mirror of https://github.com/MISP/MISP
fix: [stix2 export] Cleaned up MISP attributes parsing
- Replaced multiple if statements in a for loop by a dictionary mappingpull/3725/head
parent
bf59f3bca0
commit
f4c6d98426
|
@ -97,22 +97,18 @@ class StixBuilder():
|
|||
def misp_types(self):
|
||||
describe_types_filename = os.path.join(pymisp.__path__[0], 'data/describeTypes.json')
|
||||
describe_types = open(describe_types_filename, 'r')
|
||||
self.categories_mapping = json.loads(describe_types.read())['result']['category_type_mappings']
|
||||
categories_mapping = json.loads(describe_types.read())['result']['category_type_mappings']
|
||||
for category in categories_mapping:
|
||||
mispTypesMapping[category] = {'to_call': 'handle_person'}
|
||||
|
||||
def read_attributes(self):
|
||||
self.misp_types()
|
||||
if hasattr(self.misp_event, 'attributes') and self.misp_event.attributes:
|
||||
for attribute in self.misp_event.attributes:
|
||||
attribute_type = attribute.type
|
||||
if attribute_type in non_indicator_attributes:
|
||||
self.handle_non_indicator(attribute, attribute_type)
|
||||
else:
|
||||
if attribute_type in self.categories_mapping['Person']:
|
||||
self.handle_person(attribute)
|
||||
elif attribute_type in mispTypesMapping:
|
||||
self.handle_usual_type(attribute)
|
||||
else:
|
||||
self.add_custom(attribute)
|
||||
try:
|
||||
getattr(self, mispTypesMapping[attribute.type]['to_call'])(attribute)
|
||||
except KeyError:
|
||||
self.add_custom(attribute)
|
||||
if hasattr(self.misp_event, 'objects') and self.misp_event.objects:
|
||||
self.load_objects_mapping()
|
||||
objects_to_parse = defaultdict(dict)
|
||||
|
@ -146,7 +142,8 @@ class StixBuilder():
|
|||
self.add_object_custom(misp_object, to_ids)
|
||||
else:
|
||||
self.add_object_custom(misp_object, to_ids)
|
||||
if objects_to_parse: self.resolve_objects2parse(objects_to_parse)
|
||||
if objects_to_parse:
|
||||
self.resolve_objects2parse(objects_to_parse)
|
||||
if hasattr(self.misp_event, 'Galaxy') and self.misp_event.Galaxy:
|
||||
for galaxy in self.misp_event.Galaxy:
|
||||
self.parse_galaxy(galaxy, self.report_id)
|
||||
|
@ -187,7 +184,7 @@ class StixBuilder():
|
|||
'x509': {'observable': self.resolve_x509_observable,
|
||||
'pattern': self.resolve_x509_pattern}
|
||||
}
|
||||
self.galaxies_mapping = {'branded-vulnerability': ['vulnerability', self.add_vulnerability]}
|
||||
self.galaxies_mapping = {'branded-vulnerability': ['vulnerability', self.add_vulnerability_from_galaxy]}
|
||||
self.galaxies_mapping.update(dict.fromkeys(attack_pattern_galaxies_list, ['attack-pattern', self.add_attack_pattern]))
|
||||
self.galaxies_mapping.update(dict.fromkeys(course_of_action_galaxies_list, ['course-of-action', self.add_course_of_action]))
|
||||
self.galaxies_mapping.update(dict.fromkeys(intrusion_set_galaxies_list, ['intrusion-set', self.add_intrusion_set]))
|
||||
|
@ -227,23 +224,6 @@ class StixBuilder():
|
|||
process['type'] = 'process'
|
||||
processes[pid] = process
|
||||
|
||||
def handle_non_indicator(self, attribute, attribute_type):
|
||||
if attribute_type == "link":
|
||||
self.handle_link(attribute)
|
||||
elif attribute_type in ('text', 'comment', 'other') or attribute_type not in mispTypesMapping:
|
||||
self.add_custom(attribute)
|
||||
else:
|
||||
try:
|
||||
self.handle_non_indicator_attribute(attribute, attribute_type)
|
||||
except:
|
||||
self.add_custom(attribute)
|
||||
|
||||
def handle_non_indicator_attribute(self, attribute, attribute_type):
|
||||
if attribute_type == "vulnerability":
|
||||
self.add_vulnerability(attribute, from_galaxy=False)
|
||||
else:
|
||||
self.add_observed_data(attribute)
|
||||
|
||||
def handle_person(self, attribute):
|
||||
if attribute.category == "Person":
|
||||
self.add_identity(attribute)
|
||||
|
@ -501,31 +481,33 @@ class StixBuilder():
|
|||
tool = Tool(**tool_args)
|
||||
self.append_object(tool, tool_id)
|
||||
|
||||
def add_vulnerability(self, attribute, from_galaxy=True):
|
||||
if from_galaxy:
|
||||
vulnerability_id = "vulnerability--{}".format(attribute['uuid'])
|
||||
cluster = attribute['GalaxyCluster'][0]
|
||||
name = cluster['value']
|
||||
if cluster['meta'] and cluster['meta']['aliases']:
|
||||
vulnerability_data = [mispTypesMapping['vulnerability'](alias) for alias in cluster['meta']['aliases']]
|
||||
else:
|
||||
vulnerability_data = [mispTypesMapping['vulnerability'](name)]
|
||||
labels = ['misp:type=\"{}\"'.format(attribute.get('type'))]
|
||||
if cluster['tag_name']:
|
||||
labels.append(cluster['tag_name'])
|
||||
description = "{} | {}".format(attribute.get('description'), cluster.get('description'))
|
||||
vulnerability_args = {'id': vulnerability_id, 'type': 'vulnerability',
|
||||
'name': name, 'external_references': vulnerability_data,
|
||||
'created_by_ref': self.identity_id, 'labels': labels,
|
||||
'description': description}
|
||||
def add_vulnerability(self, attribute):
|
||||
vulnerability_id = "vulnerability--{}".format(attribute.uuid)
|
||||
name = attribute.value
|
||||
vulnerability_data = [mispTypesMapping['vulnerability']['vulnerability_args'](name)]
|
||||
labels = self.create_labels(attribute)
|
||||
vulnerability_args = {'id': vulnerability_id, 'type': 'vulnerability',
|
||||
'name': name, 'external_references': vulnerability_data,
|
||||
'created_by_ref': self.identity_id, 'labels': labels}
|
||||
vulnerability = Vulnerability(**vulnerability_args)
|
||||
self.append_object(vulnerability, vulnerability_id)
|
||||
|
||||
def add_vulnerability_from_galaxy(self, attribute):
|
||||
vulnerability_id = "vulnerability--{}".format(attribute['uuid'])
|
||||
cluster = attribute['GalaxyCluster'][0]
|
||||
name = cluster['value']
|
||||
if cluster['meta'] and cluster['meta']['aliases']:
|
||||
vulnerability_data = [mispTypesMapping['vulnerability']['vulnerability_args'](alias) for alias in cluster['meta']['aliases']]
|
||||
else:
|
||||
vulnerability_id = "vulnerability--{}".format(attribute.uuid)
|
||||
name = attribute.value
|
||||
vulnerability_data = [mispTypesMapping['vulnerability'](name)]
|
||||
labels = self.create_labels(attribute)
|
||||
vulnerability_args = {'id': vulnerability_id, 'type': 'vulnerability',
|
||||
'name': name, 'external_references': vulnerability_data,
|
||||
'created_by_ref': self.identity_id, 'labels': labels}
|
||||
vulnerability_data = [mispTypesMapping['vulnerability']['vulnerability_args'](name)]
|
||||
labels = ['misp:type=\"{}\"'.format(attribute.get('type'))]
|
||||
if cluster['tag_name']:
|
||||
labels.append(cluster['tag_name'])
|
||||
description = "{} | {}".format(attribute.get('description'), cluster.get('description'))
|
||||
vulnerability_args = {'id': vulnerability_id, 'type': 'vulnerability',
|
||||
'name': name, 'external_references': vulnerability_data,
|
||||
'created_by_ref': self.identity_id, 'labels': labels,
|
||||
'description': description}
|
||||
vulnerability = Vulnerability(**vulnerability_args)
|
||||
self.append_object(vulnerability, vulnerability_id)
|
||||
|
||||
|
|
|
@ -206,61 +206,62 @@ def return_vulnerability(name):
|
|||
return {'source_name': 'cve', 'external_id': name}
|
||||
|
||||
mispTypesMapping = {
|
||||
'vulnerability': return_vulnerability,
|
||||
'md5': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha1': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha256': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'filename': {'observable': observable_file, 'pattern': pattern_file},
|
||||
'filename|md5': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha1': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha256': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'ip-src': {'observable': observable_ip, 'pattern': pattern_ip},
|
||||
'ip-dst': {'observable': observable_ip, 'pattern': pattern_ip},
|
||||
'hostname': {'observable': observable_domain, 'pattern': pattern_domain},
|
||||
'domain': {'observable': observable_domain, 'pattern': pattern_domain},
|
||||
'domain|ip': {'observable': observable_domain_ip, 'pattern': pattern_domain_ip},
|
||||
'email-src': {'observable': observable_email_address, 'pattern': pattern_email_address},
|
||||
'email-dst': {'observable': observable_email_address, 'pattern': pattern_email_address},
|
||||
'email-subject': {'observable': observable_email_message, 'pattern': pattern_email_message},
|
||||
'email-body': {'observable': observable_email_message, 'pattern': pattern_email_message},
|
||||
'email-attachment': {'observable': observable_email_attachment, 'pattern': pattern_email_attachment},
|
||||
'url': {'observable': observable_url, 'pattern': pattern_url},
|
||||
'regkey': {'observable': observable_regkey, 'pattern': pattern_regkey},
|
||||
'regkey|value': {'observable': observable_regkey_value, 'pattern': pattern_regkey_value},
|
||||
'malware-sample': {'observable': observable_malware_sample, 'pattern': pattern_malware_sample},
|
||||
'mutex': {'observable': observable_mutex, 'pattern': pattern_mutex},
|
||||
'uri': {'observable': observable_url, 'pattern': pattern_url},
|
||||
'authentihash': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'ssdeep': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'imphash': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'pehash': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'impfuzzy': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha224': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha384': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha512': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha512/224': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha512/256': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'tlsh': {'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'filename|authentihash': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|ssdeep': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|imphash': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|impfuzzy': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|pehash': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha224': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha384': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha512': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha512/224': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha512/256': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|tlsh': {'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'x509-fingerprint-sha1': {'observable': observable_x509, 'pattern': pattern_x509},
|
||||
'port': {'observable': observable_port, 'pattern': pattern_port},
|
||||
'ip-dst|port': {'observable': observable_ip_port, 'pattern': pattern_ip_port},
|
||||
'ip-src|port': {'observable': observable_ip_port, 'pattern': pattern_ip_port},
|
||||
'hostname|port': {'observable': observable_hostname_port, 'pattern': pattern_hostname_port},
|
||||
'email-reply-to': {'observable': observable_reply_to, 'pattern': pattern_reply_to},
|
||||
'attachment': {'observable': observable_attachment, 'pattern': pattern_attachment},
|
||||
'mac-address': {'observable': observable_mac_address, 'pattern': pattern_mac_address},
|
||||
'AS': {'observable': observable_as, 'pattern': pattern_as}
|
||||
'link': {'to_call': 'handle_link'},
|
||||
'vulnerability': {'to_call': 'add_vulnerability', 'vulnerability_args': return_vulnerability},
|
||||
'md5': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha1': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha256': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'filename': {'to_call': 'handle_usual_type', 'observable': observable_file, 'pattern': pattern_file},
|
||||
'filename|md5': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha1': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha256': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'ip-src': {'to_call': 'handle_usual_type', 'observable': observable_ip, 'pattern': pattern_ip},
|
||||
'ip-dst': {'to_call': 'handle_usual_type', 'observable': observable_ip, 'pattern': pattern_ip},
|
||||
'hostname': {'to_call': 'handle_usual_type', 'observable': observable_domain, 'pattern': pattern_domain},
|
||||
'domain': {'to_call': 'handle_usual_type', 'observable': observable_domain, 'pattern': pattern_domain},
|
||||
'domain|ip': {'to_call': 'handle_usual_type', 'observable': observable_domain_ip, 'pattern': pattern_domain_ip},
|
||||
'email-src': {'to_call': 'handle_usual_type', 'observable': observable_email_address, 'pattern': pattern_email_address},
|
||||
'email-dst': {'to_call': 'handle_usual_type', 'observable': observable_email_address, 'pattern': pattern_email_address},
|
||||
'email-subject': {'to_call': 'handle_usual_type', 'observable': observable_email_message, 'pattern': pattern_email_message},
|
||||
'email-body': {'to_call': 'handle_usual_type', 'observable': observable_email_message, 'pattern': pattern_email_message},
|
||||
'email-attachment': {'to_call': 'handle_usual_type', 'observable': observable_email_attachment, 'pattern': pattern_email_attachment},
|
||||
'url': {'to_call': 'handle_usual_type', 'observable': observable_url, 'pattern': pattern_url},
|
||||
'regkey': {'to_call': 'handle_usual_type', 'observable': observable_regkey, 'pattern': pattern_regkey},
|
||||
'regkey|value': {'to_call': 'handle_usual_type', 'observable': observable_regkey_value, 'pattern': pattern_regkey_value},
|
||||
'malware-sample': {'to_call': 'handle_usual_type', 'observable': observable_malware_sample, 'pattern': pattern_malware_sample},
|
||||
'mutex': {'to_call': 'handle_usual_type', 'observable': observable_mutex, 'pattern': pattern_mutex},
|
||||
'uri': {'to_call': 'handle_usual_type', 'observable': observable_url, 'pattern': pattern_url},
|
||||
'authentihash': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'ssdeep': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'imphash': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'pehash': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'impfuzzy': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha224': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha384': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha512': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha512/224': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'sha512/256': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'tlsh': {'to_call': 'handle_usual_type', 'observable': observable_hash, 'pattern': pattern_hash},
|
||||
'filename|authentihash': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|ssdeep': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|imphash': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|impfuzzy': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|pehash': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha224': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha384': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha512': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha512/224': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|sha512/256': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'filename|tlsh': {'to_call': 'handle_usual_type', 'observable': observable_file_hash, 'pattern': pattern_file_hash},
|
||||
'x509-fingerprint-sha1': {'to_call': 'handle_usual_type', 'observable': observable_x509, 'pattern': pattern_x509},
|
||||
'port': {'to_call': 'handle_usual_type', 'observable': observable_port, 'pattern': pattern_port},
|
||||
'ip-dst|port': {'to_call': 'handle_usual_type', 'observable': observable_ip_port, 'pattern': pattern_ip_port},
|
||||
'ip-src|port': {'to_call': 'handle_usual_type', 'observable': observable_ip_port, 'pattern': pattern_ip_port},
|
||||
'hostname|port': {'to_call': 'handle_usual_type', 'observable': observable_hostname_port, 'pattern': pattern_hostname_port},
|
||||
'email-reply-to': {'to_call': 'handle_usual_type', 'observable': observable_reply_to, 'pattern': pattern_reply_to},
|
||||
'attachment': {'to_call': 'handle_usual_type', 'observable': observable_attachment, 'pattern': pattern_attachment},
|
||||
'mac-address': {'to_call': 'handle_usual_type', 'observable': observable_mac_address, 'pattern': pattern_mac_address},
|
||||
'AS': {'to_call': 'handle_usual_type', 'observable': observable_as, 'pattern': pattern_as}
|
||||
#'email-dst-display-name': {'observable': {'0': {'type': 'email-addr', 'display_name': ''}},
|
||||
# 'pattern': 'email-addr:display_name = \'{0}\''},
|
||||
#'email-src-display-name': {'observable': {'0': {'type': 'email-addr', 'display_name': ''}},
|
||||
|
|
Loading…
Reference in New Issue