mirror of https://github.com/MISP/MISP
Merge branch '2.4' of github.com:MISP/MISP into 2.4
commit
0a9fc52108
2
PyMISP
2
PyMISP
|
@ -1 +1 @@
|
|||
Subproject commit 5d16c97178453f2624ad0ffdccb06b16578401af
|
||||
Subproject commit 8b8459ce5322a205454d87f0cf95ff042c9eb53a
|
|
@ -55,7 +55,7 @@ class IOCExportTool
|
|||
{
|
||||
$temp = '';
|
||||
// We will start adding all the components that will be in the xml file here
|
||||
$date = date("Y-m-d\Th:i:s");
|
||||
$date = date("Y-m-d\TH:i:s");
|
||||
$temp .= '<?xml version="1.0" encoding="utf-8"?>' . PHP_EOL;
|
||||
$temp .= '<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="' . CakeText::uuid() . '" last-modified="' . $date . '" xmlns="http://schemas.mandiant.com/2010/ioc">' . PHP_EOL;
|
||||
$temp .= ' <short_description>Filtered indicator list</short_description>' . PHP_EOL;
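Review bot: The corrected `last-modified` stamp on the `$date = date("Y-m-d\TH:i:s");` line still carries no timezone designator and is rendered in the server's default timezone, so two instances exporting the same event can emit different values for the same instant. `$date = gmdate("Y-m-d\TH:i:s");` would pin the export to UTC, which is how a `T`-separated ISO-style stamp without a zone is usually read by consumers. The enclosing method's signature sits above the hunk, so I cannot see whether a timezone is set elsewhere in it.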
|
||||
|
|
|
@ -144,6 +144,7 @@ class Attribute extends AppModel
|
|||
'regkey|value' => array('desc' => "Registry value + data separated by |", 'default_category' => 'Persistence mechanism', 'to_ids' => 1),
|
||||
'AS' => array('desc' => 'Autonomous system', 'default_category' => 'Network activity', 'to_ids' => 0),
|
||||
'snort' => array('desc' => 'An IDS rule in Snort rule-format', 'formdesc' => "An IDS rule in Snort rule-format. This rule will be automatically rewritten in the NIDS exports.", 'default_category' => 'Network activity', 'to_ids' => 1),
|
||||
'bro' => array('desc' => 'An NIDS rule in the Bro rule-format', 'formdesc' => "An NIDS rule in the Bro rule-format.", 'default_category' => 'Network activity', 'to_ids' => 1),
|
||||
'pattern-in-file' => array('desc' => 'Pattern in file that identifies the malware', 'default_category' => 'Payload installation', 'to_ids' => 1),
|
||||
'pattern-in-traffic' => array('desc' => 'Pattern in network traffic that identifies the malware', 'default_category' => 'Network activity', 'to_ids' => 1),
|
||||
'pattern-in-memory' => array('desc' => 'Pattern in memory dump that identifies the malware', 'default_category' => 'Payload installation', 'to_ids' => 1),
|
||||
|
@ -318,7 +319,7 @@ class Attribute extends AppModel
|
|||
),
|
||||
'Network activity' => array(
|
||||
'desc' => 'Information about network traffic generated by the malware',
|
||||
'types' => array('ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'port', 'hostname', 'domain', 'domain|ip', 'mac-address', 'mac-eui-64', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'stix2-pattern', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'x509-fingerprint-sha1', 'other', 'hex', 'cookie', 'hostname|port')
|
||||
'types' => array('ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'port', 'hostname', 'domain', 'domain|ip', 'mac-address', 'mac-eui-64', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'stix2-pattern', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'x509-fingerprint-sha1', 'other', 'hex', 'cookie', 'hostname|port', 'bro')
|
||||
),
|
||||
'Payload type' => array(
|
||||
'desc' => 'Information about the final payload(s)',
|
||||
|
@ -332,7 +333,7 @@ class Attribute extends AppModel
|
|||
'External analysis' => array(
|
||||
'desc' => 'Any other result from additional analysis of the malware like tools output',
|
||||
'formdesc' => 'Any other result from additional analysis of the malware like tools output Examples: pdf-parser output, automated sandbox analysis, reverse engineering report.',
|
||||
'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'mac-address', 'mac-eui-64', 'hostname', 'domain', 'domain|ip', 'url', 'user-agent', 'regkey', 'regkey|value', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'github-repository', 'other', 'cortex')
|
||||
'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'mac-address', 'mac-eui-64', 'hostname', 'domain', 'domain|ip', 'url', 'user-agent', 'regkey', 'regkey|value', 'AS', 'snort', 'bro','pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'github-repository', 'other', 'cortex')
|
||||
),
|
||||
'Financial fraud' => array(
|
||||
'desc' => 'Financial Fraud indicators',
|
||||
|
@ -403,7 +404,7 @@ class Attribute extends AppModel
|
|||
// This helps generate quick filtering for the event view, but we may reuse this and enhance it in the future for other uses (such as the API?)
|
||||
public $typeGroupings = array(
|
||||
'file' => array('attachment', 'pattern-in-file', 'md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy','authentihash', 'pehash', 'tlsh', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|pehash', 'malware-sample', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256', 'x509-fingerprint-md5'),
|
||||
'network' => array('ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port', 'mac-address', 'mac-eui-64', 'hostname', 'hostname|port', 'domain', 'domain|ip', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-traffic', 'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256'),
|
||||
'network' => array('ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port', 'mac-address', 'mac-eui-64', 'hostname', 'hostname|port', 'domain', 'domain|ip', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'bro','pattern-in-traffic', 'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256'),
|
||||
'financial' => array('btc', 'xmr', 'iban', 'bic', 'bank-account-nr', 'aba-rtn', 'bin', 'cc-number', 'prtn', 'phone-number')
|
||||
);
|
||||
|
||||
|
@ -1123,6 +1124,7 @@ class Attribute extends AppModel
|
|||
case 'mutex':
|
||||
case 'AS':
|
||||
case 'snort':
|
||||
case 'bro' :
|
||||
case 'pattern-in-file':
|
||||
case 'pattern-in-traffic':
|
||||
case 'pattern-in-memory':
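Review bot: `case 'bro' :` in the validation switch has a stray space before the colon, unlike the neighbouring `case 'snort':`, and the same spacing slip appears in the category list (`'snort', 'bro','pattern-in-file'`) and in `$typeGroupings` (`'snort', 'bro','pattern-in-traffic'`); `case 'bro':`, `'snort', 'bro', 'pattern-in-file'` and `'snort', 'bro', 'pattern-in-traffic'` match the surrounding style. The body of the switch branch that `bro` now falls through to is outside the hunk, so I cannot confirm it validates Bro syntax rather than applying Snort-specific checks; worth a look, since `snort` is flagged as rewritten in the NIDS exports while the new `bro` entry says nothing about export handling.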
|
||||
|
|
|
@ -170,7 +170,7 @@
|
|||
<dd><?php echo h($attribute_count);?></dd>
|
||||
<dt><?php echo __('Last change');?></dt>
|
||||
<dd>
|
||||
<?php echo date('Y/m/d h:i:s', $event['Event']['timestamp']);; ?>
|
||||
<?php echo date('Y-m-d H:i:s', $event['Event']['timestamp']);; ?>
|
||||
|
||||
</dd>
|
||||
<dt><?php echo __('Extends');?></dt>
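Review bot: The new `<?php echo date('Y-m-d H:i:s', $event['Event']['timestamp']);; ?>` line keeps the doubled semicolon from the line it replaces; `<?php echo date('Y-m-d H:i:s', $event['Event']['timestamp']); ?>` is the intended form. The value is still formatted in the server's default timezone with no zone shown, so the "Last change" time a remote analyst sees depends on where the instance runs; that is pre-existing and beyond this hunk, but a UTC suffix would make the field unambiguous.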
|
||||
|
|
|
@ -1 +1 @@
|
|||
Subproject commit 3036ec875c3f82d2284dff8b858d2d6474f8a175
|
||||
Subproject commit e90b1ce4575c122d410f143d5205771614004d9f
|
|
@ -546,16 +546,10 @@ class StixBuilder(object):
|
|||
regkey, value = attribute.value.split('|')
|
||||
else:
|
||||
regkey = attribute.value
|
||||
reghive, regkey = self.resolve_reg_hive(regkey)
|
||||
reg_object = WinRegistryKey()
|
||||
reg_object.key = regkey
|
||||
reg_object.key.condition = "Equals"
|
||||
if reghive:
|
||||
reg_object.hive = reghive
|
||||
reg_object.hive.condition = "Equals"
|
||||
reg_object = self.create_regkey_object(regkey)
|
||||
if value:
|
||||
reg_value_object = RegistryValue()
|
||||
reg_value_object.data = value
|
||||
reg_value_object.data = value.strip()
|
||||
reg_value_object.data.condition = "Equals"
|
||||
reg_object.values = RegistryValues(reg_value_object)
|
||||
reg_object.parent.id_ = "{}:WinRegistryKeyObject-{}".format(self.namespace_prefix, attribute.uuid)
|
||||
|
@ -921,16 +915,9 @@ class StixBuilder(object):
|
|||
|
||||
def parse_regkey_object(self, misp_object):
|
||||
to_ids, attributes_dict = self.create_attributes_dict(misp_object.attributes)
|
||||
reg_object = WinRegistryKey()
|
||||
registry_values = False
|
||||
reg_value_object = RegistryValue()
|
||||
if 'key' in attributes_dict:
|
||||
reghive, regkey = self.resolve_reg_hive(attributes_dict['key'])
|
||||
reg_object.key = regkey
|
||||
reg_object.key.condition = "Equals"
|
||||
if reghive:
|
||||
reg_object.hive = reghive
|
||||
reg_object.hive.condition = "Equals"
|
||||
reg_object = self.create_regkey_object(attributes_dict['key']) if 'key' in attributes_dict else WinRegistryKey()
|
||||
if 'last-modified' in attributes_dict:
|
||||
reg_object.modified_time = attributes_dict['last-modified']
|
||||
reg_object.modified_time.condition = "Equals"
|
||||
|
@ -939,7 +926,7 @@ class StixBuilder(object):
|
|||
reg_value_object.name.condition = "Equals"
|
||||
registry_values = True
|
||||
if 'data' in attributes_dict:
|
||||
reg_value_object.data = attributes_dict['data']
|
||||
reg_value_object.data = attributes_dict['data'].strip()
|
||||
reg_value_object.data.condition = "Equals"
|
||||
registry_values = True
|
||||
if 'data-type' in attributes_dict:
|
||||
|
@ -1393,6 +1380,16 @@ class StixBuilder(object):
|
|||
port_observable.id_ = "{}:{}Port-{}".format(self.namespace_prefix, port_type, uuid)
|
||||
return port_observable
|
||||
|
||||
def create_regkey_object(self, regkey):
|
||||
reghive, regkey = self.resolve_reg_hive(regkey)
|
||||
reg_object = WinRegistryKey()
|
||||
reg_object.key = regkey.strip()
|
||||
reg_object.key.condition = "Equals"
|
||||
if reghive:
|
||||
reg_object.hive = reghive.strip()
|
||||
reg_object.hive.condition = "Equals"
|
||||
return reg_object
|
||||
|
||||
def create_socket_address_object(self, sao_type, **kwargs):
|
||||
socket_address_object = SocketAddress()
|
||||
ip_type, port_type, hostname_type = [arg.format(sao_type) for arg in ('ip-{}', '{}-port', 'hostname-{}')]
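Review bot: `create_regkey_object` strips whitespace only after `resolve_reg_hive` has already split the raw string, so a leading space on the value (the `attribute.value.split('|')` in the first hunk can leave one) reaches the hive matching untrimmed; `reghive, regkey = self.resolve_reg_hive(regkey.strip())` would normalise first, assuming `resolve_reg_hive` matches on the string's prefix (its body is not in the diff). The new helper has no docstring; a one-liner such as `"""Build a WinRegistryKey from a raw MISP regkey value, splitting off the hive when one is recognised."""` would document the contract both call sites (the regkey attribute branch and `parse_regkey_object`) now rely on. The surrounding methods start and end outside the hunks.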
|
||||
|
|
|
@ -607,6 +607,13 @@ class StixParser():
|
|||
values = properties.values
|
||||
value = values[0]
|
||||
attributes += self.fetch_attributes_with_partial_key_parsing(value, stix2misp_mapping._regkey_value_mapping)
|
||||
if len(attributes) in (2,3):
|
||||
d_regkey = {key: value for (_, value, key) in attributes}
|
||||
if 'hive' in d_regkey and 'key' in d_regkey:
|
||||
regkey = "{}\\{}".format(d_regkey['hive'], d_regkey['key'])
|
||||
if 'data' in d_regkey:
|
||||
return "regkey|value", "{} | {}".format(regkey, d_regkey['data']), ""
|
||||
return "regkey", regkey, ""
|
||||
return "registry-key", self.return_attributes(attributes), ""
|
||||
|
||||
@staticmethod
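Review bot: The composite built at `return "regkey|value", "{} | {}".format(regkey, d_regkey['data'])` is ambiguous when the STIX data field itself contains `|`: the builder in this same commit splits such attributes with `attribute.value.split('|')`, which raises ValueError on more than one separator, so an imported document with a `|` in the value data would presumably break a later export. Since the data comes from an external STIX file, guard the composite with `if 'data' in d_regkey and '|' not in d_regkey['data']:` and let the remaining cases fall through to the existing `registry-key` object return. `(2,3)` reads better as `(2, 3)`. The enclosing method starts outside the hunk.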
|
||||
|
|