From a928c4e51efcf568be0186f21cc9c46945216cdb Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 2 Dec 2021 07:33:20 +0100
Subject: [PATCH] new: [api] hashlookup:trust added in the output

The trust level is calculated based on the number of parent to the file. If the file has been seen on many sources, the trust level increase. The scale of the trust level is between 0 and 100. By default, the trust level is 50 meaning we don't know the trust. Below 50, the file is suspicious. Above 50, we have evidences that the file is more legitimate. The calculation is based on the number of parents seen per file. If a file is seen more often in various sources, it increases the trust level to reach a maximum of 100.
---
bin/server.py | 17 +++++++++++++++++
1 file changed, 17 insertions(+)

diff --git a/bin/server.py b/bin/server.py
index f45e5a4..f5c6b6e 100644
--- a/bin/server.py
+++ b/bin/server.py
@@ -84,6 +84,20 @@ def get_session():
 ttl = rdb.ttl("session:{}".format(session_name))
 return ttl
 
+def calculate_trust(hobject=None):
+ """Trust level is between 0 and 100. 50 means we don't know the trust. Above 50, the trust level is more important as the file has been seen on various sources."""
+ if hobject is None:
+ return False
+ hashlookup_trust = 50
+ if 'hashlookup:parent-total' in hobject:
+ hashlookup_trust = hashlookup_trust + (5*hobject['hashlookup:parent-total'])
+ if 'KnownMalicious' in hobject:
+ hashlookup_trust = hashlookup_trust - 20
+ if hashlookup_trust > 100:
+ hashlookup_trust = 100
+ hobject['hashlookup:trust'] = hashlookup_trust
+ return hobject
+
 @api.route('/lookup/md5/')
 @api.doc(description="Lookup MD5.")
 class lookup(Resource):
@@ -141,6 +155,7 @@ class lookup(Resource):
 for child in rdb.smembers("c:{}".format(sha1)):
 children.append(child)
 h['children'] = children
+ h = calculate_trust(hobject=h)
 return h
 
 @api.route('/lookup/sha1/')
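Review bot: The cap at 100 in `calculate_trust` is applied after the `KnownMalicious` penalty, so a file flagged `KnownMalicious` with fourteen or more parents still ends at 100 (50 + 70 − 20, then clamped) and the malicious signal is absorbed entirely, leaving the trust value unable to distinguish it from a clean file. Clamp the parent contribution first and apply the penalty afterwards, e.g. `hashlookup_trust = min(100, 50 + 5 * hobject.get('hashlookup:parent-total', 0))` followed by `if 'KnownMalicious' in hobject: hashlookup_trust = max(0, hashlookup_trust - 20)`, which also gives the score a symmetric lower bound. If `hashlookup:parent-total` can arrive as a string decoded from Redis rather than an int — the hunk does not show where it is populated — `5*hobject[...]` yields a str and the following addition raises TypeError, so coerce with `int()` at the point the value is read. The `return False` for a missing `hobject` hands callers a non-dict sentinel; returning `None` or the input unchanged would be clearer, although the three call sites in this patch always pass a populated dict.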
@@ -196,6 +211,7 @@ class lookup(Resource):
 for child in rdb.smembers("c:{}".format(k)):
 children.append(child)
 h['children'] = children
+ h = calculate_trust(hobject=h)
 return h
 
 @api.route('/lookup/sha256/')
@@ -255,6 +271,7 @@ class lookup(Resource):
 for child in rdb.smembers("c:{}".format(sha1)):
 children.append(child)
 h['children'] = children
+ h = calculate_trust(hobject=h)
 return h