misp-modules 2.4.196__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- misp_modules/__init__.py +379 -0
- misp_modules/helpers/__init__.py +1 -0
- misp_modules/helpers/cache.py +84 -0
- misp_modules/lib/__init__.py +4 -0
- misp_modules/lib/_vmray/__init__.py +0 -0
- misp_modules/lib/_vmray/parser.py +1417 -0
- misp_modules/lib/_vmray/rest_api.py +148 -0
- misp_modules/lib/cof2misp/LICENSE-2.0.txt +202 -0
- misp_modules/lib/cof2misp/__init__.py +0 -0
- misp_modules/lib/cof2misp/cof.py +165 -0
- misp_modules/lib/joe_mapping.py +114 -0
- misp_modules/lib/joe_parser.py +573 -0
- misp_modules/lib/lastline_api.py +841 -0
- misp_modules/lib/qintel_helper.py +263 -0
- misp_modules/lib/stix2misp.py +2080 -0
- misp_modules/lib/stix2misp_mapping.py +460 -0
- misp_modules/lib/synonymsToTagNames.json +1 -0
- misp_modules/lib/vt_graph_parser/__init__.py +8 -0
- misp_modules/lib/vt_graph_parser/errors.py +20 -0
- misp_modules/lib/vt_graph_parser/helpers/__init__.py +7 -0
- misp_modules/lib/vt_graph_parser/helpers/parsers.py +88 -0
- misp_modules/lib/vt_graph_parser/helpers/rules.py +304 -0
- misp_modules/lib/vt_graph_parser/helpers/wrappers.py +58 -0
- misp_modules/lib/vt_graph_parser/importers/__init__.py +7 -0
- misp_modules/lib/vt_graph_parser/importers/base.py +98 -0
- misp_modules/lib/vt_graph_parser/importers/pymisp_response.py +73 -0
- misp_modules/modules/__init__.py +4 -0
- misp_modules/modules/action_mod/__init__.py +1 -0
- misp_modules/modules/action_mod/_utils/__init__.py +1 -0
- misp_modules/modules/action_mod/_utils/utils.py +70 -0
- misp_modules/modules/action_mod/mattermost.py +113 -0
- misp_modules/modules/action_mod/slack.py +96 -0
- misp_modules/modules/action_mod/testaction.py +68 -0
- misp_modules/modules/expansion/__init__.py +36 -0
- misp_modules/modules/expansion/_dnsdb_query/COPYRIGHT +27 -0
- misp_modules/modules/expansion/_dnsdb_query/LICENSE +202 -0
- misp_modules/modules/expansion/_dnsdb_query/README.md +162 -0
- misp_modules/modules/expansion/_dnsdb_query/__init__.py +0 -0
- misp_modules/modules/expansion/_dnsdb_query/dnsdb_query.py +327 -0
- misp_modules/modules/expansion/_ransomcoindb/__init__.py +0 -0
- misp_modules/modules/expansion/_ransomcoindb/ransomcoindb.py +96 -0
- misp_modules/modules/expansion/_vulnerability_parser/__init__.py +0 -0
- misp_modules/modules/expansion/_vulnerability_parser/vulnerability_parser.py +118 -0
- misp_modules/modules/expansion/abuseipdb.py +146 -0
- misp_modules/modules/expansion/apiosintds.py +365 -0
- misp_modules/modules/expansion/apivoid.py +133 -0
- misp_modules/modules/expansion/assemblyline_query.py +179 -0
- misp_modules/modules/expansion/assemblyline_submit.py +100 -0
- misp_modules/modules/expansion/backscatter_io.py +84 -0
- misp_modules/modules/expansion/btc_scam_check.py +54 -0
- misp_modules/modules/expansion/btc_steroids.py +238 -0
- misp_modules/modules/expansion/censys_enrich.py +287 -0
- misp_modules/modules/expansion/circl_passivedns.py +85 -0
- misp_modules/modules/expansion/circl_passivessl.py +113 -0
- misp_modules/modules/expansion/clamav.py +129 -0
- misp_modules/modules/expansion/cluster25_expand.py +239 -0
- misp_modules/modules/expansion/countrycode.py +69 -0
- misp_modules/modules/expansion/cpe.py +140 -0
- misp_modules/modules/expansion/crowdsec.py +235 -0
- misp_modules/modules/expansion/crowdstrike_falcon.py +148 -0
- misp_modules/modules/expansion/cuckoo_submit.py +161 -0
- misp_modules/modules/expansion/cve.py +57 -0
- misp_modules/modules/expansion/cve_advanced.py +185 -0
- misp_modules/modules/expansion/cytomic_orion.py +196 -0
- misp_modules/modules/expansion/dbl_spamhaus.py +78 -0
- misp_modules/modules/expansion/dns.py +71 -0
- misp_modules/modules/expansion/docx_enrich.py +71 -0
- misp_modules/modules/expansion/domaintools.py +290 -0
- misp_modules/modules/expansion/eql.py +91 -0
- misp_modules/modules/expansion/eupi.py +86 -0
- misp_modules/modules/expansion/extract_url_components.py +83 -0
- misp_modules/modules/expansion/farsight_passivedns.py +243 -0
- misp_modules/modules/expansion/geoip_asn.py +75 -0
- misp_modules/modules/expansion/geoip_city.py +75 -0
- misp_modules/modules/expansion/geoip_country.py +73 -0
- misp_modules/modules/expansion/google_safe_browsing.py +86 -0
- misp_modules/modules/expansion/google_search.py +57 -0
- misp_modules/modules/expansion/google_threat_intelligence.py +453 -0
- misp_modules/modules/expansion/greynoise.py +346 -0
- misp_modules/modules/expansion/hashdd.py +53 -0
- misp_modules/modules/expansion/hashlookup.py +118 -0
- misp_modules/modules/expansion/hibp.py +62 -0
- misp_modules/modules/expansion/html_to_markdown.py +63 -0
- misp_modules/modules/expansion/hyasinsight.py +881 -0
- misp_modules/modules/expansion/intel471.py +73 -0
- misp_modules/modules/expansion/intelmq_eventdb.py.experimental +67 -0
- misp_modules/modules/expansion/ip2locationio.py +90 -0
- misp_modules/modules/expansion/ipasn.py +70 -0
- misp_modules/modules/expansion/ipinfo.py +112 -0
- misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py +633 -0
- misp_modules/modules/expansion/iprep.py +98 -0
- misp_modules/modules/expansion/jinja_template_rendering.py +54 -0
- misp_modules/modules/expansion/joesandbox_query.py +91 -0
- misp_modules/modules/expansion/joesandbox_submit.py +147 -0
- misp_modules/modules/expansion/lastline_query.py +148 -0
- misp_modules/modules/expansion/lastline_submit.py +180 -0
- misp_modules/modules/expansion/macaddress_io.py +130 -0
- misp_modules/modules/expansion/macvendors.py +55 -0
- misp_modules/modules/expansion/malshare_upload.py +107 -0
- misp_modules/modules/expansion/malwarebazaar.py +67 -0
- misp_modules/modules/expansion/mcafee_insights_enrich.py +249 -0
- misp_modules/modules/expansion/mmdb_lookup.py +138 -0
- misp_modules/modules/expansion/module.py.skeleton +44 -0
- misp_modules/modules/expansion/mwdb.py +152 -0
- misp_modules/modules/expansion/ocr_enrich.py +74 -0
- misp_modules/modules/expansion/ods_enrich.py +71 -0
- misp_modules/modules/expansion/odt_enrich.py +61 -0
- misp_modules/modules/expansion/onyphe.py +243 -0
- misp_modules/modules/expansion/onyphe_full.py +387 -0
- misp_modules/modules/expansion/otx.py +167 -0
- misp_modules/modules/expansion/passive_ssh.py +150 -0
- misp_modules/modules/expansion/passivetotal.py +358 -0
- misp_modules/modules/expansion/pdf_enrich.py +58 -0
- misp_modules/modules/expansion/pptx_enrich.py +65 -0
- misp_modules/modules/expansion/qintel_qsentry.py +229 -0
- misp_modules/modules/expansion/qrcode.py +99 -0
- misp_modules/modules/expansion/ransomcoindb.py +82 -0
- misp_modules/modules/expansion/rbl.py +126 -0
- misp_modules/modules/expansion/recordedfuture.py +544 -0
- misp_modules/modules/expansion/reversedns.py +77 -0
- misp_modules/modules/expansion/securitytrails.py +571 -0
- misp_modules/modules/expansion/shodan.py +244 -0
- misp_modules/modules/expansion/sigma_queries.py +61 -0
- misp_modules/modules/expansion/sigma_syntax_validator.py +49 -0
- misp_modules/modules/expansion/sigmf_expand.py +303 -0
- misp_modules/modules/expansion/socialscan.py +108 -0
- misp_modules/modules/expansion/sophoslabs_intelix.py +146 -0
- misp_modules/modules/expansion/sourcecache.py +57 -0
- misp_modules/modules/expansion/stairwell.py +156 -0
- misp_modules/modules/expansion/stix2_pattern_syntax_validator.py +56 -0
- misp_modules/modules/expansion/threatcrowd.py +170 -0
- misp_modules/modules/expansion/threatfox.py +75 -0
- misp_modules/modules/expansion/threatminer.py +152 -0
- misp_modules/modules/expansion/triage_submit.py +119 -0
- misp_modules/modules/expansion/trustar_enrich.py +235 -0
- misp_modules/modules/expansion/urlhaus.py +164 -0
- misp_modules/modules/expansion/urlscan.py +269 -0
- misp_modules/modules/expansion/variotdbs.py +133 -0
- misp_modules/modules/expansion/virustotal.py +311 -0
- misp_modules/modules/expansion/virustotal_public.py +272 -0
- misp_modules/modules/expansion/virustotal_upload.py +91 -0
- misp_modules/modules/expansion/vmray_submit.py +161 -0
- misp_modules/modules/expansion/vmware_nsx.py +628 -0
- misp_modules/modules/expansion/vulndb.py +292 -0
- misp_modules/modules/expansion/vulnerability_lookup.py +324 -0
- misp_modules/modules/expansion/vulners.py +81 -0
- misp_modules/modules/expansion/vysion.py +221 -0
- misp_modules/modules/expansion/whois.py +72 -0
- misp_modules/modules/expansion/whoisfreaks.py +232 -0
- misp_modules/modules/expansion/wiki.py +58 -0
- misp_modules/modules/expansion/xforceexchange.py +189 -0
- misp_modules/modules/expansion/xlsx_enrich.py +63 -0
- misp_modules/modules/expansion/yara_query.py +70 -0
- misp_modules/modules/expansion/yara_syntax_validator.py +49 -0
- misp_modules/modules/expansion/yeti.py +196 -0
- misp_modules/modules/export_mod/__init__.py +3 -0
- misp_modules/modules/export_mod/cef_export.py +93 -0
- misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py +150 -0
- misp_modules/modules/export_mod/defender_endpoint_export.py +141 -0
- misp_modules/modules/export_mod/goamlexport.py +255 -0
- misp_modules/modules/export_mod/liteexport.py +97 -0
- misp_modules/modules/export_mod/mass_eql_export.py +106 -0
- misp_modules/modules/export_mod/nexthinkexport.py +131 -0
- misp_modules/modules/export_mod/osqueryexport.py +125 -0
- misp_modules/modules/export_mod/pdfexport.py +107 -0
- misp_modules/modules/export_mod/testexport.py +73 -0
- misp_modules/modules/export_mod/threatStream_misp_export.py +114 -0
- misp_modules/modules/export_mod/threat_connect_export.py +125 -0
- misp_modules/modules/export_mod/virustotal_collections.py +141 -0
- misp_modules/modules/export_mod/vt_graph.py +120 -0
- misp_modules/modules/export_mod/yara_export.py +290 -0
- misp_modules/modules/import_mod/__init__.py +22 -0
- misp_modules/modules/import_mod/cof2misp.py +264 -0
- misp_modules/modules/import_mod/csvimport.py +319 -0
- misp_modules/modules/import_mod/cuckooimport.py +749 -0
- misp_modules/modules/import_mod/email_import.py +294 -0
- misp_modules/modules/import_mod/goamlimport.py +188 -0
- misp_modules/modules/import_mod/import_blueprint.py +93 -0
- misp_modules/modules/import_mod/joe_import.py +74 -0
- misp_modules/modules/import_mod/lastline_import.py +160 -0
- misp_modules/modules/import_mod/mispjson.py +73 -0
- misp_modules/modules/import_mod/ocr.py +122 -0
- misp_modules/modules/import_mod/openiocimport.py +99 -0
- misp_modules/modules/import_mod/taxii21.py +383 -0
- misp_modules/modules/import_mod/testimport.py +73 -0
- misp_modules/modules/import_mod/threatanalyzer_import.py +552 -0
- misp_modules/modules/import_mod/url_import.py +97 -0
- misp_modules/modules/import_mod/vmray_import.py +96 -0
- misp_modules/modules/import_mod/vmray_summary_json_import.py +87 -0
- misp_modules-2.4.196.dist-info/LICENSE +661 -0
- misp_modules-2.4.196.dist-info/METADATA +281 -0
- misp_modules-2.4.196.dist-info/RECORD +194 -0
- misp_modules-2.4.196.dist-info/WHEEL +4 -0
- misp_modules-2.4.196.dist-info/entry_points.txt +3 -0
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
import json
|
|
2
|
+
import binascii
|
|
3
|
+
import np
|
|
4
|
+
import ezodf
|
|
5
|
+
import pandas_ods_reader
|
|
6
|
+
import io
|
|
7
|
+
import logging
|
|
8
|
+
|
|
9
|
+
misperrors = {'error': 'Error'}
|
|
10
|
+
mispattributes = {'input': ['attachment'],
|
|
11
|
+
'output': ['freetext', 'text']}
|
|
12
|
+
moduleinfo = {
|
|
13
|
+
'version': '0.1',
|
|
14
|
+
'author': 'Sascha Rommelfangen',
|
|
15
|
+
'description': 'Module to extract freetext from a .ods document.',
|
|
16
|
+
'module-type': ['expansion'],
|
|
17
|
+
'name': 'ODS Enrich',
|
|
18
|
+
'logo': 'ods.png',
|
|
19
|
+
'requirements': ['ezodf: Python package to create/manipulate OpenDocumentFormat files.', 'pandas_ods_reader: Python library to read in ODS files.'],
|
|
20
|
+
'features': 'The module reads the text contained in a .ods document. The result is passed to the freetext import parser so IoCs can be extracted out of it.',
|
|
21
|
+
'references': [],
|
|
22
|
+
'input': 'Attachment attribute containing a .ods document.',
|
|
23
|
+
'output': 'Text and freetext parsed from the document.',
|
|
24
|
+
}
|
|
25
|
+
|
|
26
|
+
moduleconfig = []
|
|
27
|
+
|
|
28
|
+
|
|
29
|
+
def handler(q=False):
|
|
30
|
+
if q is False:
|
|
31
|
+
return False
|
|
32
|
+
q = json.loads(q)
|
|
33
|
+
filename = q['attachment']
|
|
34
|
+
try:
|
|
35
|
+
ods_array = np.frombuffer(binascii.a2b_base64(q['data']), np.uint8)
|
|
36
|
+
except Exception as e:
|
|
37
|
+
print(e)
|
|
38
|
+
err = "Couldn't fetch attachment (JSON 'data' is empty). Are you using the 'Query enrichment' action?"
|
|
39
|
+
misperrors['error'] = err
|
|
40
|
+
print(err)
|
|
41
|
+
return misperrors
|
|
42
|
+
|
|
43
|
+
ods_content = ""
|
|
44
|
+
ods_file = io.BytesIO(ods_array)
|
|
45
|
+
doc = ezodf.opendoc(ods_file)
|
|
46
|
+
num_sheets = len(doc.sheets)
|
|
47
|
+
try:
|
|
48
|
+
for i in range(0, num_sheets):
|
|
49
|
+
rows = pandas_ods_reader.parsers.ods.get_rows(doc, i)
|
|
50
|
+
try:
|
|
51
|
+
ods = pandas_ods_reader.algo.parse_data(pandas_ods_reader.parsers.ods, rows, headers=False, columns=[], skiprows=0)
|
|
52
|
+
ods = pandas_ods_reader.utils.sanitize_df(ods)
|
|
53
|
+
except TypeError:
|
|
54
|
+
ods = pandas_ods_reader.algo.read_data(pandas_ods_reader.parsers.ods, ods_file, i, headers=False)
|
|
55
|
+
ods_content = ods_content + "\n" + ods.to_string(max_rows=None)
|
|
56
|
+
return {'results': [{'types': ['freetext'], 'values': ods_content, 'comment': ".ods-to-text from file " + filename},
|
|
57
|
+
{'types': ['text'], 'values': ods_content, 'comment': ".ods-to-text from file " + filename}]}
|
|
58
|
+
except Exception as e:
|
|
59
|
+
logging.exception(e)
|
|
60
|
+
err = "Couldn't analyze file as .ods. Error was: " + str(e)
|
|
61
|
+
misperrors['error'] = err
|
|
62
|
+
return misperrors
|
|
63
|
+
|
|
64
|
+
|
|
65
|
+
def introspection():
|
|
66
|
+
return mispattributes
|
|
67
|
+
|
|
68
|
+
|
|
69
|
+
def version():
|
|
70
|
+
moduleinfo['config'] = moduleconfig
|
|
71
|
+
return moduleinfo
|
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
import json
|
|
2
|
+
import binascii
|
|
3
|
+
import np
|
|
4
|
+
from ODTReader.odtreader import odtToText
|
|
5
|
+
import io
|
|
6
|
+
|
|
7
|
+
misperrors = {'error': 'Error'}
|
|
8
|
+
mispattributes = {'input': ['attachment'],
|
|
9
|
+
'output': ['freetext', 'text']}
|
|
10
|
+
moduleinfo = {
|
|
11
|
+
'version': '0.1',
|
|
12
|
+
'author': 'Sascha Rommelfangen',
|
|
13
|
+
'description': 'Module to extract freetext from a .odt document.',
|
|
14
|
+
'module-type': ['expansion'],
|
|
15
|
+
'name': 'ODT Enrich',
|
|
16
|
+
'logo': 'odt.png',
|
|
17
|
+
'requirements': ['ODT reader python library.'],
|
|
18
|
+
'features': 'The module reads the text contained in a .odt document. The result is passed to the freetext import parser so IoCs can be extracted out of it.',
|
|
19
|
+
'references': [],
|
|
20
|
+
'input': 'Attachment attribute containing a .odt document.',
|
|
21
|
+
'output': 'Text and freetext parsed from the document.',
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
moduleconfig = []
|
|
25
|
+
|
|
26
|
+
|
|
27
|
+
def handler(q=False):
|
|
28
|
+
if q is False:
|
|
29
|
+
return False
|
|
30
|
+
q = json.loads(q)
|
|
31
|
+
filename = q['attachment']
|
|
32
|
+
try:
|
|
33
|
+
odt_array = np.frombuffer(binascii.a2b_base64(q['data']), np.uint8)
|
|
34
|
+
except Exception as e:
|
|
35
|
+
print(e)
|
|
36
|
+
err = "Couldn't fetch attachment (JSON 'data' is empty). Are you using the 'Query enrichment' action?"
|
|
37
|
+
misperrors['error'] = err
|
|
38
|
+
print(err)
|
|
39
|
+
return misperrors
|
|
40
|
+
|
|
41
|
+
odt_content = ""
|
|
42
|
+
odt_file = io.BytesIO(odt_array)
|
|
43
|
+
try:
|
|
44
|
+
odt_content = odtToText(odt_file)
|
|
45
|
+
print(odt_content)
|
|
46
|
+
return {'results': [{'types': ['freetext'], 'values': odt_content, 'comment': ".odt-to-text from file " + filename},
|
|
47
|
+
{'types': ['text'], 'values': odt_content, 'comment': ".odt-to-text from file " + filename}]}
|
|
48
|
+
except Exception as e:
|
|
49
|
+
print(e)
|
|
50
|
+
err = "Couldn't analyze file as .odt. Error was: " + str(e)
|
|
51
|
+
misperrors['error'] = err
|
|
52
|
+
return misperrors
|
|
53
|
+
|
|
54
|
+
|
|
55
|
+
def introspection():
|
|
56
|
+
return mispattributes
|
|
57
|
+
|
|
58
|
+
|
|
59
|
+
def version():
|
|
60
|
+
moduleinfo['config'] = moduleconfig
|
|
61
|
+
return moduleinfo
|
|
@@ -0,0 +1,243 @@
|
|
|
1
|
+
# -*- coding: utf-8 -*-
|
|
2
|
+
|
|
3
|
+
import json
|
|
4
|
+
|
|
5
|
+
from pymisp import MISPEvent, MISPObject
|
|
6
|
+
|
|
7
|
+
try:
|
|
8
|
+
from onyphe import Onyphe
|
|
9
|
+
except ImportError:
|
|
10
|
+
print("pyonyphe module not installed.")
|
|
11
|
+
|
|
12
|
+
misperrors = {'error': 'Error'}
|
|
13
|
+
|
|
14
|
+
mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain'],
|
|
15
|
+
'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'url'],
|
|
16
|
+
'format': 'misp_standard'}
|
|
17
|
+
# possible module-types: 'expansion', 'hover' or both
|
|
18
|
+
moduleinfo = {
|
|
19
|
+
'version': '2',
|
|
20
|
+
'author': 'Sebastien Larinier @sebdraven',
|
|
21
|
+
'description': 'Module to process a query on Onyphe.',
|
|
22
|
+
'module-type': ['expansion', 'hover'],
|
|
23
|
+
'name': 'Onyphe Lookup',
|
|
24
|
+
'logo': 'onyphe.jpg',
|
|
25
|
+
'requirements': ['onyphe python library', 'An access to the Onyphe API (apikey)'],
|
|
26
|
+
'features': 'This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted.',
|
|
27
|
+
'references': ['https://www.onyphe.io/', 'https://github.com/sebdraven/pyonyphe'],
|
|
28
|
+
'input': 'A domain, hostname or IP address MISP attribute.',
|
|
29
|
+
'output': 'MISP attributes fetched from the Onyphe query.',
|
|
30
|
+
}
|
|
31
|
+
|
|
32
|
+
# config fields that your code expects from the site admin
|
|
33
|
+
moduleconfig = ['apikey']
|
|
34
|
+
|
|
35
|
+
|
|
36
|
+
class OnypheClient:
|
|
37
|
+
|
|
38
|
+
def __init__(self, api_key, attribute):
|
|
39
|
+
self.onyphe_client = Onyphe(api_key=api_key)
|
|
40
|
+
self.attribute = attribute
|
|
41
|
+
self.misp_event = MISPEvent()
|
|
42
|
+
self.misp_event.add_attribute(**attribute)
|
|
43
|
+
|
|
44
|
+
def get_results(self):
|
|
45
|
+
event = json.loads(self.misp_event.to_json())
|
|
46
|
+
results = {key: event[key]
|
|
47
|
+
for key in ('Attribute', 'Object') if key in event}
|
|
48
|
+
return results
|
|
49
|
+
|
|
50
|
+
def get_query_onyphe(self):
|
|
51
|
+
if self.attribute['type'] == 'ip-src' or self.attribute['type'] == 'ip-dst':
|
|
52
|
+
self.__summary_ip()
|
|
53
|
+
if self.attribute['type'] == 'domain':
|
|
54
|
+
self.__summary_domain()
|
|
55
|
+
if self.attribute['type'] == 'hostname':
|
|
56
|
+
self.__summary_hostname()
|
|
57
|
+
|
|
58
|
+
def __summary_ip(self):
|
|
59
|
+
results = self.onyphe_client.summary_ip(self.attribute['value'])
|
|
60
|
+
if 'results' in results:
|
|
61
|
+
for r in results['results']:
|
|
62
|
+
if 'domain' in r:
|
|
63
|
+
domain = r['domain']
|
|
64
|
+
if type(domain) == list:
|
|
65
|
+
for d in domain:
|
|
66
|
+
self.__get_object_domain_ip(d, 'domain')
|
|
67
|
+
elif type(domain) == str:
|
|
68
|
+
self.__get_object_domain_ip(domain, 'domain')
|
|
69
|
+
|
|
70
|
+
if 'hostname' in r:
|
|
71
|
+
hostname = r['hostname']
|
|
72
|
+
if type(hostname) == list:
|
|
73
|
+
for d in hostname:
|
|
74
|
+
self.__get_object_domain_ip(d, 'domain')
|
|
75
|
+
elif type(hostname) == str:
|
|
76
|
+
self.__get_object_domain_ip(hostname, 'domain')
|
|
77
|
+
|
|
78
|
+
if 'issuer' in r:
|
|
79
|
+
self.__get_object_certificate(r)
|
|
80
|
+
|
|
81
|
+
def __summary_domain(self):
|
|
82
|
+
results = self.onyphe_client.summary_domain(self.attribute['value'])
|
|
83
|
+
if 'results' in results:
|
|
84
|
+
for r in results['results']:
|
|
85
|
+
|
|
86
|
+
for domain in r.get('domain'):
|
|
87
|
+
self.misp_event.add_attribute('domain', domain)
|
|
88
|
+
for hostname in r.get('hostname'):
|
|
89
|
+
self.misp_event.add_attribute('hostname', hostname)
|
|
90
|
+
if 'ip' in r:
|
|
91
|
+
if type(r['ip']) is str:
|
|
92
|
+
self.__get_object_domain_ip(r['ip'], 'ip')
|
|
93
|
+
if type(r['ip']) is list:
|
|
94
|
+
for ip in r['ip']:
|
|
95
|
+
self.__get_object_domain_ip(ip, 'ip')
|
|
96
|
+
if 'issuer' in r:
|
|
97
|
+
self.__get_object_certificate(r)
|
|
98
|
+
|
|
99
|
+
def __summary_hostname(self):
|
|
100
|
+
results = self.onyphe_client.summary_hostname(self.attribute['value'])
|
|
101
|
+
if 'results' in results:
|
|
102
|
+
|
|
103
|
+
for r in results['results']:
|
|
104
|
+
if 'domain' in r:
|
|
105
|
+
if type(r['domain']) is str:
|
|
106
|
+
self.misp_event.add_attribute(
|
|
107
|
+
'domain', r['domain'])
|
|
108
|
+
if type(r['domain']) is list:
|
|
109
|
+
for domain in r['domain']:
|
|
110
|
+
self.misp_event.add_attribute('domain', domain)
|
|
111
|
+
|
|
112
|
+
if 'hostname' in r:
|
|
113
|
+
if type(r['hostname']) is str:
|
|
114
|
+
self.misp_event.add_attribute(
|
|
115
|
+
'hostname', r['hostname'])
|
|
116
|
+
if type(r['hostname']) is list:
|
|
117
|
+
for hostname in r['hostname']:
|
|
118
|
+
self.misp_event.add_attribute(
|
|
119
|
+
'hostname', hostname)
|
|
120
|
+
|
|
121
|
+
if 'ip' in r:
|
|
122
|
+
if type(r['ip']) is str:
|
|
123
|
+
self.__get_object_domain_ip(r['ip'], 'ip')
|
|
124
|
+
if type(r['ip']) is list:
|
|
125
|
+
for ip in r['ip']:
|
|
126
|
+
self.__get_object_domain_ip(ip, 'ip')
|
|
127
|
+
|
|
128
|
+
if 'issuer' in r:
|
|
129
|
+
self.__get_object_certificate(r)
|
|
130
|
+
|
|
131
|
+
if 'cve' in r:
|
|
132
|
+
if type(r['cve']) is list:
|
|
133
|
+
for cve in r['cve']:
|
|
134
|
+
self.__get_object_cve(r, cve)
|
|
135
|
+
|
|
136
|
+
def __get_object_certificate(self, r):
|
|
137
|
+
object_certificate = MISPObject('x509')
|
|
138
|
+
object_certificate.add_attribute('ip', self.attribute['value'])
|
|
139
|
+
object_certificate.add_attribute('serial-number', r['serial'])
|
|
140
|
+
object_certificate.add_attribute(
|
|
141
|
+
'x509-fingerprint-sha256', r['fingerprint']['sha256'])
|
|
142
|
+
object_certificate.add_attribute(
|
|
143
|
+
'x509-fingerprint-sha1', r['fingerprint']['sha1'])
|
|
144
|
+
object_certificate.add_attribute(
|
|
145
|
+
'x509-fingerprint-md5', r['fingerprint']['md5'])
|
|
146
|
+
|
|
147
|
+
signature = r['signature']['algorithm']
|
|
148
|
+
value = ''
|
|
149
|
+
if 'sha256' in signature and 'RSA' in signature:
|
|
150
|
+
value = 'SHA256_WITH_RSA_ENCRYPTION'
|
|
151
|
+
elif 'sha1' in signature and 'RSA' in signature:
|
|
152
|
+
value = 'SHA1_WITH_RSA_ENCRYPTION'
|
|
153
|
+
if value:
|
|
154
|
+
object_certificate.add_attribute('signature_algorithm', value)
|
|
155
|
+
|
|
156
|
+
object_certificate.add_attribute(
|
|
157
|
+
'pubkey-info-algorithm', r['publickey']['algorithm'])
|
|
158
|
+
|
|
159
|
+
if 'exponent' in r['publickey']:
|
|
160
|
+
object_certificate.add_attribute(
|
|
161
|
+
'pubkey-info-exponent', r['publickey']['exponent'])
|
|
162
|
+
if 'length' in r['publickey']:
|
|
163
|
+
object_certificate.add_attribute(
|
|
164
|
+
'pubkey-info-size', r['publickey']['length'])
|
|
165
|
+
|
|
166
|
+
object_certificate.add_attribute('issuer', r['issuer']['commonname'])
|
|
167
|
+
object_certificate.add_attribute(
|
|
168
|
+
'validity-not-before', r['validity']['notbefore'])
|
|
169
|
+
object_certificate.add_attribute(
|
|
170
|
+
'validity-not-after', r['validity']['notbefore'])
|
|
171
|
+
object_certificate.add_reference(self.attribute['uuid'], 'related-to')
|
|
172
|
+
self.misp_event.add_object(object_certificate)
|
|
173
|
+
|
|
174
|
+
def __get_object_domain_ip(self, obs, relation):
|
|
175
|
+
objet_domain_ip = MISPObject('domain-ip')
|
|
176
|
+
objet_domain_ip.add_attribute(relation, obs)
|
|
177
|
+
relation_attr = self.__get_relation_attribute()
|
|
178
|
+
if relation_attr:
|
|
179
|
+
objet_domain_ip.add_attribute(
|
|
180
|
+
relation_attr, self.attribute['value'])
|
|
181
|
+
objet_domain_ip.add_reference(self.attribute['uuid'], 'related-to')
|
|
182
|
+
self.misp_event.add_object(objet_domain_ip)
|
|
183
|
+
|
|
184
|
+
def __get_relation_attribute(self):
|
|
185
|
+
|
|
186
|
+
if self.attribute['type'] == 'ip-src':
|
|
187
|
+
return 'ip'
|
|
188
|
+
elif self.attribute['type'] == 'ip-dst':
|
|
189
|
+
return 'ip'
|
|
190
|
+
elif self.attribute['type'] == 'domain':
|
|
191
|
+
return 'domain'
|
|
192
|
+
elif self.attribute['type'] == 'hostname':
|
|
193
|
+
return 'domain'
|
|
194
|
+
|
|
195
|
+
def __get_object_cve(self, item, cve):
|
|
196
|
+
attributes = []
|
|
197
|
+
object_cve = MISPObject('vulnerability')
|
|
198
|
+
object_cve.add_attribute('id', cve)
|
|
199
|
+
object_cve.add_attribute('state', 'Published')
|
|
200
|
+
|
|
201
|
+
if type(item['ip']) is list:
|
|
202
|
+
for ip in item['ip']:
|
|
203
|
+
attributes.extend(
|
|
204
|
+
list(filter(lambda x: x['value'] == ip, self.misp_event['Attribute'])))
|
|
205
|
+
for obj in self.misp_event['Object']:
|
|
206
|
+
attributes.extend(
|
|
207
|
+
list(filter(lambda x: x['value'] == ip, obj['Attribute'])))
|
|
208
|
+
if type(item['ip']) is str:
|
|
209
|
+
|
|
210
|
+
for obj in self.misp_event['Object']:
|
|
211
|
+
for att in obj['Attribute']:
|
|
212
|
+
if att['value'] == item['ip']:
|
|
213
|
+
object_cve.add_reference(obj['uuid'], 'cve')
|
|
214
|
+
|
|
215
|
+
self.misp_event.add_object(object_cve)
|
|
216
|
+
|
|
217
|
+
|
|
218
|
+
def handler(q=False):
|
|
219
|
+
if q:
|
|
220
|
+
|
|
221
|
+
request = json.loads(q)
|
|
222
|
+
attribute = request['attribute']
|
|
223
|
+
|
|
224
|
+
if not request.get('config') or not request['config'].get('apikey'):
|
|
225
|
+
misperrors['error'] = 'Onyphe authentication is missing'
|
|
226
|
+
return misperrors
|
|
227
|
+
|
|
228
|
+
api_key = request['config'].get('apikey')
|
|
229
|
+
|
|
230
|
+
onyphe_client = OnypheClient(api_key, attribute)
|
|
231
|
+
onyphe_client.get_query_onyphe()
|
|
232
|
+
results = onyphe_client.get_results()
|
|
233
|
+
|
|
234
|
+
return {'results': results}
|
|
235
|
+
|
|
236
|
+
|
|
237
|
+
def introspection():
|
|
238
|
+
return mispattributes
|
|
239
|
+
|
|
240
|
+
|
|
241
|
+
def version():
|
|
242
|
+
moduleinfo['config'] = moduleconfig
|
|
243
|
+
return moduleinfo
|