18.9.1
hirshbergshachar authored and Itay4 committed Sep 6, 2018
1 parent 586ee38 commit dddb220
Showing 3 changed files with 1,165 additions and 79 deletions.
79 changes: 50 additions & 29 deletions Integrations/integration-VirusTotal.yml
Original file line number Diff line number Diff line change
Expand Up @@ -216,15 +216,22 @@ script:
}
ec.DBotScore.push({Indicator: hash, Type: 'hash', Vendor: 'VirusTotal', Score: dbotScore});
md += 'MD5 / SHA1 / SHA256: **' + r[i].md5 + ' / ' + r[i].sha1 + ' / ' + r[i].sha256 + '**\n';
if (longFormat === 'true' && r[i].scans) {
if (longFormat === 'true' && r[i].scans) { // add scans table
scansTable = createScansTable(r[i].scans);
md += tableToMarkdown('Scans', scansTable)
md += tableToMarkdown('Scans', scansTable);
if (ec[outputPaths.file]){
scans_ec = {
Scans: scansTable,
ScanID: r[i].scan_id
};
if (typeof ec[outputPaths.file][0] === 'object') { // malicous
ec[outputPaths.file][0].VirusTotal = scans_ec;
} else { // not malicious
ec[outputPaths.file][0] = {
MD5: r[i].md5,
VirusTotal: scans_ec
};
}
ec[outputPaths.file][0].VirusTotal = scans_ec;
} else {
scans_ec = {
MD5: r[i].md5,
Expand All @@ -234,13 +241,30 @@ script:
Scans: scansTable,
ScanID: r[i].scan_id
}
}
};
ec[outputPaths.file] = scans_ec;
}
} else {
ec[outputPaths.file][0]['VirusTotal'] = {
ScanID: r[i].scan_id,
MD5: r[i].md5
} else { // short format
if (ec[outputPaths.file]){
scans_ec = {
ScanID: r[i].scan_id
};
if (typeof ec[outputPaths.file][0] === 'object') { // malicious
ec[outputPaths.file][0].VirusTotal = scans_ec;
} else { // not malicious
ec[outputPaths.file][0] = {
MD5: r[i].md5,
VirusTotal: scans_ec
};
}
} else {
scans_ec = {
MD5: r[i].md5,
VirusTotal: {
ScanID: r[i].scan_id
}
};
ec[outputPaths.file] = scans_ec;
}
}
md += '\n';
Expand Down Expand Up @@ -283,7 +307,7 @@ script:
if (o.response_code === 0) {
ec.DBotScore = {Indicator: ip, Type: 'ip', Vendor: 'VirusTotal', Score: 0};
return {Type: entryTypes.note, Contents: res.body, ContentsFormat: formats.json, EntryContext: ec,
HumanReadable: 'VirusTotal does not have details about ' + ip + '\n' + res.obj.verbose_msg};
HumanReadable: 'VirusTotal does not have details about ' + ip + ' ,it sent the following response:\n' + res.obj.verbose_msg};
}
if (fullResponse === 'true'){
maxLen = 1000;
Expand Down Expand Up @@ -344,8 +368,8 @@ script:
'UnAVDetectedReferrerHashes': undetectedReferrerSamples.slice(0,maxLen)
}
};
if (ec[outputPaths.ip]){
ec[outputPaths.IP][0]['VirusTotal'] = {
if (ec[outputPaths.ip]){ // malicious
ec[outputPaths.ip]['VirusTotal'] = {
'DownloadedHashes': detectedDownloadedSamples.slice(0,maxLen),
'UnAVDetectedDownloadedHashes': undetectedDownloadedSamples.slice(0,maxLen),
"DetectedURLs": detectedUrls.slice(0,maxLen),
Expand All @@ -355,7 +379,7 @@ script:
'ReferrerHashes': detectedReferrerSamples.slice(0,maxLen),
'UnAVDetectedReferrerHashes': undetectedReferrerSamples.slice(0,maxLen)
};
} else {
} else { // not malicious
ec[outputPaths.ip] = ip_ec;
}
if (longFormat === 'true') {
Expand Down Expand Up @@ -407,12 +431,12 @@ script:
res = doReq('GET', 'url/report', {resource: url});
o = res.obj;
}
if (!o.scans) {
if (!o.scans) { // URL doesn't exist in VT
md += 'URL submitted for scan. Please retry command later\n';
ec[outputPaths.url] = {
Data: url,
VirusTotal: {
ScanID: o.scan_id,
Data: url
ScanID: o.scan_id
}
};
} else {
Expand All @@ -435,17 +459,16 @@ script:
}
ec.DBotScore = {Indicator: url, Type: 'url', Vendor: 'VirusTotal', Score: dbotScore};
if (longFormat === 'true') {
md += '### Scans\n';
if (longFormat === 'true') { // add scans table
scansTable = createScansTable(o.scans);
md += tableToMarkdown('Scans', scansTable)
if (ec[outputPaths.url]){
if (ec[outputPaths.url]){ // malicious
scans_ec = {
Scans: scansTable,
ScanID: o.scan_id
}
ec[outputPaths.url][0].VirusTotal = scans_ec;
} else {
ec[outputPaths.url].VirusTotal = scans_ec;
} else { // not malicious
scans_ec = {
Data: url,
"VirusTotal": {
Expand All @@ -455,12 +478,12 @@ script:
}
ec[outputPaths.url] = scans_ec;
}
} else {
if (ec[outputPaths.url]){
} else { // short format
if (ec[outputPaths.url]){ // malicious
ec[outputPaths.url]['VirusTotal'] = {
ScanID: o.scan_id,
};
} else {
} else { // not malicious
ec[outputPaths.url] = {
Data: url,
VirusTotal: {
Expand Down Expand Up @@ -636,8 +659,8 @@ script:
'Subdomains': domain_siblings,
}
};
if (ec[outputPaths.domain]){
ec['Domain(val.Name==obj.Name)'].VirusTotal = {
if (ec[outputPaths.domain]){ // malicious
ec[outputPaths.domain].VirusTotal = {
'DownloadedHashes': detected_downloaded_samples,
'UnAVDetectedDownloadedHashes': undetected_downloaded_samples,
"DetectedURLs": detected_urls,
Expand All @@ -649,7 +672,7 @@ script:
'Whois': o.whois,
'Subdomains': domain_siblings,
}
} else {
} else { // not malicious
ec[outputPaths.domain] = domain_ec;
}
Expand Down Expand Up @@ -964,8 +987,6 @@ script:
description: Scan detection for this URL (True/False)
- contextPath: URL.VirusTotal.Scans.Result
description: Scan result for this URL - signature, etc.
- contextPath: URL.VirusTotal.ScanID
description: Scan ID for this URL
description: Check URL Reputation
- name: domain
arguments:
Expand Down Expand Up @@ -1105,4 +1126,4 @@ script:
description: Datetime token in format YYYYMMDDHHMISS that can be used for paging
description: Private API. Retrieve comments for a given resource
runonce: false
releaseNotes: "ScanID will appear now in the context data instead of in the command war-room output"
releaseNotes: "-"
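Review bot: In the file-reputation hunk the branch selector `typeof ec[outputPaths.file][0] === 'object'` only holds when the existing File context is an array, yet both non-malicious paths in the same hunk store a plain object there (`ec[outputPaths.file] = scans_ec;`), so on the next pass of the `r[i]` loop a second hash falls into the `else` branch and is written as `ec[outputPaths.file][0] = {...}` — a `"0"` property hung off the first hash's object rather than a sibling entry — while the outer `else` simply overwrites whatever was stored before. Make the distinction with `Array.isArray(ec[outputPaths.file])` (which also avoids `typeof null === 'object'`) and collect non-malicious results in an array so a multi-hash response yields one File entry per hash; the two-branch block is also copied verbatim between the long and short formats and could be one small helper taking `scans_ec`. I cannot see where the array form is produced (presumably a malicious-handling helper above the hunk), so confirm it is always a one-element array before relying on `[0]`. The hash loop enclosing this hunk starts above it. Separately, the next-to-last hunk drops the `URL.VirusTotal.ScanID` contextPath while the URL hunks still write `ScanID` into `URL.VirusTotal` in every branch, so that output should remain documented (and the comment typo `// malicous` is worth fixing while there).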