misp-modules/misp_modules/modules/expansion/onyphe_full.py

388 lines
12 KiB
Python
Raw Permalink Normal View History

# -*- coding: utf-8 -*-
import json
try:
from onyphe import Onyphe
except ImportError:
print("pyonyphe module not installed.")
misperrors = {'error': 'Error'}
2018-06-20 15:33:21 +02:00
mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain'],
2018-12-11 15:29:09 +01:00
'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'url']}
2018-06-20 15:33:21 +02:00
# possible module-types: 'expansion', 'hover' or both
2024-08-12 11:23:10 +02:00
moduleinfo = {
'version': '1',
'author': 'Sebastien Larinier @sebdraven',
'description': 'Module to process a full query on Onyphe.',
'module-type': ['expansion', 'hover'],
'name': 'Onyphe Full Lookup',
'logo': 'onyphe.jpg',
'requirements': ['onyphe python library', 'An access to the Onyphe API (apikey)'],
'features': 'This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted.\n\nThe parsing is here more advanced than the one on onyphe module, and is returning more attributes, since more fields of the query result are watched and parsed.',
'references': ['https://www.onyphe.io/', 'https://github.com/sebdraven/pyonyphe'],
'input': 'A domain, hostname or IP address MISP attribute.',
'output': 'MISP attributes fetched from the Onyphe query.',
}
# config fields that your code expects from the site admin
moduleconfig = ['apikey']
def handler(q=False):
if q:
request = json.loads(q)
if not request.get('config') or not request['config'].get('apikey'):
misperrors['error'] = 'Onyphe authentication is missing'
return misperrors
api = Onyphe(request['config'].get('apikey'))
if not api:
misperrors['error'] = 'Onyphe Error instance api'
ip = ''
if request.get('ip-src'):
ip = request['ip-src']
2018-12-11 15:29:09 +01:00
return handle_ip(api, ip, misperrors)
elif request.get('ip-dst'):
ip = request['ip-dst']
2018-12-11 15:29:09 +01:00
return handle_ip(api, ip, misperrors)
elif request.get('domain'):
domain = request['domain']
2018-06-22 16:06:34 +02:00
return handle_domain(api, domain, misperrors)
elif request.get('hostname'):
hostname = request['hostname']
2018-06-22 16:06:34 +02:00
return handle_domain(api, hostname, misperrors)
else:
misperrors['error'] = "Unsupported attributes type"
return misperrors
else:
return False
def handle_domain(api, domain, misperrors):
2018-06-22 15:57:52 +02:00
result_filtered = {"results": []}
r, status_ok = expand_pastries(api, misperrors, domain=domain)
if status_ok:
result_filtered['results'].extend(r)
else:
misperrors['error'] = 'Error pastries result'
return misperrors
r, status_ok = expand_datascan(api, misperrors, domain=domain)
if status_ok:
result_filtered['results'].extend(r)
else:
misperrors['error'] = 'Error datascan result '
return misperrors
r, status_ok = expand_threatlist(api, misperrors, domain=domain)
if status_ok:
result_filtered['results'].extend(r)
else:
misperrors['error'] = 'Error threat list'
return misperrors
2018-06-22 16:18:23 +02:00
return result_filtered
2018-06-20 11:07:33 +02:00
def handle_ip(api, ip, misperrors):
result_filtered = {"results": []}
2018-06-20 11:07:33 +02:00
r, status_ok = expand_syscan(api, ip, misperrors)
2018-06-20 14:41:57 +02:00
if status_ok:
2018-12-11 15:29:09 +01:00
result_filtered['results'].extend(r)
2018-06-20 14:41:57 +02:00
else:
2018-12-11 15:29:09 +01:00
misperrors['error'] = "Error syscan result"
2018-12-11 15:29:09 +01:00
r, status_ok = expand_pastries(api, misperrors, ip=ip)
if status_ok:
2018-06-20 12:38:41 +02:00
result_filtered['results'].extend(r)
else:
2018-06-20 12:32:54 +02:00
misperrors['error'] = 'Error pastries result'
return misperrors
2018-06-20 17:47:11 +02:00
r, status_ok = expand_datascan(api, misperrors, ip=ip)
if status_ok:
2018-06-20 18:05:28 +02:00
result_filtered['results'].extend(r)
2018-06-20 17:47:11 +02:00
else:
2018-06-22 11:59:09 +02:00
misperrors['error'] = 'Error datascan result '
2018-06-20 17:59:49 +02:00
return misperrors
2018-06-20 17:47:11 +02:00
2018-06-20 15:33:21 +02:00
r, status_ok = expand_forward(api, ip, misperrors)
if status_ok:
result_filtered['results'].extend(r)
else:
2018-06-22 11:59:09 +02:00
misperrors['error'] = 'Error forward result'
2018-06-20 17:59:49 +02:00
return misperrors
2018-06-20 16:29:04 +02:00
r, status_ok = expand_reverse(api, ip, misperrors)
if status_ok:
result_filtered['results'].extend(r)
else:
misperrors['error'] = 'Error reverse result'
return misperrors
2018-06-22 11:59:09 +02:00
r, status_ok = expand_threatlist(api, misperrors, ip=ip)
if status_ok:
result_filtered['results'].extend(r)
else:
misperrors['error'] = 'Error threat list'
return misperrors
return result_filtered
def expand_syscan(api, ip, misperror):
status_ok = False
2018-06-20 14:41:57 +02:00
r = []
asn_list = []
os_list = []
geoloc = []
orgs = []
results = api.synscan(ip)
if results['status'] == 'ok':
status_ok = True
2018-06-20 14:45:06 +02:00
for elem in results['results']:
2018-06-20 14:41:57 +02:00
asn_list.append(elem['asn'])
2018-06-20 14:48:18 +02:00
os_target = elem['os']
2018-06-20 14:41:57 +02:00
geoloc.append(elem['location'])
orgs.append(elem['organization'])
2018-06-20 15:05:00 +02:00
if os_target != 'Unknown' and os_target != 'Undefined':
2018-06-20 14:41:57 +02:00
os_list.append(elem['os'])
2018-06-20 14:53:08 +02:00
r.append({'types': ['target-machine'],
2018-06-20 15:33:21 +02:00
'values': list(set(os_list)),
'categories': ['Targeting data'],
'comment': 'OS found on %s with synscan of Onyphe' % ip})
2018-06-20 14:41:57 +02:00
2018-06-20 14:53:08 +02:00
r.append({'types': ['target-location'],
2018-06-20 15:33:21 +02:00
'values': list(set(geoloc)),
'categories': ['Targeting data'],
'comment': 'Geolocalisation of %s found with synscan of Onyphe'
2018-06-20 15:05:00 +02:00
% ip
})
2018-06-20 14:41:57 +02:00
2018-06-20 14:53:08 +02:00
r.append({'types': ['target-org'],
2018-06-20 15:05:00 +02:00
'values': list(set(orgs)),
'categories': ['Targeting data'],
'comment': 'Organisations of %s found with synscan of Onyphe'
2018-06-20 17:47:11 +02:00
% ip
2018-06-20 15:05:00 +02:00
})
2018-06-20 14:41:57 +02:00
2018-06-20 15:05:00 +02:00
r.append({'types': ['AS'],
'values': list(set(asn_list)),
'categories': ['Network activity'],
2018-06-20 17:47:11 +02:00
'comment': 'As number of %s found with synscan of Onyphe' % ip
2018-06-20 15:05:00 +02:00
})
2018-06-20 11:07:33 +02:00
return r, status_ok
2018-12-11 15:29:09 +01:00
def expand_datascan(api, misperror, **kwargs):
status_ok = False
2018-06-20 17:47:11 +02:00
r = []
2018-12-11 15:29:09 +01:00
# ip = ''
query = ''
2018-06-20 17:47:11 +02:00
asn_list = []
geoloc = []
orgs = []
ports = []
2018-06-22 16:15:34 +02:00
2018-06-20 17:47:11 +02:00
if 'ip' in kwargs:
query = kwargs.get('ip')
2018-06-22 16:15:34 +02:00
results = api.datascan(query)
2018-06-20 17:47:11 +02:00
else:
query = kwargs.get('domain')
2018-06-22 16:15:34 +02:00
results = api.search_datascan('domain:%s' % query)
2018-06-20 18:03:34 +02:00
2018-06-20 17:47:11 +02:00
if results['status'] == 'ok':
2018-06-20 18:04:12 +02:00
status_ok = True
2018-06-20 17:47:11 +02:00
for elem in results['results']:
asn_list.append(elem['asn'])
geoloc.append(elem['location'])
orgs.append(elem['organization'])
ports.append(elem['port'])
r.append({'types': ['port'],
'values': list(set(ports)),
'categories': ['Other'],
'comment': 'Ports of %s found with datascan of Onyphe'
2018-06-22 13:03:09 +02:00
% query
2018-06-20 17:47:11 +02:00
})
r.append({'types': ['target-location'],
'values': list(set(geoloc)),
'categories': ['Targeting data'],
'comment': 'Geolocalisation of %s found with synscan of Onyphe'
2018-06-22 13:03:09 +02:00
% query
2018-06-20 17:47:11 +02:00
})
r.append({'types': ['target-org'],
'values': list(set(orgs)),
'categories': ['Targeting data'],
'comment': 'Organisations of %s found with synscan of Onyphe'
2018-06-22 13:03:09 +02:00
% query
2018-06-20 17:47:11 +02:00
})
r.append({'types': ['AS'],
'values': list(set(asn_list)),
'categories': ['Network activity'],
2018-06-22 13:03:09 +02:00
'comment': 'As number of %s found with synscan of Onyphe' % query
2018-06-20 17:47:11 +02:00
})
2018-06-20 15:33:21 +02:00
return r, status_ok
def expand_reverse(api, ip, misperror):
status_ok = False
r = None
2018-06-20 16:24:17 +02:00
status_ok = False
r = []
2018-06-20 16:30:56 +02:00
results = api.reverse(ip)
2018-06-20 16:24:17 +02:00
domains_reverse = []
domains = []
if results['status'] == 'ok':
status_ok = True
2018-06-20 16:24:17 +02:00
for elem in results['results']:
2018-06-20 16:26:09 +02:00
domains_reverse.append(elem['reverse'])
2018-06-20 16:24:17 +02:00
domains.append(elem['domain'])
r.append({'types': ['domain'],
'values': list(set(domains)),
'categories': ['Network activity'],
'comment': 'Domains of %s from forward service of Onyphe' % ip})
r.append({'types': ['domain'],
'values': list(set(domains_reverse)),
'categories': ['Network activity'],
'comment': 'Reverse Domains of %s from forward service of Onyphe' % ip})
2018-06-20 11:07:33 +02:00
return r, status_ok
def expand_forward(api, ip, misperror):
status_ok = False
2018-06-20 15:33:21 +02:00
r = []
results = api.forward(ip)
domains_forward = []
domains = []
if results['status'] == 'ok':
status_ok = True
for elem in results['results']:
domains_forward.append(elem['forward'])
domains.append(elem['domain'])
r.append({'types': ['domain'],
'values': list(set(domains)),
'categories': ['Network activity'],
'comment': 'Domains of %s from forward service of Onyphe' % ip})
2018-06-20 15:33:21 +02:00
r.append({'types': ['domain'],
'values': list(set(domains_forward)),
'categories': ['Network activity'],
'comment': 'Forward Domains of %s from forward service of Onyphe' % ip})
2018-06-20 11:07:33 +02:00
return r, status_ok
def expand_pastries(api, misperror, **kwargs):
status_ok = False
r = []
2018-06-22 15:57:52 +02:00
query = None
2018-06-20 11:07:33 +02:00
result = None
urls_pasties = []
domains = []
ips = []
if 'ip' in kwargs:
2018-06-22 15:57:52 +02:00
query = kwargs.get('ip')
2018-06-22 16:15:34 +02:00
result = api.pastries(query)
2018-06-20 11:07:33 +02:00
if 'domain' in kwargs:
2018-06-22 15:57:52 +02:00
query = kwargs.get('domain')
2018-06-22 16:15:34 +02:00
result = api.search_pastries('domain:%s' % query)
2018-06-20 11:07:33 +02:00
2018-12-11 15:29:09 +01:00
if result['status'] == 'ok':
2018-06-20 11:07:33 +02:00
status_ok = True
for item in result['results']:
if item['@category'] == 'pastries':
2018-11-11 15:49:14 +01:00
if item['source'] == 'pastebin':
2018-06-20 11:07:33 +02:00
urls_pasties.append('https://pastebin.com/raw/%s' % item['key'])
if 'domain' in item:
domains.extend(item['domain'])
if 'ip' in item:
2018-06-20 12:34:07 +02:00
ips.extend(item['ip'])
2018-06-20 11:07:33 +02:00
if 'hostname' in item:
domains.extend(item['hostname'])
2018-06-20 15:07:55 +02:00
r.append({'types': ['url'],
'values': urls_pasties,
'categories': ['External analysis'],
2018-12-11 15:29:09 +01:00
'comment': 'URLs of pasties where %s has found' % query})
2018-06-20 12:40:52 +02:00
r.append({'types': ['domain'], 'values': list(set(domains)),
2018-06-20 15:05:00 +02:00
'categories': ['Network activity'],
2018-06-20 15:07:55 +02:00
'comment': 'Domains found in pasties of Onyphe'})
2018-06-20 11:07:33 +02:00
r.append({'types': ['ip-dst'], 'values': list(set(ips)),
2018-06-20 15:05:00 +02:00
'categories': ['Network activity'],
'comment': 'IPs found in pasties of Onyphe'})
2018-06-20 11:07:33 +02:00
return r, status_ok
2018-12-11 15:29:09 +01:00
def expand_threatlist(api, misperror, **kwargs):
2018-06-22 11:59:09 +02:00
status_ok = False
r = []
query = None
threat_list = []
if 'ip' in kwargs:
query = kwargs.get('ip')
2018-06-22 16:15:34 +02:00
results = api.threatlist(query)
2018-06-22 11:59:09 +02:00
else:
query = kwargs.get('domain')
2018-06-22 16:15:34 +02:00
results = api.search_threatlist('domain:%s' % query)
2018-06-22 11:59:09 +02:00
if results['status'] == 'ok':
status_ok = True
threat_list = ['seen %s on %s ' % (item['seen_date'], item['threatlist'])
for item in results['results']]
r.append({'types': ['comment'],
'categories': ['Other'],
2018-06-22 15:14:44 +02:00
'values': threat_list,
'comment': '%s is present in threatlist' % query
2018-06-22 11:59:09 +02:00
})
2018-12-11 15:29:09 +01:00
return r, status_ok
2018-06-22 11:59:09 +02:00
def introspection():
return mispattributes
def version():
moduleinfo['config'] = moduleconfig
2018-11-11 15:49:14 +01:00
return moduleinfo