Fixes #438: Phishstats analyzer (#771)

intelowlproject · Nov 22, 2021 · 414490a · 414490a
1 parent ceb98ab
commit 414490a
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 0 deletions.
diff --git a/api_app/analyzers_manager/observable_analyzers/phishstats.py b/api_app/analyzers_manager/observable_analyzers/phishstats.py
@@ -0,0 +1,54 @@
+# This file is a part of IntelOwl https://github.com/intelowlproject/IntelOwl
+# See the file 'LICENSE' for copying permission.
+
+import requests
+
+from api_app.analyzers_manager.classes import ObservableAnalyzer
+from api_app.exceptions import AnalyzerRunException
+from tests.mock_utils import MockResponse, if_mock_connections, patch
+
+
+class PhishStats(ObservableAnalyzer):
+    """
+    Analyzer that uses PhishStats API to check if the observable is a phishing site.
+    """
+
+    base_url: str = "https://phishstats.info:2096/api/"
+
+    def __build_phishstats_url(self) -> str:
+        if self.observable_classification == self.ObservableTypes.IP:
+            endpoint = "phishing?_where=(ip,eq,{input})&_sort=-date"
+        elif self.observable_classification == self.ObservableTypes.URL:
+            endpoint = "phishing?_where=(url,like,~{input}~)&_sort=-date"
+        elif self.observable_classification == self.ObservableTypes.DOMAIN:
+            endpoint = "phishing?_where=(url,like,~{input}~)&_sort=-date"
+        elif self.observable_classification == self.ObservableTypes.GENERIC:
+            endpoint = "phishing?_where=(title,like,~{input}~)&_sort=-date"
+        else:
+            raise AnalyzerRunException(
+                "Phishstats require either of IP, URL, Domain or Generic"
+            )
+        return f"{self.base_url}/{endpoint.format(input=self.observable_name)}"
+
+    def run(self):
+        api_uri = self.__build_phishstats_url()
+        try:
+            response = requests.get(api_uri)
+            response.raise_for_status()
+        except requests.RequestException as e:
+            raise AnalyzerRunException(e)
+
+        result = response.json()
+        return result
+
+    @classmethod
+    def _monkeypatch(cls):
+        patches = [
+            if_mock_connections(
+                patch(
+                    "requests.get",
+                    return_value=MockResponse({}, 200),
+                ),
+            )
+        ]
+        return super()._monkeypatch(patches=patches)
diff --git a/configuration/analyzer_config.json b/configuration/analyzer_config.json
@@ -1878,6 +1878,23 @@
     "secrets": {},
     "params": {}
   },
+  "Phishstats": {
+    "type": "observable",
+    "python_module": "phishstats.PhishStats",
+    "description": "Search PhishStats API to determine if an IP/URL/domain is malicious.",
+    "disabled": false,
+    "external_service": true,
+    "leaks_info": true,
+    "observable_supported": [
+      "ip", "url", "domain", "generic"
+    ],
+    "config": {
+      "soft_time_limit": 100,
+      "queue": "long"
+    },
+    "secrets": {},
+    "params": {}
+  },
   "Phishtank": {
     "type": "observable",
     "python_module": "phishtank.Phishtank",

diff --git a/docs/source/Usage.md b/docs/source/Usage.md
@@ -231,6 +231,7 @@ The following is the list of the available analyzers you can run out-of-the-box.
 * `UrlScan_Search`: Search an IP/domain/url/hash against [URLScan](https://urlscan.io) API
 * `UrlScan_Submit_Result`: Submit & retrieve result of an URL against [URLScan](https://urlscan.io) API
 * `Phishtank`: Search an url against [Phishtank](https://phishtank.org/api_info.php) API
+* `Phishstats`: Search [PhishStats API](https://phishstats.info/) to determine if an IP/URL/domain is malicious.
 * `Quad9_DNS`: Retrieve current domain resolution with Quad9 DoH (DNS over HTTPS)
 * `Quad9_Malicious_Detector`: Leverages Quad9 DoH to check if a domain is related to malware
 * `DNStwist`: Scan a url/domain to find potentially malicious permutations via dns fuzzing. [dnstwist repo](https://github.com/elceef/dnstwist)