Merge pull request #3 from polyswarm/update/polyswarm-v2

Update PolySwarm API version 2.1.1
polyswarm · May 7, 2020 · a4703c7 · a4703c7
2 parents 96c7b9a + ebe1d5e
commit a4703c7
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 47 deletions.
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@
 
 * yum -y install python3.6
 * yum -y install python3-pip
-* pip3 install polyswarm-api==1.1.1
+* pip3 install polyswarm-api==2.1.1
 
 ## Install
 

diff --git a/integrations/custom-polyswarm.py b/integrations/custom-polyswarm.py
@@ -17,8 +17,10 @@
 
 try:
     from polyswarm_api.api import PolyswarmAPI
+    from polyswarm_api import get_version
+    from polyswarm_api import exceptions as api_exceptions
 except Exception as e:
-    Print.error('No module \'polyswarm_api\' found. Install: pip3 install polyswarm-api==v1.1.1')
+    Print.error('No module \'polyswarm_api\' found. Install: pip3 install polyswarm-api==v2.1.1')
     sys.exit(1)
 
 # ossec.conf configuration:
@@ -32,7 +34,7 @@
 # Global vars
 
 # grab metadata details and send to Manager
-OUTPUT_METADATA = False
+OUTPUT_METADATA = True
 
 # debug flag for logs
 DEBUG_ENABLED = False
@@ -123,64 +125,67 @@ def return_output(self):
     def search_hash(self, hash):
         try:
             Print.debug(f'PolySwarm Search Hash: {hash}')
+
             results = self.polyswarm_api.search(hash.lower().strip())
-            for search_result in results:
-                if search_result.failed:
-                    Print.debug(f'Failed to get result: {search_result.failure_reason}')
-                    return
 
-                for artifact in search_result.result:
-                    Print.debug('Got artifact results')
-                    self.alert_output['polyswarm']['found'] = 1
+            for artifact in results:
+                if artifact.failed:
+                    msg = 'Failed to get result.'
+                    Print.debug(msg)
+                    self.create_output('error', "1")
+                    self.create_output('description', msg)
+                    return
 
-                    # all assertion responses from engines
-                    all_assertions = artifact.last_scan.assertions
+                self.alert_output['polyswarm']['found'] = 1
 
-                    # malicious only assertions from engines
-                    malicious_detections = list(artifact.last_scan.detections)
-                    self.create_output('positives', len(malicious_detections))
+                if not artifact.assertions:
+                    msg = 'This artifact has not been scanned. Initiate a Scan on the artifact to get scan results."'
+                    Print.debug(msg)
+                    self.create_output('total', 0)
+                    self.create_output('positives', 0)
+                    self.create_output('description', msg)
+                    return
 
-                    # total engines asserting
-                    self.create_output('total', len(all_assertions))
+                Print.debug('Got artifact results')
 
-                    # a score between 0.0 and 1.0 indicating malintent
-                    self.create_output('polyscore', artifact.polyscore)
+                # all assertion responses from engines
+                all_assertions = artifact.assertions
 
-                    if malicious_detections:
-                        for assertion in all_assertions:
-                            # output only by malicious ones
-                            if assertion.verdict:
-                                self.create_output(f'microengine.{assertion.engine_name}.verdict', 'maliciuos')
-                                if assertion.metadata.get('malware_family'):
-                                    self.create_output(f'microengine.{assertion.engine_name}.malware_family',
-                                                       assertion.metadata.get('malware_family'))
+                # malicious only assertions from engines
+                malicious_detections = artifact.json['detections']['malicious']
+                self.create_output('positives', malicious_detections)
 
-                                self.alert_output['polyswarm']['malicious'] = 1
+                # total engines asserting
+                total = artifact.json['detections']['total']
+                self.create_output('total', total)
 
-                    if OUTPUT_METADATA:
-                        for h, h_val in artifact.metadata.hash.items():
-                            print(str(h), str(h_val))
-                            self.create_output(f'metadata.hash.{str(h)}', str(h_val))
+                # a score between 0.0 and 1.0 indicating malintent
+                self.create_output('polyscore', artifact.polyscore)
 
-                        for h, h_val in artifact.metadata.pefile.items():
-                            print(str(h), str(h_val))
-                            self.create_output(f'metadata.pefile.{str(h)}', str(h_val))
+                if malicious_detections:
+                    for assertion in all_assertions:
+                        # output only by malicious ones
+                        if assertion.verdict:
+                            self.create_output(f'microengine.{assertion.engine_name}.verdict', 'maliciuos')
+                            if assertion.metadata.get('malware_family'):
+                                self.create_output(f'microengine.{assertion.engine_name}.malware_family',
+                                                   assertion.metadata.get('malware_family'))
 
-                        for h, h_val in artifact.metadata.lief.items():
-                            print(str(h), str(h_val))
-                            self.create_output(f'metadata.lief.{str(h)}', str(h_val))
+                            self.alert_output['polyswarm']['malicious'] = 1
 
-                        for h, h_val in artifact.metadata.exiftool.items():
-                            print(str(h), str(h_val))
-                            self.create_output(f'metadata.exiftool.{str(h)}', str(h_val))
+                if OUTPUT_METADATA:
+                    for h, h_val in artifact.metadata.hash.items():
+                        self.create_output(f'metadata.hash.{str(h)}', str(h_val))
 
-                    self.create_output('sha1', artifact.sha1.hash)
-                    self.create_output('sha256', artifact.sha256.hash)
-                    self.create_output('md5', artifact.md5.hash)
-                    self.create_output('mimetype', artifact.mimetype)
-                    self.create_output('extended_type', artifact.extended_type)
-                    self.create_output('permalink', artifact.scan_permalink)
+                self.create_output('sha1', artifact.sha1)
+                self.create_output('sha256', artifact.sha256)
+                self.create_output('md5', artifact.md5)
+                self.create_output('mimetype', artifact.mimetype)
+                self.create_output('extended_type', artifact.extended_type)
+                self.create_output('permalink', artifact.permalink)
 
+        except api_exceptions.NoResultsException:
+            self.create_output('description', 'The request returned no results.')
 
         except Exception as e:
             self.create_output('error', "1")
@@ -195,6 +200,8 @@ def main(args):
 
     Print.debug('# PolySwarm Starting')
 
+    Print.debug(f'Polyswarm - API Version: {get_version()}')
+
     # Read args
     alert_file_location = args[1]
     apikey = args[2]

diff --git a/scripts/install.sh b/scripts/install.sh
@@ -13,4 +13,6 @@ if [ -n "${1}" ] && [ "${1}" == "restart" ]; then
     systemctl restart wazuh-api
 fi
 
+printf "* PolySwarm successfully installed.\n"
+
 #eof
diff --git a/test/events_samples/not_scanned_yet b/test/events_samples/not_scanned_yet
@@ -0,0 +1 @@
+{"timestamp":"2020-01-28T16:59:01.830+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"]},"agent":{"id":"006","name":"Win4","ip":"192.168.1.52"},"manager":{"name":"manager"},"id":"1580137141.224771","full_log":"File 'C:\\Users\\dev\\Desktop\\Wazuh\\fsdfadfsafsafa.txt' was added.\n","syscheck":{"path":"C:\\Users\\dev\\Desktop\\Wazuh\\fsdfadfsafsafa.txt","size_after":"0","perm_after":"100666","uid_after":"0","gid_after":"0","md5_after":"2bd85194dbc3c44e7368f32f8084a88f","sha1_after":"17530e35ed6291c93dc05868c91d82c6f48bc787","uname_after":"dev","event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}