intelixir Goto Github PK

██╗███╗   ██╗████████╗███████╗██╗     ██╗██╗  ██╗██╗██████╗ 
██║████╗  ██║╚══██╔══╝██╔════╝██║     ██║╚██╗██╔╝██║██╔══██╗
██║██╔██╗ ██║   ██║   █████╗  ██║     ██║ ╚███╔╝ ██║██████╔╝
██║██║╚██╗██║   ██║   ██╔══╝  ██║     ██║ ██╔██╗ ██║██╔══██╗
██║██║ ╚████║   ██║   ███████╗███████╗██║██╔╝ ██╗██║██║  ██║
╚═╝╚═╝  ╚═══╝   ╚═╝   ╚══════╝╚══════╝╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═╝

A (poorly written) potion of threat intelligence.

Intelixir is a demonstration library for SophosLabs Intelix, written in Python. It's major features are poorly written code, zero tests, few comments, and no docstrings! You're welcome!

Import the library (github.com/intelixir/intelixir)

from intelixir import SophosLabs

Create a SophosLabs and auth to get api token

s = SophosLabs(
    client_id='abcdefghijklmnopqrstuvwzyz',
    client_secret='abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmno',
    region='DE')

There are three services:

• lookups (quick lookups for known intelligence)
• static (analysis - ML, AV, and other static tools)
• dynamic (sandbox - detonate on a VM and observe behavior) They all return json-formatted intelligence reports

We can GET existing, basic threat intel via sha256, url, or local filepath

s.lookup_sha256('01ea7b43695112507f3d312c64701d1af88266e87205f0be3103872229b925c9')
s.lookup_url('http://sophostest.com/politics/index.html')
s.lookup_file('putty.exe')
# TODO: s.lookup_apk()

We can GET existing threat intel from the static analyzers via job_id or sha256 We can POST files to SophosLabs for static analysis

s.static_job('76e82b693fbcb7300e21fe1f4fc68927')
s.static_sha256('8c2be18f80801afa8129f5e82cbf9c53afb8f9368f88619acbb7d1dc0df0237a')
s.static_file('putty.exe')

Dynamic (sandbox) is used the same way

s.dynamic_job('5d09277fef89bc5113f000e51da191bf')
s.dynamic_sha256('8c2be18f80801afa8129f5e82cbf9c53afb8f9368f88619acbb7d1dc0df0237a')
s.dynamic_file('putty.exe')

Each method returns the report direct from the API at the time it was called (inc. incomplete jobs / errors)

report = s.lookup_url('https://website.com')

Reports of successful analyses are added to a dictionary in our instance of a SophosLabs.

s.reports_lookup
s.reports_static
s.reports_dynamic
s.reports_dynamic['file']['another.exe']

Reports are stored in a nested dictionary with a key that corresponds to the method you called

for key in s.reports_lookup:
    print(key)

The individual reports are stored with a key that corresponds to the args provided to the method you called

for key in s.reports_lookup['sha256']:
    print(key)

You can stop reports from being saved if you don't want them to by setting save to False

s.static_sha256('01ea7b43695112507f3d312c64701d1af88266e87205f0be3103872229b925c9', save=False)

Sometimes a job isn't done instantly (dynamic execution takes time)

print(s.dynamic_file('another.exe'))
# {'jobStatus': 'IN_PROGRESS', 'jobId': '5d09277fef89bc5113f000e51da191bf'}

After some time has passed, we can recheck the reports for all "IN_PROGRESS" jobs for either static or dynamic analysis. These return a list of tuples corresponding to the method and the arg provided when you initially requested them

static = s.check_static_jobs()
dynamic = s.check_dynamic_jobs()
# the tuples in the list make it easy to query the reports dicts
for t in static:
    print(s.reports_static[t0][t1])