new: [api] hashlookup:trust added in the output

The trust level is calculated based on the number of parent to the file.
If the file has been seen on many sources, the trust level increase.

The scale of the trust level is between 0 and 100. By default, the trust
level is 50 meaning we don't know the trust. Below 50, the file is
suspicious. Above 50, we have evidences that the file is more
legitimate. The calculation is based on the number of parents seen per
file. If a file is seen more often in various sources, it increases the
trust level to reach a maximum of 100.
This commit is contained in:
Alexandre Dulaunoy 2021-12-02 07:33:20 +01:00
parent d8ac479d72
commit a928c4e51e
Signed by: adulau
GPG key ID: 09E2CD4944E6CBCD

View file

@ -84,6 +84,20 @@ def get_session():
ttl = rdb.ttl("session:{}".format(session_name)) ttl = rdb.ttl("session:{}".format(session_name))
return ttl return ttl
def calculate_trust(hobject=None):
"""Trust level is between 0 and 100. 50 means we don't know the trust. Above 50, the trust level is more important as the file has been seen on various sources."""
if hobject is None:
return False
hashlookup_trust = 50
if 'hashlookup:parent-total' in hobject:
hashlookup_trust = hashlookup_trust + (5*hobject['hashlookup:parent-total'])
if 'KnownMalicious' in hobject:
hashlookup_trust = hashlookup_trust - 20
if hashlookup_trust > 100:
hashlookup_trust = 100
hobject['hashlookup:trust'] = hashlookup_trust
return hobject
@api.route('/lookup/md5/<string:md5>') @api.route('/lookup/md5/<string:md5>')
@api.doc(description="Lookup MD5.") @api.doc(description="Lookup MD5.")
class lookup(Resource): class lookup(Resource):
@ -141,6 +155,7 @@ class lookup(Resource):
for child in rdb.smembers("c:{}".format(sha1)): for child in rdb.smembers("c:{}".format(sha1)):
children.append(child) children.append(child)
h['children'] = children h['children'] = children
h = calculate_trust(hobject=h)
return h return h
@api.route('/lookup/sha1/<string:sha1>') @api.route('/lookup/sha1/<string:sha1>')
@ -196,6 +211,7 @@ class lookup(Resource):
for child in rdb.smembers("c:{}".format(k)): for child in rdb.smembers("c:{}".format(k)):
children.append(child) children.append(child)
h['children'] = children h['children'] = children
h = calculate_trust(hobject=h)
return h return h
@api.route('/lookup/sha256/<string:sha256>') @api.route('/lookup/sha256/<string:sha256>')
@ -255,6 +271,7 @@ class lookup(Resource):
for child in rdb.smembers("c:{}".format(sha1)): for child in rdb.smembers("c:{}".format(sha1)):
children.append(child) children.append(child)
h['children'] = children h['children'] = children
h = calculate_trust(hobject=h)
return h return h