adding commandsequence_api to greedybear

Author: spoiicy

api_app/analyzers_manager/migrations/0159_analyzer_config_greedybear.py

@@ -0,0 +1,237 @@
+from django.db import migrations
+from django.db.models.fields.related_descriptors import (
+    ForwardManyToOneDescriptor,
+    ForwardOneToOneDescriptor,
+    ManyToManyDescriptor,
+    ReverseManyToOneDescriptor,
+    ReverseOneToOneDescriptor,
+)
+
+plugin = {
+    "python_module": {
+        "health_check_schedule": None,
+        "update_schedule": None,
+        "module": "greedybear.GreedyBear",
+        "base_path": "api_app.analyzers_manager.observable_analyzers",
+    },
+    "name": "GreedyBear",
+    "description": "scan an IP or a domain against the [GreedyBear](https://www.honeynet.org/2021/12/27/new-project-available-greedybear/) service",
+    "disabled": False,
+    "soft_time_limit": 30,
+    "routing_key": "default",
+    "health_check_status": True,
+    "type": "observable",
+    "docker_based": False,
+    "maximum_tlp": "AMBER",
+    "observable_supported": ["ip", "domain", "hash"],
+    "supported_filetypes": [],
+    "run_hash": False,
+    "run_hash_type": "sha256",
+    "not_supported_filetypes": [],
+    "mapping_data_model": {},
+    "model": "analyzers_manager.AnalyzerConfig",
+}
+
+params = [
+    {
+        "python_module": {
+            "module": "greedybear.GreedyBear",
+            "base_path": "api_app.analyzers_manager.observable_analyzers",
+        },
+        "name": "url",
+        "type": "str",
+        "description": "URL of the GreedyBear instance you want to connect to",
+        "is_secret": False,
+        "required": False,
+    },
+    {
+        "python_module": {
+            "module": "greedybear.GreedyBear",
+            "base_path": "api_app.analyzers_manager.observable_analyzers",
+        },
+        "name": "api_key_name",
+        "type": "str",
+        "description": "API key required for authentication",
+        "is_secret": True,
+        "required": True,
+    },
+    {
+        "python_module": {
+            "module": "greedybear.GreedyBear",
+            "base_path": "api_app.analyzers_manager.observable_analyzers",
+        },
+        "name": "command_sequence_toggle",
+        "type": "bool",
+        "description": "Enable fetching the details from CommandSequenceAPI",
+        "is_secret": False,
+        "required": False,
+    },
+    {
+        "python_module": {
+            "module": "greedybear.GreedyBear",
+            "base_path": "api_app.analyzers_manager.observable_analyzers",
+        },
+        "name": "same_cluster_commands",
+        "type": "bool",
+        "description": "Fetch results for command sequences from same cluster",
+        "is_secret": False,
+        "required": False,
+    },
+]
+
+values = [
+    {
+        "parameter": {
+            "python_module": {
+                "module": "greedybear.GreedyBear",
+                "base_path": "api_app.analyzers_manager.observable_analyzers",
+            },
+            "name": "url",
+            "type": "str",
+            "description": "URL of the GreedyBear instance you want to connect to",
+            "is_secret": False,
+            "required": False,
+        },
+        "analyzer_config": "GreedyBear",
+        "connector_config": None,
+        "visualizer_config": None,
+        "ingestor_config": None,
+        "pivot_config": None,
+        "for_organization": False,
+        "value": "https://greedybear.honeynet.org",
+        "updated_at": "2025-02-19T14:53:18.159755Z",
+        "owner": None,
+    },
+    {
+        "parameter": {
+            "python_module": {
+                "module": "greedybear.GreedyBear",
+                "base_path": "api_app.analyzers_manager.observable_analyzers",
+            },
+            "name": "command_sequence_toggle",
+            "type": "bool",
+            "description": "Enable fetching the details from CommandSequenceAPI",
+            "is_secret": False,
+            "required": False,
+        },
+        "analyzer_config": "GreedyBear",
+        "connector_config": None,
+        "visualizer_config": None,
+        "ingestor_config": None,
+        "pivot_config": None,
+        "for_organization": False,
+        "value": True,
+        "updated_at": "2025-06-19T03:34:12.680076Z",
+        "owner": None,
+    },
+    {
+        "parameter": {
+            "python_module": {
+                "module": "greedybear.GreedyBear",
+                "base_path": "api_app.analyzers_manager.observable_analyzers",
+            },
+            "name": "same_cluster_commands",
+            "type": "bool",
+            "description": "Fetch results for command sequences from same cluster",
+            "is_secret": False,
+            "required": False,
+        },
+        "analyzer_config": "GreedyBear",
+        "connector_config": None,
+        "visualizer_config": None,
+        "ingestor_config": None,
+        "pivot_config": None,
+        "for_organization": False,
+        "value": False,
+        "updated_at": "2025-06-19T03:34:12.688262Z",
+        "owner": None,
+    },
+]
+
+
+def _get_real_obj(Model, field, value):
+    def _get_obj(Model, other_model, value):
+        if isinstance(value, dict):
+            real_vals = {}
+            for key, real_val in value.items():
+                real_vals[key] = _get_real_obj(other_model, key, real_val)
+            value = other_model.objects.get_or_create(**real_vals)[0]
+        # it is just the primary key serialized
+        else:
+            if isinstance(value, int):
+                if Model.__name__ == "PluginConfig":
+                    value = other_model.objects.get(name=plugin["name"])
+                else:
+                    value = other_model.objects.get(pk=value)
+            else:
+                value = other_model.objects.get(name=value)
+        return value
+
+    if (
+        type(getattr(Model, field))
+        in [
+            ForwardManyToOneDescriptor,
+            ReverseManyToOneDescriptor,
+            ReverseOneToOneDescriptor,
+            ForwardOneToOneDescriptor,
+        ]
+        and value
+    ):
+        other_model = getattr(Model, field).get_queryset().model
+        value = _get_obj(Model, other_model, value)
+    elif type(getattr(Model, field)) in [ManyToManyDescriptor] and value:
+        other_model = getattr(Model, field).rel.model
+        value = [_get_obj(Model, other_model, val) for val in value]
+    return value
+
+
+def _create_object(Model, data):
+    mtm, no_mtm = {}, {}
+    for field, value in data.items():
+        value = _get_real_obj(Model, field, value)
+        if type(getattr(Model, field)) is ManyToManyDescriptor:
+            mtm[field] = value
+        else:
+            no_mtm[field] = value
+    try:
+        o = Model.objects.get(**no_mtm)
+    except Model.DoesNotExist:
+        o = Model(**no_mtm)
+        o.full_clean()
+        o.save()
+        for field, value in mtm.items():
+            attribute = getattr(o, field)
+            if value is not None:
+                attribute.set(value)
+        return False
+    return True
+
+
+def migrate(apps, schema_editor):
+    Parameter = apps.get_model("api_app", "Parameter")
+    PluginConfig = apps.get_model("api_app", "PluginConfig")
+    python_path = plugin.pop("model")
+    Model = apps.get_model(*python_path.split("."))
+    if not Model.objects.filter(name=plugin["name"]).exists():
+        exists = _create_object(Model, plugin)
+        if not exists:
+            for param in params:
+                _create_object(Parameter, param)
+            for value in values:
+                _create_object(PluginConfig, value)
+
+
+def reverse_migrate(apps, schema_editor):
+    python_path = plugin.pop("model")
+    Model = apps.get_model(*python_path.split("."))
+    Model.objects.get(name=plugin["name"]).delete()
+
+
+class Migration(migrations.Migration):
+    atomic = False
+    dependencies = [
+        ("api_app", "0071_delete_last_elastic_report"),
+        ("analyzers_manager", "0158_analyzer_config_huntingabuseapi"),
+    ]
+
+    operations = [migrations.RunPython(migrate, reverse_migrate)]

api_app/analyzers_manager/observable_analyzers/greedybear.py

@@ -1,6 +1,8 @@
 # This file is a part of IntelOwl https://github.com/intelowlproject/IntelOwl
 # See the file 'LICENSE' for copying permission.
 
+from ipaddress import ip_address
+
 import requests
 
 from api_app.analyzers_manager.classes import ObservableAnalyzer
@@ -10,20 +12,60 @@
 class GreedyBear(ObservableAnalyzer):
     _api_key_name: str
     url: str
+    command_sequence_toggle: bool = True
+    same_cluster_commands: bool = False
+
+    def is_ip_address(self, observable: str) -> bool:
+        try:
+            ip_address(observable)
+            return True
+        except ValueError:
+            return False
+
+    def is_sha256_hash(self, observable: str) -> bool:
+        return len(observable) == 64 and all(
+            c in "0123456789abcdefABCDEF" for c in self.observable_name
+        )
+
+    @classmethod
+    def update(cls):
+        pass
 
     def run(self):
         headers = {
             "Authorization": "Token " + self._api_key_name,
             "Accept": "application/json",
         }
-        params_ = {
-            "query": self.observable_name,
-        }
-        uri = "/api/enrichment"
-        response = requests.get(self.url + uri, params=params_, headers=headers)
-        response.raise_for_status()
 
-        result = response.json()
+        params_ = {"query": self.observable_name, "include_similar": False}
+
+        enrichment_uri = "/api/enrichment"
+        command_sequence_uri = "/api/command_sequence"
+
+        result = {}
+
+        if self.is_sha256_hash(self.observable_name):
+            if self.same_cluster_commands:
+                params_["include_similar"] = True
+
+                command_sequence_response = requests.get(
+                    self.url + command_sequence_uri, params=params_, headers=headers
+                )
+                result = {"command_sequence_results": command_sequence_response.json()}
+
+        else:
+            if self.command_sequence_toggle:
+                if self.same_cluster_commands:
+                    params_["include_similar"] = True
+                command_sequence_response = requests.get(
+                    self.url + command_sequence_uri, params=params_, headers=headers
+                )
+                result["command_sequence_results"] = command_sequence_response.json()
+
+            enrichment_response = requests.get(
+                self.url + enrichment_uri, params=params_, headers=headers
+            )
+            result["enrichment_results"] = enrichment_response.json()
 
         return result