""

### Mail Specific regexes
# Received from
as_regex = [{
'types': ['fqdn','fqdn'],
'regex': re.compile(r'from\s\[?([A-Za-z0-9\.\-]*)\]?.*?\sby\s\[?([A-Za-z0-9\.\-]*)\]?', re.MULTILINE)
}]

return as_regex

class EmlParserAnalyzer(Analyzer):

def __init__(self):
Expand Down Expand Up @@ -43,6 +72,14 @@ def summary(self, raw):

return {"taxonomies": taxonomies}

def artifacts(self, raw):
# Use the regex extractor, if auto_extract setting is not False
if self.auto_extract:
extractor = EnhancedExtractor(ignore=self.get_data())
return extractor.check_iterable(raw)

# Return empty list
return []

def parseEml(filepath):

Expand Down Expand Up @@ -119,4 +156,4 @@ def parseEml(filepath):
return result

if __name__ == '__main__':
EmlParserAnalyzer().run()
EmlParserAnalyzer().run()
1 change: 1 addition & 0 deletions analyzers/EmlParser/requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
cortexutils;python_version>='3.5'
eml_parser
python-magic
2 changes: 1 addition & 1 deletion analyzers/IBMXForce/IBMXForce_Lookup.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,4 +47,4 @@
"default": true
}
]
}
}
2 changes: 1 addition & 1 deletion analyzers/IBMXForce/ibmxforce_lookup.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -220,4 +220,4 @@ def run(self):


if __name__ == '__main__':
IBMXForceAnalyzer().run()
IBMXForceAnalyzer().run()