Skip to content

[Analyzer] Netlas.io#1834

Merged
0ssigeno merged 11 commits intointelowlproject:developfrom
deep-poharkar:netlas_analyzer
Aug 11, 2023
Merged

[Analyzer] Netlas.io#1834
0ssigeno merged 11 commits intointelowlproject:developfrom
deep-poharkar:netlas_analyzer

Conversation

@deep-poharkar
Copy link
Contributor

@deep-poharkar deep-poharkar commented Aug 8, 2023

closes #1258

Description

Add new analyzer netlas that scans IP and domains

Type of change

  • New feature (non-breaking change which adds functionality).

Checklist

  • I have read and understood the rules about how to Contribute to this project
  • The pull request is for the branch develop
  • A new plugin (analyzer, connector, visualizer, playbook or ingestor) was added or changed, in which case:
    • Usage file was updated.
    • Advanced-Usage was updated (in case the plugin provides additional optional configuration).
    • If the plugin requires mocked testing, _monkeypatch() was used in its class to apply the necessary decorators.
    • If a File analyzer was added and it supports a mimetype which is not already supported, you added a sample of that type inside the archive test_files.zip and you added the default tests for that mimetype in test_classes.py.
    • If you created a new analyzer and it is free (does not require API keys), please add it in the FREE_TO_USE_ANALYZERS playbook in playbook_config.json.
    • Check if it could make sense to add that analyzer/connector to other freely available playbooks.
    • I have provided the resulting raw JSON of a finished analysis and a screenshot of the results.
  • If external libraries/packages with restrictive licenses were used, they were added in the Legal Notice section.
  • Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
  • I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
  • If changes were made to an existing model/serializer/view, the docs were updated and regenerated (check CONTRIBUTE.md).
  • If the GUI has been modified:
    • I have a provided a screenshot of the result in the PR.
    • I have created new frontend tests for the new component or updated existing ones.

Important Rules

  • If you miss to compile the Checklist properly, your PR won't be reviewed by the maintainers.
  • If your changes decrease the overall tests coverage (you will know after the Codecov CI job is done), you should add the required tests to fix the problem
  • Everytime you make changes to the PR and you think the work is done, you should explicitly ask for a review. After being reviewed and received a "change request", you should explicitly ask for a review again once you have made the requested changes.

@deep-poharkar
Copy link
Contributor Author

hey I think the method have changed since the last time. I am facing a problem when I try to create the migration file.

command used : docker exec -ti intelowl_uwsgi python3 manage.py dumpplugin AnalyzerConfig Netlas

error:

/usr/local/lib/python3.9/site-packages/dnstwist.py:64 No module named 'selenium'

/usr/local/lib/python3.9/site-packages/dnstwist.py:82 [Errno 2] No such file or directory: b'/usr/local/lib/python3.9/site-packages/GeoLite2-Country.mmdb'

/usr/local/lib/python3.9/site-packages/dnstwist.py:86 No module named 'GeoIP'

/usr/local/lib/python3.9/site-packages/dnstwist.py:114 No module named 'ssdeep'

XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)

Traceback (most recent call last):

  File "/opt/deploy/intel_owl/manage.py", line 25, in <module>

    main()

  File "/opt/deploy/intel_owl/manage.py", line 21, in main

    execute_from_command_line(sys.argv)

  File "/usr/local/lib/python3.9/site-packages/django/core/management/__init__.py", line 446, in execute_from_command_line

    utility.execute()

  File "/usr/local/lib/python3.9/site-packages/django/core/management/__init__.py", line 440, in execute

    self.fetch_command(subcommand).run_from_argv(self.argv)

  File "/usr/local/lib/python3.9/site-packages/django/core/management/base.py", line 402, in run_from_argv

    self.execute(*args, **cmd_options)

  File "/usr/local/lib/python3.9/site-packages/django/core/management/base.py", line 448, in execute

    output = self.handle(*args, **options)

  File "/opt/deploy/intel_owl/api_app/management/commands/dumpplugin.py", line 227, in handle

    content = self._migration_file(obj, serializer_class, app)

  File "/opt/deploy/intel_owl/api_app/management/commands/dumpplugin.py", line 166, in _migration_file

    obj_data, param_data, values_data = self._get_serialization(

  File "/opt/deploy/intel_owl/api_app/management/commands/dumpplugin.py", line 47, in _get_serialization

    obj_data = serializer_class(obj).data

  File "/usr/local/lib/python3.9/site-packages/rest_framework/serializers.py", line 555, in data

    ret = super().data

  File "/usr/local/lib/python3.9/site-packages/rest_framework/serializers.py", line 253, in data

    self._data = self.to_representation(self.instance)

  File "/usr/local/lib/python3.9/site-packages/rest_framework/serializers.py", line 507, in to_representation

    for field in fields:

  File "/usr/local/lib/python3.9/site-packages/rest_framework/serializers.py", line 368, in _readable_fields

    for field in self.fields.values():

  File "/usr/local/lib/python3.9/site-packages/django/utils/functional.py", line 57, in __get__

    res = instance.__dict__[self.name] = self.func(instance)

  File "/usr/local/lib/python3.9/site-packages/rest_framework/serializers.py", line 356, in fields

    for key, value in self.get_fields().items():

  File "/usr/local/lib/python3.9/site-packages/rest_framework/serializers.py", line 1052, in get_fields

    field_names = self.get_field_names(declared_fields, info)

  File "/usr/local/lib/python3.9/site-packages/rest_framework/serializers.py", line 1112, in get_field_names

    raise TypeError(

TypeError: The `exclude` option must be a list or tuple. Got str.



@0ssigeno
Copy link
Contributor

0ssigeno commented Aug 8, 2023

Uhm, let me check it, I probably fucked up something during the Ingestor change to the script

@0ssigeno
Copy link
Contributor

0ssigeno commented Aug 8, 2023

Yeah, typo, solve with cc54e77.
Can you rebase from develop and let me know if you are able to create the migration?

@deep-poharkar
Copy link
Contributor Author

thank you its working fine now!

@0ssigeno
Copy link
Contributor

0ssigeno commented Aug 8, 2023

Perfect!
As for the code, lgtm, the only change that I would like to have is some sort of valid mockup inside the analyzer (instead of a plain {}). A response taken from their api docs, instead of using your own api key is enough.

That and the new migration for the AnalyzerConfig. After these 2 things, we can merge the PR.

@codecov
Copy link

codecov bot commented Aug 9, 2023

Codecov Report

Merging #1834 (7efe7d3) into develop (aa8820f) will increase coverage by 9.41%.
Report is 1280 commits behind head on develop.
The diff coverage is 76.13%.

Impacted file tree graph

@@             Coverage Diff             @@
##           develop    #1834      +/-   ##
===========================================
+ Coverage    66.75%   76.16%   +9.41%     
===========================================
  Files           95      381     +286     
  Lines         3706    12471    +8765     
  Branches       519     1314     +795     
===========================================
+ Hits          2474     9499    +7025     
- Misses         941     2430    +1489     
- Partials       291      542     +251     
Files Changed Coverage Δ
...analyzers_manager/migrations/0004_datamigration.py 91.30% <ø> (ø)
...i_app/connectors_manager/migrations/0015_params.py 51.11% <ø> (ø)
...ager/migrations/0016_alter_connectorconfig_name.py 100.00% <ø> (ø)
...r/migrations/0017_alter_connectorconfig_options.py 100.00% <ø> (ø)
...ager/migrations/0018_alter_connectorconfig_name.py 100.00% <ø> (ø)
api_app/connectors_manager/models.py 95.65% <ø> (ø)
api_app/connectors_manager/serializers.py 100.00% <ø> (ø)
api_app/connectors_manager/urls.py 100.00% <ø> (ø)
api_app/connectors_manager/views.py 100.00% <ø> (ø)
api_app/decorators.py 78.94% <ø> (ø)
... and 231 more

... and 193 files with indirect coverage changes


Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c5b0902...7efe7d3. Read the comment docs.

@deep-poharkar
Copy link
Contributor Author

Perfect! As for the code, lgtm, the only change that I would like to have is some sort of valid mockup inside the analyzer (instead of a plain {}). A response taken from their api docs, instead of using your own api key is enough.

That and the new migration for the AnalyzerConfig. After these 2 things, we can merge the PR.

I added the mock response. But when I am trying to commit the changes the black is running for the migration files.


error: cannot format api_app/ingestors_manager/migrations/0004_alter_ingestorreport_name.py: [Errno 13] Permission denied: 'api_app/ingestors_manager/migrations/0004_alter_ingestorreport_name.py'

error: cannot format api_app/analyzers_manager/migrations/0035_analyzer_config.py: [Errno 13] Permission denied: 'api_app/analyzers_manager/migrations/0035_analyzer_config.py'

Should I force commit or something?

@deep-poharkar
Copy link
Contributor Author

deep-poharkar commented Aug 9, 2023

That and the new migration for the AnalyzerConfig. After these 2 things, we can merge the PR.

sorry but what do you mean by new migration? I tried creating new migration but it says one already exists.

there are few more params we can add.

q

indices (optional)

start (optional)

fields

source_type

should I add them ?

@0ssigeno
Copy link
Contributor

0ssigeno commented Aug 9, 2023

Yeah, I should have added the thing about the permission.
When you are creating the migration inside the container, the file is created as root:root. If you go, in your host, inside api_app/analyzers_manager/migration you should be able to chown the file as your own, allowing the linter to correctly work.

That file is the migration file that it is missing in the PR: you should commit that too. And yes, it is correct the script it is not creating another migration because you already have made one for that AnalyzerConfig.

About the other params, as you wish. If you think that the user experience will benefit for having them, yes.

@deep-poharkar deep-poharkar marked this pull request as ready for review August 10, 2023 04:07
@deep-poharkar
Copy link
Contributor Author

deep-poharkar commented Aug 10, 2023

About the other params, as you wish. If you think that the user experience will benefit for having them, yes.

They aren't much specified in the API docs. I was not able to test them.
Is the mock response okay, I got it from the search in their app.

Copy link
Contributor

@0ssigeno 0ssigeno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two things:
1 - The analyzer retrieve from the api response this structure result_data = result["items"][0]["data"]. In the mockup that you added, this dictionary structure is missing. You should change the mock of the raw request (meaning that you should have the at leastitems and data keys) or you should change the parsing of the request because right now they are not compatible.
2 - Unfortunately, you have pushed your own key because it was present in the database. You can change the value in the migration from your own key to None and revoke the key inside Netlas.

The second step was a miscalculation on my side that allowed the dump of your private key instead of replacing them with a fake value. I will update the script to fix this behaviour

@deep-poharkar
Copy link
Contributor Author

1 - The analyzer retrieve from the api response this structure result_data = result["items"][0]["data"]. In the mockup that you added, this dictionary structure is missing. You should change the mock of the raw request (meaning that you should have the at leastitems and data keys) or you should change the parsing of the request because right now they are not compatible.

will this work?
the response looks like this
img

@deep-poharkar
Copy link
Contributor Author

2 - Unfortunately, you have pushed your own key because it was present in the database. You can change the value in the migration from your own key to None and revoke the key inside Netlas.

I was about to ask about API key being visible in the migration file. I changed it to null like others

Copy link
Contributor

@0ssigeno 0ssigeno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@deep-poharkar
Copy link
Contributor Author

The backend tests are failing. Is it due to my code?

@0ssigeno
Copy link
Contributor

Something wrong with the migration autogenerated, yey.
It is something on my end

Signed-off-by: 0ssigeno <[email protected]>
Signed-off-by: 0ssigeno <[email protected]>
@deep-poharkar
Copy link
Contributor Author

Thanks @0ssigeno I thought the result would more match the mock_response. nvm. Do let me know if there is anything else we need to change.

@0ssigeno
Copy link
Contributor

LGTM, waiting let's see if @mlodic has some suggestions, otherwise I'm going to merge it

@mlodic
Copy link
Member

mlodic commented Aug 11, 2023

The PR is good, we are just missing some points in the checklist regarding the documentation.

  • Usage file was updated.

  • Advanced-Usage was updated (in case the plugin provides additional optional configuration).

@deep-poharkar
Copy link
Contributor Author

deep-poharkar commented Aug 11, 2023

okay, I think I messed up. I pulled and rebase these changes and the develop branch as well.

@0ssigeno
Copy link
Contributor

No big deal, i'm going to squash all together anyway.

@0ssigeno 0ssigeno requested a review from mlodic August 11, 2023 09:09
@0ssigeno
Copy link
Contributor

The review is for the docs part

@0ssigeno 0ssigeno merged commit c30aad8 into intelowlproject:develop Aug 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants