mirror of https://github.com/MISP/misp-galaxy
Merge branch 'gallypette-main'
commit
1be0094cb4
|
@ -203,6 +203,14 @@ Category: *firearm* - source: *https://www.impactguns.com* - total: *5953* eleme
|
||||||
|
|
||||||
[[HTML](https://www.misp-galaxy.org/firearms)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/firearms.json)]
|
[[HTML](https://www.misp-galaxy.org/firearms)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/firearms.json)]
|
||||||
|
|
||||||
|
## FIRST CSIRT Services Framework
|
||||||
|
|
||||||
|
[FIRST CSIRT Services Framework](https://www.misp-galaxy.org/first-csirt-services-framework) - The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide
|
||||||
|
|
||||||
|
Category: *csirt* - source: *https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1* - total: *97* elements
|
||||||
|
|
||||||
|
[[HTML](https://www.misp-galaxy.org/first-csirt-services-framework)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/first-csirt-services-framework.json)]
|
||||||
|
|
||||||
## FIRST DNS Abuse Techniques Matrix
|
## FIRST DNS Abuse Techniques Matrix
|
||||||
|
|
||||||
[FIRST DNS Abuse Techniques Matrix](https://www.misp-galaxy.org/first-dns) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.
|
[FIRST DNS Abuse Techniques Matrix](https://www.misp-galaxy.org/first-dns) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.
|
||||||
|
|
File diff suppressed because one or more lines are too long
|
@ -0,0 +1,9 @@
|
||||||
|
{
|
||||||
|
"description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide",
|
||||||
|
"icon": "user",
|
||||||
|
"name": "FIRST CSIRT Services Framework",
|
||||||
|
"namespace": "first",
|
||||||
|
"type": "first-csirt-services-framework",
|
||||||
|
"uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb",
|
||||||
|
"version": 1
|
||||||
|
}
|
|
@ -0,0 +1,226 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
#
|
||||||
|
# A simple convertor script to generate galaxies from the MITRE NICE framework
|
||||||
|
# https://niccs.cisa.gov/workforce-development/nice-framework
|
||||||
|
# Copyright (C) 2024 Jean-Louis Huynen
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU Affero General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 3 of the
|
||||||
|
# License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU Affero General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU Affero General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
import pdb
|
||||||
|
import requests
|
||||||
|
import json
|
||||||
|
import os
|
||||||
|
import uuid
|
||||||
|
import re
|
||||||
|
from bs4 import BeautifulSoup
|
||||||
|
|
||||||
|
# uuidv4 generated to be concatenated in v5: 43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0
|
||||||
|
|
||||||
|
galaxy = {
|
||||||
|
"namespace": "first",
|
||||||
|
"type": "first-csirt-services-framework",
|
||||||
|
"name": "FIRST CSIRT Services Framework",
|
||||||
|
"description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide",
|
||||||
|
"uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb",
|
||||||
|
"version": 1,
|
||||||
|
"icon": 'user',
|
||||||
|
}
|
||||||
|
|
||||||
|
cluster = {
|
||||||
|
'authors': ["FIRST", "CIRCL", "Jean-Louis Huynen"],
|
||||||
|
'category': 'csirt',
|
||||||
|
"type": "first-csirt-services-framework",
|
||||||
|
"name": "FIRST CSIRT Services Framework",
|
||||||
|
"description": "The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide",
|
||||||
|
"uuid": "4a72488f-ef5b-4895-a5d9-c625dee663cb",
|
||||||
|
'source': 'https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1',
|
||||||
|
'values': [],
|
||||||
|
'version': 1,
|
||||||
|
}
|
||||||
|
|
||||||
|
# URL to download
|
||||||
|
url = "https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1#5-Service-Area-Information-Security-Event-Management"
|
||||||
|
|
||||||
|
# Send a GET request to the webpage
|
||||||
|
response = requests.get(url)
|
||||||
|
|
||||||
|
|
||||||
|
def extract_nostrong_content(element):
|
||||||
|
content = element.find_next_siblings('p', limit=3)
|
||||||
|
extracted = {}
|
||||||
|
|
||||||
|
extracted["purpose"] = content[0].text.strip()[8:]
|
||||||
|
for sibling in content[0].find_next_siblings():
|
||||||
|
if "Description:" in sibling.text:
|
||||||
|
break
|
||||||
|
extracted["purpose"] += f" {sibling.text.strip()}"
|
||||||
|
|
||||||
|
extracted["description"] = content[1].text.strip()[12:]
|
||||||
|
for sibling in content[1].find_next_siblings():
|
||||||
|
if "Outcome:" in sibling.text:
|
||||||
|
break
|
||||||
|
extracted["description"] += f" {sibling.text.strip()}"
|
||||||
|
|
||||||
|
extracted["outcome"] = content[2].text.strip()[8:]
|
||||||
|
for sibling in content[2].find_next_siblings():
|
||||||
|
if sibling.name == "h4":
|
||||||
|
break
|
||||||
|
extracted["outcome"] += f" {sibling.text.strip()}"
|
||||||
|
|
||||||
|
return extracted
|
||||||
|
|
||||||
|
|
||||||
|
def extract_content(element):
|
||||||
|
content = {}
|
||||||
|
description_title = element.find_next(
|
||||||
|
"em", string=lambda text: "Description:" in text
|
||||||
|
)
|
||||||
|
purpose_title = element.find_next("em", string=lambda text: "Purpose:" in text)
|
||||||
|
outcome_title = element.find_next("em", string=lambda text: "Outcome:" in text)
|
||||||
|
|
||||||
|
content["purpose"] = (
|
||||||
|
purpose_title.parent.parent.get_text(strip=True).replace("Purpose:", "").strip()
|
||||||
|
)
|
||||||
|
for sibling in purpose_title.parent.parent.find_next_siblings():
|
||||||
|
if "Description:" in sibling.text:
|
||||||
|
break
|
||||||
|
content["purpose"] += f" {sibling.text.strip()}"
|
||||||
|
|
||||||
|
content["description"] = (
|
||||||
|
description_title.parent.parent.get_text(strip=True)
|
||||||
|
.replace("Description:", "")
|
||||||
|
.strip()
|
||||||
|
)
|
||||||
|
for sibling in description_title.parent.parent.find_next_siblings():
|
||||||
|
if "Outcome:" in sibling.text:
|
||||||
|
break
|
||||||
|
content["description"] += f" {sibling.text.strip()}"
|
||||||
|
|
||||||
|
content["outcome"] = (
|
||||||
|
outcome_title.parent.parent.get_text(strip=True).replace("Outcome:", "").strip()
|
||||||
|
)
|
||||||
|
for sibling in outcome_title.parent.parent.find_next_siblings():
|
||||||
|
if sibling.name == "h4":
|
||||||
|
break
|
||||||
|
content["outcome"] += f" {sibling.text.strip()}"
|
||||||
|
|
||||||
|
return content
|
||||||
|
|
||||||
|
|
||||||
|
def remove_heading(input_string):
|
||||||
|
return re.sub(r'^\d+(\.\d+)*\s+', '', input_string)
|
||||||
|
|
||||||
|
|
||||||
|
# Check if the request was successful
|
||||||
|
if response.status_code == 200:
|
||||||
|
# Parse the page content with BeautifulSoup
|
||||||
|
soup = BeautifulSoup(response.content, 'html.parser')
|
||||||
|
|
||||||
|
# Extract the section titled "4 CSIRT Services Framework Structure"
|
||||||
|
section_header = soup.find(
|
||||||
|
'h2', id="5-Service-Area-Information-Security-Event-Management"
|
||||||
|
)
|
||||||
|
if section_header:
|
||||||
|
|
||||||
|
services = section_header.find_next_siblings('h3')
|
||||||
|
functions = section_header.find_next_siblings('h4')
|
||||||
|
|
||||||
|
for service in services:
|
||||||
|
if "Monitoring and detection" in service.text:
|
||||||
|
content = extract_nostrong_content(service)
|
||||||
|
else:
|
||||||
|
content = extract_content(service)
|
||||||
|
name = remove_heading(service.text.strip())
|
||||||
|
suuid = str(
|
||||||
|
uuid.uuid5(uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name)
|
||||||
|
)
|
||||||
|
cluster["values"].append(
|
||||||
|
{
|
||||||
|
"description": content["description"],
|
||||||
|
"meta": {
|
||||||
|
"purpose": content["purpose"],
|
||||||
|
"outcome": content["outcome"],
|
||||||
|
},
|
||||||
|
"uuid": suuid,
|
||||||
|
"value": name,
|
||||||
|
"related": [],
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
for function in functions:
|
||||||
|
content = extract_content(function)
|
||||||
|
# get the parent service
|
||||||
|
parent_service = function.find_previous('h3')
|
||||||
|
relationship = {
|
||||||
|
"dest-uuid": str(
|
||||||
|
uuid.uuid5(
|
||||||
|
uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"),
|
||||||
|
remove_heading(parent_service.text.strip()),
|
||||||
|
)
|
||||||
|
),
|
||||||
|
"type": "part-of",
|
||||||
|
}
|
||||||
|
|
||||||
|
name = remove_heading(function.text.strip())
|
||||||
|
|
||||||
|
cluster["values"].append(
|
||||||
|
{
|
||||||
|
"description": content["description"],
|
||||||
|
"meta": {
|
||||||
|
"purpose": content["purpose"],
|
||||||
|
"outcome": content["outcome"],
|
||||||
|
},
|
||||||
|
"uuid": str(
|
||||||
|
uuid.uuid5(
|
||||||
|
uuid.UUID("43803a9f-9ea6-4ebc-9cb5-68ccdc2c23e0"), name
|
||||||
|
)
|
||||||
|
),
|
||||||
|
"value": name,
|
||||||
|
"related": [relationship],
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
with open(
|
||||||
|
os.path.join(
|
||||||
|
os.path.dirname(__file__),
|
||||||
|
'..',
|
||||||
|
'galaxies',
|
||||||
|
f'first-csirt-services-framework.json',
|
||||||
|
),
|
||||||
|
'w',
|
||||||
|
) as f:
|
||||||
|
json.dump(galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
|
||||||
|
f.write(
|
||||||
|
'\n'
|
||||||
|
) # only needed for the beauty and to be compliant with jq_all_the_things
|
||||||
|
|
||||||
|
with open(
|
||||||
|
os.path.join(
|
||||||
|
os.path.dirname(__file__),
|
||||||
|
'..',
|
||||||
|
'clusters',
|
||||||
|
f'first-csirt-services-framework.json',
|
||||||
|
),
|
||||||
|
'w',
|
||||||
|
) as f:
|
||||||
|
json.dump(cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
|
||||||
|
f.write(
|
||||||
|
'\n'
|
||||||
|
) # only needed for the beauty and to be compliant with jq_all_the_things
|
||||||
|
|
||||||
|
else:
|
||||||
|
print("Couldn't find the section header.")
|
||||||
|
else:
|
||||||
|
print(f"Failed to download the webpage. Status code: {response.status_code}")
|
Loading…
Reference in New Issue