[WIP] Phunter Analyzer, Closes #2286

[basedBaba]

Description

Phunter Analyzer, Closes #2286

Type of change

• New feature (non-breaking change which adds functionality).

Checklist

• I have read and understood the rules about how to Contribute to this project
• The pull request is for the branch develop
• A new plugin (analyzer, connector, visualizer, playbook, pivot or ingestor) was added or changed, in which case:
  • I strictly followed the documentation "How to create a Plugin"
  • Usage file was updated. A link to the PR to the docs repo has been added as a comment here.
  • Advanced-Usage was updated (in case the plugin provides additional optional configuration). A link to the PR to the docs repo has been added as a comment here.
  • I have dumped the configuration from Django Admin using the dumpplugin command and added it in the project as a data migration. ("How to share a plugin with the community")
  • If a File analyzer was added and it supports a mimetype which is not already supported, you added a sample of that type inside the archive test_files.zip and you added the default tests for that mimetype in test_classes.py.
  • If you created a new analyzer and it is free (does not require any API key), please add it in the FREE_TO_USE_ANALYZERS playbook by following this guide.
  • Check if it could make sense to add that analyzer/connector to other freely available playbooks.
  • I have provided the resulting raw JSON of a finished analysis and a screenshot of the results.
  • If the plugin interacts with an external service, I have created an attribute called precisely url that contains this information. This is required for Health Checks.
  • If the plugin requires mocked testing, _monkeypatch() was used in its class to apply the necessary decorators.
  • I have added that raw JSON sample to the MockUpResponse of the _monkeypatch() method. This serves us to provide a valid sample for testing.
• If external libraries/packages with restrictive licenses were used, they were added in the Legal Notice section.
• Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
• I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
• If the GUI has been modified:
  • I have a provided a screenshot of the result in the PR.
  • I have created new frontend tests for the new component or updated existing ones.
• After you had submitted the PR, if DeepSource, Django Doctors or other third-party linters have triggered any alerts during the CI checks, I have solved those alerts.

Important Rules

• If you miss to compile the Checklist properly, your PR won't be reviewed by the maintainers.
• Everytime you make changes to the PR and you think the work is done, you should explicitly ask for a review. After being reviewed and received a "change request", you should explicitly ask for a review again once you have made the requested changes.

Raw JSON :-

{
    "id": 1,
    "user": {
        "username": "admin"
    },
    "tags": [],
    "comments": [],
    "pivots_to_execute": [],
    "analyzers_to_execute": [
        "Phunter"
    ],
    "analyzers_requested": [
        "Phunter"
    ],
    "connectors_to_execute": [],
    "connectors_requested": [],
    "visualizers_to_execute": [],
    "playbook_requested": null,
    "playbook_to_execute": null,
    "investigation": null,
    "permissions": {
        "kill": true,
        "delete": true,
        "plugin_actions": true
    },
    "analyzers_data_model": [],
    "analyzer_reports": [
        {
            "name": "Phunter",
            "process_time": 4.02,
            "status": "SUCCESS",
            "end_time": "2025-01-25T16:29:55.242106Z",
            "parameters": {},
            "type": "analyzer",
            "id": 1,
            "report": {
                "Valid": true,
                "Operator": "Not found",
                "Possible": true,
                "Line Type": "Not found",
                "Spamcalls": true,
                "Free Lookup": {
                    "Owner": "Not found",
                    "Carrier": "Not found",
                    "Country": "United States",
                    "Location": "Not found",
                    "National": "(833) 371-2570",
                    "Line Type": "TOLL FREE",
                    "Local Time": "06:29:52",
                    "Views count": "36",
                    "International": "+1 833-371-2570"
                },
                "Phone Number": "+18333712570"
            },
            "errors": [],
            "start_time": "2025-01-25T16:29:51.225636Z",
            "description": "[Phunter](https://github.com/N0rz3/Phunter) is a very useful tool for finding information about a phone number.",
            "data_model": {}
        }
    ],
    "connector_reports": [],
    "pivot_reports": [],
    "visualizer_reports": [],
    "is_sample": false,
    "md5": "be9265fae3c09d4cfadaa52d8542d2cd",
    "observable_name": "+18333712570",
    "observable_classification": "generic",
    "file_name": "",
    "file_mimetype": "",
    "status": "reported_without_fails",
    "runtime_configuration": {
        "pivots": {},
        "analyzers": {},
        "connectors": {},
        "visualizers": {}
    },
    "received_request_time": "2025-01-25T16:29:50.529409Z",
    "finished_analysis_time": "2025-01-25T16:29:55.363747Z",
    "process_time": 4.83,
    "tlp": "CLEAR",
    "errors": [],
    "warnings": [],
    "scan_mode": 2,
    "scan_check_time": "1 00:00:00"
}

Screenshot :-

[basedBaba]

@mlodic Hello, can I get some assistance on how to fix the failing check?

[mlodic]

I appreciate the creative solution but this is not the solution to the issue raised. This can be an additional observable analyzer for generic phone lookup and you can call it Phone_Checkup or something similar. Please change PR description accordingly

[mlodic]

if the number is not valid (that can happen because the observable type is generic so everything is allowed here), what does this library trigger?

This is important because it would be better to properly manage that error here and do not raise an analyzer error because that would make people believe that there is something wrong in the analyzer itself but the problem was the input. In that case, I would prefer to have a valid result of the analyzer with an explicit message saying that only phone numbers are supported

[mlodic]

Please wrap this in a separated function and inside a try/except clause. In this way, if this part, for any reason, fails, the other analyzer parts still get the results to the users

[mlodic]

same here, separated function

[mlodic]

please provide this as an optional configurable parameter

[basedBaba]

#2286 (comment)

You could also export the main logic of the tool outside the main used by the CLI to a separate function that could be imported. In that way, a simple python import would be enough

I thought I had to look into and re-create the internal workings of Phunter and make it a separate function that could be imported. Sorry if I misunderstood it in any way. 😓

[mlodic]

I thought I had to look into and re-create the internal workings of Phunter and make it a separate function that could be imported. Sorry if I misunderstood it in any way.

Noproblem. My idea was to leverage that tool so we don't have to write and maintain our own one. IntelOwl should be more focused on integration of other tools than on adding our own logic of extraction, if possible.

On the other hand, it could make sense to add the code that you created anyway because it is simple. The important thing is that here we should explicitly write in the code and description that it was inspired by Phunter and the name of the analyzer must be changed

[basedBaba]

Thank you for the clarification, I'll keep that in mind going forward. Meanwhile, I'll make the necessary changes ASAP.

[github-actions]

This pull request has been marked as stale because it has had no activity for 10 days. If you are still working on this, please provide some updates or it will be closed in 5 days.

[basedBaba]

Sorry, been a bit busy lately, will get back to this immediately!

[github-actions]

This pull request has been marked as stale because it has had no activity for 10 days. If you are still working on this, please provide some updates or it will be closed in 5 days.

[github-actions]

This pull request has been closed because it had no updates in 15 days. If you're still working on this fell free to reopen.