Merge pull request #89 from Rafiot/fix_87

Improve VT support.
pull/91/head
Raphaël Vinot 2017-01-07 10:46:37 -05:00 committed by GitHub
commit 352f9ec2ed
1 changed files with 17 additions and 18 deletions


@ -11,7 +11,7 @@ mispattributes = {'input': ['hostname', 'domain', "ip-src", "ip-dst"],
} }
# possible module-types: 'expansion', 'hover' or both # possible module-types: 'expansion', 'hover' or both
moduleinfo = {'version': '1', 'author': 'Hannah Ward', moduleinfo = {'version': '', 'author': 'Hannah Ward',
'description': 'Get information from virustotal', 'description': 'Get information from virustotal',
'module-type': ['expansion']} 'module-type': ['expansion']}
@ -101,12 +101,6 @@ def findAll(data, keys):
return a return a
def isset(d, key):
if key in d:
if d[key] not in [None, '', ' ']:
return True
return False
def getMoreInfo(req, key): def getMoreInfo(req, key):
global limit global limit
r = [] r = []
@ -119,16 +113,18 @@ def getMoreInfo(req, key):
data = requests.get("http://www.virustotal.com/vtapi/v2/file/report", data = requests.get("http://www.virustotal.com/vtapi/v2/file/report",
params={"allinfo":1, "apikey":key, "resource":hsh} params={"allinfo":1, "apikey":key, "resource":hsh}
).json() ).json()
if isset(data, "submission_names"):
# Go through each key and check if it exists
if "submission_names" in data:
r.append({'types':["filename"], "values":data["submission_names"]}) r.append({'types':["filename"], "values":data["submission_names"]})
if isset(data, "ssdeep"): if "ssdeep" in data:
r.append({'types':["ssdeep"], "values":[data["ssdeep"]]}) r.append({'types':["ssdeep"], "values":[data["ssdeep"]]})
if isset(data, "authentihash"): if "authentihash" in data:
r.append({"types":["authentihash"], "values":[data["authentihash"]]}) r.append({"types":["authentihash"], "values":[data["authentihash"]]})
if isset(data, "ITW_urls"): if "ITW_urls" in data:
r.append({"types":["url"], "values":data["ITW_urls"]}) r.append({"types":["url"], "values":data["ITW_urls"]})
#Get the malware sample #Get the malware sample
@ -136,18 +132,21 @@ def getMoreInfo(req, key):
params = {"hash":hsh, "apikey":key}) params = {"hash":hsh, "apikey":key})
malsample = sample.content malsample = sample.content
r.append({"types":["malware-sample"],
"categories":["Payload delivery"], # It is possible for VT to not give us any submission names
"values":data["submission_names"], if "submission_names" in data:
"data": str(base64.b64encode(malsample), 'utf-8') r.append({"types":["malware-sample"],
} "categories":["Payload delivery"],
) "values":data["submission_names"],
"data": str(base64.b64encode(malsample), 'utf-8')
}
)
return r return r
def introspection(): def introspection():
return mispattributes return mispattributes
def version(): def version():
moduleinfo['config'] = moduleconfig moduleinfo['config'] = moduleconfig
return moduleinfo return moduleinfo
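Review bot: The new `if "submission_names" in data:` guard around the malware-sample attribute checks the report metadata but not whether the download two lines above actually succeeded, so a non-200 body in `sample.content` (an error page, for instance) would still be base64-encoded and attached as a malware sample; gate on the response as well, `if sample.status_code == 200 and "submission_names" in data:`. In the previous hunk, replacing `isset(data, "ssdeep")` with `"ssdeep" in data` (likewise for `authentihash` and `ITW_urls`) no longer filters out `None` or empty values, so a null field in the report is now emitted as `"values": [None]`; if that was not intended, `if data.get("ssdeep"):` keeps the old filtering without the helper. Unrelated to this change but visible in the context lines, the report request goes to a plain `http://` URL with the API key in the query string, so the key travels in cleartext; the same v2 endpoint is served over `https://`. getMoreInfo begins outside these hunks.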