AIL-framework/bin/export/MispImport.py

#!/usr/bin/env python3
# -*-coding:UTF-8 -*

import os
import sys
import uuid
import redis

sys.path.append(os.path.join(os.environ['AIL_BIN'], 'lib'))
sys.path.append(os.path.join(os.environ['AIL_BIN'], 'packages'))
import Cryptocurrency
import Pgp
import Decoded
import Domain
import Item
import Screenshot
import Correlate_object

import Import

# MISP
from pymisp import MISPEvent, MISPObject, PyMISP

# # TODO: deplace me in another fil
def get_global_id(obj_type, obj_id, obj_subtype=None):
    if obj_subtype:
        return '{}:{}:{}'.format(obj_type, obj_subtype, obj_id)
    else:
        return '{}:{}'.format(obj_type, obj_id)

# sub type
# obj type
# obj value
def get_global_id_from_misp_obj(misp_obj):
    pass

def get_misp_obj_tag(misp_obj):
    if misp_obj.attributes:
        misp_tags = misp_obj.attributes[0].tags
        tags = []
        for misp_tag in misp_tags:
            tags.append(misp_tag.name)
        return tags
    else:
        return []

def get_object_metadata(misp_obj):
    obj_meta = {}
    if 'first_seen' in misp_obj.keys():
        obj_meta['first_seen'] = misp_obj.first_seen
    if 'last_seen' in misp_obj.keys():
        obj_meta['last_seen'] = misp_obj.first_seen
    obj_meta['tags'] = get_misp_obj_tag(misp_obj)
    return obj_meta

def unpack_item_obj(map_uuid_global_id, misp_obj):
    obj_meta = get_object_metadata(misp_obj)
    obj_id = None
    io_content = None

    for attribute in misp_obj.attributes:
        if attribute.object_relation == 'raw-data':
            obj_id = attribute.value               # # TODO: sanitize
            io_content = attribute.data             # # TODO: check if type == io

    if obj_id and io_content:
        res = Item.create_item(obj_id, obj_meta, io_content)
        print(res)

    map_uuid_global_id[misp_obj.uuid] = get_global_id('item', obj_id)


## TODO: handle multiple pgp in the same object
def unpack_obj_pgp(map_uuid_global_id, misp_obj):
    # get obj sub type
    obj_attr = misp_obj.attributes[0]
    obj_id = obj_attr.value
    if obj_attr.object_relation == 'key-id':
        obj_subtype = 'key'
    elif obj_attr.object_relation == 'user-id-name':
        obj_subtype = 'name'
    elif obj_attr.object_relation == 'user-id-email':
        obj_subtype = 'mail'

    if obj_id and obj_subtype:
        obj_meta = get_object_metadata(misp_obj)
        res = Pgp.pgp.create_correlation(obj_subtype, obj_id, obj_meta)
        print(res)

        map_uuid_global_id[misp_obj.uuid] = get_global_id('pgp', obj_id, obj_subtype=obj_subtype)

        #get_obj_relationship(misp_obj)

def unpack_obj_cryptocurrency(map_uuid_global_id, misp_obj):
    obj_id = None
    obj_subtype = None
    for attribute in misp_obj.attributes:
        if attribute.object_relation == 'address': # # TODO: handle xmr address field
            obj_id = attribute.value
        elif attribute.object_relation == 'symbol':
            obj_subtype = Cryptocurrency.get_cryptocurrency_type(attribute.value)

    # valid cryptocurrency type
    if obj_subtype and obj_id:
        print('crypto')
        print(obj_id)
        print(obj_subtype)

        obj_meta = get_object_metadata(misp_obj)
        print(obj_meta)
        res = Cryptocurrency.cryptocurrency.create_correlation(obj_subtype, obj_id, obj_meta)
        print(res)

        map_uuid_global_id[misp_obj.uuid] = get_global_id('pgp', obj_id, obj_subtype=obj_subtype)

    #get_obj_relationship(misp_obj)

def get_obj_type_from_relationship(misp_obj):
    obj_uuid = misp_obj.uuid
    obj_type = None

    for relation in misp_obj.ObjectReference:
        if relation.object_uuid == obj_uuid:
            if relation.relationship_type == "screenshot-of":
                return 'screenshot'
            if relation.relationship_type == "included-in":
                obj_type = 'decoded'
    return obj_type

def get_obj_relationship(misp_obj):
    for item in misp_obj.ObjectReference:
        print(item.to_json())


# # TODO: covert md5 and sha1 to expected
def unpack_file(map_uuid_global_id, misp_obj):

    obj_type = get_obj_type_from_relationship(misp_obj)
    if obj_type:
        obj_id = None
        io_content = None
        for attribute in misp_obj.attributes:
            # get file content
            if attribute.object_relation == 'attachment':
                io_content = attribute.data
            elif attribute.object_relation == 'malware-sample':
                io_content = attribute.data

            # # TODO: use/verify specified mimetype
            elif attribute.object_relation == 'mimetype':
                print(attribute.value)

            # # TODO: support more
            elif attribute.object_relation == 'sha1' and obj_type == 'decoded':
                obj_id = attribute.value
            elif attribute.object_relation == 'sha256' and obj_type == 'screenshot':
                obj_id = attribute.value

        if obj_id and io_content:
            print(obj_type)
            obj_meta = get_object_metadata(misp_obj)
            if obj_type == 'screenshot':
                #Screenshot.create_screenshot(obj_id, obj_meta, io_content)
                pass
            else: #decoded
                Decoded.create_decoded(obj_id, obj_meta, io_content)

def get_misp_import_fct(map_uuid_global_id, misp_obj):
    #print(misp_obj.ObjectReference)
    #for item in misp_obj.ObjectReference:
    #    print(item.to_json())
    #obj_meta = get_object_metadata(misp_obj)

    #print(misp_obj.name)

    if misp_obj.name == 'ail-leak':
        #unpack_item_obj(map_uuid_global_id, misp_obj)
        #print(misp_obj.to_json())
        pass
    elif misp_obj.name == 'domain-ip':
        pass
    elif misp_obj.name == 'pgp-meta':
        #unpack_obj_pgp(map_uuid_global_id, misp_obj)
        pass
    elif misp_obj.name == 'coin-address':
        #unpack_obj_cryptocurrency(map_uuid_global_id, misp_obj)
        pass
    elif misp_obj.name == 'file':
        unpack_file(map_uuid_global_id, misp_obj)
        print()
        print('---')
        print()
        #unpack_item_obj(map_uuid_global_id, misp_obj)
        pass

def import_objs_from_file(filepath):
    event_to_import = MISPEvent()
    event_to_import.load_file(filepath)

    map_uuid_global_id = {}

    for misp_obj in event_to_import.objects:
        get_misp_import_fct(map_uuid_global_id, misp_obj)

    print(map_uuid_global_id)


if __name__ == '__main__':

    # misp = PyMISP('https://127.0.0.1:8443/', 'uXgcN42b7xuL88XqK5hubwD8Q8596VrrBvkHQzB0', False)

    #import_objs_from_file('test_import_item.json')
    import_objs_from_file('test_import_item.json')
chg: [add MISP import](no correlations) import item + pgp(incomplete) + screenshot(incomplete) 2020-02-06 17:14:08 +01:00			`#!/usr/bin/env python3`
			`# --coding:UTF-8 -`

			`import os`
			`import sys`
			`import uuid`
			`import redis`

			`sys.path.append(os.path.join(os.environ['AIL_BIN'], 'lib'))`
			`sys.path.append(os.path.join(os.environ['AIL_BIN'], 'packages'))`
			`import Cryptocurrency`
			`import Pgp`
			`import Decoded`
			`import Domain`
			`import Item`
			`import Screenshot`
			`import Correlate_object`

			`import Import`

			`# MISP`
			`from pymisp import MISPEvent, MISPObject, PyMISP`

			`# # TODO: deplace me in another fil`
			`def get_global_id(obj_type, obj_id, obj_subtype=None):`
			`if obj_subtype:`
			`return '{}:{}:{}'.format(obj_type, obj_subtype, obj_id)`
			`else:`
			`return '{}:{}'.format(obj_type, obj_id)`

			`# sub type`
			`# obj type`
			`# obj value`
			`def get_global_id_from_misp_obj(misp_obj):`
			`pass`

			`def get_misp_obj_tag(misp_obj):`
			`if misp_obj.attributes:`
			`misp_tags = misp_obj.attributes[0].tags`
			`tags = []`
			`for misp_tag in misp_tags:`
			`tags.append(misp_tag.name)`
			`return tags`
			`else:`
			`return []`

			`def get_object_metadata(misp_obj):`
			`obj_meta = {}`
			`if 'first_seen' in misp_obj.keys():`
			`obj_meta['first_seen'] = misp_obj.first_seen`
			`if 'last_seen' in misp_obj.keys():`
			`obj_meta['last_seen'] = misp_obj.first_seen`
			`obj_meta['tags'] = get_misp_obj_tag(misp_obj)`
			`return obj_meta`

			`def unpack_item_obj(map_uuid_global_id, misp_obj):`
			`obj_meta = get_object_metadata(misp_obj)`
			`obj_id = None`
			`io_content = None`

			`for attribute in misp_obj.attributes:`
			`if attribute.object_relation == 'raw-data':`
			`obj_id = attribute.value # # TODO: sanitize`
			`io_content = attribute.data # # TODO: check if type == io`

			`if obj_id and io_content:`
			`res = Item.create_item(obj_id, obj_meta, io_content)`
			`print(res)`

chg: [add MISP import] correlation TODO: create correlation 2020-02-07 15:08:41 +01:00			`map_uuid_global_id[misp_obj.uuid] = get_global_id('item', obj_id)`
chg: [add MISP import](no correlations) import item + pgp(incomplete) + screenshot(incomplete) 2020-02-06 17:14:08 +01:00


			`## TODO: handle multiple pgp in the same object`
			`def unpack_obj_pgp(map_uuid_global_id, misp_obj):`
			`# get obj sub type`
			`obj_attr = misp_obj.attributes[0]`
			`obj_id = obj_attr.value`
			`if obj_attr.object_relation == 'key-id':`
			`obj_subtype = 'key'`
			`elif obj_attr.object_relation == 'user-id-name':`
			`obj_subtype = 'name'`
			`elif obj_attr.object_relation == 'user-id-email':`
			`obj_subtype = 'mail'`

chg: [add MISP import] correlation TODO: create correlation 2020-02-07 15:08:41 +01:00			`if obj_id and obj_subtype:`
			`obj_meta = get_object_metadata(misp_obj)`
			`res = Pgp.pgp.create_correlation(obj_subtype, obj_id, obj_meta)`
chg: [add MISP import](no correlations) import item + pgp(incomplete) + screenshot(incomplete) 2020-02-06 17:14:08 +01:00			`print(res)`

chg: [add MISP import] correlation TODO: create correlation 2020-02-07 15:08:41 +01:00			`map_uuid_global_id[misp_obj.uuid] = get_global_id('pgp', obj_id, obj_subtype=obj_subtype)`
chg: [add MISP import](no correlations) import item + pgp(incomplete) + screenshot(incomplete) 2020-02-06 17:14:08 +01:00
chg: [add MISP import] correlation TODO: create correlation 2020-02-07 15:08:41 +01:00			`#get_obj_relationship(misp_obj)`
chg: [add MISP import](no correlations) import item + pgp(incomplete) + screenshot(incomplete) 2020-02-06 17:14:08 +01:00
			`def unpack_obj_cryptocurrency(map_uuid_global_id, misp_obj):`
			`obj_id = None`
chg: [add MISP import] correlation TODO: create correlation 2020-02-07 15:08:41 +01:00			`obj_subtype = None`
chg: [add MISP import](no correlations) import item + pgp(incomplete) + screenshot(incomplete) 2020-02-06 17:14:08 +01:00			`for attribute in misp_obj.attributes:`
chg: [add MISP import] correlation TODO: create correlation 2020-02-07 15:08:41 +01:00			`if attribute.object_relation == 'address': # # TODO: handle xmr address field`
chg: [add MISP import](no correlations) import item + pgp(incomplete) + screenshot(incomplete) 2020-02-06 17:14:08 +01:00			`obj_id = attribute.value`
			`elif attribute.object_relation == 'symbol':`
chg: [add MISP import] correlation TODO: create correlation 2020-02-07 15:08:41 +01:00			`obj_subtype = Cryptocurrency.get_cryptocurrency_type(attribute.value)`
chg: [add MISP import](no correlations) import item + pgp(incomplete) + screenshot(incomplete) 2020-02-06 17:14:08 +01:00
chg: [add MISP import] correlation TODO: create correlation 2020-02-07 15:08:41 +01:00			`# valid cryptocurrency type`
			`if obj_subtype and obj_id:`
			`print('crypto')`
			`print(obj_id)`
			`print(obj_subtype)`
chg: [add MISP import](no correlations) import item + pgp(incomplete) + screenshot(incomplete) 2020-02-06 17:14:08 +01:00
			`obj_meta = get_object_metadata(misp_obj)`
chg: [add MISP import] correlation TODO: create correlation 2020-02-07 15:08:41 +01:00			`print(obj_meta)`
			`res = Cryptocurrency.cryptocurrency.create_correlation(obj_subtype, obj_id, obj_meta)`
			`print(res)`
chg: [add MISP import](no correlations) import item + pgp(incomplete) + screenshot(incomplete) 2020-02-06 17:14:08 +01:00
			`map_uuid_global_id[misp_obj.uuid] = get_global_id('pgp', obj_id, obj_subtype=obj_subtype)`

chg: [MISP import] import files obj: decoded + screenshot 2020-02-11 15:48:30 +01:00			`#get_obj_relationship(misp_obj)`

			`def get_obj_type_from_relationship(misp_obj):`
			`obj_uuid = misp_obj.uuid`
			`obj_type = None`

			`for relation in misp_obj.ObjectReference:`
			`if relation.object_uuid == obj_uuid:`
			`if relation.relationship_type == "screenshot-of":`
			`return 'screenshot'`
			`if relation.relationship_type == "included-in":`
			`obj_type = 'decoded'`
			`return obj_type`

			`def get_obj_relationship(misp_obj):`
			`for item in misp_obj.ObjectReference:`
			`print(item.to_json())`


			`# # TODO: covert md5 and sha1 to expected`
			`def unpack_file(map_uuid_global_id, misp_obj):`

			`obj_type = get_obj_type_from_relationship(misp_obj)`
			`if obj_type:`
			`obj_id = None`
			`io_content = None`
			`for attribute in misp_obj.attributes:`
			`# get file content`
			`if attribute.object_relation == 'attachment':`
			`io_content = attribute.data`
			`elif attribute.object_relation == 'malware-sample':`
			`io_content = attribute.data`

			`# # TODO: use/verify specified mimetype`
			`elif attribute.object_relation == 'mimetype':`
			`print(attribute.value)`

			`# # TODO: support more`
			`elif attribute.object_relation == 'sha1' and obj_type == 'decoded':`
			`obj_id = attribute.value`
			`elif attribute.object_relation == 'sha256' and obj_type == 'screenshot':`
			`obj_id = attribute.value`

			`if obj_id and io_content:`
			`print(obj_type)`
			`obj_meta = get_object_metadata(misp_obj)`
			`if obj_type == 'screenshot':`
			`#Screenshot.create_screenshot(obj_id, obj_meta, io_content)`
			`pass`
			`else: #decoded`
			`Decoded.create_decoded(obj_id, obj_meta, io_content)`
chg: [add MISP import](no correlations) import item + pgp(incomplete) + screenshot(incomplete) 2020-02-06 17:14:08 +01:00
			`def get_misp_import_fct(map_uuid_global_id, misp_obj):`
			`#print(misp_obj.ObjectReference)`
			`#for item in misp_obj.ObjectReference:`
			`# print(item.to_json())`
			`#obj_meta = get_object_metadata(misp_obj)`

			`#print(misp_obj.name)`

			`if misp_obj.name == 'ail-leak':`
chg: [MISP import] import files obj: decoded + screenshot 2020-02-11 15:48:30 +01:00			`#unpack_item_obj(map_uuid_global_id, misp_obj)`
chg: [add MISP import](no correlations) import item + pgp(incomplete) + screenshot(incomplete) 2020-02-06 17:14:08 +01:00			`#print(misp_obj.to_json())`
			`pass`
			`elif misp_obj.name == 'domain-ip':`
			`pass`
			`elif misp_obj.name == 'pgp-meta':`
chg: [MISP import] import files obj: decoded + screenshot 2020-02-11 15:48:30 +01:00			`#unpack_obj_pgp(map_uuid_global_id, misp_obj)`
			`pass`
chg: [add MISP import](no correlations) import item + pgp(incomplete) + screenshot(incomplete) 2020-02-06 17:14:08 +01:00			`elif misp_obj.name == 'coin-address':`
chg: [MISP import] import files obj: decoded + screenshot 2020-02-11 15:48:30 +01:00			`#unpack_obj_cryptocurrency(map_uuid_global_id, misp_obj)`
chg: [add MISP import](no correlations) import item + pgp(incomplete) + screenshot(incomplete) 2020-02-06 17:14:08 +01:00			`pass`
			`elif misp_obj.name == 'file':`
chg: [MISP import] import files obj: decoded + screenshot 2020-02-11 15:48:30 +01:00			`unpack_file(map_uuid_global_id, misp_obj)`
			`print()`
			`print('---')`
			`print()`
chg: [add MISP import](no correlations) import item + pgp(incomplete) + screenshot(incomplete) 2020-02-06 17:14:08 +01:00			`#unpack_item_obj(map_uuid_global_id, misp_obj)`
			`pass`

			`def import_objs_from_file(filepath):`
			`event_to_import = MISPEvent()`
			`event_to_import.load_file(filepath)`

			`map_uuid_global_id = {}`

			`for misp_obj in event_to_import.objects:`
			`get_misp_import_fct(map_uuid_global_id, misp_obj)`

			`print(map_uuid_global_id)`


			`if __name__ == '__main__':`

			`# misp = PyMISP('https://127.0.0.1:8443/', 'uXgcN42b7xuL88XqK5hubwD8Q8596VrrBvkHQzB0', False)`

chg: [add MISP import] correlation TODO: create correlation 2020-02-07 15:08:41 +01:00			`#import_objs_from_file('test_import_item.json')`
chg: [MISP import] import files obj: decoded + screenshot 2020-02-11 15:48:30 +01:00			`import_objs_from_file('test_import_item.json')`