From 3e6eb7e3de36c1b8651464a01b9be3c3300dd383 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Tue, 30 Apr 2019 21:41:12 +0200 Subject: [PATCH] new: [transform] added separate Event to * transforms and a massive cleanup in the code --- setup.py | 2 +- .../transforms/eventtoattributes.py | 177 +++++++++++------- 2 files changed, 114 insertions(+), 65 deletions(-) diff --git a/setup.py b/setup.py index f50357b..7a4b3e0 100755 --- a/setup.py +++ b/setup.py @@ -5,7 +5,7 @@ from setuptools import setup, find_packages setup( name='MISP_maltego', author='Christophe Vandeplas', - version='1.1', + version='1.3', author_email='christophe@vandeplas.com', maintainer='Christophe Vandeplas', url='https://github.com/MISP/MISP-maltego', diff --git a/src/MISP_maltego/transforms/eventtoattributes.py b/src/MISP_maltego/transforms/eventtoattributes.py index 4b964fc..4828276 100644 --- a/src/MISP_maltego/transforms/eventtoattributes.py +++ b/src/MISP_maltego/transforms/eventtoattributes.py 
@@ -17,91 +17,141 @@ __email__ = 'christophe@vandeplas.com' __status__ = 'Development' -# @EnableDebugWindow -class EventToTags(Transform): - """"Expands an object to its attributes""" - input_type = MISPEvent - description = 'Expands an Event with tags' +class EventToTransform(Transform): + input_type = None + """Generic EventTo class containing multiple reusable functions for the subclasses.""" + + def __init__(self): + self.request = None + self.response = None + self.config = None + self.misp = None + self.event_json = None + self.event_tags = None def do_transform(self, request, response, config): + self.request = request + self.response = response + self.config = config maltego_misp_event = request.entity - misp = get_misp_connection(config) - event_json = misp.get_event(maltego_misp_event.id) - event_tags = [] + self.misp = get_misp_connection(config) + self.event_json = self.misp.get_event(maltego_misp_event.id) # FIXME get it without attachments # FIXME use search + includeAttachments:0, eventid: as request body + if not self.event_json.get('Event'): + return False - if 'Tag' in event_json['Event']: - for t in event_json['Event']['Tag']: - event_tags.append(t['name']) + self.response += event_to_entity(self.event_json) + return True + + def gen_response_tags(self, gen_response=True): + self.event_tags = [] + if 'Tag' in self.event_json['Event']: + for t in self.event_json['Event']['Tag']: + self.event_tags.append(t['name']) # ignore all misp-galaxies if t['name'].startswith('misp-galaxy'): continue # ignore all those we add as notes if tag_matches_note_prefix(t['name']): continue - response += Hashtag(t['name']) - for g in event_json['Event']['Galaxy']: + if gen_response: + self.response += Hashtag(t['name']) + + def gen_response_galaxies(self): + for g in self.event_json['Event']['Galaxy']: for c in g['GalaxyCluster']: - response += galaxycluster_to_entity(c) - return response + self.response += galaxycluster_to_entity(c) - -# @EnableDebugWindow -class 
EventToAttributes(Transform): - """Expands an event to attributes, objects, tags and galaxies.""" - - # The transform input entity type. - input_type = MISPEvent - description = 'Expands an Event to Attributes, Tags, Galaxies' - - def do_transform(self, request, response, config): - maltego_misp_event = request.entity - misp = get_misp_connection(config) - event_json = misp.get_event(maltego_misp_event.id) # FIXME get it without attachments # FIXME use search + includeAttachments:0, eventid: as request body - if not event_json.get('Event'): - return response - - response += event_to_entity(event_json) - event_tags = [] - if 'Tag' in event_json['Event']: - for t in event_json['Event']['Tag']: - event_tags.append(t['name']) - # ignore all misp-galaxies - if t['name'].startswith('misp-galaxy'): - continue - # ignore all those we add as notes - if tag_matches_note_prefix(t['name']): - continue - response += Hashtag(t['name']) - for g in event_json['Event']['Galaxy']: - for c in g['GalaxyCluster']: - response += galaxycluster_to_entity(c) - - for a in event_json['Event']["Attribute"]: - for entity in attribute_to_entity(a, event_tags=event_tags): + def gen_response_attributes(self): + if not self.event_tags: + self.gen_response_tags(gen_response=False) + for a in self.event_json['Event']["Attribute"]: + for entity in attribute_to_entity(a, event_tags=self.event_tags): if entity: - response += entity + self.response += entity - for o in event_json['Event']['Object']: - response += object_to_entity(o) - return response + def gen_response_objects(self): + for o in self.event_json['Event']['Object']: + self.response += object_to_entity(o) + + def gen_response_relations(self): + for e in self.event_json['Event']['RelatedEvent']: + self.response += event_to_entity(e, link_style=LinkStyle.DashDot) # @EnableDebugWindow -class EventToRelations(Transform): +class EventToAll(EventToTransform): + input_type = MISPEvent + description = 'Expands an Event to Attributes, Objects, Tags, 
Galaxies' + + def do_transform(self, request, response, config): + if super().do_transform(request, response, config): + self.gen_response_tags() + self.gen_response_galaxies() + self.gen_response_attributes() + self.gen_response_objects() + + return self.response + + +# @EnableDebugWindow +class EventToAttributes(EventToTransform): + input_type = MISPEvent + description = 'Expands an Event to Attributes' + + def do_transform(self, request, response, config): + if super().do_transform(request, response, config): + self.gen_response_attributes() + + return self.response + + +# @EnableDebugWindow +class EventToTags(EventToTransform): + input_type = MISPEvent + description = 'Expands an Event to Tags and Galaxies' + + def do_transform(self, request, response, config): + if super().do_transform(request, response, config): + self.gen_response_tags() + self.gen_response_galaxies() + + return self.response + + +# @EnableDebugWindow +class EventToGalaxies(EventToTransform): + input_type = MISPEvent + description = 'Expands an Event to Galaxies' + + def do_transform(self, request, response, config): + if super().do_transform(request, response, config): + self.gen_response_galaxies() + + return self.response + + +# @EnableDebugWindow +class EventToObjects(EventToTransform): + input_type = MISPEvent + description = 'Expands an Event to Objects' + + def do_transform(self, request, response, config): + if super().do_transform(request, response, config): + self.gen_response_objects() + + return self.response + + +# @EnableDebugWindow +class EventToRelations(EventToTransform): input_type = MISPEvent description = 'Expands an Event to related Events' def do_transform(self, request, response, config): - maltego_misp_event = request.entity - misp = get_misp_connection(config) - event_json = misp.get_event(maltego_misp_event.id) # FIXME get it without attachments # FIXME use search + includeAttachments:0, eventid: as request body - if not event_json.get('Event'): - return response + 
if super().do_transform(request, response, config): + self.gen_response_relations() - response += event_to_entity(event_json) - for e in event_json['Event']['RelatedEvent']: - response += event_to_entity(e, link_style=LinkStyle.DashDot) - return response + return self.response # @EnableDebugWindow @@ -121,4 +171,3 @@ class ObjectToAttributes(Transform): response += entity return response -
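Review bot: `EventToTransform.do_transform` resets `self.request`, `self.response`, `self.config`, `self.misp` and `self.event_json` on every call but never resets `self.event_tags`, and `gen_response_attributes` only recomputes the tag list when `self.event_tags` is falsy; if the framework reuses a transform instance across invocations (I cannot confirm that from the hunk), the tags of a previously expanded event would be attached to the attributes of the next one, and an event with no tags (`[]`) triggers a redundant recomputation in `EventToAll` after `gen_response_tags()` already ran. Add `self.event_tags = None` next to the other assignments at the top of the base `do_transform`, and make the guard explicit: `if self.event_tags is None:`. The string `"""Generic EventTo class …"""` sits after `input_type = None`, so it is a bare expression rather than the class docstring; move it to the line directly under `class EventToTransform(Transform):`. The new `__init__` also does not call `super().__init__()`; whether `Transform` relies on its own initialiser is not visible here, so that is worth checking against the base class.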