Spaces:
Sleeping
Sleeping
File size: 9,790 Bytes
9e3d618 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 |
from langchain_core.tools import tool
import os
import requests
import base64
from .base_tool import Tool
import re
class VirusTotalTool(Tool):
"""Keep all existing implementation"""
def name(self):
return "virustotal"
def run(self, input_data: dict) -> dict:
ioc = input_data.get("ioc")
metadata_search = input_data.get("metadata_search")
if ioc and (('\\' in ioc) or ('/' in ioc)):
metadata_search = metadata_search or {}
metadata_search.setdefault("file_path", ioc)
ioc = None
if not ioc and not metadata_search:
return {"error": "No IOC or metadata provided"}
api_key = os.getenv("VT_API_KEY")
if not api_key:
return {"error": "VT_API_KEY not set in environment"}
headers = {"x-apikey": api_key}
try:
if metadata_search:
return self._search_by_metadata(metadata_search, headers)
if self._is_ip(ioc):
url = f"https://www.virustotal.com/api/v3/ip_addresses/{ioc}"
elif self._is_hash(ioc):
url = f"https://www.virustotal.com/api/v3/files/{ioc}"
elif self._is_url(ioc):
url_id = base64.urlsafe_b64encode(ioc.encode()).decode().strip("=")
url = f"https://www.virustotal.com/api/v3/urls/{url_id}"
elif self._is_domain(ioc):
url = f"https://www.virustotal.com/api/v3/domains/{ioc}"
else:
return {"error": "Unsupported IOC type"}
resp = requests.get(url, headers=headers, timeout=10)
data = resp.json()
return self._parse_simple_result(ioc, data)
except Exception as e:
return {"error": str(e)}
def _search_by_metadata(self, metadata: dict, headers: dict) -> dict:
"""Search VirusTotal using metadata from logs"""
try:
search_terms = []
if metadata.get("filename") or metadata.get("file_path"):
filename = metadata.get("filename") or metadata.get("file_path")
if '\\' in filename or '/' in filename:
filename = filename.split('\\')[-1].split('/')[-1]
search_terms.append(f'name:"{filename}"')
if metadata.get("command_line"):
cmd = metadata["command_line"].strip()
if cmd:
exe_name = cmd.split()[0]
if '\\' in exe_name or '/' in exe_name:
exe_name = exe_name.split('\\')[-1].split('/')[-1]
search_terms.append(f'name:"{exe_name}"')
if metadata.get("parent_process"):
parent = metadata["parent_process"]
if '\\' in parent or '/' in parent:
parent = parent.split('\\')[-1].split('/')[-1]
search_terms.append(f'parent:"{parent}"')
if not search_terms:
return {"error": "No searchable metadata provided"}
search_query = " OR ".join(search_terms)
search_url = "https://www.virustotal.com/api/v3/search"
params = {'query': search_query, 'limit': 5}
resp = requests.get(search_url, headers=headers, params=params, timeout=15)
if resp.status_code != 200:
return {"error": f"Search failed: {resp.status_code}"}
search_data = resp.json()
results = search_data.get('data', [])
if not results:
return {
"metadata": metadata,
"tool": "virustotal",
"result": {
"found": False,
"message": "No matches found in VirusTotal database",
"intelligence": "File may be new, custom, or legitimate"
}
}
best_match = results[0]
attributes = best_match.get('attributes', {})
stats = attributes.get('last_analysis_stats', {})
malicious = stats.get('malicious', 0)
suspicious = stats.get('suspicious', 0)
total = sum(stats.values()) if stats else 0
if malicious > 0:
threat_level = "MALICIOUS"
confidence = "HIGH" if malicious > 5 else "MEDIUM"
elif suspicious > 0:
threat_level = "SUSPICIOUS"
confidence = "MEDIUM"
else:
threat_level = "CLEAN"
confidence = "LOW"
return {
"metadata": metadata,
"tool": "virustotal",
"result": {
"found": True,
"threat_level": threat_level,
"confidence": confidence,
"detections": f"{malicious}/{total} engines flagged as malicious",
"file_info": {
"sha256": best_match.get('id', 'Unknown'),
"names": attributes.get('names', [])[:3],
"size": attributes.get('size', 0),
"first_seen": attributes.get('first_submission_date', 'Unknown')
},
"intelligence": self._get_simple_intelligence(threat_level, attributes)
}
}
except Exception as e:
return {"error": f"Metadata search failed: {str(e)}"}
def _get_simple_intelligence(self, threat_level: str, attributes: dict) -> str:
if threat_level == "MALICIOUS":
tags = attributes.get('tags', [])
if any('trojan' in tag.lower() for tag in tags):
return "Likely trojan/backdoor - immediate containment recommended"
elif any('ransomware' in tag.lower() for tag in tags):
return "Potential ransomware - isolate system immediately"
elif any('miner' in tag.lower() for tag in tags):
return "Cryptocurrency miner detected"
else:
return "Confirmed malware - block and investigate"
elif threat_level == "SUSPICIOUS":
return "Potentially unwanted program or suspicious behavior detected"
else:
return "No immediate threats detected in VirusTotal database"
def _parse_simple_result(self, ioc: str, data: dict) -> dict:
attributes = data.get("data", {}).get("attributes", {})
stats = attributes.get("last_analysis_stats", {})
malicious = stats.get("malicious", 0)
suspicious = stats.get("suspicious", 0)
total = sum(stats.values()) if stats else 0
return {
"ioc": ioc,
"tool": "virustotal",
"result": {
"malicious": malicious,
"suspicious": suspicious,
"total_engines": total,
"threat_level": "HIGH" if malicious > 5 else "MEDIUM" if malicious > 0 or suspicious > 0 else "LOW",
"tags": attributes.get("tags", [])
}
}
def _is_ip(self, ioc: str) -> bool:
return bool(re.match(r"^\d{1,3}(\.\d{1,3}){3}$", ioc))
def _is_hash(self, ioc: str) -> bool:
return bool(re.match(r"^[A-Fa-f0-9]{32,64}$", ioc))
def _is_url(self, ioc: str) -> bool:
return bool(re.match(r"^https?://[^\s/$.?#].[^\s]*$", ioc, re.IGNORECASE))
def _is_domain(self, ioc: str) -> bool:
return bool(re.match(r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.[A-Za-z]{2,})+$", ioc)) and not self._is_ip(ioc)
# Create singleton instance
_virustotal_tool = VirusTotalTool()
@tool
def virustotal_lookup(ioc: str) -> dict:
"""Analyzes IPs, file hashes, URLs, and domains against multiple security vendors.
Use this tool to determine if an indicator of compromise (IOC) is malicious by checking it
against VirusTotal's database of security vendor detections.
Args:
ioc: An IP address, file hash (MD5/SHA1/SHA256), URL, or domain to analyze
Returns:
Threat assessment with detection results from multiple security vendors and actionable intelligence.
"""
return _virustotal_tool.run({"ioc": ioc})
@tool
def virustotal_metadata_search(filename: str = None, command_line: str = None, parent_process: str = None) -> dict:
"""Searches VirusTotal using file metadata from logs when you don't have the actual file.
Use this tool when you have file metadata from logs (filename, command line, parent process)
but not the actual file hash. This helps identify if executables or commands seen in logs
are known malicious.
Args:
filename: Name of the file or full file path
command_line: Command line arguments used to execute the file
parent_process: Parent process that spawned this execution
Returns:
Threat assessment and file intelligence based on metadata matching in VirusTotal database.
"""
metadata = {}
if filename:
metadata["filename"] = filename
if command_line:
metadata["command_line"] = command_line
if parent_process:
metadata["parent_process"] = parent_process
return _virustotal_tool.run({"metadata_search": metadata}) |