Merge branch 'new_module' of github.com:MISP/misp-modules

README.md

@@ -86,6 +86,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
 * [TruSTAR Enrich](misp_modules/modules/expansion/trustar_enrich.py) - an expansion module to enrich MISP data with [TruSTAR](https://www.trustar.co/).
 * [urlhaus](misp_modules/modules/expansion/urlhaus.py) - Query urlhaus to get additional data about a domain, hash, hostname, ip or url.
 * [urlscan](misp_modules/modules/expansion/urlscan.py) - an expansion module to query [urlscan.io](https://urlscan.io).
+* [variotdbs](misp_modules/modules/expansion/variotdbs.py) - an expansion module to query the [VARIoT db](https://www.variotdbs.pl) API to get more information about a Vulnerability
 * [virustotal](misp_modules/modules/expansion/virustotal.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a high request rate limit required. (More details about the API: [here](https://developers.virustotal.com/reference))
 * [virustotal_public](misp_modules/modules/expansion/virustotal_public.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a public key and a low request rate limit. (More details about the API: [here](https://developers.virustotal.com/reference))
 * [VMray](misp_modules/modules/expansion/vmray_submit.py) - a module to submit a sample to VMray.

documentation/README.md

@@ -685,6 +685,28 @@ Expansion module to fetch the html content from an url and convert it into markd
 
 -----
 
+#### [hyasinsight](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hyasinsight.py)
+
+<img src=logos/hyas.png height=60>
+
+HYAS Insight integration to MISP provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.
+- **features**:
+>This Module takes the IP Address, Domain, URL, Email, Phone Number, MD5, SHA1, Sha256, SHA512 MISP Attributes as input to query the HYAS Insight API.
+> The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects. 
+>
+>An API key is required to submit queries to the HYAS Insight API.
+>
+- **input**:
+>A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), Email Address(email, email-src, email-dst, target-email, whois-registrant-email), Phone Number(phone-number, whois-registrant-phone), MDS(md5, x509-fingerprint-md5, ja3-fingerprint-md5, hassh-md5, hasshserver-md5), SHA1(sha1, x509-fingerprint-sha1), SHA256(sha256, x509-fingerprint-sha256), SHA512(sha512)
+- **output**:
+>Hyas Insight objects, resulting from the query on the HYAS Insight API.
+- **references**:
+>https://www.hyas.com/hyas-insight/
+- **requirements**:
+>A HYAS Insight API Key.
+
+-----
+
 #### [intel471](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py)
 
 <img src=logos/intel471.png height=60>
@@ -1606,6 +1628,28 @@ An expansion module to query urlscan.io.
 
 -----
 
+#### [variotdbs](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/variotdbs.py)
+
+<img src=logos/variot.png height=60>
+
+An expansion module to query the VARIoT db API for more information about a vulnerability.
+- **features**:
+>The module takes a vulnerability attribute as input and queries que VARIoT db API to gather additional information.
+>
+>The `vuln` endpoint is queried first to look for additional information about the vulnerability itself.
+>
+>The `exploits` endpoint is also queried then to look for the information of the potential related exploits, which are parsed and added to the results using the `exploit` object template.
+- **input**:
+>Vulnerability attribute.
+- **output**:
+>Additional information about the vulnerability, as it is stored on the VARIoT db, about the vulnerability itself, and the potential related exploits.
+- **references**:
+>https://www.variotdbs.pl/
+- **requirements**:
+>A VARIoT db API key (if you do not want to be limited to 100 queries / day)
+
+-----
+
 #### [virustotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py)
 
 <img src=logos/virustotal.png height=60>

documentation/website/expansion/variotdbs.json

@@ -0,0 +1,13 @@
+{
+    "description": "An expansion module to query the VARIoT db API for more information about a vulnerability.",
+    "logo": "variot.png",
+    "requirements": [
+        "A VARIoT db API key (if you do not want to be limited to 100 queries / day)"
+    ],
+    "input": "Vulnerability attribute.",
+    "output": "Additional information about the vulnerability, as it is stored on the VARIoT db, about the vulnerability itself, and the potential related exploits.",
+    "references": [
+        "https://www.variotdbs.pl/"
+    ],
+    "features": "The module takes a vulnerability attribute as input and queries que VARIoT db API to gather additional information.\n\nThe `vuln` endpoint is queried first to look for additional information about the vulnerability itself.\n\nThe `exploits` endpoint is also queried then to look for the information of the potential related exploits, which are parsed and added to the results using the `exploit` object template."
+}

misp_modules/modules/expansion/__init__.py

@@ -18,7 +18,8 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c
            'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', 'malwarebazaar',
            'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich',
            'trustar_enrich', 'recordedfuture', 'html_to_markdown', 'socialscan', 'passive-ssh',
-           'qintel_qsentry', 'mwdb', 'hashlookup', 'mmdb_lookup', 'ipqs_fraud_and_risk_scoring', 'clamav', 'jinja_template_rendering','hyasinsight']
+           'qintel_qsentry', 'mwdb', 'hashlookup', 'mmdb_lookup', 'ipqs_fraud_and_risk_scoring',
+           'clamav', 'jinja_template_rendering','hyasinsight', 'variotdbs']
 
 
 minimum_required_fields = ('type', 'uuid', 'value')

misp_modules/modules/expansion/variotdbs.py

@@ -1,7 +1,7 @@
 import json
 import requests
 from . import check_input_attribute, standard_error_message
-from pymisp import MISPEvent, MISPObject
+from pymisp import MISPAttribute, MISPEvent, MISPObject
 
 misperrors = {'error': 'Error'}
 mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'}
@@ -20,6 +20,20 @@ class VariotdbsParser:
         misp_event.add_attribute(**misp_attribute)
         self.__misp_attribute = misp_attribute
         self.__misp_event = misp_event
+        self.__exploit_mapping = {
+            'credits': 'credit',
+            'exploit': 'exploit'
+        }
+        self.__exploit_multiple_mapping = {
+            'cve': {
+                'feature': 'cve_id',
+                'relation': 'cve-id'
+            },
+            'references': {
+                'feature': 'url',
+                'relation': 'reference'
+            }
+        }
         self.__vulnerability_data_mapping = {
             'credits': 'credit',
             'description': 'description',
@@ -29,9 +43,17 @@ class VariotdbsParser:
             'cve': 'id', 'id': 'id'
         }
 
+    @property
+    def exploit_mapping(self) -> dict:
+        return self.__exploit_mapping
+
+    @property
+    def exploit_multiple_mapping(self) -> dict:
+        return self.__exploit_multiple_mapping
+
     @property
     def misp_attribute(self) -> MISPAttribute:
-        return self.__attribute
+        return self.__misp_attribute
 
     @property
     def misp_event(self) -> MISPEvent:
@@ -50,6 +72,26 @@ class VariotdbsParser:
         results = {key: event[key] for key in ('Attribute', 'Object') if event.get(key)}
         return {'results': results}
 
+    def parse_exploit_information(self, query_results):
+        for exploit in query_results['results']:
+            exploit_object = MISPObject('exploit')
+            exploit_object.add_attribute('exploitdb-id', exploit['edb_id'])
+            for feature, relation in self.exploit_mapping.items():
+                if exploit.get(feature):
+                    exploit_object.add_attribute(
+                        relation,
+                        exploit[feature]['data']
+                    )
+            for feature, relation in self.exploit_multiple_mapping.items():
+                if exploit.get(feature):
+                    for value in exploit[feature]['data']:
+                        exploit_object.add_attribute(
+                            relation['relation'],
+                            value[relation['feature']]
+                        )
+            exploit_object.add_reference(self.misp_attribute.uuid, 'related-to')
+            self.misp_event.add_object(exploit_object)
+
     def parse_vulnerability_information(self, query_results):
         vulnerability_object = MISPObject('vulnerability')
         for feature, relation in self.vulnerability_flat_mapping.items():
@@ -65,13 +107,14 @@ class VariotdbsParser:
                     query_results[feature]['data']
                 )
         if query_results.get('configurations', {}).get('data'):
-            for node in query_results['configurations']['data']['nodes']:
-                for cpe_match in node['cpe_match']:
-                    if cpe_match['vulnerable']:
-                        vulnerability_object.add_attribute(
-                            'vulnerable-configuration',
-                            cpe_match['cpe23Uri']
-                        )
+            for configuration in query_results['configurations']['data']:
+                for node in configuration['nodes']:
+                    for cpe_match in node['cpe_match']:
+                        if cpe_match['vulnerable']:
+                            vulnerability_object.add_attribute(
+                                'vulnerable-configuration',
+                                cpe_match['cpe23Uri']
+                            )
         if query_results.get('cvss', {}).get('data'):
             cvss = {}
             for cvss_data in query_results['cvss']['data']:
@@ -129,15 +172,27 @@ def handler(q=False):
     headers = {'Content-Type': 'application/json'}
     if request.get('config', {}).get('API_key'):
         headers['Authorization'] = f"Token {request['config']['API_key']}"
+    empty = True
+    parser = VariotdbsParser(attribute)
     r = requests.get(f"{variotdbs_url}/vuln/{attribute['value']}/", headers=headers)
     if r.status_code == 200:
-        query_results = r.json()
-        if not query_results:
-            return {'error': 'Empty results'}
+        vulnerability_results = r.json()
+        if vulnerability_results:
+            parser.parse_vulnerability_information(vulnerability_results)
+            empty = False
+    else:
+        if r.reason != 'Not found':
+            return {'error': 'Error while querying the variotdbs API.'}
+    r = requests.get(f"{variotdbs_url}/exploits/?cve={attribute['value']}", headers=headers)
+    if r.status_code == 200:
+        exploit_results = r.json()
+        if exploit_results:
+            parser.parse_exploit_information(exploit_results)
+            empty = False
     else:
         return {'error': 'Error while querying the variotdbs API.'}
-    parser = VariotdbsParser(attribute, query_results)
-    parser.parse_vulnerability_information()
+    if empty:
+        return {'error': 'Empty results'}
     return parser.get_results()
 
 
@@ -147,4 +202,4 @@ def introspection():
 
 def version():
     moduleinfo['config'] = moduleconfig
-    return moduleconfig
+    return moduleinfo