#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
from pymisp import MISPEvent
try:
    from bs4 import BeautifulSoup
    has_bs4 = True
except ImportError:
    # bs4 is an optional dependency: importing this module never fails,
    # the missing package is reported later by load_openioc() instead.
    has_bs4 = False
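# OpenIOC ``Context/@search`` term -> MISP attribute fields.
#
# Each value is merged into the keyword arguments of
# ``MISPEvent.add_attribute`` (see set_all_attributes): ``type`` is the MISP
# attribute type, ``category`` and ``comment`` are optional extras. Lookups
# are case-insensitive (see get_mapping). Indicator items whose search term
# is not listed here are dropped by the importer. Values taken from the IOC
# file are passed on as-is; presumably pymisp/MISP validate them against the
# attribute type -- nothing here does.
#
# NOTE(review): the table used to list 'DriverItem/DriverName' and
# 'DnsEntryItem/Host' twice. A repeated dict key silently replaces the earlier
# entry, so only the surviving values ('filename' and 'hostname') are kept;
# the shadowed 'other'/'domain' variants never took effect.
iocMispMapping = {
    'DriverItem/DriverName': {'type': 'filename'},

    'DnsEntryItem/Host': {'type': 'hostname'},

    'Email/To': {'type': 'target-email'},
    'Email/Date': {'type': 'comment', 'comment': 'EmailDate.'},
    # 'Email/Body' is deliberately left unmapped.
    # NOTE(review): 'From' is the sender but is mapped to the destination
    # type (MISP also has 'email-src'). Kept as-is because changing it would
    # alter every imported event -- confirm the intended semantics.
    'Email/From': {'type': 'email-dst'},
    'Email/Subject': {'type': 'email-subject'},
    'Email/Attachment/Name': {'type': 'email-attachment'},

    'FileItem/Md5sum': {'type': 'md5'},
    'FileItem/Sha1sum': {'type': 'sha1'},
    'FileItem/Sha256sum': {'type': 'sha256'},

    'ServiceItem/serviceDLLmd5sum': {'type': 'md5', 'category': 'Payload installation'},
    'ServiceItem/serviceDLLsha1sum': {'type': 'sha1', 'category': 'Payload installation'},
    'ServiceItem/serviceDLLsha256sum': {'type': 'sha256', 'category': 'Payload installation'},

    'TaskItem/md5sum': {'type': 'md5'},
    'TaskItem/sha1sum': {'type': 'sha1'},
    'TaskItem/Sha256sum': {'type': 'sha256'},

    'FileItem/FileName': {'type': 'filename'},
    'FileItem/FullPath': {'type': 'filename'},
    'FileItem/FilePath': {'type': 'filename'},

    'Network/URI': {'type': 'uri'},
    'Network/DNS': {'type': 'domain'},
    'Network/String': {'type': 'ip-dst'},
    'RouteEntryItem/Destination': {'type': 'ip-dst'},
    'Network/UserAgent': {'type': 'user-agent'},

    'PortItem/localIP': {'type': 'ip-src'},
    'PortItem/remoteIP': {'type': 'ip-dst'},

    'ProcessItem/name': {'type': 'pattern-in-memory', 'comment': 'ProcessName.'},
    'ProcessItem/path': {'type': 'pattern-in-memory', 'comment': 'ProcessPath.'},
    'ProcessItem/Mutex': {'type': 'mutex'},
    'ProcessItem/Pipe/Name': {'type': 'named pipe'},
    'ProcessItem/Mutex/Name': {'type': 'mutex', 'comment': 'MutexName.'},

    'CookieHistoryItem/HostName': {'type': 'hostname'},
    'FormHistoryItem/HostName': {'type': 'hostname'},
    'SystemInfoItem/HostName': {'type': 'hostname'},
    'UrlHistoryItem/HostName': {'type': 'hostname'},
    'DnsEntryItem/RecordName': {'type': 'hostname'},

    # 'RegistryItem/Text' is deliberately left unmapped: it is unclear
    # whether it carries the key's value, so a 'regkey' mapping was never enabled.
    'RegistryItem/KeyPath': {'type': 'regkey'},
    'RegistryItem/Path': {'type': 'regkey'},

    'ServiceItem/name': {'type': 'windows-service-name'},
    'ServiceItem/type': {'type': 'pattern-in-memory', 'comment': 'ServiceType. '},

    'Snort/Snort': {'type': 'snort'},
}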
def extract_field(report, field_name):
    """Return the text of the first ``field_name`` element under ``report``.

    ``report`` is a BeautifulSoup node. The name is lower-cased before the
    lookup because the ``html.parser`` builder used in load_openioc
    lower-cases every tag name. Returns ``None`` when no such element is
    found or the match has no ``text`` attribute.
    """
    node = report.find(field_name.lower())
    if not node or not hasattr(node, 'text'):
        return None
    return node.text
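def load_openioc_file(openioc_path):
    """Parse the OpenIOC document at ``openioc_path`` into a MISPEvent.

    Thin wrapper around load_openioc: the file is opened in text mode (locale
    encoding, unchanged from before) and the file object is handed to the
    parser.

    Raises FileNotFoundError when the path does not exist. That is a subclass
    of the bare ``Exception`` raised previously, so existing
    ``except Exception`` handlers still match, and the message now names the
    offending path instead of the former "Path doesn't exists." text.
    """
    if not os.path.exists(openioc_path):
        raise FileNotFoundError("Path does not exist: {}".format(openioc_path))
    with open(openioc_path, 'r') as f:
        return load_openioc(f)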
def load_openioc(openioc):
    """Build a MISPEvent from an OpenIOC document.

    ``openioc`` is an open file object or a string holding the XML. It is
    parsed with bs4's ``html.parser`` builder, which lower-cases tag names
    (hence the lower-cased lookups in this module) and, being an HTML
    tokenizer rather than a DTD-aware XML parser, does not resolve external
    entities -- so an attacker-supplied IOC file should not be able to
    trigger XXE-style fetches through this path.

    Event metadata: ``short_description`` becomes the info and
    ``authored_date`` the event date. ``description`` becomes the info when
    there is no short description, otherwise a ``comment`` attribute;
    ``authored_by`` is always stored as a ``comment`` attribute. The info
    falls back to ``'OpenIOC import'``. Indicator items are then mapped by
    set_all_attributes.

    Raises ``Exception`` when BeautifulSoup is not installed.
    """
    if not has_bs4:
        raise Exception('You need to install BeautifulSoup: pip install bs4')

    event = MISPEvent()
    report = BeautifulSoup(openioc, "html.parser")

    # Event-level fields.
    short_description = extract_field(report, 'short_description')
    if short_description:
        event.info = short_description
    authored_date = extract_field(report, 'authored_date')
    if authored_date:
        event.set_date(authored_date)

    # The long description is either the info (when no short one exists)
    # or an extra comment attribute.
    description = extract_field(report, 'description')
    if description:
        if event.info:
            event.add_attribute('comment', description)
        else:
            event.info = description
    if not event.info:
        event.info = 'OpenIOC import'

    authored_by = extract_field(report, 'authored_by')
    if authored_by:
        event.add_attribute('comment', authored_by)

    return set_all_attributes(report, event)
def get_mapping(openioc_type):
    """Resolve an OpenIOC search term to its MISP attribute fields.

    The comparison against the keys of iocMispMapping is case-insensitive.
    Returns the mapping dict for the first matching key, or ``False`` when
    the term is unknown (callers test the result for truth).
    """
    wanted = openioc_type.lower()
    candidates = (fields for term, fields in iocMispMapping.items()
                  if term.lower() == wanted)
    return next(candidates, False)
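def set_all_attributes(openioc, misp_event):
    """Add one MISP attribute per mapped ``IndicatorItem`` of ``openioc``.

    ``openioc`` is the BeautifulSoup document produced by load_openioc.
    For each ``IndicatorItem`` the ``Context/@search`` term is resolved with
    get_mapping. Items are skipped silently when the ``Context`` element or
    its ``search`` attribute is missing (previously a missing attribute
    raised KeyError on malformed input), when the term is unknown, or when
    ``Content`` is empty.

    The mapping's ``comment`` and the item's ``Comment`` element are joined
    with a single space, empty parts dropped (previously an absent mapping
    comment produced a leading space). An ``ip-src``/``ip-dst`` value of the
    form ``a.b.c.d:port`` is stored as ``ip-src|port``/``ip-dst|port`` with
    the ``:`` replaced by ``|``.

    Values are copied from the IOC file without validation; presumably
    pymisp/MISP check them against the attribute type -- confirm.

    Returns ``misp_event`` (also mutated in place).
    """
    for item in openioc.find_all("indicatoritem"):
        context = item.find('context')
        if not context:
            continue
        search_term = context.get('search')
        if not search_term:
            # Malformed Context without a search term: nothing to map.
            continue
        mapping = get_mapping(search_term)
        if not mapping:
            # Unknown search term, ignoring.
            continue

        value = extract_field(item, 'Content')
        if not value:
            # No value, ignoring.
            continue

        # Copy so the shared module-level mapping is never mutated.
        attribute_values = dict(mapping)
        attribute_values['value'] = value

        item_comment = extract_field(item, 'Comment')
        parts = [p.strip() for p in (mapping.get('comment', ''), item_comment or '')]
        attribute_values['comment'] = ' '.join(p for p in parts if p)

        # "1.2.3.4:80" style values carry a port: use the composite type.
        # Requiring exactly one ':' keeps IPv6 literals out of this branch.
        if mapping['type'] in ('ip-src', 'ip-dst') and value.count(':') == 1:
            attribute_values['type'] = mapping['type'] + '|port'
            attribute_values['value'] = value.replace(':', '|')

        misp_event.add_attribute(**attribute_values)
    return misp_event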