MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

fix: Some quick fixes 

- Fixed strptime matching because months are
  expressed in abbreviated format
- Made data loaded while the parsing function is
  called, in case it has to be called multiple
  times at some point
pull/305/head
chrisr3d 3 years ago
parent
74b73f9332
commit
0d40830a7f
No known key found for this signature in database GPG Key ID: 6BBED1B63A6D639F
2 changed files with 9 additions and 9 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 12
      misp_modules/lib/joe_parser.py
  2. 6
      misp_modules/modules/import_mod/joe_import.py

12
misp_modules/lib/joe_parser.py
View File

@ -46,14 +46,14 @@ signerinfo_object_mapping = {'sigissuer': ('text', 'issuer'),
class JoeParser():
def __init__(self, data):
self.data = data
def __init__(self):
self.misp_event = MISPEvent()
self.references = defaultdict(list)
self.attributes = defaultdict(lambda: defaultdict(set))
self.process_references = {}
def parse_joe(self):
def parse_data(self, data):
self.data = data
if self.analysis_type() == "file":
self.parse_fileinfo()
else:
@ -66,8 +66,6 @@ class JoeParser():
if self.attributes:
self.handle_attributes()
if self.references:
self.build_references()
self.parse_mitre_attack()
self.finalize_results()
@ -119,7 +117,7 @@ class JoeParser():
for protocol, layer in protocols.items():
if network.get(protocol):
for packet in network[protocol]['packet']:
timestamp = datetime.strptime(self.parse_timestamp(packet['timestamp']), '%B %d, %Y %H:%M:%S.%f')
timestamp = datetime.strptime(self.parse_timestamp(packet['timestamp']), '%b %d, %Y %H:%M:%S.%f')
connections[tuple(packet[field] for field in network_behavior_fields)][protocol].add(timestamp)
for connection, data in connections.items():
attributes = self.prefetch_attributes_data(connection)
@ -308,6 +306,8 @@ class JoeParser():
return attribute.uuid
def finalize_results(self):
if self.references:
self.build_references()
event = json.loads(self.misp_event.to_json())['Event']
self.results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])}

6
misp_modules/modules/import_mod/joe_import.py
View File

@ -24,9 +24,9 @@ def handler(q=False):
data = base64.b64decode(q.get('data')).decode('utf-8')
if not data:
return json.dumps({'success': 0})
joe_data = json.loads(data)['analysis']
joe_parser = JoeParser(joe_data)
joe_parser.parse_joe()
joe_parser = JoeParser()
joe_parser.parse_data(json.loads(data)['analysis'])
joe_parser.finalize_results()
return {'results': joe_parser.results}

Write Preview
Loading…
Cancel
Save