CIRCL
/
AIL-framework
mirror of https://github.com/CIRCL/AIL-framework
2
1
Fork 0
Code Issues Releases Wiki Activity

update/feature: Max number of duplicate push to MISP + duplicate are pushed as attachment

pull/151/head
Sami Mokaddem 2017-11-23 07:13:44 +01:00
parent 805171a8a5
commit 2a967c4d92
3 changed files with 37 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
bin/ailleakObject.py
View File

@ -2,58 +2,69 @@
# -*-coding:UTF-8 -* # -*-coding:UTF-8 -*
from pymisp.tools.abstractgenerator import AbstractMISPObjectGenerator from pymisp.tools.abstractgenerator import AbstractMISPObjectGenerator
import configparser
from packages import Paste from packages import Paste
import datetime import datetime
import json import json
from io import BytesIO
class AilleakObject(AbstractMISPObjectGenerator): class AilleakObject(AbstractMISPObjectGenerator):
def __init__(self, moduleName, p_source, p_date, p_content, p_duplicate): def __init__(self, moduleName, p_source, p_date, p_content, p_duplicate, p_duplicate_number):
super(AbstractMISPObjectGenerator, self).__init__('ail-leak') super(AbstractMISPObjectGenerator, self).__init__('ail-leak')
self.moduleName = moduleName self._moduleName = moduleName
self.p_source = p_source self._p_source = p_source.split('/')[-5:]
self.p_date = p_date self._p_source = '/'.join(self._p_source)[:-3] # -3 removes .gz
self.p_content = p_content self._p_date = p_date
self.p_duplicate = p_duplicate self._p_content = p_content.encode('utf8')
self._p_duplicate = p_duplicate
self._p_duplicate_number = p_duplicate_number
self.generate_attributes() self.generate_attributes()
def generate_attributes(self): def generate_attributes(self):
self.add_attribute('type', value=self.moduleName) self.add_attribute('type', value=self._moduleName)
self.add_attribute('origin', value=self.p_source) self.add_attribute('origin', value=self._p_source, type='text')
self.add_attribute('last-seen', value=self.p_date) self.add_attribute('last-seen', value=self._p_date)
self.add_attribute('duplicate-list', value=self.p_duplicate) if self._p_duplicate_number > 0:
self.add_attribute('raw-data', value=self.p_content) self.add_attribute('duplicate', value=self._p_duplicate, type='text')
self.add_attribute('duplicate_number', value=self._p_duplicate_number, type='counter')
self._pseudofile = BytesIO(self._p_content)
self.add_attribute('raw-data', value=self._p_source, data=self._pseudofile, type="attachment")
class ObjectWrapper: class ObjectWrapper:
def __init__(self, pymisp): def __init__(self, pymisp):
self.pymisp = pymisp self.pymisp = pymisp
self.currentID_date = None self.currentID_date = None
self.eventID_to_push = self.get_daily_event_id() self.eventID_to_push = self.get_daily_event_id()
cfg = configparser.ConfigParser()
cfg.read('./packages/config.cfg')
self.maxDuplicateToPushToMISP = cfg.getint("ailleakObject", "maxDuplicateToPushToMISP")
def add_new_object(self, moduleName, path): def add_new_object(self, moduleName, path):
self.moduleName = moduleName self.moduleName = moduleName
self.path = path self.path = path
self.paste = Paste.Paste(path) self.paste = Paste.Paste(path)
self.p_date = self.date_to_str(self.paste.p_date) self.p_date = self.date_to_str(self.paste.p_date)
self.p_source = self.paste.supposed_url self.p_source = self.paste.p_path
self.p_content = self.paste.get_p_content().decode('utf8') self.p_content = self.paste.get_p_content().decode('utf8')
temp = self.paste._get_p_duplicate() temp = self.paste._get_p_duplicate()
try: try:
temp = temp.decode('utf8') temp = temp.decode('utf8')
except AttributeError: except AttributeError:
print('decode error') pass
#beautifier #beautifier
temp = json.loads(temp) temp = json.loads(temp)
to_ret = [] self.p_duplicate_number = len(temp) if len(temp) >= 0 else 0
for dup in temp: to_ret = ""
for dup in temp[:self.maxDuplicateToPushToMISP]:
algo = dup[0] algo = dup[0]
path = dup[1].split('/')[-5:] path = dup[1].split('/')[-5:]
path = '/'.join(path)[:-3] # -3 removes .gz
perc = dup[2] perc = dup[2]
to_ret.append([path, algo, perc]) to_ret += "{}: {} [{}%]\n".format(path, algo, perc)
self.p_duplicate = str(to_ret) self.p_duplicate = to_ret
self.mispObject = AilleakObject(self.moduleName, self.p_source, self.p_date, self.p_content, self.p_duplicate) self.mispObject = AilleakObject(self.moduleName, self.p_source, self.p_date, self.p_content, self.p_duplicate, self.p_duplicate_number)
''' '''
# duplicated # duplicated
@ -137,9 +148,10 @@ if __name__ == "__main__":
pymisp = PyMISP(misp_url, misp_key, misp_verifycert) pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
moduleName = "Credentials" moduleName = "credentials"
path = "/home/sami/git/AIL-framework/PASTES/archive/pastebin.com_pro/2017/08/23/bPFaJymf.gz" path = "/home/sami/git/AIL-framework/PASTES/archive/pastebin.com_pro/2017/08/23/bPFaJymf.gz"
wrapper = ObjectWrapper(moduleName, path, pymisp) wrapper = ObjectWrapper(pymisp)
wrapper.add_new_object(moduleName, path)
wrapper.pushToMISP() wrapper.pushToMISP()
''' '''

2
bin/alertHandler.py
View File

@ -66,7 +66,7 @@ if __name__ == "__main__":
publisher.info('Saved warning paste {}'.format(p_path)) publisher.info('Saved warning paste {}'.format(p_path))
# Create MISP AIL-leak object and push it # Create MISP AIL-leak object and push it
allowed_modules = ['credential'] allowed_modules = ['credential', 'phone', 'creditcards']
if module_name in allowed_modules: if module_name in allowed_modules:
wrapper.add_new_object(module_name, p_path) wrapper.add_new_object(module_name, p_path)
wrapper.pushToMISP() wrapper.pushToMISP()

3
bin/packages/config.cfg.sample
View File

@ -130,6 +130,9 @@ register = indexdir/all_index.txt
#size in Mb #size in Mb
index_max_size = 2000 index_max_size = 2000
[ailleakObject]
maxDuplicateToPushToMISP=10
############################################################################### ###############################################################################
# For multiple feed, add them with "," without space # For multiple feed, add them with "," without space