VirusTotal DXL Service 0.2.0

VirusTotal API service for use with the OpenDXL Python Client

Overview

The VirusTotal DXL service exposes access to the VirusTotal API via the Data Exchange Layer (DXL) fabric.

Documentation

See the Wiki for an overview of the VirusTotal API DXL Python service and usage examples.


See the VirusTotal API DXL Python service documentation for installation instructions, API documentation, and usage examples.


Icon by Neurovit licensed under Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0).

  • Version 0.2.0

    VirusTotal API DXL Python Service 0.2.0 Release

    • Updated to support both Python 2 and 3
  • Version 0.1.2

    VirusTotal API DXL Python Service 0.1.2 Release

    • Updated to be consistent with bootstrap 0.1.4
  • Version 0.1.1

    VirusTotal API DXL Python Service 0.1.1 Release

    • Updated Dockerfile to use slim vs. alpine (glibc issues)
    • Updated Dockerfile to include VOLUME definition
  • Version 0.1.0

    Initial release

Bootprint

VirusTotal API DXL Service

Version: 0.1.0

The OpenDXL VirusTotal service exposes access to the VirusTotal API via the Data Exchange Layer (DXL) fabric.

Solutions

VirusTotal API DXL Service

The VirusTotal API DXL Service.

VirusTotal Public API Reference

Version: 0.2.0

VirusTotal API DXL Service

Services

Requests

/opendxl-virustotal/service/vtapi/domain/report

Invokes a VirusTotal 'domain address report' command and returns the results.

VirusTotal Public API v2.0 Reference: 'Retrieving domain reports'

payload: object

{
"domain": "027.ru"
}
domain: string

A domain name.

The contents of the DXL response payload will match exactly to the response provided by the VirusTotal API. Please see the VirusTotal Public API Reference for further details.

payload: object

{
  "BitDefender category": "parked",
  "Dr.Web category": "known infection source",
  "Forcepoint ThreatSeeker category": "uncategorized",
  "Websense ThreatSeeker category": "uncategorized",
  "Webutation domain info": {
    "Adult content": "yes",
    "Safety score": 40,
    "Verdict": "malicious"
  },
  "categories": [
    "parked",
    "uncategorized"
  ],
  "detected_downloaded_samples": [
    {
      "date": "2013-06-20 18:51:30",
      "positives": 2,
      "sha256": "cd8553d9b24574467f381d13c7e0e1eb1e58d677b9484bd05b9c690377813e54",
      "total": 46
    }
  ],
  "detected_referrer_samples": [],
  "detected_urls": [
    {
      "positives": 1,
      "scan_date": "2016-11-09 21:36:51",
      "total": 68,
      "url": "http://027.ru/testing"
    },
    {
      "positives": 2,
      "scan_date": "2015-02-18 08:54:52",
      "total": 62,
      "url": "http://027.ru/index.html"
    }
  ],
  "domain_siblings": [],
  "resolutions": [
    {
      "ip_address": "185.53.177.31",
      "last_resolved": "2018-09-03 10:58:50"
    },
    {
      "ip_address": "46.38.62.7",
      "last_resolved": "2019-02-03 04:49:26"
    }
  ],
  "response_code": 1,
  "subdomains": [
    "www.027.ru",
    "test.027.ru"
  ],
  "undetected_downloaded_samples": [
    {
      "date": "2018-01-14 22:34:24",
      "positives": 0,
      "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "total": 70
    }
  ],
  "undetected_referrer_samples": [
    {
      "date": "2018-03-04 16:38:06",
      "positives": 0,
      "sha256": "ce08cf22949b6b6fcd4e61854ce810a4f9ee04529340dd077fa354d759dc7a95",
      "total": 66
    },
    {
      "positives": 0,
      "sha256": "b8f5db667431d02291eeec61cf9f0c3d7af00798d0c2d676fde0efb0cedb7741",
      "total": 53
    }
  ],
  "undetected_urls": [],
  "verbose_msg": "Domain found in dataset",
  "whois": "domain: 027.RU\nnserver: ns1.nevstruev.ru.\nnserver: ns2.nevstruev.ru.\nstate: REGISTERED, DELEGATED, VERIFIED\nregistrar: RU-CENTER-RU\ncreated: 2005-12-08T21:00:00Z\npaid-till: 2019-12-08T21:00:00Z\nsource: TCI\nLast updated on 2019-02-03T04:46:31Z",
  "whois_timestamp": 1549169366
}

/opendxl-virustotal/service/vtapi/file/report

Invokes a VirusTotal 'file report' command and returns the results.

VirusTotal Public API v2.0 Reference: 'Retrieving file scan reports'

payload: object

{
"resource": "54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71-1549331758"
}
resource: string

Hash (md5/sha1/sha256) of the file or SHA-256 hash ('scan_id') of the specific existing report you wish to retrieve. You can also specify a CSV list made up of a combination of any of the three allowed hashes (up to 4 items). Note that the file(s) must already be present in the VirusTotal file store.

The contents of the DXL response payload will match exactly to the response provided by the VirusTotal API. Please see the VirusTotal Public API Reference for further details.

payload: object

{
  "md5": "99017f6eebbac24f351415dd410d522d",
  "permalink": "https://www.virustotal.com/file/52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c/analysis/1273894724/",
  "positives": 1,
  "resource": "99017f6eebbac24f351415dd410d522d",
  "response_code": 1,
  "scan_date": "2010-05-15 03:38:44",
  "scan_id": "52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c-1273894724",
  "scans": {
    "F-Prot": {
      "detected": false,
      "result": null,
      "update": "20100514",
      "version": "4.5.1.85"
    },
    "McAfee": {
      "detected": true,
      "result": "Generic.dx!rkx",
      "update": "20100515",
      "version": "5.400.0.1158"
    }
  },
  "sha1": "4d1740485713a2ab3a4f5822a01f645fe8387f92",
  "sha256": "52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c",
  "total": 2,
  "verbose_msg": "Scan finished, scan information embedded in this object"
}
Error Code: 0

payload: object

"VirusTotal error, VirusTotal API request rate limit exceeded. (204)"
errorMessage: string

Message string containing HTTP error response information.

/opendxl-virustotal/service/vtapi/file/rescan

Invokes a VirusTotal 'file rescan' command and returns the results.

VirusTotal Public API v2.0 Reference: 'Rescanning already submitted files'

payload: object

{
"resource": "7657fcb7d772448a6d8504e4b20168b8"
}
resource: string

Hash (md5/sha1/sha256). You can also specify a CSV list made up of a combination of any of the three allowed hashes (up to 25 items). Note that the file(s) must already be present in the VirusTotal file store.

The contents of the DXL response payload will match exactly to the response provided by the VirusTotal API. Please see the VirusTotal Public API Reference for further details.

payload: object

{
"permalink": "https://www.virustotal.com/file/__sha256hash__/analysis/1390472785/",
"resource": "7657fcb7d772448a6d8504e4b20168b8",
"response_code": 1,
"scan_id": "54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71-1390472785",
"sha256": "54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71"
}
Error Code: 0

payload: object

"VirusTotal error, VirusTotal API request rate limit exceeded. (204)"
errorMessage: string

Message string containing HTTP error response information.

/opendxl-virustotal/service/vtapi/ip-address/report

Invokes a VirusTotal 'IP address report' command and returns the results.

VirusTotal Public API v2.0 Reference: 'Retrieving IP address reports'

payload: object

{
"ip": "90.156.201.27"
}
ip: string

A valid IPv4 address in dotted-quad notation; for the time being only IPv4 addresses are supported.

The contents of the DXL response payload will match exactly to the response provided by the VirusTotal API. Please see the VirusTotal Public API Reference for further details.

payload: object

{
  "as_owner": ".masterhost autonomous system",
  "asn": "25532",
  "continent": "EU",
  "country": "RU",
  "detected_downloaded_samples": [
    {
      "date": "2017-10-22 02:45:39",
      "positives": 1,
      "sha256": "a2765185a15d8deebc76ae0fede9aca69ff8a838f80ba80aca269e93ad028d11",
      "total": 63
    },
    {
      "date": "2017-10-12 01:34:54",
      "positives": 27,
      "sha256": "24da30bc528fc99eea326e40405422e6077793aa439c6da38f6103286155621b",
      "total": 50
    }
  ],
  "detected_urls": [
    {
      "positives": 2,
      "scan_date": "2018-06-15 05:59:02",
      "total": 68,
      "url": "http://www.npftin.ru/"
    },
    {
      "positives": 1,
      "scan_date": "2018-06-15 04:00:18",
      "total": 67,
      "url": "http://coloreat.ru/people?order=user_login"
    }
  ],
  "network": "90.156.128.0/17",
  "resolutions": [
    {
      "hostname": "otvody.trubarm.ru",
      "last_resolved": "2017-09-17 00:00:00"
    },
    {
      "hostname": "ourfoods.ru",
      "last_resolved": "2018-08-26 14:39:39"
    }
  ],
  "response_code": 1,
  "undetected_downloaded_samples": [
    {
      "date": "2019-02-06 10:31:56",
      "positives": 0,
      "sha256": "ace5dc20c9d255e174e21d2334caac90ac4f45e9e0da16076811185d0717b5e9",
      "total": 59
    },
    {
      "date": "2019-02-06 10:21:46",
      "positives": 0,
      "sha256": "b0e4a3d9fbc32b6b3f7d6460572036e811854c24205b795c4a601f132f83f65e",
      "total": 58
    }
  ],
  "undetected_urls": [
    [
      "http://ethology.ru/video/?id=77",
      "54ad59859c6d370b2f8c6e8012849d9ad8469a0f2be1593856c7279eb5b87975",
      0,
      69,
      "2019-02-03 14:09:23"
    ],
    [
      "http://profinews.ru/",
      "522db998c133ed88074533d3076264b900317c51e5469d802d8d1fe4ef508f19",
      0,
      69,
      "2019-01-21 12:18:07"
    ]
  ],
  "verbose_msg": "IP address in dataset",
  "whois": "Last updated on 2019-01-10T06:11:31Z",
  "whois_timestamp": 1547100971
}
Error Code: 0

payload: object

"VirusTotal error, VirusTotal API request rate limit exceeded. (204)"
errorMessage: string

Message string containing HTTP error response information.

/opendxl-virustotal/service/vtapi/url/report

Invokes a VirusTotal 'URL report' command and returns the results.

VirusTotal Public API v2.0 Reference: 'Retrieving URL scan reports'

payload: object

{
"resource": "http://www.virustotal.com"
}
resource: string

URL for which to retrieve the most recent report. You may also specify a 'scan_id' (sha256-timestamp as returned by the URL submission API) to access a specific report. At the same time, you can specify a CSV list made up of a combination of hashes and 'scan_id's so as to perform a batch request with one single call (up to 4 resources per call with the standard request rate). When sending multiples, the 'scan_id's or URLs must be separated by a new line character.

The contents of the DXL response payload will match exactly to the response provided by the VirusTotal API. Please see the VirusTotal Public API Reference for further details.

payload: object

{
  "filescan_id": null,
  "permalink": "https://www.virustotal.com/url/1db0ad7dbcec0676710ea0eaacd35d5e471d3e11944d53bcbd31f0cbd11bce31/analysis/1549563068/",
  "positives": 0,
  "resource": "http://www.virustotal.com",
  "response_code": 1,
  "scan_date": "2019-02-07 18:11:08",
  "scan_id": "1db0ad7dbcec0676710ea0eaacd35d5e471d3e11944d53bcbd31f0cbd11bce31-1549563068",
  "scans": {
    "Avira": {
      "detected": false,
      "result": "clean site"
    },
    "CLEAN MX": {
      "detected": false,
      "result": "clean site"
    }
  },
  "total": 2,
  "url": "http://www.virustotal.com/",
  "verbose_msg": "Scan finished, scan information embedded in this object"
}
Error Code: 0

payload: object

"VirusTotal error, VirusTotal API request rate limit exceeded. (204)"
errorMessage: string

Message string containing HTTP error response information.

/opendxl-virustotal/service/vtapi/url/scan

Invokes a VirusTotal 'URL scan' command and returns the results.

VirusTotal Public API v2.0 Reference: 'Sending and scanning URLs'

payload: object

{
"url": "http://www.virustotal.com"
}
url: string

The URL that should be scanned. This parameter accepts a list of URLs (up to 4 with the standard request rate) so as to perform a batch scanning request with one single call. The URLs must be separated by a new line character.

The contents of the DXL response payload will match exactly to the response provided by the VirusTotal API. Please see the VirusTotal Public API Reference for further details.

payload: object

{
"permalink": "https://www.virustotal.com/url/1db0ad7dbcec0676710ea0eaacd35d5e471d3e11944d53bcbd31f0cbd11bce31/analysis/1549501826/",
"resource": "http://www.virustotal.com/",
"response_code": 1,
"scan_date": "2019-02-07 01:10:26",
"scan_id": "1db0ad7dbcec0676710ea0eaacd35d5e471d3e11944d53bcbd31f0cbd11bce31-1549501826",
"url": "http://www.virustotal.com/",
"verbose_msg": "Scan request successfully queued, come back later for the report"
}
Error Code: 0

payload: object

"VirusTotal error, VirusTotal API request rate limit exceeded. (204)"
errorMessage: string

Message string containing HTTP error response information.
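The six request topics above each take a small JSON object, and the parameter descriptions carry rules the service will not enforce for you: comma-separated hashes with a cap of 4 (file/report) or 25 (file/rescan), newline-separated URLs or scan_ids with a cap of 4 (url/report, url/scan), and IPv4 only for ip-address/report. The following is an added example (written for this page, not code from the opendxl-virustotal project) of a request builder that applies those rules before anything reaches the fabric. The topic strings and limits come from this page; the regular expressions, the function names and the encode() helper are my own assumptions about what a sensible client would do.

```python
import ipaddress
import json
import re

# Request topics documented above for the VirusTotal DXL service.
TOPIC_DOMAIN_REPORT = "/opendxl-virustotal/service/vtapi/domain/report"
TOPIC_FILE_REPORT = "/opendxl-virustotal/service/vtapi/file/report"
TOPIC_FILE_RESCAN = "/opendxl-virustotal/service/vtapi/file/rescan"
TOPIC_IP_REPORT = "/opendxl-virustotal/service/vtapi/ip-address/report"
TOPIC_URL_REPORT = "/opendxl-virustotal/service/vtapi/url/report"
TOPIC_URL_SCAN = "/opendxl-virustotal/service/vtapi/url/scan"

# Batch limits taken from the parameter descriptions above (standard request rate).
MAX_FILE_REPORT_ITEMS = 4
MAX_FILE_RESCAN_ITEMS = 25
MAX_URL_ITEMS = 4

# md5 / sha1 / sha256 hex digests, and the "sha256-timestamp" scan_id form.
# (Assumed patterns; VirusTotal itself decides what it accepts.)
_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)
_SCAN_ID_RE = re.compile(r"^[0-9a-f]{64}-\d+$", re.IGNORECASE)
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$",
    re.IGNORECASE)


def _check_batch(items, limit, what):
    """Reject empty batches and batches over the documented limit."""
    if not items:
        raise ValueError("at least one %s is required" % what)
    if len(items) > limit:
        raise ValueError("at most %d %ss per request, got %d" % (limit, what, len(items)))


def domain_report_request(domain):
    """domain/report takes a single domain name."""
    if not _DOMAIN_RE.match(domain):
        raise ValueError("not a domain name: %r" % domain)
    return TOPIC_DOMAIN_REPORT, {"domain": domain}


def file_report_request(resources):
    """file/report: hashes or scan_ids, comma-separated (CSV), up to 4 per call."""
    _check_batch(resources, MAX_FILE_REPORT_ITEMS, "resource")
    for r in resources:
        if not (_HASH_RE.match(r) or _SCAN_ID_RE.match(r)):
            raise ValueError("not a hash or scan_id: %r" % r)
    return TOPIC_FILE_REPORT, {"resource": ",".join(resources)}


def file_rescan_request(hashes):
    """file/rescan: md5/sha1/sha256 only, comma-separated, up to 25 per call."""
    _check_batch(hashes, MAX_FILE_RESCAN_ITEMS, "hash")
    for h in hashes:
        if not _HASH_RE.match(h):
            raise ValueError("not a hash: %r" % h)
    return TOPIC_FILE_RESCAN, {"resource": ",".join(hashes)}


def ip_report_request(ip):
    """ip-address/report: only IPv4 in dotted-quad notation is accepted."""
    ipaddress.IPv4Address(ip)  # raises AddressValueError (a ValueError) for IPv6 or garbage
    return TOPIC_IP_REPORT, {"ip": ip}


def url_report_request(resources):
    """url/report: URLs or scan_ids, newline-separated, up to 4 per call."""
    _check_batch(resources, MAX_URL_ITEMS, "resource")
    for r in resources:
        if "\n" in r or not (r.startswith(("http://", "https://")) or _SCAN_ID_RE.match(r)):
            raise ValueError("not a URL or scan_id: %r" % r)
    return TOPIC_URL_REPORT, {"resource": "\n".join(resources)}


def url_scan_request(urls):
    """url/scan: URLs to submit, newline-separated, up to 4 per call."""
    _check_batch(urls, MAX_URL_ITEMS, "url")
    for u in urls:
        if "\n" in u or not u.startswith(("http://", "https://")):
            raise ValueError("not a URL: %r" % u)
    return TOPIC_URL_SCAN, {"url": "\n".join(urls)}


def encode(payload):
    """DXL payloads travel as bytes; the examples above are plain UTF-8 JSON objects."""
    return json.dumps(payload, sort_keys=True).encode("utf-8")
```

Each builder returns the (topic, payload) pair; with the OpenDXL Python client the topic goes into the Request's destination topic, encode(payload) into its payload, and the request is sent with the client's synchronous request call. Failing fast on a 5-hash batch or an IPv6 literal is cheaper than spending one of the rate-limited calls on a request VirusTotal will reject.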

Definitions

VirusTotal HTTP Error Response Object: object

"VirusTotal error, VirusTotal API request rate limit exceeded. (204)"
errorMessage: string

Message string containing HTTP error response information.
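A caller sees one of two shapes come back on the fabric: a DXL error reply whose message is the errorMessage string defined above (the rate-limit case ends in "(204)", the HTTP status VirusTotal returned), or a normal reply whose payload is the VirusTotal JSON unchanged. The following is an added example of the consumer side, written for this page and not taken from the opendxl-virustotal project. DxlReply is a stand-in I define for the dxlclient response objects so the block runs offline; the sample replies are constructed to mirror the payloads shown above and were not captured from a live fabric.

```python
import json
import re
from collections import namedtuple

# Stand-in for the dxlclient Response / ErrorResponse pair (an assumption for this
# offline example): a DXL error reply carries error_code and error_message, a normal
# reply carries the VirusTotal JSON as its payload bytes.
DxlReply = namedtuple("DxlReply", "is_error error_code error_message payload")

# The service ends the errorMessage with the upstream HTTP status in parentheses.
_HTTP_STATUS_RE = re.compile(r"\((\d{3})\)\s*$")


def classify_error(error_message):
    """Turn the errorMessage string into a decision: back off and retry, or fail the lookup."""
    match = _HTTP_STATUS_RE.search(error_message or "")
    status = int(match.group(1)) if match else None
    # "request rate limit exceeded. (204)" is the only error documented above; it is
    # worth retrying after a pause, anything else is reported as a hard failure.
    if status == 204 and "rate limit" in error_message:
        return {"status": "rate_limited", "http_status": status, "retry": True}
    return {"status": "error", "http_status": status, "retry": False,
            "message": error_message}


def summarize_report(report):
    """Reduce a raw VirusTotal v2 object to the fields a triage step acts on."""
    if report.get("response_code") != 1:
        # Only response_code 1 carries a report for the requested resource.
        return {"status": "not_found", "verbose_msg": report.get("verbose_msg")}
    summary = {"status": "report", "verbose_msg": report.get("verbose_msg")}
    if "positives" in report:
        # file/report and url/report: which engines flagged the resource.
        summary["positives"] = report["positives"]
        summary["total"] = report["total"]
        summary["detections"] = sorted(
            name for name, scan in report.get("scans", {}).items() if scan.get("detected"))
    elif "scan_id" in report:
        # file/rescan and url/scan: the work is queued; the scan_id is the resource
        # to pass to file/report or url/report later to fetch the finished report.
        summary["status"] = "queued"
        summary["scan_id"] = report["scan_id"]
    else:
        # domain/report and ip-address/report: counts of related flagged URLs and samples.
        summary["detected_urls"] = len(report.get("detected_urls", []))
        summary["detected_downloaded_samples"] = len(report.get("detected_downloaded_samples", []))
        summary["resolutions"] = [r.get("ip_address") or r.get("hostname")
                                  for r in report.get("resolutions", [])]
    return summary


def interpret_reply(reply):
    """Route a DXL reply to the error path or the report path."""
    if reply.is_error:
        return classify_error(reply.error_message)
    payload = reply.payload
    if isinstance(payload, bytes):
        payload = payload.decode("utf-8")
    return summarize_report(json.loads(payload))


# Constructed replies mirroring the sample payloads above (not captured from a live fabric).
RATE_LIMIT_REPLY = DxlReply(
    True, 0, "VirusTotal error, VirusTotal API request rate limit exceeded. (204)", None)
FILE_REPORT_REPLY = DxlReply(False, None, None, json.dumps({
    "md5": "99017f6eebbac24f351415dd410d522d", "positives": 1, "total": 2, "response_code": 1,
    "scans": {"F-Prot": {"detected": False, "result": None},
              "McAfee": {"detected": True, "result": "Generic.dx!rkx"}},
    "verbose_msg": "Scan finished, scan information embedded in this object"}).encode("utf-8"))
URL_SCAN_REPLY = DxlReply(False, None, None, json.dumps({
    "response_code": 1,
    "scan_id": "1db0ad7dbcec0676710ea0eaacd35d5e471d3e11944d53bcbd31f0cbd11bce31-1549501826",
    "verbose_msg": "Scan request successfully queued, come back later for the report"}).encode("utf-8"))
DOMAIN_REPORT_REPLY = DxlReply(False, None, None, json.dumps({
    "response_code": 1, "verbose_msg": "Domain found in dataset",
    "detected_urls": [{"url": "http://027.ru/testing", "positives": 1, "total": 68},
                      {"url": "http://027.ru/index.html", "positives": 2, "total": 62}],
    "detected_downloaded_samples": [{"positives": 2, "total": 46}],
    "resolutions": [{"ip_address": "185.53.177.31"}, {"ip_address": "46.38.62.7"}]}).encode("utf-8"))

if __name__ == "__main__":
    for reply in (RATE_LIMIT_REPLY, FILE_REPORT_REPLY, URL_SCAN_REPLY, DOMAIN_REPORT_REPLY):
        print(interpret_reply(reply))
```

The point of the "queued" status is that url/scan and file/rescan do not return a verdict: the scan_id they hand back is the resource for a later url/report or file/report call, and treating the queued reply as "clean" because positives is absent is the mistake this summarizer is shaped to avoid.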