Make pep8 happy
parent
699a35e507
commit
b43722c73f
|
@ -11,15 +11,15 @@ except ImportError:
|
||||||
has_bs4 = False
|
has_bs4 = False
|
||||||
|
|
||||||
iocMispMapping = {
|
iocMispMapping = {
|
||||||
#~ @Link https://wiki.ops.fr/doku.php/manuels:misp:event-guidelines
|
# ~ @Link https://wiki.ops.fr/doku.php/manuels:misp:event-guidelines
|
||||||
'CookieHistoryItem/HostName': {'type': 'hostname', 'comment': 'CookieHistory.'},
|
'CookieHistoryItem/HostName': {'type': 'hostname', 'comment': 'CookieHistory.'},
|
||||||
|
|
||||||
'DriverItem/DriverName': {'category': 'Artifacts dropped', 'type': 'other', 'comment': 'DriverName.'},
|
'DriverItem/DriverName': {'category': 'Artifacts dropped', 'type': 'other', 'comment': 'DriverName.'},
|
||||||
'DriverItem/CertificateIssuer' : {'category': 'Artifacts dropped', 'type': 'other', 'comment': 'DriverCertificateIssuer.'},
|
'DriverItem/CertificateIssuer': {'category': 'Artifacts dropped', 'type': 'other', 'comment': 'DriverCertificateIssuer.'},
|
||||||
'DriverItem/DeviceItem/AttachedDeviceName' : {'category': 'Artifacts dropped','type': 'other', 'comment': 'DriverDeviceName. '},
|
'DriverItem/DeviceItem/AttachedDeviceName': {'category': 'Artifacts dropped', 'type': 'other', 'comment': 'DriverDeviceName. '},
|
||||||
|
|
||||||
'DnsEntryItem/Host': {'type': 'domain'},
|
'DnsEntryItem/Host': {'type': 'domain'},
|
||||||
'DnsEntryItem/RecordName' : {'type': 'domain'},
|
'DnsEntryItem/RecordName': {'type': 'domain'},
|
||||||
|
|
||||||
'Email/To': {'type': 'target-email'},
|
'Email/To': {'type': 'target-email'},
|
||||||
'Email/Date': {'type': 'comment', 'comment': 'EmailDate.'},
|
'Email/Date': {'type': 'comment', 'comment': 'EmailDate.'},
|
||||||
|
@ -28,123 +28,124 @@ iocMispMapping = {
|
||||||
'Email/Subject': {'type': 'email-subject'},
|
'Email/Subject': {'type': 'email-subject'},
|
||||||
'Email/Attachment/Name': {'type': 'email-attachment'},
|
'Email/Attachment/Name': {'type': 'email-attachment'},
|
||||||
|
|
||||||
'FileItem/Md5sum' : {'type': 'md5'},
|
'FileItem/Md5sum': {'type': 'md5'},
|
||||||
'FileItem/Sha1sum' : {'type': 'sha1'},
|
'FileItem/Sha1sum': {'type': 'sha1'},
|
||||||
'FileItem/FileName' : {'type': 'filename'},
|
'FileItem/FileName': {'type': 'filename'},
|
||||||
'FileItem/FullPath' : {'type': 'filename'},
|
'FileItem/FullPath': {'type': 'filename'},
|
||||||
'FileItem/FilePath' : {'type': 'filename'},
|
'FileItem/FilePath': {'type': 'filename'},
|
||||||
'FileItem/Sha256sum' : {'type': 'sha256'},
|
'FileItem/Sha256sum': {'type': 'sha256'},
|
||||||
'FileItem/DevicePath' : {'type': 'comment', 'comment': 'DevicePath. '},
|
'FileItem/DevicePath': {'type': 'comment', 'comment': 'DevicePath. '},
|
||||||
'FileItem/SizeInBytes' : {'type': 'size-in-bytes'},
|
'FileItem/SizeInBytes': {'type': 'size-in-bytes'},
|
||||||
'FileItem/PEInfo/Type' : {'type': 'comment','comment': 'PE Type. '},
|
'FileItem/PEInfo/Type': {'type': 'comment', 'comment': 'PE Type. '},
|
||||||
'FileItem/FileExtension' : {'type': 'comment','comment': 'FileExtension. '},
|
'FileItem/FileExtension': {'type': 'comment', 'comment': 'FileExtension. '},
|
||||||
'FileItem/FilenameCreated' : {'type': 'filename', 'comment': 'FilenameCreated. '},
|
'FileItem/FilenameCreated': {'type': 'filename', 'comment': 'FilenameCreated. '},
|
||||||
'FileItem/StringList/string' : {'type': 'pattern-in-file', 'comment': 'string list. '},
|
'FileItem/StringList/string': {'type': 'pattern-in-file', 'comment': 'string list. '},
|
||||||
'FileItem/PEInfo/PETimeStamp' : {'type': 'pattern-in-file', 'comment': 'PE TimeStamp. '},
|
'FileItem/PEInfo/PETimeStamp': {'type': 'pattern-in-file', 'comment': 'PE TimeStamp. '},
|
||||||
'FileItem/PEInfo/Exports/DllName' : {'type': 'pattern-in-memory', 'comment': 'PE export DllName. '},
|
'FileItem/PEInfo/Exports/DllName': {'type': 'pattern-in-memory', 'comment': 'PE export DllName. '},
|
||||||
'FileItem/PEInfo/Sections/Section/Name' : {'type': 'pattern-in-memory', 'comment': 'PE SectionName. '},
|
'FileItem/PEInfo/Sections/Section/Name': {'type': 'pattern-in-memory', 'comment': 'PE SectionName. '},
|
||||||
'FileItem/PEInfo/DetectedAnomalies/string' : {'type': 'pattern-in-file', 'comment': 'PE DEtected AnomaliesString. '},
|
'FileItem/PEInfo/DetectedAnomalies/string': {'type': 'pattern-in-file', 'comment': 'PE DEtected AnomaliesString. '},
|
||||||
'FileItem/PEInfo/Exports/NumberOfFunctions' : {'type': 'pattern-in-file', 'comment': 'PE Export NumberOfFunctions. '},
|
'FileItem/PEInfo/Exports/NumberOfFunctions': {'type': 'pattern-in-file', 'comment': 'PE Export NumberOfFunctions. '},
|
||||||
'FileItem/PEInfo/ImportedModules/Module/Name' : {'type': 'pattern-in-file', 'comment': 'PE ImportedModulesName. '},
|
'FileItem/PEInfo/ImportedModules/Module/Name': {'type': 'pattern-in-file', 'comment': 'PE ImportedModulesName. '},
|
||||||
'FileItem/PEInfo/DigitalSignature/Description' : {'type': 'comment', 'comment': 'PE DigitalSignatureDescription. '},
|
'FileItem/PEInfo/DigitalSignature/Description': {'type': 'comment', 'comment': 'PE DigitalSignatureDescription. '},
|
||||||
'FileItem/PEInfo/DigitalSignature/SignatureExists' : {'type': 'comment','comment': 'PE SignatureExists. '},
|
'FileItem/PEInfo/DigitalSignature/SignatureExists': {'type': 'comment', 'comment': 'PE SignatureExists. '},
|
||||||
'FileItem/PEInfo/Exports/ExportedFunctions/string' : {'type': 'comment', 'comment': 'PE ExportedFunctions. '},
|
'FileItem/PEInfo/Exports/ExportedFunctions/string': {'type': 'comment', 'comment': 'PE ExportedFunctions. '},
|
||||||
'FileItem/PEInfo/DigitalSignature/CertificateIssuer' : {'type': 'comment', 'comment': 'PE SignatureCertificateIssuer. '},
|
'FileItem/PEInfo/DigitalSignature/CertificateIssuer': {'type': 'comment', 'comment': 'PE SignatureCertificateIssuer. '},
|
||||||
'FileItem/PEInfo/DigitalSignature/SignatureVerified' : {'type': 'comment', 'comment': 'PE SignatureVerified. '},
|
'FileItem/PEInfo/DigitalSignature/SignatureVerified': {'type': 'comment', 'comment': 'PE SignatureVerified. '},
|
||||||
'FileItem/PEInfo/DigitalSignature/CertificateSubject' : {'type': 'other', 'comment': 'PE CertificateDigitalSignatureSubject. '},
|
'FileItem/PEInfo/DigitalSignature/CertificateSubject': {'type': 'other', 'comment': 'PE CertificateDigitalSignatureSubject. '},
|
||||||
'FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Name' : {'type': 'comment', 'comment': 'PE ResourceName. '},
|
'FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Name': {'type': 'comment', 'comment': 'PE ResourceName. '},
|
||||||
'FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Type' : {'type': 'comment', 'comment': 'PE ResourceType. '},
|
'FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Type': {'type': 'comment', 'comment': 'PE ResourceType. '},
|
||||||
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/Language' : {'type': 'pattern-in-file', 'comment': 'PE LanguageVersion. '},
|
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/Language': {'type': 'pattern-in-file', 'comment': 'PE LanguageVersion. '},
|
||||||
'FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Language' : {'type': 'pattern-in-file', 'comment': 'PE LanguageResource. '},
|
'FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Language': {'type': 'pattern-in-file', 'comment': 'PE LanguageResource. '},
|
||||||
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/CompanyName' : {'type': 'pattern-in-file','comment': 'PE versionInfo CompanyName. '},
|
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/CompanyName': {'type': 'pattern-in-file', 'comment': 'PE versionInfo CompanyName. '},
|
||||||
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileVersion' : {'type': 'pattern-in-file', 'comment': 'PE Version. '},
|
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileVersion': {'type': 'pattern-in-file', 'comment': 'PE Version. '},
|
||||||
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductName' : {'type': 'pattern-in-file', 'comment': 'PE ProductName. '},
|
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductName': {'type': 'pattern-in-file', 'comment': 'PE ProductName. '},
|
||||||
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName' : {'type': 'pattern-in-file', 'comment': 'PE InternalName. '},
|
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName': {'type': 'pattern-in-file', 'comment': 'PE InternalName. '},
|
||||||
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalCopyright' : {'type': 'pattern-in-file', 'comment': 'PE LegalCopyright. '},
|
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalCopyright': {'type': 'pattern-in-file', 'comment': 'PE LegalCopyright. '},
|
||||||
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductVersion' : {'type': 'pattern-in-file', 'comment': 'PE ProductVersion. '},
|
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductVersion': {'type': 'pattern-in-file', 'comment': 'PE ProductVersion. '},
|
||||||
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription' : {'type': 'comment', 'comment': 'PE FileDescription .'},
|
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription': {'type': 'comment', 'comment': 'PE FileDescription .'},
|
||||||
'FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string' : {'type': 'pattern-in-file', 'comment': 'PE ImportedModules. '},
|
'FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string': {'type': 'pattern-in-file', 'comment': 'PE ImportedModules. '},
|
||||||
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename' : {'type': 'pattern-in-file', 'comment': 'OriginalFilename of PE. '},
|
'FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename': {'type': 'pattern-in-file', 'comment': 'OriginalFilename of PE. '},
|
||||||
|
|
||||||
'FormHistoryItem/HostName': {'type': 'hostname', 'comment': 'FormHistory. '},
|
'FormHistoryItem/HostName': {'type': 'hostname', 'comment': 'FormHistory. '},
|
||||||
|
|
||||||
'Network/URI' : {'type': 'uri'},
|
'Network/URI': {'type': 'uri'},
|
||||||
'Network/DNS' : {'type': 'domain'},
|
'Network/DNS': {'type': 'domain'},
|
||||||
'Network/String' : {'type': 'url'},
|
'Network/String': {'type': 'url'},
|
||||||
'Network/IPRange' : {'type': 'ip-dst'},
|
'Network/IPRange': {'type': 'ip-dst'},
|
||||||
'Network/UserAgent' : {'type': 'user-agent'},
|
'Network/UserAgent': {'type': 'user-agent'},
|
||||||
|
|
||||||
'PortItem/localIP' : {'type': 'ip-src'},
|
'PortItem/localIP': {'type': 'ip-src'},
|
||||||
'PortItem/remoteIP' : {'type': 'ip-dst'},
|
'PortItem/remoteIP': {'type': 'ip-dst'},
|
||||||
'PortItem/remotePort' : {'type': 'pattern-in-traffic', 'comment': 'RemotePort. '},
|
'PortItem/remotePort': {'type': 'pattern-in-traffic', 'comment': 'RemotePort. '},
|
||||||
|
|
||||||
|
'ProcessItem/name': {'type': 'pattern-in-memory', 'comment': 'ProcessName. '},
|
||||||
|
'ProcessItem/path': {'type': 'pattern-in-memory', 'comment': 'ProcessPath. '},
|
||||||
|
'ProcessItem/Mutex': {'type': 'mutex', 'comment': 'mutex'},
|
||||||
|
'ProcessItem/arguments': {'type': 'pattern-in-memory', 'comment': 'ProcessArguments. '},
|
||||||
|
'ProcessItem/NamedPipe': {'type': 'named pipe'},
|
||||||
|
'ProcessItem/Pipe/Name': {'type': 'named pipe'},
|
||||||
|
'ProcessItem/Mutex/Name': {'type': 'mutex', 'comment': 'MutexName. '},
|
||||||
|
'ProcessItem/Event/Name': {'type': 'pattern-in-memory', 'comment': 'ProcessEventName. '},
|
||||||
|
'ProcessItem/StringList/string': {'type': 'pattern-in-memory', 'comment': 'StringlistName. '},
|
||||||
|
'ProcessItem/HandleList/Handle/Name': {'type': 'pattern-in-memory', 'comment': 'ProcessHandleListName'},
|
||||||
|
'ProcessItem/HandleList/Handle/Type': {'type': 'pattern-in-memory', 'comment': 'ProcessHandleType'},
|
||||||
|
'ProcessItem/SectionList/MemorySection/Name': {'type': 'pattern-in-memory', 'comment': 'ProcessSectionMemoryName'},
|
||||||
|
'ProcessItem/SectionList/MemorySection/PEInfo/Exports/DllName': {'type': 'pattern-in-memory', 'comment': 'ProcessMemoryPEExportsDllName'},
|
||||||
|
'ProcessItem/SectionList/MemorySection/PEInfo/Sections/Section/Name': {'type': 'pattern-in-memory', 'comment': 'Section name from PE in process memory section'},
|
||||||
|
|
||||||
|
'RegistryItem/Text': {'type': 'regkey', 'comment': 'RegistryText. '},
|
||||||
|
'RegistryItem/Path': {'type': 'regkey', 'comment': 'RegistryPath. '},
|
||||||
|
'RegistryItem/Value': {'type': 'regkey', 'comment': 'RegistryValue. '},
|
||||||
|
'RegistryItem/KeyPath': {'type': 'regkey', 'comment': 'RegistryKeyPath. '},
|
||||||
|
'RegistryItem/ValueName': {'type': 'regkey', 'comment': 'RegistryValueName. '},
|
||||||
|
|
||||||
'ProcessItem/name' : {'type': 'pattern-in-memory', 'comment': 'ProcessName. '},
|
|
||||||
'ProcessItem/path' : {'type': 'pattern-in-memory', 'comment': 'ProcessPath. '},
|
|
||||||
'ProcessItem/Mutex' : {'type': 'mutex', 'comment': 'mutex'},
|
|
||||||
'ProcessItem/arguments' : {'type': 'pattern-in-memory', 'comment': 'ProcessArguments. '},
|
|
||||||
'ProcessItem/NamedPipe' : {'type': 'named pipe'},
|
|
||||||
'ProcessItem/Pipe/Name' : {'type': 'named pipe'},
|
|
||||||
'ProcessItem/Mutex/Name' : {'type': 'mutex', 'comment': 'MutexName. '},
|
|
||||||
'ProcessItem/Event/Name' : {'type': 'pattern-in-memory', 'comment': 'ProcessEventName. '},
|
|
||||||
'ProcessItem/StringList/string' : {'type': 'pattern-in-memory', 'comment': 'StringlistName. '},
|
|
||||||
'ProcessItem/HandleList/Handle/Name' : {'type': 'pattern-in-memory', 'comment': 'ProcessHandleListName'},
|
|
||||||
'ProcessItem/HandleList/Handle/Type' : {'type': 'pattern-in-memory', 'comment': 'ProcessHandleType'},
|
|
||||||
'ProcessItem/SectionList/MemorySection/Name' : {'type': 'pattern-in-memory', 'comment': 'ProcessSectionMemoryName'},
|
|
||||||
'ProcessItem/SectionList/MemorySection/PEInfo/Exports/DllName' : {'type': 'pattern-in-memory', 'comment': 'ProcessMemoryPEExportsDllName'},
|
|
||||||
'ProcessItem/SectionList/MemorySection/PEInfo/Sections/Section/Name' : {'type': 'pattern-in-memory', 'comment': 'Section name from PE in process memory section'},
|
|
||||||
|
|
||||||
'RegistryItem/Text' : {'type': 'regkey', 'comment': 'RegistryText. '},
|
|
||||||
'RegistryItem/Path' : {'type': 'regkey', 'comment': 'RegistryPath. '},
|
|
||||||
'RegistryItem/Value' : {'type': 'regkey', 'comment': 'RegistryValue. '},
|
|
||||||
'RegistryItem/KeyPath' : {'type': 'regkey', 'comment': 'RegistryKeyPath. '},
|
|
||||||
'RegistryItem/ValueName' : {'type': 'regkey', 'comment': 'RegistryValueName. '},
|
|
||||||
|
|
||||||
'RouteEntryItem/Destination': {'type': 'ip-dst'},
|
'RouteEntryItem/Destination': {'type': 'ip-dst'},
|
||||||
'RouteEntryItem/Destination/IP' : {'type': 'ip-dst', 'comment': 'RouteDestination. '},
|
'RouteEntryItem/Destination/IP': {'type': 'ip-dst', 'comment': 'RouteDestination. '},
|
||||||
'RouteEntryItem/Destination/string' : {'type': 'url', 'comment': 'RouteDestination. '},
|
'RouteEntryItem/Destination/string': {'type': 'url', 'comment': 'RouteDestination. '},
|
||||||
|
|
||||||
|
|
||||||
'ServiceItem/name' : {'type': 'windows-service-name'},
|
'ServiceItem/name': {'type': 'windows-service-name'},
|
||||||
'ServiceItem/type' : {'type': 'pattern-in-memory', 'comment': 'ServiceType. '},
|
'ServiceItem/type': {'type': 'pattern-in-memory', 'comment': 'ServiceType. '},
|
||||||
'ServiceItem/startedAs' : {'type': 'pattern-in-memory', 'comment': 'ServiceStartedAs. '},
|
'ServiceItem/startedAs': {'type': 'pattern-in-memory', 'comment': 'ServiceStartedAs. '},
|
||||||
'ServiceItem/serviceDLL' : {'type': 'pattern-in-memory', 'comment': 'ServiceDll. '},
|
'ServiceItem/serviceDLL': {'type': 'pattern-in-memory', 'comment': 'ServiceDll. '},
|
||||||
'ServiceItem/description' : {'type': 'comment', 'comment': 'ServiceDescription. '},
|
'ServiceItem/description': {'type': 'comment', 'comment': 'ServiceDescription. '},
|
||||||
'ServiceItem/descriptiveName' : {'type': 'windows-service-displayname'},
|
'ServiceItem/descriptiveName': {'type': 'windows-service-displayname'},
|
||||||
'ServiceItem/serviceDLLmd5sum': {'type': 'md5', 'comment': 'ServiceDLL. '},
|
'ServiceItem/serviceDLLmd5sum': {'type': 'md5', 'comment': 'ServiceDLL. '},
|
||||||
'ServiceItem/serviceDLLsha1sum': {'type': 'sha1', 'comment': 'ServiceDLL. '},
|
'ServiceItem/serviceDLLsha1sum': {'type': 'sha1', 'comment': 'ServiceDLL. '},
|
||||||
'ServiceItem/serviceDLLsha256sum': {'type': 'sha256', 'comment': 'ServiceDLL. '},
|
'ServiceItem/serviceDLLsha256sum': {'type': 'sha256', 'comment': 'ServiceDLL. '},
|
||||||
'ServiceItem/serviceDLLSignatureVerified' : {'type': 'pattern-in-memory', 'comment': 'ServiceDllSignatureVerified. '},
|
'ServiceItem/serviceDLLSignatureVerified': {'type': 'pattern-in-memory', 'comment': 'ServiceDllSignatureVerified. '},
|
||||||
|
|
||||||
'Snort/Snort' : {'type': 'snort'},
|
'Snort/Snort': {'type': 'snort'},
|
||||||
|
|
||||||
'SystemInfoItem/HostName': {'type': 'hostname', 'comment': 'SystemInfo. '},
|
'SystemInfoItem/HostName': {'type': 'hostname', 'comment': 'SystemInfo. '},
|
||||||
|
|
||||||
'TaskItem/Name' : {'type': 'windows-scheduled-task', 'comment': 'TaskName. '},
|
'TaskItem/Name': {'type': 'windows-scheduled-task', 'comment': 'TaskName. '},
|
||||||
'TaskItem/sha1sum' : {'type': 'windows-scheduled-task', 'comment': 'TashSha1. '},
|
'TaskItem/sha1sum': {'type': 'windows-scheduled-task', 'comment': 'TashSha1. '},
|
||||||
'TaskItem/sha256sum' : {'type': 'windows-scheduled-task', 'comment': 'TashSha256. '},
|
'TaskItem/sha256sum': {'type': 'windows-scheduled-task', 'comment': 'TashSha256. '},
|
||||||
'TaskItem/AccountName' : {'type': 'windows-scheduled-task', 'comment': 'TaskAccountName'},
|
'TaskItem/AccountName': {'type': 'windows-scheduled-task', 'comment': 'TaskAccountName'},
|
||||||
'TaskItem/ActionList/Action/ExecProgramPath' : {'type': 'windows-scheduled-task', 'comment': 'TaskExecProgramPath. '},
|
'TaskItem/ActionList/Action/ExecProgramPath': {'type': 'windows-scheduled-task', 'comment': 'TaskExecProgramPath. '},
|
||||||
'TaskItem/TriggerList/Trigger/TriggerFrequency' : {'type': 'windows-scheduled-task', 'comment': 'TaskTriggerFrequency. '},
|
'TaskItem/TriggerList/Trigger/TriggerFrequency': {'type': 'windows-scheduled-task', 'comment': 'TaskTriggerFrequency. '},
|
||||||
|
|
||||||
'UrlHistoryItem/URL' : {'type': 'url','comment': 'UrlHistory. '},
|
'UrlHistoryItem/URL': {'type': 'url', 'comment': 'UrlHistory. '},
|
||||||
'UrlHistoryItem/HostName': {'type': 'hostname','comment': 'UrlHistory. '},
|
'UrlHistoryItem/HostName': {'type': 'hostname', 'comment': 'UrlHistory. '},
|
||||||
|
|
||||||
'Yara/Yara' : {'type': 'yara'}
|
'Yara/Yara': {'type': 'yara'}
|
||||||
}
|
}
|
||||||
|
|
||||||
iocMispCompositeMapping = {
|
iocMispCompositeMapping = {
|
||||||
# mapping for composite object
|
# mapping for composite object
|
||||||
# maybe later filename|sizeinbyte
|
# maybe later filename|sizeinbyte
|
||||||
'FileItem/FileName|FileItem/Md5sum' : {'type': 'filename|md5'},
|
'FileItem/FileName|FileItem/Md5sum': {'type': 'filename|md5'},
|
||||||
'FileItem/FileName|FileItem/Sha1sum' : {'type': 'filename|sha1'},
|
'FileItem/FileName|FileItem/Sha1sum': {'type': 'filename|sha1'},
|
||||||
'FileItem/FileName|FileItem/Sha256sum' : {'type': 'filename|sha256'},
|
'FileItem/FileName|FileItem/Sha256sum': {'type': 'filename|sha256'},
|
||||||
'Network/DNS|PortItem/remoteIP' : {'type': 'domain|ip'},
|
'Network/DNS|PortItem/remoteIP': {'type': 'domain|ip'},
|
||||||
'PortItem/remoteIP|PortItem/remotePort' : {'comment': 'ip-dst|port'},
|
'PortItem/remoteIP|PortItem/remotePort': {'comment': 'ip-dst|port'},
|
||||||
'RegistryItem/Path|RegistryItem/Value' : {'type': 'regkey|value'},
|
'RegistryItem/Path|RegistryItem/Value': {'type': 'regkey|value'},
|
||||||
'RegistryItem/KeyPath|RegistryItem/Value' : {'type': 'regkey|value'},
|
'RegistryItem/KeyPath|RegistryItem/Value': {'type': 'regkey|value'},
|
||||||
'RegistryItem/Path|RegistryItem/Text' : {'type': 'regkey|value'}
|
'RegistryItem/Path|RegistryItem/Text': {'type': 'regkey|value'}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
def extract_field(report, field_name):
|
def extract_field(report, field_name):
|
||||||
if report:
|
if report:
|
||||||
data = report.find(field_name.lower())
|
data = report.find(field_name.lower())
|
||||||
|
@ -202,10 +203,9 @@ def set_values(value1, value2=None):
|
||||||
|
|
||||||
if value2 is not None:
|
if value2 is not None:
|
||||||
# construct attribut composite value
|
# construct attribut composite value
|
||||||
value = "{}|{}".format(
|
value = "{}|{}".format(extract_field(value1, 'Content'),
|
||||||
extract_field(value1, 'Content'),
|
extract_field(value2, 'Content')
|
||||||
extract_field(value2, 'Content')
|
)
|
||||||
)
|
|
||||||
else:
|
else:
|
||||||
value = extract_field(value1, 'Content')
|
value = extract_field(value1, 'Content')
|
||||||
|
|
||||||
|
@ -216,7 +216,7 @@ def set_values(value1, value2=None):
|
||||||
|
|
||||||
if value2 is not None:
|
if value2 is not None:
|
||||||
# construct attribut composite type
|
# construct attribut composite type
|
||||||
compositeMapping = value1.find('context')['search']+'|'+value2.find('context')['search']
|
compositeMapping = '{}|{}'.format(value1.find('context')['search'], value2.find('context')['search'])
|
||||||
mapping = get_mapping(compositeMapping, mappingDict=iocMispCompositeMapping)
|
mapping = get_mapping(compositeMapping, mappingDict=iocMispCompositeMapping)
|
||||||
else:
|
else:
|
||||||
mapping = get_mapping(value1.find('context')['search'])
|
mapping = get_mapping(value1.find('context')['search'])
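Review bot: The reformatted line `compositeMapping = '{}|{}'.format(value1.find('context')['search'], value2.find('context')['search'])` still indexes the result of `find('context')` directly, so an IndicatorItem without a `context` child raises TypeError (None is not subscriptable) and a context without a `search` attribute raises KeyError, aborting the whole import; the `else` branch's `get_mapping(value1.find('context')['search'])` has the same exposure. OpenIOC documents are normally fetched from third parties (the `__main__` block pulls one over HTTP), so a malformed item should be skipped rather than crash the run, which the caller already supports through its `if attribute_values is None: continue` check. A guard such as `context = value1.find('context')` followed by `if context is None or context.get('search') is None: return None` placed before `if value2 is not None:` (and mirrored for value2) would give that behaviour. set_values starts and ends outside this hunk.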
|
||||||
|
@ -234,13 +234,13 @@ def set_values(value1, value2=None):
|
||||||
attribute_values['type'] = attribute_values['type'] + '|port'
|
attribute_values['type'] = attribute_values['type'] + '|port'
|
||||||
attribute_values['value'] = attribute_values['value'].replace(':', '|')
|
attribute_values['value'] = attribute_values['value'].replace(':', '|')
|
||||||
|
|
||||||
attribute_values["comment"] = '{}{}'.format(
|
attribute_values["comment"] = '{}{}'.format(extract_field(value1, 'Comment'),
|
||||||
extract_field(value1, 'Comment'),
|
extract_field(value2, 'Comment')
|
||||||
extract_field(value2, 'Comment')
|
)
|
||||||
)
|
|
||||||
|
|
||||||
return attribute_values
|
return attribute_values
|
||||||
|
|
||||||
|
|
||||||
def set_all_attributes(openioc, misp_event):
|
def set_all_attributes(openioc, misp_event):
|
||||||
processed = set()
|
processed = set()
|
||||||
|
|
||||||
|
@ -272,7 +272,7 @@ def set_all_attributes(openioc, misp_event):
|
||||||
if item['id'] in processed:
|
if item['id'] in processed:
|
||||||
continue
|
continue
|
||||||
attribute_values = set_values(item)
|
attribute_values = set_values(item)
|
||||||
|
|
||||||
if attribute_values is None:
|
if attribute_values is None:
|
||||||
continue
|
continue
|
||||||
|
|
||||||
|
@ -280,15 +280,16 @@ def set_all_attributes(openioc, misp_event):
|
||||||
|
|
||||||
return misp_event
|
return misp_event
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
import requests
|
import requests
|
||||||
# test file for composite
|
# test file for composite
|
||||||
url = 'https://raw.githubusercontent.com/fireeye/iocs/master/BlogPosts/9cee306d-5441-4cd3-932d-f3119752634c.ioc'
|
url = 'https://raw.githubusercontent.com/fireeye/iocs/master/BlogPosts/9cee306d-5441-4cd3-932d-f3119752634c.ioc'
|
||||||
#~ url = 'https://raw.githubusercontent.com/MISP/misp-modules/master/tests/openioc.xml'
|
# ~ url = 'https://raw.githubusercontent.com/MISP/misp-modules/master/tests/openioc.xml'
|
||||||
x = requests.get(url)
|
x = requests.get(url)
|
||||||
mispEvent = load_openioc(x.text)
|
mispEvent = load_openioc(x.text)
|
||||||
print(mispEvent)
|
print(mispEvent)
|
||||||
#~ from pymisp import PyMISP
|
# ~ from pymisp import PyMISP
|
||||||
#~ misp = PyMISP('http://misp.local', 'xxxxx')
|
# ~ misp = PyMISP('http://misp.local', 'xxxxx')
|
||||||
#~ r = misp.add_event(mispEvent)
|
# ~ r = misp.add_event(mispEvent)
|
||||||
#~ print(r)
|
# ~ print(r)
|
||||||
|
|