misp-modules 2.4.196__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (194) hide show
  1. misp_modules/__init__.py +379 -0
  2. misp_modules/helpers/__init__.py +1 -0
  3. misp_modules/helpers/cache.py +84 -0
  4. misp_modules/lib/__init__.py +4 -0
  5. misp_modules/lib/_vmray/__init__.py +0 -0
  6. misp_modules/lib/_vmray/parser.py +1417 -0
  7. misp_modules/lib/_vmray/rest_api.py +148 -0
  8. misp_modules/lib/cof2misp/LICENSE-2.0.txt +202 -0
  9. misp_modules/lib/cof2misp/__init__.py +0 -0
  10. misp_modules/lib/cof2misp/cof.py +165 -0
  11. misp_modules/lib/joe_mapping.py +114 -0
  12. misp_modules/lib/joe_parser.py +573 -0
  13. misp_modules/lib/lastline_api.py +841 -0
  14. misp_modules/lib/qintel_helper.py +263 -0
  15. misp_modules/lib/stix2misp.py +2080 -0
  16. misp_modules/lib/stix2misp_mapping.py +460 -0
  17. misp_modules/lib/synonymsToTagNames.json +1 -0
  18. misp_modules/lib/vt_graph_parser/__init__.py +8 -0
  19. misp_modules/lib/vt_graph_parser/errors.py +20 -0
  20. misp_modules/lib/vt_graph_parser/helpers/__init__.py +7 -0
  21. misp_modules/lib/vt_graph_parser/helpers/parsers.py +88 -0
  22. misp_modules/lib/vt_graph_parser/helpers/rules.py +304 -0
  23. misp_modules/lib/vt_graph_parser/helpers/wrappers.py +58 -0
  24. misp_modules/lib/vt_graph_parser/importers/__init__.py +7 -0
  25. misp_modules/lib/vt_graph_parser/importers/base.py +98 -0
  26. misp_modules/lib/vt_graph_parser/importers/pymisp_response.py +73 -0
  27. misp_modules/modules/__init__.py +4 -0
  28. misp_modules/modules/action_mod/__init__.py +1 -0
  29. misp_modules/modules/action_mod/_utils/__init__.py +1 -0
  30. misp_modules/modules/action_mod/_utils/utils.py +70 -0
  31. misp_modules/modules/action_mod/mattermost.py +113 -0
  32. misp_modules/modules/action_mod/slack.py +96 -0
  33. misp_modules/modules/action_mod/testaction.py +68 -0
  34. misp_modules/modules/expansion/__init__.py +36 -0
  35. misp_modules/modules/expansion/_dnsdb_query/COPYRIGHT +27 -0
  36. misp_modules/modules/expansion/_dnsdb_query/LICENSE +202 -0
  37. misp_modules/modules/expansion/_dnsdb_query/README.md +162 -0
  38. misp_modules/modules/expansion/_dnsdb_query/__init__.py +0 -0
  39. misp_modules/modules/expansion/_dnsdb_query/dnsdb_query.py +327 -0
  40. misp_modules/modules/expansion/_ransomcoindb/__init__.py +0 -0
  41. misp_modules/modules/expansion/_ransomcoindb/ransomcoindb.py +96 -0
  42. misp_modules/modules/expansion/_vulnerability_parser/__init__.py +0 -0
  43. misp_modules/modules/expansion/_vulnerability_parser/vulnerability_parser.py +118 -0
  44. misp_modules/modules/expansion/abuseipdb.py +146 -0
  45. misp_modules/modules/expansion/apiosintds.py +365 -0
  46. misp_modules/modules/expansion/apivoid.py +133 -0
  47. misp_modules/modules/expansion/assemblyline_query.py +179 -0
  48. misp_modules/modules/expansion/assemblyline_submit.py +100 -0
  49. misp_modules/modules/expansion/backscatter_io.py +84 -0
  50. misp_modules/modules/expansion/btc_scam_check.py +54 -0
  51. misp_modules/modules/expansion/btc_steroids.py +238 -0
  52. misp_modules/modules/expansion/censys_enrich.py +287 -0
  53. misp_modules/modules/expansion/circl_passivedns.py +85 -0
  54. misp_modules/modules/expansion/circl_passivessl.py +113 -0
  55. misp_modules/modules/expansion/clamav.py +129 -0
  56. misp_modules/modules/expansion/cluster25_expand.py +239 -0
  57. misp_modules/modules/expansion/countrycode.py +69 -0
  58. misp_modules/modules/expansion/cpe.py +140 -0
  59. misp_modules/modules/expansion/crowdsec.py +235 -0
  60. misp_modules/modules/expansion/crowdstrike_falcon.py +148 -0
  61. misp_modules/modules/expansion/cuckoo_submit.py +161 -0
  62. misp_modules/modules/expansion/cve.py +57 -0
  63. misp_modules/modules/expansion/cve_advanced.py +185 -0
  64. misp_modules/modules/expansion/cytomic_orion.py +196 -0
  65. misp_modules/modules/expansion/dbl_spamhaus.py +78 -0
  66. misp_modules/modules/expansion/dns.py +71 -0
  67. misp_modules/modules/expansion/docx_enrich.py +71 -0
  68. misp_modules/modules/expansion/domaintools.py +290 -0
  69. misp_modules/modules/expansion/eql.py +91 -0
  70. misp_modules/modules/expansion/eupi.py +86 -0
  71. misp_modules/modules/expansion/extract_url_components.py +83 -0
  72. misp_modules/modules/expansion/farsight_passivedns.py +243 -0
  73. misp_modules/modules/expansion/geoip_asn.py +75 -0
  74. misp_modules/modules/expansion/geoip_city.py +75 -0
  75. misp_modules/modules/expansion/geoip_country.py +73 -0
  76. misp_modules/modules/expansion/google_safe_browsing.py +86 -0
  77. misp_modules/modules/expansion/google_search.py +57 -0
  78. misp_modules/modules/expansion/google_threat_intelligence.py +453 -0
  79. misp_modules/modules/expansion/greynoise.py +346 -0
  80. misp_modules/modules/expansion/hashdd.py +53 -0
  81. misp_modules/modules/expansion/hashlookup.py +118 -0
  82. misp_modules/modules/expansion/hibp.py +62 -0
  83. misp_modules/modules/expansion/html_to_markdown.py +63 -0
  84. misp_modules/modules/expansion/hyasinsight.py +881 -0
  85. misp_modules/modules/expansion/intel471.py +73 -0
  86. misp_modules/modules/expansion/intelmq_eventdb.py.experimental +67 -0
  87. misp_modules/modules/expansion/ip2locationio.py +90 -0
  88. misp_modules/modules/expansion/ipasn.py +70 -0
  89. misp_modules/modules/expansion/ipinfo.py +112 -0
  90. misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py +633 -0
  91. misp_modules/modules/expansion/iprep.py +98 -0
  92. misp_modules/modules/expansion/jinja_template_rendering.py +54 -0
  93. misp_modules/modules/expansion/joesandbox_query.py +91 -0
  94. misp_modules/modules/expansion/joesandbox_submit.py +147 -0
  95. misp_modules/modules/expansion/lastline_query.py +148 -0
  96. misp_modules/modules/expansion/lastline_submit.py +180 -0
  97. misp_modules/modules/expansion/macaddress_io.py +130 -0
  98. misp_modules/modules/expansion/macvendors.py +55 -0
  99. misp_modules/modules/expansion/malshare_upload.py +107 -0
  100. misp_modules/modules/expansion/malwarebazaar.py +67 -0
  101. misp_modules/modules/expansion/mcafee_insights_enrich.py +249 -0
  102. misp_modules/modules/expansion/mmdb_lookup.py +138 -0
  103. misp_modules/modules/expansion/module.py.skeleton +44 -0
  104. misp_modules/modules/expansion/mwdb.py +152 -0
  105. misp_modules/modules/expansion/ocr_enrich.py +74 -0
  106. misp_modules/modules/expansion/ods_enrich.py +71 -0
  107. misp_modules/modules/expansion/odt_enrich.py +61 -0
  108. misp_modules/modules/expansion/onyphe.py +243 -0
  109. misp_modules/modules/expansion/onyphe_full.py +387 -0
  110. misp_modules/modules/expansion/otx.py +167 -0
  111. misp_modules/modules/expansion/passive_ssh.py +150 -0
  112. misp_modules/modules/expansion/passivetotal.py +358 -0
  113. misp_modules/modules/expansion/pdf_enrich.py +58 -0
  114. misp_modules/modules/expansion/pptx_enrich.py +65 -0
  115. misp_modules/modules/expansion/qintel_qsentry.py +229 -0
  116. misp_modules/modules/expansion/qrcode.py +99 -0
  117. misp_modules/modules/expansion/ransomcoindb.py +82 -0
  118. misp_modules/modules/expansion/rbl.py +126 -0
  119. misp_modules/modules/expansion/recordedfuture.py +544 -0
  120. misp_modules/modules/expansion/reversedns.py +77 -0
  121. misp_modules/modules/expansion/securitytrails.py +571 -0
  122. misp_modules/modules/expansion/shodan.py +244 -0
  123. misp_modules/modules/expansion/sigma_queries.py +61 -0
  124. misp_modules/modules/expansion/sigma_syntax_validator.py +49 -0
  125. misp_modules/modules/expansion/sigmf_expand.py +303 -0
  126. misp_modules/modules/expansion/socialscan.py +108 -0
  127. misp_modules/modules/expansion/sophoslabs_intelix.py +146 -0
  128. misp_modules/modules/expansion/sourcecache.py +57 -0
  129. misp_modules/modules/expansion/stairwell.py +156 -0
  130. misp_modules/modules/expansion/stix2_pattern_syntax_validator.py +56 -0
  131. misp_modules/modules/expansion/threatcrowd.py +170 -0
  132. misp_modules/modules/expansion/threatfox.py +75 -0
  133. misp_modules/modules/expansion/threatminer.py +152 -0
  134. misp_modules/modules/expansion/triage_submit.py +119 -0
  135. misp_modules/modules/expansion/trustar_enrich.py +235 -0
  136. misp_modules/modules/expansion/urlhaus.py +164 -0
  137. misp_modules/modules/expansion/urlscan.py +269 -0
  138. misp_modules/modules/expansion/variotdbs.py +133 -0
  139. misp_modules/modules/expansion/virustotal.py +311 -0
  140. misp_modules/modules/expansion/virustotal_public.py +272 -0
  141. misp_modules/modules/expansion/virustotal_upload.py +91 -0
  142. misp_modules/modules/expansion/vmray_submit.py +161 -0
  143. misp_modules/modules/expansion/vmware_nsx.py +628 -0
  144. misp_modules/modules/expansion/vulndb.py +292 -0
  145. misp_modules/modules/expansion/vulnerability_lookup.py +324 -0
  146. misp_modules/modules/expansion/vulners.py +81 -0
  147. misp_modules/modules/expansion/vysion.py +221 -0
  148. misp_modules/modules/expansion/whois.py +72 -0
  149. misp_modules/modules/expansion/whoisfreaks.py +232 -0
  150. misp_modules/modules/expansion/wiki.py +58 -0
  151. misp_modules/modules/expansion/xforceexchange.py +189 -0
  152. misp_modules/modules/expansion/xlsx_enrich.py +63 -0
  153. misp_modules/modules/expansion/yara_query.py +70 -0
  154. misp_modules/modules/expansion/yara_syntax_validator.py +49 -0
  155. misp_modules/modules/expansion/yeti.py +196 -0
  156. misp_modules/modules/export_mod/__init__.py +3 -0
  157. misp_modules/modules/export_mod/cef_export.py +93 -0
  158. misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py +150 -0
  159. misp_modules/modules/export_mod/defender_endpoint_export.py +141 -0
  160. misp_modules/modules/export_mod/goamlexport.py +255 -0
  161. misp_modules/modules/export_mod/liteexport.py +97 -0
  162. misp_modules/modules/export_mod/mass_eql_export.py +106 -0
  163. misp_modules/modules/export_mod/nexthinkexport.py +131 -0
  164. misp_modules/modules/export_mod/osqueryexport.py +125 -0
  165. misp_modules/modules/export_mod/pdfexport.py +107 -0
  166. misp_modules/modules/export_mod/testexport.py +73 -0
  167. misp_modules/modules/export_mod/threatStream_misp_export.py +114 -0
  168. misp_modules/modules/export_mod/threat_connect_export.py +125 -0
  169. misp_modules/modules/export_mod/virustotal_collections.py +141 -0
  170. misp_modules/modules/export_mod/vt_graph.py +120 -0
  171. misp_modules/modules/export_mod/yara_export.py +290 -0
  172. misp_modules/modules/import_mod/__init__.py +22 -0
  173. misp_modules/modules/import_mod/cof2misp.py +264 -0
  174. misp_modules/modules/import_mod/csvimport.py +319 -0
  175. misp_modules/modules/import_mod/cuckooimport.py +749 -0
  176. misp_modules/modules/import_mod/email_import.py +294 -0
  177. misp_modules/modules/import_mod/goamlimport.py +188 -0
  178. misp_modules/modules/import_mod/import_blueprint.py +93 -0
  179. misp_modules/modules/import_mod/joe_import.py +74 -0
  180. misp_modules/modules/import_mod/lastline_import.py +160 -0
  181. misp_modules/modules/import_mod/mispjson.py +73 -0
  182. misp_modules/modules/import_mod/ocr.py +122 -0
  183. misp_modules/modules/import_mod/openiocimport.py +99 -0
  184. misp_modules/modules/import_mod/taxii21.py +383 -0
  185. misp_modules/modules/import_mod/testimport.py +73 -0
  186. misp_modules/modules/import_mod/threatanalyzer_import.py +552 -0
  187. misp_modules/modules/import_mod/url_import.py +97 -0
  188. misp_modules/modules/import_mod/vmray_import.py +96 -0
  189. misp_modules/modules/import_mod/vmray_summary_json_import.py +87 -0
  190. misp_modules-2.4.196.dist-info/LICENSE +661 -0
  191. misp_modules-2.4.196.dist-info/METADATA +281 -0
  192. misp_modules-2.4.196.dist-info/RECORD +194 -0
  193. misp_modules-2.4.196.dist-info/WHEEL +4 -0
  194. misp_modules-2.4.196.dist-info/entry_points.txt +3 -0
@@ -0,0 +1,71 @@
1
+ import json
2
+ import binascii
3
+ import np
4
+ import ezodf
5
+ import pandas_ods_reader
6
+ import io
7
+ import logging
8
+
9
+ misperrors = {'error': 'Error'}
10
+ mispattributes = {'input': ['attachment'],
11
+ 'output': ['freetext', 'text']}
12
+ moduleinfo = {
13
+ 'version': '0.1',
14
+ 'author': 'Sascha Rommelfangen',
15
+ 'description': 'Module to extract freetext from a .ods document.',
16
+ 'module-type': ['expansion'],
17
+ 'name': 'ODS Enrich',
18
+ 'logo': 'ods.png',
19
+ 'requirements': ['ezodf: Python package to create/manipulate OpenDocumentFormat files.', 'pandas_ods_reader: Python library to read in ODS files.'],
20
+ 'features': 'The module reads the text contained in a .ods document. The result is passed to the freetext import parser so IoCs can be extracted out of it.',
21
+ 'references': [],
22
+ 'input': 'Attachment attribute containing a .ods document.',
23
+ 'output': 'Text and freetext parsed from the document.',
24
+ }
25
+
26
+ moduleconfig = []
27
+
28
+
29
+ def handler(q=False):
30
+ if q is False:
31
+ return False
32
+ q = json.loads(q)
33
+ filename = q['attachment']
34
+ try:
35
+ ods_array = np.frombuffer(binascii.a2b_base64(q['data']), np.uint8)
36
+ except Exception as e:
37
+ print(e)
38
+ err = "Couldn't fetch attachment (JSON 'data' is empty). Are you using the 'Query enrichment' action?"
39
+ misperrors['error'] = err
40
+ print(err)
41
+ return misperrors
42
+
43
+ ods_content = ""
44
+ ods_file = io.BytesIO(ods_array)
45
+ doc = ezodf.opendoc(ods_file)
46
+ num_sheets = len(doc.sheets)
47
+ try:
48
+ for i in range(0, num_sheets):
49
+ rows = pandas_ods_reader.parsers.ods.get_rows(doc, i)
50
+ try:
51
+ ods = pandas_ods_reader.algo.parse_data(pandas_ods_reader.parsers.ods, rows, headers=False, columns=[], skiprows=0)
52
+ ods = pandas_ods_reader.utils.sanitize_df(ods)
53
+ except TypeError:
54
+ ods = pandas_ods_reader.algo.read_data(pandas_ods_reader.parsers.ods, ods_file, i, headers=False)
55
+ ods_content = ods_content + "\n" + ods.to_string(max_rows=None)
56
+ return {'results': [{'types': ['freetext'], 'values': ods_content, 'comment': ".ods-to-text from file " + filename},
57
+ {'types': ['text'], 'values': ods_content, 'comment': ".ods-to-text from file " + filename}]}
58
+ except Exception as e:
59
+ logging.exception(e)
60
+ err = "Couldn't analyze file as .ods. Error was: " + str(e)
61
+ misperrors['error'] = err
62
+ return misperrors
63
+
64
+
65
+ def introspection():
66
+ return mispattributes
67
+
68
+
69
+ def version():
70
+ moduleinfo['config'] = moduleconfig
71
+ return moduleinfo
@@ -0,0 +1,61 @@
1
+ import json
2
+ import binascii
3
+ import np
4
+ from ODTReader.odtreader import odtToText
5
+ import io
6
+
7
+ misperrors = {'error': 'Error'}
8
+ mispattributes = {'input': ['attachment'],
9
+ 'output': ['freetext', 'text']}
10
+ moduleinfo = {
11
+ 'version': '0.1',
12
+ 'author': 'Sascha Rommelfangen',
13
+ 'description': 'Module to extract freetext from a .odt document.',
14
+ 'module-type': ['expansion'],
15
+ 'name': 'ODT Enrich',
16
+ 'logo': 'odt.png',
17
+ 'requirements': ['ODT reader python library.'],
18
+ 'features': 'The module reads the text contained in a .odt document. The result is passed to the freetext import parser so IoCs can be extracted out of it.',
19
+ 'references': [],
20
+ 'input': 'Attachment attribute containing a .odt document.',
21
+ 'output': 'Text and freetext parsed from the document.',
22
+ }
23
+
24
+ moduleconfig = []
25
+
26
+
27
+ def handler(q=False):
28
+ if q is False:
29
+ return False
30
+ q = json.loads(q)
31
+ filename = q['attachment']
32
+ try:
33
+ odt_array = np.frombuffer(binascii.a2b_base64(q['data']), np.uint8)
34
+ except Exception as e:
35
+ print(e)
36
+ err = "Couldn't fetch attachment (JSON 'data' is empty). Are you using the 'Query enrichment' action?"
37
+ misperrors['error'] = err
38
+ print(err)
39
+ return misperrors
40
+
41
+ odt_content = ""
42
+ odt_file = io.BytesIO(odt_array)
43
+ try:
44
+ odt_content = odtToText(odt_file)
45
+ print(odt_content)
46
+ return {'results': [{'types': ['freetext'], 'values': odt_content, 'comment': ".odt-to-text from file " + filename},
47
+ {'types': ['text'], 'values': odt_content, 'comment': ".odt-to-text from file " + filename}]}
48
+ except Exception as e:
49
+ print(e)
50
+ err = "Couldn't analyze file as .odt. Error was: " + str(e)
51
+ misperrors['error'] = err
52
+ return misperrors
53
+
54
+
55
+ def introspection():
56
+ return mispattributes
57
+
58
+
59
+ def version():
60
+ moduleinfo['config'] = moduleconfig
61
+ return moduleinfo
@@ -0,0 +1,243 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ import json
4
+
5
+ from pymisp import MISPEvent, MISPObject
6
+
7
+ try:
8
+ from onyphe import Onyphe
9
+ except ImportError:
10
+ print("pyonyphe module not installed.")
11
+
12
+ misperrors = {'error': 'Error'}
13
+
14
+ mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain'],
15
+ 'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'url'],
16
+ 'format': 'misp_standard'}
17
+ # possible module-types: 'expansion', 'hover' or both
18
+ moduleinfo = {
19
+ 'version': '2',
20
+ 'author': 'Sebastien Larinier @sebdraven',
21
+ 'description': 'Module to process a query on Onyphe.',
22
+ 'module-type': ['expansion', 'hover'],
23
+ 'name': 'Onyphe Lookup',
24
+ 'logo': 'onyphe.jpg',
25
+ 'requirements': ['onyphe python library', 'An access to the Onyphe API (apikey)'],
26
+ 'features': 'This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted.',
27
+ 'references': ['https://www.onyphe.io/', 'https://github.com/sebdraven/pyonyphe'],
28
+ 'input': 'A domain, hostname or IP address MISP attribute.',
29
+ 'output': 'MISP attributes fetched from the Onyphe query.',
30
+ }
31
+
32
+ # config fields that your code expects from the site admin
33
+ moduleconfig = ['apikey']
34
+
35
+
36
+ class OnypheClient:
37
+
38
+ def __init__(self, api_key, attribute):
39
+ self.onyphe_client = Onyphe(api_key=api_key)
40
+ self.attribute = attribute
41
+ self.misp_event = MISPEvent()
42
+ self.misp_event.add_attribute(**attribute)
43
+
44
+ def get_results(self):
45
+ event = json.loads(self.misp_event.to_json())
46
+ results = {key: event[key]
47
+ for key in ('Attribute', 'Object') if key in event}
48
+ return results
49
+
50
+ def get_query_onyphe(self):
51
+ if self.attribute['type'] == 'ip-src' or self.attribute['type'] == 'ip-dst':
52
+ self.__summary_ip()
53
+ if self.attribute['type'] == 'domain':
54
+ self.__summary_domain()
55
+ if self.attribute['type'] == 'hostname':
56
+ self.__summary_hostname()
57
+
58
+ def __summary_ip(self):
59
+ results = self.onyphe_client.summary_ip(self.attribute['value'])
60
+ if 'results' in results:
61
+ for r in results['results']:
62
+ if 'domain' in r:
63
+ domain = r['domain']
64
+ if type(domain) == list:
65
+ for d in domain:
66
+ self.__get_object_domain_ip(d, 'domain')
67
+ elif type(domain) == str:
68
+ self.__get_object_domain_ip(domain, 'domain')
69
+
70
+ if 'hostname' in r:
71
+ hostname = r['hostname']
72
+ if type(hostname) == list:
73
+ for d in hostname:
74
+ self.__get_object_domain_ip(d, 'domain')
75
+ elif type(hostname) == str:
76
+ self.__get_object_domain_ip(hostname, 'domain')
77
+
78
+ if 'issuer' in r:
79
+ self.__get_object_certificate(r)
80
+
81
+ def __summary_domain(self):
82
+ results = self.onyphe_client.summary_domain(self.attribute['value'])
83
+ if 'results' in results:
84
+ for r in results['results']:
85
+
86
+ for domain in r.get('domain'):
87
+ self.misp_event.add_attribute('domain', domain)
88
+ for hostname in r.get('hostname'):
89
+ self.misp_event.add_attribute('hostname', hostname)
90
+ if 'ip' in r:
91
+ if type(r['ip']) is str:
92
+ self.__get_object_domain_ip(r['ip'], 'ip')
93
+ if type(r['ip']) is list:
94
+ for ip in r['ip']:
95
+ self.__get_object_domain_ip(ip, 'ip')
96
+ if 'issuer' in r:
97
+ self.__get_object_certificate(r)
98
+
99
+ def __summary_hostname(self):
100
+ results = self.onyphe_client.summary_hostname(self.attribute['value'])
101
+ if 'results' in results:
102
+
103
+ for r in results['results']:
104
+ if 'domain' in r:
105
+ if type(r['domain']) is str:
106
+ self.misp_event.add_attribute(
107
+ 'domain', r['domain'])
108
+ if type(r['domain']) is list:
109
+ for domain in r['domain']:
110
+ self.misp_event.add_attribute('domain', domain)
111
+
112
+ if 'hostname' in r:
113
+ if type(r['hostname']) is str:
114
+ self.misp_event.add_attribute(
115
+ 'hostname', r['hostname'])
116
+ if type(r['hostname']) is list:
117
+ for hostname in r['hostname']:
118
+ self.misp_event.add_attribute(
119
+ 'hostname', hostname)
120
+
121
+ if 'ip' in r:
122
+ if type(r['ip']) is str:
123
+ self.__get_object_domain_ip(r['ip'], 'ip')
124
+ if type(r['ip']) is list:
125
+ for ip in r['ip']:
126
+ self.__get_object_domain_ip(ip, 'ip')
127
+
128
+ if 'issuer' in r:
129
+ self.__get_object_certificate(r)
130
+
131
+ if 'cve' in r:
132
+ if type(r['cve']) is list:
133
+ for cve in r['cve']:
134
+ self.__get_object_cve(r, cve)
135
+
136
+ def __get_object_certificate(self, r):
137
+ object_certificate = MISPObject('x509')
138
+ object_certificate.add_attribute('ip', self.attribute['value'])
139
+ object_certificate.add_attribute('serial-number', r['serial'])
140
+ object_certificate.add_attribute(
141
+ 'x509-fingerprint-sha256', r['fingerprint']['sha256'])
142
+ object_certificate.add_attribute(
143
+ 'x509-fingerprint-sha1', r['fingerprint']['sha1'])
144
+ object_certificate.add_attribute(
145
+ 'x509-fingerprint-md5', r['fingerprint']['md5'])
146
+
147
+ signature = r['signature']['algorithm']
148
+ value = ''
149
+ if 'sha256' in signature and 'RSA' in signature:
150
+ value = 'SHA256_WITH_RSA_ENCRYPTION'
151
+ elif 'sha1' in signature and 'RSA' in signature:
152
+ value = 'SHA1_WITH_RSA_ENCRYPTION'
153
+ if value:
154
+ object_certificate.add_attribute('signature_algorithm', value)
155
+
156
+ object_certificate.add_attribute(
157
+ 'pubkey-info-algorithm', r['publickey']['algorithm'])
158
+
159
+ if 'exponent' in r['publickey']:
160
+ object_certificate.add_attribute(
161
+ 'pubkey-info-exponent', r['publickey']['exponent'])
162
+ if 'length' in r['publickey']:
163
+ object_certificate.add_attribute(
164
+ 'pubkey-info-size', r['publickey']['length'])
165
+
166
+ object_certificate.add_attribute('issuer', r['issuer']['commonname'])
167
+ object_certificate.add_attribute(
168
+ 'validity-not-before', r['validity']['notbefore'])
169
+ object_certificate.add_attribute(
170
+ 'validity-not-after', r['validity']['notbefore'])
171
+ object_certificate.add_reference(self.attribute['uuid'], 'related-to')
172
+ self.misp_event.add_object(object_certificate)
173
+
174
+ def __get_object_domain_ip(self, obs, relation):
175
+ objet_domain_ip = MISPObject('domain-ip')
176
+ objet_domain_ip.add_attribute(relation, obs)
177
+ relation_attr = self.__get_relation_attribute()
178
+ if relation_attr:
179
+ objet_domain_ip.add_attribute(
180
+ relation_attr, self.attribute['value'])
181
+ objet_domain_ip.add_reference(self.attribute['uuid'], 'related-to')
182
+ self.misp_event.add_object(objet_domain_ip)
183
+
184
+ def __get_relation_attribute(self):
185
+
186
+ if self.attribute['type'] == 'ip-src':
187
+ return 'ip'
188
+ elif self.attribute['type'] == 'ip-dst':
189
+ return 'ip'
190
+ elif self.attribute['type'] == 'domain':
191
+ return 'domain'
192
+ elif self.attribute['type'] == 'hostname':
193
+ return 'domain'
194
+
195
+ def __get_object_cve(self, item, cve):
196
+ attributes = []
197
+ object_cve = MISPObject('vulnerability')
198
+ object_cve.add_attribute('id', cve)
199
+ object_cve.add_attribute('state', 'Published')
200
+
201
+ if type(item['ip']) is list:
202
+ for ip in item['ip']:
203
+ attributes.extend(
204
+ list(filter(lambda x: x['value'] == ip, self.misp_event['Attribute'])))
205
+ for obj in self.misp_event['Object']:
206
+ attributes.extend(
207
+ list(filter(lambda x: x['value'] == ip, obj['Attribute'])))
208
+ if type(item['ip']) is str:
209
+
210
+ for obj in self.misp_event['Object']:
211
+ for att in obj['Attribute']:
212
+ if att['value'] == item['ip']:
213
+ object_cve.add_reference(obj['uuid'], 'cve')
214
+
215
+ self.misp_event.add_object(object_cve)
216
+
217
+
218
+ def handler(q=False):
219
+ if q:
220
+
221
+ request = json.loads(q)
222
+ attribute = request['attribute']
223
+
224
+ if not request.get('config') or not request['config'].get('apikey'):
225
+ misperrors['error'] = 'Onyphe authentication is missing'
226
+ return misperrors
227
+
228
+ api_key = request['config'].get('apikey')
229
+
230
+ onyphe_client = OnypheClient(api_key, attribute)
231
+ onyphe_client.get_query_onyphe()
232
+ results = onyphe_client.get_results()
233
+
234
+ return {'results': results}
235
+
236
+
237
+ def introspection():
238
+ return mispattributes
239
+
240
+
241
+ def version():
242
+ moduleinfo['config'] = moduleconfig
243
+ return moduleinfo