misp-modules/misp_modules/modules/expansion/xforceexchange.py

import requests
import json
import sys

BASEurl = "https://api.xforce.ibmcloud.com/"

extensions = {"ip1": "ipr/%s",
			  "ip2": "ipr/malware/%s",
			  "url": "url/%s",
			  "hash": "malware/%s",
			  "vuln": "/vulnerabilities/search/%s"}

sys.path.append('./')

misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src','ip-dst' 'vulnerability', 'md5', 'sha1', 'sha256'], 
				'output': ['ip-src', 'ip-dst', 'text']}

# possible module-types: 'expansion', 'hover' or both
moduleinfo = {'version': '1', 'author': 'Joerg Stephan (@johest)',
              'description': 'IBM X-Force Exchange expansion module',
              'module-type': ['expansion', 'hover']}

# config fields that your code expects from the site admin
moduleconfig = ["apikey", "event_limit"]
limit = 5000 #Default


def MyHeader(key=False):
	global limit
	if key is False:
		return None
	
	return {"Authorization": "Basic %s " % key,
		   "Accept": "application/json",
		   'User-Agent': 'Mozilla 5.0'}

def handler(q=False):
	global limit
	if q is False:
		return False

	q = json.loads(q)
	
	key = q["config"]["apikey"]
	limit = int(q["config"].get("event_limit", 5))

	r = {"results": []}
	
	if "ip-src" in q:
		r["results"] += dict( (apicall("ip1", q["ip-src"], key)).items() + (apicall("ip2", q["ip-src"], key)).items())
	if "ip-dst" in q:
		r["results"] += dict( (apicall("ip1", q["ip-src"], key)).items() + (apicall("ip2", q["ip-src"], key)).items())
	if "md5" in q:
		r["results"] += apicall("hash", q["md5"], key)
	if "sha1" in q:
		r["results"] += apicall("hash", q["sha1"], key)
	if "sha256" in q:
		r["results"] += apicall("hash", q["sha256"], key)  
	if 'vulnerability' in q:
		r["results"] += apicall("vuln", q["vulnerability"], key)

	uniq = []
	for res in r["results"]:
		if res not in uniq:
			uniq.append(res)
	r["results"] = uniq
	return r
	
def apicall(indicator_type, indicator, key=False):
	try:
		myURL = BASEurl + (extensions[str(indicator_type)])%indicator
		jsondata = requests.get(myURL, headers=MyHeader(key)).json()
	except:
		return None
	return jsondata

def introspection():
	return mispattributes


def version():
	moduleinfo['config'] = moduleconfig
	return moduleinfo
python3 changes 2017-01-31 16:34:41 +01:00			`import requests`
XForce Exchange v1 (alpha) 2017-01-21 23:31:19 +01:00			`import json`
			`import sys`
v1 2017-01-31 16:57:16 +01:00
XForce Exchange v1 (alpha) 2017-01-21 23:31:19 +01:00			`BASEurl = "https://api.xforce.ibmcloud.com/"`

			`extensions = {"ip1": "ipr/%s",`
			`"ip2": "ipr/malware/%s",`
			`"url": "url/%s",`
			`"hash": "malware/%s",`
			`"vuln": "/vulnerabilities/search/%s"}`

			`sys.path.append('./')`

			`misperrors = {'error': 'Error'}`
			`mispattributes = {'input': ['ip-src','ip-dst' 'vulnerability', 'md5', 'sha1', 'sha256'],`
			`'output': ['ip-src', 'ip-dst', 'text']}`

			`# possible module-types: 'expansion', 'hover' or both`
			`moduleinfo = {'version': '1', 'author': 'Joerg Stephan (@johest)',`
			`'description': 'IBM X-Force Exchange expansion module',`
			`'module-type': ['expansion', 'hover']}`

			`# config fields that your code expects from the site admin`
			`moduleconfig = ["apikey", "event_limit"]`
			`limit = 5000 #Default`



			`def MyHeader(key=False):`
			`global limit`
			`if key is False:`
			`return None`

			`return {"Authorization": "Basic %s " % key,`
			`"Accept": "application/json",`
			`'User-Agent': 'Mozilla 5.0'}`

			`def handler(q=False):`
			`global limit`
			`if q is False:`
			`return False`

			`q = json.loads(q)`

			`key = q["config"]["apikey"]`
			`limit = int(q["config"].get("event_limit", 5))`

			`r = {"results": []}`

			`if "ip-src" in q:`
			`r["results"] += dict( (apicall("ip1", q["ip-src"], key)).items() + (apicall("ip2", q["ip-src"], key)).items())`
			`if "ip-dst" in q:`
			`r["results"] += dict( (apicall("ip1", q["ip-src"], key)).items() + (apicall("ip2", q["ip-src"], key)).items())`
			`if "md5" in q:`
			`r["results"] += apicall("hash", q["md5"], key)`
			`if "sha1" in q:`
			`r["results"] += apicall("hash", q["sha1"], key)`
			`if "sha256" in q:`
			`r["results"] += apicall("hash", q["sha256"], key)`
			`if 'vulnerability' in q:`
			`r["results"] += apicall("vuln", q["vulnerability"], key)`

			`uniq = []`
			`for res in r["results"]:`
			`if res not in uniq:`
			`uniq.append(res)`
			`r["results"] = uniq`
			`return r`

			`def apicall(indicator_type, indicator, key=False):`
v1 2017-01-31 16:57:16 +01:00			`try:`
XForce Exchange v1 (alpha) 2017-01-21 23:31:19 +01:00			`myURL = BASEurl + (extensions[str(indicator_type)])%indicator`
python3 changes 2017-01-31 16:34:41 +01:00			`jsondata = requests.get(myURL, headers=MyHeader(key)).json()`
v1 2017-01-31 16:57:16 +01:00			`except:`
			`return None`
			`return jsondata`
XForce Exchange v1 (alpha) 2017-01-21 23:31:19 +01:00
			`def introspection():`
python3 changes 2017-01-31 16:34:41 +01:00			`return mispattributes`
XForce Exchange v1 (alpha) 2017-01-21 23:31:19 +01:00

			`def version():`
python3 changes 2017-01-31 16:34:41 +01:00			`moduleinfo['config'] = moduleconfig`
			`return moduleinfo`