Merge branch '2.4' of github.com:MISP/MISP into 2.4
commit
84f1006ed6
|
@ -24,9 +24,6 @@ from misp2stix2_mapping import *
|
|||
from collections import defaultdict
|
||||
from copy import deepcopy
|
||||
|
||||
non_indicator_attributes = ['text', 'comment', 'other', 'link', 'target-user', 'target-email',
|
||||
'target-machine', 'target-org', 'target-location', 'target-external',
|
||||
'vulnerability']
|
||||
misp_hash_types = ["authentihash", "ssdeep", "imphash", "md5", "sha1", "sha224",
|
||||
"sha256", "sha384", "sha512", "sha512/224","sha512/256","tlsh"]
|
||||
attack_pattern_galaxies_list = ['mitre-attack-pattern', 'mitre-enterprise-attack-attack-pattern',
|
||||
|
@ -97,56 +94,32 @@ class StixBuilder():
|
|||
def misp_types(self):
|
||||
describe_types_filename = os.path.join(pymisp.__path__[0], 'data/describeTypes.json')
|
||||
describe_types = open(describe_types_filename, 'r')
|
||||
self.categories_mapping = json.loads(describe_types.read())['result']['category_type_mappings']
|
||||
categories_mapping = json.loads(describe_types.read())['result']['category_type_mappings']
|
||||
for category in categories_mapping:
|
||||
mispTypesMapping[category] = {'to_call': 'handle_person'}
|
||||
|
||||
def read_attributes(self):
|
||||
self.misp_types()
|
||||
if hasattr(self.misp_event, 'attributes') and self.misp_event.attributes:
|
||||
for attribute in self.misp_event.attributes:
|
||||
attribute_type = attribute.type
|
||||
if attribute_type in non_indicator_attributes:
|
||||
self.handle_non_indicator(attribute, attribute_type)
|
||||
else:
|
||||
if attribute_type in self.categories_mapping['Person']:
|
||||
self.handle_person(attribute)
|
||||
elif attribute_type in mispTypesMapping:
|
||||
self.handle_usual_type(attribute)
|
||||
else:
|
||||
self.add_custom(attribute)
|
||||
try:
|
||||
getattr(self, mispTypesMapping[attribute.type]['to_call'])(attribute)
|
||||
except KeyError:
|
||||
self.add_custom(attribute)
|
||||
if hasattr(self.misp_event, 'objects') and self.misp_event.objects:
|
||||
self.load_objects_mapping()
|
||||
objects_to_parse = defaultdict(dict)
|
||||
self.objects_to_parse = defaultdict(dict)
|
||||
misp_objects = self.misp_event.objects
|
||||
self.object_references, self.processes = self.fetch_object_references(misp_objects)
|
||||
for misp_object in misp_objects:
|
||||
to_ids = self.fetch_ids_flag(misp_object.attributes)
|
||||
name = misp_object.name
|
||||
if name == "vulnerability":
|
||||
self.add_object_vulnerability(misp_object, to_ids)
|
||||
elif name == "course-of-action":
|
||||
self.add_course_of_action(misp_object, from_object=True)
|
||||
elif name in ('pe', 'pe-section'):
|
||||
objects_to_parse[name][misp_object.uuid] = to_ids, misp_object
|
||||
elif name in objectsMapping:
|
||||
if name == 'file' and misp_object.references:
|
||||
to_parse = False
|
||||
for reference in misp_object.references:
|
||||
if reference.relationship_type == 'included-in' and reference.Object['name'] == "pe":
|
||||
objects_to_parse[name][misp_object.uuid] = to_ids, misp_object
|
||||
to_parse = True
|
||||
break
|
||||
if to_parse:
|
||||
continue
|
||||
try:
|
||||
if to_ids or name == "stix2-pattern":
|
||||
self.add_object_indicator(misp_object)
|
||||
else:
|
||||
self.add_object_observable(misp_object)
|
||||
except:
|
||||
self.add_object_custom(misp_object, to_ids)
|
||||
else:
|
||||
try:
|
||||
getattr(self, objectsMapping[name]['to_call'])(misp_object, to_ids)
|
||||
except KeyError:
|
||||
self.add_object_custom(misp_object, to_ids)
|
||||
if objects_to_parse: self.resolve_objects2parse(objects_to_parse)
|
||||
if self.objects_to_parse:
|
||||
self.resolve_objects2parse()
|
||||
if hasattr(self.misp_event, 'Galaxy') and self.misp_event.Galaxy:
|
||||
for galaxy in self.misp_event.Galaxy:
|
||||
self.parse_galaxy(galaxy, self.report_id)
|
||||
|
@ -187,7 +160,7 @@ class StixBuilder():
|
|||
'x509': {'observable': self.resolve_x509_observable,
|
||||
'pattern': self.resolve_x509_pattern}
|
||||
}
|
||||
self.galaxies_mapping = {'branded-vulnerability': ['vulnerability', self.add_vulnerability]}
|
||||
self.galaxies_mapping = {'branded-vulnerability': ['vulnerability', self.add_vulnerability_from_galaxy]}
|
||||
self.galaxies_mapping.update(dict.fromkeys(attack_pattern_galaxies_list, ['attack-pattern', self.add_attack_pattern]))
|
||||
self.galaxies_mapping.update(dict.fromkeys(course_of_action_galaxies_list, ['course-of-action', self.add_course_of_action]))
|
||||
self.galaxies_mapping.update(dict.fromkeys(intrusion_set_galaxies_list, ['intrusion-set', self.add_intrusion_set]))
|
||||
|
@ -227,23 +200,6 @@ class StixBuilder():
|
|||
process['type'] = 'process'
|
||||
processes[pid] = process
|
||||
|
||||
def handle_non_indicator(self, attribute, attribute_type):
|
||||
if attribute_type == "link":
|
||||
self.handle_link(attribute)
|
||||
elif attribute_type in ('text', 'comment', 'other') or attribute_type not in mispTypesMapping:
|
||||
self.add_custom(attribute)
|
||||
else:
|
||||
try:
|
||||
self.handle_non_indicator_attribute(attribute, attribute_type)
|
||||
except:
|
||||
self.add_custom(attribute)
|
||||
|
||||
def handle_non_indicator_attribute(self, attribute, attribute_type):
|
||||
if attribute_type == "vulnerability":
|
||||
self.add_vulnerability(attribute, from_galaxy=False)
|
||||
else:
|
||||
self.add_observed_data(attribute)
|
||||
|
||||
def handle_person(self, attribute):
|
||||
if attribute.category == "Person":
|
||||
self.add_identity(attribute)
|
||||
|
@ -259,6 +215,21 @@ class StixBuilder():
|
|||
except:
|
||||
self.add_custom(attribute)
|
||||
|
||||
def handle_usual_object_name(self, misp_object, to_ids):
|
||||
name = misp_object.name
|
||||
if name == 'file' and misp_object.references:
|
||||
for reference in misp_object.references:
|
||||
if reference.relationship_type == 'included-in' and reference.Object['name'] == "pe":
|
||||
self.objects_to_parse[name][misp_object.uuid] = to_ids, misp_object
|
||||
return
|
||||
try:
|
||||
if to_ids or name == "stix2-pattern":
|
||||
self.add_object_indicator(misp_object)
|
||||
else:
|
||||
self.add_object_observable(misp_object)
|
||||
except:
|
||||
self.add_object_custom(misp_object, to_ids)
|
||||
|
||||
def handle_link(self, attribute):
|
||||
url = attribute.value
|
||||
source = "url"
|
||||
|
@ -270,8 +241,11 @@ class StixBuilder():
|
|||
link = {'source_name': source, 'url': url}
|
||||
self.external_refs.append(link)
|
||||
|
||||
def resolve_objects2parse(self, objects2parse):
|
||||
for uuid, misp_object in objects2parse['file'].items():
|
||||
def populate_objects_to_parse(self, misp_object, to_ids):
|
||||
self.objects_to_parse[misp_object.name][misp_object.uuid] = to_ids, misp_object
|
||||
|
||||
def resolve_objects2parse(self):
|
||||
for uuid, misp_object in self.objects2parse['file'].items():
|
||||
to_ids_file, file_object = misp_object
|
||||
file_id = "file--{}".format(file_object.uuid)
|
||||
to_ids_list = [to_ids_file]
|
||||
|
@ -280,12 +254,12 @@ class StixBuilder():
|
|||
if reference.relationship_type == "included-in" and reference.Object['name'] == "pe":
|
||||
pe_uuid = reference.referenced_uuid
|
||||
break
|
||||
to_ids_pe, pe_object = objects2parse['pe'][pe_uuid]
|
||||
to_ids_pe, pe_object = self.objects2parse['pe'][pe_uuid]
|
||||
to_ids_list.append(to_ids_pe)
|
||||
sections = []
|
||||
for reference in pe_object.references:
|
||||
if reference.Object['name'] == "pe-section":
|
||||
to_ids_section, section_object = objects2parse['pe-section'][reference.referenced_uuid]
|
||||
to_ids_section, section_object = self.objects2parse['pe-section'][reference.referenced_uuid]
|
||||
to_ids_list.append(to_ids_section)
|
||||
sections.append(section_object)
|
||||
if True in to_ids_list:
|
||||
|
@ -389,21 +363,25 @@ class StixBuilder():
|
|||
attack_pattern = AttackPattern(**a_p_args)
|
||||
self.append_object(attack_pattern, a_p_id)
|
||||
|
||||
def add_course_of_action(self, misp_object, from_object=False):
|
||||
if from_object:
|
||||
coa_id = 'course-of-action--{}'.format(misp_object.uuid)
|
||||
coa_args = {'id': coa_id, 'type': 'course-of-action'}
|
||||
for attribute in misp_object.attributes:
|
||||
self.parse_galaxies(attribute.Galaxy, coa_id)
|
||||
relation = attribute.object_relation
|
||||
if relation == 'name':
|
||||
coa_args['name'] = attribute.value
|
||||
elif relation == 'description':
|
||||
coa_args['description'] = attribute.value
|
||||
if not 'name' in coa_args:
|
||||
return
|
||||
else:
|
||||
coa_args, coa_id = self.generate_galaxy_args(misp_object, False, False, 'course-of-action')
|
||||
def add_course_of_action(self, misp_object):
|
||||
coa_args, coa_id = self.generate_galaxy_args(misp_object, False, False, 'course-of-action')
|
||||
self.add_coa_stix_object(coa_args, coa_id)
|
||||
|
||||
def add_course_of_action_from_object(self, misp_object, _):
|
||||
coa_id = 'course-of-action--{}'.format(misp_object.uuid)
|
||||
coa_args = {'id': coa_id, 'type': 'course-of-action'}
|
||||
for attribute in misp_object.attributes:
|
||||
self.parse_galaxies(attribute.Galaxy, coa_id)
|
||||
relation = attribute.object_relation
|
||||
if relation == 'name':
|
||||
coa_args['name'] = attribute.value
|
||||
elif relation == 'description':
|
||||
coa_args['description'] = attribute.value
|
||||
if not 'name' in coa_args:
|
||||
return
|
||||
self.add_coa_stix_object(coa_args, coa_id)
|
||||
|
||||
def add_coa_stix_object(self, coa_args):
|
||||
coa_args['created_by_ref'] = self.identity_id
|
||||
course_of_action = CourseOfAction(**coa_args)
|
||||
self.append_object(course_of_action, coa_id)
|
||||
|
@ -501,31 +479,33 @@ class StixBuilder():
|
|||
tool = Tool(**tool_args)
|
||||
self.append_object(tool, tool_id)
|
||||
|
||||
def add_vulnerability(self, attribute, from_galaxy=True):
|
||||
if from_galaxy:
|
||||
vulnerability_id = "vulnerability--{}".format(attribute['uuid'])
|
||||
cluster = attribute['GalaxyCluster'][0]
|
||||
name = cluster['value']
|
||||
if cluster['meta'] and cluster['meta']['aliases']:
|
||||
vulnerability_data = [mispTypesMapping['vulnerability'](alias) for alias in cluster['meta']['aliases']]
|
||||
else:
|
||||
vulnerability_data = [mispTypesMapping['vulnerability'](name)]
|
||||
labels = ['misp:type=\"{}\"'.format(attribute.get('type'))]
|
||||
if cluster['tag_name']:
|
||||
labels.append(cluster['tag_name'])
|
||||
description = "{} | {}".format(attribute.get('description'), cluster.get('description'))
|
||||
vulnerability_args = {'id': vulnerability_id, 'type': 'vulnerability',
|
||||
'name': name, 'external_references': vulnerability_data,
|
||||
'created_by_ref': self.identity_id, 'labels': labels,
|
||||
'description': description}
|
||||
def add_vulnerability(self, attribute):
|
||||
vulnerability_id = "vulnerability--{}".format(attribute.uuid)
|
||||
name = attribute.value
|
||||
vulnerability_data = [mispTypesMapping['vulnerability']['vulnerability_args'](name)]
|
||||
labels = self.create_labels(attribute)
|
||||
vulnerability_args = {'id': vulnerability_id, 'type': 'vulnerability',
|
||||
'name': name, 'external_references': vulnerability_data,
|
||||
'created_by_ref': self.identity_id, 'labels': labels}
|
||||
vulnerability = Vulnerability(**vulnerability_args)
|
||||
self.append_object(vulnerability, vulnerability_id)
|
||||
|
||||
def add_vulnerability_from_galaxy(self, attribute):
|
||||
vulnerability_id = "vulnerability--{}".format(attribute['uuid'])
|
||||
cluster = attribute['GalaxyCluster'][0]
|
||||
name = cluster['value']
|
||||
if cluster['meta'] and cluster['meta']['aliases']:
|
||||
vulnerability_data = [mispTypesMapping['vulnerability']['vulnerability_args'](alias) for alias in cluster['meta']['aliases']]
|
||||
else:
|
||||
vulnerability_id = "vulnerability--{}".format(attribute.uuid)
|
||||
name = attribute.value
|
||||
vulnerability_data = [mispTypesMapping['vulnerability'](name)]
|
||||
labels = self.create_labels(attribute)
|
||||
vulnerability_args = {'id': vulnerability_id, 'type': 'vulnerability',
|
||||
'name': name, 'external_references': vulnerability_data,
|
||||
'created_by_ref': self.identity_id, 'labels': labels}
|
||||
vulnerability_data = [mispTypesMapping['vulnerability']['vulnerability_args'](name)]
|
||||
labels = ['misp:type=\"{}\"'.format(attribute.get('type'))]
|
||||
if cluster['tag_name']:
|
||||
labels.append(cluster['tag_name'])
|
||||
description = "{} | {}".format(attribute.get('description'), cluster.get('description'))
|
||||
vulnerability_args = {'id': vulnerability_id, 'type': 'vulnerability',
|
||||
'name': name, 'external_references': vulnerability_data,
|
||||
'created_by_ref': self.identity_id, 'labels': labels,
|
||||
'description': description}
|
||||
vulnerability = Vulnerability(**vulnerability_args)
|
||||
self.append_object(vulnerability, vulnerability_id)
|
||||
|
||||
|
|
|
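Review bot: `resolve_objects2parse` reads `self.objects2parse` (the `['file']`, `['pe']` and `['pe-section']` lookups in the `@ -270` and `@ -280` hunks), while the attribute that `read_attributes`, `handle_usual_object_name` and `populate_objects_to_parse` fill is `self.objects_to_parse`; within the visible hunks the only assignment is to the latter, so the first call into `resolve_objects2parse` on an event with a `file` object raises AttributeError — the three reads should be `self.objects_to_parse[...]`. In the `@ -389` hunk the new signature `def add_coa_stix_object(self, coa_args):` drops `coa_id`, although both `add_course_of_action` and `add_course_of_action_from_object` call it with two arguments and its retained body passes `coa_id` to `append_object`; it should read `def add_coa_stix_object(self, coa_args, coa_id):`. In `read_attributes` the `except KeyError` now wraps the handler call together with the mapping lookup, so a KeyError raised inside a handler (for example `cluster['meta']` in `add_vulnerability_from_galaxy`) is silently converted into a custom object instead of surfacing; resolve the name inside the `try` and invoke the handler after it, e.g. `to_call = mispTypesMapping[attribute.type]['to_call']` in the `try` and `getattr(self, to_call)(attribute)` after the `except`. The object loop's `except KeyError` in the same hunk has the same shape and deserves the same split.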
@ -206,61 +206,62 @@ def return_vulnerability(name):
|
|||
return {'source_name': 'cve', 'external_id': name}
|
||||
|
||||
mispTypesMapping = {
|
||||
'vulnerability': return_vulnerability,
|
||||
'md5': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha1': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha256': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'filename': {'observable': observable_file, 'pattern': pattern_file},
|
||||
'filename|md5': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha1': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha256': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'ip-src': {'observable': observable_ip, 'pattern': pattern_ip},
|
||||
'ip-dst': {'observable': observable_ip, 'pattern': pattern_ip},
|
||||
'hostname': {'observable': observable_domain, 'pattern': pattern_domain},
|
||||
'domain': {'observable': observable_domain, 'pattern': pattern_domain},
|
||||
'domain|ip': {'observable': observable_domain_ip, 'pattern': pattern_domain_ip},
|
||||
'email-src': {'observable': observable_email_address, 'pattern': pattern_email_address},
|
||||
'email-dst': {'observable': observable_email_address, 'pattern': pattern_email_address},
|
||||
'email-subject': {'observable': observable_email_message, 'pattern': pattern_email_message},
|
||||
'email-body': {'observable': observable_email_message, 'pattern': pattern_email_message},
|
||||
'email-attachment': {'observable': observable_email_attachment, 'pattern': pattern_email_attachment},
|
||||
'url': {'observable': observable_url, 'pattern': pattern_url},
|
||||
'regkey': {'observable': observable_regkey, 'pattern': pattern_regkey},
|
||||
'regkey|value': {'observable': observable_regkey_value, 'pattern': pattern_regkey_value},
|
||||
'malware-sample': {'observable': observable_malware_sample, 'pattern': pattern_malware_sample},
|
||||
'mutex': {'observable': observable_mutex, 'pattern': pattern_mutex},
|
||||
'uri': {'observable': observable_url, 'pattern': pattern_url},
|
||||
'authentihash': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'ssdeep': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'imphash': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'pehash': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'impfuzzy': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha224': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha384': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha512': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha512/224': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha512/256': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'tlsh': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'filename|authentihash': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|ssdeep': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|imphash': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|impfuzzy': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|pehash': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha224': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha384': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha512': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha512/224': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha512/256': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|tlsh': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'x509-fingerprint-sha1': {'observable': observable_x509, 'pattern': pattern_x509},
|
||||
'port': {'observable': observable_port, 'pattern': pattern_port},
|
||||
'ip-dst|port': {'observable': observable_ip_port, 'pattern': pattern_ip_port},
|
||||
'ip-src|port': {'observable': observable_ip_port, 'pattern': pattern_ip_port},
|
||||
'hostname|port': {'observable': observable_hostname_port, 'pattern': pattern_hostname_port},
|
||||
'email-reply-to': {'observable': observable_reply_to, 'pattern': pattern_reply_to},
|
||||
'attachment': {'observable': observable_attachment, 'pattern': pattern_attachment},
|
||||
'mac-address': {'observable': observable_mac_address, 'pattern': pattern_mac_address},
|
||||
'AS': {'observable': observable_as, 'pattern': pattern_as}
|
||||
'link': {'to_call': 'handle_link'},
|
||||
'vulnerability': {'to_call': 'add_vulnerability', 'vulnerability_args': return_vulnerability},
|
||||
'md5': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha1': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha256': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'filename': {'to_call': 'handle_usual_type', 'observable': observable_file, 'pattern': pattern_file},
|
||||
'filename|md5': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha1': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha256': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'ip-src': {'to_call': 'handle_usual_type', 'observable': observable_ip, 'pattern': pattern_ip},
|
||||
'ip-dst': {'to_call': 'handle_usual_type', 'observable': observable_ip, 'pattern': pattern_ip},
|
||||
'hostname': {'to_call': 'handle_usual_type', 'observable': observable_domain, 'pattern': pattern_domain},
|
||||
'domain': {'to_call': 'handle_usual_type', 'observable': observable_domain, 'pattern': pattern_domain},
|
||||
'domain|ip': {'to_call': 'handle_usual_type', 'observable': observable_domain_ip, 'pattern': pattern_domain_ip},
|
||||
'email-src': {'to_call': 'handle_usual_type', 'observable': observable_email_address, 'pattern': pattern_email_address},
|
||||
'email-dst': {'to_call': 'handle_usual_type', 'observable': observable_email_address, 'pattern': pattern_email_address},
|
||||
'email-subject': {'to_call': 'handle_usual_type', 'observable': observable_email_message, 'pattern': pattern_email_message},
|
||||
'email-body': {'to_call': 'handle_usual_type', 'observable': observable_email_message, 'pattern': pattern_email_message},
|
||||
'email-attachment': {'to_call': 'handle_usual_type', 'observable': observable_email_attachment, 'pattern': pattern_email_attachment},
|
||||
'url': {'to_call': 'handle_usual_type', 'observable': observable_url, 'pattern': pattern_url},
|
||||
'regkey': {'to_call': 'handle_usual_type', 'observable': observable_regkey, 'pattern': pattern_regkey},
|
||||
'regkey|value': {'to_call': 'handle_usual_type', 'observable': observable_regkey_value, 'pattern': pattern_regkey_value},
|
||||
'malware-sample': {'to_call': 'handle_usual_type', 'observable': observable_malware_sample, 'pattern': pattern_malware_sample},
|
||||
'mutex': {'to_call': 'handle_usual_type', 'observable': observable_mutex, 'pattern': pattern_mutex},
|
||||
'uri': {'to_call': 'handle_usual_type', 'observable': observable_url, 'pattern': pattern_url},
|
||||
'authentihash': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'ssdeep': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'imphash': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'pehash': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'impfuzzy': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha224': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha384': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha512': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha512/224': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha512/256': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'tlsh': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'filename|authentihash': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|ssdeep': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|imphash': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|impfuzzy': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|pehash': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha224': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha384': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha512': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha512/224': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha512/256': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|tlsh': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'x509-fingerprint-sha1': {'to_call': 'handle_usual_type', 'observable': observable_x509, 'pattern': pattern_x509},
|
||||
'port': {'to_call': 'handle_usual_type', 'observable': observable_port, 'pattern': pattern_port},
|
||||
'ip-dst|port': {'to_call': 'handle_usual_type', 'observable': observable_ip_port, 'pattern': pattern_ip_port},
|
||||
'ip-src|port': {'to_call': 'handle_usual_type', 'observable': observable_ip_port, 'pattern': pattern_ip_port},
|
||||
'hostname|port': {'to_call': 'handle_usual_type', 'observable': observable_hostname_port, 'pattern': pattern_hostname_port},
|
||||
'email-reply-to': {'to_call': 'handle_usual_type', 'observable': observable_reply_to, 'pattern': pattern_reply_to},
|
||||
'attachment': {'to_call': 'handle_usual_type', 'observable': observable_attachment, 'pattern': pattern_attachment},
|
||||
'mac-address': {'to_call': 'handle_usual_type', 'observable': observable_mac_address, 'pattern': pattern_mac_address},
|
||||
'AS': {'to_call': 'handle_usual_type', 'observable': observable_as, 'pattern': pattern_as}
|
||||
#'email-dst-display-name': {'observable': {'0': {'type': 'email-addr', 'display_name': ''}},
|
||||
# 'pattern': 'email-addr:display_name = \'{0}\''},
|
||||
#'email-src-display-name': {'observable': {'0': {'type': 'email-addr', 'display_name': ''}},
|
||||
|
@ -271,21 +272,35 @@ network_traffic_pattern = "network-traffic:{0} = '{1}' AND "
|
|||
network_traffic_src_ref = "src_ref.type = '{0}' AND network-traffic:src_ref.value"
|
||||
network_traffic_dst_ref = "dst_ref.type = '{0}' AND network-traffic:dst_ref.value"
|
||||
|
||||
objectsMapping = {'asn': {'observable': {'type': 'autonomous-system'},
|
||||
objectsMapping = {'asn': {'to_call': 'handle_usual_object_name',
|
||||
'observable': {'type': 'autonomous-system'},
|
||||
'pattern': "autonomous-system:{0} = '{1}' AND "},
|
||||
'domain-ip': {'pattern': "domain-name:{0} = '{1}' AND "},
|
||||
'email': {'observable': {'0': {'type': 'email-message'}},
|
||||
'course-of-action': {'to_call': 'add_course_of_action_from_object'},
|
||||
'domain-ip': {'to_call': 'handle_usual_object_name',
|
||||
'pattern': "domain-name:{0} = '{1}' AND "},
|
||||
'email': {'to_call': 'handle_usual_object_name',
|
||||
'observable': {'0': {'type': 'email-message'}},
|
||||
'pattern': "email-{0}:{1} = '{2}' AND "},
|
||||
'file': {'observable': {'0': {'type': 'file', 'hashes': {}}},
|
||||
'file': {'to_call': 'handle_usual_object_name',
|
||||
'observable': {'0': {'type': 'file', 'hashes': {}}},
|
||||
'pattern': "file:{0} = '{1}' AND "},
|
||||
'ip-port': {'pattern': network_traffic_pattern},
|
||||
'network-socket': {'pattern': network_traffic_pattern},
|
||||
'process': {'pattern': "process:{0} = '{1}' AND "},
|
||||
'registry-key': {'observable': {'0': {'type': 'windows-registry-key'}},
|
||||
'ip-port': {'to_call': 'handle_usual_object_name',
|
||||
'pattern': network_traffic_pattern},
|
||||
'network-socket': {'to_call': 'handle_usual_object_name',
|
||||
'pattern': network_traffic_pattern},
|
||||
'pe': {'to_call': 'populate_objects_to_parse'},
|
||||
'pe-section': {'to_call': 'populate_objects_to_parse'},
|
||||
'process': {'to_call': 'handle_usual_object_name',
|
||||
'pattern': "process:{0} = '{1}' AND "},
|
||||
'registry-key': {'to_call': 'handle_usual_object_name',
|
||||
'observable': {'0': {'type': 'windows-registry-key'}},
|
||||
'pattern': "windows-registry-key:{0} = '{1}' AND "},
|
||||
'url': {'observable': {'0': {'type': 'url'}},
|
||||
'url': {'to_call': 'handle_usual_object_name',
|
||||
'observable': {'0': {'type': 'url'}},
|
||||
'pattern': "url:{0} = '{1}' AND "},
|
||||
'x509': {'pattern': "x509-certificate:{0} = '{1}' AND "}
|
||||
'vulnerability': {'to_call': 'add_object_vulnerability'},
|
||||
'x509': {'to_call': 'handle_usual_object_name',
|
||||
'pattern': "x509-certificate:{0} = '{1}' AND "}
|
||||
}
|
||||
|
||||
asnObjectMapping = {'asn': 'number', 'description': 'name', 'subnet-announced': 'value'}
|
||||
|
|
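Review bot: The new `'to_call'` values in `mispTypesMapping` and `objectsMapping` are method names that the `StixBuilder` class importing this module resolves with `getattr`, and nothing in the visible hunk says so; a reader of the mapping cannot tell that each string must match a method name exactly, nor that a misspelled name surfaces as an AttributeError at conversion time rather than as the KeyError fallback the consumer catches. I would add above `mispTypesMapping`: `# 'to_call' names the StixBuilder method that handles this type; it is resolved with getattr at runtime, so it must match a method name exactly`, and the same comment above `objectsMapping`. The `'vulnerability'` entry also changes shape from a bare callable to a dict carrying the callable under `'vulnerability_args'`, so any call site still written as `mispTypesMapping['vulnerability'](name)` now fails with a TypeError; a one-line note on that entry would help anyone touching the consumer side.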