Merge pull request #1053 from korteke/feature/netcraft

Netcraft Cortex responder

responders/Netcraft/Dockerfile

@@ -0,0 +1,6 @@
+FROM python:3
+
+WORKDIR /worker
+COPY . Netcraft
+RUN pip install --no-cache-dir -r Netcraft/requirements.txt
+ENTRYPOINT Netcraft/Netcraft.py

responders/Netcraft/Netcraft.py

@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+# encoding: utf-8
+
+from cortexutils.responder import Responder
+import requests
+
+
+class NetcraftReporter(Responder):
+    def __init__(self):
+        Responder.__init__(self)
+        self.scheme = "https"
+        self.api_key = self.get_param(
+            'config.api_key', None, "API-key Missing")
+        self.takedown_url = self.get_param(
+            'config.takedown_url', None, "Takedown URL Missing")
+        self.observable_type = self.get_param('data.dataType', None, "Data type is empty")
+        self.observable_description = self.get_param('data.message', None, "Description is empty")
+        self.username = self.get_param(
+            'config.username', None, "Takedown Username is empty")
+        self.password = self.get_param(
+            'config.password', None, "Takedown Password is empty")
+        self.useUserPass = self.get_param(
+            'config.useUserPass', None, "Takedown Use Username Password authentication is empty")
+
+    def run(self):
+        Responder.run(self)
+        try:
+            supported_observables = ["domain", "url", "fqdn"]
+            if self.observable_type in supported_observables:
+                if self.observable_type == "domain" or self.observable_type == "fqdn":
+                    domain = self.get_param('data.data', None, 'No artifacts available')
+                    takedown = "{}://{}".format(self.scheme, domain)
+                elif self.observable_type == "url":
+                    takedown = self.get_param('data.data')
+
+                session = requests.Session()
+                session.headers.update({'User-Agent': 'Netcraft-Cortex-Responder'})
+
+                if self.useUserPass:
+                    session.auth = (self.username, self.password)
+                else:
+                    session.headers.update({'Authorization': 'Bearer ' + self.api_key})
+
+                payload = {
+                    "attack": takedown,
+                    "comment": "Automated takedown via Cortex"
+                }
+                response = session.post(self.takedown_url, data=payload)
+
+                if response.status_code == 200:
+                    self.report({'message': 'Takedown request sent to Netcraft. Message: {}'.format(response.text)})
+                elif response.status_code == 401:
+                    self.error({'message': 'Failed authentication. Check API-Key. Message: {}'.format(response.text)})
+                else:
+                    self.error('Failed to submit takedown request. Error code: {}. Error message: {}'
+                               .format(response.status_code, response.text))
+            else:
+                self.error('Incorrect dataType. "Domain", "FQDN", or "URL" expected.')
+
+        except requests.exceptions.RequestException as e:
+            self.error(str(e))
+
+    def operations(self, raw):
+        return [self.build_operation('AddTagToArtifact', tag='Netcraft:takedown')]
+
+
+if __name__ == '__main__':
+    NetcraftReporter().run()

responders/Netcraft/NetcraftTakedown.json

@@ -0,0 +1,52 @@
+{
+  "name": "Netcraft_TakedownPhishingURL",
+  "version": "1.0",
+  "author": "Keijo Korte - @korteke",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Submit URL to Netcraft's Takedown API.",
+  "dataTypeList": ["thehive:case_artifact"],
+  "command": "Netcraft/Netcraft.py",
+  "baseConfig": "Netcraft",
+  "configurationItems": [
+    {
+      "name": "api_key",
+      "description": "Netcraft Takedown API key",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "username",
+      "description": "Netcraft Takedown Username",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "password",
+      "description": "Netcraft Takedown Password",
+      "type": "string",
+      "multi": false,
+      "required": false
+    },
+    {
+      "name": "useUserPass",
+      "description": "Use User and Password authentication",
+      "type": "boolean",
+      "multi": false
+    },
+    {
+      "name": "takedown_url",
+      "description": "Netcraft Takedown URL",
+      "type": "string",
+      "multi": false,
+      "required": true,
+      "defaultValue": "https://takedown.netcraft.com/authorise.php"
+    }
+  ],
+  "registration_required": true,
+  "subscription_required": true,
+  "free_subscription": false,
+  "service_homepage": "https://www.netcraft.com/cybercrime/countermeasures/"
+}

responders/Netcraft/README.md

@@ -0,0 +1,13 @@
+### Netcraft Takedown
+
+This responder sends observables to [Netcraft Takedown service](https://www.netcraft.com/cybercrime/countermeasures/).
+
+#### Requirements
+One need to request API-key from Netcraft [Contact form](https://www.netcraft.com/contact/).
+
+#### Configuration
+- `api_key` : Netcraft Takedown API-key   
+- `takedown_url`: Netcraft Takedown URL (default: https://takedown.netcraft.com/authorise.php)
+
+#### Official documenation
+Official API documentation: [Netcraft site](https://takedown.netcraft.com/help_api.php).

responders/Netcraft/requirements.txt

@@ -0,0 +1,2 @@
+cortexutils
+requests