misp-modules/misp_modules/modules/expansion/abuseipdb.py

147 lines
5.4 KiB
Python
Raw Permalink Normal View History

2023-07-10 21:08:47 +02:00
import requests
import json
from pymisp import MISPObject, MISPAttribute, MISPEvent
2023-07-10 21:08:47 +02:00
from . import check_input_attribute, checking_error, standard_error_message
import dns.resolver
misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain', 'domain|ip'], 'format': 'misp_standard'}
2024-08-12 11:23:10 +02:00
moduleinfo = {
'version': '0.1',
'author': 'Stephanie S',
'description': 'AbuseIPDB MISP expansion module',
'module-type': ['expansion', 'hover'],
'name': 'Abuse IPDB',
'logo': '',
'requirements': [],
'features': '',
'references': [],
'input': '',
'output': '',
}
2023-07-10 21:08:47 +02:00
moduleconfig = ['api_key', 'max_age_in_days', 'abuse_threshold']
2023-07-10 21:08:47 +02:00
def get_ip(request):
2023-07-10 21:08:47 +02:00
# Need to get the ip from the domain
resolver = dns.resolver.Resolver()
resolver.timeout = 2
resolver.lifetime = 2
try:
ip = resolver.query(request["attribute"]["value"], 'A')
return ip
2023-07-10 21:08:47 +02:00
except dns.resolver.NXDOMAIN:
misperrors['error'] = "NXDOMAIN"
return misperrors
except dns.exception.Timeout:
misperrors['error'] = "Timeout"
return misperrors
except Exception:
misperrors['error'] = "DNS resolving error"
return misperrors
def handler(q=False):
if q is False:
return False
request = json.loads(q)
if "config" not in request or "api_key" not in request["config"]:
return {"error": "AbuseIPDB API key is missing"}
if "max_age_in_days" not in request["config"]:
return {"error": "AbuseIPDB max age in days is missing"}
if "abuse_threshold" not in request["config"]:
return {"error": "AbuseIPDB abuse threshold is missing"}
if not request.get('attribute') or not check_input_attribute(request['attribute'], requirements=('type', 'value')):
return {'error': f'{standard_error_message}, {checking_error}.'}
if request['attribute']['type'] not in mispattributes['input']:
return {'error': 'Unsupported attribute type.'}
if (request['attribute']['type'] == 'hostname' or request['attribute']['type'] == 'domain' or request['attribute']['type'] == 'domain|ip'):
ip = get_ip(request)[0]
else:
ip = request["attribute"]["value"]
2024-08-12 11:23:10 +02:00
api_key = request["config"]["api_key"]
2023-07-10 21:08:47 +02:00
max_age_in_days = request["config"]["max_age_in_days"]
api_endpoint = 'https://api.abuseipdb.com/api/v2/check'
querystring = {
'ipAddress': ip,
2023-07-10 21:08:47 +02:00
'maxAgeInDays': max_age_in_days
}
headers = {
'Accept': 'application/json',
'key': api_key
}
2024-08-12 11:23:10 +02:00
r = {"results": []}
2023-07-10 21:08:47 +02:00
response = requests.request(method='GET', url=api_endpoint, headers=headers, params=querystring)
if (response.status_code == 200):
response_json = json.loads(response.text)
2024-08-12 11:23:10 +02:00
is_whitelisted = response_json['data']['isWhitelisted']
is_tor = response_json['data']['isTor']
is_public = response_json['data']['isPublic']
abuse_confidence_score = response_json['data']['abuseConfidenceScore']
2023-07-10 21:08:47 +02:00
abuse_threshold = request["config"]["abuse_threshold"]
if (request["config"]["abuse_threshold"] is not None):
abuse_threshold = request["config"]["abuse_threshold"]
else:
abuse_threshold = 70
if (is_whitelisted == False):
is_whitelisted = 0
if (is_tor == False):
is_tor = 0
if (is_public == False):
is_public = 0
if (abuse_confidence_score == None):
abuse_confidence_score = 0
2023-07-10 21:08:47 +02:00
if (response_json.get("errors")):
return {'error': 'AbuseIPDB error, check logs'}
else:
event = MISPEvent()
obj = MISPObject('abuseipdb')
event.add_attribute(**request['attribute'])
if int(abuse_confidence_score) >= int(abuse_threshold):
malicious_attribute = obj.add_attribute('is-malicious', **{'type': 'boolean', 'value': 1})
malicious_attribute.add_tag(f'ioc:artifact-state="malicious"')
else:
malicious_attribute = obj.add_attribute('is-malicious', **{'type': 'boolean', 'value': 0})
malicious_attribute.add_tag(f'ioc:artifact-state="not-malicious"')
if is_whitelisted is not None:
obj.add_attribute('is-whitelisted', **{'type': 'boolean', 'value': is_whitelisted})
obj.add_attribute('is-tor', **{'type': 'boolean', 'value': is_tor})
obj.add_attribute('is-public', **{'type': 'boolean', 'value': is_public})
obj.add_attribute('abuse-confidence-score', **{'type': 'counter', 'value': abuse_confidence_score})
obj.add_reference(request['attribute']['uuid'], "describes")
event.add_object(obj)
2024-08-12 11:23:10 +02:00
# Avoid serialization issue
event = json.loads(event.to_json())
2023-07-10 21:08:47 +02:00
r['results'] = {'Object': event['Object'], 'Attribute': event['Attribute']}
return r
else:
2024-08-12 11:23:10 +02:00
try:
response_json = json.loads(response.text)
if (response_json['errors']):
return {"error": "API not reachable, status code: " + str(response.status_code) + " " + str(response_json['errors'][0]['detail'])}
except:
pass
return {"error": "API not reachable, status code: " + str(response.status_code)}
2023-07-10 21:08:47 +02:00
def introspection():
return mispattributes
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo