Merge pull request #836 from TheHive-Project/feature/Forcepoint_Webse…

…nsePing

Add forcepoint websense ping Analyzer

analyzers/ForcepointWebsensePing/ForcepointWebsensePing.json

@@ -0,0 +1,172 @@
+{
+    "name":
+    "ForcepointWebsensePing",
+    "version":
+    "1.0",
+    "author":
+    "Andrea Garavaglia, Davide Arcuri - LDO-CERT",
+    "url":
+    "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license":
+    "AGPL-V3",
+    "description":
+    "Use ForcepointWebsensePing to determine which category a certain URL is assigned to.",
+    "dataTypeList": ["url", "ip", "domain", "fqdn"],
+    "command":
+    "ForcepointWebsensePing/forcepointwebsenseping.py",
+    "baseConfig":
+    "ForcepointWebsensePing",
+    "config": {
+        "service": "lookup"
+    },
+    "configurationItems": [{
+        "name":
+        "hostname",
+        "description":
+        "Forcepoint remote Filtering Service",
+        "type":
+        "string",
+        "multi":
+        false,
+        "required":
+        true
+    }, {
+        "name": "timeout",
+        "description": "WebsensePing timeout-secs",
+        "type": "number",
+        "multi": false,
+        "required": true,
+        "defaultValue": 10
+    }, {
+        "name": "path",
+        "description": "WebsensePing path",
+        "type": "string",
+        "multi": false,
+        "required": true,
+        "defaultValue": "/opt/Websense/bin"
+    }, {
+        "name":
+        "malicious_categories",
+        "description":
+        "List of Forcepoint categories to be considered as malicious",
+        "type":
+        "string",
+        "multi":
+        true,
+        "required":
+        true,
+        "defaultValue": [
+            "Dynamic DNS", "Elevated Exposure", "Emerging Exploits",
+            "Extended Protection", "Newly Registered Websites",
+            "Suspicious Content", "Advanced Malware Command and Control",
+            "Advanced Malware Payloads", "Botnets", "Bot Networks", 
+            "Compromised Websites", "Malicious Web Sites",
+            "Custom-Encrypted Uploads", "Files Containing Passwords",
+            "Keyloggers", "Malicious Embedded Link",
+            "Malicious Embedded Iframe", "Malicious Websites",
+            "Mobile Malware", "Phishing and Other Frauds",
+            "Potentially Exploited Documents", "Potentially Unwanted Software",
+            "Spyware", "Suspicious Embedded Link",
+            "Elevated Exposure  Newly Registered Websites",
+            "Unauthorized Mobile Marketplaces", "User-Defined"
+        ]
+    }, {
+        "name":
+        "suspicious_categories",
+        "description":
+        "List of Forcepoint categories you would consider as suspicious",
+        "type":
+        "string",
+        "multi":
+        true,
+        "required":
+        true,
+        "defaultValue": [
+            "Uncategorized", "Parked Domain", "Hacking", "Proxy Avoidance",
+            "Intolerance", "Abused Drugs", "Adult Content", "Adult Material",
+            "Advertisements", "Computer Security", "Drugs", "Dynamic Content",
+            "Illegal or Questionable", "Marijuana", "Militancy and Extremist",
+            "Network Errors", "Peer-to-Peer File Sharing",
+            "Personal Network Storage and Backup", "Private IP Addresses",
+            "Sex", "Tastelesstopics or to improper language", "Violence",
+            "Web and Email Spam", "Security"
+        ]
+    }, {
+        "name":
+        "safe_categories",
+        "description":
+        "List of Forcepoint categories you would consider as safe",
+        "type":
+        "string",
+        "multi":
+        true,
+        "required":
+        true,
+        "defaultValue": [
+            "Business and Economy", "Bandwidth", "Education", "Government",
+            "News and Media", "Productivity", "Religion",
+            "Society and Lifestyles", "Special Events",
+            "Information Technology", "Abortion", "Advocacy Groups",
+            "Entertainment", "Facebook Apps ", "Facebook Chat",
+            "Facebook Commenting", "Facebook Events", "Facebook Friends",
+            "Facebook Games", "Facebook Groups", "Facebook Mail",
+            "Facebook Photo Upload", "Facebook Posting", "Facebook Questions",
+            "Facebook Video Upload", "File Download Servers",
+            "LinkedIn Connections", "LinkedIn Jobs", "LinkedIn Mail",
+            "LinkedIn Updates", "Twitter Follow", "Twitter Mail",
+            "Twitter Posting", "YouTube Commenting", "YouTube Sharing",
+            "YouTube Video Upload", "Alternative Journals",
+            "Application and Software Download", "Blog Commenting",
+            "Blog Posting", "Blogs and Personal Sites", "Classified Posting",
+            "Social and Affiliation Organizations", "Social Networking",
+            "Social Organizations", "Social Web - Facebook",
+            "Social Web - LinkedIn", "Social Web - Twitter",
+            "Social Web - YouTube", "Social Web Controls - Various", "Sports",
+            "Entertainment Video", "Financial Data and Services",
+            "Instant Messaging", "Job Search", "Shopping", "Travel",
+            "Vehicles", "Search Engines and Portals", "Alcohol and Tobacco",
+            "Collaboration – Office", "Content Delivery Networks",
+            "Cultural Institutions", "Educational Institutions",
+            "Educational Materials", "Educational Video", "General Email",
+            "Health", "Hobbies", "Gay or Lesbian or Bisexual Interest",
+            "Gambling", "Games", "Hosted Business Applications",
+            "Internet Auctions", "Internet Communication",
+            "Internet Radio and TV", "Internet Telephony",
+            "Media File Download", "Message Boards and Forums",
+            "Non-Traditional Religion", "Nudity", "Nutrition", "Office - Apps",
+            "Office - Documents", "Office - Drive", "Office - Mail",
+            "Office Category used to manage the Office domain",
+            "Online Brokerage and Trading", "Organizational Email",
+            "Personals and Dating", "Pay-to-Surf", "Political Organizations",
+            "Prescribed Medications", "Pro-Choice", "Pro-Life",
+            "Professional and Worker Organizations", "Real Estate",
+            "Reference Materials", "Restaurants and Dining",
+            "Service and Philanthropic Organizations", "Sex Education",
+            "Lingerie and Swimsuit", "Sport Hunting and Gun Clubs",
+            "Streaming Media", "Surveillance", "Text and Media Messaging",
+            "Traditional Religions", "Viral Video", "Weapons", "Web Analytics",
+            "Web and Email Marketing", "Web Chat", "Web Collaboration",
+            "Web Hosting", "Web Images", "Web Infrastructure",
+            "Website Translation"
+        ]
+    }],
+    "registration_required":
+    true,
+    "subscription_required":
+    true,
+    "free_subscription":
+    false,
+    "service_homepage":
+    "https://www.forcepoint.com",
+    "service_logo": {
+        "path": "assets/forcepoint_logo.png",
+        "caption": "logo"
+    },
+    "screenshots": [{
+        "path": "assets/ForcepointWebsensePing_long.png",
+        "caption": "ForcepointWebsensePing long report sample"
+    }, {
+        "path": "assets/ForcepointWebsensePing_short.png",
+        "caption:": "ForcepointWebsensePing mini report sample"
+    }]
+}

analyzers/ForcepointWebsensePing/README.md

@@ -0,0 +1,8 @@
+ Categorize domain names, URL, fqdn, IP addresses using the popular  [Forcepoint Master Database](https://www.forcepoint.com/it/product/feature/master-database-url-categories) service .
+
+
+#### Requirements
+ You need a [valid Forcepoint license](https://support.forcepoint.com/KBArticle?id=000016428#WebsensePing/) to use the analyzer:
+
+- Install WebsensePing on instance where you will run this analyzer
+- Provide hostname of remote Filtering Service as a value for the `hostname` parameter and timeout as a value for the `timeout` parameter.

analyzers/ForcepointWebsensePing/forcepointwebsenseping.py

@@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+
+import subprocess
+from cortexutils.analyzer import Analyzer
+
+
+class WebsensePingAnalyzer(Analyzer):
+
+    def __init__(self):
+        Analyzer.__init__(self)
+        self.hostname = self.get_param('config.hostname', None)
+        self.timeout = self.get_param('config.timeout', None)
+        self.path = self.get_param('config.path', None)
+
+def summary(self, raw):
+    taxonomies = []
+    if raw.get('Categories', None):
+        value = raw['Categories']
+        if value in self.get_param('config.malicious_categories', []):
+            level = "malicious"
+        elif value in self.get_param('config.suspicious_categories', []):
+            level = "suspicious"
+        elif value in self.get_param('config.safe_categories', []):
+            level = "safe"
+        else:
+            level = "info"
+        taxonomies.append(self.build_taxonomy(level, "Forcepoint", "WebsensePing", value))
+    return {"taxonomies": taxonomies}
+
+    def run(self):
+        Analyzer.run(self)
+
+        if self.data_type in ("url", "ip", "domain","fqdn"):
+            data = self.get_param('data', None, 'Data is missing')
+            command = "export LD_LIBRARY_PATH={} && {}/WebsensePing -m 25 -url {} -s {} -t {}".format(self.path, self.path, data, self.hostname, self.timeout)
+            process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+            output = [line.decode('utf8') for line in process.stdout]
+            report = {k.strip():v.strip() for k,v in [x.split("=") for x in output if x.find("=") != -1]}
+            self.report(report)
+        else:
+            self.error('Invalid data type')
+
+
+if __name__ == '__main__':
+    WebsensePingAnalyzer().run()

analyzers/ForcepointWebsensePing/requirements.txt

@@ -0,0 +1 @@
+cortexutils

thehive-templates/ForcepointWebsensePing_1_0/short.html

@@ -0,0 +1,3 @@
+<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
+    {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+</span>