diff --git a/analyzers/DomainMailSPFDMARC/assets/DomainMailSPFDMARC_long.png b/analyzers/DomainMailSPFDMARC/assets/DomainMailSPFDMARC_long.png
new file mode 100644
index 000000000..395b5f2c0
Binary files /dev/null and b/analyzers/DomainMailSPFDMARC/assets/DomainMailSPFDMARC_long.png differ
diff --git a/analyzers/DomainMailSPFDMARC/assets/DomainMailSPFDMARC_short.png b/analyzers/DomainMailSPFDMARC/assets/DomainMailSPFDMARC_short.png
new file mode 100644
index 000000000..2b89fb9c0
Binary files /dev/null and b/analyzers/DomainMailSPFDMARC/assets/DomainMailSPFDMARC_short.png differ
diff --git a/analyzers/DomainMailSPFDMARC/domainMailSPFDMARC.py b/analyzers/DomainMailSPFDMARC/domainMailSPFDMARC.py
new file mode 100755
index 000000000..517a2734b
--- /dev/null
+++ b/analyzers/DomainMailSPFDMARC/domainMailSPFDMARC.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*
+
+from cortexutils.analyzer import Analyzer
+
+import checkdmarc
+
+class DomainMailSPFDMARC(Analyzer):
+ def __init__(self):
+ Analyzer.__init__(self)
+ self.name = "DomainMailSPFDMARC"
+
+ def summary(self, raw):
+ taxonomies = []
+ namespace = "DomainMailSPF_DMARC"
+
+ if 'error' in raw['DomainMailSPFDMARC']['dmarc']:
+ if 'error' in raw['DomainMailSPFDMARC']['spf']:
+ taxonomies.append(self.build_taxonomy("malicious", namespace,"DMARC","no"))
+ taxonomies.append(self.build_taxonomy("malicious", namespace,"SPF","no"))
+ else:
+ taxonomies.append(self.build_taxonomy("safe", namespace,"SPF","yes"))
+ taxonomies.append(self.build_taxonomy("suspicious", namespace,"DMARC","no"))
+ else:
+ if 'error' in raw['DomainMailSPFDMARC']['spf']:
+ taxonomies.append(self.build_taxonomy("suspicious", namespace,"SPF","no"))
+ taxonomies.append(self.build_taxonomy("safe", namespace,"DMARC","yes"))
+ else:
+ taxonomies.append(self.build_taxonomy("safe", namespace,"SPF","yes"))
+ taxonomies.append(self.build_taxonomy("safe", namespace,"DMARC","yes"))
+
+ return {'taxonomies': taxonomies}
+
+ def get_info(self, data):
+ try:
+ result = checkdmarc.check_domains(data.split())
+ except Exception as e :
+ self.error(e)
+ return {"DomainMailSPFDMARC": dict(result)}
+
+ def run(self):
+ if self.data_type == 'domain' or self.data_type == 'fqdn':
+ self.report(self.get_info(self.get_data()))
+ else:
+ self.error('Data type not supported. Please use this analyzer with data types domain or fqdn.')
+
+if __name__ == '__main__':
+ DomainMailSPFDMARC().run()
diff --git a/analyzers/DomainMailSPFDMARC/domainMailSPFDMARC_get_reports.json b/analyzers/DomainMailSPFDMARC/domainMailSPFDMARC_get_reports.json
new file mode 100644
index 000000000..867bf048b
--- /dev/null
+++ b/analyzers/DomainMailSPFDMARC/domainMailSPFDMARC_get_reports.json
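Review bot: `summary` rates the observable `malicious` when it has neither an SPF nor a DMARC record and `safe` when both resolve; a missing record is a mail-authentication weakness of the domain, not evidence that the domain is hostile, and a phishing domain can publish perfectly valid SPF and DMARC, so these levels will mislead triage and any automation keyed on the taxonomy level. Use `suspicious` (or `info`) for absent records and `info` rather than `safe` for present ones, e.g. `taxonomies.append(self.build_taxonomy("suspicious", namespace, "DMARC", "no"))` on the two `malicious` lines. In `get_info`, `self.error(e)` hands the exception object to the error report; `self.error(str(e))` gives it a message regardless of how `Analyzer.error` serialises its argument, and a narrower `except` than bare `Exception` would keep DNS timeouts distinguishable from code failures. `data.split()` can pass several domains to `check_domains`, while `summary` indexes `raw['DomainMailSPFDMARC']['dmarc']` as a single-domain result; passing `[data.strip()]` keeps the result shape the rest of the analyzer assumes.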
@@ -0,0 +1,30 @@
+{
+ "name": "DomainMailSPFDMARC_Analyzer",
+ "version": "1.1",
+ "url":"https://thehive-project.org",
+ "author": "torsolaso",
+ "license": "AGPL-V3",
+ "description": "DomainMailSPFDMARC",
+ "dataTypeList": ["domain", "fqdn"],
+ "command": "DomainMailSPFDMARC/domainMailSPFDMARC.py",
+ "baseConfig": "DomainMailSPFDMARC",
+ "config": {
+ "service": "get"
+ },
+ "configurationItems": [
+ ],
+ "registration_required": false,
+ "subscription_required": false,
+ "free_subscription": false,
+ "screenshots": [
+ {
+ "path": "assets/DomainMailSPFDMARC_long.png",
+ "caption": "DomainMailSPFDMARC long report sample"
+ },
+ {
+ "path": "assets/DomainMailSPFDMARC_short.png",
+ "caption:": "DomainMailSPFDMARC mini report sample"
+ }
+ ]
+}
+
diff --git a/analyzers/DomainMailSPFDMARC/requirements.txt b/analyzers/DomainMailSPFDMARC/requirements.txt
new file mode 100644
index 000000000..ec20509fb
--- /dev/null
+++ b/analyzers/DomainMailSPFDMARC/requirements.txt
@@ -0,0 +1 @@
+checkdmarc
diff --git a/thehive-templates/DomainMailSPFDMARC_1_1/long.html b/thehive-templates/DomainMailSPFDMARC_1_1/long.html
new file mode 100644
index 000000000..f09bf4f39
--- /dev/null
+++ b/thehive-templates/DomainMailSPFDMARC_1_1/long.html
@@ -0,0 +1,105 @@
+
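Review bot: The second `screenshots` entry in `domainMailSPFDMARC_get_reports.json` uses the key `"caption:"` (colon inside the quotes) where the first entry uses `"caption"`, so the mini-report caption will not be read alongside the other one; change the line to `"caption": "DomainMailSPFDMARC mini report sample"`. `"description": "DomainMailSPFDMARC"` only repeats the name; a short sentence saying that the analyzer looks up a domain's SPF and DMARC records via checkdmarc would help users picking it in Cortex.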
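Review bot: `requirements.txt` adds `checkdmarc` with no version constraint, so every build of the analyzer installs whatever the package index serves that day, and the result shape that `get_info` and `summary` rely on can change underneath the code. Pin the dependency, e.g. `checkdmarc==<PINNED_VERSION>` (placeholder; use the version the analyzer was tested against), as a reproducibility and supply-chain control.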
+
+ DomainMailSPF_DMARC information for {{artifact.data}} +
+
+
+
+
Domain
+
{{content.DomainMailSPFDMARC.domain}}
+
+
+
Base domain
+
{{content.DomainMailSPFDMARC.base_domain}}
+
+
+
dnssec
+
{{content.DomainMailSPFDMARC.dnssec}}
+
+
+
[NS] Hostnames
+
{{content.DomainMailSPFDMARC.ns.hostnames.join(', ') }}
+
+
+
[NS] Warnings
+
{{content.DomainMailSPFDMARC.ns.warnings.join('\n') }}
+
+ +
+
[MX] Hosts
+
{{content.DomainMailSPFDMARC.mx.hosts.join(', ') }}
+
+
+
[MX] Warnings
+
{{content.DomainMailSPFDMARC.mx.warnings.join('\n')}}
+
+
+
+
+
+
+ SPF +
+
+
+
+
Record
+
{{content.DomainMailSPFDMARC.spf.record}}
+
+
+
Valid
+
{{content.DomainMailSPFDMARC.spf.valid}}
+
+
+
Error
+
{{content.DomainMailSPFDMARC.spf.error}}
+
+
+
+
+
+
+ DMARK +
+
+
+

Info

+
+
Record
+
{{content.DomainMailSPFDMARC.dmarc.record}}
+
+
+
Valid
+
{{content.DomainMailSPFDMARC.dmarc.valid}}
+
+
+
Error
+
{{content.DomainMailSPFDMARC.dmarc.error}}
+
+
+
Location
+
{{content.DomainMailSPFDMARC.dmarc.location}}
+
+
+
Warnings
+
{{content.DomainMailSPFDMARC.dmarc.warnings.join('\n')}}
+
+
+

Tags

+
+
{{tag}}
+
{{value.value}} [Explicit]
+
+
+
+
+ + +
+
+ {{artifact.data | fang}} +
+
+ {{content.errorMessage}} +
+
+
diff --git a/thehive-templates/DomainMailSPFDMARC_1_1/short.html b/thehive-templates/DomainMailSPFDMARC_1_1/short.html
new file mode 100755
index 000000000..5fc0dabfb
--- /dev/null
+++ b/thehive-templates/DomainMailSPFDMARC_1_1/short.html
@@ -0,0 +1,3 @@
+
+ {{t.namespace}}:{{t.predicate}}="{{t.value}}"
+
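Review bot: The section heading in `long.html` reads `DMARK` while the analyzer, the taxonomy and the fields rendered under it all say DMARC; change the heading text to `DMARC`. The template's markup is stripped in this view, so the enclosing element cannot be quoted here.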