fix: Fixed references between domaininfo/ipinfo & their targets

- Fixed references when no target id is set
- Fixed domaininfo parsing when no ip is defined

misp_modules/lib/joe_parser.py

@@ -241,25 +241,28 @@ class JoeParser():
         domaininfo = self.data['domaininfo']
         if domaininfo:
             for domain in domaininfo['domain']:
-                domain_object = MISPObject('domain-ip')
-                for key, mapping in domain_object_mapping.items():
-                    attribute_type, object_relation = mapping
-                    domain_object.add_attribute(object_relation, **{'type': attribute_type, 'value': domain[key]})
-                self.misp_event.add_object(**domain_object)
-                self.references[self.process_references[(int(domain['@targetid']), domain['@currentpath'])]].append({
-                    'idref': domain_object.uuid,
-                    'relationship': 'contacts'
-                })
+                if domain['@ip'] != 'unknown':
+                    domain_object = MISPObject('domain-ip')
+                    for key, mapping in domain_object_mapping.items():
+                        attribute_type, object_relation = mapping
+                        domain_object.add_attribute(object_relation,
+                                                    **{'type': attribute_type, 'value': domain[key]})
+                    self.misp_event.add_object(**domain_object)
+                    reference = {'idref': domain_object.uuid, 'relationship': 'contacts'}
+                    self.add_process_reference(domain['@targetid'], domain['@currentpath'], reference)
+                else:
+                    attribute = MISPAttribute()
+                    attribute.from_dict(**{'type': 'domain', 'value': domain['@name']})
+                    reference = {'idref': attribute.uuid, 'relationship': 'contacts'}
+                    self.add_process_reference(domain['@targetid'], domain['@currentpath'], reference)
         ipinfo = self.data['ipinfo']
         if ipinfo:
             for ip in ipinfo['ip']:
                 attribute = MISPAttribute()
                 attribute.from_dict(**{'type': 'ip-dst', 'value': ip['@ip']})
                 self.misp_event.add_attribute(**attribute)
-                self.references[self.process_references[(int(ip['@targetid']), ip['@currentpath'])]].append({
-                    'idref': attribute.uuid,
-                    'relationship': 'contacts'
-                })
+                reference = {'idref': attribute.uuid, 'relationship': 'contacts'}
+                self.add_process_reference(ip['@targetid'], ip['@currentpath'], reference)
         urlinfo = self.data['urlinfo']
         if urlinfo:
             for url in urlinfo['url']:
@@ -299,6 +302,12 @@ class JoeParser():
                     self.misp_event.add_object(**registry_key)
                     self.references[process_uuid].append({'idref': registry_key.uuid, 'relationship': relationship_type})
 
+    def add_process_reference(self, target, currentpath, reference):
+        try:
+            self.references[self.process_references[(int(target), currentpath)]].append(reference)
+        except KeyError:
+            self.references[self.analysisinfo_uuid].append(reference)
+
     def create_attribute(self, attribute_type, attribute_value):
         attribute = MISPAttribute()
         attribute.from_dict(**{'type': attribute_type, 'value': attribute_value})