AIL/ail-framework
7
0
Fork 0
mirror of https://github.com/ail-project/ail-framework.git synced 2024-09-20 07:58:29 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

chg: refractor base64 encoded to hash

Browse source
This commit is contained in:
Terrtia 2018-07-20 10:32:52 +02:00
parent 9a8e37fb0b
commit bd5f83f0eb
No known key found for this signature in database
GPG key ID: 1E1B1F50D84613D0
15 changed files with 309 additions and 497 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
OVERVIEW.md
View file

@ -35,6 +35,8 @@ ARDB overview
'vt_link' vt_link
'vt_report' vt_report
'nb_seen_in_all_pastes' nb_seen_in_all_pastes
'base64_decoder' nb_encoded
'binary_decoder' nb_encoded
SET - 'all_decoder' decoder*

133
bin/DbDump.py Executable file
View file

@ -0,0 +1,133 @@
#!/usr/bin/env python3
# -*-coding:UTF-8 -*
"""
DbDump
"""
import time
from pubsublogger import publisher
from Helper import Process
from packages import Paste
def get_lines(content):
is_db_leak = False
list_lines = content.splitlines()
list_separators = []
if len(list_lines) > 0:
for line in list_lines:
list_separators.append(search_separator(line))
threshold_num_separator_line = 0
# Minimum number of separator per line
threshold_min_separator_line = 7
same_separator = 0
num_separator = 0
current_separator = ''
for separator in list_separators:
if separator != '':
#same separator on the next line
if separator[0] == current_separator:
if abs(separator[1] - num_separator) <= threshold_num_separator_line:
if num_separator > threshold_min_separator_line:
same_separator += 1
else:
num_separator = separator[1]
same_separator = 0
else:
# FIXME: enhancement ?
num_separator = separator[1]
if(same_separator >= 5):
is_db_leak = True
#different operator
else:
#change the current separator
current_separator = separator[0]
same_separator = 0
num_separator = 0
return is_db_leak
def search_separator(line):
list_separator = []
#count separators
#list_separator.append( (';', line.count(';')) )
#list_separator.append( (',', line.count(',')) )
list_separator.append( (';', line.count(';')) )
list_separator.append( ('|', line.count('|')) )
#list_separator.append( (':', line.count(':')) )
separator = ''
separator_number = 0
# line separator
for potential_separator in list_separator:
if potential_separator[1] > separator_number:
separator = potential_separator[0]
separator_number = potential_separator[1]
return (separator, separator_number)
if __name__ == '__main__':
# If you wish to use an other port of channel, do not forget to run a subscriber accordingly (see launch_logs.sh)
# Port of the redis instance used by pubsublogger
publisher.port = 6380
# Script is the default channel used for the modules.
publisher.channel = 'Script'
# Section name in bin/packages/modules.cfg
config_section = 'DbDump'
# Setup the I/O queues
p = Process(config_section)
# Sent to the logging a description of the module
publisher.info("DbDump started")
# Endless loop getting messages from the input queue
while True:
# Get one message from the input queue
message = p.get_from_set()
if message is None:
publisher.debug("{} queue is empty, waiting".format(config_section))
time.sleep(1)
continue
filename = message
paste = Paste.Paste(filename)
# Do something with the message from the queue
print(filename)
content = paste.get_p_content()
is_db_leak = get_lines(content)
if is_db_leak:
to_print = 'DbDump;{};{};{};'.format(
paste.p_source, paste.p_date, paste.p_name)
print('found DbDump')
print(to_print)
publisher.warning('{}Checked found Database Dump;{}'.format(
to_print, paste.p_path))
msg = 'dbdump;{}'.format(filename)
p.populate_set_out(msg, 'alertHandler')
msg = 'dbdump;{}'.format(filename)
p.populate_set_out(msg, 'Tags')
#Send to duplicate
p.populate_set_out(filename, 'Duplicate')

3
bin/Decoder.py
View file

@ -59,6 +59,7 @@ def decode_string(content, message, date, encoded_list, decoder_name, encoded_mi
# # TODO: FIXME check db
def save_hash(decoder_name, message, date, decoded):
print(decoder_name)
type = magic.from_buffer(decoded, mime=True)
print(type)
hash = sha1(decoded).hexdigest()
@ -88,6 +89,7 @@ def save_hash(decoder_name, message, date, decoded):
if serv_metadata.zscore(decoder_name+'_hash:'+hash, message) is None:
print('first '+decoder_name)
serv_metadata.hincrby('metadata_hash:'+hash, 'nb_seen_in_all_pastes', 1)
serv_metadata.hincrby('metadata_hash:'+hash, decoder_name+'_decoder', 1)
serv_metadata.sadd('hash_paste:'+message, hash) # paste - hash map
serv_metadata.sadd(decoder_name+'_paste:'+message, hash) # paste - hash map
@ -206,7 +208,6 @@ if __name__ == '__main__':
date = str(paste._get_p_date())
for decoder in all_decoder: # add threshold and size limit
print(decoder['name'])
# max execution time on regex
signal.alarm(decoder['max_execution_time'])

96
bin/Dox.py Executable file
View file

@ -0,0 +1,96 @@
#!/usr/bin/env python3
# -*-coding:UTF-8 -*
"""
The Dox Module
======================
This module is consuming the Redis-list created by the Categ module.
"""
import pprint
import time
from packages import Paste
from packages import lib_refine
from pubsublogger import publisher
import re
import sys
from Helper import Process
if __name__ == "__main__":
publisher.port = 6380
publisher.channel = "Script"
config_section = 'Dox'
p = Process(config_section)
# FUNCTIONS #
publisher.info("Dox module")
channel = 'dox_categ'
regex = re.compile('name|age', re.IGNORECASE)
while True:
message = p.get_from_set()
if message is not None:
filepath, count = message.split(' ')
filename, score = message.split()
paste = Paste.Paste(filename)
content = paste.get_p_content()
count = 0
tmp = paste._get_word('name')
if (len(tmp) > 0):
print(tmp)
count += tmp[1]
tmp = paste._get_word('Name')
if (len(tmp) > 0):
print(tmp)
count += tmp[1]
tmp = paste._get_word('NAME')
if (len(tmp) > 0):
print(tmp)
count += tmp[1]
tmp = paste._get_word('age')
if (len(tmp) > 0):
count += tmp[1]
tmp = paste._get_word('Age')
if (len(tmp) > 0):
count += tmp[1]
tmp = paste._get_word('AGE')
if (len(tmp) > 0):
count += tmp[1]
tmp = paste._get_word('address')
if (len(tmp) > 0):
count += tmp[1]
tmp = paste._get_word('Address')
if (len(tmp) > 0):
count += tmp[1]
tmp = paste._get_word('ADDRESS')
if (len(tmp) > 0):
count += tmp[1]
#dox_list = re.findall(regex, content)
if(count > 0):
#Send to duplicate
p.populate_set_out(filepath, 'Duplicate')
#Send to alertHandler
msg = 'dox;{}'.format(filepath)
p.populate_set_out(msg, 'alertHandler')
print(filename)
print(content)
print('--------------------------------------------------------------------------------------')
else:
publisher.debug("Script creditcard is idling 1m")
time.sleep(10)

4
bin/LAUNCH.sh
View file

@ -142,10 +142,6 @@ function launching_scripts {
sleep 0.1
screen -S "Script_AIL" -X screen -t "Keys" bash -c './Keys.py; read x'
sleep 0.1
screen -S "Script_AIL" -X screen -t "Base64" bash -c './Base64.py; read x'
sleep 0.1
screen -S "Script_AIL" -X screen -t "Binary" bash -c './Binary.py; read x'
sleep 0.1
screen -S "Script_AIL" -X screen -t "Decoder" bash -c './Decoder.py; read x'
sleep 0.1
screen -S "Script_AIL" -X screen -t "Bitcoin" bash -c './Bitcoin.py; read x'

8
bin/packages/modules.cfg
View file

@ -121,14 +121,6 @@ publish = Redis_Duplicate,Redis_alertHandler,Redis_Tags
subscribe = Redis_Global
publish = Redis_Duplicate,Redis_alertHandler,Redis_Tags
[Base64]
subscribe = Redis_Global
publish = Redis_Duplicate,Redis_alertHandler,Redis_Tags
[Binary]
subscribe = Redis_Global
publish = Redis_Duplicate,Redis_alertHandler,Redis_Tags
[Bitcoin]
subscribe = Redis_Global
publish = Redis_Duplicate,Redis_alertHandler,Redis_Tags

179
var/www/modules/base64Decoded/templates/base64_type.html
View file

@ -1,179 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Analysis Information Leak framework Dashboard</title>
<!-- Core CSS -->
<link href="{{ url_for('static', filename='css/bootstrap.min.css') }}" rel="stylesheet">
<link href="{{ url_for('static', filename='font-awesome/css/font-awesome.css') }}" rel="stylesheet">
<link href="{{ url_for('static', filename='css/sb-admin-2.css') }}" rel="stylesheet">
<link href="{{ url_for('static', filename='css/dataTables.bootstrap.css') }}" rel="stylesheet" type="text/css" />
<!-- JS -->
<script language="javascript" src="{{ url_for('static', filename='js/jquery.js')}}"></script>
<script src="{{ url_for('static', filename='js/bootstrap.min.js') }}"></script>
<script src="{{ url_for('static', filename='js/jquery.dataTables.min.js') }}"></script>
<script src="{{ url_for('static', filename='js/dataTables.bootstrap.js') }}"></script>
<script src="{{ url_for('static', filename='js/jquery.flot.js') }}"></script>
<script src="{{ url_for('static', filename='js/jquery.flot.time.js') }}"></script>
<script src="{{ url_for('static', filename='js/jquery.flot.stack.js') }}"></script>
<script language="javascript" src="{{ url_for('static', filename='js/d3.js') }}"></script>
<style>
.red_table thead{
background: #d91f2d;
color: #fff;
}
.bar {
fill: steelblue;
}
.bar:hover{
fill: brown;
}
.bar span {
position: relative;
}
.bar span .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.bar span:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
</style>
</head>
<body>
{% include 'navbar.html' %}
<div id="page-wrapper">
<div class="row">
<div class="col-lg-12">
<h1 class="page-header" data-page="page-termsfrequency" >Base64 Files</h1>
</div>
<!-- /.col-lg-12 -->
<div id="barchart_type">
</div>
</div>
<!-- /.row -->
<script>
$(document).ready(function(){
activePage = "page-base64Decoded"
$("#"+activePage).addClass("active");
barchart_type('url', 'id')
});
</script>
<script>
function barchart_type(url, id) {
var margin = {top: 20, right: 20, bottom: 70, left: 40};
var width = 960 - margin.left - margin.right;
var height = 500 - margin.top - margin.bottom;
var x = d3.scaleBand().rangeRound([0, width]).padding(0.1);
var y = d3.scaleLinear().rangeRound([height, 0]);
var xAxis = d3.axisBottom(x)
//.tickFormat(d3.time.format("%Y-%m"));
var yAxis = d3.axisLeft(y)
.ticks(10);
var svg = d3.select("#barchart_type").append("svg")
.attr("width", width + margin.left + margin.right)
.attr("height", height + margin.top + margin.bottom)
.append("g")
.attr("transform",
"translate(" + margin.left + "," + margin.top + ")");
d3.json("/base64Decoded/hash_by_type_json?type={{type}}")
.then(function(data){
data.forEach(function(d) {
d.value = +d.value;
});
x.domain(data.map(function(d) { return d.date.substring(5); }));
y.domain([0, d3.max(data, function(d) { return d.value; })]);
var label = svg.append("g")
.attr("class", "x axis")
.attr("transform", "translate(0," + height + ")")
.call(xAxis)
.selectAll("text")
.style("text-anchor", "end")
.attr("dx", "-.8em")
.attr("dy", "-.55em")
.attr("transform", "rotate(-70)" );
svg.append("g")
.attr("class", "y axis")
.call(yAxis)
.append("text")
.attr("transform", "rotate(-90)")
.attr("y", 6)
.attr("dy", ".71em")
.style("text-anchor", "end")
.text("Value ($)");
var bar = svg.selectAll("bar")
.data(data)
.enter().append("rect")
.attr("class", "bar")
//.style("fill", "steelblue")
.attr("x", function(d) { return x(d.date.substring(5)); })
.attr("width", x.bandwidth())
.attr("y", function(d) { return y(d.value); })
.attr("height", function(d) { return height - y(d.value); })
.on("click", function(d){ window.location.href = "/base64Decoded/" +'?type={{type}}&date_from='+ d.date +'&date_to='+ d.date; });
bar.append("span")
.attr("class", "tooltiptext")
.text('bonjour');
data.forEach(function(d) {
if(d.value != 0){
svg.append("text")
.attr("class", "bar")
.attr("dy", "-.35em")
//.text(function(d) { return d.value; });
.text(d.value)
.attr('x', x(d.date.substring(5)) + x.bandwidth()/4)
.attr('y', y(d.value));
}
});
});
}
</script>
</body>
</html>

229
var/www/modules/base64Decoded/templates/base64_types.html
View file

@ -1,229 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Analysis Information Leak framework Dashboard</title>
<!-- Core CSS -->
<link href="{{ url_for('static', filename='css/bootstrap.min.css') }}" rel="stylesheet">
<link href="{{ url_for('static', filename='font-awesome/css/font-awesome.css') }}" rel="stylesheet">
<link href="{{ url_for('static', filename='css/sb-admin-2.css') }}" rel="stylesheet">
<link href="{{ url_for('static', filename='css/dataTables.bootstrap.css') }}" rel="stylesheet" type="text/css" />
<!-- JS -->
<script language="javascript" src="{{ url_for('static', filename='js/jquery.js')}}"></script>
<script src="{{ url_for('static', filename='js/bootstrap.min.js') }}"></script>
<script src="{{ url_for('static', filename='js/jquery.dataTables.min.js') }}"></script>
<script src="{{ url_for('static', filename='js/dataTables.bootstrap.js') }}"></script>
<script src="{{ url_for('static', filename='js/jquery.flot.js') }}"></script>
<script src="{{ url_for('static', filename='js/jquery.flot.time.js') }}"></script>
<script src="{{ url_for('static', filename='js/jquery.flot.stack.js') }}"></script>
<script language="javascript" src="{{ url_for('static', filename='js/d3.js') }}"></script>
<style>
.red_table thead{
background: #d91f2d;
color: #fff;
}
.bar_stack:hover{
fill: brown;
}
.bar_stack span {
position: relative;
}
.svgText {
pointer-events: none;
}
</style>
</head>
<body>
<div id="page-wrapper">
<div class="row">
<div class="col-lg-12">
<h1 class="page-header" data-page="page-termsfrequency" >Base64 Files</h1>
</div>
<!-- /.col-lg-12 -->
<div id="barchart_type">
</div>
</div>
<!-- /.row -->
<script>
var chart = {};
$(document).ready(function(){
activePage = "page-base64Decoded"
$("#"+activePage).addClass("active");
chart.stackBarChart = barchart_type('url', 'id')
chart.onResize();
});
$(window).on("resize", function() {
chart.onResize();
});
</script>
<script>
var margin = {top: 20, right: 55, bottom: 30, left: 40},
width = 1000 - margin.left - margin.right,
height = 500 - margin.top - margin.bottom;
var x = d3.scaleBand().rangeRound([0, width]).padding(0.1);
var y = d3.scaleLinear().rangeRound([height, 0]);
var xAxis = d3.axisBottom(x);
var yAxis = d3.axisLeft(y);
var color = d3.scaleOrdinal(d3.schemeSet3);
var svg = d3.select("#barchart_type").append("svg")
.attr("id", "thesvg")
.attr("viewBox", "0 0 1000 500")
.attr("width", width + margin.left + margin.right)
.attr("height", height + margin.top + margin.bottom)
.append("g")
.attr("transform", "translate(" + margin.left + "," + margin.top + ")");
function barchart_type(url, id) {
d3.json("/base64Decoded/range_type_json")
.then(function(data){
var labelVar = 'date'; //A
var varNames = d3.keys(data[0])
.filter(function (key) { return key !== labelVar;}); //B
data.forEach(function (d) { //D
var y0 = 0;
d.mapping = varNames.map(function (name) {
return {
name: name,
label: d[labelVar],
y0: y0,
y1: y0 += +d[name]
};
});
d.total = d.mapping[d.mapping.length - 1].y1;
});
console.log(data)
x.domain(data.map(function (d) { return (d.date).substring(5); })); //E
y.domain([0, d3.max(data, function (d) { return d.total; })]);
svg.append("g")
.attr("class", "x axis")
.attr("transform", "translate(0," + height + ")")
.call(xAxis)
.selectAll("text")
.style("text-anchor", "end")
.attr("transform", "rotate(-45)" );
svg.append("g")
.attr("class", "y axis")
.call(yAxis)
.append("text")
.attr("transform", "rotate(-90)")
.attr("y", 6)
.attr("dy", ".71em")
.style("text-anchor", "end");
var selection = svg.selectAll(".series")
.data(data)
.enter().append("g")
.attr("class", "series")
.attr("transform", function (d) { return "translate(" + x((d.date).substring(5)) + ",0)"; });
selection.selectAll("rect")
.data(function (d) { return d.mapping; })
.enter().append("rect")
.attr("class", "bar_stack")
.attr("width", x.bandwidth())
.attr("y", function (d) { return y(d.y1); })
.attr("height", function (d) { return y(d.y0) - y(d.y1); })
.style("fill", function (d) { return color(d.name); })
.style("stroke", "grey")
.on("mouseover", function (d) { showPopover.call(this, d); })
.on("mouseout", function (d) { removePopovers(); })
.on("click", function(d){ window.location.href = "/base64Decoded/" +'?type='+ d.name +'&date_from='+d.label+'&date_to='+d.label; });
data.forEach(function(d) {
if(d.total != 0){
svg.append("text")
.attr("class", "bar")
.attr("dy", "-.35em")
.attr('x', x(d.date.substring(5)) + x.bandwidth()/2)
.attr('y', y(d.total))
.style("text-anchor", "middle")
.text(d.total);
}
});
drawLegend(varNames);
});
}
function drawLegend (varNames) {
var legend = svg.selectAll(".legend")
.data(varNames.slice().reverse())
.enter().append("g")
.attr("class", "legend")
.attr("transform", function (d, i) { return "translate(0," + i * 20 + ")"; });
legend.append("rect")
.attr("x", 152)
.attr("width", 10)
.attr("height", 10)
.style("fill", color)
.style("stroke", "grey");
legend.append("text")
.attr("class", "svgText")
.attr("x", 150)
.attr("y", 6)
.attr("dy", ".35em")
.style("text-anchor", "end")
.text(function (d) { return d; });
}
function removePopovers () {
$('.popover').each(function() {
$(this).remove();
});
}
function showPopover (d) {
$(this).popover({
title: d.name,
placement: 'auto top',
container: 'body',
trigger: 'manual',
html : true,
content: function() {
return "date: " + d.label +
"<br/>num: " + d3.format(",")(d.value ? d.value: d.y1 - d.y0); }
});
$(this).popover('show')
}
chart.onResize = function () {
var aspect = 1000 / 500, chart = $("#thesvg");
var targetWidth = chart.parent().width();
chart.attr("width", targetWidth);
chart.attr("height", targetWidth / aspect);
}
window.chart = chart;
</script>
</body>
</html>

1
var/www/modules/base64Decoded/templates/header_base64Decoded.html
View file

@ -1 +0,0 @@
<li id='page-base64Decoded'><a href="{{ url_for('base64Decoded.base64Decoded_page') }}"><i class="fa fa-files-o"></i> base64Decoded </a></li>

84
var/www/modules/base64Decoded/Flask_base64Decoded.py → var/www/modules/hashDecoded/Flask_hashDecoded.py
View file

@ -25,7 +25,7 @@ r_serv_metadata = Flask_config.r_serv_metadata
vt_enabled = Flask_config.vt_enabled
vt_auth = Flask_config.vt_auth
base64Decoded = Blueprint('base64Decoded', __name__, template_folder='templates')
hashDecoded = Blueprint('hashDecoded', __name__, template_folder='templates')
# ============ FUNCTIONS ============
@ -52,7 +52,7 @@ def substract_date(date_from, date_to):
def list_sparkline_values(date_range_sparkline, hash):
sparklines_value = []
for date_day in date_range_sparkline:
nb_seen_this_day = r_serv_metadata.zscore('base64_date:'+date_day, hash)
nb_seen_this_day = r_serv_metadata.zscore('hash_date:'+date_day, hash)
if nb_seen_this_day is None:
nb_seen_this_day = 0
sparklines_value.append(int(nb_seen_this_day))
@ -94,16 +94,16 @@ def one():
return 1
# ============= ROUTES ==============
@base64Decoded.route("/base64Decoded/all_base64_search", methods=['POST'])
def all_base64_search():
@hashDecoded.route("/hashDecoded/all_hash_search", methods=['POST'])
def all_hash_search():
date_from = request.form.get('date_from')
date_to = request.form.get('date_to')
type = request.form.get('type')
print(type)
return redirect(url_for('base64Decoded.base64Decoded_page', date_from=date_from, date_to=date_to, type=type))
return redirect(url_for('hashDecoded.hashDecoded_page', date_from=date_from, date_to=date_to, type=type))
@base64Decoded.route("/base64Decoded/", methods=['GET'])
def base64Decoded_page():
@hashDecoded.route("/hashDecoded/", methods=['GET'])
def hashDecoded_page():
date_from = request.args.get('date_from')
date_to = request.args.get('date_to')
type = request.args.get('type')
@ -150,7 +150,7 @@ def base64Decoded_page():
l_64 = set()
for date in date_range:
l_hash = r_serv_metadata.zrange('base64_date:' +date, 0, -1)
l_hash = r_serv_metadata.zrange('hash_date:' +date, 0, -1)
if l_hash:
for hash in l_hash:
l_64.add(hash)
@ -198,34 +198,34 @@ def base64Decoded_page():
l_type = r_serv_metadata.smembers('hash_all_type')
return render_template("base64Decoded.html", l_64=b64_metadata, vt_enabled=vt_enabled, l_type=l_type, type=type, daily_type_chart=daily_type_chart, daily_date=daily_date,
return render_template("hashDecoded.html", l_64=b64_metadata, vt_enabled=vt_enabled, l_type=l_type, type=type, daily_type_chart=daily_type_chart, daily_date=daily_date,
date_from=date_from, date_to=date_to)
@base64Decoded.route('/base64Decoded/hash_by_type')
@hashDecoded.route('/hashDecoded/hash_by_type')
def hash_by_type():
type = request.args.get('type')
type = 'text/plain'
return render_template('base64_type.html',type = type)
return render_template('hash_type.html',type = type)
@base64Decoded.route('/base64Decoded/base64_hash')
def base64_hash():
@hashDecoded.route('/hashDecoded/hash_hash')
def hash_hash():
hash = request.args.get('hash')
return render_template('base64_hash.html')
return render_template('hash_hash.html')
@base64Decoded.route('/base64Decoded/showHash')
@hashDecoded.route('/hashDecoded/showHash')
def showHash():
hash = request.args.get('hash')
#hash = 'e02055d3efaad5d656345f6a8b1b6be4fe8cb5ea'
# TODO FIXME show error
if hash is None:
return base64Decoded_page()
return hashDecoded_page()
estimated_type = r_serv_metadata.hget('metadata_hash:'+hash, 'estimated_type')
# hash not found
# TODO FIXME show error
if estimated_type is None:
return base64Decoded_page()
return hashDecoded_page()
else:
file_icon = get_file_icon(estimated_type)
@ -256,7 +256,7 @@ def showHash():
first_seen=first_seen,
last_seen=last_seen, nb_seen_in_all_pastes=nb_seen_in_all_pastes, sparkline_values=sparkline_values)
@app.route('/base64Decoded/downloadHash')
@app.route('/hashDecoded/downloadHash')
def downloadHash():
hash = request.args.get('hash')
# sanitize hash
@ -291,7 +291,7 @@ def downloadHash():
else:
return 'hash: ' + hash + " don't exist"
@base64Decoded.route('/base64Decoded/hash_by_type_json')
@hashDecoded.route('/hashDecoded/hash_by_type_json')
def hash_by_type_json():
type = request.args.get('type')
@ -305,7 +305,7 @@ def hash_by_type_json():
if type in r_serv_metadata.smembers('hash_all_type'):
type_value = []
for date in date_range_sparkline:
num_day_type = r_serv_metadata.zscore('base64_type:'+type, date)
num_day_type = r_serv_metadata.zscore('hash_type:'+type, date)
if num_day_type is None:
num_day_type = 0
date = date[0:4] + '-' + date[4:6] + '-' + date[6:8]
@ -315,12 +315,12 @@ def hash_by_type_json():
else:
return jsonify()
@base64Decoded.route('/base64Decoded/daily_type_json')
@hashDecoded.route('/hashDecoded/daily_type_json')
def daily_type_json():
date = request.args.get('date')
daily_type = set()
l_b64 = r_serv_metadata.zrange('base64_date:' +date, 0, -1)
l_b64 = r_serv_metadata.zrange('hash_date:' +date, 0, -1)
for hash in l_b64:
estimated_type = r_serv_metadata.hget('metadata_hash:'+hash, 'estimated_type')
if estimated_type is not None:
@ -328,12 +328,12 @@ def daily_type_json():
type_value = []
for day_type in daily_type:
num_day_type = r_serv_metadata.zscore('base64_type:'+day_type, date)
num_day_type = r_serv_metadata.zscore('hash_type:'+day_type, date)
type_value.append({ 'date' : day_type, 'value' : int( num_day_type )})
return jsonify(type_value)
@base64Decoded.route('/base64Decoded/range_type_json')
@hashDecoded.route('/hashDecoded/range_type_json')
def range_type_json():
date_from = request.args.get('date_from')
date_to = request.args.get('date_to')
@ -351,7 +351,7 @@ def range_type_json():
all_type = set()
for date in date_range:
l_hash = r_serv_metadata.zrange('base64_date:' +date, 0, -1)
l_hash = r_serv_metadata.zrange('hash_date:' +date, 0, -1)
if l_hash:
for hash in l_hash:
estimated_type = r_serv_metadata.hget('metadata_hash:'+hash, 'estimated_type')
@ -362,7 +362,7 @@ def range_type_json():
day_type = {}
day_type['date']= date[0:4] + '-' + date[4:6] + '-' + date[6:8]
for type in all_type:
num_day_type = r_serv_metadata.zscore('base64_type:'+type, date)
num_day_type = r_serv_metadata.zscore('hash_type:'+type, date)
if num_day_type is None:
num_day_type = 0
day_type[type]= num_day_type
@ -370,7 +370,7 @@ def range_type_json():
return jsonify(range_type)
@base64Decoded.route('/base64Decoded/hash_graph_line_json')
@hashDecoded.route('/hashDecoded/hash_graph_line_json')
def hash_graph_line_json():
hash = request.args.get('hash')
date_from = request.args.get('date_from')
@ -390,7 +390,7 @@ def hash_graph_line_json():
if r_serv_metadata.hget('metadata_hash:'+hash, 'estimated_type') is not None:
json_seen_in_paste = []
for date in date_range_seen_in_pastes:
nb_seen_this_day = r_serv_metadata.zscore('base64_date:'+date, hash)
nb_seen_this_day = r_serv_metadata.zscore('hash_date:'+date, hash)
if nb_seen_this_day is None:
nb_seen_this_day = 0
date = date[0:4] + '-' + date[4:6] + '-' + date[6:8]
@ -401,7 +401,7 @@ def hash_graph_line_json():
return jsonify()
@base64Decoded.route('/base64Decoded/hash_graph_node_json')
@hashDecoded.route('/hashDecoded/hash_graph_node_json')
def hash_graph_node_json():
hash = request.args.get('hash')
@ -422,16 +422,16 @@ def hash_graph_node_json():
nodes_set_hash.add((hash, 1, first_seen, last_seen, estimated_type, nb_seen_in_paste, size, url))
#get related paste
l_pastes = r_serv_metadata.zrange('base64_hash:'+hash, 0, -1)
l_pastes = r_serv_metadata.zrange('nb_seen_hash:'+hash, 0, -1)
for paste in l_pastes:
url = paste
#nb_seen_in_this_paste = nb_in_file = int(r_serv_metadata.zscore('base64_hash:'+hash, paste))
nb_base64_in_paste = r_serv_metadata.scard('base64_paste:'+paste)
#nb_seen_in_this_paste = nb_in_file = int(r_serv_metadata.zscore('nb_seen_hash:'+hash, paste))
nb_hash_in_paste = r_serv_metadata.scard('hash_paste:'+paste)
nodes_set_paste.add((paste, 2,nb_base64_in_paste,url))
nodes_set_paste.add((paste, 2,nb_hash_in_paste,url))
links_set.add((hash, paste))
l_hash = r_serv_metadata.smembers('base64_paste:'+paste)
l_hash = r_serv_metadata.smembers('hash_paste:'+paste)
for child_hash in l_hash:
if child_hash != hash:
url = child_hash
@ -444,12 +444,12 @@ def hash_graph_node_json():
nodes_set_hash.add((child_hash, 3, first_seen, last_seen, estimated_type, nb_seen_in_paste, size, url))
links_set.add((child_hash, paste))
#l_pastes_child = r_serv_metadata.zrange('base64_hash:'+child_hash, 0, -1)
#l_pastes_child = r_serv_metadata.zrange('nb_seen_hash:'+child_hash, 0, -1)
#for child_paste in l_pastes_child:
nodes = []
for node in nodes_set_hash:
nodes.append({"id": node[0], "group": node[1], "first_seen": node[2], "last_seen": node[3], 'estimated_type': node[4], "nb_seen_in_paste": node[5], "size": node[6], 'icon': get_file_icon_text(node[4]),"url": url_for('base64Decoded.showHash', hash=node[7]), 'hash': True})
nodes.append({"id": node[0], "group": node[1], "first_seen": node[2], "last_seen": node[3], 'estimated_type': node[4], "nb_seen_in_paste": node[5], "size": node[6], 'icon': get_file_icon_text(node[4]),"url": url_for('hashDecoded.showHash', hash=node[7]), 'hash': True})
for node in nodes_set_paste:
nodes.append({"id": node[0], "group": node[1], "nb_seen_in_paste": node[2],"url": url_for('showsavedpastes.showsavedpaste', paste=node[3]), 'hash': False})
links = []
@ -461,13 +461,13 @@ def hash_graph_node_json():
else:
return jsonify({})
@base64Decoded.route('/base64Decoded/base64_types')
def base64_types():
@hashDecoded.route('/hashDecoded/hash_types')
def hash_types():
date_from = 20180701
date_to = 20180706
return render_template('base64_types.html', date_from=date_from, date_to=date_to)
return render_template('hash_types.html', date_from=date_from, date_to=date_to)
@base64Decoded.route('/base64Decoded/send_file_to_vt_js')
@hashDecoded.route('/hashDecoded/send_file_to_vt_js')
def send_file_to_vt_js():
hash = request.args.get('hash')
@ -490,7 +490,7 @@ def send_file_to_vt_js():
return jsonify({'vt_link': vt_link, 'vt_report': vt_report})
@base64Decoded.route('/base64Decoded/update_vt_result')
@hashDecoded.route('/hashDecoded/update_vt_result')
def update_vt_result():
hash = request.args.get('hash')
@ -525,4 +525,4 @@ def update_vt_result():
return jsonify()
# ========= REGISTRATION =========
app.register_blueprint(base64Decoded)
app.register_blueprint(hashDecoded)

40
var/www/modules/base64Decoded/templates/base64Decoded.html → var/www/modules/hashDecoded/templates/hashDecoded.html
View file

@ -59,7 +59,7 @@
<div id="page-wrapper">
<div class="row">
<div class="col-lg-12">
<h1 class="page-header" data-page="page-termsfrequency" >Base64 Files</h1>
<h1 class="page-header" data-page="page-termsfrequency" >Hash Files</h1>
<div>
</div>
@ -76,7 +76,7 @@
<div class="panel panel-info" style="text-align:center;">
<div class="panel-heading">
Select a date range :
<form action="/base64Decoded/all_base64_search" id="base64_selector_form" method='post'>
<form action="/hashDecoded/all_hash_search" id="hash_selector_form" method='post'>
<div class="input-group">
<span class="input-group-addon"><i class="fa fa-calendar fa" aria-hidden="true"></i></span>
<input class="form-control" id="date-range-from" placeholder="yyyy-mm-dd" value="{{ date_from }}" name="date_from">
@ -110,9 +110,9 @@
<!-- /#page-wrapper -->
{% if l_64|length != 0 %}
{% if date_from|string == date_to|string %}
<h3> {{ date_from }} Base64 files: </h3>
<h3> {{ date_from }} Hash files: </h3>
{% else %}
<h3> {{ date_from }} to {{ date_to }} Base64 files: </h3>
<h3> {{ date_from }} to {{ date_to }} Hash files: </h3>
{% endif %}
<table id="tableb64" class="red_table table table-striped table-bordered">
<thead>
@ -131,7 +131,7 @@
{% for b64 in l_64 %}
<tr>
<td><i class="fa {{ b64[0] }}"></i>&nbsp;&nbsp;{{ b64[1] }}</td>
<td><a target="_blank" href="{{ url_for('base64Decoded.showHash') }}?hash={{ b64[2] }}">{{ b64[2] }}</a></td>
<td><a target="_blank" href="{{ url_for('hashDecoded.showHash') }}?hash={{ b64[2] }}">{{ b64[2] }}</a></td>
<td>{{ b64[5] }}</td>
<td>{{ b64[6] }}</td>
<td>{{ b64[3] }}</td>
@ -163,9 +163,9 @@
</table>
{% else %}
{% if date_from|string == date_to|string %}
<h3> {{ date_from }}, No base64</h3>
<h3> {{ date_from }}, No Hash</h3>
{% else %}
<h3> {{ date_from }} to {{ date_to }}, No base64</h3>
<h3> {{ date_from }} to {{ date_to }}, No Hash</h3>
{% endif %}
{% endif %}
</div>
@ -176,7 +176,7 @@
<script>
var chart = {};
$(document).ready(function(){
activePage = "page-base64Decoded"
activePage = "page-hashDecoded"
$("#"+activePage).addClass("active");
$('#date-range-from').dateRangePicker({
@ -217,9 +217,9 @@
});
{% if type %}
chart.stackBarChart =barchart_type('/base64Decoded/hash_by_type_json?type={{type}}', '#barchart_type');
chart.stackBarChart =barchart_type('/hashDecoded/hash_by_type_json?type={{type}}', '#barchart_type');
{% elif daily_type_chart %}
chart.stackBarChart =barchart_type('/base64Decoded/daily_type_json?date={{daily_date}}', '#barchart_type');
chart.stackBarChart =barchart_type('/hashDecoded/daily_type_json?date={{daily_date}}', '#barchart_type');
{% else %}
chart.stackBarChart = barchart_type_stack('url', 'id')
{% endif %}
@ -233,7 +233,7 @@
<script>
function updateVTReport(hash) {
//updateReport
$.getJSON('/base64Decoded/update_vt_result?hash='+hash,
$.getJSON('/hashDecoded/update_vt_result?hash='+hash,
function(data) {
content = '<span class="glyphicon glyphicon-refresh"></span> ' +data['report_vt']
$( "#report_vt_"+hash ).html(content);
@ -242,7 +242,7 @@
function sendFileToVT(hash) {
//send file to vt
$.getJSON('/base64Decoded/send_file_to_vt_js?hash='+hash,
$.getJSON('/hashDecoded/send_file_to_vt_js?hash='+hash,
function(data) {
var content = '<a id="submit_vt_'+hash+'" class="btn btn-primary" target="_blank" href="'+ data['vt_link'] +'"><i class="fa fa-link"> '+ ' VT Report' +'</i></a>';
$('#submit_vt_'+hash).remove();
@ -317,7 +317,7 @@ var svg = d3.select("#barchart_type").append("svg")
function barchart_type_stack(url, id) {
d3.json("/base64Decoded/range_type_json?date_from={{date_from}}&date_to={{date_to}}")
d3.json("/hashDecoded/range_type_json?date_from={{date_from}}&date_to={{date_to}}")
.then(function(data){
var labelVar = 'date'; //A
@ -346,7 +346,7 @@ function barchart_type_stack(url, id) {
.call(xAxis)
.selectAll("text")
.attr("class", "bar")
.on("click", function (d) { window.location.href = "/base64Decoded/"+'?date_from='+d+'&date_to='+d })
.on("click", function (d) { window.location.href = "/hashDecoded/"+'?date_from='+d+'&date_to='+d })
.style("text-anchor", "end")
.attr("transform", "rotate(-45)" );
@ -376,17 +376,17 @@ function barchart_type_stack(url, id) {
.style("stroke", "grey")
.on("mouseover", function (d) { showPopover.call(this, d); })
.on("mouseout", function (d) { removePopovers(); })
.on("click", function(d){ window.location.href = "/base64Decoded/" +'?type='+ d.name +'&date_from='+d.label+'&date_to='+d.label; });
.on("click", function(d){ window.location.href = "/hashDecoded/" +'?type='+ d.name +'&date_from='+d.label+'&date_to='+d.label; });
data.forEach(function(d) {
if(d.total != 0){
svg.append("text")
.attr("class", "bar")
.attr("dy", "-.35em")
//.on("click", (window.location.href = "/base64Decoded/"+'?date_from='+d.date) )
//.on("click", (window.location.href = "/hashDecoded/"+'?date_from='+d.date) )
.attr('x', x(d.date) + x.bandwidth()/2)
.attr('y', y(d.total))
.on("click", function () {window.location.href = "/base64Decoded/"+'?date_from='+d.date+'&date_to='+d.date })
.on("click", function () {window.location.href = "/hashDecoded/"+'?date_from='+d.date+'&date_to='+d.date })
.style("text-anchor", "middle")
.text(d.total);
}
@ -505,7 +505,7 @@ function barchart_type(url, id) {
{% else %}
.attr("transform", "rotate(-70)" )
.attr("class", "bar")
.on("click", function (d) { window.location.href = "/base64Decoded/"+'?date_from='+d+'&date_to='+d });
.on("click", function (d) { window.location.href = "/hashDecoded/"+'?date_from='+d+'&date_to='+d });
{% endif %}
svg.append("g")
@ -528,10 +528,10 @@ function barchart_type(url, id) {
.attr("y", function(d) { return y(d.value); })
.attr("height", function(d) { return height - y(d.value); })
{% if type %}
.on("click", function(d){ window.location.href = "/base64Decoded/" +'?type={{type}}&date_from='+ d.date +'&date_to='+ d.date; });
.on("click", function(d){ window.location.href = "/hashDecoded/" +'?type={{type}}&date_from='+ d.date +'&date_to='+ d.date; });
{% endif %}
{% if daily_type_chart %}
.on("click", function(d){ window.location.href = "/base64Decoded/" +'?type='+d.date+'&date_from={{ daily_date }}&date_to={{ daily_date }}'; });
.on("click", function(d){ window.location.href = "/hashDecoded/" +'?type='+d.date+'&date_from={{ daily_date }}&date_to={{ daily_date }}'; });
{% endif %}

1
var/www/modules/hashDecoded/templates/header_hashDecoded.html Normal file
View file

@ -0,0 +1 @@
<li id='page-hashDecoded'><a href="{{ url_for('hashDecoded.hashDecoded_page') }}"><i class="fa fa-files-o"></i> hashDecoded </a></li>

10
var/www/modules/base64Decoded/templates/showHash.html → var/www/modules/hashDecoded/templates/showHash.html
View file

@ -151,7 +151,7 @@
Virus Total submission is disabled
{% endif %}
<a href="/base64Decoded/downloadHash?hash={{hash}}" target="blank">
<a href="/hashDecoded/downloadHash?hash={{hash}}" target="blank">
<button class='btn btn-info pull-right'><i id="flash-tld" class="glyphicon glyphicon-download-alt " flash-tld=""></i> Download Hash file
</button>
</a>
@ -206,8 +206,8 @@
$(document).ready(function(){
sparklines("sparkline", {{ sparkline_values }})
all_graph.node_graph = create_graph('/base64Decoded/hash_graph_node_json?hash={{hash}}');
all_graph.line_chart = create_line_chart('graph_line', '/base64Decoded/hash_graph_line_json?hash={{hash}}');
all_graph.node_graph = create_graph('/hashDecoded/hash_graph_node_json?hash={{hash}}');
all_graph.line_chart = create_line_chart('graph_line', '/hashDecoded/hash_graph_line_json?hash={{hash}}');
all_graph.onResize();
});
@ -218,7 +218,7 @@
<script>
function sendFileToVT(hash) {
//send file to vt
$.getJSON('/base64Decoded/send_file_to_vt_js?hash='+hash,
$.getJSON('/hashDecoded/send_file_to_vt_js?hash='+hash,
function(data) {
var content = '<a id="submit_vt_b" class="btn btn-primary" target="_blank" href="'+ data['vt_link'] +'"><i class="fa fa-link"> '+ ' VT Report' +'</i></a>';
$('#submit_vt_b').remove();
@ -228,7 +228,7 @@
function updateVTReport(hash) {
//updateReport
$.getJSON('/base64Decoded/update_vt_result?hash='+hash,
$.getJSON('/hashDecoded/update_vt_result?hash='+hash,
function(data) {
var content = '<span class="glyphicon glyphicon-refresh"></span> ' +data['report_vt'];
$( "#report_vt_b" ).html(content);

8
var/www/modules/showpaste/Flask_showpaste.py
View file

@ -134,11 +134,11 @@ def showpaste(content_range, requested_path):
list_tags.append( (tag, automatic, tag_status_tp, tag_status_fp) )
l_64 = []
# load base64 files
if r_serv_metadata.scard('base64_paste:'+requested_path) > 0:
set_b64 = r_serv_metadata.smembers('base64_paste:'+requested_path)
# load hash files
if r_serv_metadata.scard('hash_paste:'+requested_path) > 0:
set_b64 = r_serv_metadata.smembers('hash_paste:'+requested_path)
for hash in set_b64:
nb_in_file = int(r_serv_metadata.zscore('base64_hash:'+hash, requested_path))
nb_in_file = int(r_serv_metadata.zscore('nb_seen_hash:'+hash, requested_path))
estimated_type = r_serv_metadata.hget('metadata_hash:'+hash, 'estimated_type')
file_type = estimated_type.split('/')[0]
# set file icon

8
var/www/modules/showpaste/templates/show_saved_paste.html
View file

@ -379,7 +379,7 @@
{% endif %}
{% if l_64|length != 0 %}
<h3> Base64 files: </h3>
<h3> Hash files: </h3>
<table id="tableb64" class="red_table table table-striped table-bordered">
<thead>
<tr>
@ -393,7 +393,7 @@
{% for b64 in l_64 %}
<tr>
<td><i class="fa {{ b64[0] }}"></i>&nbsp;&nbsp;{{ b64[1] }}</td>
<td><a target="_blank" href="{{ url_for('base64Decoded.showHash') }}?hash={{ b64[2] }}">{{ b64[2] }}</a> ({{ b64[4] }})</td>
<td><a target="_blank" href="{{ url_for('hashDecoded.showHash') }}?hash={{ b64[2] }}">{{ b64[2] }}</a> ({{ b64[4] }})</td>
<td>{{ b64[3] }}</td>
<td style="text-align:center;">
{% if vt_enabled %}
@ -464,7 +464,7 @@
<script>
function updateVTReport(hash) {
//updateReport
$.getJSON('/base64Decoded/update_vt_result?hash='+hash,
$.getJSON('/hashDecoded/update_vt_result?hash='+hash,
function(data) {
content = '<span class="glyphicon glyphicon-refresh"></span> ' +data['report_vt']
$( "#report_vt_"+hash ).html(content);
@ -473,7 +473,7 @@
function sendFileToVT(hash) {
//send file to vt
$.getJSON('/base64Decoded/send_file_to_vt_js?hash='+hash,
$.getJSON('/hashDecoded/send_file_to_vt_js?hash='+hash,
function(data) {
var content = '<a id="submit_vt_'+hash+'" class="btn btn-primary" target="_blank" href="'+ data['vt_link'] +'"><i class="fa fa-link"> '+ ' VT Report' +'</i></a>';
$('#submit_vt_'+hash).remove();