add: Starting parsing dropped files

pull/304/head
chrisr3d 2019-05-21 23:37:53 +02:00
parent 417c306ace
commit 191034d311
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 24 additions and 6 deletions


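--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -15,6 +15,11 @@ moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
 moduleconfig = []
+dropped_file_mapping = {'@entropy': ('float', 'entropy'),
+                        '@file': ('filename', 'filename'),
+                        '@size': ('size-in-bytes', 'size-in-bytes'),
+                        '@type': ('mime-type', 'mimetype')}
+dropped_hash_mapping = {'MD5': 'md5', 'SHA': 'sha1', 'SHA-256': 'sha256', 'SHA-512': 'sha512'}
 file_object_fields = ['filename', 'md5', 'sha1', 'sha256', 'sha512', 'ssdeep']
 file_object_mapping = {'entropy': ('float', 'entropy'),
                        'filesize': ('size-in-bytes', 'size-in-bytes'),
@@ -58,7 +63,9 @@ class JoeParser():
     def parse_joe(self):
         self.parse_fileinfo()
-        self.parse_behavior()
+        self.parse_system_behavior()
+        self.parse_network_behavior()
+        self.parse_dropped_files()
         if self.attributes:
             self.handle_attributes()
         if self.references:
@@ -80,11 +87,22 @@ class JoeParser():
             source_uuid, relationship = reference
             self.references[source_uuid].append({'idref': attribute_uuid, 'relationship': relationship})
-    def parse_behavior(self):
-        self.parse_behavior_system()
-        self.parse_behavior_network()
+    def parse_dropped_files(self):
+        droppedinfo = self.data['droppedinfo']
+        if droppedinfo:
+            for droppedfile in droppedinfo['hash']:
+                file_object = MISPObject('file')
+                for key, mapping in dropped_file_mapping.items():
+                    attribute_type, object_relation = mapping
+                    file_object.add_attribute(object_relation, **{'type': attribute_type, 'value': droppedfile[key]})
+                if droppedfile['@malicious'] == 'true':
+                    file_object.add_attribute('state', **{'type': 'text', 'value': 'Malicious'})
+                for h in droppedfile['value']:
+                    hash_type = dropped_hash_mapping[h['@algo']]
+                    file_object.add_attribute(hash_type, **{'type': hash_type, 'value': h['$']})
+                self.misp_event.add_object(**file_object)
-    def parse_behavior_network(self):
+    def parse_network_behavior(self):
         network = self.data['behavior']['network']
         connections = defaultdict(lambda: defaultdict(set))
         for protocol, layer in protocols.items():
@@ -114,7 +132,7 @@ class JoeParser():
             self.misp_event.add_object(**network_connection_object)
             self.references[self.fileinfo_uuid].append({'idref': network_connection_object.uuid, 'relationship': 'initiates'})
-    def parse_behavior_system(self):
+    def parse_system_behavior(self):
         system = self.data['behavior']['system']
         if system.get('processes'):
             process_activities = {'fileactivities': self.parse_fileactivities,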
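Review bot: In the new `parse_dropped_files`, `droppedinfo['hash']` is iterated as a list and every `@algo` is looked up with `dropped_hash_mapping[h['@algo']]`, so an algorithm missing from the mapping raises KeyError and aborts the whole import, and if the report is parsed xmltodict-style (the `@`/`$` keys suggest so) a report with exactly one dropped file yields a dict here instead of a list, so the loop would walk its keys and `droppedfile[key]` would fail. `self.data['droppedinfo']` also raises when the section is absent, whereas the sibling `parse_system_behavior` guards with `system.get('processes')`, and `parse_joe` now calls this method unconditionally. Unlike `parse_network_behavior`, which records an `initiates` reference from `self.fileinfo_uuid`, the dropped-file objects are added with no reference back to the analysed sample, so that relationship is lost in the event. The sketch below normalises the single-element case, skips unmapped algorithms instead of aborting, and adds a reference (the relationship name is a suggestion to check against the project's relationship list).
```python
def parse_dropped_files(self):
    droppedinfo = self.data.get('droppedinfo')
    if not droppedinfo:
        return
    dropped = droppedinfo['hash']
    if not isinstance(dropped, list):  # a single element arrives as a dict, not a list
        dropped = [dropped]
    for droppedfile in dropped:
        file_object = MISPObject('file')
        # … unchanged: dropped_file_mapping attributes and the @malicious state …
        for h in droppedfile['value']:
            hash_type = dropped_hash_mapping.get(h['@algo'])
            if hash_type is None:
                continue  # unmapped algorithm: skip it rather than abort the import
            file_object.add_attribute(hash_type, **{'type': hash_type, 'value': h['$']})
        self.misp_event.add_object(**file_object)
        self.references[self.fileinfo_uuid].append({'idref': file_object.uuid, 'relationship': 'drops'})
```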