From a7484e6cc4fbe3c1b9f20b23467055d00cfdefba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 1 Feb 2021 18:07:10 +0100 Subject: [PATCH] chg: Improve MISP export * IPs of redirects * default tags * auto publish --- config/modules.json.sample | 4 +++- lookyloo/lookyloo.py | 16 +++++++++++++++- lookyloo/modules.py | 6 ++++++ 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/config/modules.json.sample b/config/modules.json.sample index 9c3d899..caed51b 100644 --- a/config/modules.json.sample +++ b/config/modules.json.sample @@ -16,7 +16,9 @@ "verify_tls_cert": true, "timeout": 10, "enable_lookup": false, - "enable_push": false + "enable_push": false, + "default_tags": [], + "auto_publish": false }, "_notes": { "apikey": "null disables the module. Pass a string otherwise.", diff --git a/lookyloo/lookyloo.py b/lookyloo/lookyloo.py index d2a49ef..01d0c63 100644 --- a/lookyloo/lookyloo.py +++ b/lookyloo/lookyloo.py @@ -899,6 +899,13 @@ class Lookyloo(): return 'embedded_ressource.bin', blob, mimetype return None + def __misp_add_ips_to_URLObject(self, obj: URLObject, hostname_tree: HostNode) -> None: + hosts = obj.get_attributes_by_relation('host') + if hosts: + hostnodes = hostname_tree.search_nodes(name=hosts[0].value) + if hostnodes and hasattr(hostnodes[0], 'resolved_ips'): + obj.add_attributes('ip', *hostnodes[0].resolved_ips) + def misp_export(self, capture_uuid: str) -> Union[MISPEvent, Dict[str, str]]: '''Export a capture in MISP format. You can POST the return of this method directly to a MISP instance and it will create an event.''' 
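Review bot: The two new keys `default_tags` and `auto_publish` are added to the sample with no entry in `_notes`, whose visible start documents only `apikey`; unless the entries are added further down (outside this hunk), an operator has no statement of what either key does. Because the companion change in lookyloo/modules.py calls `event.publish()` on every pushed event when the flag is true, the effect is that every export goes live immediately rather than staying an unpublished draft, which is worth spelling out. I would add `"auto_publish": "If true, every event pushed to MISP is published immediately instead of being left unpublished for review."` and `"default_tags": "List of tag names added to every event pushed to MISP."` to `_notes`.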
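Review bot: `__misp_add_ips_to_URLObject` has no docstring, and its `hasattr(hostnodes[0], 'resolved_ips')` guard does not exclude an empty `resolved_ips`, so `obj.add_attributes('ip')` can be called with no values at all. A guard such as `if hostnodes and getattr(hostnodes[0], 'resolved_ips', None):` covers both the missing attribute and the empty list. The docstring should state that only the first `host` attribute of `obj` is looked up in `hostname_tree`, that only the first matching node is consulted, and that its resolved IPs are added to `obj` as `ip` attributes in place (the method returns `None`). Whether `search_nodes` can return several nodes for one hostname is not visible here and should be confirmed before relying on `hostnodes[0]`.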
@@ -921,7 +928,14 @@ class Lookyloo(): lookyloo_link.distribution = 0 initial_url = URLObject(cache.url) - redirects = [URLObject(url) for url in cache.redirects if url != cache.url] + self.__misp_add_ips_to_URLObject(initial_url, ct.root_hartree.hostname_tree) + redirects: List[URLObject] = [] + for url in cache.redirects: + if url == cache.url: + continue + obj = URLObject(url) + self.__misp_add_ips_to_URLObject(obj, ct.root_hartree.hostname_tree) + redirects.append(obj) if redirects: prec_object = initial_url diff --git a/lookyloo/modules.py b/lookyloo/modules.py index 3e8aae2..c8b762a 100644 --- a/lookyloo/modules.py +++ b/lookyloo/modules.py @@ -44,11 +44,17 @@ class MISP(): self.enable_lookup = True if config.get('enable_push'): self.enable_push = True + self.default_tags: List[str] = config.get('default_tags') # type: ignore + self.auto_publish = config.get('auto_publish') self.storage_dir_misp = get_homedir() / 'misp' self.storage_dir_misp.mkdir(parents=True, exist_ok=True) def push(self, event: MISPEvent) -> Union[MISPEvent, Dict]: if self.available and self.enable_push: + for tag in self.default_tags: + event.add_tag(tag) + if self.auto_publish: + event.publish() return self.client.add_event(event, pythonify=True) else: return {'error': 'Module not available or push not enabled.'}
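Review bot: `ct.root_hartree.hostname_tree` is re-read for the initial URL and again on every loop iteration, although it does not change during the loop; binding it once keeps the redirect loop on a single line of intent and avoids repeating the attribute chain, e.g. `hostname_tree = ct.root_hartree.hostname_tree` before `self.__misp_add_ips_to_URLObject(initial_url, hostname_tree)`, with the same local passed inside the loop. The rewritten loop otherwise preserves the old comprehension's filtering of `cache.url`. `misp_export`'s body begins before and continues after this hunk, and `ct` is bound outside it.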
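Review bot: `self.default_tags = config.get('default_tags')` stores `None` whenever a deployed modules.json predates this change and lacks the key, and `push` then fails on `for tag in self.default_tags:` with a `TypeError` before anything reaches MISP; the `# type: ignore` hides exactly this case from the type checker. The same applies more mildly to `auto_publish`, which becomes `None` rather than `False`. I would write `self.default_tags: List[str] = config.get('default_tags') or []` and `self.auto_publish: bool = bool(config.get('auto_publish', False))`, so that an untouched config keeps the previous behaviour (no tags, no publishing). Note also that `event.publish()` is applied unconditionally before `add_event`, so a caller cannot push a single event as a draft once the flag is on; if that is intended, a one-line comment above the `if self.auto_publish:` branch saying so would help the next reader.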