From db235899bf480b2cd53805bd2f2646762e1ad1d6 Mon Sep 17 00:00:00 2001
From: garanews
Date: Tue, 23 Jan 2018 10:35:21 +0100
Subject: [PATCH 1/3] sb-signature library Created sb-signature library with relative example for testing. Thanks @dadokkio
---
examples/add_sbsignature.py | 17 +++++++++++++++++
pymisp/tools/__init__.py | 1 +
pymisp/tools/sbsignatureobject.py | 26 ++++++++++++++++++++++++++
3 files changed, 44 insertions(+)
create mode 100644 examples/add_sbsignature.py
create mode 100644 pymisp/tools/sbsignatureobject.py
diff --git a/examples/add_sbsignature.py b/examples/add_sbsignature.py
new file mode 100644
index 0000000..5b3bff8
--- /dev/null
+++ b/examples/add_sbsignature.py
@@ -0,0 +1,17 @@
+import json
+from pymisp import PyMISP
+from keys import misp_url, misp_key, misp_verifycert
+from pymisp.tools import SBSignatureObject
+
+pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
+a = json.loads('{"signatures":[{"new_data":[],"confidence":100,"families":[],"severity":1,"weight":0,"description":"AttemptstoconnecttoadeadIP:Port(2uniquetimes)","alert":false,"references":[],"data":[{"IP":"95.101.39.58:80(Europe)"},{"IP":"192.35.177.64:80(UnitedStates)"}],"name":"dead_connect"},{"new_data":[],"confidence":30,"families":[],"severity":2,"weight":1,"description":"PerformssomeHTTPrequests","alert":false,"references":[],"data":[{"url":"http://cert.int-x3.letsencrypt.org/"},{"url":"http://apps.identrust.com/roots/dstrootcax3.p7c"}],"name":"network_http"},{"new_data":[],"confidence":100,"families":[],"severity":2,"weight":1,"description":"Theofficefilehasaunconventionalcodepage:ANSICyrillic;Cyrillic(Windows)","alert":false,"references":[],"data":[],"name":"office_code_page"}]}')
+a = [(x['name'], x['description']) for x in a["signatures"]]
+
+
+b = SBSignatureObject(a)
+
+
+template_id = [x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list(
+ ) if x['ObjectTemplate']['name'] == 'sb-signature'][0]
+
+pymisp.add_object(234111, template_id, b)
\ No newline at end of file
diff --git a/pymisp/tools/__init__.py b/pymisp/tools/__init__.py
index b551432..87154ec 100644
--- a/pymisp/tools/__init__.py
+++ b/pymisp/tools/__init__.py
@@ -8,3 +8,4 @@ from .create_misp_object import make_binary_objects # noqa
 from .abstractgenerator import AbstractMISPObjectGenerator # noqa
 from .genericgenerator import GenericObjectGenerator # noqa
 from .openioc import load_openioc, load_openioc_file # noqa
+from .sbsignatureobject import SBSignatureObject # noqa
diff --git a/pymisp/tools/sbsignatureobject.py b/pymisp/tools/sbsignatureobject.py
new file mode 100644
index 0000000..dd398f9
--- /dev/null
+++ b/pymisp/tools/sbsignatureobject.py
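Review bot: `b = SBSignatureObject(a)` hands the generator only the report, but the `__init__` introduced in this same patch also requires `software`, so the example stops with a TypeError before it ever talks to the server; after the parameter reorder in 3/3 the lone positional lands in `software` and `report` becomes the missing one, so the add_sbsignature.py hunk in 3/3 is affected the same way. Keyword arguments survive either order: `b = SBSignatureObject(software='<sandbox name>', report=a)` (placeholder value; the page does not name the sandbox). The template lookup `[...][0]` fails with a bare IndexError when the instance has no `sb-signature` template, a plausible case given that 2/3 has to bump misp-objects, so an explicit check reads better in an example: `matches = [x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list() if x['ObjectTemplate']['name'] == 'sb-signature']`, `if not matches: raise SystemExit('sb-signature object template not found on this instance')`, `template_id = matches[0]`. The event id `234111` is hard-coded as well; the example is easier to reuse if it reads the event id from `sys.argv`.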
@@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import re
+import requests
+from .abstractgenerator import AbstractMISPObjectGenerator
+from .. import InvalidMISPObject
+
+class SBSignatureObject(AbstractMISPObjectGenerator):
+ '''
+ Sandbox Analyzer
+ '''
+ def __init__(self, report, software, parsed=None, filepath=None, pseudofile=None, standalone=True, **kwargs):
+ # PY3 way:
+ # super().__init__("virustotal-report")
+ super(SBSignatureObject, self).__init__("sb-signature", **kwargs)
+ self._report = report
+ self._software = software
+ self.generate_attributes()
+
+ def generate_attributes(self):
+ ''' Parse the report for relevant attributes '''
+ self.add_attribute("software", value=self._software, type="text")
+ for (name, description) in self._report:
+ self.add_attribute("signature", value=name, comment=description, type="text")
+
\ No newline at end of file
From cb4d4645263a09901328386b38a155dd43af3138 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 23 Jan 2018 11:06:44 +0100
Subject: [PATCH 2/3] chg: Bump misp-objects
---
pymisp/data/misp-objects | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pymisp/data/misp-objects b/pymisp/data/misp-objects
index 21e58b3..333f9a4 160000
--- a/pymisp/data/misp-objects
+++ b/pymisp/data/misp-objects
@@ -1 +1 @@
-Subproject commit 21e58b3ddf1737028b556b93b20d848f86a71cd0
+Subproject commit 333f9a46e4bcc96cd2e5f276bff26c9dd9b1524f
From e2bb66d01ca6c8053543964a18975e5680587628 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 23 Jan 2018 11:07:36 +0100
Subject: [PATCH 3/3] chg: Cleanup new sbsignature generator
---
examples/add_sbsignature.py | 5 ++---
pymisp/tools/sbsignatureobject.py | 17 ++++++-----------
2 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/examples/add_sbsignature.py b/examples/add_sbsignature.py
index 5b3bff8..5a03068 100644
--- a/examples/add_sbsignature.py
+++ b/examples/add_sbsignature.py
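Review bot: `standalone=True` in `__init__` is accepted but never read and never forwarded to the parent constructor, so passing it changes nothing; the `__init__` rewritten in 3/3 keeps the parameter and the same gap. Either drop it or hand it on, `super(SBSignatureObject, self).__init__("sb-signature", standalone=standalone, **kwargs)`, provided the parent accepts that keyword (not visible here). The docstring `''' Parse the report for relevant attributes '''` oversells the method: it does no parsing, it iterates `self._report` as ready-made `(name, description)` pairs, so say that instead, e.g. `''' Add a "software" attribute and one "signature" attribute per (name, description) pair in the report '''`. The class docstring, currently just `Sandbox Analyzer`, should state the expected shape of `report`, since the caller is the one that has to do the parsing (as the example's list comprehension does).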
@@ -11,7 +11,6 @@ a = [(x['name'], x['description']) for x in a["signatures"]]
 b = SBSignatureObject(a)
-template_id = [x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list(
- ) if x['ObjectTemplate']['name'] == 'sb-signature'][0]
+template_id = [x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list() if x['ObjectTemplate']['name'] == 'sb-signature'][0]
-pymisp.add_object(234111, template_id, b)
\ No newline at end of file
+pymisp.add_object(234111, template_id, b)
diff --git a/pymisp/tools/sbsignatureobject.py b/pymisp/tools/sbsignatureobject.py
index dd398f9..8b7f3c1 100644
--- a/pymisp/tools/sbsignatureobject.py
+++ b/pymisp/tools/sbsignatureobject.py
@@ -1,26 +1,21 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
-import re
-import requests
 from .abstractgenerator import AbstractMISPObjectGenerator
-from .. import InvalidMISPObject
+
 class SBSignatureObject(AbstractMISPObjectGenerator):
 '''
 Sandbox Analyzer
 '''
- def __init__(self, report, software, parsed=None, filepath=None, pseudofile=None, standalone=True, **kwargs):
- # PY3 way:
- # super().__init__("virustotal-report")
+ def __init__(self, software, report, standalone=True, **kwargs):
 super(SBSignatureObject, self).__init__("sb-signature", **kwargs)
- self._report = report
 self._software = software
+ self._report = report
 self.generate_attributes()
 def generate_attributes(self):
 ''' Parse the report for relevant attributes '''
- self.add_attribute("software", value=self._software, type="text")
- for (name, description) in self._report:
- self.add_attribute("signature", value=name, comment=description, type="text")
-
\ No newline at end of file
+ self.add_attribute("software", value=self._software)
+ for (signature_name, description) in self._report:
+ self.add_attribute("signature", value=signature_name, comment=description)