Merged
27 commits
0cebcf4 upgrade whoislookup deps (reyesj2, Aug 20, 2025)
6a0d40e leave requirements.txt as is (reyesj2, Aug 20, 2025)
2e94e45 whoislookup py 3.13 (reyesj2, Aug 20, 2025)
9ca0c7d urlhaus dep upgrades + update to use authenticated abusech api (reyesj2, Aug 20, 2025)
87a28e8 malwarebazaar dep upgrades + use auth (reyesj2, Aug 21, 2025)
c412e9b malwarebazaar api uses auth (reyesj2, Aug 21, 2025)
58228f7 malwarehashregistry dep upgrades (reyesj2, Aug 21, 2025)
0e0ab83 localfile dep upgrade (reyesj2, Aug 21, 2025)
67f8fca spamhaus dep upgrades (reyesj2, Aug 21, 2025)
220e485 threatfox dep upgrade + use auth for api access (reyesj2, Aug 21, 2025)
a3e0072 update readme threatfox uses auth for api now (reyesj2, Aug 21, 2025)
cccc3bf urlscan dep upgrades (reyesj2, Aug 21, 2025)
418dbee virustotal dep upgrades (reyesj2, Aug 21, 2025)
ebd81c1 otx dep upgrades (reyesj2, Aug 21, 2025)
7d883cb echotrail api no longer available (reyesj2, Aug 21, 2025)
d3108c3 greynoise dep upgrade + use community version with no auth (reyesj2, Aug 21, 2025)
9f45792 pulsedive dep upgrades (reyesj2, Aug 21, 2025)
b79c7b0 sublime dep upgrades (reyesj2, Aug 21, 2025)
d16dfcf emailrep dep upgrades (reyesj2, Aug 21, 2025)
1a08833 typo (reyesj2, Aug 22, 2025)
c2c96da bump version (reyesj2, Aug 22, 2025)
924b069 spamhaus config typos (reyesj2, Aug 22, 2025)
9f0bd4b spamhaus enable multiline annotation on nameservers entries (reyesj2, Aug 22, 2025)
5479d49 greynoise breakup long line for linter (reyesj2, Aug 22, 2025)
a6600b8 elasticsearch dep upgrades (reyesj2, Aug 22, 2025)
b2e7f58 analyzer test updates (reyesj2, Aug 22, 2025)
a959f90 Merge remote-tracking branch 'origin/2.4/dev' into reyesj2/pypy (reyesj2, Sep 12, 2025)
6 changes: 6 additions & 0 deletions salt/sensoroni/defaults.yaml
Expand Up @@ -34,6 +34,8 @@ sensoroni:
api_version: community
localfile:
file_path: []
malwarebazaar:
api_key:
otx:
base_url: https://otx.alienvault.com/api/v1/
api_key:
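Review bot: `malwarebazaar: api_key:` is added with an empty value, while the README change in this same PR flips MalwareBazaar to "authentication required". With an empty default the analyzer will presumably fail its config check at runtime (the greynoise analyzer in this PR exits 126 on a missing or empty key) rather than being cleanly disabled. Consider pairing the key with an `enabled: False` default, as `urlscan` already does in the next hunk, so that auth-required analyzers are an explicit opt-in, and keep the actual key value in the pillar override rather than in defaults.yaml.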
Expand All @@ -49,12 +51,16 @@ sensoroni:
live_flow: False
mailbox_email_address:
message_source_id:
threatfox:
api_key:
urlscan:
base_url: https://urlscan.io/api/v1/
api_key:
enabled: False
visibility: public
timeout: 180
urlhaus:
api_key:
virustotal:
base_url: https://www.virustotal.com/api/v3/search?query=
api_key:
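Review bot: `threatfox: api_key:` and `urlhaus: api_key:` add two more empty keys for abuse.ch services alongside `malwarebazaar`. If, as the urlhaus commit message ("use authenticated abusech api") suggests, all three analyzers take the same abuse.ch Auth-Key, a single shared setting, or at least a comment cross-referencing the three, would save operators from entering the same secret three times and from the partial-configuration case where one of the three is left blank and fails on its own. Whatever the layout, document here that a blank value means the analyzer will not run.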
8 changes: 4 additions & 4 deletions salt/sensoroni/files/analyzers/README.md
Expand Up @@ -35,15 +35,15 @@ Many analyzers require authentication, via an API key or similar. The table belo
[EchoTrail](https://www.echotrail.io/docs/quickstart) |✓|
[EmailRep](https://emailrep.io/key) |✓|
[Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/7.17/setting-up-authentication.html) |✓|
[GreyNoise](https://www.greynoise.io/plans/community) |✓|
[GreyNoise (community)](https://www.greynoise.io/plans/community) |✗|
[LocalFile](https://github.com/Security-Onion-Solutions/securityonion/tree/fix/sublime_analyzer_documentation/salt/sensoroni/files/analyzers/localfile) |✗|
[Malware Hash Registry](https://hash.cymru.com/docs_whois) |✗|
[MalwareBazaar](https://bazaar.abuse.ch/) |✗|
[MalwareBazaar](https://bazaar.abuse.ch/) |✓|
[Pulsedive](https://pulsedive.com/api/) |✓|
[Spamhaus](https://www.spamhaus.org/dbl/) |✗|
[Sublime Platform](https://sublime.security) |✓|
[ThreatFox](https://threatfox.abuse.ch/) |✗|
[Urlhaus](https://urlhaus.abuse.ch/) |✗|
[ThreatFox](https://threatfox.abuse.ch/) |✓|
[Urlhaus](https://urlhaus.abuse.ch/) |✓|
[Urlscan](https://urlscan.io/docs/api/) |✓|
[VirusTotal](https://developers.virustotal.com/reference/overview) |✓|
[WhoisLookup](https://github.com/meeb/whoisit) |✗|
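Review bot: the `[EchoTrail](https://www.echotrail.io/docs/quickstart) |✓|` row at the top of this hunk is left in place, but this same PR deletes every file under `salt/sensoroni/files/analyzers/echotrail/` (commit "echotrail api no longer available"); drop the row so the table does not advertise an analyzer that no longer ships. The flipped rows for GreyNoise (community), MalwareBazaar, ThreatFox and Urlhaus match the code and config changes. Unrelated to this PR but worth a follow-up: the LocalFile link points at a `fix/sublime_analyzer_documentation` branch URL rather than the default branch.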
24 changes: 0 additions & 24 deletions salt/sensoroni/files/analyzers/echotrail/README.md

This file was deleted.

10 changes: 0 additions & 10 deletions salt/sensoroni/files/analyzers/echotrail/echotrail.json

This file was deleted.

67 changes: 0 additions & 67 deletions salt/sensoroni/files/analyzers/echotrail/echotrail.py

This file was deleted.

3 changes: 0 additions & 3 deletions salt/sensoroni/files/analyzers/echotrail/echotrail.yaml

This file was deleted.

78 changes: 0 additions & 78 deletions salt/sensoroni/files/analyzers/echotrail/echotrail_test.py

This file was deleted.

2 changes: 0 additions & 2 deletions salt/sensoroni/files/analyzers/echotrail/requirements.txt

This file was deleted.

26 binary files not shown.
2 changes: 1 addition & 1 deletion salt/sensoroni/files/analyzers/greynoise/greynoise.json
@@ -1,6 +1,6 @@
{
"name": "Greynoise IP Analyzer",
"version": "0.1",
"version": "0.2",
"author": "Security Onion Solutions",
"description": "This analyzer queries Greynoise for context around an IP address",
"supportedTypes" : ["ip"]
12 changes: 9 additions & 3 deletions salt/sensoroni/files/analyzers/greynoise/greynoise.py
Expand Up @@ -7,6 +7,10 @@


def checkConfigRequirements(conf):
# Community API doesn't require API key
if conf.get('api_version') == 'community':
return True
# Other API versions require API key
if "api_key" not in conf or len(conf['api_key']) == 0:
sys.exit(126)
else:
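Review bot: `checkConfigRequirements` now returns early for `api_version == 'community'` but never validates that `api_version` is one of the values `sendReq` understands. A config with, say, `api_version: enterprise` and a non-empty key passes this check and only fails later inside `sendReq`, where no branch matches. Suggest rejecting unknown versions here, e.g. `if conf.get('api_version') not in ('community', 'investigate', 'automate'): sys.exit(126)`, so misconfiguration surfaces at the config check rather than deep in a request. Minor: this function reads `conf.get('api_version')` while `sendReq` reads `conf['api_version']`; pick one access style.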
Expand All @@ -17,10 +21,12 @@ def sendReq(conf, meta, ip):
url = conf['base_url']
if conf['api_version'] == 'community':
url = url + 'v3/community/' + ip
elif conf['api_version'] == 'investigate' or 'automate':
# Community API doesn't use API key
response = requests.request('GET', url=url)
elif conf['api_version'] in ['investigate', 'automate']:
url = url + 'v2/noise/context/' + ip
headers = {"key": conf['api_key']}
response = requests.request('GET', url=url, headers=headers)
headers = {"key": conf['api_key']}
response = requests.request('GET', url=url, headers=headers)
return response.json()


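Review bot: replacing `elif conf['api_version'] == 'investigate' or 'automate':` with `elif conf['api_version'] in ['investigate', 'automate']:` fixes a real bug (the old condition was always true because the bare string `'automate'` is truthy), but the new shape leaves `response` unassigned when `api_version` is anything else, so `return response.json()` raises `UnboundLocalError` instead of a clear configuration error. Add an `else:` that exits or raises, or reject unknown versions in `checkConfigRequirements`. Also, neither `requests.request(...)` call sets a `timeout`, so an unresponsive GreyNoise endpoint will hang the analyzer indefinitely; pass `timeout=` on both calls.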
35 changes: 33 additions & 2 deletions salt/sensoroni/files/analyzers/greynoise/greynoise_test.py
Expand Up @@ -31,13 +31,31 @@ def test_checkConfigRequirements_not_present(self):
greynoise.checkConfigRequirements(conf)
self.assertEqual(cm.exception.code, 126)

def test_checkConfigRequirements_community_no_key(self):
conf = {"api_version": "community"}
# Should not raise exception for community version
result = greynoise.checkConfigRequirements(conf)
self.assertTrue(result)

def test_checkConfigRequirements_investigate_no_key(self):
conf = {"api_version": "investigate"}
with self.assertRaises(SystemExit) as cm:
greynoise.checkConfigRequirements(conf)
self.assertEqual(cm.exception.code, 126)

def test_checkConfigRequirements_investigate_with_key(self):
conf = {"api_version": "investigate", "api_key": "test_key"}
result = greynoise.checkConfigRequirements(conf)
self.assertTrue(result)

def test_sendReq_community(self):
with patch('requests.request', new=MagicMock(return_value=MagicMock())) as mock:
meta = {}
conf = {"base_url": "https://myurl/", "api_key": "abcd1234", "api_version": "community"}
conf = {"base_url": "https://myurl/", "api_version": "community"}
ip = "192.168.1.1"
response = greynoise.sendReq(conf=conf, meta=meta, ip=ip)
mock.assert_called_once_with("GET", headers={'key': 'abcd1234'}, url="https://myurl/v3/community/192.168.1.1")
# Community API should not include headers
mock.assert_called_once_with("GET", url="https://myurl/v3/community/192.168.1.1")
self.assertIsNotNone(response)

def test_sendReq_investigate(self):
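Review bot: `test_sendReq_community` patches `requests.request` with a bare `MagicMock`, so `response.json()` returns another MagicMock and `self.assertIsNotNone(response)` can never fail; give the mock a `.return_value.json.return_value` and assert on that so the test checks the parsed body. The new `checkConfigRequirements` tests cover community and investigate, but nothing exercises an `api_version` outside the three known values, which is the case most likely to come from an operator typo; add a test for it and decide whether it should exit 126.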
Expand Down Expand Up @@ -115,3 +133,16 @@ def test_analyze(self):
results = greynoise.analyze(conf, artifactInput)
self.assertEqual(results["summary"], "suspicious")
mock.assert_called_once()

def test_analyze_community_no_key(self):
output = {"ip": "8.8.8.8", "noise": "false", "riot": "true",
"classification": "benign", "name": "Google Public DNS",
"link": "https://viz.gn.io", "last_seen": "2022-04-26",
"message": "Success"}
artifactInput = '{"value":"8.8.8.8","artifactType":"ip"}'
conf = {"base_url": "myurl/", "api_version": "community"}
with patch('greynoise.greynoise.sendReq', new=MagicMock(return_value=output)) as mock:
results = greynoise.analyze(conf, artifactInput)
self.assertEqual(results["summary"], "harmless")
self.assertEqual(results["status"], "ok")
mock.assert_called_once()
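Review bot: the fixture in `test_analyze_community_no_key` encodes `"noise": "false"` and `"riot": "true"` as strings, whereas `response.json()` on a JSON API body yields Python booleans. The string `"false"` is truthy, so a fixture like this can hide a bug in how `analyze` reads those fields or pass for the wrong reason. Use `False`/`True` in the fixture so the test sees the same types the real response would produce, and align it with the existing `test_analyze` fixture.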
20 binary files not shown.
@@ -1,6 +1,6 @@
{
"name": "Malwarebazaar",
"version": "0.1",
"version": "0.2",
"author": "Security Onion Solutions",
"description": "This analyzer queries Malwarebazaar to see if a hash, gimphash, tlsh, or telfhash is considered malicious.",
"supportedTypes" : ["gimphash","hash","tlsh", "telfhash"],