MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

add: [variotdbs] Added the exploit information parsing 

- Following a recent change on the variotdbs API
  allowing requests to get exploits information
  base on a CVE number
pull/603/head
Christian Studer 2022-10-24 15:01:54 +02:00
parent 98031beeae
commit 153ca8d3d4
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 50 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
misp_modules/modules/expansion/variotdbs.py
View File

@ -20,6 +20,20 @@ class VariotdbsParser:
misp_event.add_attribute(**misp_attribute) misp_event.add_attribute(**misp_attribute)
self.__misp_attribute = misp_attribute self.__misp_attribute = misp_attribute
self.__misp_event = misp_event self.__misp_event = misp_event
self.__exploit_mapping = {
'credits': 'credit',
'exploit': 'exploit'
}
self.__exploit_multiple_mapping = {
'cve': {
'feature': 'cve_id',
'relation': 'cve-id'
},
'references': {
'feature': 'url',
'relation': 'reference'
}
}
self.__vulnerability_data_mapping = { self.__vulnerability_data_mapping = {
'credits': 'credit', 'credits': 'credit',
'description': 'description', 'description': 'description',
@ -29,6 +43,14 @@ class VariotdbsParser:
'cve': 'id', 'id': 'id' 'cve': 'id', 'id': 'id'
} }
@property
def exploit_mapping(self) -> dict:
return self.__exploit_mapping
@property
def exploit_multiple_mapping(self) -> dict:
return self.__exploit_multiple_mapping
@property @property
def misp_attribute(self) -> MISPAttribute: def misp_attribute(self) -> MISPAttribute:
return self.__misp_attribute return self.__misp_attribute
@ -50,6 +72,26 @@ class VariotdbsParser:
results = {key: event[key] for key in ('Attribute', 'Object') if event.get(key)} results = {key: event[key] for key in ('Attribute', 'Object') if event.get(key)}
return {'results': results} return {'results': results}
def parse_exploit_information(self, query_results):
for exploit in query_results['results']:
exploit_object = MISPObject('exploit')
exploit_object.add_attribute('exploitdb-id', exploit['edb_id'])
for feature, relation in self.exploit_mapping.items():
if exploit.get(feature):
exploit_object.add_attribute(
relation,
exploit[feature]['data']
)
for feature, relation in self.exploit_multiple_mapping.items():
if exploit.get(feature):
for value in exploit[feature]['data']:
exploit_object.add_attribute(
relation['relation'],
value[relation['feature']]
)
exploit_object.add_reference(self.misp_attribute.uuid, 'related-to')
self.misp_event.add_object(exploit_object)
def parse_vulnerability_information(self, query_results): def parse_vulnerability_information(self, query_results):
vulnerability_object = MISPObject('vulnerability') vulnerability_object = MISPObject('vulnerability')
for feature, relation in self.vulnerability_flat_mapping.items(): for feature, relation in self.vulnerability_flat_mapping.items():
@ -141,6 +183,14 @@ def handler(q=False):
else: else:
if r.reason != 'Not found': if r.reason != 'Not found':
return {'error': 'Error while querying the variotdbs API.'} return {'error': 'Error while querying the variotdbs API.'}
r = requests.get(f"{variotdbs_url}/exploits/?cve={attribute['value']}", headers=headers)
if r.status_code == 200:
exploit_results = r.json()
if exploit_results:
parser.parse_exploit_information(exploit_results)
empty = False
else:
return {'error': 'Error while querying the variotdbs API.'}
if empty: if empty:
return {'error': 'Empty results'} return {'error': 'Empty results'}
return parser.get_results() return parser.get_results()