fix: Handling case of multiple processes in behavior field

- Also starts parsing file activities
pull/304/head
chrisr3d 2019-05-15 22:06:55 +02:00
parent d195b554a5
commit 067b229224
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 19 additions and 10 deletions


@ -1,7 +1,7 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
from collections import defaultdict from collections import defaultdict
from datetime import datetime from datetime import datetime
from pymisp import MISPEvent, MISPObject from pymisp import MISPAttribute, MISPEvent, MISPObject
import json import json
import base64 import base64
@ -29,6 +29,8 @@ pe_object_mapping = {'CompanyName': 'company-name', 'FileDescription': 'file-des
process_object_fields = {'cmdline': 'command-line', 'name': 'name', process_object_fields = {'cmdline': 'command-line', 'name': 'name',
'parentpid': 'parent-pid', 'pid': 'pid', 'parentpid': 'parent-pid', 'pid': 'pid',
'path': 'current-directory'} 'path': 'current-directory'}
process_references_mapping = {'fileCreated': 'creates', 'fileDeleted': 'deletes',
'fileMoved': 'moves', 'fileRead': 'reads', 'fileWritten': 'writes'}
section_object_mapping = {'characteristics': ('text', 'characteristic'), section_object_mapping = {'characteristics': ('text', 'characteristic'),
'entropy': ('float', 'entropy'), 'entropy': ('float', 'entropy'),
'name': ('text', 'name'), 'rawaddr': ('hex', 'offset'), 'name': ('text', 'name'), 'rawaddr': ('hex', 'offset'),
@ -67,15 +69,22 @@ class JoeParser():
network = self.data['behavior']['network'] network = self.data['behavior']['network']
def parse_behavior_system(self): def parse_behavior_system(self):
processes = self.data['behavior']['system']['processes']['process'][0] for process in self.data['behavior']['system']['processes']['process']:
general = processes['general'] general = process['general']
process_object = MISPObject('process') process_object = MISPObject('process')
for feature, relation in process_object_fields.items(): for feature, relation in process_object_fields.items():
process_object.add_attribute(relation, **{'type': 'text', 'value': general[feature]}) process_object.add_attribute(relation, **{'type': 'text', 'value': general[feature]})
start_time = datetime.strptime('{} {}'.format(general['date'], general['time']), '%d/%m/%Y %H:%M:%S') start_time = datetime.strptime('{} {}'.format(general['date'], general['time']), '%d/%m/%Y %H:%M:%S')
process_object.add_attribute('start-time', **{'type': 'datetime', 'value': start_time}) process_object.add_attribute('start-time', **{'type': 'datetime', 'value': start_time})
self.misp_event.add_object(**process_object) for feature, files in process['fileactivities'].items():
self.references[self.fileinfo_uuid].append({'idref': process_object.uuid, 'relationship': 'calls'}) if files:
for call in files['call']:
file_attribute = MISPAttribute()
file_attribute.from_dict(**{'type': 'filename', 'value': call['path']})
process_object.add_reference(file_attribute.uuid, process_references_mapping[feature])
self.misp_event.add_attribute(**file_attribute)
self.misp_event.add_object(**process_object)
self.references[self.fileinfo_uuid].append({'idref': process_object.uuid, 'relationship': 'calls'})
def parse_fileinfo(self): def parse_fileinfo(self):
fileinfo = self.data['fileinfo'] fileinfo = self.data['fileinfo']
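Review bot: In the new per-process loop of `parse_behavior_system`, `process_references_mapping[feature]` and `process['fileactivities']` are indexed directly, so any process whose report lacks a `fileactivities` block, or whose block carries an activity key outside the five mapped ones (`fileCreated`, `fileDeleted`, `fileMoved`, `fileRead`, `fileWritten`), aborts the whole parse with a `KeyError`; this is a parser of third-party report data, so unknown keys should be skipped rather than fatal, e.g. `relationship = process_references_mapping.get(feature)` followed by `if not files or relationship is None: continue`, and `process.get('fileactivities', {})` for the outer lookup. The paths turned into `filename` attributes are taken from the sample's own behaviour, and `fileRead` entries in particular will usually include benign system libraries; since `MISPAttribute.from_dict` is called without `to_ids`, consider passing `'to_ids': False` for at least the read relationship so these do not become detection signatures in IDS exports. The same path repeated across several processes also yields duplicate attributes; a per-path cache of `file_attribute.uuid` would let later processes reference the existing attribute instead. Whether `files['call']` is always a list (and not a single dict when there is one entry) cannot be confirmed from this hunk and is worth checking against a report with a single file activity.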