diff --git a/analyzers/NERD/nerd_analyzer.py b/analyzers/NERD/nerd_analyzer.py
index f297d1790708a71f7e93a694f77d7cdb791bd43f..4ee11b46c21245b1f92492f30b2718cd3cb2ed44 100644
--- a/analyzers/NERD/nerd_analyzer.py
+++ b/analyzers/NERD/nerd_analyzer.py
@@ -4,6 +4,24 @@ import requests
 from cortexutils.analyzer import Analyzer
+# Map of tag IDs to (name,level)-tuple used in summary (tags not listed here are not shown)
+tag_map = {
+    'reconscanning': ('Scanner', 'suspicious'),
+    'attemptexploit': ('Exploit', 'malicious'),
+    'attemptlogin': ('Login', 'malicious'),
+    'malware': ('Malware', 'malicious'),
+    'availabilitydos': ('DDoS', 'malicious'),
+    'researchscanners': ('Research scanner', 'safe'),
+    'vpn': ('VPN', 'info'),
+    'nat': ('NAT', 'info'),
+    'dsl': ('DSL', 'info'),
+    'dynamicIP': ('Dynamic IP', 'info'),
+    'tor': ('Tor exit node', 'info'),
+    'spam': ('Spam', 'malicious'),
+    'reserved_ip': ('Reserved IP', 'info'),
+}
+
+
 class NERDAnalyzer(Analyzer):
     def __init__(self):
         Analyzer.__init__(self)
@@ -31,14 +49,19 @@ class NERDAnalyzer(Analyzer):
         # Tags
         for tag in raw['tags']:
-            # TODO: filter tags, set different levels
-            taxonomies.append(self.build_taxonomy('info', 'NERD', 'Tag', tag))
+            try:
+                tag_name, level = tag_map[tag]
+            except KeyError:
+                continue
+            taxonomies.append(self.build_taxonomy(level, 'NERD', 'Tag', tag_name))
         return {'taxonomies': taxonomies}
     def artifacts(self, raw):
-        """Returns a list of indicators extracted from reply (empty in this case)"""
-        return [] # TODO add hostname as a new indicator?
+        """Returns a list of indicators extracted from reply (only "hostname" in this case)"""
+        if raw.get('hostname'):
+            return [{'dataType': 'fqdn', 'data': raw['hostname']}]
+        return []
     def run(self):
         """Main function run by Cortex to analyze an observable."""
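Review bot: tag_map is a module-level constant that summary() reads, so the PEP 8 convention the rest of the file's naming follows would be `TAG_MAP = {` (with the lookup in summary() renamed to match). The second element of each tuple is handed to build_taxonomy unchanged as the taxonomy level, so a typo in a new entry would most likely surface as an unknown level in the Cortex UI rather than as an error here; a line above the dict such as `# level: one of the Cortex taxonomy levels -- info, safe, suspicious, malicious` would make that contract explicit to whoever extends the map. The comment already says unlisted tags are dropped, which is good, since that is the non-obvious consequence of adding a tag ID here or not.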
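Review bot: artifacts() promotes raw['hostname'] to an fqdn observable without normalising it, although the value comes straight from the NERD reply (presumably a reverse-DNS name) and a trailing dot or a non-hostname string would become a malformed artifact that downstream analyzers then pivot on; `host = str(raw.get('hostname') or '').rstrip('.')` followed by `return [{'dataType': 'fqdn', 'data': host}] if host else []` keeps the same interface while rejecting the empty case. In summary(), whose def lies outside this hunk, the try/except KeyError around tag_map[tag] reads more directly as `mapping = tag_map.get(tag)` with `if mapping is None: continue`, and it is worth noting in a comment that a tag NERD introduces later is silently dropped from the summary until it is added to tag_map, so operators know where to look when a tag seems to be missing. The body of run() continues past the end of the hunk.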