chg: in MISP? as transform to all Entities

This replaces the machine and the gazillion of transforms.
pull/15/head
Christophe Vandeplas 2019-02-08 22:41:33 +01:00
parent cb485d63d4
commit 7b6796cda2
4 changed files with 45 additions and 181 deletions


@ -1,24 +0,0 @@
machine("misp.inMISP",
displayName:"in MISP?",
author:"Christophe Vandeplas",
description: "Bookmarks in GREEN data that is in MISP") {
start {
paths {
run("MISP_maltego.AliasInMISP")
run("MISP_maltego.ASInMISP")
run("MISP_maltego.CompanyInMISP")
run("MISP_maltego.DNSNameInMISP")
run("MISP_maltego.DomainInMISP")
run("MISP_maltego.EmailAddressInMISP")
run("MISP_maltego.FileInMISP")
run("MISP_maltego.HashInMISP")
run("MISP_maltego.HashtagInMISP")
run("MISP_maltego.IPv4AddressInMISP")
run("MISP_maltego.NSRecordInMISP")
run("MISP_maltego.PhoneNumberInMISP")
run("MISP_maltego.TwitterInMISP")
run("MISP_maltego.URLInMISP")
run("MISP_maltego.WebsiteInMISP")
}
}
}


@ -2,7 +2,8 @@ from canari.maltego.entities import Hash, Domain, IPv4Address, URL, DNSName, AS,
from canari.maltego.transform import Transform
from canari.maltego.message import Bookmark
# from canari.framework import EnableDebugWindow
from MISP_maltego.transforms.common.util import get_misp_connection, event_to_entity
from MISP_maltego.transforms.common.util import get_misp_connection, event_to_entity, get_attribute_in_event, attribute_to_entity
from MISP_maltego.transforms.common.entities import Unknown
__author__ = 'Christophe Vandeplas'
__copyright__ = 'Copyright 2018, MISP_maltego Project'
@ -17,9 +18,9 @@ __status__ = 'Development'
# @EnableDebugWindow
class AttributeInMISP(Transform):
"""This method puts a green bookmark on each of the Entities that are present in the MISP database"""
"""Green bookmark if known in MISP"""
display_name = 'in MISP?'
input_type = None
input_type = Unknown
def do_transform(self, request, response, config):
maltego_misp_attribute = request.entity
@ -29,16 +30,21 @@ class AttributeInMISP(Transform):
for e in events_json['response']:
in_misp = True
break
# find the object again, and bookmark it green
# we need to do really rebuild the Entity from scratch as request.entity is of type Unknown
if in_misp:
request.entity.bookmark = Bookmark.Green
response += request.entity
for e in events_json['response']:
attr = get_attribute_in_event(e, maltego_misp_attribute.value)
if attr:
for item in attribute_to_entity(attr, only_self=True):
response += item
return response
# @EnableDebugWindow
class AttributeToEvent(Transform):
# The transform input entity type.
input_type = None
display_name = 'to MISP Event'
input_type = Unknown
def do_transform(self, request, response, config):
maltego_misp_attribute = request.entity
@ -48,152 +54,17 @@ class AttributeToEvent(Transform):
for e in events_json['response']:
in_misp = True
response += event_to_entity(e)
# find the object again, and bookmark it green
# we need to do really rebuild the Entity from scratch as request.entity is of type Unknown
if in_misp:
request.entity.bookmark = Bookmark.Green
response += request.entity
for e in events_json['response']:
attr = get_attribute_in_event(e, maltego_misp_attribute.value)
if attr:
for item in attribute_to_entity(attr, only_self=True):
response += item
return response
def on_terminate(self):
"""This method gets called when transform execution is prematurely terminated. It is only applicable for local
transforms. It can be excluded if you don't need it."""
pass
class HashToEvent(AttributeToEvent):
input_type = Hash
class DomainToEvent(AttributeToEvent):
input_type = Domain
class IPv4AddressToEvent(AttributeToEvent):
display_name = 'IPv4Address To Event'
input_type = IPv4Address
class URLToEvent(AttributeToEvent):
display_name = 'URL To Event'
input_type = URL
class DNSNameToEvent(AttributeToEvent):
display_name = 'DNSName To Event'
input_type = DNSName
class ASToEvent(AttributeToEvent):
display_name = 'AS To Event'
input_type = AS
class WebsiteToEvent(AttributeToEvent):
input_type = Website
class NSRecordToEvent(AttributeToEvent):
display_name = 'NSRecord To Event'
input_type = NSRecord
class PhoneNumberToEvent(AttributeToEvent):
input_type = PhoneNumber
class EmailAddressToEvent(AttributeToEvent):
input_type = EmailAddress
class FileToEvent(AttributeToEvent):
input_type = File
class HashtagToEvent(AttributeToEvent):
input_type = Hashtag
class AliasToEvent(AttributeToEvent):
input_type = Alias
class TwitterToEvent(AttributeToEvent):
input_type = Twitter
class CompanyToEvent(AttributeToEvent):
input_type = Company
class HashInMISP(AttributeInMISP):
display_name = 'Hash in MISP?'
input_type = Hash
class DomainInMISP(AttributeInMISP):
display_name = 'Domain in MISP?'
input_type = Domain
class IPv4AddressInMISP(AttributeInMISP):
display_name = 'IPv4Address in MISP?'
input_type = IPv4Address
class URLInMISP(AttributeInMISP):
display_name = 'URL in MISP?'
input_type = URL
class DNSNameInMISP(AttributeInMISP):
display_name = 'DNSName in MISP?'
input_type = DNSName
class ASInMISP(AttributeInMISP):
display_name = 'AS in MISP?'
input_type = AS
class WebsiteInMISP(AttributeInMISP):
display_name = 'Website in MISP?'
input_type = Website
class NSRecordInMISP(AttributeInMISP):
display_name = 'NSRecord in MISP?'
input_type = NSRecord
class PhoneNumberInMISP(AttributeInMISP):
display_name = 'PhoneNumber in MISP?'
input_type = PhoneNumber
class EmailAddressInMISP(AttributeInMISP):
display_name = 'EmailAddress in MISP?'
input_type = EmailAddress
class FileInMISP(AttributeInMISP):
display_name = 'File in MISP?'
input_type = File
class HashtagInMISP(AttributeInMISP):
display_name = 'Hashtag in MISP?'
input_type = Hashtag
class AliasInMISP(AttributeInMISP):
display_name = 'Alias in MISP?'
input_type = Alias
class TwitterInMISP(AttributeInMISP):
display_name = 'Twitter in MISP?'
input_type = Twitter
class CompanyInMISP(AttributeInMISP):
display_name = 'Company in MISP?'
input_type = Company
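Review bot: The rebuild loop added to AttributeInMISP.do_transform (`for e in events_json['response']: attr = get_attribute_in_event(e, maltego_misp_attribute.value)`) emits one rebuilt entity per event containing the value, so an attribute that sits in several events is returned several times; the same loop is repeated in the AttributeToEvent hunk. A `break` after the first hit keeps it to one bookmarked entity: `if attr:` / `for item in attribute_to_entity(attr, only_self=True): response += item` / `break`. The `in_misp = True` / `break` lines kept as context above it appear to no longer influence the output once the `if in_misp` block is gone — if so they are dead and can be dropped in both transforms. The search call in the middle of do_transform falls between the hunks, so I cannot see whether events_json is guaranteed to carry a 'response' key.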


@ -13,10 +13,16 @@ __status__ = 'Development'
__all__ = [
'MISPEvent',
'MISPObject',
'MISPGalaxy'
'MISPGalaxy',
'Unknown'
]
class Unknown(Entity):
_category_ = 'Unknown'
_namespace_ = 'maltego'
class MISPEvent(Entity):
_category_ = 'MISP'
_namespace_ = 'misp'
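Review bot: The new Unknown entity carries no comment saying why the project defines its own class under `_namespace_ = 'maltego'` instead of importing `canari.maltego.entities.Unknown`, which the old util.py import in this commit shows exists; the next reader will assume one of the two is a mistake. A one-line docstring such as `"""Catch-all input type so the 'in MISP?' / 'to MISP Event' transforms accept any Maltego entity."""` plus a sentence on why the canari class was not reused would settle it. Whether both classes resolve to the same Maltego type cannot be checked from this hunk.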


@ -1,5 +1,5 @@
from canari.maltego.entities import Unknown, Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Person, Hashtag, Location, Company, Alias, Port, Twitter
from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject, MISPGalaxy
from canari.maltego.entities import Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Person, Hashtag, Location, Company, Alias, Port, Twitter
from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject, MISPGalaxy, Unknown
from canari.maltego.message import UIMessageType, UIMessage, Label, LinkStyle, MaltegoException, Bookmark
from pymisp import PyMISP
import json
@ -128,12 +128,12 @@ def get_misp_connection(config=None):
def entity_obj_to_entity(entity_obj, v, t, **kwargs):
if entity_obj == Hash:
return entity_obj(v, _type=t, bookmark=Bookmark.Green, **kwargs) # LATER type is conflicting with type of Entity, Report this as bug see line 326 /usr/local/lib/python3.5/dist-packages/canari/maltego/entities.py
return entity_obj(v, _type=t, **kwargs) # LATER type is conflicting with type of Entity, Report this as bug see line 326 /usr/local/lib/python3.5/dist-packages/canari/maltego/entities.py
return entity_obj(v, bookmark=Bookmark.Green, **kwargs)
return entity_obj(v, **kwargs)
def attribute_to_entity(a, link_label=None, event_tags=None):
def attribute_to_entity(a, link_label=None, event_tags=None, only_self=False):
# prepare some attributes to a better form
a['data'] = None # empty the file content as we really don't need this here
if a['type'] == 'malware-sample':
@ -142,13 +142,13 @@ def attribute_to_entity(a, link_label=None, event_tags=None):
a['type'] = 'regkey'
combined_tags = event_tags
if 'Galaxy' in a:
if 'Galaxy' in a and not only_self:
for g in a['Galaxy']:
for c in g['GalaxyCluster']:
yield galaxycluster_to_entity(c)
# TODO today the tag is attached to the event, not the attribute, this is something we want to fix soon.
if 'Tag' in a:
if 'Tag' in a and not only_self:
for t in a['Tag']:
combined_tags.append(t['name'])
# ignore all misp-galaxies
@ -302,6 +302,17 @@ def get_attribute_in_object(o, attribute_type, drop=False):
return found_attribute
def get_attribute_in_event(e, attribute_value):
for a in e['Event']["Attribute"]:
if a['value'] == attribute_value:
return a
for o in e['Event']['Object']:
for a in o['Attribute']:
if a['value'] == attribute_value:
return a
return None
def convert_tags_to_note(tags):
if not tags:
return None
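Review bot: get_attribute_in_event indexes `e['Event']["Attribute"]` and `e['Event']['Object']` unconditionally, so an event whose JSON has no 'Object' (or no 'Attribute') list raises KeyError out of the transform instead of just not matching; `.get(..., [])` on both is the safer form: `for a in e['Event'].get('Attribute', []):` and `for o in e['Event'].get('Object', []):`. The helper also returns only the first exact value match, which — if I read the callers' intent right — will miss composite attributes such as `domain|ip` whose value contains the searched string without equalling it; the docstring should at least state that matching is exact and first-hit. In the entity_obj_to_entity hunk the `bookmark=Bookmark.Green` default is dropped; presumably the callers now pass the bookmark themselves, but that is not visible here.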