Merge pull request #89 from Rafiot/fix_87

Improve VT support.
2017-01-07 10:46:37 -05:00 · 2017-01-07 10:46:37 -05:00 · 352f9ec2ed
parent 15c3f0d482 727f302dd1
commit 352f9ec2ed
1 changed files with 17 additions and 18 deletions
--- a/misp_modules/modules/expansion/virustotal.py
+++ b/misp_modules/modules/expansion/virustotal.py
@ -11,7 +11,7 @@ mispattributes = {'input': ['hostname', 'domain', "ip-src", "ip-dst"],
                  }

 # possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '1', 'author': 'Hannah Ward',
+moduleinfo = {'version': '', 'author': 'Hannah Ward',
              'description': 'Get information from virustotal',
              'module-type': ['expansion']}

@ -101,12 +101,6 @@ def findAll(data, keys):
    
  return a 

-def isset(d, key):
-    if key in d:
-      if  d[key] not in [None, '', ' ']:
-        return True
-    return False
-
 def getMoreInfo(req, key):
    global limit
    r = []
@ -119,16 +113,18 @@ def getMoreInfo(req, key):
      data = requests.get("http://www.virustotal.com/vtapi/v2/file/report",
                          params={"allinfo":1, "apikey":key, "resource":hsh}
                         ).json()
-      if isset(data, "submission_names"):
+
+      # Go through each key and check if it exists
+      if "submission_names" in data:
        r.append({'types':["filename"], "values":data["submission_names"]})

-      if isset(data, "ssdeep"):
+      if "ssdeep" in data:
        r.append({'types':["ssdeep"], "values":[data["ssdeep"]]})

-      if isset(data, "authentihash"):
+      if "authentihash" in data:
        r.append({"types":["authentihash"], "values":[data["authentihash"]]})

-      if isset(data, "ITW_urls"):
+      if "ITW_urls" in data:
        r.append({"types":["url"], "values":data["ITW_urls"]})

      #Get the malware sample
@ -136,18 +132,21 @@ def getMoreInfo(req, key):
                            params = {"hash":hsh, "apikey":key})
      
      malsample = sample.content
-      r.append({"types":["malware-sample"], 
-                "categories":["Payload delivery"],
-                "values":data["submission_names"],
-                "data": str(base64.b64encode(malsample), 'utf-8')
-                }
-              )  
+
+      # It is possible for VT to not give us any submission names
+      if "submission_names" in data:
+        r.append({"types":["malware-sample"], 
+                  "categories":["Payload delivery"],
+                  "values":data["submission_names"],
+                  "data": str(base64.b64encode(malsample), 'utf-8')
+                  }
+                )
+    
    return r

 def introspection():
    return mispattributes

-
 def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo