2021-03-13 20:36:49 +01:00
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
import requests
|
|
|
|
import json
|
|
|
|
|
|
|
|
misperrors = {'error': 'Error'}
|
2021-03-18 19:22:26 +01:00
|
|
|
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'domain', 'url', 'email-src', 'ip-dst|port', 'ip-src|port'], 'output': ['text']}
|
2024-08-12 11:23:10 +02:00
|
|
|
moduleinfo = {
|
|
|
|
'version': '0.1',
|
|
|
|
'author': 'Corsin Camichel',
|
|
|
|
'description': 'Module to search for an IOC on ThreatFox by abuse.ch.',
|
|
|
|
'module-type': ['hover', 'expansion'],
|
|
|
|
'name': 'ThreadFox Lookup',
|
|
|
|
'logo': '',
|
|
|
|
'requirements': [],
|
|
|
|
'features': '',
|
|
|
|
'references': [],
|
|
|
|
'input': '',
|
|
|
|
'output': '',
|
|
|
|
}
|
2021-03-13 20:36:49 +01:00
|
|
|
moduleconfig = []
|
|
|
|
|
|
|
|
API_URL = "https://threatfox-api.abuse.ch/api/v1/"
|
|
|
|
|
2021-03-18 19:22:26 +01:00
|
|
|
|
2021-03-13 20:36:49 +01:00
|
|
|
# copied from
|
|
|
|
# https://github.com/marjatech/threatfox2misp/blob/main/threatfox2misp.py
|
|
|
|
def confidence_level_to_tag(level: int) -> str:
|
|
|
|
confidence_tagging = {
|
|
|
|
0: 'misp:confidence-level="unconfident"',
|
|
|
|
10: 'misp:confidence-level="rarely-confident"',
|
|
|
|
37: 'misp:confidence-level="fairly-confident"',
|
|
|
|
63: 'misp:confidence-level="usually-confident"',
|
|
|
|
90: 'misp:confidence-level="completely-confident"',
|
|
|
|
}
|
|
|
|
|
|
|
|
confidence_tag = ""
|
|
|
|
for tag_minvalue, tag in confidence_tagging.items():
|
|
|
|
if level >= tag_minvalue:
|
|
|
|
confidence_tag = tag
|
|
|
|
return confidence_tag
|
|
|
|
|
2021-03-18 19:22:26 +01:00
|
|
|
|
2021-03-13 20:36:49 +01:00
|
|
|
def handler(q=False):
|
|
|
|
if q is False:
|
|
|
|
return False
|
|
|
|
|
|
|
|
request = json.loads(q)
|
|
|
|
ret_val = ""
|
|
|
|
|
|
|
|
for input_type in mispattributes['input']:
|
|
|
|
if input_type in request:
|
|
|
|
to_query = request[input_type]
|
|
|
|
break
|
|
|
|
else:
|
|
|
|
misperrors['error'] = "Unsupported attributes type:"
|
|
|
|
return misperrors
|
|
|
|
|
2021-03-18 19:22:26 +01:00
|
|
|
data = {"query": "search_ioc", "search_term": f"{to_query}"}
|
2021-03-13 20:36:49 +01:00
|
|
|
response = requests.post(API_URL, data=json.dumps(data))
|
|
|
|
if response.status_code == 200:
|
|
|
|
result = json.loads(response.text)
|
|
|
|
if(result["query_status"] == "ok"):
|
|
|
|
confidence_tag = confidence_level_to_tag(result["data"][0]["confidence_level"])
|
2021-03-18 19:22:26 +01:00
|
|
|
ret_val = {'results': [{'types': mispattributes['output'], 'values': [result["data"][0]["threat_type_desc"]], 'tags': [result["data"][0]["malware"], result["data"][0]["malware_printable"], confidence_tag]}]}
|
2021-03-13 20:36:49 +01:00
|
|
|
|
|
|
|
return ret_val
|
|
|
|
|
2021-03-18 19:22:26 +01:00
|
|
|
|
2021-03-13 20:36:49 +01:00
|
|
|
def introspection():
|
|
|
|
return mispattributes
|
|
|
|
|
2021-03-18 19:22:26 +01:00
|
|
|
|
2021-03-13 20:36:49 +01:00
|
|
|
def version():
|
|
|
|
moduleinfo['config'] = moduleconfig
|
|
|
|
return moduleinfo
|