chg: in MISP? as transform to all Entities

this replaces the machine and the gazillion of per-type transforms
pull/15/head
Christophe Vandeplas 2019-02-08 22:41:33 +01:00
parent cb485d63d4
commit 7b6796cda2
4 changed files with 45 additions and 181 deletions


@ -1,24 +0,0 @@
machine("misp.inMISP",
displayName:"in MISP?",
author:"Christophe Vandeplas",
description: "Bookmarks in GREEN data that is in MISP") {
start {
paths {
run("MISP_maltego.AliasInMISP")
run("MISP_maltego.ASInMISP")
run("MISP_maltego.CompanyInMISP")
run("MISP_maltego.DNSNameInMISP")
run("MISP_maltego.DomainInMISP")
run("MISP_maltego.EmailAddressInMISP")
run("MISP_maltego.FileInMISP")
run("MISP_maltego.HashInMISP")
run("MISP_maltego.HashtagInMISP")
run("MISP_maltego.IPv4AddressInMISP")
run("MISP_maltego.NSRecordInMISP")
run("MISP_maltego.PhoneNumberInMISP")
run("MISP_maltego.TwitterInMISP")
run("MISP_maltego.URLInMISP")
run("MISP_maltego.WebsiteInMISP")
}
}
}


@ -2,7 +2,8 @@ from canari.maltego.entities import Hash, Domain, IPv4Address, URL, DNSName, AS,
from canari.maltego.transform import Transform from canari.maltego.transform import Transform
from canari.maltego.message import Bookmark from canari.maltego.message import Bookmark
# from canari.framework import EnableDebugWindow # from canari.framework import EnableDebugWindow
from MISP_maltego.transforms.common.util import get_misp_connection, event_to_entity from MISP_maltego.transforms.common.util import get_misp_connection, event_to_entity, get_attribute_in_event, attribute_to_entity
from MISP_maltego.transforms.common.entities import Unknown
__author__ = 'Christophe Vandeplas' __author__ = 'Christophe Vandeplas'
__copyright__ = 'Copyright 2018, MISP_maltego Project' __copyright__ = 'Copyright 2018, MISP_maltego Project'
@ -17,9 +18,9 @@ __status__ = 'Development'
# @EnableDebugWindow # @EnableDebugWindow
class AttributeInMISP(Transform): class AttributeInMISP(Transform):
"""This method puts a green bookmark on each of the Entities that are present in the MISP database""" """Green bookmark if known in MISP"""
display_name = 'in MISP?' display_name = 'in MISP?'
input_type = None input_type = Unknown
def do_transform(self, request, response, config): def do_transform(self, request, response, config):
maltego_misp_attribute = request.entity maltego_misp_attribute = request.entity
@ -29,16 +30,21 @@ class AttributeInMISP(Transform):
for e in events_json['response']: for e in events_json['response']:
in_misp = True in_misp = True
break break
# find the object again, and bookmark it green
# we need to do really rebuild the Entity from scratch as request.entity is of type Unknown
if in_misp: if in_misp:
request.entity.bookmark = Bookmark.Green for e in events_json['response']:
response += request.entity attr = get_attribute_in_event(e, maltego_misp_attribute.value)
if attr:
for item in attribute_to_entity(attr, only_self=True):
response += item
return response return response
# @EnableDebugWindow # @EnableDebugWindow
class AttributeToEvent(Transform): class AttributeToEvent(Transform):
# The transform input entity type. display_name = 'to MISP Event'
input_type = None input_type = Unknown
def do_transform(self, request, response, config): def do_transform(self, request, response, config):
maltego_misp_attribute = request.entity maltego_misp_attribute = request.entity
@ -48,152 +54,17 @@ class AttributeToEvent(Transform):
for e in events_json['response']: for e in events_json['response']:
in_misp = True in_misp = True
response += event_to_entity(e) response += event_to_entity(e)
# find the object again, and bookmark it green
# we need to do really rebuild the Entity from scratch as request.entity is of type Unknown
if in_misp: if in_misp:
request.entity.bookmark = Bookmark.Green for e in events_json['response']:
response += request.entity attr = get_attribute_in_event(e, maltego_misp_attribute.value)
if attr:
for item in attribute_to_entity(attr, only_self=True):
response += item
return response return response
def on_terminate(self): def on_terminate(self):
"""This method gets called when transform execution is prematurely terminated. It is only applicable for local """This method gets called when transform execution is prematurely terminated. It is only applicable for local
transforms. It can be excluded if you don't need it.""" transforms. It can be excluded if you don't need it."""
pass pass
class HashToEvent(AttributeToEvent):
input_type = Hash
class DomainToEvent(AttributeToEvent):
input_type = Domain
class IPv4AddressToEvent(AttributeToEvent):
display_name = 'IPv4Address To Event'
input_type = IPv4Address
class URLToEvent(AttributeToEvent):
display_name = 'URL To Event'
input_type = URL
class DNSNameToEvent(AttributeToEvent):
display_name = 'DNSName To Event'
input_type = DNSName
class ASToEvent(AttributeToEvent):
display_name = 'AS To Event'
input_type = AS
class WebsiteToEvent(AttributeToEvent):
input_type = Website
class NSRecordToEvent(AttributeToEvent):
display_name = 'NSRecord To Event'
input_type = NSRecord
class PhoneNumberToEvent(AttributeToEvent):
input_type = PhoneNumber
class EmailAddressToEvent(AttributeToEvent):
input_type = EmailAddress
class FileToEvent(AttributeToEvent):
input_type = File
class HashtagToEvent(AttributeToEvent):
input_type = Hashtag
class AliasToEvent(AttributeToEvent):
input_type = Alias
class TwitterToEvent(AttributeToEvent):
input_type = Twitter
class CompanyToEvent(AttributeToEvent):
input_type = Company
class HashInMISP(AttributeInMISP):
display_name = 'Hash in MISP?'
input_type = Hash
class DomainInMISP(AttributeInMISP):
display_name = 'Domain in MISP?'
input_type = Domain
class IPv4AddressInMISP(AttributeInMISP):
display_name = 'IPv4Address in MISP?'
input_type = IPv4Address
class URLInMISP(AttributeInMISP):
display_name = 'URL in MISP?'
input_type = URL
class DNSNameInMISP(AttributeInMISP):
display_name = 'DNSName in MISP?'
input_type = DNSName
class ASInMISP(AttributeInMISP):
display_name = 'AS in MISP?'
input_type = AS
class WebsiteInMISP(AttributeInMISP):
display_name = 'Website in MISP?'
input_type = Website
class NSRecordInMISP(AttributeInMISP):
display_name = 'NSRecord in MISP?'
input_type = NSRecord
class PhoneNumberInMISP(AttributeInMISP):
display_name = 'PhoneNumber in MISP?'
input_type = PhoneNumber
class EmailAddressInMISP(AttributeInMISP):
display_name = 'EmailAddress in MISP?'
input_type = EmailAddress
class FileInMISP(AttributeInMISP):
display_name = 'File in MISP?'
input_type = File
class HashtagInMISP(AttributeInMISP):
display_name = 'Hashtag in MISP?'
input_type = Hashtag
class AliasInMISP(AttributeInMISP):
display_name = 'Alias in MISP?'
input_type = Alias
class TwitterInMISP(AttributeInMISP):
display_name = 'Twitter in MISP?'
input_type = Twitter
class CompanyInMISP(AttributeInMISP):
display_name = 'Company in MISP?'
input_type = Company
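Review bot: The docstring at the top of `AttributeInMISP` still promises a green bookmark, but nothing on the new side sets one any more: the `request.entity.bookmark = Bookmark.Green` lines are gone from both transforms, and util's `entity_obj_to_entity` drops `bookmark=Bookmark.Green` in the same commit, so unless `attribute_to_entity` bookmarks the entity somewhere outside these hunks the "in MISP?" transform no longer marks anything (and the `Bookmark` import in this file becomes unused). The five-line re-emit block is also duplicated verbatim in `AttributeInMISP.do_transform` and `AttributeToEvent.do_transform`, and because it walks every event it returns the same rebuilt entity once per event the value occurs in. Both `do_transform` bodies begin before their hunks. A shared generator that sets the bookmark (as the removed lines did on `request.entity`) and stops at the first hit addresses all three:
```python
def _matching_attribute_entities(events_json, value):
    """Yield the input rebuilt as a typed Entity (request.entity is Unknown), bookmarked green.

    Stops after the first event that holds the value, so one input yields one entity.
    """
    for e in events_json['response']:
        attr = get_attribute_in_event(e, value)
        if attr:
            for item in attribute_to_entity(attr, only_self=True):
                item.bookmark = Bookmark.Green
                yield item
            return


# … unchanged: AttributeInMISP / AttributeToEvent up to the in_misp check …
        if in_misp:
            for item in _matching_attribute_entities(events_json, maltego_misp_attribute.value):
                response += item
        return response
```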


@ -13,10 +13,16 @@ __status__ = 'Development'
__all__ = [ __all__ = [
'MISPEvent', 'MISPEvent',
'MISPObject', 'MISPObject',
'MISPGalaxy' 'MISPGalaxy',
'Unknown'
] ]
class Unknown(Entity):
_category_ = 'Unknown'
_namespace_ = 'maltego'
class MISPEvent(Entity): class MISPEvent(Entity):
_category_ = 'MISP' _category_ = 'MISP'
_namespace_ = 'misp' _namespace_ = 'misp'
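Review bot: The new `Unknown` entity carries no docstring saying why it is declared here instead of importing `canari.maltego.entities.Unknown`, which util's import line is switched away from in this same commit; without that note the next maintainer will be tempted to "fix" it back. I'd add `"""Catch-all input type so a single transform is offered on every Maltego entity; declared locally rather than imported from canari."""` plus a one-line comment giving the concrete reason canari's class is not used. The `_namespace_ = 'maltego'` / `_category_ = 'Unknown'` pairing presumably resolves to Maltego's generic `maltego.Unknown` type — worth stating in the same docstring if that is the intent.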


@ -1,5 +1,5 @@
from canari.maltego.entities import Unknown, Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Person, Hashtag, Location, Company, Alias, Port, Twitter from canari.maltego.entities import Hash, Domain, IPv4Address, URL, DNSName, AS, Website, NSRecord, PhoneNumber, EmailAddress, File, Person, Hashtag, Location, Company, Alias, Port, Twitter
from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject, MISPGalaxy from MISP_maltego.transforms.common.entities import MISPEvent, MISPObject, MISPGalaxy, Unknown
from canari.maltego.message import UIMessageType, UIMessage, Label, LinkStyle, MaltegoException, Bookmark from canari.maltego.message import UIMessageType, UIMessage, Label, LinkStyle, MaltegoException, Bookmark
from pymisp import PyMISP from pymisp import PyMISP
import json import json
@ -128,12 +128,12 @@ def get_misp_connection(config=None):
def entity_obj_to_entity(entity_obj, v, t, **kwargs): def entity_obj_to_entity(entity_obj, v, t, **kwargs):
if entity_obj == Hash: if entity_obj == Hash:
return entity_obj(v, _type=t, bookmark=Bookmark.Green, **kwargs) # LATER type is conflicting with type of Entity, Report this as bug see line 326 /usr/local/lib/python3.5/dist-packages/canari/maltego/entities.py return entity_obj(v, _type=t, **kwargs) # LATER type is conflicting with type of Entity, Report this as bug see line 326 /usr/local/lib/python3.5/dist-packages/canari/maltego/entities.py
return entity_obj(v, bookmark=Bookmark.Green, **kwargs) return entity_obj(v, **kwargs)
def attribute_to_entity(a, link_label=None, event_tags=None): def attribute_to_entity(a, link_label=None, event_tags=None, only_self=False):
# prepare some attributes to a better form # prepare some attributes to a better form
a['data'] = None # empty the file content as we really don't need this here a['data'] = None # empty the file content as we really don't need this here
if a['type'] == 'malware-sample': if a['type'] == 'malware-sample':
@ -142,13 +142,13 @@ def attribute_to_entity(a, link_label=None, event_tags=None):
a['type'] = 'regkey' a['type'] = 'regkey'
combined_tags = event_tags combined_tags = event_tags
if 'Galaxy' in a: if 'Galaxy' in a and not only_self:
for g in a['Galaxy']: for g in a['Galaxy']:
for c in g['GalaxyCluster']: for c in g['GalaxyCluster']:
yield galaxycluster_to_entity(c) yield galaxycluster_to_entity(c)
# TODO today the tag is attached to the event, not the attribute, this is something we want to fix soon. # TODO today the tag is attached to the event, not the attribute, this is something we want to fix soon.
if 'Tag' in a: if 'Tag' in a and not only_self:
for t in a['Tag']: for t in a['Tag']:
combined_tags.append(t['name']) combined_tags.append(t['name'])
# ignore all misp-galaxies # ignore all misp-galaxies
@ -302,6 +302,17 @@ def get_attribute_in_object(o, attribute_type, drop=False):
return found_attribute return found_attribute
def get_attribute_in_event(e, attribute_value):
for a in e['Event']["Attribute"]:
if a['value'] == attribute_value:
return a
for o in e['Event']['Object']:
for a in o['Attribute']:
if a['value'] == attribute_value:
return a
return None
def convert_tags_to_note(tags): def convert_tags_to_note(tags):
if not tags: if not tags:
return None return None
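Review bot: `get_attribute_in_event` matches on value alone, and since the transforms now take `Unknown` as input no type check remains on the path, so any entity whose text happens to equal some attribute's value — of any attribute type — is reported as "in MISP", while composite attributes (`domain|ip`-style values) will never match a plain entity value. That may be acceptable for a bookmark, but the function should document it, e.g. `"""Return the first attribute (event-level or inside an object) whose value equals attribute_value, regardless of attribute type; None if absent."""`. The direct `e['Event']["Attribute"]`, `e['Event']['Object']` and `o['Attribute']` indexing raises KeyError if the event JSON omits any of those lists — I can't tell from here whether the MISP API guarantees them — so `for a in e['Event'].get('Attribute', []):`, `for o in e['Event'].get('Object', []):` and `for a in o.get('Attribute', []):` would be the defensive form. Separately, the new `only_self=True` callers pass no `event_tags`, so `combined_tags` is `None` inside `attribute_to_entity`; whatever follows this hunk (the function continues past it) needs to tolerate that.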