diff --git a/README.md b/README.md
index 075e8f3..6e74ba0 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
 * yum -y install python3.6
 * yum -y install python3-pip
-* pip3 install polyswarm-api==1.1.1
+* pip3 install polyswarm-api==2.1.1
 ## Install
diff --git a/integrations/custom-polyswarm.py b/integrations/custom-polyswarm.py
index 48220d0..a99f184 100755
--- a/integrations/custom-polyswarm.py
+++ b/integrations/custom-polyswarm.py
@@ -17,8 +17,10 @@
 try:
 from polyswarm_api.api import PolyswarmAPI
+ from polyswarm_api import get_version
+ from polyswarm_api import exceptions as api_exceptions
 except Exception as e:
- Print.error('No module \'polyswarm_api\' found. Install: pip3 install polyswarm-api==v1.1.1')
+ Print.error('No module \'polyswarm_api\' found. Install: pip3 install polyswarm-api==v2.1.1')
 sys.exit(1)
 # ossec.conf configuration:
@@ -32,7 +34,7 @@
 # Global vars
 # grab metadata details and send to Manager
-OUTPUT_METADATA = False
+OUTPUT_METADATA = True
 # debug flag for logs
 DEBUG_ENABLED = False
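Review bot: The `except Exception as e:` around the extended import block still reports only "No module 'polyswarm_api' found" and discards `e`, so any other failure — including an ImportError for `get_version` or `exceptions` from a mismatched polyswarm-api install, which the 1.x→2.x pin change makes more likely on hosts that were not upgraded — is misreported as a missing module. Surfacing the exception text keeps the install hint while showing the real cause: `Print.error(f'Cannot import polyswarm_api ({e}). Install: pip3 install polyswarm-api==v2.1.1')`. Narrowing the clause to `except ImportError as e:` would additionally stop unrelated errors raised while importing the package from being masked behind the same message. The try block begins inside the hunk; what precedes it in the file is not visible here.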
@@ -123,64 +125,67 @@ def return_output(self):
 def search_hash(self, hash):
 try:
 Print.debug(f'PolySwarm Search Hash: {hash}')
+
 results = self.polyswarm_api.search(hash.lower().strip())
- for search_result in results:
- if search_result.failed:
- Print.debug(f'Failed to get result: {search_result.failure_reason}')
- return
- for artifact in search_result.result:
- Print.debug('Got artifact results')
- self.alert_output['polyswarm']['found'] = 1
+ for artifact in results:
+ if artifact.failed:
+ msg = 'Failed to get result.'
+ Print.debug(msg)
+ self.create_output('error', "1")
+ self.create_output('description', msg)
+ return
- # all assertion responses from engines
- all_assertions = artifact.last_scan.assertions
+ self.alert_output['polyswarm']['found'] = 1
- # malicious only assertions from engines
- malicious_detections = list(artifact.last_scan.detections)
- self.create_output('positives', len(malicious_detections))
+ if not artifact.assertions:
+ msg = 'This artifact has not been scanned. Initiate a Scan on the artifact to get scan results."'
+ Print.debug(msg)
+ self.create_output('total', 0)
+ self.create_output('positives', 0)
+ self.create_output('description', msg)
+ return
- # total engines asserting
- self.create_output('total', len(all_assertions))
+ Print.debug('Got artifact results')
- # a score between 0.0 and 1.0 indicating malintent
- self.create_output('polyscore', artifact.polyscore)
+ # all assertion responses from engines
+ all_assertions = artifact.assertions
- if malicious_detections:
- for assertion in all_assertions:
- # output only by malicious ones
- if assertion.verdict:
- self.create_output(f'microengine.{assertion.engine_name}.verdict', 'maliciuos')
- if assertion.metadata.get('malware_family'):
- self.create_output(f'microengine.{assertion.engine_name}.malware_family',
- assertion.metadata.get('malware_family'))
+ # malicious only assertions from engines
+ malicious_detections = artifact.json['detections']['malicious']
+ self.create_output('positives', malicious_detections)
- self.alert_output['polyswarm']['malicious'] = 1
+ # total engines asserting
+ total = artifact.json['detections']['total']
+ self.create_output('total', total)
- if OUTPUT_METADATA:
- for h, h_val in artifact.metadata.hash.items():
- print(str(h), str(h_val))
- self.create_output(f'metadata.hash.{str(h)}', str(h_val))
+ # a score between 0.0 and 1.0 indicating malintent
+ self.create_output('polyscore', artifact.polyscore)
- for h, h_val in artifact.metadata.pefile.items():
- print(str(h), str(h_val))
- self.create_output(f'metadata.pefile.{str(h)}', str(h_val))
+ if malicious_detections:
+ for assertion in all_assertions:
+ # output only by malicious ones
+ if assertion.verdict:
+ self.create_output(f'microengine.{assertion.engine_name}.verdict', 'maliciuos')
+ if assertion.metadata.get('malware_family'):
+ self.create_output(f'microengine.{assertion.engine_name}.malware_family',
+ assertion.metadata.get('malware_family'))
- for h, h_val in artifact.metadata.lief.items():
- print(str(h), str(h_val))
- self.create_output(f'metadata.lief.{str(h)}', str(h_val))
+ self.alert_output['polyswarm']['malicious'] = 1
- for h, h_val in artifact.metadata.exiftool.items():
- print(str(h), str(h_val))
- self.create_output(f'metadata.exiftool.{str(h)}', str(h_val))
+ if OUTPUT_METADATA:
+ for h, h_val in artifact.metadata.hash.items():
+ self.create_output(f'metadata.hash.{str(h)}', str(h_val))
- self.create_output('sha1', artifact.sha1.hash)
- self.create_output('sha256', artifact.sha256.hash)
- self.create_output('md5', artifact.md5.hash)
- self.create_output('mimetype', artifact.mimetype)
- self.create_output('extended_type', artifact.extended_type)
- self.create_output('permalink', artifact.scan_permalink)
+ self.create_output('sha1', artifact.sha1)
+ self.create_output('sha256', artifact.sha256)
+ self.create_output('md5', artifact.md5)
+ self.create_output('mimetype', artifact.mimetype)
+ self.create_output('extended_type', artifact.extended_type)
+ self.create_output('permalink', artifact.permalink)
+ except api_exceptions.NoResultsException:
+ self.create_output('description', 'The request returned no results.')
 except Exception as e:
 self.create_output('error', "1")
@@ -195,6 +200,8 @@ def main(args):
 Print.debug('# PolySwarm Starting')
+ Print.debug(f'Polyswarm - API Version: {get_version()}')
+
 # Read args
 alert_file_location = args[1]
 apikey = args[2]
diff --git a/scripts/install.sh b/scripts/install.sh
index 6ccc6c3..5f665d5 100644
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -13,4 +13,6 @@ if [ -n "${1}" ] && [ "${1}" == "restart" ]; then
 systemctl restart wazuh-api
 fi
+printf "* PolySwarm successfully installed.\n"
+
 #eof
diff --git a/test/events_samples/not_scanned_yet b/test/events_samples/not_scanned_yet
new file mode 100644
index 0000000..fed24fd
--- /dev/null
+++ b/test/events_samples/not_scanned_yet
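Review bot: Two of the strings the rewritten search_hash emits contain typos that matter for anything matching on the alert fields: the not-scanned message has a stray double quote before its closing quote, `msg = 'This artifact has not been scanned. Initiate a Scan on the artifact to get scan results.'`, and the per-engine verdict value is still spelled `'maliciuos'` (carried over from the removed lines), so a Wazuh rule looking for `microengine.<engine>.verdict` equal to `malicious` never fires; `self.create_output(f'microengine.{assertion.engine_name}.verdict', 'malicious')`. The new `artifact.json['detections']['malicious']` and `['total']` lookups are hard-indexed, so a response lacking those keys drops into the trailing `except Exception` handler, which sets `error` to 1 but records no description; `artifact.json.get('detections', {}).get('malicious', 0)` (and likewise for `total`) would keep the alert informative, or at minimum the handler should put `str(e)` into a description field. The body of the final `except Exception as e:` may continue past the end of the hunk.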
@@ -0,0 +1 @@
+{"timestamp":"2020-01-28T16:59:01.830+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"]},"agent":{"id":"006","name":"Win4","ip":"192.168.1.52"},"manager":{"name":"manager"},"id":"1580137141.224771","full_log":"File 'C:\\Users\\dev\\Desktop\\Wazuh\\fsdfadfsafsafa.txt' was added.\n","syscheck":{"path":"C:\\Users\\dev\\Desktop\\Wazuh\\fsdfadfsafsafa.txt","size_after":"0","perm_after":"100666","uid_after":"0","gid_after":"0","md5_after":"2bd85194dbc3c44e7368f32f8084a88f","sha1_after":"17530e35ed6291c93dc05868c91d82c6f48bc787","uname_after":"dev","event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}