Feature ipqs#3431

Closed
RamboV wants to merge 21 commits into intelowlproject:develop from RamboV:feature-IPQS

Conversation

@RamboV
Contributor

@RamboV RamboV commented Mar 5, 2026

Description

  • Added the darkwebleak API to the IPQS observable analyzer.
  • Added a malicious file scanner to the file analyzer.

Type of change

  • New feature (non-breaking change which adds functionality).

Checklist

  • I have read and understood the rules about how to Contribute to this project
  • The pull request is for the branch develop
  • A new plugin (analyzer, connector, visualizer, playbook, pivot or ingestor) was added or changed, in which case:
    • I strictly followed the documentation "How to create a Plugin"
    • Usage file was updated. A link to the PR to the docs repo has been added as a comment here.
    • I have dumped the configuration from Django Admin using the dumpplugin command and added it in the project as a data migration. ("How to share a plugin with the community")
    • If a new analyzer has been added, I have created a unittest for it in the appropriate dir. I have also mocked all the external calls, so that no real calls are being made while testing.
    • I have added that raw JSON sample to the get_mocker_response() method of the unittest class. This serves us to provide a valid sample for testing.
  • Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.

Screenshots and raw_json
darkweb_leak
darkweb_leak_raw_resp.txt
ip
ip_raw_json.txt
malware_file_scanner
malware_file_url_scanner
malware_file_scanner_raw_json.txt
phone
phone_raw_json.txt

@RamboV
Contributor Author

RamboV commented Mar 9, 2026

PR for docs: intelowlproject/docs#47

@RamboV
Contributor Author

RamboV commented Mar 9, 2026

@mlodic, can you please review it?

@mlodic
Member

mlodic commented Mar 12, 2026

You removed the screenshot and raw JSON requirements from the PR checklist. Provide them or the PR won't be reviewed.

@RamboV
Contributor Author

RamboV commented Mar 12, 2026

@mlodic I've updated the requested screenshots and the raw_json in the description. Thanks!


plugin = {'python_module': {'health_check_schedule': None, 'update_schedule': None, 'module': 'ipqsurl.IPQSUrlScan', 'base_path': 'api_app.analyzers_manager.observable_analyzers'}, 'name': 'IPQS_File_URL_Scanner', 'description': 'Scans files hosted or accessible via a URL using IPQualityScore’s malware detection API.', 'disabled': False, 'soft_time_limit': 60, 'routing_key': 'default', 'health_check_status': True, 'type': 'observable', 'docker_based': False, 'maximum_tlp': 'RED', 'observable_supported': ['url'], 'supported_filetypes': [], 'run_hash': False, 'run_hash_type': '', 'not_supported_filetypes': [], 'mapping_data_model': {}, 'model': 'analyzers_manager.AnalyzerConfig'}

params = [{'python_module': {'module': 'ipqsurl.IPQSUrlScan', 'base_path': 'api_app.analyzers_manager.observable_analyzers'}, 'name': 'ipqs_api_key', 'type': 'str', 'description': 'Please provide the IPQS API key.', 'is_secret': True, 'required': True}]
Member


Format these dicts appropriately please; this is not readable.

ReverseOneToOneDescriptor,
)

plugin = {'python_module': {'health_check_schedule': None, 'update_schedule': None, 'module': 'ipqsurl.IPQSUrlScan', 'base_path': 'api_app.analyzers_manager.observable_analyzers'}, 'name': 'IPQS_File_URL_Scanner', 'description': 'Scans files hosted or accessible via a URL using IPQualityScore’s malware detection API.', 'disabled': False, 'soft_time_limit': 60, 'routing_key': 'default', 'health_check_status': True, 'type': 'observable', 'docker_based': False, 'maximum_tlp': 'RED', 'observable_supported': ['url'], 'supported_filetypes': [], 'run_hash': False, 'run_hash_type': '', 'not_supported_filetypes': [], 'mapping_data_model': {}, 'model': 'analyzers_manager.AnalyzerConfig'}
Member


In the description, use Markdown to add a link to the service; this will be rendered in the GUI.

)

plugin = {'python_module': {'health_check_schedule': None, 'update_schedule': None, 'module': 'ipqsurl.IPQSUrlScan', 'base_path': 'api_app.analyzers_manager.observable_analyzers'}, 'name': 'IPQS_File_URL_Scanner', 'description': 'Scans files hosted or accessible via a URL using IPQualityScore’s malware detection API.', 'disabled': False, 'soft_time_limit': 60, 'routing_key': 'default', 'health_check_status': True, 'type': 'observable', 'docker_based': False, 'maximum_tlp': 'RED', 'observable_supported': ['url'], 'supported_filetypes': [], 'run_hash': False, 'run_hash_type': '', 'not_supported_filetypes': [], 'mapping_data_model': {}, 'model': 'analyzers_manager.AnalyzerConfig'}

Member


Max TLP must be AMBER for external services.


plugin = {'python_module': {'health_check_schedule': None, 'update_schedule': None, 'module': 'ipqsfile.IPQSFileScan', 'base_path': 'api_app.analyzers_manager.file_analyzers'}, 'name': 'IPQS_Malware_File_Scanner', 'description': 'Scan files for malware, viruses, and malicious payloads in real-time using IPQualityScore’s advanced file scanning engine.', 'disabled': False, 'soft_time_limit': 60, 'routing_key': 'default', 'health_check_status': True, 'type': 'file', 'docker_based': False, 'maximum_tlp': 'RED', 'observable_supported': [], 'supported_filetypes': ['application/w-script-file', 'application/javascript', 'application/x-javascript', 'text/javascript', 'application/x-vbscript', 'text/x-ms-iqy', 'application/vnd.android.package-archive', 'application/x-dex', 'application/onenote', 'application/zip', 'multipart/x-zip', 'application/java-archive', 'text/rtf', 'application/rtf', 'application/x-sharedlib', 'application/vnd.microsoft.portable-executable', 'application/x-elf', 'application/octet-stream', 'application/vnd.tcpdump.pcap', 'application/pdf', 'text/html', 'application/x-mspublisher', 'application/vnd.ms-excel.addin.macroEnabled', 'application/vnd.ms-excel.sheet.macroEnabled.12', 'application/vnd.ms-excel', 'application/excel', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/xml', 'text/xml', 'application/encrypted', 'text/plain', 'text/csv', 'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'application/msword', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.ms-powerpoint', 'application/vnd.ms-office', 'application/x-binary', 'application/x-macbinary', 'application/mac-binary', 'application/x-mach-binary', 'application/x-zip-compressed', 'application/x-compressed', 'application/vnd.ms-outlook', 'message/rfc822', 'application/pkcs7-signature', 'application/x-pkcs7-signature', 'multipart/mixed', 'text/x-shellscript', 'application/x-chrome-extension', 'application/json', 'application/x-executable', 'text/x-java', 'text/x-kotlin', 'text/x-swift', 'text/x-objective-c', 'application/x-ms-shortcut', 'application/gzip'], 'run_hash': False, 'run_hash_type': '', 'not_supported_filetypes': [], 'mapping_data_model': {}, 'model': 'analyzers_manager.AnalyzerConfig'}

params = [{'python_module': {'module': 'ipqsfile.IPQSFileScan', 'base_path': 'api_app.analyzers_manager.file_analyzers'}, 'name': 'ipqs_api_key', 'type': 'str', 'description': 'Please provide the IPQS API key.', 'is_secret': True, 'required': True}]
Member


Same for these, not readable.


try:
    # Increase timeout for the initial upload/scan
    request_timeout = 120 if files else 30
Member


You must change the soft time limit parameter in the migration to be at least the maximum amount of time of the worst-case scenario; otherwise an exception would be raised and the analysis would fail.

class IPQualityScoreMixin:
    base_url: str = "https://www.ipqualityscore.com/api/json"  # Ensure correct API base
    _ipqs_api_key: str
    polling_interval: int = 10  # Increased for large file stability
Member


polling_interval and max_retries should be parameters of the analyzers (see other analyzers). In this way, the user can adjust them based on the case.
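The three review points above (external services capped at TLP AMBER, a soft time limit that covers the worst case, and polling settings exposed as analyzer parameters) can be checked before the data migration is written. The following is an added example, not IntelOwl's or the PR's own code: it runs those rules over a trimmed copy of the quoted plugin dict. The worst-case formula assumes one upload request followed by up to `max_retries` polls, each bounded by `request_timeout` and preceded by a `polling_interval` sleep; the `max_retries` value of 5 is a constructed placeholder, since it is not visible in the quoted snippet.

```python
# Constructed pre-migration check for the IPQS analyzer configs reviewed above.
EXTERNAL_MAX_TLP = "AMBER"  # review rule: external services are capped at AMBER


def worst_case_seconds(request_timeout: int, polling_interval: int, max_retries: int) -> int:
    """Upper bound on wall-clock time: one upload request, then up to max_retries
    polls, each bounded by request_timeout and preceded by a polling_interval sleep.
    The loop shape is an assumption, not taken from the PR."""
    return request_timeout + max_retries * (polling_interval + request_timeout)


def check_plugin(plugin: dict, params: list, request_timeout: int,
                 polling_interval: int, max_retries: int) -> list:
    """Return the review findings for one plugin dict; an empty list means it passes."""
    findings = []
    if plugin["maximum_tlp"] != EXTERNAL_MAX_TLP:
        findings.append(f"maximum_tlp is {plugin['maximum_tlp']}; external services must be {EXTERNAL_MAX_TLP}")
    worst = worst_case_seconds(request_timeout, polling_interval, max_retries)
    if plugin["soft_time_limit"] < worst:
        findings.append(f"soft_time_limit {plugin['soft_time_limit']}s is below the worst case of {worst}s")
    exposed = {p["name"] for p in params}
    for name in ("polling_interval", "max_retries"):
        if name not in exposed:
            findings.append(f"{name} is hard-coded; expose it as an analyzer parameter")
    return findings


# Trimmed copy of the IPQS_Malware_File_Scanner config and params quoted in the review.
FILE_PLUGIN = {"name": "IPQS_Malware_File_Scanner", "type": "file", "soft_time_limit": 60, "maximum_tlp": "RED"}
FILE_PARAMS = [{"name": "ipqs_api_key", "type": "str", "is_secret": True, "required": True}]

# request_timeout 120 (files) and polling_interval 10 come from the quoted code;
# max_retries is not visible in the quoted snippet, so 5 is a constructed placeholder.
AS_SUBMITTED = check_plugin(FILE_PLUGIN, FILE_PARAMS, request_timeout=120, polling_interval=10, max_retries=5)

# The same config with the three review points applied.
FIXED_PLUGIN = {**FILE_PLUGIN, "maximum_tlp": "AMBER", "soft_time_limit": worst_case_seconds(120, 10, 5)}
FIXED_PARAMS = FILE_PARAMS + [
    {"name": "polling_interval", "type": "int", "is_secret": False, "required": False},
    {"name": "max_retries", "type": "int", "is_secret": False, "required": False},
]
AFTER_REVIEW = check_plugin(FIXED_PLUGIN, FIXED_PARAMS, request_timeout=120, polling_interval=10, max_retries=5)

if __name__ == "__main__":
    for label, result in (("as submitted", AS_SUBMITTED), ("after review", AFTER_REVIEW)):
        print(label + ":", result or "OK")
```

Run as submitted, the check reports all four findings the reviewer raised; with the fixes applied it returns an empty list.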

@github-actions

This pull request has been marked as stale because it has had no activity for 10 days. If you are still working on this, please provide some updates or it will be closed in 5 days.

@github-actions github-actions bot added the stale label Mar 28, 2026
@mlodic
Member

mlodic commented Apr 1, 2026

Closing this for inactivity.

@mlodic mlodic closed this Apr 1, 2026