mirror of https://github.com/MISP/misp-modules
parent
f0d47fbc63
commit
0c6a205136
2 changed files with 94 additions and 1 deletions
@ -1 +1 @@ |
||||
__all__ = ['testexport','cef_export','liteexport','goamlexport','threat_connect_export','pdfexport','threatStream_misp_export'] |
||||
__all__ = ['testexport','cef_export','liteexport','goamlexport','threat_connect_export','pdfexport','threatStream_misp_export', 'osqueryexport'] |
||||
|
@ -0,0 +1,93 @@ |
||||
""" |
||||
Export module for coverting MISP events into OSQuery query pack. |
||||
Source: https://github.com/0xmilkmix/misp-modules/blob/master/misp_modules/modules/export_mod/osqueryexport.py |
||||
""" |
||||
|
||||
import base64 |
||||
import json |
||||
import csv |
||||
import re |
||||
|
||||
|
||||
misperrors = {"error": "Error"} |
||||
|
||||
types_to_use = ['regkey', 'mutex'] |
||||
|
||||
|
||||
userConfig = { |
||||
|
||||
}; |
||||
|
||||
moduleconfig = [] |
||||
|
||||
# fixed for now, options in the future: |
||||
# event, attribute, event-collection, attribute-collection |
||||
inputSource = ['event'] |
||||
|
||||
outputFileExtension = 'conf' |
||||
responseType = 'application/txt' |
||||
|
||||
|
||||
moduleinfo = {'version': '0.1', 'author': 'Julien Bachmann, Hacknowledge', |
||||
'description': 'OSQuery query export module', |
||||
'module-type': ['export']} |
||||
|
||||
# test : http://misp.vm/events/view/23 |
||||
def handle_regkey(value): |
||||
rep = {'HKCU': 'HKEY_USERS\\%', 'HKLM': 'HKEY_LOCAL_MACHINE'} |
||||
rep = dict((re.escape(k), v) for k, v in rep.items()) |
||||
pattern = re.compile("|".join(rep.keys())) |
||||
value = pattern.sub(lambda m: rep[re.escape(m.group(0))], value) |
||||
return 'SELECT * FROM registry WHERE path LIKE \'%s\';' % value |
||||
|
||||
def handle_mutex(value): |
||||
return '#waiting acceptance of Scott Lundgren PR that would allow to query Kernel Objects' |
||||
|
||||
handlers = { |
||||
'regkey' : handle_regkey, |
||||
'mutex' : handle_mutex |
||||
} |
||||
|
||||
def handler(q=False): |
||||
if q is False: |
||||
return False |
||||
r = {'results': []} |
||||
request = json.loads(q) |
||||
output = '' |
||||
|
||||
for event in request["data"]: |
||||
for attribute in event["Attribute"]: |
||||
if attribute['type'] in types_to_use: |
||||
output = output + handlers[attribute['type']](attribute['value']) + '\n' |
||||
r = {"response":[], "data":str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')} |
||||
return r |
||||
|
||||
|
||||
def introspection(): |
||||
modulesetup = {} |
||||
try: |
||||
responseType |
||||
modulesetup['responseType'] = responseType |
||||
except NameError: |
||||
pass |
||||
try: |
||||
userConfig |
||||
modulesetup['userConfig'] = userConfig |
||||
except NameError: |
||||
pass |
||||
try: |
||||
outputFileExtension |
||||
modulesetup['outputFileExtension'] = outputFileExtension |
||||
except NameError: |
||||
pass |
||||
try: |
||||
inputSource |
||||
modulesetup['inputSource'] = inputSource |
||||
except NameError: |
||||
pass |
||||
return modulesetup |
||||
|
||||
|
||||
def version(): |
||||
moduleinfo['config'] = moduleconfig |
||||
return moduleinfo |
Loading…
Reference in new issue