fix: Fixed references between domaininfo/ipinfo & their targets

- Fixed references when no target id is set - Fixed domaininfo parsing when no ip is defined
2019-06-03 18:38:58 +10:00 · 2019-06-03 18:38:58 +10:00 · 07698e5c72
parent 0d40830a7f
commit 07698e5c72
1 changed files with 22 additions and 13 deletions
--- a/misp_modules/lib/joe_parser.py
+++ b/misp_modules/lib/joe_parser.py
@ -241,25 +241,28 @@ class JoeParser():
        domaininfo = self.data['domaininfo']
        if domaininfo:
            for domain in domaininfo['domain']:
-                domain_object = MISPObject('domain-ip')
-                for key, mapping in domain_object_mapping.items():
-                    attribute_type, object_relation = mapping
-                    domain_object.add_attribute(object_relation, **{'type': attribute_type, 'value': domain[key]})
-                self.misp_event.add_object(**domain_object)
-                self.references[self.process_references[(int(domain['@targetid']), domain['@currentpath'])]].append({
-                    'idref': domain_object.uuid,
-                    'relationship': 'contacts'
-                })
+                if domain['@ip'] != 'unknown':
+                    domain_object = MISPObject('domain-ip')
+                    for key, mapping in domain_object_mapping.items():
+                        attribute_type, object_relation = mapping
+                        domain_object.add_attribute(object_relation,
+                                                    **{'type': attribute_type, 'value': domain[key]})
+                    self.misp_event.add_object(**domain_object)
+                    reference = {'idref': domain_object.uuid, 'relationship': 'contacts'}
+                    self.add_process_reference(domain['@targetid'], domain['@currentpath'], reference)
+                else:
+                    attribute = MISPAttribute()
+                    attribute.from_dict(**{'type': 'domain', 'value': domain['@name']})
+                    reference = {'idref': attribute.uuid, 'relationship': 'contacts'}
+                    self.add_process_reference(domain['@targetid'], domain['@currentpath'], reference)
        ipinfo = self.data['ipinfo']
        if ipinfo:
            for ip in ipinfo['ip']:
                attribute = MISPAttribute()
                attribute.from_dict(**{'type': 'ip-dst', 'value': ip['@ip']})
                self.misp_event.add_attribute(**attribute)
-                self.references[self.process_references[(int(ip['@targetid']), ip['@currentpath'])]].append({
-                    'idref': attribute.uuid,
-                    'relationship': 'contacts'
-                })
+                reference = {'idref': attribute.uuid, 'relationship': 'contacts'}
+                self.add_process_reference(ip['@targetid'], ip['@currentpath'], reference)
        urlinfo = self.data['urlinfo']
        if urlinfo:
            for url in urlinfo['url']:
@ -299,6 +302,12 @@ class JoeParser():
                    self.misp_event.add_object(**registry_key)
                    self.references[process_uuid].append({'idref': registry_key.uuid, 'relationship': relationship_type})

+    def add_process_reference(self, target, currentpath, reference):
+        try:
+            self.references[self.process_references[(int(target), currentpath)]].append(reference)
+        except KeyError:
+            self.references[self.analysisinfo_uuid].append(reference)
+
    def create_attribute(self, attribute_type, attribute_value):
        attribute = MISPAttribute()
        attribute.from_dict(**{'type': attribute_type, 'value': attribute_value})