misp-modules 2.4.196__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (194) hide show
  1. misp_modules/__init__.py +379 -0
  2. misp_modules/helpers/__init__.py +1 -0
  3. misp_modules/helpers/cache.py +84 -0
  4. misp_modules/lib/__init__.py +4 -0
  5. misp_modules/lib/_vmray/__init__.py +0 -0
  6. misp_modules/lib/_vmray/parser.py +1417 -0
  7. misp_modules/lib/_vmray/rest_api.py +148 -0
  8. misp_modules/lib/cof2misp/LICENSE-2.0.txt +202 -0
  9. misp_modules/lib/cof2misp/__init__.py +0 -0
  10. misp_modules/lib/cof2misp/cof.py +165 -0
  11. misp_modules/lib/joe_mapping.py +114 -0
  12. misp_modules/lib/joe_parser.py +573 -0
  13. misp_modules/lib/lastline_api.py +841 -0
  14. misp_modules/lib/qintel_helper.py +263 -0
  15. misp_modules/lib/stix2misp.py +2080 -0
  16. misp_modules/lib/stix2misp_mapping.py +460 -0
  17. misp_modules/lib/synonymsToTagNames.json +1 -0
  18. misp_modules/lib/vt_graph_parser/__init__.py +8 -0
  19. misp_modules/lib/vt_graph_parser/errors.py +20 -0
  20. misp_modules/lib/vt_graph_parser/helpers/__init__.py +7 -0
  21. misp_modules/lib/vt_graph_parser/helpers/parsers.py +88 -0
  22. misp_modules/lib/vt_graph_parser/helpers/rules.py +304 -0
  23. misp_modules/lib/vt_graph_parser/helpers/wrappers.py +58 -0
  24. misp_modules/lib/vt_graph_parser/importers/__init__.py +7 -0
  25. misp_modules/lib/vt_graph_parser/importers/base.py +98 -0
  26. misp_modules/lib/vt_graph_parser/importers/pymisp_response.py +73 -0
  27. misp_modules/modules/__init__.py +4 -0
  28. misp_modules/modules/action_mod/__init__.py +1 -0
  29. misp_modules/modules/action_mod/_utils/__init__.py +1 -0
  30. misp_modules/modules/action_mod/_utils/utils.py +70 -0
  31. misp_modules/modules/action_mod/mattermost.py +113 -0
  32. misp_modules/modules/action_mod/slack.py +96 -0
  33. misp_modules/modules/action_mod/testaction.py +68 -0
  34. misp_modules/modules/expansion/__init__.py +36 -0
  35. misp_modules/modules/expansion/_dnsdb_query/COPYRIGHT +27 -0
  36. misp_modules/modules/expansion/_dnsdb_query/LICENSE +202 -0
  37. misp_modules/modules/expansion/_dnsdb_query/README.md +162 -0
  38. misp_modules/modules/expansion/_dnsdb_query/__init__.py +0 -0
  39. misp_modules/modules/expansion/_dnsdb_query/dnsdb_query.py +327 -0
  40. misp_modules/modules/expansion/_ransomcoindb/__init__.py +0 -0
  41. misp_modules/modules/expansion/_ransomcoindb/ransomcoindb.py +96 -0
  42. misp_modules/modules/expansion/_vulnerability_parser/__init__.py +0 -0
  43. misp_modules/modules/expansion/_vulnerability_parser/vulnerability_parser.py +118 -0
  44. misp_modules/modules/expansion/abuseipdb.py +146 -0
  45. misp_modules/modules/expansion/apiosintds.py +365 -0
  46. misp_modules/modules/expansion/apivoid.py +133 -0
  47. misp_modules/modules/expansion/assemblyline_query.py +179 -0
  48. misp_modules/modules/expansion/assemblyline_submit.py +100 -0
  49. misp_modules/modules/expansion/backscatter_io.py +84 -0
  50. misp_modules/modules/expansion/btc_scam_check.py +54 -0
  51. misp_modules/modules/expansion/btc_steroids.py +238 -0
  52. misp_modules/modules/expansion/censys_enrich.py +287 -0
  53. misp_modules/modules/expansion/circl_passivedns.py +85 -0
  54. misp_modules/modules/expansion/circl_passivessl.py +113 -0
  55. misp_modules/modules/expansion/clamav.py +129 -0
  56. misp_modules/modules/expansion/cluster25_expand.py +239 -0
  57. misp_modules/modules/expansion/countrycode.py +69 -0
  58. misp_modules/modules/expansion/cpe.py +140 -0
  59. misp_modules/modules/expansion/crowdsec.py +235 -0
  60. misp_modules/modules/expansion/crowdstrike_falcon.py +148 -0
  61. misp_modules/modules/expansion/cuckoo_submit.py +161 -0
  62. misp_modules/modules/expansion/cve.py +57 -0
  63. misp_modules/modules/expansion/cve_advanced.py +185 -0
  64. misp_modules/modules/expansion/cytomic_orion.py +196 -0
  65. misp_modules/modules/expansion/dbl_spamhaus.py +78 -0
  66. misp_modules/modules/expansion/dns.py +71 -0
  67. misp_modules/modules/expansion/docx_enrich.py +71 -0
  68. misp_modules/modules/expansion/domaintools.py +290 -0
  69. misp_modules/modules/expansion/eql.py +91 -0
  70. misp_modules/modules/expansion/eupi.py +86 -0
  71. misp_modules/modules/expansion/extract_url_components.py +83 -0
  72. misp_modules/modules/expansion/farsight_passivedns.py +243 -0
  73. misp_modules/modules/expansion/geoip_asn.py +75 -0
  74. misp_modules/modules/expansion/geoip_city.py +75 -0
  75. misp_modules/modules/expansion/geoip_country.py +73 -0
  76. misp_modules/modules/expansion/google_safe_browsing.py +86 -0
  77. misp_modules/modules/expansion/google_search.py +57 -0
  78. misp_modules/modules/expansion/google_threat_intelligence.py +453 -0
  79. misp_modules/modules/expansion/greynoise.py +346 -0
  80. misp_modules/modules/expansion/hashdd.py +53 -0
  81. misp_modules/modules/expansion/hashlookup.py +118 -0
  82. misp_modules/modules/expansion/hibp.py +62 -0
  83. misp_modules/modules/expansion/html_to_markdown.py +63 -0
  84. misp_modules/modules/expansion/hyasinsight.py +881 -0
  85. misp_modules/modules/expansion/intel471.py +73 -0
  86. misp_modules/modules/expansion/intelmq_eventdb.py.experimental +67 -0
  87. misp_modules/modules/expansion/ip2locationio.py +90 -0
  88. misp_modules/modules/expansion/ipasn.py +70 -0
  89. misp_modules/modules/expansion/ipinfo.py +112 -0
  90. misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py +633 -0
  91. misp_modules/modules/expansion/iprep.py +98 -0
  92. misp_modules/modules/expansion/jinja_template_rendering.py +54 -0
  93. misp_modules/modules/expansion/joesandbox_query.py +91 -0
  94. misp_modules/modules/expansion/joesandbox_submit.py +147 -0
  95. misp_modules/modules/expansion/lastline_query.py +148 -0
  96. misp_modules/modules/expansion/lastline_submit.py +180 -0
  97. misp_modules/modules/expansion/macaddress_io.py +130 -0
  98. misp_modules/modules/expansion/macvendors.py +55 -0
  99. misp_modules/modules/expansion/malshare_upload.py +107 -0
  100. misp_modules/modules/expansion/malwarebazaar.py +67 -0
  101. misp_modules/modules/expansion/mcafee_insights_enrich.py +249 -0
  102. misp_modules/modules/expansion/mmdb_lookup.py +138 -0
  103. misp_modules/modules/expansion/module.py.skeleton +44 -0
  104. misp_modules/modules/expansion/mwdb.py +152 -0
  105. misp_modules/modules/expansion/ocr_enrich.py +74 -0
  106. misp_modules/modules/expansion/ods_enrich.py +71 -0
  107. misp_modules/modules/expansion/odt_enrich.py +61 -0
  108. misp_modules/modules/expansion/onyphe.py +243 -0
  109. misp_modules/modules/expansion/onyphe_full.py +387 -0
  110. misp_modules/modules/expansion/otx.py +167 -0
  111. misp_modules/modules/expansion/passive_ssh.py +150 -0
  112. misp_modules/modules/expansion/passivetotal.py +358 -0
  113. misp_modules/modules/expansion/pdf_enrich.py +58 -0
  114. misp_modules/modules/expansion/pptx_enrich.py +65 -0
  115. misp_modules/modules/expansion/qintel_qsentry.py +229 -0
  116. misp_modules/modules/expansion/qrcode.py +99 -0
  117. misp_modules/modules/expansion/ransomcoindb.py +82 -0
  118. misp_modules/modules/expansion/rbl.py +126 -0
  119. misp_modules/modules/expansion/recordedfuture.py +544 -0
  120. misp_modules/modules/expansion/reversedns.py +77 -0
  121. misp_modules/modules/expansion/securitytrails.py +571 -0
  122. misp_modules/modules/expansion/shodan.py +244 -0
  123. misp_modules/modules/expansion/sigma_queries.py +61 -0
  124. misp_modules/modules/expansion/sigma_syntax_validator.py +49 -0
  125. misp_modules/modules/expansion/sigmf_expand.py +303 -0
  126. misp_modules/modules/expansion/socialscan.py +108 -0
  127. misp_modules/modules/expansion/sophoslabs_intelix.py +146 -0
  128. misp_modules/modules/expansion/sourcecache.py +57 -0
  129. misp_modules/modules/expansion/stairwell.py +156 -0
  130. misp_modules/modules/expansion/stix2_pattern_syntax_validator.py +56 -0
  131. misp_modules/modules/expansion/threatcrowd.py +170 -0
  132. misp_modules/modules/expansion/threatfox.py +75 -0
  133. misp_modules/modules/expansion/threatminer.py +152 -0
  134. misp_modules/modules/expansion/triage_submit.py +119 -0
  135. misp_modules/modules/expansion/trustar_enrich.py +235 -0
  136. misp_modules/modules/expansion/urlhaus.py +164 -0
  137. misp_modules/modules/expansion/urlscan.py +269 -0
  138. misp_modules/modules/expansion/variotdbs.py +133 -0
  139. misp_modules/modules/expansion/virustotal.py +311 -0
  140. misp_modules/modules/expansion/virustotal_public.py +272 -0
  141. misp_modules/modules/expansion/virustotal_upload.py +91 -0
  142. misp_modules/modules/expansion/vmray_submit.py +161 -0
  143. misp_modules/modules/expansion/vmware_nsx.py +628 -0
  144. misp_modules/modules/expansion/vulndb.py +292 -0
  145. misp_modules/modules/expansion/vulnerability_lookup.py +324 -0
  146. misp_modules/modules/expansion/vulners.py +81 -0
  147. misp_modules/modules/expansion/vysion.py +221 -0
  148. misp_modules/modules/expansion/whois.py +72 -0
  149. misp_modules/modules/expansion/whoisfreaks.py +232 -0
  150. misp_modules/modules/expansion/wiki.py +58 -0
  151. misp_modules/modules/expansion/xforceexchange.py +189 -0
  152. misp_modules/modules/expansion/xlsx_enrich.py +63 -0
  153. misp_modules/modules/expansion/yara_query.py +70 -0
  154. misp_modules/modules/expansion/yara_syntax_validator.py +49 -0
  155. misp_modules/modules/expansion/yeti.py +196 -0
  156. misp_modules/modules/export_mod/__init__.py +3 -0
  157. misp_modules/modules/export_mod/cef_export.py +93 -0
  158. misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py +150 -0
  159. misp_modules/modules/export_mod/defender_endpoint_export.py +141 -0
  160. misp_modules/modules/export_mod/goamlexport.py +255 -0
  161. misp_modules/modules/export_mod/liteexport.py +97 -0
  162. misp_modules/modules/export_mod/mass_eql_export.py +106 -0
  163. misp_modules/modules/export_mod/nexthinkexport.py +131 -0
  164. misp_modules/modules/export_mod/osqueryexport.py +125 -0
  165. misp_modules/modules/export_mod/pdfexport.py +107 -0
  166. misp_modules/modules/export_mod/testexport.py +73 -0
  167. misp_modules/modules/export_mod/threatStream_misp_export.py +114 -0
  168. misp_modules/modules/export_mod/threat_connect_export.py +125 -0
  169. misp_modules/modules/export_mod/virustotal_collections.py +141 -0
  170. misp_modules/modules/export_mod/vt_graph.py +120 -0
  171. misp_modules/modules/export_mod/yara_export.py +290 -0
  172. misp_modules/modules/import_mod/__init__.py +22 -0
  173. misp_modules/modules/import_mod/cof2misp.py +264 -0
  174. misp_modules/modules/import_mod/csvimport.py +319 -0
  175. misp_modules/modules/import_mod/cuckooimport.py +749 -0
  176. misp_modules/modules/import_mod/email_import.py +294 -0
  177. misp_modules/modules/import_mod/goamlimport.py +188 -0
  178. misp_modules/modules/import_mod/import_blueprint.py +93 -0
  179. misp_modules/modules/import_mod/joe_import.py +74 -0
  180. misp_modules/modules/import_mod/lastline_import.py +160 -0
  181. misp_modules/modules/import_mod/mispjson.py +73 -0
  182. misp_modules/modules/import_mod/ocr.py +122 -0
  183. misp_modules/modules/import_mod/openiocimport.py +99 -0
  184. misp_modules/modules/import_mod/taxii21.py +383 -0
  185. misp_modules/modules/import_mod/testimport.py +73 -0
  186. misp_modules/modules/import_mod/threatanalyzer_import.py +552 -0
  187. misp_modules/modules/import_mod/url_import.py +97 -0
  188. misp_modules/modules/import_mod/vmray_import.py +96 -0
  189. misp_modules/modules/import_mod/vmray_summary_json_import.py +87 -0
  190. misp_modules-2.4.196.dist-info/LICENSE +661 -0
  191. misp_modules-2.4.196.dist-info/METADATA +281 -0
  192. misp_modules-2.4.196.dist-info/RECORD +194 -0
  193. misp_modules-2.4.196.dist-info/WHEEL +4 -0
  194. misp_modules-2.4.196.dist-info/entry_points.txt +3 -0
@@ -0,0 +1,263 @@
1
+ # Copyright (c) 2009-2021 Qintel, LLC
2
+ # Licensed under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt)
3
+
4
+ from urllib.request import Request, urlopen
5
+ from urllib.parse import urlencode
6
+ from urllib.error import HTTPError
7
+ from time import sleep
8
+ from json import loads
9
+ import os
10
+ from copy import deepcopy
11
+ from datetime import datetime, timedelta
12
+ from gzip import GzipFile
13
+
14
+ VERSION = '1.0.1'
15
+ USER_AGENT = 'integrations-helper'
16
+ MAX_RETRY_ATTEMPTS = 5
17
+
18
+ DEFAULT_HEADERS = {
19
+ 'User-Agent': f'{USER_AGENT}/{VERSION}'
20
+ }
21
+
22
+ REMOTE_MAP = {
23
+ 'pmi': 'https://api.pmi.qintel.com',
24
+ 'qwatch': 'https://api.qwatch.qintel.com',
25
+ 'qauth': 'https://api.qauth.qintel.com',
26
+ 'qsentry_feed': 'https://qsentry.qintel.com',
27
+ 'qsentry': 'https://api.qsentry.qintel.com'
28
+ }
29
+
30
+ ENDPOINT_MAP = {
31
+ 'pmi': {
32
+ 'ping': '/users/me',
33
+ 'cve': 'cves'
34
+ },
35
+ 'qsentry_feed': {
36
+ 'anon': '/files/anonymization',
37
+ 'mal_hosting': '/files/malicious_hosting'
38
+ },
39
+ 'qsentry': {},
40
+ 'qwatch': {
41
+ 'ping': '/users/me',
42
+ 'exposures': 'exposures'
43
+ },
44
+ 'qauth': {}
45
+ }
46
+
47
+
48
+ def _get_request_wait_time(attempts):
49
+ """ Use Fibonacci numbers for determining the time to wait when rate limits
50
+ have been encountered.
51
+ """
52
+
53
+ n = attempts + 3
54
+ a, b = 1, 0
55
+ for _ in range(n):
56
+ a, b = a + b, a
57
+
58
+ return a
59
+
60
+
61
+ def _search(**kwargs):
62
+ remote = kwargs.get('remote')
63
+ max_retries = int(kwargs.get('max_retries', MAX_RETRY_ATTEMPTS))
64
+ params = kwargs.get('params', {})
65
+ headers = _set_headers(**kwargs)
66
+
67
+ logger = kwargs.get('logger')
68
+
69
+ params = urlencode(params)
70
+ url = remote + "?" + params
71
+ req = Request(url, headers=headers)
72
+
73
+ request_attempts = 1
74
+ while request_attempts < max_retries:
75
+ try:
76
+ return urlopen(req)
77
+
78
+ except HTTPError as e:
79
+ response = e
80
+
81
+ except Exception as e:
82
+ raise Exception('API connection error') from e
83
+
84
+ if response.code not in [429, 504]:
85
+ raise Exception(f'API connection error: {response}')
86
+
87
+ if request_attempts < max_retries:
88
+ wait_time = _get_request_wait_time(request_attempts)
89
+
90
+ if response.code == 429:
91
+ msg = 'rate limit reached on attempt {request_attempts}, ' \
92
+ 'waiting {wait_time} seconds'
93
+
94
+ if logger:
95
+ logger(msg)
96
+
97
+ else:
98
+ msg = f'connection timed out, retrying in {wait_time} seconds'
99
+ if logger:
100
+ logger(msg)
101
+
102
+ sleep(wait_time)
103
+
104
+ else:
105
+ raise Exception('Max API retries exceeded')
106
+
107
+ request_attempts += 1
108
+
109
+
110
+ def _set_headers(**kwargs):
111
+ headers = deepcopy(DEFAULT_HEADERS)
112
+
113
+ if kwargs.get('user_agent'):
114
+ headers['User-Agent'] = \
115
+ f"{kwargs['user_agent']}/{USER_AGENT}/{VERSION}"
116
+
117
+ # TODO: deprecate
118
+ if kwargs.get('client_id') or kwargs.get('client_secret'):
119
+ try:
120
+ headers['Cf-Access-Client-Id'] = kwargs['client_id']
121
+ headers['Cf-Access-Client-Secret'] = kwargs['client_secret']
122
+ except KeyError:
123
+ raise Exception('missing client_id or client_secret')
124
+
125
+ if kwargs.get('token'):
126
+ headers['x-api-key'] = kwargs['token']
127
+
128
+ return headers
129
+
130
+
131
+ def _set_remote(product, query_type, **kwargs):
132
+ remote = kwargs.get('remote')
133
+ endpoint = kwargs.get('endpoint', ENDPOINT_MAP[product].get(query_type))
134
+
135
+ if not remote:
136
+ remote = REMOTE_MAP[product]
137
+
138
+ if not endpoint:
139
+ raise Exception('invalid search type')
140
+
141
+ remote = remote.rstrip('/')
142
+ endpoint = endpoint.lstrip('/')
143
+
144
+ return f'{remote}/{endpoint}'
145
+
146
+
147
+ def _process_qsentry(resp):
148
+ if resp.getheader('Content-Encoding', '') == 'gzip':
149
+ with GzipFile(fileobj=resp) as file:
150
+ for line in file.readlines():
151
+ yield loads(line)
152
+
153
+
154
+ def search_pmi(search_term, query_type, **kwargs):
155
+ """
156
+ Search PMI
157
+
158
+ :param str search_term: Search term
159
+ :param str query_type: Query type [cve|ping]
160
+ :param dict kwargs: extra client args [remote|token|params]
161
+ :return: API JSON response object
162
+ :rtype: dict
163
+ """
164
+
165
+ kwargs['remote'] = _set_remote('pmi', query_type, **kwargs)
166
+ kwargs['token'] = kwargs.get('token', os.getenv('PMI_TOKEN'))
167
+
168
+ params = kwargs.get('params', {})
169
+ params.update({'identifier': search_term})
170
+ kwargs['params'] = params
171
+
172
+ return loads(_search(**kwargs).read())
173
+
174
+
175
+ def search_qwatch(search_term, search_type, query_type, **kwargs):
176
+ """
177
+ Search QWatch for exposed credentials
178
+
179
+ :param str search_term: Search term
180
+ :param str search_type: Search term type [domain|email]
181
+ :param str query_type: Query type [exposures]
182
+ :param dict kwargs: extra client args [remote|token|params]
183
+ :return: API JSON response object
184
+ :rtype: dict
185
+ """
186
+
187
+ kwargs['remote'] = _set_remote('qwatch', query_type, **kwargs)
188
+ kwargs['token'] = kwargs.get('token', os.getenv('QWATCH_TOKEN'))
189
+
190
+ params = kwargs.get('params', {})
191
+ if search_type:
192
+ params.update({search_type: search_term})
193
+ kwargs['params'] = params
194
+
195
+ return loads(_search(**kwargs).read())
196
+
197
+
198
+ def search_qauth(search_term, **kwargs):
199
+ """
200
+ Search QAuth
201
+
202
+ :param str search_term: Search term
203
+ :param dict kwargs: extra client args [remote|token|params]
204
+ :return: API JSON response object
205
+ :rtype: dict
206
+ """
207
+
208
+ if not kwargs.get('endpoint'):
209
+ kwargs['endpoint'] = '/'
210
+
211
+ kwargs['remote'] = _set_remote('qauth', None, **kwargs)
212
+ kwargs['token'] = kwargs.get('token', os.getenv('QAUTH_TOKEN'))
213
+
214
+ params = kwargs.get('params', {})
215
+ params.update({'q': search_term})
216
+ kwargs['params'] = params
217
+
218
+ return loads(_search(**kwargs).read())
219
+
220
+
221
+ def search_qsentry(search_term, **kwargs):
222
+ """
223
+ Search QSentry
224
+
225
+ :param str search_term: Search term
226
+ :param dict kwargs: extra client args [remote|token|params]
227
+ :return: API JSON response object
228
+ :rtype: dict
229
+ """
230
+
231
+ if not kwargs.get('endpoint'):
232
+ kwargs['endpoint'] = '/'
233
+
234
+ kwargs['remote'] = _set_remote('qsentry', None, **kwargs)
235
+ kwargs['token'] = kwargs.get('token', os.getenv('QSENTRY_TOKEN'))
236
+
237
+ params = kwargs.get('params', {})
238
+ params.update({'q': search_term})
239
+ kwargs['params'] = params
240
+
241
+ return loads(_search(**kwargs).read())
242
+
243
+
244
+ def qsentry_feed(query_type='anon', feed_date=datetime.today(), **kwargs):
245
+ """
246
+ Fetch the most recent QSentry Feed
247
+
248
+ :param str query_type: Feed type [anon|mal_hosting]
249
+ :param dict kwargs: extra client args [remote|token|params]
250
+ :param datetime feed_date: feed date to fetch
251
+ :return: API JSON response object
252
+ :rtype: Iterator[dict]
253
+ """
254
+
255
+ remote = _set_remote('qsentry_feed', query_type, **kwargs)
256
+ kwargs['token'] = kwargs.get('token', os.getenv('QSENTRY_TOKEN'))
257
+
258
+ feed_date = (feed_date - timedelta(days=1)).strftime('%Y%m%d')
259
+ kwargs['remote'] = f'{remote}/{feed_date}'
260
+
261
+ resp = _search(**kwargs)
262
+ for r in _process_qsentry(resp):
263
+ yield r