MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

fix: Some quick fixes 

- Fixed strptime matching because months are
  expressed in abbreviated format
- Made data loaded while the parsing function is
  called, in case it has to be called multiple
  times at some point
pull/305/head
chrisr3d 2019-06-03 18:35:58 +10:00
parent 74b73f9332
commit 0d40830a7f
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
2 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
misp_modules/lib/joe_parser.py
View File

@ -46,14 +46,14 @@ signerinfo_object_mapping = {'sigissuer': ('text', 'issuer'),
class JoeParser(): class JoeParser():
def __init__(self, data): def __init__(self):
self.data = data
self.misp_event = MISPEvent() self.misp_event = MISPEvent()
self.references = defaultdict(list) self.references = defaultdict(list)
self.attributes = defaultdict(lambda: defaultdict(set)) self.attributes = defaultdict(lambda: defaultdict(set))
self.process_references = {} self.process_references = {}
def parse_joe(self): def parse_data(self, data):
self.data = data
if self.analysis_type() == "file": if self.analysis_type() == "file":
self.parse_fileinfo() self.parse_fileinfo()
else: else:
@ -66,8 +66,6 @@ class JoeParser():
if self.attributes: if self.attributes:
self.handle_attributes() self.handle_attributes()
if self.references:
self.build_references()
self.parse_mitre_attack() self.parse_mitre_attack()
self.finalize_results() self.finalize_results()
@ -119,7 +117,7 @@ class JoeParser():
for protocol, layer in protocols.items(): for protocol, layer in protocols.items():
if network.get(protocol): if network.get(protocol):
for packet in network[protocol]['packet']: for packet in network[protocol]['packet']:
timestamp = datetime.strptime(self.parse_timestamp(packet['timestamp']), '%B %d, %Y %H:%M:%S.%f') timestamp = datetime.strptime(self.parse_timestamp(packet['timestamp']), '%b %d, %Y %H:%M:%S.%f')
connections[tuple(packet[field] for field in network_behavior_fields)][protocol].add(timestamp) connections[tuple(packet[field] for field in network_behavior_fields)][protocol].add(timestamp)
for connection, data in connections.items(): for connection, data in connections.items():
attributes = self.prefetch_attributes_data(connection) attributes = self.prefetch_attributes_data(connection)
@ -308,6 +306,8 @@ class JoeParser():
return attribute.uuid return attribute.uuid
def finalize_results(self): def finalize_results(self):
if self.references:
self.build_references()
event = json.loads(self.misp_event.to_json())['Event'] event = json.loads(self.misp_event.to_json())['Event']
self.results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])} self.results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])}

6
misp_modules/modules/import_mod/joe_import.py
View File

@ -24,9 +24,9 @@ def handler(q=False):
data = base64.b64decode(q.get('data')).decode('utf-8') data = base64.b64decode(q.get('data')).decode('utf-8')
if not data: if not data:
return json.dumps({'success': 0}) return json.dumps({'success': 0})
joe_data = json.loads(data)['analysis'] joe_parser = JoeParser()
joe_parser = JoeParser(joe_data) joe_parser.parse_data(json.loads(data)['analysis'])
joe_parser.parse_joe() joe_parser.finalize_results()
return {'results': joe_parser.results} return {'results': joe_parser.results}