MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

fix: Some quick fixes

Browse Source 
- Fixed strptime matching because months are
  expressed in abbreviated format
- Made data loaded while the parsing function is
  called, in case it has to be called multiple
  times at some point
pull/305/head
chrisr3d 4 years ago
parent 74b73f9332
commit 0d40830a7f
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
2 changed files with 9 additions and 9 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 12
      misp_modules/lib/joe_parser.py
  2. 6
      misp_modules/modules/import_mod/joe_import.py

12
misp_modules/lib/joe_parser.py
Unescape View File

@ -46,14 +46,14 @@ signerinfo_object_mapping = {'sigissuer': ('text', 'issuer'),
class JoeParser():
def __init__(self, data):
self.data = data
def __init__(self):
self.misp_event = MISPEvent()
self.references = defaultdict(list)
self.attributes = defaultdict(lambda: defaultdict(set))
self.process_references = {}
def parse_joe(self):
def parse_data(self, data):
self.data = data
if self.analysis_type() == "file":
self.parse_fileinfo()
else:
@ -66,8 +66,6 @@ class JoeParser():
if self.attributes:
self.handle_attributes()
if self.references:
self.build_references()
self.parse_mitre_attack()
self.finalize_results()
@ -119,7 +117,7 @@ class JoeParser():
for protocol, layer in protocols.items():
if network.get(protocol):
for packet in network[protocol]['packet']:
timestamp = datetime.strptime(self.parse_timestamp(packet['timestamp']), '%B %d, %Y %H:%M:%S.%f')
timestamp = datetime.strptime(self.parse_timestamp(packet['timestamp']), '%b %d, %Y %H:%M:%S.%f')
connections[tuple(packet[field] for field in network_behavior_fields)][protocol].add(timestamp)
for connection, data in connections.items():
attributes = self.prefetch_attributes_data(connection)
@ -308,6 +306,8 @@ class JoeParser():
return attribute.uuid
def finalize_results(self):
if self.references:
self.build_references()
event = json.loads(self.misp_event.to_json())['Event']
self.results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])}

6
misp_modules/modules/import_mod/joe_import.py
Unescape View File

@ -24,9 +24,9 @@ def handler(q=False):
data = base64.b64decode(q.get('data')).decode('utf-8')
if not data:
return json.dumps({'success': 0})
joe_data = json.loads(data)['analysis']
joe_parser = JoeParser(joe_data)
joe_parser.parse_joe()
joe_parser = JoeParser()
joe_parser.parse_data(json.loads(data)['analysis'])
joe_parser.finalize_results()
return {'results': joe_parser.results}

Write Preview
Loading…
Cancel
Save