new: Add first seen key to captured element in MISP export

Fix https://github.com/Lookyloo/lookyloo/issues/985
pull/986/head
Raphaël Vinot 2024-11-06 16:23:59 +01:00
parent 50c29f17dd
commit f3db8b91c0
1 changed files with 13 additions and 4 deletions


@ -8,7 +8,8 @@ import re
from io import BytesIO from io import BytesIO
from collections import defaultdict from collections import defaultdict
from collections.abc import Mapping from collections.abc import Mapping
from typing import Any, TYPE_CHECKING, Iterator from typing import Any, TYPE_CHECKING
from collections.abc import Iterator
import requests import requests
from har2tree import HostNode, URLNode, Har2TreeError from har2tree import HostNode, URLNode, Har2TreeError
@ -93,11 +94,13 @@ class MISPs(Mapping, AbstractModule): # type: ignore[type-arg]
initial_file = FileObject(pseudofile=pseudofile, filename=filename) initial_file = FileObject(pseudofile=pseudofile, filename=filename)
initial_file.comment = 'This is a capture of a file, rendered in the browser' initial_file.comment = 'This is a capture of a file, rendered in the browser'
initial_file.first_seen = cache.timestamp
initial_obj = event.add_object(initial_file) initial_obj = event.add_object(initial_file)
else: else:
event.info = f'Lookyloo Capture ({cache.url})' event.info = f'Lookyloo Capture ({cache.url})'
initial_url = URLObject(cache.url) initial_url = URLObject(cache.url)
initial_url.comment = 'Submitted URL' initial_url.comment = 'Submitted URL'
initial_url.first_seen = cache.timestamp
self.__misp_add_ips_to_URLObject(initial_url, cache.tree.root_hartree.hostname_tree) self.__misp_add_ips_to_URLObject(initial_url, cache.tree.root_hartree.hostname_tree)
initial_obj = event.add_object(initial_url) initial_obj = event.add_object(initial_url)
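Review bot: The new `initial_url.first_seen = cache.timestamp` line is immediately followed by the `__misp_add_ips_to_URLObject` call, and this commit's last hunk makes that helper assign `obj.first_seen` from the matched host node's first URL whenever the hostname is found in the tree, so the capture timestamp set here is silently replaced in the common case. If the capture timestamp is meant to win for the submitted URL, the helper should only fill `first_seen` when the caller has not set it; if the URL's own start time is the intended value, a one-line comment here such as `# refined to the URL's own start_time by __misp_add_ips_to_URLObject when the host is in the tree` would tell the next reader the overwrite is deliberate. The enclosing method starts before this hunk.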
@ -132,6 +135,7 @@ class MISPs(Mapping, AbstractModule): # type: ignore[type-arg]
fo = FileObject(pseudofile=cache.tree.root_hartree.rendered_node.body, filename=cache.tree.root_hartree.rendered_node.filename) fo = FileObject(pseudofile=cache.tree.root_hartree.rendered_node.body, filename=cache.tree.root_hartree.rendered_node.filename)
fo.comment = 'Content received for the final redirect (before rendering)' fo.comment = 'Content received for the final redirect (before rendering)'
fo.add_reference(final_redirect, 'loaded-by', 'URL loading that content') fo.add_reference(final_redirect, 'loaded-by', 'URL loading that content')
fo.first_seen = cache.tree.root_hartree.rendered_node.start_time
event.add_object(fo) event.add_object(fo)
except Har2TreeError: except Har2TreeError:
pass pass
@ -143,9 +147,14 @@ class MISPs(Mapping, AbstractModule): # type: ignore[type-arg]
def __misp_add_ips_to_URLObject(self, obj: URLObject, hostname_tree: HostNode) -> None: def __misp_add_ips_to_URLObject(self, obj: URLObject, hostname_tree: HostNode) -> None:
hosts = obj.get_attributes_by_relation('host') hosts = obj.get_attributes_by_relation('host')
if hosts: if hosts:
hostnodes = hostname_tree.search_nodes(name=hosts[0].value) if hostnodes := hostname_tree.search_nodes(name=hosts[0].value):
if hostnodes and hasattr(hostnodes[0], 'resolved_ips'): first_host = hostnodes[0]
obj.add_attributes('ip', *hostnodes[0].resolved_ips) obj.first_seen = first_host.urls[0].start_time
if hasattr(first_host, 'resolved_ips'):
if 'v4' in hostnodes[0].resolved_ips:
obj.add_attributes('ip', *first_host.resolved_ips['v4'])
if 'v6' in hostnodes[0].resolved_ips:
obj.add_attributes('ip', *first_host.resolved_ips['v6'])
class MISP(AbstractModule): class MISP(AbstractModule):
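Review bot: `obj.first_seen = first_host.urls[0].start_time` indexes `first_host.urls` unconditionally, so a host node whose URL list is empty would raise IndexError out of the MISP export where the old code only had the `hasattr` guard; unless har2tree guarantees every HostNode carries at least one URLNode, guard it with `if first_host.urls:` / `    obj.first_seen = first_host.urls[0].start_time`. Taking `urls[0]` also assumes the list is ordered by start time, which the hunk does not show; `min(u.start_time for u in first_host.urls)` would not depend on that ordering. The two `in` checks still read `hostnodes[0].resolved_ips` while the neighbouring lines use the new `first_host` alias; `if 'v4' in first_host.resolved_ips:` and `if 'v6' in first_host.resolved_ips:` keep the method consistent.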