chg: Improve MISP export

* IPs of redirects * default tags * auto publish
2021-02-01 18:07:10 +01:00 · 2021-02-01 18:07:10 +01:00 · a7484e6cc4
parent 54ba67bb87
commit a7484e6cc4
3 changed files with 24 additions and 2 deletions
--- a/config/modules.json.sample
+++ b/config/modules.json.sample
@ -16,7 +16,9 @@
    "verify_tls_cert": true,
    "timeout": 10,
    "enable_lookup": false,
-    "enable_push": false
+    "enable_push": false,
+    "default_tags": [],
+    "auto_publish": false
  },
  "_notes": {
    "apikey": "null disables the module. Pass a string otherwise.",
--- a/lookyloo/lookyloo.py
+++ b/lookyloo/lookyloo.py
@ -899,6 +899,13 @@ class Lookyloo():
                    return 'embedded_ressource.bin', blob, mimetype
        return None

+    def __misp_add_ips_to_URLObject(self, obj: URLObject, hostname_tree: HostNode) -> None:
+        hosts = obj.get_attributes_by_relation('host')
+        if hosts:
+            hostnodes = hostname_tree.search_nodes(name=hosts[0].value)
+            if hostnodes and hasattr(hostnodes[0], 'resolved_ips'):
+                obj.add_attributes('ip', *hostnodes[0].resolved_ips)
+
    def misp_export(self, capture_uuid: str) -> Union[MISPEvent, Dict[str, str]]:
        '''Export a capture in MISP format. You can POST the return of this method
        directly to a MISP instance and it will create an event.'''
@ -921,7 +928,14 @@ class Lookyloo():
            lookyloo_link.distribution = 0

        initial_url = URLObject(cache.url)
-        redirects = [URLObject(url) for url in cache.redirects if url != cache.url]
+        self.__misp_add_ips_to_URLObject(initial_url, ct.root_hartree.hostname_tree)
+        redirects: List[URLObject] = []
+        for url in cache.redirects:
+            if url == cache.url:
+                continue
+            obj = URLObject(url)
+            self.__misp_add_ips_to_URLObject(obj, ct.root_hartree.hostname_tree)
+            redirects.append(obj)

        if redirects:
            prec_object = initial_url
--- a/lookyloo/modules.py
+++ b/lookyloo/modules.py
@ -44,11 +44,17 @@ class MISP():
            self.enable_lookup = True
        if config.get('enable_push'):
            self.enable_push = True
+        self.default_tags: List[str] = config.get('default_tags') # type: ignore
+        self.auto_publish = config.get('auto_publish')
        self.storage_dir_misp = get_homedir() / 'misp'
        self.storage_dir_misp.mkdir(parents=True, exist_ok=True)

    def push(self, event: MISPEvent) -> Union[MISPEvent, Dict]:
        if self.available and self.enable_push:
+            for tag in self.default_tags:
+                event.add_tag(tag)
+            if self.auto_publish:
+                event.publish()
            return self.client.add_event(event, pythonify=True)
        else:
            return {'error': 'Module not available or push not enabled.'}