Thanks to the invaluable contributions of our growing and thriving user community, Cortex has now 6 more analyzers, bringing the total to 21. The new analyzers, released under our usual AGPL v3 license, are:
- CIRCLPassiveDNS
- CIRCLPassiveSSL
- GoogleSafebrowsing
- Nessus
- Virusshare
- Yara
All but one have been submitted by Nils Kuhnert of CERT-Bund. The Nessus analyzer has been contributed by our long-time friend Guillaume Rousse.
Cortexutils 1.1.0
While reviewing the submissions, we realized that a new version of the Cortexutils library was needed in order to support both Python 2 and 3. Hence we released version 1.1.0. You can grab it through PIP. To update your existing installation, please run the following command:
sudo pip install cortexutils --upgrade
Note that Cortexutils 1.1.0 is required to benefit from these analyzers and future ones. If you are performing a fresh Cortex installation, follow the guide.
Installation
To install the new analyzers, grab the Cortex-Analyzers repository and unpack its content (or git pull the master branch) in your existing /path/to/cortex-analyzers. Then follow the Cortex analyzers guide.
New Short and Long Report Templates for TheHive
Short and long reports for TheHive were also created to parse and display the results produced by the new analyzers. We also bundled in the new package a URL analysis template for Joe Sandbox which was missing and improved some of the older short templates in order to follow a taxonomy.
To import the new report templates in your instance of TheHive:
- download the updated package
- log in TheHive using an administrator account
- go to
Admin>Report templatesmenu - click on
Import templatesbutton and select the downloaded package
CIRCLPassiveDNS
The CIRCLPassiveDNS analyzer lets you check the CIRCL’s Passive DNS service for a given domain. It takes domains and URLs as input. Access to the service is allowed to trusted partners in Luxembourg and abroad. If you think you qualify, please contact the good CIRCL folks. To make it work, you’ll need the pypdns Python library.
In order to take advantage of CIRCLPassiveDNS, you need to add the following section to the Cortex configuration file (application.conf):
CIRCLPassiveDNS {
user=""
password=""
}
When called from TheHive, the following output is produced:
CIRCLPassiveSSL
The CIRCLPassiveSSL analyzer lets you check CIRCL’s Passive SSL service for a given IP address or certificate hash. Access to the service is restricted to partners and security researchers worldwide. If you think you qualify, please contact the good CIRCL folks. This analyzer needs the pypssl Python library to work properly.
To use it, please add the following section to the Cortex configuration file (application.conf):
CIRCLPassiveSSL {
user=""
password=""
}
When called from TheHive, the following output is produced:
GoogleSafebrowsing
This analyzer lets you check URLs and domains against Google Safe Browsing. You need an API key to use it.
To leverage GoogleSafebrowsing, add the following section to Cortex’ configuration file:
GoogleSafebrowsing { key="" }
When you run the analyzer fromTheHive, you should see output similar to the samples below:
Nessus
The Nessus analyzer lets you leverage Tenable’s Nessus Vulnerability Scanner to scan an IP address or a FQDN. Of course, you must not scan assets that do not belong to you, unless you really know what you are doing. That’s why safeguards were built in the analyzer’s configuration:
Nessus {
url="<https://url.to.scanner>"
login=""
password=""
policy=""
ca_bundle=""
allowed_networks=[ 'x.y.z.t/8', 'a.b.c.d/24', ... ]
The nessrest Python library is needed to make REST API calls to Nessus. Analysts would use the analyzer to assess the vulnerabilities of potentially compromised machines or new, unknown assets that have been plugged into one of their constituency’s networks. Of course, penetration testers conducting large-scale reconnaissance can also benefit from this analyzer.
Virusshare
The Virusshare analyzer lets you verify whether a file or hash is available on VirusShare.com. It requires the progressbar2 Python library besides requests (which should be already installed if you have an existing Cortex installation). As stated by Nils:
This analyzer enables searching for md5 hashes in Virusshare.com hash list. It does not download samples for you nor links directly to the sample – the author of virusshare prohibits the automatic download/site scraping and I respect that. It provides a button to start the virusshare search, though, but you need an account for that. You can request an invitation to the platform through contacting the admin via mail, directly.
To use it, add the following section to your Cortex application.conf:
Virusshare {
path="/path/to/download/directory"
}
Quoting Nils again, in order to download the newest available hash lists from virusshare.com, you can run the download_hashes.py script that comes with the analyzer.
./download_hashes.py /path/to/your/download/directory
Upon running the analyzer from TheHive, the report will contain a link to the corresponding Virusshare page if a match is found as shown below.
Yara
Last but not least, the Yara analyzer can check files against YARA rules using yara-python. To use it, add the following to your Cortex configuration file:
Yara { rules=["/path/a", "/path/b", "/path/my/rules.yar"] }
You can specify path to directories and files. If you supply a directory, the analyzer expects to find an index.yar or index.yas file. The index file can include other rule files. An example can be found in the Yara-rules repository.
Running Into Trouble?
Shall you encounter any difficulty, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!
TheHive Project 