ThreatScript Web Client

ThreatScript definitions can actively access and gather information from websites using one of the HTTP request classes. The following classes are available (each corresponding to the associated HTTP verb):

  • GetRequest
  • PostRequest
  • DeleteRequest
  • PutRequest
  • TraceRequest
  • HeadRequest
  • OptionsRequest

Below is an example of a definition that determines how many links to the given page exist (via Google):

/*
 * Name: Test.Test.LinkCount
 * ID: 1200001
 * Version: 1
 * Message: Detects the number of websites linking to this page
 * Severity: Low
 */

importPackage(Packages.ThreatScript);
importPackage(Packages.HTTP);

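function analyze( httpResponse, variables, environment ){

    // URL-encode the scanned page's location so that characters such as & or #
    // in it cannot change the search query.
    var location = encodeURIComponent( String( httpResponse.getLocation() ) );
    var get = new GetRequest("http://www.google.com/search?q=site+to+" + location );

    // Use a separate name so the scanned page's response is not overwritten.
    var searchResponse = get.run();
    var s = searchResponse.getResponseBodyAsString();

    if( s == null ){
        return new Result( true, "Could not get a response from Google.com");
    }

    // Match the result count, e.g. "About 1,234 results".
    var resultsCount = /About ([,0-9]+) results/;
    var result = resultsCount.exec(s);

    // exec() returns null when the pattern is not found in the response body.
    if( result == null ){
        return new Result( true, "Could not find a result count in the response from Google.com");
    }

    var linkcount = result[1];

    return new Result( true, "Number of sites that link to this page: " + linkcount);
}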
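
A definition like the one above builds an outbound request from the location of the page being scanned, which is untrusted input. The following added example (not part of the original page or of ThreatScript) is plain JavaScript that runs outside ThreatScript, for instance in Node.js; it compares a concatenated and a percent-encoded search URL and parses the result count defensively. All function names and sample inputs are constructed for illustration.

```javascript
// Added example: plain JavaScript, runnable outside ThreatScript (e.g. Node.js).
// SEARCH_PREFIX mirrors the URL used in the definition above; function names
// and sample inputs are constructed for illustration.
const SEARCH_PREFIX = "http://www.google.com/search?q=site+to+";

// Concatenate the scanned location as-is.
function rawSearchUrl(location) {
    return SEARCH_PREFIX + location;
}

// Percent-encode the scanned location so it stays inside the q parameter.
function encodedSearchUrl(location) {
    return SEARCH_PREFIX + encodeURIComponent(String(location));
}

// Return the query parameters the search host would actually receive.
function receivedParams(url) {
    const params = {};
    for (const [name, value] of new URL(url).searchParams) {
        params[name] = value;
    }
    return params;
}

// Extract the result count as an integer, or null when the body is missing
// or does not contain the expected "About N results" text.
function parseResultCount(body) {
    if (body == null) return null;
    const match = /About ([,0-9]+) results/.exec(String(body));
    if (match === null) return null;
    return parseInt(match[1].replace(/,/g, ""), 10);
}

// Constructed location containing characters that are significant in a URL.
const scanned = "http://example.com/page?id=7&num=100#top";

// Concatenated: the location is split, and "num" arrives as its own parameter.
console.log(receivedParams(rawSearchUrl(scanned)));
// Encoded: a single "q" parameter carrying the whole location.
console.log(receivedParams(encodedSearchUrl(scanned)));
// Constructed response bodies: one with a count, one without.
console.log(parseResultCount("<div>About 1,234,000 results</div>"));
console.log(parseResultCount("<div>No results found</div>"));
```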