mirror of https://github.com/MISP/misp-modules
commit
352f9ec2ed
|
@ -11,7 +11,7 @@ mispattributes = {'input': ['hostname', 'domain', "ip-src", "ip-dst"],
|
||||||
}
|
}
|
||||||
|
|
||||||
# possible module-types: 'expansion', 'hover' or both
|
# possible module-types: 'expansion', 'hover' or both
|
||||||
moduleinfo = {'version': '1', 'author': 'Hannah Ward',
|
moduleinfo = {'version': '', 'author': 'Hannah Ward',
|
||||||
'description': 'Get information from virustotal',
|
'description': 'Get information from virustotal',
|
||||||
'module-type': ['expansion']}
|
'module-type': ['expansion']}
|
||||||
|
|
||||||
|
@ -101,12 +101,6 @@ def findAll(data, keys):
|
||||||
|
|
||||||
return a
|
return a
|
||||||
|
|
||||||
def isset(d, key):
|
|
||||||
if key in d:
|
|
||||||
if d[key] not in [None, '', ' ']:
|
|
||||||
return True
|
|
||||||
return False
|
|
||||||
|
|
||||||
def getMoreInfo(req, key):
|
def getMoreInfo(req, key):
|
||||||
global limit
|
global limit
|
||||||
r = []
|
r = []
|
||||||
|
@ -119,16 +113,18 @@ def getMoreInfo(req, key):
|
||||||
data = requests.get("http://www.virustotal.com/vtapi/v2/file/report",
|
data = requests.get("http://www.virustotal.com/vtapi/v2/file/report",
|
||||||
params={"allinfo":1, "apikey":key, "resource":hsh}
|
params={"allinfo":1, "apikey":key, "resource":hsh}
|
||||||
).json()
|
).json()
|
||||||
if isset(data, "submission_names"):
|
|
||||||
|
# Go through each key and check if it exists
|
||||||
|
if "submission_names" in data:
|
||||||
r.append({'types':["filename"], "values":data["submission_names"]})
|
r.append({'types':["filename"], "values":data["submission_names"]})
|
||||||
|
|
||||||
if isset(data, "ssdeep"):
|
if "ssdeep" in data:
|
||||||
r.append({'types':["ssdeep"], "values":[data["ssdeep"]]})
|
r.append({'types':["ssdeep"], "values":[data["ssdeep"]]})
|
||||||
|
|
||||||
if isset(data, "authentihash"):
|
if "authentihash" in data:
|
||||||
r.append({"types":["authentihash"], "values":[data["authentihash"]]})
|
r.append({"types":["authentihash"], "values":[data["authentihash"]]})
|
||||||
|
|
||||||
if isset(data, "ITW_urls"):
|
if "ITW_urls" in data:
|
||||||
r.append({"types":["url"], "values":data["ITW_urls"]})
|
r.append({"types":["url"], "values":data["ITW_urls"]})
|
||||||
|
|
||||||
#Get the malware sample
|
#Get the malware sample
|
||||||
|
@ -136,18 +132,21 @@ def getMoreInfo(req, key):
|
||||||
params = {"hash":hsh, "apikey":key})
|
params = {"hash":hsh, "apikey":key})
|
||||||
|
|
||||||
malsample = sample.content
|
malsample = sample.content
|
||||||
r.append({"types":["malware-sample"],
|
|
||||||
"categories":["Payload delivery"],
|
# It is possible for VT to not give us any submission names
|
||||||
"values":data["submission_names"],
|
if "submission_names" in data:
|
||||||
"data": str(base64.b64encode(malsample), 'utf-8')
|
r.append({"types":["malware-sample"],
|
||||||
}
|
"categories":["Payload delivery"],
|
||||||
)
|
"values":data["submission_names"],
|
||||||
|
"data": str(base64.b64encode(malsample), 'utf-8')
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
return r
|
return r
|
||||||
|
|
||||||
def introspection():
|
def introspection():
|
||||||
return mispattributes
|
return mispattributes
|
||||||
|
|
||||||
|
|
||||||
def version():
|
def version():
|
||||||
moduleinfo['config'] = moduleconfig
|
moduleinfo['config'] = moduleconfig
|
||||||
return moduleinfo
|
return moduleinfo
|
||||||
|
|
Loading…
Reference in New Issue