add totalhash plugin

CHANGELOG.md

@@ -24,6 +24,7 @@ All notable changes to this project will be documented in this file.
 -	added support for ElasticSearch through use of **blacktop/elk**
 -	add zip plugin place holder
 -	add nsrl lookup plugin
+-	add totalhash lookup plugin
 -	Docs !!!
 -	release binaries
 

commands/scan.go

@@ -86,7 +86,7 @@ func ScanSample(path string) {
 
 		/////////////////////////////////////////////////////////////////
 		// Run all Intel Plugins on the md5 hash associated with the file
-		plugins.RunIntelPlugins(docker, file.MD5, scanID, true)
+		plugins.RunIntelPlugins(docker, file.SHA1, scanID, true)
 
 		// Get file's mime type
 		mimeType, err := persist.GetMimeType(docker, file.SHA256)

docs/examples/lookup.md

@@ -19,6 +19,10 @@ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
 |-------|-------------------------------------------------------------------------------------------------------------------------------|--------|---------------------|
 | 95%   | [link](https://www.virustotal.com/file/371d99fc5514f5a9816b4ec844cb816c52460a41b8e5d14bac1cb7bee57e0b1f/analysis/1312464222/) | Public | 2011-08-04 13:23:42 |
 
+#### #totalhash
+
+ - Not found
+
 #### NSRL Database
 
  - Not Found :grey_question:

docs/examples/scan.md

@@ -31,6 +31,12 @@ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
 |-------|-------------------------------------------------------------------------------------------------------------------------------|--------|---------------------|
 | 85%   | [link](https://www.virustotal.com/file/befb88b89c2eb401900a68e9f5b78764203f2b48264fcc3f7121bf04a57fd408/analysis/1455536823/) | Public | 2016-02-15 11:47:03 |
 
+#### #totalhash
+
+| Found              | URL                                                                                    |
+| ------------------ | -------------------------------------------------------------------------------------- |
+| :white_check_mark: | [link](https://totalhash.cymru.com/analysis/?6b82f126555e7644816df5d4e4614677ee0bda5c) |
+
 #### NSRL Database
 
  - Not Found :grey_question:

docs/plugins/plugins.md

@@ -8,6 +8,7 @@ $ malice plugin list --all --detail
 | ------------- | ----------------------------------------- | ------- | -------------------- | -------- | ---------------------- |
 | nsrl          | NSRL Database Hash Search                 | true    | malice/nsrl          | intel    | hash                   |
 | virustotal    | VirusTotal - files scan and hash lookup   | true    | malice/virustotal    | intel    | hash                   |
+| totalhash     | #totalhash - hash lookup                  | true    | malice/totalhash     | intel    | hash                   |
 | shadow-server | ShadowServer - hash lookup                | true    | malice/shadow-server | intel    | hash                   |
 | team-cymru    | TeamCymru - hash lookup                   | false   | malice/team-cymru    | intel    | hash                   |
 | fileinfo      | ssdeep/TRiD/exiftool                      | true    | malice/fileinfo      | metadata | *                      |

plugins/list.go

@@ -2,6 +2,7 @@ package plugins
 
 import (
 	"fmt"
+	"os"
 	"strings"
 
 	"github.com/crackcomm/go-clitable"
@@ -61,12 +62,30 @@ func GetPluginByName(name string) Plugin {
 }
 
 // GetIntelPlugins will return all Intel plugins
-func GetIntelPlugins(enabled bool) []Plugin {
+func GetIntelPlugins(hashType string, enabled bool) []Plugin {
+	var intelPlugs []Plugin
 	if enabled {
-		// fmt.Printf("%#v\n", filterPluginsByIntel(Plugs.Plugins))
-		return getIntel(getEnabled(getInstalled()))
+		intelPlugs = getIntel(getEnabled(getInstalled()))
+	} else {
+		intelPlugs = getIntel(getInstalled())
+	}
+	// filter down to intel plugins with apikey's set in ENV
+	var allSet bool
+	var hasEnvPlugs []Plugin
+	for _, plugin := range intelPlugs {
+		allSet = true
+		for _, pluginEnv := range plugin.Env {
+			if os.Getenv(pluginEnv) == "" {
+				allSet = false
+			}
+		}
+		if allSet {
+			if utils.StringInSlice(hashType, plugin.HashTypes) {
+				hasEnvPlugs = append(hasEnvPlugs, plugin)
+			}
+		}
 	}
-	return getIntel(getInstalled())
+	return hasEnvPlugs
 }
 
 // GetPluginsForMime will return all plugins that can consume the mime type file

plugins/plugins.go

@@ -14,6 +14,7 @@ import (
 	log "github.com/Sirupsen/logrus"
 	"github.com/docker/docker/api/types/strslice"
 	runconfigopts "github.com/docker/docker/runconfig/opts"
+	"github.com/maliceio/go-plugin-utils/utils"
 	"github.com/maliceio/malice/config"
 	"github.com/maliceio/malice/malice/docker/client"
 	"github.com/maliceio/malice/malice/docker/client/container"
@@ -85,8 +86,10 @@ func (plugin Plugin) buildCmd(args string, logs bool) strslice.StrSlice {
 // RunIntelPlugins run all Intel plugins
 func RunIntelPlugins(docker *client.Docker, hash string, scanID string, logs bool) {
 
+	hashType, _ := utils.GetHashType(hash)
+
 	log.Debug("Looking for Intel plugins...")
-	intelPlugins := GetIntelPlugins(true)
+	intelPlugins := GetIntelPlugins(hashType, true)
 	log.Debug("Found these plugins: ")
 	for _, plugin := range intelPlugins {
 		log.Debugf(" - %v", plugin.Name)

plugins/plugins.toml

@@ -34,6 +34,21 @@ title = "Malice Plugin Configurations"
   hashtypes = [ "md5", "sha1", "sha256" ]
   env = ["MALICE_VT_API"]
 
+[[plugin]]
+  enabled = true
+  name = "totalhash"
+  description = "#totalhash - hash lookup"
+  category = "intel"
+  image = "malice/totalhash"
+  repository = "https://github.com/maliceio/malice-totalhash.git"
+  build = false
+  upload = false # Set upload to `true` if you want to upload sample to totalhash.cymru.com
+  user = ""
+  key = ""
+  mime = "hash"
+  hashtypes = [ "sha1" ]
+  env = ["MALICE_TH_USER", "MALICE_TH_KEY"]
+
 [[plugin]]
   enabled = true
   name = "shadow-server"