misp-modules/misp_modules/modules/expansion/hashlookup.py

import json
import requests
from . import check_input_attribute, standard_error_message
from collections import defaultdict
from pymisp import MISPEvent, MISPObject

misperrors = {'error': 'Error'}
mispattributes = {'input': ['md5', 'sha1', 'sha256'], 'format': 'misp_standard'}
moduleinfo = {
    'version': '2',
    'author': 'Alexandre Dulaunoy',
    'description': 'An expansion module to query the CIRCL hashlookup services to find it if a hash is part of a known set such as NSRL.',
    'module-type': ['expansion', 'hover'],
    'name': 'CIRCL Hashlookup Lookup',
    'logo': 'circl.png',
    'requirements': [],
    'features': 'The module takes file hashes as input such as a MD5 or SHA1.\n It queries the public CIRCL.lu hashlookup service and return all the hits if the hashes are known in an existing dataset. The module can be configured with a custom hashlookup url if required.\n The module can be used an hover module but also an expansion model to add related MISP objects.\n',
    'references': ['https://www.circl.lu/services/hashlookup/'],
    'input': 'File hashes (MD5, SHA1)',
    'output': 'Object with the filename associated hashes if the hash is part of a known set.',
}
moduleconfig = ["custom_API"]
hashlookup_url = 'https://hashlookup.circl.lu/'


class HashlookupParser():
    def __init__(self, attribute, hashlookupresult, api_url):
        self.attribute = attribute
        self.hashlookupresult = hashlookupresult
        self.api_url = api_url
        self.misp_event = MISPEvent()
        self.misp_event.add_attribute(**attribute)
        self.references = defaultdict(list)

    def get_result(self):
        if self.references:
            self.__build_references()
        event = json.loads(self.misp_event.to_json())
        results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])}
        return {'results': results}

    def parse_hashlookup_information(self):
        hashlookup_object = MISPObject('hashlookup')
        if 'source' in self.hashlookupresult:
            hashlookup_object.add_attribute('source', **{'type': 'text', 'value': self.hashlookupresult['source']})
        if 'KnownMalicious' in self.hashlookupresult:
            hashlookup_object.add_attribute('KnownMalicious', **{'type': 'text', 'value': self.hashlookupresult['KnownMalicious']})
        if 'MD5' in self.hashlookupresult:
            hashlookup_object.add_attribute('MD5', **{'type': 'md5', 'value': self.hashlookupresult['MD5']})
        # SHA-1 is the default value in hashlookup it must always be present
        hashlookup_object.add_attribute('SHA-1', **{'type': 'sha1', 'value': self.hashlookupresult['SHA-1']})
        if 'SHA-256' in self.hashlookupresult:
            hashlookup_object.add_attribute('SHA-256', **{'type': 'sha256', 'value': self.hashlookupresult['SHA-256']})
        if 'SSDEEP' in self.hashlookupresult:
            hashlookup_object.add_attribute('SSDEEP', **{'type': 'ssdeep', 'value': self.hashlookupresult['SSDEEP']})
        if 'TLSH' in self.hashlookupresult:
            hashlookup_object.add_attribute('TLSH', **{'type': 'tlsh', 'value': self.hashlookupresult['TLSH']})
        if 'FileName' in self.hashlookupresult:
            hashlookup_object.add_attribute('FileName', **{'type': 'filename', 'value': self.hashlookupresult['FileName']})
        if 'FileSize' in self.hashlookupresult:
            hashlookup_object.add_attribute('FileSize', **{'type': 'size-in-bytes', 'value': self.hashlookupresult['FileSize']})
        hashlookup_object.add_reference(self.attribute['uuid'], 'related-to')
        self.misp_event.add_object(hashlookup_object)

    def __build_references(self):
        for object_uuid, references in self.references.items():
            for misp_object in self.misp_event.objects:
                if misp_object.uuid == object_uuid:
                    for reference in references:
                        misp_object.add_reference(**reference)
                    break

def check_url(url):
    return "{}/".format(url) if not url.endswith('/') else url


def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    if not request.get('attribute') or not check_input_attribute(request['attribute']):
        return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
    attribute = request['attribute']
    if attribute.get('type') == 'md5':
        pass
    elif attribute.get('type') == 'sha1':
        pass
    elif attribute.get('type') == 'sha256':
        pass
    else:
        misperrors['error'] = 'md5 or sha1 or sha256 is missing.'
        return misperrors
    api_url = check_url(request['config']['custom_API']) if request['config'].get('custom_API') else hashlookup_url
    r = requests.get("{}/lookup/{}/{}".format(api_url, attribute.get('type'), attribute['value']))
    if r.status_code == 200:
        hashlookupresult = r.json()
        if not hashlookupresult:
            misperrors['error'] = 'Empty result'
            return misperrors
    elif r.status_code == 404:
        misperrors['error'] = 'Non existing hash'
        return misperrors
    else:
        misperrors['error'] = 'API not accessible'
        return misperrors
    parser = HashlookupParser(attribute, hashlookupresult, api_url)
    parser.parse_hashlookup_information()
    result = parser.get_result()
    return result


def introspection():
    return mispattributes


def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo
new: [hashlookup] new hashlookup module added 2021-08-25 18:38:09 +02:00			`import json`
			`import requests`
			`from . import check_input_attribute, standard_error_message`
			`from collections import defaultdict`
			`from pymisp import MISPEvent, MISPObject`

			`misperrors = {'error': 'Error'}`
chg: [hashlookup] support for sha256 and bug fix for non-exising MD5 2021-12-18 09:22:32 +01:00			`mispattributes = {'input': ['md5', 'sha1', 'sha256'], 'format': 'misp_standard'}`
chg: [doc] Big doc revamp #680 2024-08-12 11:23:10 +02:00			`moduleinfo = {`
			`'version': '2',`
			`'author': 'Alexandre Dulaunoy',`
			`'description': 'An expansion module to query the CIRCL hashlookup services to find it if a hash is part of a known set such as NSRL.',`
			`'module-type': ['expansion', 'hover'],`
			`'name': 'CIRCL Hashlookup Lookup',`
			`'logo': 'circl.png',`
			`'requirements': [],`
			`'features': 'The module takes file hashes as input such as a MD5 or SHA1.\n It queries the public CIRCL.lu hashlookup service and return all the hits if the hashes are known in an existing dataset. The module can be configured with a custom hashlookup url if required.\n The module can be used an hover module but also an expansion model to add related MISP objects.\n',`
			`'references': ['https://www.circl.lu/services/hashlookup/'],`
			`'input': 'File hashes (MD5, SHA1)',`
			`'output': 'Object with the filename associated hashes if the hash is part of a known set.',`
			`}`
new: [hashlookup] new hashlookup module added 2021-08-25 18:38:09 +02:00			`moduleconfig = ["custom_API"]`
			`hashlookup_url = 'https://hashlookup.circl.lu/'`


			`class HashlookupParser():`
			`def __init__(self, attribute, hashlookupresult, api_url):`
			`self.attribute = attribute`
chg: [hashlookup] KnownMalicious field added 2021-09-24 15:35:14 +02:00			`self.hashlookupresult = hashlookupresult`
new: [hashlookup] new hashlookup module added 2021-08-25 18:38:09 +02:00			`self.api_url = api_url`
			`self.misp_event = MISPEvent()`
			`self.misp_event.add_attribute(**attribute)`
			`self.references = defaultdict(list)`

			`def get_result(self):`
			`if self.references:`
			`self.__build_references()`
			`event = json.loads(self.misp_event.to_json())`
			`results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])}`
			`return {'results': results}`

			`def parse_hashlookup_information(self):`
			`hashlookup_object = MISPObject('hashlookup')`
chg: [hashlookup] add new fields such as source, SSDEEP and TLSH 2021-09-24 15:29:23 +02:00			`if 'source' in self.hashlookupresult:`
			`hashlookup_object.add_attribute('source', **{'type': 'text', 'value': self.hashlookupresult['source']})`
chg: [hashlookup] KnownMalicious field added 2021-09-24 15:35:14 +02:00			`if 'KnownMalicious' in self.hashlookupresult:`
			`hashlookup_object.add_attribute('KnownMalicious', **{'type': 'text', 'value': self.hashlookupresult['KnownMalicious']})`
chg: [hashlookup] support for sha256 and bug fix for non-exising MD5 2021-12-18 09:22:32 +01:00			`if 'MD5' in self.hashlookupresult:`
			`hashlookup_object.add_attribute('MD5', **{'type': 'md5', 'value': self.hashlookupresult['MD5']})`
			`# SHA-1 is the default value in hashlookup it must always be present`
new: [hashlookup] new hashlookup module added 2021-08-25 18:38:09 +02:00			`hashlookup_object.add_attribute('SHA-1', **{'type': 'sha1', 'value': self.hashlookupresult['SHA-1']})`
chg: [hashlookup] support for sha256 and bug fix for non-exising MD5 2021-12-18 09:22:32 +01:00			`if 'SHA-256' in self.hashlookupresult:`
fix: [hashlookup] typo fixed 2021-12-18 17:11:06 +01:00			`hashlookup_object.add_attribute('SHA-256', **{'type': 'sha256', 'value': self.hashlookupresult['SHA-256']})`
chg: [hashlookup] add new fields such as source, SSDEEP and TLSH 2021-09-24 15:29:23 +02:00			`if 'SSDEEP' in self.hashlookupresult:`
			`hashlookup_object.add_attribute('SSDEEP', **{'type': 'ssdeep', 'value': self.hashlookupresult['SSDEEP']})`
			`if 'TLSH' in self.hashlookupresult:`
			`hashlookup_object.add_attribute('TLSH', **{'type': 'tlsh', 'value': self.hashlookupresult['TLSH']})`
fix: [hashlookup] FileName and size are not required fields and can be missing in a hashlookup record 2021-09-24 15:09:07 +02:00			`if 'FileName' in self.hashlookupresult:`
			`hashlookup_object.add_attribute('FileName', **{'type': 'filename', 'value': self.hashlookupresult['FileName']})`
			`if 'FileSize' in self.hashlookupresult:`
			`hashlookup_object.add_attribute('FileSize', **{'type': 'size-in-bytes', 'value': self.hashlookupresult['FileSize']})`
new: [hashlookup] new hashlookup module added 2021-08-25 18:38:09 +02:00			`hashlookup_object.add_reference(self.attribute['uuid'], 'related-to')`
			`self.misp_event.add_object(hashlookup_object)`

			`def __build_references(self):`
			`for object_uuid, references in self.references.items():`
			`for misp_object in self.misp_event.objects:`
			`if misp_object.uuid == object_uuid:`
			`for reference in references:`
			`misp_object.add_reference(**reference)`
			`break`

			`def check_url(url):`
			`return "{}/".format(url) if not url.endswith('/') else url`


			`def handler(q=False):`
			`if q is False:`
			`return False`
			`request = json.loads(q)`
			`if not request.get('attribute') or not check_input_attribute(request['attribute']):`
			`return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}`
			`attribute = request['attribute']`
			`if attribute.get('type') == 'md5':`
			`pass`
			`elif attribute.get('type') == 'sha1':`
			`pass`
chg: [hashlookup] support for sha256 and bug fix for non-exising MD5 2021-12-18 09:22:32 +01:00			`elif attribute.get('type') == 'sha256':`
			`pass`
new: [hashlookup] new hashlookup module added 2021-08-25 18:38:09 +02:00			`else:`
chg: [hashlookup] support for sha256 and bug fix for non-exising MD5 2021-12-18 09:22:32 +01:00			`misperrors['error'] = 'md5 or sha1 or sha256 is missing.'`
new: [hashlookup] new hashlookup module added 2021-08-25 18:38:09 +02:00			`return misperrors`
			`api_url = check_url(request['config']['custom_API']) if request['config'].get('custom_API') else hashlookup_url`
			`r = requests.get("{}/lookup/{}/{}".format(api_url, attribute.get('type'), attribute['value']))`
			`if r.status_code == 200:`
			`hashlookupresult = r.json()`
			`if not hashlookupresult:`
			`misperrors['error'] = 'Empty result'`
fix: [hashlookup] Fixed the errors handling - Since the modules system is waiting for a dict, we return `misperrors` instead of the actual value of the 'error' key, and the module will no longer fail when there is no result to parse 2021-08-26 15:02:32 +02:00			`return misperrors`
new: [hashlookup] new hashlookup module added 2021-08-25 18:38:09 +02:00			`elif r.status_code == 404:`
			`misperrors['error'] = 'Non existing hash'`
fix: [hashlookup] Fixed the errors handling - Since the modules system is waiting for a dict, we return `misperrors` instead of the actual value of the 'error' key, and the module will no longer fail when there is no result to parse 2021-08-26 15:02:32 +02:00			`return misperrors`
new: [hashlookup] new hashlookup module added 2021-08-25 18:38:09 +02:00			`else:`
			`misperrors['error'] = 'API not accessible'`
fix: [hashlookup] Fixed the errors handling - Since the modules system is waiting for a dict, we return `misperrors` instead of the actual value of the 'error' key, and the module will no longer fail when there is no result to parse 2021-08-26 15:02:32 +02:00			`return misperrors`
new: [hashlookup] new hashlookup module added 2021-08-25 18:38:09 +02:00			`parser = HashlookupParser(attribute, hashlookupresult, api_url)`
			`parser.parse_hashlookup_information()`
			`result = parser.get_result()`
			`return result`


			`def introspection():`
			`return mispattributes`


			`def version():`
			`moduleinfo['config'] = moduleconfig`
			`return moduleinfo`