misp-modules/misp_modules/modules/expansion/threatminer.py

import json
import requests

misperrors = {'error': 'Error'}
mispattributes = {'input': ['hostname', 'domain', 'ip-src', 'ip-dst', 'md5', 'sha1', 'sha256', 'sha512'],
                  'output': ['domain', 'ip-src', 'ip-dst', 'text', 'md5', 'sha1', 'sha256', 'sha512', 'ssdeep',
                             'authentihash', 'filename', 'whois-registrant-email', 'url', 'link']
                  }

# possible module-types: 'expansion', 'hover' or both
moduleinfo = {'version': '1', 'author': 'KX499',
              'description': 'Get information from ThreatMiner',
              'module-type': ['expansion']}

desc = '{}: Threatminer - {}'


def handler(q=False):
    if q is False:
        return False

    q = json.loads(q)

    r = {'results': []}

    if 'ip-src' in q:
        r['results'] += get_ip(q['ip-src'])
    if 'ip-dst' in q:
        r['results'] += get_ip(q['ip-dst'])
    if 'domain' in q:
        r['results'] += get_domain(q['domain'])
    if 'hostname' in q:
        r['results'] += get_domain(q['hostname'])
    if 'md5' in q:
        r['results'] += get_hash(q['md5'])
    if 'sha1' in q:
        r['results'] += get_hash(q['sha1'])
    if 'sha256' in q:
        r['results'] += get_hash(q['sha256'])
    if 'sha512' in q:
        r['results'] += get_hash(q['sha512'])

    uniq = []
    for res in r['results']:
        if res not in uniq:
            uniq.append(res)
    r['results'] = uniq
    return r


def get_domain(q):
    ret = []
    for flag in [1, 2, 3, 4, 5, 6]:
        req = requests.get('https://www.threatminer.org/domain.php', params={'q': q, 'api': 'True', 'rt': flag})
        if not req.status_code == 200:
            continue
        results = req.json().get('results')
        if not results:
            continue

        for result in results:
            if flag == 1:  # whois
                emails = result.get('whois', {}).get('emails')
                if not emails:
                    continue
                for em_type, email in emails.items():
                    ret.append({'types': ['whois-registrant-email'], 'values': [email], 'comment': desc.format(q, 'whois')})
            if flag == 2:  # pdns
                ip = result.get('ip')
                if ip:
                    ret.append({'types': ['ip-src', 'ip-dst'], 'values': [ip], 'comment': desc.format(q, 'pdns')})
            if flag == 3:  # uri
                uri = result.get('uri')
                if uri:
                    ret.append({'types': ['url'], 'values': [uri], 'comment': desc.format(q, 'uri')})
            if flag == 4:  # samples
                if type(result) is str:
                    ret.append({'types': ['sha256'], 'values': [result], 'comment': desc.format(q, 'samples')})
            if flag == 5:  # subdomains
                if type(result) is str:
                    ret.append({'types': ['domain'], 'values': [result], 'comment': desc.format(q, 'subdomain')})
            if flag == 6:  # reports
                link = result.get('URL')
                if link:
                    ret.append({'types': ['url'], 'values': [link], 'comment': desc.format(q, 'report')})

    return ret


def get_ip(q):
    ret = []
    for flag in [1, 2, 3, 4, 5, 6]:
        req = requests.get('https://www.threatminer.org/host.php', params={'q': q, 'api': 'True', 'rt': flag})
        if not req.status_code == 200:
            continue
        results = req.json().get('results')
        if not results:
            continue

        for result in results:
            if flag == 1:  # whois
                emails = result.get('whois', {}).get('emails')
                if not emails:
                    continue
                for em_type, email in emails.items():
                    ret.append({'types': ['whois-registrant-email'], 'values': [email], 'comment': desc.format(q, 'whois')})
            if flag == 2:  # pdns
                ip = result.get('ip')
                if ip:
                    ret.append({'types': ['ip-src', 'ip-dst'], 'values': [ip], 'comment': desc.format(q, 'pdns')})
            if flag == 3:  # uri
                uri = result.get('uri')
                if uri:
                    ret.append({'types': ['url'], 'values': [uri], 'comment': desc.format(q, 'uri')})
            if flag == 4:  # samples
                if type(result) is str:
                    ret.append({'types': ['sha256'], 'values': [result], 'comment': desc.format(q, 'samples')})
            if flag == 5:  # ssl
                if type(result) is str:
                    ret.append({'types': ['x509-fingerprint-sha1'], 'values': [result], 'comment': desc.format(q, 'ssl')})
            if flag == 6:  # reports
                link = result.get('URL')
                if link:
                    ret.append({'types': ['url'], 'values': [link], 'comment': desc.format(q, 'report')})

    return ret


def get_hash(q):
    ret = []
    for flag in [1, 3, 6, 7]:
        req = requests.get('https://www.threatminer.org/sample.php', params={'q': q, 'api': 'True', 'rt': flag})
        if not req.status_code == 200:
            continue
        results = req.json().get('results')
        if not results:
            continue

        for result in results:
            if flag == 1:  # meta (filename)
                name = result.get('file_name')
                if name:
                    ret.append({'types': ['filename'], 'values': [name], 'comment': desc.format(q, 'file')})
            if flag == 3:  # network
                domains = result.get('domains')
                for dom in domains:
                    if dom.get('domain'):
                        ret.append({'types': ['domain'], 'values': [dom['domain']], 'comment': desc.format(q, 'network')})

                hosts = result.get('hosts')
                for h in hosts:
                    if type(h) is str:
                        ret.append({'types': ['ip-src', 'ip-dst'], 'values': [h], 'comment': desc.format(q, 'network')})
            if flag == 6:  # detections
                detections = result.get('av_detections')
                for d in detections:
                    if d.get('detection'):
                        ret.append({'types': ['text'], 'values': [d['detection']], 'comment': desc.format(q, 'detection')})
            if flag == 7:  # report
                if type(result) is str:
                    ret.append({'types': ['sha256'], 'values': [result], 'comment': desc.format(q, 'report')})

    return ret


def introspection():
    return mispattributes


def version():
    return moduleinfo
threatminer initial commit 2017-03-07 03:36:00 +01:00			`import json`
			`import requests`

			`misperrors = {'error': 'Error'}`
			`mispattributes = {'input': ['hostname', 'domain', 'ip-src', 'ip-dst', 'md5', 'sha1', 'sha256', 'sha512'],`
			`'output': ['domain', 'ip-src', 'ip-dst', 'text', 'md5', 'sha1', 'sha256', 'sha512', 'ssdeep',`
			`'authentihash', 'filename', 'whois-registrant-email', 'url', 'link']`
			`}`

			`# possible module-types: 'expansion', 'hover' or both`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`moduleinfo = {'version': '1', 'author': 'KX499',`
			`'description': 'Get information from ThreatMiner',`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`'module-type': ['expansion']}`

fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`desc = '{}: Threatminer - {}'`
threatminer initial commit 2017-03-07 03:36:00 +01:00

			`def handler(q=False):`
			`if q is False:`
			`return False`

			`q = json.loads(q)`

			`r = {'results': []}`

			`if 'ip-src' in q:`
			`r['results'] += get_ip(q['ip-src'])`
			`if 'ip-dst' in q:`
			`r['results'] += get_ip(q['ip-dst'])`
			`if 'domain' in q:`
			`r['results'] += get_domain(q['domain'])`
			`if 'hostname' in q:`
			`r['results'] += get_domain(q['hostname'])`
			`if 'md5' in q:`
			`r['results'] += get_hash(q['md5'])`
			`if 'sha1' in q:`
			`r['results'] += get_hash(q['sha1'])`
			`if 'sha256' in q:`
			`r['results'] += get_hash(q['sha256'])`
			`if 'sha512' in q:`
			`r['results'] += get_hash(q['sha512'])`

			`uniq = []`
			`for res in r['results']:`
			`if res not in uniq:`
			`uniq.append(res)`
			`r['results'] = uniq`
			`return r`


			`def get_domain(q):`
			`ret = []`
			`for flag in [1, 2, 3, 4, 5, 6]:`
			`req = requests.get('https://www.threatminer.org/domain.php', params={'q': q, 'api': 'True', 'rt': flag})`
			`if not req.status_code == 200:`
bug fixes 2017-03-08 04:08:23 +01:00			`continue`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`results = req.json().get('results')`
			`if not results:`
bug fixes 2017-03-08 04:08:23 +01:00			`continue`
threatminer initial commit 2017-03-07 03:36:00 +01:00
			`for result in results:`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 1: # whois`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`emails = result.get('whois', {}).get('emails')`
bug fixes 2017-03-08 04:08:23 +01:00			`if not emails:`
			`continue`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`for em_type, email in emails.items():`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['whois-registrant-email'], 'values': [email], 'comment': desc.format(q, 'whois')})`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 2: # pdns`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`ip = result.get('ip')`
			`if ip:`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['ip-src', 'ip-dst'], 'values': [ip], 'comment': desc.format(q, 'pdns')})`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 3: # uri`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`uri = result.get('uri')`
			`if uri:`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['url'], 'values': [uri], 'comment': desc.format(q, 'uri')})`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 4: # samples`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`if type(result) is str:`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['sha256'], 'values': [result], 'comment': desc.format(q, 'samples')})`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 5: # subdomains`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`if type(result) is str:`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['domain'], 'values': [result], 'comment': desc.format(q, 'subdomain')})`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 6: # reports`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`link = result.get('URL')`
			`if link:`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['url'], 'values': [link], 'comment': desc.format(q, 'report')})`
threatminer initial commit 2017-03-07 03:36:00 +01:00
			`return ret`


			`def get_ip(q):`
			`ret = []`
			`for flag in [1, 2, 3, 4, 5, 6]:`
			`req = requests.get('https://www.threatminer.org/host.php', params={'q': q, 'api': 'True', 'rt': flag})`
			`if not req.status_code == 200:`
bug fixes 2017-03-08 04:08:23 +01:00			`continue`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`results = req.json().get('results')`
			`if not results:`
bug fixes 2017-03-08 04:08:23 +01:00			`continue`
threatminer initial commit 2017-03-07 03:36:00 +01:00
			`for result in results:`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 1: # whois`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`emails = result.get('whois', {}).get('emails')`
bug fixes 2017-03-08 04:08:23 +01:00			`if not emails:`
			`continue`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`for em_type, email in emails.items():`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['whois-registrant-email'], 'values': [email], 'comment': desc.format(q, 'whois')})`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 2: # pdns`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`ip = result.get('ip')`
			`if ip:`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['ip-src', 'ip-dst'], 'values': [ip], 'comment': desc.format(q, 'pdns')})`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 3: # uri`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`uri = result.get('uri')`
			`if uri:`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['url'], 'values': [uri], 'comment': desc.format(q, 'uri')})`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 4: # samples`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`if type(result) is str:`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['sha256'], 'values': [result], 'comment': desc.format(q, 'samples')})`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 5: # ssl`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`if type(result) is str:`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['x509-fingerprint-sha1'], 'values': [result], 'comment': desc.format(q, 'ssl')})`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 6: # reports`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`link = result.get('URL')`
			`if link:`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['url'], 'values': [link], 'comment': desc.format(q, 'report')})`
threatminer initial commit 2017-03-07 03:36:00 +01:00
			`return ret`


			`def get_hash(q):`
			`ret = []`
			`for flag in [1, 3, 6, 7]:`
			`req = requests.get('https://www.threatminer.org/sample.php', params={'q': q, 'api': 'True', 'rt': flag})`
			`if not req.status_code == 200:`
bug fixes 2017-03-08 04:08:23 +01:00			`continue`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`results = req.json().get('results')`
			`if not results:`
bug fixes 2017-03-08 04:08:23 +01:00			`continue`
threatminer initial commit 2017-03-07 03:36:00 +01:00
			`for result in results:`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 1: # meta (filename)`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`name = result.get('file_name')`
			`if name:`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['filename'], 'values': [name], 'comment': desc.format(q, 'file')})`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 3: # network`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`domains = result.get('domains')`
			`for dom in domains:`
			`if dom.get('domain'):`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['domain'], 'values': [dom['domain']], 'comment': desc.format(q, 'network')})`
threatminer initial commit 2017-03-07 03:36:00 +01:00
			`hosts = result.get('hosts')`
			`for h in hosts:`
			`if type(h) is str:`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['ip-src', 'ip-dst'], 'values': [h], 'comment': desc.format(q, 'network')})`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 6: # detections`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`detections = result.get('av_detections')`
			`for d in detections:`
			`if d.get('detection'):`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['text'], 'values': [d['detection']], 'comment': desc.format(q, 'detection')})`
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00			`if flag == 7: # report`
threatminer initial commit 2017-03-07 03:36:00 +01:00			`if type(result) is str:`
fix: Use the proper formatting method and not the horrible % one 2017-03-08 17:35:03 +01:00			`ret.append({'types': ['sha256'], 'values': [result], 'comment': desc.format(q, 'report')})`
threatminer initial commit 2017-03-07 03:36:00 +01:00
			`return ret`


			`def introspection():`
			`return mispattributes`


			`def version():`
			`return moduleinfo`