From 07698e5c72ef28c7d9b7eb91989e5c994b3092a4 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 3 Jun 2019 18:38:58 +1000 Subject: [PATCH] fix: Fixed references between domaininfo/ipinfo & their targets - Fixed references when no target id is set - Fixed domaininfo parsing when no ip is defined --- misp_modules/lib/joe_parser.py | 35 +++++++++++++++++++++------------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/misp_modules/lib/joe_parser.py b/misp_modules/lib/joe_parser.py index 5af78f2..bf5c974 100644 --- a/misp_modules/lib/joe_parser.py +++ b/misp_modules/lib/joe_parser.py @@ -241,25 +241,28 @@ class JoeParser(): domaininfo = self.data['domaininfo'] if domaininfo: for domain in domaininfo['domain']: - domain_object = MISPObject('domain-ip') - for key, mapping in domain_object_mapping.items(): - attribute_type, object_relation = mapping - domain_object.add_attribute(object_relation, **{'type': attribute_type, 'value': domain[key]}) - self.misp_event.add_object(**domain_object) - self.references[self.process_references[(int(domain['@targetid']), domain['@currentpath'])]].append({ - 'idref': domain_object.uuid, - 'relationship': 'contacts' - }) + if domain['@ip'] != 'unknown': + domain_object = MISPObject('domain-ip') + for key, mapping in domain_object_mapping.items(): + attribute_type, object_relation = mapping + domain_object.add_attribute(object_relation, + **{'type': attribute_type, 'value': domain[key]}) + self.misp_event.add_object(**domain_object) + reference = {'idref': domain_object.uuid, 'relationship': 'contacts'} + self.add_process_reference(domain['@targetid'], domain['@currentpath'], reference) + else: + attribute = MISPAttribute() + attribute.from_dict(**{'type': 'domain', 'value': domain['@name']}) + reference = {'idref': attribute.uuid, 'relationship': 'contacts'} + self.add_process_reference(domain['@targetid'], domain['@currentpath'], reference) ipinfo = self.data['ipinfo'] if ipinfo: for ip in ipinfo['ip']: attribute = MISPAttribute() attribute.from_dict(**{'type': 'ip-dst', 'value': ip['@ip']}) self.misp_event.add_attribute(**attribute) - self.references[self.process_references[(int(ip['@targetid']), ip['@currentpath'])]].append({ - 'idref': attribute.uuid, - 'relationship': 'contacts' - }) + reference = {'idref': attribute.uuid, 'relationship': 'contacts'} + self.add_process_reference(ip['@targetid'], ip['@currentpath'], reference) urlinfo = self.data['urlinfo'] if urlinfo: for url in urlinfo['url']: @@ -299,6 +302,12 @@ class JoeParser(): self.misp_event.add_object(**registry_key) self.references[process_uuid].append({'idref': registry_key.uuid, 'relationship': relationship_type}) + def add_process_reference(self, target, currentpath, reference): + try: + self.references[self.process_references[(int(target), currentpath)]].append(reference) + except KeyError: + self.references[self.analysisinfo_uuid].append(reference) + def create_attribute(self, attribute_type, attribute_value): attribute = MISPAttribute() attribute.from_dict(**{'type': attribute_type, 'value': attribute_value})