misp-modules 2.4.196__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- misp_modules/__init__.py +379 -0
- misp_modules/helpers/__init__.py +1 -0
- misp_modules/helpers/cache.py +84 -0
- misp_modules/lib/__init__.py +4 -0
- misp_modules/lib/_vmray/__init__.py +0 -0
- misp_modules/lib/_vmray/parser.py +1417 -0
- misp_modules/lib/_vmray/rest_api.py +148 -0
- misp_modules/lib/cof2misp/LICENSE-2.0.txt +202 -0
- misp_modules/lib/cof2misp/__init__.py +0 -0
- misp_modules/lib/cof2misp/cof.py +165 -0
- misp_modules/lib/joe_mapping.py +114 -0
- misp_modules/lib/joe_parser.py +573 -0
- misp_modules/lib/lastline_api.py +841 -0
- misp_modules/lib/qintel_helper.py +263 -0
- misp_modules/lib/stix2misp.py +2080 -0
- misp_modules/lib/stix2misp_mapping.py +460 -0
- misp_modules/lib/synonymsToTagNames.json +1 -0
- misp_modules/lib/vt_graph_parser/__init__.py +8 -0
- misp_modules/lib/vt_graph_parser/errors.py +20 -0
- misp_modules/lib/vt_graph_parser/helpers/__init__.py +7 -0
- misp_modules/lib/vt_graph_parser/helpers/parsers.py +88 -0
- misp_modules/lib/vt_graph_parser/helpers/rules.py +304 -0
- misp_modules/lib/vt_graph_parser/helpers/wrappers.py +58 -0
- misp_modules/lib/vt_graph_parser/importers/__init__.py +7 -0
- misp_modules/lib/vt_graph_parser/importers/base.py +98 -0
- misp_modules/lib/vt_graph_parser/importers/pymisp_response.py +73 -0
- misp_modules/modules/__init__.py +4 -0
- misp_modules/modules/action_mod/__init__.py +1 -0
- misp_modules/modules/action_mod/_utils/__init__.py +1 -0
- misp_modules/modules/action_mod/_utils/utils.py +70 -0
- misp_modules/modules/action_mod/mattermost.py +113 -0
- misp_modules/modules/action_mod/slack.py +96 -0
- misp_modules/modules/action_mod/testaction.py +68 -0
- misp_modules/modules/expansion/__init__.py +36 -0
- misp_modules/modules/expansion/_dnsdb_query/COPYRIGHT +27 -0
- misp_modules/modules/expansion/_dnsdb_query/LICENSE +202 -0
- misp_modules/modules/expansion/_dnsdb_query/README.md +162 -0
- misp_modules/modules/expansion/_dnsdb_query/__init__.py +0 -0
- misp_modules/modules/expansion/_dnsdb_query/dnsdb_query.py +327 -0
- misp_modules/modules/expansion/_ransomcoindb/__init__.py +0 -0
- misp_modules/modules/expansion/_ransomcoindb/ransomcoindb.py +96 -0
- misp_modules/modules/expansion/_vulnerability_parser/__init__.py +0 -0
- misp_modules/modules/expansion/_vulnerability_parser/vulnerability_parser.py +118 -0
- misp_modules/modules/expansion/abuseipdb.py +146 -0
- misp_modules/modules/expansion/apiosintds.py +365 -0
- misp_modules/modules/expansion/apivoid.py +133 -0
- misp_modules/modules/expansion/assemblyline_query.py +179 -0
- misp_modules/modules/expansion/assemblyline_submit.py +100 -0
- misp_modules/modules/expansion/backscatter_io.py +84 -0
- misp_modules/modules/expansion/btc_scam_check.py +54 -0
- misp_modules/modules/expansion/btc_steroids.py +238 -0
- misp_modules/modules/expansion/censys_enrich.py +287 -0
- misp_modules/modules/expansion/circl_passivedns.py +85 -0
- misp_modules/modules/expansion/circl_passivessl.py +113 -0
- misp_modules/modules/expansion/clamav.py +129 -0
- misp_modules/modules/expansion/cluster25_expand.py +239 -0
- misp_modules/modules/expansion/countrycode.py +69 -0
- misp_modules/modules/expansion/cpe.py +140 -0
- misp_modules/modules/expansion/crowdsec.py +235 -0
- misp_modules/modules/expansion/crowdstrike_falcon.py +148 -0
- misp_modules/modules/expansion/cuckoo_submit.py +161 -0
- misp_modules/modules/expansion/cve.py +57 -0
- misp_modules/modules/expansion/cve_advanced.py +185 -0
- misp_modules/modules/expansion/cytomic_orion.py +196 -0
- misp_modules/modules/expansion/dbl_spamhaus.py +78 -0
- misp_modules/modules/expansion/dns.py +71 -0
- misp_modules/modules/expansion/docx_enrich.py +71 -0
- misp_modules/modules/expansion/domaintools.py +290 -0
- misp_modules/modules/expansion/eql.py +91 -0
- misp_modules/modules/expansion/eupi.py +86 -0
- misp_modules/modules/expansion/extract_url_components.py +83 -0
- misp_modules/modules/expansion/farsight_passivedns.py +243 -0
- misp_modules/modules/expansion/geoip_asn.py +75 -0
- misp_modules/modules/expansion/geoip_city.py +75 -0
- misp_modules/modules/expansion/geoip_country.py +73 -0
- misp_modules/modules/expansion/google_safe_browsing.py +86 -0
- misp_modules/modules/expansion/google_search.py +57 -0
- misp_modules/modules/expansion/google_threat_intelligence.py +453 -0
- misp_modules/modules/expansion/greynoise.py +346 -0
- misp_modules/modules/expansion/hashdd.py +53 -0
- misp_modules/modules/expansion/hashlookup.py +118 -0
- misp_modules/modules/expansion/hibp.py +62 -0
- misp_modules/modules/expansion/html_to_markdown.py +63 -0
- misp_modules/modules/expansion/hyasinsight.py +881 -0
- misp_modules/modules/expansion/intel471.py +73 -0
- misp_modules/modules/expansion/intelmq_eventdb.py.experimental +67 -0
- misp_modules/modules/expansion/ip2locationio.py +90 -0
- misp_modules/modules/expansion/ipasn.py +70 -0
- misp_modules/modules/expansion/ipinfo.py +112 -0
- misp_modules/modules/expansion/ipqs_fraud_and_risk_scoring.py +633 -0
- misp_modules/modules/expansion/iprep.py +98 -0
- misp_modules/modules/expansion/jinja_template_rendering.py +54 -0
- misp_modules/modules/expansion/joesandbox_query.py +91 -0
- misp_modules/modules/expansion/joesandbox_submit.py +147 -0
- misp_modules/modules/expansion/lastline_query.py +148 -0
- misp_modules/modules/expansion/lastline_submit.py +180 -0
- misp_modules/modules/expansion/macaddress_io.py +130 -0
- misp_modules/modules/expansion/macvendors.py +55 -0
- misp_modules/modules/expansion/malshare_upload.py +107 -0
- misp_modules/modules/expansion/malwarebazaar.py +67 -0
- misp_modules/modules/expansion/mcafee_insights_enrich.py +249 -0
- misp_modules/modules/expansion/mmdb_lookup.py +138 -0
- misp_modules/modules/expansion/module.py.skeleton +44 -0
- misp_modules/modules/expansion/mwdb.py +152 -0
- misp_modules/modules/expansion/ocr_enrich.py +74 -0
- misp_modules/modules/expansion/ods_enrich.py +71 -0
- misp_modules/modules/expansion/odt_enrich.py +61 -0
- misp_modules/modules/expansion/onyphe.py +243 -0
- misp_modules/modules/expansion/onyphe_full.py +387 -0
- misp_modules/modules/expansion/otx.py +167 -0
- misp_modules/modules/expansion/passive_ssh.py +150 -0
- misp_modules/modules/expansion/passivetotal.py +358 -0
- misp_modules/modules/expansion/pdf_enrich.py +58 -0
- misp_modules/modules/expansion/pptx_enrich.py +65 -0
- misp_modules/modules/expansion/qintel_qsentry.py +229 -0
- misp_modules/modules/expansion/qrcode.py +99 -0
- misp_modules/modules/expansion/ransomcoindb.py +82 -0
- misp_modules/modules/expansion/rbl.py +126 -0
- misp_modules/modules/expansion/recordedfuture.py +544 -0
- misp_modules/modules/expansion/reversedns.py +77 -0
- misp_modules/modules/expansion/securitytrails.py +571 -0
- misp_modules/modules/expansion/shodan.py +244 -0
- misp_modules/modules/expansion/sigma_queries.py +61 -0
- misp_modules/modules/expansion/sigma_syntax_validator.py +49 -0
- misp_modules/modules/expansion/sigmf_expand.py +303 -0
- misp_modules/modules/expansion/socialscan.py +108 -0
- misp_modules/modules/expansion/sophoslabs_intelix.py +146 -0
- misp_modules/modules/expansion/sourcecache.py +57 -0
- misp_modules/modules/expansion/stairwell.py +156 -0
- misp_modules/modules/expansion/stix2_pattern_syntax_validator.py +56 -0
- misp_modules/modules/expansion/threatcrowd.py +170 -0
- misp_modules/modules/expansion/threatfox.py +75 -0
- misp_modules/modules/expansion/threatminer.py +152 -0
- misp_modules/modules/expansion/triage_submit.py +119 -0
- misp_modules/modules/expansion/trustar_enrich.py +235 -0
- misp_modules/modules/expansion/urlhaus.py +164 -0
- misp_modules/modules/expansion/urlscan.py +269 -0
- misp_modules/modules/expansion/variotdbs.py +133 -0
- misp_modules/modules/expansion/virustotal.py +311 -0
- misp_modules/modules/expansion/virustotal_public.py +272 -0
- misp_modules/modules/expansion/virustotal_upload.py +91 -0
- misp_modules/modules/expansion/vmray_submit.py +161 -0
- misp_modules/modules/expansion/vmware_nsx.py +628 -0
- misp_modules/modules/expansion/vulndb.py +292 -0
- misp_modules/modules/expansion/vulnerability_lookup.py +324 -0
- misp_modules/modules/expansion/vulners.py +81 -0
- misp_modules/modules/expansion/vysion.py +221 -0
- misp_modules/modules/expansion/whois.py +72 -0
- misp_modules/modules/expansion/whoisfreaks.py +232 -0
- misp_modules/modules/expansion/wiki.py +58 -0
- misp_modules/modules/expansion/xforceexchange.py +189 -0
- misp_modules/modules/expansion/xlsx_enrich.py +63 -0
- misp_modules/modules/expansion/yara_query.py +70 -0
- misp_modules/modules/expansion/yara_syntax_validator.py +49 -0
- misp_modules/modules/expansion/yeti.py +196 -0
- misp_modules/modules/export_mod/__init__.py +3 -0
- misp_modules/modules/export_mod/cef_export.py +93 -0
- misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py +150 -0
- misp_modules/modules/export_mod/defender_endpoint_export.py +141 -0
- misp_modules/modules/export_mod/goamlexport.py +255 -0
- misp_modules/modules/export_mod/liteexport.py +97 -0
- misp_modules/modules/export_mod/mass_eql_export.py +106 -0
- misp_modules/modules/export_mod/nexthinkexport.py +131 -0
- misp_modules/modules/export_mod/osqueryexport.py +125 -0
- misp_modules/modules/export_mod/pdfexport.py +107 -0
- misp_modules/modules/export_mod/testexport.py +73 -0
- misp_modules/modules/export_mod/threatStream_misp_export.py +114 -0
- misp_modules/modules/export_mod/threat_connect_export.py +125 -0
- misp_modules/modules/export_mod/virustotal_collections.py +141 -0
- misp_modules/modules/export_mod/vt_graph.py +120 -0
- misp_modules/modules/export_mod/yara_export.py +290 -0
- misp_modules/modules/import_mod/__init__.py +22 -0
- misp_modules/modules/import_mod/cof2misp.py +264 -0
- misp_modules/modules/import_mod/csvimport.py +319 -0
- misp_modules/modules/import_mod/cuckooimport.py +749 -0
- misp_modules/modules/import_mod/email_import.py +294 -0
- misp_modules/modules/import_mod/goamlimport.py +188 -0
- misp_modules/modules/import_mod/import_blueprint.py +93 -0
- misp_modules/modules/import_mod/joe_import.py +74 -0
- misp_modules/modules/import_mod/lastline_import.py +160 -0
- misp_modules/modules/import_mod/mispjson.py +73 -0
- misp_modules/modules/import_mod/ocr.py +122 -0
- misp_modules/modules/import_mod/openiocimport.py +99 -0
- misp_modules/modules/import_mod/taxii21.py +383 -0
- misp_modules/modules/import_mod/testimport.py +73 -0
- misp_modules/modules/import_mod/threatanalyzer_import.py +552 -0
- misp_modules/modules/import_mod/url_import.py +97 -0
- misp_modules/modules/import_mod/vmray_import.py +96 -0
- misp_modules/modules/import_mod/vmray_summary_json_import.py +87 -0
- misp_modules-2.4.196.dist-info/LICENSE +661 -0
- misp_modules-2.4.196.dist-info/METADATA +281 -0
- misp_modules-2.4.196.dist-info/RECORD +194 -0
- misp_modules-2.4.196.dist-info/WHEEL +4 -0
- misp_modules-2.4.196.dist-info/entry_points.txt +3 -0
|
@@ -0,0 +1,460 @@
|
|
|
1
|
+
################################################################################
|
|
2
|
+
# ATTRIBUTES AND OBJECTS MAPPING #
|
|
3
|
+
################################################################################
|
|
4
|
+
|
|
5
|
+
attributes_mapping = {
|
|
6
|
+
'filename': '_parse_name',
|
|
7
|
+
'ip-src': '_parse_value',
|
|
8
|
+
'ip-dst': '_parse_value',
|
|
9
|
+
'hostname': '_parse_value',
|
|
10
|
+
'domain': '_parse_value',
|
|
11
|
+
'domain|ip': '_parse_domain_ip_attribute',
|
|
12
|
+
'email-src': '_parse_value',
|
|
13
|
+
'email-dst': '_parse_value',
|
|
14
|
+
'email-attachment': '_parse_name',
|
|
15
|
+
'url': '_parse_value',
|
|
16
|
+
'regkey': '_parse_regkey_attribute',
|
|
17
|
+
'regkey|value': '_parse_regkey_value',
|
|
18
|
+
'malware-sample': '_parse_malware_sample',
|
|
19
|
+
'mutex': '_parse_name',
|
|
20
|
+
'uri': '_parse_value',
|
|
21
|
+
'port': '_parse_port',
|
|
22
|
+
'ip-dst|port': '_parse_network_attribute',
|
|
23
|
+
'ip-src|port': '_parse_network_attribute',
|
|
24
|
+
'hostname|port': '_parse_network_attribute',
|
|
25
|
+
'email-reply-to': '_parse_email_reply_to',
|
|
26
|
+
'attachment': '_parse_attachment',
|
|
27
|
+
'mac-address': '_parse_value',
|
|
28
|
+
'AS': '_parse_number'
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
attributes_type_mapping = {
|
|
32
|
+
'md5': '_parse_hash',
|
|
33
|
+
'sha1': '_parse_hash',
|
|
34
|
+
'sha256': '_parse_hash',
|
|
35
|
+
'filename|md5': '_parse_filename_hash',
|
|
36
|
+
'filename|sha1': '_parse_filename_hash',
|
|
37
|
+
'filename|sha256': '_parse_filename_hash',
|
|
38
|
+
'email-subject': '_parse_email_message',
|
|
39
|
+
'email-body': '_parse_email_message',
|
|
40
|
+
'authentihash': '_parse_hash',
|
|
41
|
+
'ssdeep': '_parse_hash',
|
|
42
|
+
'imphash': '_parse_hash',
|
|
43
|
+
'pehash': '_parse_hash',
|
|
44
|
+
'impfuzzy': '_parse_hash',
|
|
45
|
+
'sha224': '_parse_hash',
|
|
46
|
+
'sha384': '_parse_hash',
|
|
47
|
+
'sha512': '_parse_hash',
|
|
48
|
+
'sha512/224': '_parse_hash',
|
|
49
|
+
'sha512/256': '_parse_hash',
|
|
50
|
+
'tlsh': '_parse_hash',
|
|
51
|
+
'cdhash': '_parse_hash',
|
|
52
|
+
'filename|authentihash': '_parse_filename_hash',
|
|
53
|
+
'filename|ssdeep': '_parse_filename_hash',
|
|
54
|
+
'filename|imphash': '_parse_filename_hash',
|
|
55
|
+
'filename|impfuzzy': '_parse_filename_hash',
|
|
56
|
+
'filename|pehash': '_parse_filename_hash',
|
|
57
|
+
'filename|sha224': '_parse_filename_hash',
|
|
58
|
+
'filename|sha384': '_parse_filename_hash',
|
|
59
|
+
'filename|sha512': '_parse_filename_hash',
|
|
60
|
+
'filename|sha512/224': '_parse_filename_hash',
|
|
61
|
+
'filename|sha512/256': '_parse_filename_hash',
|
|
62
|
+
'filename|tlsh': '_parse_filename_hash',
|
|
63
|
+
'x509-fingerprint-md5': '_parse_x509_attribute',
|
|
64
|
+
'x509-fingerprint-sha1': '_parse_x509_attribute',
|
|
65
|
+
'x509-fingerprint-sha256': '_parse_x509_attribute'
|
|
66
|
+
}
|
|
67
|
+
|
|
68
|
+
objects_mapping = {
|
|
69
|
+
'asn': {
|
|
70
|
+
'observable': 'parse_asn_observable',
|
|
71
|
+
'pattern': 'parse_asn_pattern'},
|
|
72
|
+
'credential': {
|
|
73
|
+
'observable': 'parse_credential_observable',
|
|
74
|
+
'pattern': 'parse_credential_pattern'},
|
|
75
|
+
'domain-ip': {
|
|
76
|
+
'observable': 'parse_domain_ip_observable',
|
|
77
|
+
'pattern': 'parse_domain_ip_pattern'},
|
|
78
|
+
'email': {
|
|
79
|
+
'observable': 'parse_email_observable',
|
|
80
|
+
'pattern': 'parse_email_pattern'},
|
|
81
|
+
'file': {
|
|
82
|
+
'observable': 'parse_file_observable',
|
|
83
|
+
'pattern': 'parse_file_pattern'},
|
|
84
|
+
'ip-port': {
|
|
85
|
+
'observable': 'parse_ip_port_observable',
|
|
86
|
+
'pattern': 'parse_ip_port_pattern'},
|
|
87
|
+
'network-connection': {
|
|
88
|
+
'observable': 'parse_network_connection_observable',
|
|
89
|
+
'pattern': 'parse_network_connection_pattern'},
|
|
90
|
+
'network-socket': {
|
|
91
|
+
'observable': 'parse_network_socket_observable',
|
|
92
|
+
'pattern': 'parse_network_socket_pattern'},
|
|
93
|
+
'process': {
|
|
94
|
+
'observable': 'parse_process_observable',
|
|
95
|
+
'pattern': 'parse_process_pattern'},
|
|
96
|
+
'registry-key': {
|
|
97
|
+
'observable': 'parse_regkey_observable',
|
|
98
|
+
'pattern': 'parse_regkey_pattern'},
|
|
99
|
+
'url': {
|
|
100
|
+
'observable': 'parse_url_observable',
|
|
101
|
+
'pattern': 'parse_url_pattern'},
|
|
102
|
+
'user-account': {
|
|
103
|
+
'observable': 'parse_user_account_observable',
|
|
104
|
+
'pattern': 'parse_user_account_pattern'},
|
|
105
|
+
'WindowsPEBinaryFile': {
|
|
106
|
+
'observable': 'parse_pe_observable',
|
|
107
|
+
'pattern': 'parse_pe_pattern'},
|
|
108
|
+
'x509': {
|
|
109
|
+
'observable': 'parse_x509_observable',
|
|
110
|
+
'pattern': 'parse_x509_pattern'}
|
|
111
|
+
}
|
|
112
|
+
|
|
113
|
+
observable_mapping = {
|
|
114
|
+
('artifact', 'file'): 'parse_file_observable',
|
|
115
|
+
('artifact', 'directory', 'file'): 'parse_file_observable',
|
|
116
|
+
('artifact', 'email-addr', 'email-message', 'file'): 'parse_email_observable',
|
|
117
|
+
('autonomous-system',): 'parse_asn_observable',
|
|
118
|
+
('autonomous-system', 'ipv4-addr'): 'parse_asn_observable',
|
|
119
|
+
('autonomous-system', 'ipv6-addr'): 'parse_asn_observable',
|
|
120
|
+
('autonomous-system', 'ipv4-addr', 'ipv6-addr'): 'parse_asn_observable',
|
|
121
|
+
('directory', 'file'): 'parse_file_observable',
|
|
122
|
+
('domain-name',): 'parse_domain_ip_observable',
|
|
123
|
+
('domain-name', 'ipv4-addr'): 'parse_domain_ip_observable',
|
|
124
|
+
('domain-name', 'ipv6-addr'): 'parse_domain_ip_observable',
|
|
125
|
+
('domain-name', 'ipv4-addr', 'ipv6-addr'): 'parse_domain_ip_observable',
|
|
126
|
+
('domain-name', 'ipv4-addr', 'network-traffic'): 'parse_domain_ip_network_traffic_observable',
|
|
127
|
+
('domain-name', 'ipv6-addr', 'network-traffic'): 'parse_domain_ip_network_traffic_observable',
|
|
128
|
+
('domain-name', 'ipv4-addr', 'ipv6-addr', 'network-traffic'): 'parse_domain_ip_network_traffic_observable',
|
|
129
|
+
('domain-name', 'network-traffic'): 'parse_domain_network_traffic_observable',
|
|
130
|
+
('domain-name', 'network-traffic', 'url'): 'parse_url_observable',
|
|
131
|
+
('email-addr',): 'parse_email_address_observable',
|
|
132
|
+
('email-addr', 'email-message'): 'parse_email_observable',
|
|
133
|
+
('email-addr', 'email-message', 'file'): 'parse_email_observable',
|
|
134
|
+
('email-message',): 'parse_email_observable',
|
|
135
|
+
('file',): 'parse_file_observable',
|
|
136
|
+
('file', 'process'): 'parse_process_observable',
|
|
137
|
+
('ipv4-addr',): 'parse_ip_address_observable',
|
|
138
|
+
('ipv6-addr',): 'parse_ip_address_observable',
|
|
139
|
+
('ipv4-addr', 'network-traffic'): 'parse_ip_network_traffic_observable',
|
|
140
|
+
('ipv6-addr', 'network-traffic'): 'parse_ip_network_traffic_observable',
|
|
141
|
+
('ipv4-addr', 'ipv6-addr', 'network-traffic'): 'parse_ip_network_traffic_observable',
|
|
142
|
+
('mac-addr',): 'parse_mac_address_observable',
|
|
143
|
+
('mutex',): 'parse_mutex_observable',
|
|
144
|
+
('process',): 'parse_process_observable',
|
|
145
|
+
('x509-certificate',): 'parse_x509_observable',
|
|
146
|
+
('url',): 'parse_url_observable',
|
|
147
|
+
('user-account',): 'parse_user_account_observable',
|
|
148
|
+
('windows-registry-key',): 'parse_regkey_observable'
|
|
149
|
+
}
|
|
150
|
+
|
|
151
|
+
pattern_mapping = {
|
|
152
|
+
('artifact', 'file'): 'parse_file_pattern',
|
|
153
|
+
('artifact', 'directory', 'file'): 'parse_file_pattern',
|
|
154
|
+
('autonomous-system', ): 'parse_as_pattern',
|
|
155
|
+
('autonomous-system', 'ipv4-addr'): 'parse_as_pattern',
|
|
156
|
+
('autonomous-system', 'ipv6-addr'): 'parse_as_pattern',
|
|
157
|
+
('autonomous-system', 'ipv4-addr', 'ipv6-addr'): 'parse_as_pattern',
|
|
158
|
+
('directory',): 'parse_file_pattern',
|
|
159
|
+
('directory', 'file'): 'parse_file_pattern',
|
|
160
|
+
('domain-name',): 'parse_domain_ip_port_pattern',
|
|
161
|
+
('domain-name', 'ipv4-addr'): 'parse_domain_ip_port_pattern',
|
|
162
|
+
('domain-name', 'ipv6-addr'): 'parse_domain_ip_port_pattern',
|
|
163
|
+
('domain-name', 'ipv4-addr', 'ipv6-addr'): 'parse_domain_ip_port_pattern',
|
|
164
|
+
('domain-name', 'ipv4-addr', 'url'): 'parse_url_pattern',
|
|
165
|
+
('domain-name', 'ipv6-addr', 'url'): 'parse_url_pattern',
|
|
166
|
+
('domain-name', 'ipv4-addr', 'ipv6-addr', 'url'): 'parse_url_pattern',
|
|
167
|
+
('domain-name', 'network-traffic'): 'parse_domain_ip_port_pattern',
|
|
168
|
+
('domain-name', 'network-traffic', 'url'): 'parse_url_pattern',
|
|
169
|
+
('email-addr',): 'parse_email_address_pattern',
|
|
170
|
+
('email-message',): 'parse_email_message_pattern',
|
|
171
|
+
('file',): 'parse_file_pattern',
|
|
172
|
+
('ipv4-addr',): 'parse_ip_address_pattern',
|
|
173
|
+
('ipv6-addr',): 'parse_ip_address_pattern',
|
|
174
|
+
('ipv4-addr', 'ipv6-addr'): 'parse_ip_address_pattern',
|
|
175
|
+
('mac-addr',): 'parse_mac_address_pattern',
|
|
176
|
+
('mutex',): 'parse_mutex_pattern',
|
|
177
|
+
('network-traffic',): 'parse_network_traffic_pattern',
|
|
178
|
+
('process',): 'parse_process_pattern',
|
|
179
|
+
('url',): 'parse_url_pattern',
|
|
180
|
+
('user-account',): 'parse_user_account_pattern',
|
|
181
|
+
('windows-registry-key',): 'parse_regkey_pattern',
|
|
182
|
+
('x509-certificate',): 'parse_x509_pattern'
|
|
183
|
+
}
|
|
184
|
+
|
|
185
|
+
pattern_forbidden_relations = (' LIKE ', ' FOLLOWEDBY ', ' MATCHES ', ' ISSUBSET ', ' ISSUPERSET ', ' REPEATS ')
|
|
186
|
+
single_attribute_fields = ('type', 'value', 'to_ids')
|
|
187
|
+
|
|
188
|
+
|
|
189
|
+
################################################################################
|
|
190
|
+
# OBSERVABLE OBJECTS AND PATTERNS MAPPING. #
|
|
191
|
+
################################################################################
|
|
192
|
+
|
|
193
|
+
address_family_attribute_mapping = {'type': 'text','object_relation': 'address-family'}
|
|
194
|
+
as_number_attribute_mapping = {'type': 'AS', 'object_relation': 'asn'}
|
|
195
|
+
description_attribute_mapping = {'type': 'text', 'object_relation': 'description'}
|
|
196
|
+
asn_subnet_attribute_mapping = {'type': 'ip-src', 'object_relation': 'subnet-announced'}
|
|
197
|
+
cc_attribute_mapping = {'type': 'email-dst', 'object_relation': 'cc'}
|
|
198
|
+
credential_attribute_mapping = {'type': 'text', 'object_relation': 'password'}
|
|
199
|
+
data_attribute_mapping = {'type': 'text', 'object_relation': 'data'}
|
|
200
|
+
data_type_attribute_mapping = {'type': 'text', 'object_relation': 'data-type'}
|
|
201
|
+
domain_attribute_mapping = {'type': 'domain', 'object_relation': 'domain'}
|
|
202
|
+
domain_family_attribute_mapping = {'type': 'text', 'object_relation': 'domain-family'}
|
|
203
|
+
dst_port_attribute_mapping = {'type': 'port', 'object_relation': 'dst-port'}
|
|
204
|
+
email_attachment_attribute_mapping = {'type': 'email-attachment', 'object_relation': 'attachment'}
|
|
205
|
+
email_date_attribute_mapping = {'type': 'datetime', 'object_relation': 'send-date'}
|
|
206
|
+
email_subject_attribute_mapping = {'type': 'email-subject', 'object_relation': 'subject'}
|
|
207
|
+
encoding_attribute_mapping = {'type': 'text', 'object_relation': 'file-encoding'}
|
|
208
|
+
end_datetime_attribute_mapping = {'type': 'datetime', 'object_relation': 'last-seen'}
|
|
209
|
+
entropy_mapping = {'type': 'float', 'object_relation': 'entropy'}
|
|
210
|
+
filename_attribute_mapping = {'type': 'filename', 'object_relation': 'filename'}
|
|
211
|
+
from_attribute_mapping = {'type': 'email-src', 'object_relation': 'from'}
|
|
212
|
+
imphash_mapping = {'type': 'imphash', 'object_relation': 'imphash'}
|
|
213
|
+
id_attribute_mapping = {'type': 'text', 'object_relation': 'id'}
|
|
214
|
+
ip_attribute_mapping = {'type': 'ip-dst', 'object_relation': 'ip'}
|
|
215
|
+
issuer_attribute_mapping = {'type': 'text', 'object_relation': 'issuer'}
|
|
216
|
+
key_attribute_mapping = {'type': 'regkey', 'object_relation': 'key'}
|
|
217
|
+
malware_sample_attribute_mapping = {'type': 'malware-sample', 'object_relation': 'malware-sample'}
|
|
218
|
+
mime_type_attribute_mapping = {'type': 'mime-type', 'object_relation': 'mimetype'}
|
|
219
|
+
modified_attribute_mapping = {'type': 'datetime', 'object_relation': 'last-modified'}
|
|
220
|
+
name_attribute_mapping = {'type': 'text', 'object_relation': 'name'}
|
|
221
|
+
network_traffic_ip = {'type': 'ip-{}', 'object_relation': 'ip-{}'}
|
|
222
|
+
number_sections_mapping = {'type': 'counter', 'object_relation': 'number-sections'}
|
|
223
|
+
password_mapping = {'type': 'text', 'object_relation': 'password'}
|
|
224
|
+
path_attribute_mapping = {'type': 'text', 'object_relation': 'path'}
|
|
225
|
+
pe_type_mapping = {'type': 'text', 'object_relation': 'type'}
|
|
226
|
+
pid_attribute_mapping = {'type': 'text', 'object_relation': 'pid'}
|
|
227
|
+
process_command_line_mapping = {'type': 'text', 'object_relation': 'command-line'}
|
|
228
|
+
process_creation_time_mapping = {'type': 'datetime', 'object_relation': 'creation-time'}
|
|
229
|
+
process_image_mapping = {'type': 'filename', 'object_relation': 'image'}
|
|
230
|
+
process_name_mapping = {'type': 'text', 'object_relation': 'name'}
|
|
231
|
+
regkey_name_attribute_mapping = {'type': 'text', 'object_relation': 'name'}
|
|
232
|
+
references_attribute_mapping = {'type': 'link', 'object_relation': 'references'}
|
|
233
|
+
reply_to_attribute_mapping = {'type': 'email-reply-to', 'object_relation': 'reply-to'}
|
|
234
|
+
screenshot_attribute_mapping = {'type': 'attachment', 'object_relation': 'screenshot'}
|
|
235
|
+
section_name_mapping = {'type': 'text', 'object_relation': 'name'}
|
|
236
|
+
serial_number_attribute_mapping = {'type': 'text', 'object_relation': 'serial-number'}
|
|
237
|
+
size_attribute_mapping = {'type': 'size-in-bytes', 'object_relation': 'size-in-bytes'}
|
|
238
|
+
src_port_attribute_mapping = {'type': 'port', 'object_relation': 'src-port'}
|
|
239
|
+
start_datetime_attribute_mapping = {'type': 'datetime', 'object_relation': 'first-seen'}
|
|
240
|
+
state_attribute_mapping = {'type': 'text', 'object_relation': 'state'}
|
|
241
|
+
summary_attribute_mapping = {'type': 'text', 'object_relation': 'summary'}
|
|
242
|
+
to_attribute_mapping = {'type': 'email-dst', 'object_relation': 'to'}
|
|
243
|
+
url_attribute_mapping = {'type': 'url', 'object_relation': 'url'}
|
|
244
|
+
url_port_attribute_mapping = {'type': 'port', 'object_relation': 'port'}
|
|
245
|
+
user_id_mapping = {'type': 'text', 'object_relation': 'username'}
|
|
246
|
+
x_mailer_attribute_mapping = {'type': 'email-x-mailer', 'object_relation': 'x-mailer'}
|
|
247
|
+
x509_md5_attribute_mapping = {'type': 'x509-fingerprint-md5', 'object_relation': 'x509-fingerprint-md5'}
|
|
248
|
+
x509_sha1_attribute_mapping = {'type': 'x509-fingerprint-sha1', 'object_relation': 'x509-fingerprint-sha1'}
|
|
249
|
+
x509_sha256_attribute_mapping = {'type': 'x509-fingerprint-sha256', 'object_relation': 'x509-fingerprint-sha256'}
|
|
250
|
+
x509_spka_attribute_mapping = {'type': 'text', 'object_relation': 'pubkey-info-algorithm'} # x509 subject public key algorithm
|
|
251
|
+
x509_spke_attribute_mapping = {'type': 'text', 'object_relation': 'pubkey-info-exponent'} # x509 subject public key exponent
|
|
252
|
+
x509_spkm_attribute_mapping = {'type': 'text', 'object_relation': 'pubkey-info-modulus'} # x509 subject public key modulus
|
|
253
|
+
x509_subject_attribute_mapping = {'type': 'text', 'object_relation': 'subject'}
|
|
254
|
+
x509_version_attribute_mapping = {'type': 'text', 'object_relation': 'version'}
|
|
255
|
+
x509_vna_attribute_mapping = {'type': 'datetime', 'object_relation': 'validity-not-after'} # x509 validity not after
|
|
256
|
+
x509_vnb_attribute_mapping = {'type': 'datetime', 'object_relation': 'validity-not-before'} # x509 validity not before
|
|
257
|
+
|
|
258
|
+
asn_mapping = {'number': as_number_attribute_mapping,
|
|
259
|
+
'autonomous-system:number': as_number_attribute_mapping,
|
|
260
|
+
'name': description_attribute_mapping,
|
|
261
|
+
'autonomous-system:name': description_attribute_mapping,
|
|
262
|
+
'ipv4-addr': asn_subnet_attribute_mapping,
|
|
263
|
+
'ipv6-addr': asn_subnet_attribute_mapping,
|
|
264
|
+
'ipv4-addr:value': asn_subnet_attribute_mapping,
|
|
265
|
+
'ipv6-addr:value': asn_subnet_attribute_mapping}
|
|
266
|
+
|
|
267
|
+
attack_pattern_mapping = {'name': name_attribute_mapping,
|
|
268
|
+
'description': summary_attribute_mapping}
|
|
269
|
+
|
|
270
|
+
attack_pattern_references_mapping = {'mitre-attack': references_attribute_mapping,
|
|
271
|
+
'capec': id_attribute_mapping}
|
|
272
|
+
|
|
273
|
+
course_of_action_mapping = {'description': description_attribute_mapping,
|
|
274
|
+
'name': name_attribute_mapping}
|
|
275
|
+
|
|
276
|
+
credential_mapping = {'credential': credential_attribute_mapping,
|
|
277
|
+
'user-account:credential': credential_attribute_mapping,
|
|
278
|
+
'user_id': user_id_mapping,
|
|
279
|
+
'user-account:user_id': user_id_mapping}
|
|
280
|
+
|
|
281
|
+
domain_ip_mapping = {'domain-name': domain_attribute_mapping,
|
|
282
|
+
'domain-name:value': domain_attribute_mapping,
|
|
283
|
+
'ipv4-addr': ip_attribute_mapping,
|
|
284
|
+
'ipv6-addr': ip_attribute_mapping,
|
|
285
|
+
'ipv4-addr:value': ip_attribute_mapping,
|
|
286
|
+
'ipv6-addr:value': ip_attribute_mapping,
|
|
287
|
+
'domain-name:resolves_to_refs[*].value': ip_attribute_mapping,
|
|
288
|
+
'network-traffic:dst_port': dst_port_attribute_mapping,
|
|
289
|
+
'network-traffic:src_port': src_port_attribute_mapping}
|
|
290
|
+
|
|
291
|
+
email_mapping = {'date': email_date_attribute_mapping,
|
|
292
|
+
'email-message:date': email_date_attribute_mapping,
|
|
293
|
+
'email-message:to_refs[*].value': to_attribute_mapping,
|
|
294
|
+
'email-message:cc_refs[*].value': cc_attribute_mapping,
|
|
295
|
+
'subject': email_subject_attribute_mapping,
|
|
296
|
+
'email-message:subject': email_subject_attribute_mapping,
|
|
297
|
+
'X-Mailer': x_mailer_attribute_mapping,
|
|
298
|
+
'email-message:additional_header_fields.x_mailer': x_mailer_attribute_mapping,
|
|
299
|
+
'Reply-To': reply_to_attribute_mapping,
|
|
300
|
+
'email-message:additional_header_fields.reply_to': reply_to_attribute_mapping,
|
|
301
|
+
'email-message:from_ref.value': from_attribute_mapping,
|
|
302
|
+
'email-addr:value': to_attribute_mapping}
|
|
303
|
+
|
|
304
|
+
email_references_mapping = {'attachment': email_attachment_attribute_mapping,
|
|
305
|
+
'cc_refs': cc_attribute_mapping,
|
|
306
|
+
'from_ref': from_attribute_mapping,
|
|
307
|
+
'screenshot': screenshot_attribute_mapping,
|
|
308
|
+
'to_refs': to_attribute_mapping}
|
|
309
|
+
|
|
310
|
+
file_mapping = {'artifact:mime_type': mime_type_attribute_mapping,
|
|
311
|
+
'file:content_ref.mime_type': mime_type_attribute_mapping,
|
|
312
|
+
'mime_type': mime_type_attribute_mapping,
|
|
313
|
+
'file:mime_type': mime_type_attribute_mapping,
|
|
314
|
+
'name': filename_attribute_mapping,
|
|
315
|
+
'file:name': filename_attribute_mapping,
|
|
316
|
+
'name_enc': encoding_attribute_mapping,
|
|
317
|
+
'file:name_enc': encoding_attribute_mapping,
|
|
318
|
+
'file:parent_directory_ref.path': path_attribute_mapping,
|
|
319
|
+
'directory:path': path_attribute_mapping,
|
|
320
|
+
'size': size_attribute_mapping,
|
|
321
|
+
'file:size': size_attribute_mapping}
|
|
322
|
+
|
|
323
|
+
network_traffic_mapping = {'dst_port':dst_port_attribute_mapping,
|
|
324
|
+
'src_port': src_port_attribute_mapping,
|
|
325
|
+
'network-traffic:dst_port': dst_port_attribute_mapping,
|
|
326
|
+
'network-traffic:src_port': src_port_attribute_mapping}
|
|
327
|
+
|
|
328
|
+
ip_port_mapping = {'value': domain_attribute_mapping,
|
|
329
|
+
'domain-name:value': domain_attribute_mapping,
|
|
330
|
+
'network-traffic:dst_ref.value': {'type': 'ip-dst', 'object_relation': 'ip-dst'},
|
|
331
|
+
'network-traffic:src_ref.value': {'type': 'ip-src', 'object_relation': 'ip-src'}}
|
|
332
|
+
ip_port_mapping.update(network_traffic_mapping)
|
|
333
|
+
|
|
334
|
+
ip_port_references_mapping = {'domain-name': domain_attribute_mapping,
|
|
335
|
+
'ipv4-addr': network_traffic_ip,
|
|
336
|
+
'ipv6-addr': network_traffic_ip}
|
|
337
|
+
|
|
338
|
+
network_socket_extension_mapping = {'address_family': address_family_attribute_mapping,
|
|
339
|
+
"network-traffic:extensions.'socket-ext'.address_family": address_family_attribute_mapping,
|
|
340
|
+
'protocol_family': domain_family_attribute_mapping,
|
|
341
|
+
"network-traffic:extensions.'socket-ext'.protocol_family": domain_family_attribute_mapping,
|
|
342
|
+
'is_blocking': state_attribute_mapping,
|
|
343
|
+
"network-traffic:extensions.'socket-ext'.is_blocking": state_attribute_mapping,
|
|
344
|
+
'is_listening': state_attribute_mapping,
|
|
345
|
+
"network-traffic:extensions.'socket-ext'.is_listening": state_attribute_mapping}
|
|
346
|
+
|
|
347
|
+
network_traffic_references_mapping = {'domain-name': {'type': 'hostname', 'object_relation': 'hostname-{}'},
|
|
348
|
+
'ipv4-addr': network_traffic_ip,
|
|
349
|
+
'ipv6-addr': network_traffic_ip}
|
|
350
|
+
|
|
351
|
+
pe_mapping = {'pe_type': pe_type_mapping, 'number_of_sections': number_sections_mapping, 'imphash': imphash_mapping}
|
|
352
|
+
|
|
353
|
+
pe_section_mapping = {'name': section_name_mapping, 'size': size_attribute_mapping, 'entropy': entropy_mapping}
|
|
354
|
+
|
|
355
|
+
hash_types = ('MD5', 'SHA-1', 'SHA-256', 'SHA-224', 'SHA-384', 'SHA-512', 'ssdeep', 'tlsh')
|
|
356
|
+
for hash_type in hash_types:
|
|
357
|
+
misp_hash_type = hash_type.replace('-', '').lower()
|
|
358
|
+
attribute = {'type': misp_hash_type, 'object_relation': misp_hash_type}
|
|
359
|
+
file_mapping[hash_type] = attribute
|
|
360
|
+
file_mapping.update({f"file:hashes.'{feature}'": attribute for feature in (hash_type, misp_hash_type)})
|
|
361
|
+
file_mapping.update({f"file:hashes.{feature}": attribute for feature in (hash_type, misp_hash_type)})
|
|
362
|
+
pe_section_mapping[hash_type] = attribute
|
|
363
|
+
pe_section_mapping[misp_hash_type] = attribute
|
|
364
|
+
|
|
365
|
+
process_mapping = {'name': process_name_mapping,
|
|
366
|
+
'process:name': process_name_mapping,
|
|
367
|
+
'pid': pid_attribute_mapping,
|
|
368
|
+
'process:pid': pid_attribute_mapping,
|
|
369
|
+
'created': process_creation_time_mapping,
|
|
370
|
+
'process:created': process_creation_time_mapping,
|
|
371
|
+
'command_line': process_command_line_mapping,
|
|
372
|
+
'process:command_line': process_command_line_mapping,
|
|
373
|
+
'process:parent_ref.pid': {'type': 'text', 'object_relation': 'parent-pid'},
|
|
374
|
+
'process:child_refs[*].pid': {'type': 'text', 'object_relation': 'child-pid'},
|
|
375
|
+
'process:binary_ref.name': process_image_mapping}
|
|
376
|
+
|
|
377
|
+
child_process_reference_mapping = {'pid': {'type': 'text', 'object_relation': 'child-pid'}}
|
|
378
|
+
|
|
379
|
+
parent_process_reference_mapping = {'command_line': {'type': 'text', 'object_relation': 'parent-command-line'},
|
|
380
|
+
'pid': {'type': 'text', 'object_relation': 'parent-pid'},
|
|
381
|
+
'process-name': {'type': 'text', 'object_relation': 'parent-process-name'}}
|
|
382
|
+
|
|
383
|
+
regkey_mapping = {'data': data_attribute_mapping,
|
|
384
|
+
'windows-registry-key:values.data': data_attribute_mapping,
|
|
385
|
+
'data_type': data_type_attribute_mapping,
|
|
386
|
+
'windows-registry-key:values.data_type': data_type_attribute_mapping,
|
|
387
|
+
'modified': modified_attribute_mapping,
|
|
388
|
+
'windows-registry-key:modified': modified_attribute_mapping,
|
|
389
|
+
'name': regkey_name_attribute_mapping,
|
|
390
|
+
'windows-registry-key:values.name': regkey_name_attribute_mapping,
|
|
391
|
+
'key': key_attribute_mapping,
|
|
392
|
+
'windows-registry-key:key': key_attribute_mapping,
|
|
393
|
+
'windows-registry-key:value': {'type': 'text', 'object_relation': 'hive'}
|
|
394
|
+
}
|
|
395
|
+
|
|
396
|
+
url_mapping = {'url': url_attribute_mapping,
|
|
397
|
+
'url:value': url_attribute_mapping,
|
|
398
|
+
'domain-name': domain_attribute_mapping,
|
|
399
|
+
'domain-name:value': domain_attribute_mapping,
|
|
400
|
+
'network-traffic': url_port_attribute_mapping,
|
|
401
|
+
'network-traffic:dst_port': url_port_attribute_mapping,
|
|
402
|
+
'ipv4-addr:value': ip_attribute_mapping,
|
|
403
|
+
'ipv6-addr:value': ip_attribute_mapping
|
|
404
|
+
}
|
|
405
|
+
|
|
406
|
+
user_account_mapping = {'account_created': {'type': 'datetime', 'object_relation': 'created'},
|
|
407
|
+
'account_expires': {'type': 'datetime', 'object_relation': 'expires'},
|
|
408
|
+
'account_first_login': {'type': 'datetime', 'object_relation': 'first_login'},
|
|
409
|
+
'account_last_login': {'type': 'datetime', 'object_relation': 'last_login'},
|
|
410
|
+
'account_login': user_id_mapping,
|
|
411
|
+
'account_type': {'type': 'text', 'object_relation': 'account-type'},
|
|
412
|
+
'can_escalate_privs': {'type': 'boolean', 'object_relation': 'can_escalate_privs'},
|
|
413
|
+
'credential': credential_attribute_mapping,
|
|
414
|
+
'credential_last_changed': {'type': 'datetime', 'object_relation': 'password_last_changed'},
|
|
415
|
+
'display_name': {'type': 'text', 'object_relation': 'display-name'},
|
|
416
|
+
'gid': {'type': 'text', 'object_relation': 'group-id'},
|
|
417
|
+
'home_dir': {'type': 'text', 'object_relation': 'home_dir'},
|
|
418
|
+
'is_disabled': {'type': 'boolean', 'object_relation': 'disabled'},
|
|
419
|
+
'is_privileged': {'type': 'boolean', 'object_relation': 'privileged'},
|
|
420
|
+
'is_service_account': {'type': 'boolean', 'object_relation': 'is_service_account'},
|
|
421
|
+
'shell': {'type': 'text', 'object_relation': 'shell'},
|
|
422
|
+
'user_id': {'type': 'text', 'object_relation': 'user-id'}}
|
|
423
|
+
|
|
424
|
+
vulnerability_mapping = {'name': id_attribute_mapping,
|
|
425
|
+
'description': summary_attribute_mapping}
|
|
426
|
+
|
|
427
|
+
x509_mapping = {'issuer': issuer_attribute_mapping,
|
|
428
|
+
'x509-certificate:issuer': issuer_attribute_mapping,
|
|
429
|
+
'serial_number': serial_number_attribute_mapping,
|
|
430
|
+
'x509-certificate:serial_number': serial_number_attribute_mapping,
|
|
431
|
+
'subject': x509_subject_attribute_mapping,
|
|
432
|
+
'x509-certificate:subject': x509_subject_attribute_mapping,
|
|
433
|
+
'subject_public_key_algorithm': x509_spka_attribute_mapping,
|
|
434
|
+
'x509-certificate:subject_public_key_algorithm': x509_spka_attribute_mapping,
|
|
435
|
+
'subject_public_key_exponent': x509_spke_attribute_mapping,
|
|
436
|
+
'x509-certificate:subject_public_key_exponent': x509_spke_attribute_mapping,
|
|
437
|
+
'subject_public_key_modulus': x509_spkm_attribute_mapping,
|
|
438
|
+
'x509-certificate:subject_public_key_modulus': x509_spkm_attribute_mapping,
|
|
439
|
+
'validity_not_before': x509_vnb_attribute_mapping,
|
|
440
|
+
'x509-certificate:validity_not_before': x509_vnb_attribute_mapping,
|
|
441
|
+
'validity_not_after': x509_vna_attribute_mapping,
|
|
442
|
+
'x509-certificate:validity_not_after': x509_vna_attribute_mapping,
|
|
443
|
+
'version': x509_version_attribute_mapping,
|
|
444
|
+
'x509-certificate:version': x509_version_attribute_mapping,
|
|
445
|
+
'SHA-1': x509_sha1_attribute_mapping,
|
|
446
|
+
"x509-certificate:hashes.'sha1'": x509_sha1_attribute_mapping,
|
|
447
|
+
'SHA-256': x509_sha256_attribute_mapping,
|
|
448
|
+
"x509-certificate:hashes.'sha256'": x509_sha256_attribute_mapping,
|
|
449
|
+
'MD5': x509_md5_attribute_mapping,
|
|
450
|
+
"x509-certificate:hashes.'md5'": x509_md5_attribute_mapping,
|
|
451
|
+
}
|
|
452
|
+
|
|
453
|
+
attachment_types = ('file:content_ref.name', 'file:content_ref.payload_bin',
|
|
454
|
+
'artifact:x_misp_text_name', 'artifact:payload_bin',
|
|
455
|
+
"file:hashes.'MD5'", "file:content_ref.hashes.'MD5'",
|
|
456
|
+
'file:name')
|
|
457
|
+
|
|
458
|
+
connection_protocols = {"IP": "3", "ICMP": "3", "ARP": "3",
|
|
459
|
+
"TCP": "4", "UDP": "4",
|
|
460
|
+
"HTTP": "7", "HTTPS": "7", "FTP": "7"}
|