From a6fd60ee0169cc117cb88b8e111b3f88c2d02537 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=A1clav=20Barto=C5=A1?= <bartos@cesnet.cz>
Date: Fri, 26 Jun 2020 00:22:31 +0200
Subject: [PATCH] NERD: Added tag translation/filtration, hostname added as
 artifact

---
 analyzers/NERD/nerd_analyzer.py | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/analyzers/NERD/nerd_analyzer.py b/analyzers/NERD/nerd_analyzer.py
index f297d17..4ee11b4 100644
--- a/analyzers/NERD/nerd_analyzer.py
+++ b/analyzers/NERD/nerd_analyzer.py
@@ -4,6 +4,24 @@
 import requests
 from cortexutils.analyzer import Analyzer
 
+# Map of tag IDs to (name,level)-tuple used in summary (tags not listed here are not shown)
+tag_map = {
+    'reconscanning': ('Scanner', 'suspicious'),
+    'attemptexploit': ('Exploit', 'malicious'),
+    'attemptlogin': ('Login', 'malicious'),
+    'malware': ('Malware', 'malicious'),
+    'availabilitydos': ('DDoS', 'malicious'),
+    'researchscanners': ('Research scanner', 'safe'),
+    'vpn': ('VPN', 'info'),
+    'nat': ('NAT', 'info'),
+    'dsl': ('DSL', 'info'),
+    'dynamicIP': ('Dynamic IP', 'info'),
+    'tor': ('Tor exit node', 'info'),
+    'spam': ('Spam', 'malicious'),
+    'reserved_ip': ('Reserved IP', 'info'),
+}
+
+
 class NERDAnalyzer(Analyzer):
     def __init__(self):
         Analyzer.__init__(self)
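Review bot: `tag_map` is a module-level constant (it is only read, in the taxonomy loop of summary()) and PEP 8 would name it `TAG_MAP`; the rename is one line here plus the lookup site. Since the map is now a closed allow-list, any tag ID NERD returns that is not listed is silently dropped from the summary, so the comment above it could state that explicitly and name what to do when NERD adds a category, e.g. `# Allow-list: tag IDs absent here are intentionally omitted from the summary; extend when NERD adds categories.`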
@@ -31,14 +49,19 @@ class NERDAnalyzer(Analyzer):
 
             # Tags
             for tag in raw['tags']:
-                # TODO: filter tags, set different levels
-                taxonomies.append(self.build_taxonomy('info', 'NERD', 'Tag', tag))
+                try:
+                    tag_name, level = tag_map[tag]
+                except KeyError:
+                    continue
+                taxonomies.append(self.build_taxonomy(level, 'NERD', 'Tag', tag_name))
 
         return {'taxonomies': taxonomies}
 
     def artifacts(self, raw):
-        """Returns a list of indicators extracted from reply (empty in this case)"""
-        return [] # TODO add hostname as a new indicator?
+        """Returns a list of indicators extracted from reply (only "hostname" in this case)"""
+        if raw.get('hostname'):
+            return [{'dataType': 'fqdn', 'data': raw['hostname']}]
+        return []
 
     def run(self):
         """Main function run by Cortex to analyze an observable."""
-- 
GitLab