Merge branch 'main' of https://github.com/cudeso/misp-modules into cudeso-main

pull/701/head
Alexandre Dulaunoy 2024-10-29 06:22:35 +01:00
commit 1a2c7f0f82
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 32 additions and 34 deletions

View File

@ -5,30 +5,22 @@ from pymisp import MISPEvent, MISPObject
misperrors = {'error': 'Error'} misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'], 'format': 'misp_standard'} mispattributes = {'input': ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'], 'format': 'misp_standard'}
moduleinfo = { moduleinfo = {'version': '1', 'author': 'Jeroen Pinoy',
'version': '1', 'description': "An expansion module to enrich an ip with geolocation and asn information from an mmdb server "
'author': 'Jeroen Pinoy', "such as ip.circl.lu.",
'description': "A hover and expansion module to enrich an ip with geolocation and ASN information from an mmdb server instance, such as CIRCL's ip.circl.lu.", 'module-type': ['expansion', 'hover']}
'module-type': ['expansion', 'hover'], moduleconfig = ["custom_API", "db_source_filter", "max_country_info_qt"]
'name': 'GeoIP Enrichment',
'logo': 'circl.png',
'requirements': [],
'features': 'The module takes an IP address related attribute as input.\n It queries the public CIRCL.lu mmdb-server instance, available at ip.circl.lu, by default. The module can be configured with a custom mmdb server url if required.\n It is also possible to filter results on 1 db_source by configuring db_source_filter.',
'references': ['https://data.public.lu/fr/datasets/geo-open-ip-address-geolocation-per-country-in-mmdb-format/', 'https://github.com/adulau/mmdb-server'],
'input': 'An IP address attribute (for example ip-src or ip-src|port).',
'output': 'Geolocation and asn objects.',
}
moduleconfig = ["custom_API", "db_source_filter"]
mmdblookup_url = 'https://ip.circl.lu/' mmdblookup_url = 'https://ip.circl.lu/'
class MmdbLookupParser(): class MmdbLookupParser():
def __init__(self, attribute, mmdblookupresult, api_url): def __init__(self, attribute, mmdblookupresult, api_url, max_country_info_qt=0):
self.attribute = attribute self.attribute = attribute
self.mmdblookupresult = mmdblookupresult self.mmdblookupresult = mmdblookupresult
self.api_url = api_url self.api_url = api_url
self.misp_event = MISPEvent() self.misp_event = MISPEvent()
self.misp_event.add_attribute(**attribute) self.misp_event.add_attribute(**attribute)
self.max_country_info_qt = int(max_country_info_qt)
def get_result(self): def get_result(self):
event = json.loads(self.misp_event.to_json()) event = json.loads(self.misp_event.to_json())
@ -37,8 +29,10 @@ class MmdbLookupParser():
def parse_mmdblookup_information(self): def parse_mmdblookup_information(self):
# There is a chance some db's have a hit while others don't so we have to check if entry is empty each time # There is a chance some db's have a hit while others don't so we have to check if entry is empty each time
country_info_qt = 0
for result_entry in self.mmdblookupresult: for result_entry in self.mmdblookupresult:
if result_entry['country_info']: if result_entry['country_info']:
if (self.max_country_info_qt == 0) or (self.max_country_info_qt > 0 and country_info_qt < self.max_country_info_qt):
mmdblookup_object = MISPObject('geolocation') mmdblookup_object = MISPObject('geolocation')
mmdblookup_object.add_attribute('country', mmdblookup_object.add_attribute('country',
**{'type': 'text', 'value': result_entry['country_info']['Country']}) **{'type': 'text', 'value': result_entry['country_info']['Country']})
@ -57,6 +51,7 @@ class MmdbLookupParser():
result_entry['meta']['build_db'])}) result_entry['meta']['build_db'])})
mmdblookup_object.add_reference(self.attribute['uuid'], 'related-to') mmdblookup_object.add_reference(self.attribute['uuid'], 'related-to')
self.misp_event.add_object(mmdblookup_object) self.misp_event.add_object(mmdblookup_object)
country_info_qt += 1
if 'AutonomousSystemNumber' in result_entry['country']: if 'AutonomousSystemNumber' in result_entry['country']:
mmdblookup_object_asn = MISPObject('asn') mmdblookup_object_asn = MISPObject('asn')
mmdblookup_object_asn.add_attribute('asn', mmdblookup_object_asn.add_attribute('asn',
@ -96,6 +91,9 @@ def handler(q=False):
else: else:
misperrors['error'] = 'There is no attribute of type ip-src or ip-dst provided as input' misperrors['error'] = 'There is no attribute of type ip-src or ip-dst provided as input'
return misperrors return misperrors
max_country_info_qt = request['config'].get('max_country_info_qt', 0)
if max_country_info_qt is None:
max_country_info_qt = 0
api_url = check_url(request['config']['custom_API']) if 'config' in request and request['config'].get( api_url = check_url(request['config']['custom_API']) if 'config' in request and request['config'].get(
'custom_API') else mmdblookup_url 'custom_API') else mmdblookup_url
r = requests.get("{}/geolookup/{}".format(api_url, toquery)) r = requests.get("{}/geolookup/{}".format(api_url, toquery))
@ -123,7 +121,7 @@ def handler(q=False):
else: else:
misperrors['error'] = 'API not accessible - http status code {} was returned'.format(r.status_code) misperrors['error'] = 'API not accessible - http status code {} was returned'.format(r.status_code)
return misperrors return misperrors
parser = MmdbLookupParser(attribute, mmdblookupresult, api_url) parser = MmdbLookupParser(attribute, mmdblookupresult, api_url, max_country_info_qt)
parser.parse_mmdblookup_information() parser.parse_mmdblookup_information()
result = parser.get_result() result = parser.get_result()
return result return result