misp-modules/misp_modules/modules/expansion/abuseipdb.py

import requests
import json
from pymisp import MISPObject, MISPAttribute, MISPEvent
from . import check_input_attribute, checking_error, standard_error_message
import dns.resolver

misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain', 'domain|ip'], 'format': 'misp_standard'}
moduleinfo = {'version': '0.1', 'author': 'Stephanie S',
              'description': 'AbuseIPDB MISP expansion module',
              'module-type': ['expansion', 'hover']}

moduleconfig = ['api_key', 'max_age_in_days', 'abuse_threshold']

def get_ip(request):
    # Need to get the ip from the domain
    resolver = dns.resolver.Resolver()
    resolver.timeout = 2
    resolver.lifetime = 2

    try:
        ip = resolver.query(request["attribute"]["value"], 'A')
        return ip
    except dns.resolver.NXDOMAIN:
        misperrors['error'] = "NXDOMAIN"
        return misperrors
    except dns.exception.Timeout:
        misperrors['error'] = "Timeout"
        return misperrors
    except Exception:
        misperrors['error'] = "DNS resolving error"
        return misperrors

def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)

    if "config" not in request or "api_key" not in request["config"]:
        return {"error": "AbuseIPDB API key is missing"}
    if "max_age_in_days" not in request["config"]:
        return {"error": "AbuseIPDB max age in days is missing"}
    if "abuse_threshold" not in request["config"]:
        return {"error": "AbuseIPDB abuse threshold is missing"}
    if not request.get('attribute') or not check_input_attribute(request['attribute'], requirements=('type', 'value')):
        return {'error': f'{standard_error_message}, {checking_error}.'}
    if request['attribute']['type'] not in mispattributes['input']:
        return {'error': 'Unsupported attribute type.'}

    if (request['attribute']['type'] == 'hostname' or request['attribute']['type'] == 'domain' or request['attribute']['type'] == 'domain|ip'):
       ip = get_ip(request)[0]

    else:
        ip = request["attribute"]["value"]
    
    api_key = request["config"]["api_key"]   
    max_age_in_days = request["config"]["max_age_in_days"]
    api_endpoint = 'https://api.abuseipdb.com/api/v2/check'
    querystring = {
        'ipAddress': ip,
        'maxAgeInDays': max_age_in_days
    }
    headers = {
        'Accept': 'application/json',
        'key': api_key
    }
    r = {"results": []} 

    response = requests.request(method='GET', url=api_endpoint, headers=headers, params=querystring)

    if (response.status_code == 200):
        response_json = json.loads(response.text)
        is_whitelisted = response_json['data']['isWhitelisted'] 
        is_tor = response_json['data']['isTor']
        is_public = response_json['data']['isPublic']
        abuse_confidence_score = response_json['data']['abuseConfidenceScore']

        abuse_threshold = request["config"]["abuse_threshold"]

        if (request["config"]["abuse_threshold"] is not None):
            abuse_threshold = request["config"]["abuse_threshold"]
        else:
            abuse_threshold = 70

        if (is_whitelisted == False):
            is_whitelisted = 0
        if (is_tor == False):
            is_tor = 0
        if (is_public == False):
            is_public = 0
        if (abuse_confidence_score == None):
            abuse_confidence_score = 0

        if (response_json.get("errors")):
            return {'error': 'AbuseIPDB error, check logs'}
        else:
            event = MISPEvent()
            obj = MISPObject('abuseipdb')
            event.add_attribute(**request['attribute'])

            if int(abuse_confidence_score) >= int(abuse_threshold):
                malicious_attribute = obj.add_attribute('is-malicious', **{'type': 'boolean', 'value': 1})
                malicious_attribute.add_tag(f'ioc:artifact-state="malicious"')
            else:
                malicious_attribute = obj.add_attribute('is-malicious', **{'type': 'boolean', 'value': 0})
                malicious_attribute.add_tag(f'ioc:artifact-state="not-malicious"')

            if is_whitelisted is not None:
                obj.add_attribute('is-whitelisted', **{'type': 'boolean', 'value': is_whitelisted})
            obj.add_attribute('is-tor', **{'type': 'boolean', 'value': is_tor})
            obj.add_attribute('is-public', **{'type': 'boolean', 'value': is_public})
            obj.add_attribute('abuse-confidence-score', **{'type': 'counter', 'value': abuse_confidence_score})
            obj.add_reference(request['attribute']['uuid'], "describes")
            event.add_object(obj)
            
            # Avoid serialization issue
            event = json.loads(event.to_json())

        r['results'] = {'Object': event['Object'], 'Attribute': event['Attribute']}
        return r

    else:
        try: 
            response_json = json.loads(response.text)
            if (response_json['errors']):
                return {"error": "API not reachable, status code: " + str(response.status_code) + " " + str(response_json['errors'][0]['detail'])}
        except:
            pass
        return {"error": "API not reachable, status code: " + str(response.status_code)}

def introspection():
    return mispattributes

def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo
Added AbuseIPDB expansion module 2023-07-10 21:08:47 +02:00			`import requests`
			`import json`
Fixed object reference issue for the AbuseIPDB expansion module 2023-07-10 23:14:15 +02:00			`from pymisp import MISPObject, MISPAttribute, MISPEvent`
Added AbuseIPDB expansion module 2023-07-10 21:08:47 +02:00			`from . import check_input_attribute, checking_error, standard_error_message`
			`import dns.resolver`

			`misperrors = {'error': 'Error'}`
Added the new attribute and tags for AbuseIPDB and added the google safe browsing expansion module 2023-07-13 15:33:59 +02:00			`mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain', 'domain\|ip'], 'format': 'misp_standard'}`
Added AbuseIPDB expansion module 2023-07-10 21:08:47 +02:00			`moduleinfo = {'version': '0.1', 'author': 'Stephanie S',`
			`'description': 'AbuseIPDB MISP expansion module',`
			`'module-type': ['expansion', 'hover']}`

Added the new attribute and tags for AbuseIPDB and added the google safe browsing expansion module 2023-07-13 15:33:59 +02:00			`moduleconfig = ['api_key', 'max_age_in_days', 'abuse_threshold']`
Added AbuseIPDB expansion module 2023-07-10 21:08:47 +02:00
Added the new attribute and tags for AbuseIPDB and added the google safe browsing expansion module 2023-07-13 15:33:59 +02:00			`def get_ip(request):`
Added AbuseIPDB expansion module 2023-07-10 21:08:47 +02:00			`# Need to get the ip from the domain`
			`resolver = dns.resolver.Resolver()`
			`resolver.timeout = 2`
			`resolver.lifetime = 2`

			`try:`
			`ip = resolver.query(request["attribute"]["value"], 'A')`
Added the new attribute and tags for AbuseIPDB and added the google safe browsing expansion module 2023-07-13 15:33:59 +02:00			`return ip`
Added AbuseIPDB expansion module 2023-07-10 21:08:47 +02:00			`except dns.resolver.NXDOMAIN:`
			`misperrors['error'] = "NXDOMAIN"`
			`return misperrors`
			`except dns.exception.Timeout:`
			`misperrors['error'] = "Timeout"`
			`return misperrors`
			`except Exception:`
			`misperrors['error'] = "DNS resolving error"`
			`return misperrors`
Added the new attribute and tags for AbuseIPDB and added the google safe browsing expansion module 2023-07-13 15:33:59 +02:00
			`def handler(q=False):`
			`if q is False:`
			`return False`
			`request = json.loads(q)`

			`if "config" not in request or "api_key" not in request["config"]:`
			`return {"error": "AbuseIPDB API key is missing"}`
			`if "max_age_in_days" not in request["config"]:`
			`return {"error": "AbuseIPDB max age in days is missing"}`
			`if "abuse_threshold" not in request["config"]:`
			`return {"error": "AbuseIPDB abuse threshold is missing"}`
			`if not request.get('attribute') or not check_input_attribute(request['attribute'], requirements=('type', 'value')):`
			`return {'error': f'{standard_error_message}, {checking_error}.'}`
			`if request['attribute']['type'] not in mispattributes['input']:`
			`return {'error': 'Unsupported attribute type.'}`

			`if (request['attribute']['type'] == 'hostname' or request['attribute']['type'] == 'domain' or request['attribute']['type'] == 'domain\|ip'):`
			`ip = get_ip(request)[0]`

			`else:`
			`ip = request["attribute"]["value"]`

Added AbuseIPDB expansion module 2023-07-10 21:08:47 +02:00			`api_key = request["config"]["api_key"]`
			`max_age_in_days = request["config"]["max_age_in_days"]`
			`api_endpoint = 'https://api.abuseipdb.com/api/v2/check'`
			`querystring = {`
Added the new attribute and tags for AbuseIPDB and added the google safe browsing expansion module 2023-07-13 15:33:59 +02:00			`'ipAddress': ip,`
Added AbuseIPDB expansion module 2023-07-10 21:08:47 +02:00			`'maxAgeInDays': max_age_in_days`
			`}`
			`headers = {`
			`'Accept': 'application/json',`
			`'key': api_key`
			`}`
			`r = {"results": []}`

			`response = requests.request(method='GET', url=api_endpoint, headers=headers, params=querystring)`

Fixed object reference issue for the AbuseIPDB expansion module 2023-07-10 23:14:15 +02:00			`if (response.status_code == 200):`
			`response_json = json.loads(response.text)`
			`is_whitelisted = response_json['data']['isWhitelisted']`
			`is_tor = response_json['data']['isTor']`
			`is_public = response_json['data']['isPublic']`
			`abuse_confidence_score = response_json['data']['abuseConfidenceScore']`
Added AbuseIPDB expansion module 2023-07-10 21:08:47 +02:00
Added the new attribute and tags for AbuseIPDB and added the google safe browsing expansion module 2023-07-13 15:33:59 +02:00			`abuse_threshold = request["config"]["abuse_threshold"]`

			`if (request["config"]["abuse_threshold"] is not None):`
			`abuse_threshold = request["config"]["abuse_threshold"]`
			`else:`
			`abuse_threshold = 70`

Fixed object reference issue for the AbuseIPDB expansion module 2023-07-10 23:14:15 +02:00			`if (is_whitelisted == False):`
			`is_whitelisted = 0`
			`if (is_tor == False):`
			`is_tor = 0`
			`if (is_public == False):`
			`is_public = 0`
			`if (abuse_confidence_score == None):`
			`abuse_confidence_score = 0`
Added AbuseIPDB expansion module 2023-07-10 21:08:47 +02:00
Fixed object reference issue for the AbuseIPDB expansion module 2023-07-10 23:14:15 +02:00			`if (response_json.get("errors")):`
			`return {'error': 'AbuseIPDB error, check logs'}`
			`else:`
			`event = MISPEvent()`
			`obj = MISPObject('abuseipdb')`
			`event.add_attribute(**request['attribute'])`

Added the new attribute and tags for AbuseIPDB and added the google safe browsing expansion module 2023-07-13 15:33:59 +02:00			`if int(abuse_confidence_score) >= int(abuse_threshold):`
			`malicious_attribute = obj.add_attribute('is-malicious', **{'type': 'boolean', 'value': 1})`
			`malicious_attribute.add_tag(f'ioc:artifact-state="malicious"')`
			`else:`
			`malicious_attribute = obj.add_attribute('is-malicious', **{'type': 'boolean', 'value': 0})`
			`malicious_attribute.add_tag(f'ioc:artifact-state="not-malicious"')`

Fixed object reference issue for the AbuseIPDB expansion module 2023-07-10 23:14:15 +02:00			`if is_whitelisted is not None:`
			`obj.add_attribute('is-whitelisted', **{'type': 'boolean', 'value': is_whitelisted})`
			`obj.add_attribute('is-tor', **{'type': 'boolean', 'value': is_tor})`
			`obj.add_attribute('is-public', **{'type': 'boolean', 'value': is_public})`
			`obj.add_attribute('abuse-confidence-score', **{'type': 'counter', 'value': abuse_confidence_score})`
			`obj.add_reference(request['attribute']['uuid'], "describes")`
			`event.add_object(obj)`

			`# Avoid serialization issue`
			`event = json.loads(event.to_json())`
Added AbuseIPDB expansion module 2023-07-10 21:08:47 +02:00
Fixed object reference issue for the AbuseIPDB expansion module 2023-07-10 23:14:15 +02:00			`r['results'] = {'Object': event['Object'], 'Attribute': event['Attribute']}`
			`return r`

			`else:`
			`try:`
			`response_json = json.loads(response.text)`
			`if (response_json['errors']):`
			`return {"error": "API not reachable, status code: " + str(response.status_code) + " " + str(response_json['errors'][0]['detail'])}`
			`except:`
			`pass`
			`return {"error": "API not reachable, status code: " + str(response.status_code)}`
Added AbuseIPDB expansion module 2023-07-10 21:08:47 +02:00
			`def introspection():`
			`return mispattributes`

			`def version():`
			`moduleinfo['config'] = moduleconfig`
			`return moduleinfo`