misp-modules/misp_modules/modules/expansion/yeti.py

197 lines
7.5 KiB
Python
Raw Normal View History

2021-02-05 10:18:52 +01:00
import json
import logging
2021-02-05 10:18:52 +01:00
try:
import pyeti
except ImportError:
print("pyeti module not installed.")
from pymisp import MISPEvent, MISPObject
2021-03-05 19:01:25 +01:00
2021-02-05 10:18:52 +01:00
misperrors = {'error': 'Error'}
2021-04-21 14:45:07 +02:00
mispattributes = {'input': ['AS', 'ip-src', 'ip-dst', 'hostname', 'domain', 'sha256', 'sha1', 'md5', 'url'],
2021-03-05 16:53:49 +01:00
'format': 'misp_standard'
}
2021-02-05 10:18:52 +01:00
# possible module-types: 'expansion', 'hover' or both
2024-08-12 11:23:10 +02:00
moduleinfo = {
'version': '1',
'author': 'Sebastien Larinier @sebdraven',
'description': 'Module to process a query on Yeti.',
'module-type': ['expansion', 'hover'],
'name': 'Yeti Lookup',
'logo': 'yeti.png',
'requirements': ['pyeti', 'API key '],
'features': 'This module add context and links between observables using yeti',
'references': ['https://github.com/yeti-platform/yeti', 'https://github.com/sebdraven/pyeti'],
'input': 'A domain, hostname,IP, sha256,sha1, md5, url of MISP attribute.',
'output': 'MISP attributes and objects fetched from the Yeti instances.',
}
2021-02-05 10:18:52 +01:00
2021-02-05 11:17:40 +01:00
moduleconfig = ['apikey', 'url']
2021-03-05 11:34:01 +01:00
class Yeti():
2021-02-05 11:17:40 +01:00
2021-04-20 13:53:06 +02:00
def __init__(self, url, key, attribute):
self.misp_mapping = {'Ip': 'ip-dst', 'Domain': 'domain', 'Hostname': 'hostname', 'Url': 'url',
'AutonomousSystem': 'AS', 'File': 'sha256'}
2021-03-05 11:40:11 +01:00
self.yeti_client = pyeti.YetiApi(url=url, api_key=key)
2021-03-05 19:01:25 +01:00
self.attribute = attribute
self.misp_event = MISPEvent()
2021-03-19 15:55:18 +01:00
self.misp_event.add_attribute(**attribute)
2021-02-05 11:17:40 +01:00
def search(self, value):
2021-03-05 11:34:01 +01:00
obs = self.yeti_client.observable_search(value=value)
2021-02-05 11:17:40 +01:00
if obs:
return obs[0]
2021-02-05 11:17:40 +01:00
def get_neighboors(self, obs_id):
2021-03-05 11:34:01 +01:00
neighboors = self.yeti_client.neighbors_observables(obs_id)
if neighboors and 'objs' in neighboors:
2021-04-21 15:41:20 +02:00
links_by_id = {link['dst']['id']: (link['description'], 'dst') for link in neighboors['links']
2021-04-20 12:40:01 +02:00
if link['dst']['id'] != obs_id}
2021-04-20 14:05:51 +02:00
links_by_id.update({link['src']['id']: (link['description'], 'src') for link in neighboors['links']
2021-04-20 12:40:01 +02:00
if link['src']['id'] != obs_id})
2021-03-05 15:19:30 +01:00
for n in neighboors['objs']:
2021-04-20 12:24:34 +02:00
yield n, links_by_id[n['id']]
2021-03-05 19:01:25 +01:00
def parse_yeti_result(self):
obs = self.search(self.attribute['value'])
2021-04-21 18:15:16 +02:00
2021-04-20 12:24:34 +02:00
for obs_to_add, link in self.get_neighboors(obs['id']):
object_misp_domain_ip = self.__get_object_domain_ip(obs_to_add)
if object_misp_domain_ip:
self.misp_event.add_object(object_misp_domain_ip)
2021-04-20 13:38:45 +02:00
continue
2021-04-19 11:49:24 +02:00
object_misp_url = self.__get_object_url(obs_to_add)
if object_misp_url:
self.misp_event.add_object(object_misp_url)
2021-04-20 13:38:45 +02:00
continue
if link[0] == 'NS record':
object_ns_record = self.__get_object_ns_record(obs_to_add, link[1])
2021-04-20 14:35:18 +02:00
if object_ns_record:
self.misp_event.add_object(object_ns_record)
continue
2021-04-20 14:05:51 +02:00
self.__get_attribute(obs_to_add, link[0])
2021-03-05 19:01:25 +01:00
def get_result(self):
event = json.loads(self.misp_event.to_json())
results = {key: event[key] for key in ('Attribute', 'Object') if key in event}
2021-03-05 19:01:25 +01:00
return results
2021-04-20 12:43:43 +02:00
def __get_attribute(self, obs_to_add, link):
2021-04-19 17:55:29 +02:00
try:
2021-04-19 17:55:29 +02:00
type_attr = self.misp_mapping[obs_to_add['type']]
value = None
if obs_to_add['type'] == 'File':
value = obs_to_add['value'].split(':')[1]
else:
value = obs_to_add['value']
attr = self.misp_event.add_attribute(value=value, type=type_attr)
2021-04-20 14:35:18 +02:00
attr.comment = '%s: %s' % (link, self.attribute['value'])
except KeyError:
logging.error('type not found %s' % obs_to_add['type'])
return
2021-04-19 17:16:59 +02:00
for t in obs_to_add['tags']:
2021-04-19 17:55:29 +02:00
self.misp_event.add_attribute_tag(t['name'], attr['uuid'])
def __get_object_domain_ip(self, obj_to_add):
2021-04-21 15:41:20 +02:00
if (obj_to_add['type'] == 'Ip' and self.attribute['type'] in ['hostname', 'domain']) or \
2021-03-05 19:01:25 +01:00
(obj_to_add['type'] in ('Hostname', 'Domain') and self.attribute['type'] in ('ip-src', 'ip-dst')):
domain_ip_object = MISPObject('domain-ip')
2021-03-19 15:16:00 +01:00
domain_ip_object.add_attribute(self.__get_relation(obj_to_add),
obj_to_add['value'])
domain_ip_object.add_attribute(self.__get_relation(self.attribute, is_yeti_object=False),
self.attribute['value'])
2021-03-19 15:16:00 +01:00
domain_ip_object.add_reference(self.attribute['uuid'], 'related_to')
2021-03-05 19:01:25 +01:00
return domain_ip_object
def __get_object_url(self, obj_to_add):
2021-04-19 11:03:39 +02:00
if (obj_to_add['type'] == 'Url' and self.attribute['type'] in ['hostname', 'domain', 'ip-src', 'ip-dst']) or (
2021-04-21 15:41:20 +02:00
obj_to_add['type'] in ('Hostname', 'Domain', 'Ip') and self.attribute['type'] == 'url'
2021-04-19 11:00:55 +02:00
):
2021-04-19 12:20:25 +02:00
url_object = MISPObject('url')
2021-04-19 11:24:01 +02:00
obj_relation = self.__get_relation(obj_to_add)
if obj_relation:
2021-04-19 11:49:24 +02:00
url_object.add_attribute(obj_relation, obj_to_add['value'])
2021-04-19 13:47:45 +02:00
obj_relation = self.__get_relation(self.attribute, is_yeti_object=False)
2021-04-19 11:24:01 +02:00
if obj_relation:
2021-04-19 13:47:45 +02:00
url_object.add_attribute(obj_relation,
2021-04-19 13:45:29 +02:00
self.attribute['value'])
url_object.add_reference(self.attribute['uuid'], 'related_to')
2021-04-19 13:49:02 +02:00
return url_object
def __get_object_ns_record(self, obj_to_add, link):
2021-04-20 14:35:18 +02:00
queried_domain = None
ns_domain = None
2021-04-20 13:53:06 +02:00
object_dns_record = MISPObject('dns-record')
if link == 'dst':
queried_domain = self.attribute['value']
ns_domain = obj_to_add['value']
2021-04-21 15:41:20 +02:00
elif link == 'src':
queried_domain = obj_to_add['value']
ns_domain = self.attribute['value']
2021-04-20 14:35:18 +02:00
if queried_domain and ns_domain:
object_dns_record.add_attribute('queried-domain', queried_domain)
object_dns_record.add_attribute('ns-record', ns_domain)
object_dns_record.add_reference(self.attribute['uuid'], 'related_to')
2021-04-20 14:35:18 +02:00
return object_dns_record
2021-04-20 13:53:06 +02:00
def __get_relation(self, obj, is_yeti_object=True):
if is_yeti_object:
type_attribute = self.misp_mapping[obj['type']]
else:
type_attribute = obj['type']
if type_attribute == 'ip-src' or type_attribute == 'ip-dst':
2021-03-19 15:16:00 +01:00
return 'ip'
elif 'domain' == type_attribute:
2021-03-19 15:16:00 +01:00
return 'domain'
elif 'hostname' == type_attribute:
2021-03-19 15:16:00 +01:00
return 'domain'
elif type_attribute == 'url':
2021-04-19 11:09:38 +02:00
return type_attribute
2021-03-19 10:52:48 +01:00
2021-03-19 11:40:23 +01:00
2021-02-05 11:17:40 +01:00
def handler(q=False):
if q is False:
return False
2021-03-05 11:34:01 +01:00
apikey = None
yeti_url = None
2021-03-05 11:34:01 +01:00
yeti_client = None
request = json.loads(q)
2021-03-05 19:01:25 +01:00
attribute = request['attribute']
if attribute['type'] not in mispattributes['input']:
return {'error': 'Unsupported attributes type'}
2021-03-19 11:01:02 +01:00
if 'config' in request and 'url' in request['config']:
yeti_url = request['config']['url']
if 'config' in request and 'apikey' in request['config']:
apikey = request['config']['apikey']
2021-03-05 11:22:53 +01:00
if apikey and yeti_url:
2021-03-05 19:01:25 +01:00
yeti_client = Yeti(yeti_url, apikey, attribute)
2021-03-05 11:22:53 +01:00
if yeti_client:
2021-03-19 10:52:48 +01:00
yeti_client.parse_yeti_result()
2021-03-19 15:55:18 +01:00
return {'results': yeti_client.get_result()}
2021-03-05 11:22:53 +01:00
else:
misperrors['error'] = 'Yeti Config Error'
return misperrors
2021-02-05 11:47:27 +01:00
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo
2021-04-21 15:41:20 +02:00
def introspection():
2021-04-21 15:41:20 +02:00
return mispattributes