Merge pull request #2 from CybercentreCanada/refactor

Refactor [dev]

.gitignore

@@ -0,0 +1,84 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# IDE files
+.pydevproject
+.python-version
+.idea
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Cython debug symbols
+cython_debug/

CONTRIBUTING.md

@@ -0,0 +1,25 @@
+# Assemblyline contributing guide
+
+This guide covers the basics of how to contribute to the Assemblyline project.
+
+Python code should follow the PEP8 guidelines defined here: [PEP8 Guidelines](https://www.python.org/dev/peps/pep-0008/).
+
+## Tell us want you want to build/fix
+Before you start coding anything you should connect with the [Assemblyline community](https://groups.google.com/d/forum/cse-cst-assemblyline) to make sure no one else is working on the same thing and that whatever you are going to build still fits with the vision off the system.
+
+## Git workflow
+
+- Clone the repo to your own account
+- Checkout and pull the latest commits from the master branch
+- Make a branch
+- Work in any way you like and make sure your changes actually work
+- When you're satisfied with your changes, create a pull requests to the main assemblyline repo
+
+#### Transfer your service repo
+If you've worked on a new service that you want to be included in the default service selection you'll have to transfer the repo into our control.
+
+#### You are not allow to merge:
+
+Even if you try to merge in your pull request, you will be denied. Only a few people in our team are allowed to merge code into our repositories.
+
+We check for new pull requests every day and will merge them in once they have been approved by someone in our team.

Dockerfile

@@ -4,11 +4,12 @@ ENV SERVICE_PATH intezer_static.IntezerStatic
 
 USER root
 
-RUN apt update
-RUN pip3 install requests
+RUN apt-get update
 
 USER assemblyline
 
+RUN pip install intezer-sdk && rm -rf ~/.cache/pip
+
 WORKDIR /opt/al_service
 COPY . .
 

README.md

@@ -1,3 +1,32 @@
-# Intezer service
-This repository is a self-developed Assemblyline service fetching the Intezer report of a specific sha256.
+# IntezerStatic service
+This repository is an Assemblyline service that fetches the Intezer report for the SHA256 of a submitted file, and if the SHA256 was not found on the Intezer instance, then this service will DO NOTHING MORE.
+
 It was created by [x1mus](https://github.com/x1mus) with support from [Sorakurai](https://github.com/Sorakurai) and [reynas](https://github.com/reynas) at [NVISO](https://github.com/NVISOsecurity).
+
+It has since been passed over to the CCCS :canada: for maintenance!
+
+**NOTE**: This service **requires** you to have your own API key (Paid or Free). It is **not** preinstalled during a default installation.
+
+**NOTE**: This service **requires** extensive setup prior to installation if you are deploying your own instance of IntezerAnalyze.
+
+## Execution
+
+This service calls the Intezer Analyze API with the hash of your file and returns the results (if any).
+
+Because this service could query an external API, if selected by the user, it will prompt the user and notify them that their file or metadata related to their file will leave the Assemblyline system.
+
+### Service Tweaks
+If you are using an Intezer Analyze On-Premise solution, then you do not need to set this service as `External` and the `is_external` flag to true. Change the `category` in the `service_manifest.yml` from `External` to `Antivirus` if using on-prem.
+
+### Configuration Values
+* **base_url**: This is the base url of the Intezer Analyze instance that you will be using. *NB* The public instance is at [https://analyze.intezer.com](https://analyze.intezer.com), but you can also set it to http://\<ip of private instance>. Don't forget the /api/ at the end of the URL!
+* **api_version**: This service has only been tested with `v2-0`.
+* **api_key**: This is the 36 character key provided to you by [Intezer](https://www.intezer.com/blog/malware-analysis/api-intezer-analyze-community/).
+* **private_only**: This is a flag that will only return private submissions on the Intezer Analyze system, if selected.
+* **is_on_premise**: This is a flag used for indicating if the Intezer Analyze system is on-premise, rather than the cloud API.
+
+### Submission Parameters
+* **analysis_id**: This is the analysis ID of an analysis that is already on the system. The cloud API counts retrieving the analysis by file hash as a "File Scan" which counts towards an account's monthly quota. We can circumvent this by submitting the analysis ID of an analysis. That being said, this will ignore the file that you submit to Assemblyline.
+
+## Troubleshooting
+If you get this error "server returns The request is not valid, details: {'should_get_only_private_analysis': ['unknown field']}", then you need to set the service configuration value to true for "is_on_premise".