Initial Commit

__init__.py

@@ -0,0 +1 @@
+__iris_module_interface = "IrisScoring"

buildnpush2iris.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+# Courtesy of SOCFortress
+
+# Help
+Help()
+{
+   # Display Help
+   echo "This script builds the DFIR-IRIS module of the current directory and installs it to DFIR-IRIS. If you run it for the first time or change something in the module configuration template make sure to run the -a switch."
+   echo
+   echo "Syntax: ./buildnpush2iris [-a|h]"
+   echo "options:"
+   echo "a     Also install the module to the iris-web_app_1 container. Only required on initial install or when changes to config template were made."
+   echo "h     Print this Help."
+   echo
+}
+
+Run()
+{
+    echo "[BUILDnPUSH2IRIS] Starting the build and push process.."
+    SEARCH_DIR='./dist'
+    get_recent_file () {
+        FILE=$(ls -Art1 ${SEARCH_DIR} | tail -n 1)
+        if [ ! -f ${FILE} ]; then
+            SEARCH_DIR="${SEARCH_DIR}/${FILE}"
+            get_recent_file
+        fi
+        echo $FILE
+        exit
+    }
+
+    python3.9 setup.py bdist_wheel
+
+    latest=$(get_recent_file)
+    module=${latest#"./dist/"}
+
+    echo "[BUILDnPUSH2IRIS] Found latest module file: $latest"
+    echo "[BUILDnPUSH2IRIS] Copy module file to worker container.."
+    docker cp $latest iris-web-worker-1:/iriswebapp/dependencies/$module
+    echo "[BUILDnPUSH2IRIS] Installing module in worker container.."
+    docker exec -it iris-web-worker-1 /bin/sh -c "pip3 install dependencies/$module --force-reinstall"
+    echo "[BUILDnPUSH2IRIS] Restarting worker container.."
+    docker restart iris-web-worker-1
+
+    if [ "$a_Flag" = true ] ; then
+        echo "[BUILDnPUSH2IRIS] Copy module file to app container.."
+        docker cp $latest iris-web-app-1:/iriswebapp/dependencies/$module
+        echo "[BUILDnPUSH2IRIS] Installing module in app container.."
+        docker exec -it iris-web-app-1 /bin/sh -c "pip3 install dependencies/$module --force-reinstall"
+        echo "[BUILDnPUSH2IRIS] Restarting app container.."
+        docker restart iris-web-app-1
+    fi
+
+    echo "[BUILDnPUSH2IRIS] Completed!"
+}
+
+a_Flag=false
+
+while getopts ":ha" option; do
+   case $option in
+      h) # display Help
+         Help
+         exit;;
+      a) # Enter a name
+         echo "[BUILDnPUSH2IRIS] Pushing to Worker and App container!"
+         a_Flag=true
+         Run
+         exit;;
+     \?) # Invalid option
+         echo "ERROR: Invalid option"
+         exit;;
+
+   esac
+done
+
+echo "[BUILDnPUSH2IRIS] Pushing to Worker container only!"
+Run
+exit

iris_scoring_config.py

@@ -0,0 +1,26 @@
+from iris_interface.IrisModuleInterface import IrisModuleTypes
+
+module_name = "IrisScoring"
+
+module_description = "Module to check through abuseipdb, virustotal and more"
+
+interface_version = 1.1
+
+module_version = 1.0
+
+module_type = IrisModuleTypes.module_processor
+
+pipeline_support = False
+
+pipeline_info = {}
+
+module_configuration = [   
+    {     
+        "param_name": "log_received_hook",
+        "param_human_name": "Log received hook",
+        "param_description": "Logs a message upon hook receiving if set to true. Otherwise do nothing.",
+        "default": True,
+        "mandatory": True,
+        "type": "bool"    
+    }
+]

iris_scoring_module.py

@@ -0,0 +1,36 @@
+#!/usr/bin/env python3
+
+from iris_interface.IrisModuleInterface import IrisModuleInterface
+
+class IrisScoringModule(IrisModuleInterface):
+    _module_name = interface_conf.module_name
+    _module_description = interface_conf.module_description
+    _interface_version = interface_conf.interface_version
+    _module_version = interface_conf.module_version
+    _pipeline_support = interface_conf.pipeline_support
+    _pipeline_info = interface_conf.pipeline_info
+    _module_configuration = interface_conf.module_configuration
+    _module_type = interface_conf.module_type
+    
+    def register_hooks(self, module_id: int):
+        """
+        Called by IRIS indicating it's time to register hooks.  
+        :param module_id: Module ID provided by IRIS.
+        """        
+        status = self.register_to_hook(module_id, iris_hook_name='on_postload_ioc_create')
+        if status.is_failure():
+            self.log.error(status.get_message())
+        else:
+            self.log.info(f"Successfully subscribed to on_postload_ioc_create hook")
+
+
+    def hooks_handler(self, hook_name: str, data):
+        """
+        Called by IRIS each time one of our hook is triggered. 
+        """
+    
+        if self._dict_conf.get('log_received_hook') is True:
+            self.log.info(f'Received {hook_name}')
+            self.log.info(f'Received data of type {type(data)}')
+    
+        return InterfaceStatus.I2Success(data=data, logs=list(self.message_queue))