MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'new_module' of github.com:MISP/misp-modules

pull/590/head
Christian Studer 2022-10-24 15:31:17 +02:00
parent f5cb8d0f57 a93b382f1f
commit 3db8fa63db
6 changed files with 130 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -86,6 +86,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
* [TruSTAR Enrich](misp_modules/modules/expansion/trustar_enrich.py) - an expansion module to enrich MISP data with [TruSTAR](https://www.trustar.co/). * [TruSTAR Enrich](misp_modules/modules/expansion/trustar_enrich.py) - an expansion module to enrich MISP data with [TruSTAR](https://www.trustar.co/).
* [urlhaus](misp_modules/modules/expansion/urlhaus.py) - Query urlhaus to get additional data about a domain, hash, hostname, ip or url. * [urlhaus](misp_modules/modules/expansion/urlhaus.py) - Query urlhaus to get additional data about a domain, hash, hostname, ip or url.
* [urlscan](misp_modules/modules/expansion/urlscan.py) - an expansion module to query [urlscan.io](https://urlscan.io). * [urlscan](misp_modules/modules/expansion/urlscan.py) - an expansion module to query [urlscan.io](https://urlscan.io).
* [variotdbs](misp_modules/modules/expansion/variotdbs.py) - an expansion module to query the [VARIoT db](https://www.variotdbs.pl) API to get more information about a Vulnerability
* [virustotal](misp_modules/modules/expansion/virustotal.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a high request rate limit required. (More details about the API: [here](https://developers.virustotal.com/reference)) * [virustotal](misp_modules/modules/expansion/virustotal.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a high request rate limit required. (More details about the API: [here](https://developers.virustotal.com/reference))
* [virustotal_public](misp_modules/modules/expansion/virustotal_public.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a public key and a low request rate limit. (More details about the API: [here](https://developers.virustotal.com/reference)) * [virustotal_public](misp_modules/modules/expansion/virustotal_public.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a public key and a low request rate limit. (More details about the API: [here](https://developers.virustotal.com/reference))
* [VMray](misp_modules/modules/expansion/vmray_submit.py) - a module to submit a sample to VMray. * [VMray](misp_modules/modules/expansion/vmray_submit.py) - a module to submit a sample to VMray.

44
documentation/README.md
View File

@ -685,6 +685,28 @@ Expansion module to fetch the html content from an url and convert it into markd
----- -----
#### [hyasinsight](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hyasinsight.py)
<img src=logos/hyas.png height=60>
HYAS Insight integration to MISP provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.
- **features**:
>This Module takes the IP Address, Domain, URL, Email, Phone Number, MD5, SHA1, Sha256, SHA512 MISP Attributes as input to query the HYAS Insight API.
> The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects.
>
>An API key is required to submit queries to the HYAS Insight API.
>
- **input**:
>A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), Email Address(email, email-src, email-dst, target-email, whois-registrant-email), Phone Number(phone-number, whois-registrant-phone), MDS(md5, x509-fingerprint-md5, ja3-fingerprint-md5, hassh-md5, hasshserver-md5), SHA1(sha1, x509-fingerprint-sha1), SHA256(sha256, x509-fingerprint-sha256), SHA512(sha512)
- **output**:
>Hyas Insight objects, resulting from the query on the HYAS Insight API.
- **references**:
>https://www.hyas.com/hyas-insight/
- **requirements**:
>A HYAS Insight API Key.
-----
#### [intel471](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py) #### [intel471](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py)
<img src=logos/intel471.png height=60> <img src=logos/intel471.png height=60>
@ -1606,6 +1628,28 @@ An expansion module to query urlscan.io.
----- -----
#### [variotdbs](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/variotdbs.py)
<img src=logos/variot.png height=60>
An expansion module to query the VARIoT db API for more information about a vulnerability.
- **features**:
>The module takes a vulnerability attribute as input and queries que VARIoT db API to gather additional information.
>
>The `vuln` endpoint is queried first to look for additional information about the vulnerability itself.
>
>The `exploits` endpoint is also queried then to look for the information of the potential related exploits, which are parsed and added to the results using the `exploit` object template.
- **input**:
>Vulnerability attribute.
- **output**:
>Additional information about the vulnerability, as it is stored on the VARIoT db, about the vulnerability itself, and the potential related exploits.
- **references**:
>https://www.variotdbs.pl/
- **requirements**:
>A VARIoT db API key (if you do not want to be limited to 100 queries / day)
-----
#### [virustotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py) #### [virustotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py)
<img src=logos/virustotal.png height=60> <img src=logos/virustotal.png height=60>

BIN
documentation/logos/variot.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 102 KiB

13
documentation/website/expansion/variotdbs.json Normal file
View File

@ -0,0 +1,13 @@
{
"description": "An expansion module to query the VARIoT db API for more information about a vulnerability.",
"logo": "variot.png",
"requirements": [
"A VARIoT db API key (if you do not want to be limited to 100 queries / day)"
],
"input": "Vulnerability attribute.",
"output": "Additional information about the vulnerability, as it is stored on the VARIoT db, about the vulnerability itself, and the potential related exploits.",
"references": [
"https://www.variotdbs.pl/"
],
"features": "The module takes a vulnerability attribute as input and queries que VARIoT db API to gather additional information.\n\nThe `vuln` endpoint is queried first to look for additional information about the vulnerability itself.\n\nThe `exploits` endpoint is also queried then to look for the information of the potential related exploits, which are parsed and added to the results using the `exploit` object template."
}

3
misp_modules/modules/expansion/__init__.py
View File

@ -18,7 +18,8 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c
'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', 'malwarebazaar', 'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', 'malwarebazaar',
'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich', 'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich',
'trustar_enrich', 'recordedfuture', 'html_to_markdown', 'socialscan', 'passive-ssh', 'trustar_enrich', 'recordedfuture', 'html_to_markdown', 'socialscan', 'passive-ssh',
'qintel_qsentry', 'mwdb', 'hashlookup', 'mmdb_lookup', 'ipqs_fraud_and_risk_scoring', 'clamav', 'jinja_template_rendering','hyasinsight'] 'qintel_qsentry', 'mwdb', 'hashlookup', 'mmdb_lookup', 'ipqs_fraud_and_risk_scoring',
'clamav', 'jinja_template_rendering','hyasinsight', 'variotdbs']
minimum_required_fields = ('type', 'uuid', 'value') minimum_required_fields = ('type', 'uuid', 'value')

85
misp_modules/modules/expansion/variotdbs.py
View File

@ -1,7 +1,7 @@
import json import json
import requests import requests
from . import check_input_attribute, standard_error_message from . import check_input_attribute, standard_error_message
from pymisp import MISPEvent, MISPObject from pymisp import MISPAttribute, MISPEvent, MISPObject
misperrors = {'error': 'Error'} misperrors = {'error': 'Error'}
mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'} mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'}
@ -20,6 +20,20 @@ class VariotdbsParser:
misp_event.add_attribute(**misp_attribute) misp_event.add_attribute(**misp_attribute)
self.__misp_attribute = misp_attribute self.__misp_attribute = misp_attribute
self.__misp_event = misp_event self.__misp_event = misp_event
self.__exploit_mapping = {
'credits': 'credit',
'exploit': 'exploit'
}
self.__exploit_multiple_mapping = {
'cve': {
'feature': 'cve_id',
'relation': 'cve-id'
},
'references': {
'feature': 'url',
'relation': 'reference'
}
}
self.__vulnerability_data_mapping = { self.__vulnerability_data_mapping = {
'credits': 'credit', 'credits': 'credit',
'description': 'description', 'description': 'description',
@ -29,9 +43,17 @@ class VariotdbsParser:
'cve': 'id', 'id': 'id' 'cve': 'id', 'id': 'id'
} }
@property
def exploit_mapping(self) -> dict:
return self.__exploit_mapping
@property
def exploit_multiple_mapping(self) -> dict:
return self.__exploit_multiple_mapping
@property @property
def misp_attribute(self) -> MISPAttribute: def misp_attribute(self) -> MISPAttribute:
return self.__attribute return self.__misp_attribute
@property @property
def misp_event(self) -> MISPEvent: def misp_event(self) -> MISPEvent:
@ -50,6 +72,26 @@ class VariotdbsParser:
results = {key: event[key] for key in ('Attribute', 'Object') if event.get(key)} results = {key: event[key] for key in ('Attribute', 'Object') if event.get(key)}
return {'results': results} return {'results': results}
def parse_exploit_information(self, query_results):
for exploit in query_results['results']:
exploit_object = MISPObject('exploit')
exploit_object.add_attribute('exploitdb-id', exploit['edb_id'])
for feature, relation in self.exploit_mapping.items():
if exploit.get(feature):
exploit_object.add_attribute(
relation,
exploit[feature]['data']
)
for feature, relation in self.exploit_multiple_mapping.items():
if exploit.get(feature):
for value in exploit[feature]['data']:
exploit_object.add_attribute(
relation['relation'],
value[relation['feature']]
)
exploit_object.add_reference(self.misp_attribute.uuid, 'related-to')
self.misp_event.add_object(exploit_object)
def parse_vulnerability_information(self, query_results): def parse_vulnerability_information(self, query_results):
vulnerability_object = MISPObject('vulnerability') vulnerability_object = MISPObject('vulnerability')
for feature, relation in self.vulnerability_flat_mapping.items(): for feature, relation in self.vulnerability_flat_mapping.items():
@ -65,13 +107,14 @@ class VariotdbsParser:
query_results[feature]['data'] query_results[feature]['data']
) )
if query_results.get('configurations', {}).get('data'): if query_results.get('configurations', {}).get('data'):
for node in query_results['configurations']['data']['nodes']: for configuration in query_results['configurations']['data']:
for cpe_match in node['cpe_match']: for node in configuration['nodes']:
if cpe_match['vulnerable']: for cpe_match in node['cpe_match']:
vulnerability_object.add_attribute( if cpe_match['vulnerable']:
'vulnerable-configuration', vulnerability_object.add_attribute(
cpe_match['cpe23Uri'] 'vulnerable-configuration',
) cpe_match['cpe23Uri']
)
if query_results.get('cvss', {}).get('data'): if query_results.get('cvss', {}).get('data'):
cvss = {} cvss = {}
for cvss_data in query_results['cvss']['data']: for cvss_data in query_results['cvss']['data']:
@ -129,15 +172,27 @@ def handler(q=False):
headers = {'Content-Type': 'application/json'} headers = {'Content-Type': 'application/json'}
if request.get('config', {}).get('API_key'): if request.get('config', {}).get('API_key'):
headers['Authorization'] = f"Token {request['config']['API_key']}" headers['Authorization'] = f"Token {request['config']['API_key']}"
empty = True
parser = VariotdbsParser(attribute)
r = requests.get(f"{variotdbs_url}/vuln/{attribute['value']}/", headers=headers) r = requests.get(f"{variotdbs_url}/vuln/{attribute['value']}/", headers=headers)
if r.status_code == 200: if r.status_code == 200:
query_results = r.json() vulnerability_results = r.json()
if not query_results: if vulnerability_results:
return {'error': 'Empty results'} parser.parse_vulnerability_information(vulnerability_results)
empty = False
else:
if r.reason != 'Not found':
return {'error': 'Error while querying the variotdbs API.'}
r = requests.get(f"{variotdbs_url}/exploits/?cve={attribute['value']}", headers=headers)
if r.status_code == 200:
exploit_results = r.json()
if exploit_results:
parser.parse_exploit_information(exploit_results)
empty = False
else: else:
return {'error': 'Error while querying the variotdbs API.'} return {'error': 'Error while querying the variotdbs API.'}
parser = VariotdbsParser(attribute, query_results) if empty:
parser.parse_vulnerability_information() return {'error': 'Empty results'}
return parser.get_results() return parser.get_results()
@ -147,4 +202,4 @@ def introspection():
def version(): def version():
moduleinfo['config'] = moduleconfig moduleinfo['config'] = moduleconfig
return moduleconfig return moduleinfo