misp-modules/misp_modules/modules/expansion/ipasn.py

# -*- coding: utf-8 -*-

import json
from . import check_input_attribute, standard_error_message
from pyipasnhistory import IPASNHistory
from pymisp import MISPAttribute, MISPEvent, MISPObject

misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst', 'ip'], 'format': 'misp_standard'}
moduleinfo = {
    'version': '0.3',
    'author': 'Raphaël Vinot',
    'description': 'Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History).',
    'module-type': ['expansion', 'hover'],
    'name': 'IPASN-History Lookup',
    'logo': '',
    'requirements': ['pyipasnhistory: Python library to access IPASN-history instance'],
    'features': 'This module takes an IP address attribute as input and queries the CIRCL IPASN service. The result of the query is the latest asn related to the IP address, that is returned as a MISP object.',
    'references': ['https://github.com/D4-project/IPASN-History'],
    'input': 'An IP address MISP attribute.',
    'output': 'Asn object(s) objects related to the IP address used as input.',
}


def parse_result(attribute, values):
    event = MISPEvent()
    initial_attribute = MISPAttribute()
    initial_attribute.from_dict(**attribute)
    event.add_attribute(**initial_attribute)
    mapping = {'asn': ('AS', 'asn'), 'prefix': ('ip-src', 'subnet-announced')}
    for last_seen, response in values['response'].items():
        asn = MISPObject('asn')
        asn.add_attribute('last-seen', **{'type': 'datetime', 'value': last_seen})
        for feature, attribute_fields in mapping.items():
            attribute_type, object_relation = attribute_fields
            asn.add_attribute(object_relation, **{'type': attribute_type, 'value': response[feature]})
        asn.add_reference(initial_attribute.uuid, 'related-to')
        event.add_object(**asn)
    event = json.loads(event.to_json())
    return {key: event[key] for key in ('Attribute', 'Object')}


def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    if not request.get('attribute') or not check_input_attribute(request['attribute']):
        return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
    if request['attribute']['type'] not in mispattributes['input']:
        return {'error': 'Unsupported attribute type.'}
    if request['attribute']['type'] == 'ip':
        request['attribute']['type'] = 'ip-src'

    toquery = request['attribute']['value']

    ipasn = IPASNHistory()
    values = ipasn.query(toquery)

    if not values:
        misperrors['error'] = 'Unable to find the history of this IP'
        return misperrors
    return {'results': parse_result(request['attribute'], values)}


def introspection():
    return mispattributes


def version():
    return moduleinfo
Add IPASN history module 2016-05-01 12:09:33 +02:00			`# -- coding: utf-8 --`

			`import json`
add: Specific error message for misp_standard format expansion modules - Checking if the input format is respected and displaying an error message if it is not 2020-07-28 11:47:53 +02:00			`from . import check_input_attribute, standard_error_message`
chg: Use pipenv, update bgpranking/ipasn modules 2019-01-21 13:31:52 +01:00			`from pyipasnhistory import IPASNHistory`
chg: Making ipasn module return asn object(s) - Latest changes on the returned value as string broke the freetext parser, because no asn number could be parsed when we return the full json blob as a freetext attribute - Now returning asn object(s) with a reference to the initial attribute 2020-01-10 15:02:59 +01:00			`from pymisp import MISPAttribute, MISPEvent, MISPObject`
Add IPASN history module 2016-05-01 12:09:33 +02:00
			`misperrors = {'error': 'Error'}`
fix: [ipasn] add support for `ip` type 2024-06-06 09:54:20 +02:00			`mispattributes = {'input': ['ip-src', 'ip-dst', 'ip'], 'format': 'misp_standard'}`
chg: [doc] Big doc revamp #680 2024-08-12 11:23:10 +02:00			`moduleinfo = {`
			`'version': '0.3',`
			`'author': 'Raphaël Vinot',`
			`'description': 'Module to query an IP ASN history service (https://github.com/D4-project/IPASN-History).',`
			`'module-type': ['expansion', 'hover'],`
			`'name': 'IPASN-History Lookup',`
			`'logo': '',`
			`'requirements': ['pyipasnhistory: Python library to access IPASN-history instance'],`
			`'features': 'This module takes an IP address attribute as input and queries the CIRCL IPASN service. The result of the query is the latest asn related to the IP address, that is returned as a MISP object.',`
			`'references': ['https://github.com/D4-project/IPASN-History'],`
			`'input': 'An IP address MISP attribute.',`
			`'output': 'Asn object(s) objects related to the IP address used as input.',`
			`}`
Add IPASN history module 2016-05-01 12:09:33 +02:00

chg: Making ipasn module return asn object(s) - Latest changes on the returned value as string broke the freetext parser, because no asn number could be parsed when we return the full json blob as a freetext attribute - Now returning asn object(s) with a reference to the initial attribute 2020-01-10 15:02:59 +01:00			`def parse_result(attribute, values):`
			`event = MISPEvent()`
			`initial_attribute = MISPAttribute()`
			`initial_attribute.from_dict(**attribute)`
			`event.add_attribute(**initial_attribute)`
			`mapping = {'asn': ('AS', 'asn'), 'prefix': ('ip-src', 'subnet-announced')}`
			`for last_seen, response in values['response'].items():`
			`asn = MISPObject('asn')`
			`asn.add_attribute('last-seen', **{'type': 'datetime', 'value': last_seen})`
			`for feature, attribute_fields in mapping.items():`
			`attribute_type, object_relation = attribute_fields`
			`asn.add_attribute(object_relation, **{'type': attribute_type, 'value': response[feature]})`
			`asn.add_reference(initial_attribute.uuid, 'related-to')`
			`event.add_object(**asn)`
			`event = json.loads(event.to_json())`
			`return {key: event[key] for key in ('Attribute', 'Object')}`


Add IPASN history module 2016-05-01 12:09:33 +02:00			`def handler(q=False):`
			`if q is False:`
			`return False`
			`request = json.loads(q)`
add: Specific error message for misp_standard format expansion modules - Checking if the input format is respected and displaying an error message if it is not 2020-07-28 11:47:53 +02:00			`if not request.get('attribute') or not check_input_attribute(request['attribute']):`
			`return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}`
			`if request['attribute']['type'] not in mispattributes['input']:`
			`return {'error': 'Unsupported attribute type.'}`
fix: [ipasn] add support for `ip` type 2024-06-06 09:54:20 +02:00			`if request['attribute']['type'] == 'ip':`
			`request['attribute']['type'] = 'ip-src'`

add: Specific error message for misp_standard format expansion modules - Checking if the input format is respected and displaying an error message if it is not 2020-07-28 11:47:53 +02:00			`toquery = request['attribute']['value']`
Add IPASN history module 2016-05-01 12:09:33 +02:00
chg: Use pipenv, update bgpranking/ipasn modules 2019-01-21 13:31:52 +01:00			`ipasn = IPASNHistory()`
			`values = ipasn.query(toquery)`
Fix again IPASN module 2016-05-04 12:52:01 +02:00
Add IPASN history module 2016-05-01 12:09:33 +02:00			`if not values:`
			`misperrors['error'] = 'Unable to find the history of this IP'`
			`return misperrors`
chg: Making ipasn module return asn object(s) - Latest changes on the returned value as string broke the freetext parser, because no asn number could be parsed when we return the full json blob as a freetext attribute - Now returning asn object(s) with a reference to the initial attribute 2020-01-10 15:02:59 +01:00			`return {'results': parse_result(request['attribute'], values)}`
Add IPASN history module 2016-05-01 12:09:33 +02:00

			`def introspection():`
			`return mispattributes`


			`def version():`
			`return moduleinfo`