MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

Merge branch '2.4' of github.com:MISP/MISP into 2.4

pull/3608/head
iglocska 2018-08-29 09:57:03 +02:00
parent b34d99aa63 45520e2e61
commit 0a9fc52108
7 changed files with 30 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
PyMISP

@ -1 +1 @@
Subproject commit 5d16c97178453f2624ad0ffdccb06b16578401af
Subproject commit 8b8459ce5322a205454d87f0cf95ff042c9eb53a

2
app/Lib/Tools/IOCExportTool.php
View File

@ -55,7 +55,7 @@ class IOCExportTool
{
$temp = '';
// We will start adding all the components that will be in the xml file here
$date = date("Y-m-d\Th:i:s");
$date = date("Y-m-d\TH:i:s");
$temp .= '<?xml version="1.0" encoding="utf-8"?>' . PHP_EOL;
$temp .= '<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="' . CakeText::uuid() . '" last-modified="' . $date . '" xmlns="http://schemas.mandiant.com/2010/ioc">' . PHP_EOL;
$temp .= ' <short_description>Filtered indicator list</short_description>' . PHP_EOL;

8
app/Model/Attribute.php
View File

@ -144,6 +144,7 @@ class Attribute extends AppModel
'regkey|value' => array('desc' => "Registry value + data separated by |", 'default_category' => 'Persistence mechanism', 'to_ids' => 1),
'AS' => array('desc' => 'Autonomous system', 'default_category' => 'Network activity', 'to_ids' => 0),
'snort' => array('desc' => 'An IDS rule in Snort rule-format', 'formdesc' => "An IDS rule in Snort rule-format. This rule will be automatically rewritten in the NIDS exports.", 'default_category' => 'Network activity', 'to_ids' => 1),
'bro' => array('desc' => 'An NIDS rule in the Bro rule-format', 'formdesc' => "An NIDS rule in the Bro rule-format.", 'default_category' => 'Network activity', 'to_ids' => 1),
'pattern-in-file' => array('desc' => 'Pattern in file that identifies the malware', 'default_category' => 'Payload installation', 'to_ids' => 1),
'pattern-in-traffic' => array('desc' => 'Pattern in network traffic that identifies the malware', 'default_category' => 'Network activity', 'to_ids' => 1),
'pattern-in-memory' => array('desc' => 'Pattern in memory dump that identifies the malware', 'default_category' => 'Payload installation', 'to_ids' => 1),
@ -318,7 +319,7 @@ class Attribute extends AppModel
),
'Network activity' => array(
'desc' => 'Information about network traffic generated by the malware',
'types' => array('ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'port', 'hostname', 'domain', 'domain|ip', 'mac-address', 'mac-eui-64', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'stix2-pattern', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'x509-fingerprint-sha1', 'other', 'hex', 'cookie', 'hostname|port')
'types' => array('ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'port', 'hostname', 'domain', 'domain|ip', 'mac-address', 'mac-eui-64', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'stix2-pattern', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'x509-fingerprint-sha1', 'other', 'hex', 'cookie', 'hostname|port', 'bro')
),
'Payload type' => array(
'desc' => 'Information about the final payload(s)',
@ -332,7 +333,7 @@ class Attribute extends AppModel
'External analysis' => array(
'desc' => 'Any other result from additional analysis of the malware like tools output',
'formdesc' => 'Any other result from additional analysis of the malware like tools output Examples: pdf-parser output, automated sandbox analysis, reverse engineering report.',
'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'mac-address', 'mac-eui-64', 'hostname', 'domain', 'domain|ip', 'url', 'user-agent', 'regkey', 'regkey|value', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'github-repository', 'other', 'cortex')
'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'mac-address', 'mac-eui-64', 'hostname', 'domain', 'domain|ip', 'url', 'user-agent', 'regkey', 'regkey|value', 'AS', 'snort', 'bro','pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'github-repository', 'other', 'cortex')
),
'Financial fraud' => array(
'desc' => 'Financial Fraud indicators',
@ -403,7 +404,7 @@ class Attribute extends AppModel
// This helps generate quick filtering for the event view, but we may reuse this and enhance it in the future for other uses (such as the API?)
public $typeGroupings = array(
'file' => array('attachment', 'pattern-in-file', 'md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy','authentihash', 'pehash', 'tlsh', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|pehash', 'malware-sample', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256', 'x509-fingerprint-md5'),
'network' => array('ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port', 'mac-address', 'mac-eui-64', 'hostname', 'hostname|port', 'domain', 'domain|ip', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-traffic', 'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256'),
'network' => array('ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port', 'mac-address', 'mac-eui-64', 'hostname', 'hostname|port', 'domain', 'domain|ip', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'bro','pattern-in-traffic', 'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256'),
'financial' => array('btc', 'xmr', 'iban', 'bic', 'bank-account-nr', 'aba-rtn', 'bin', 'cc-number', 'prtn', 'phone-number')
);
@ -1123,6 +1124,7 @@ class Attribute extends AppModel
case 'mutex':
case 'AS':
case 'snort':
case 'bro' :
case 'pattern-in-file':
case 'pattern-in-traffic':
case 'pattern-in-memory':

2
app/View/Events/view.ctp
View File

@ -170,7 +170,7 @@
<dd><?php echo h($attribute_count);?></dd>
<dt><?php echo __('Last change');?></dt>
<dd>
<?php echo date('Y/m/d h:i:s', $event['Event']['timestamp']);; ?>
<?php echo date('Y-m-d H:i:s', $event['Event']['timestamp']);; ?>
&nbsp;
</dd>
<dt><?php echo __('Extends');?></dt>

2
app/files/misp-objects

@ -1 +1 @@
Subproject commit 3036ec875c3f82d2284dff8b858d2d6474f8a175
Subproject commit e90b1ce4575c122d410f143d5205771614004d9f

31
app/files/scripts/misp2stix.py
View File

@ -546,16 +546,10 @@ class StixBuilder(object):
regkey, value = attribute.value.split('|')
else:
regkey = attribute.value
reghive, regkey = self.resolve_reg_hive(regkey)
reg_object = WinRegistryKey()
reg_object.key = regkey
reg_object.key.condition = "Equals"
if reghive:
reg_object.hive = reghive
reg_object.hive.condition = "Equals"
reg_object = self.create_regkey_object(regkey)
if value:
reg_value_object = RegistryValue()
reg_value_object.data = value
reg_value_object.data = value.strip()
reg_value_object.data.condition = "Equals"
reg_object.values = RegistryValues(reg_value_object)
reg_object.parent.id_ = "{}:WinRegistryKeyObject-{}".format(self.namespace_prefix, attribute.uuid)
@ -921,16 +915,9 @@ class StixBuilder(object):
def parse_regkey_object(self, misp_object):
to_ids, attributes_dict = self.create_attributes_dict(misp_object.attributes)
reg_object = WinRegistryKey()
registry_values = False
reg_value_object = RegistryValue()
if 'key' in attributes_dict:
reghive, regkey = self.resolve_reg_hive(attributes_dict['key'])
reg_object.key = regkey
reg_object.key.condition = "Equals"
if reghive:
reg_object.hive = reghive
reg_object.hive.condition = "Equals"
reg_object = self.create_regkey_object(attributes_dict['key']) if 'key' in attributes_dict else WinRegistryKey()
if 'last-modified' in attributes_dict:
reg_object.modified_time = attributes_dict['last-modified']
reg_object.modified_time.condition = "Equals"
@ -939,7 +926,7 @@ class StixBuilder(object):
reg_value_object.name.condition = "Equals"
registry_values = True
if 'data' in attributes_dict:
reg_value_object.data = attributes_dict['data']
reg_value_object.data = attributes_dict['data'].strip()
reg_value_object.data.condition = "Equals"
registry_values = True
if 'data-type' in attributes_dict:
@ -1393,6 +1380,16 @@ class StixBuilder(object):
port_observable.id_ = "{}:{}Port-{}".format(self.namespace_prefix, port_type, uuid)
return port_observable
def create_regkey_object(self, regkey):
reghive, regkey = self.resolve_reg_hive(regkey)
reg_object = WinRegistryKey()
reg_object.key = regkey.strip()
reg_object.key.condition = "Equals"
if reghive:
reg_object.hive = reghive.strip()
reg_object.hive.condition = "Equals"
return reg_object
def create_socket_address_object(self, sao_type, **kwargs):
socket_address_object = SocketAddress()
ip_type, port_type, hostname_type = [arg.format(sao_type) for arg in ('ip-{}', '{}-port', 'hostname-{}')]

7
app/files/scripts/stix2misp.py
View File

@ -607,6 +607,13 @@ class StixParser():
values = properties.values
value = values[0]
attributes += self.fetch_attributes_with_partial_key_parsing(value, stix2misp_mapping._regkey_value_mapping)
if len(attributes) in (2,3):
d_regkey = {key: value for (_, value, key) in attributes}
if 'hive' in d_regkey and 'key' in d_regkey:
regkey = "{}\\{}".format(d_regkey['hive'], d_regkey['key'])
if 'data' in d_regkey:
return "regkey|value", "{} | {}".format(regkey, d_regkey['data']), ""
return "regkey", regkey, ""
return "registry-key", self.return_attributes(attributes), ""
@staticmethod