mirror of https://github.com/MISP/misp-modules
Merge branch 'new_module' of github.com:MISP/misp-modules
commit
3db8fa63db
|
@ -86,6 +86,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
|
|||
* [TruSTAR Enrich](misp_modules/modules/expansion/trustar_enrich.py) - an expansion module to enrich MISP data with [TruSTAR](https://www.trustar.co/).
|
||||
* [urlhaus](misp_modules/modules/expansion/urlhaus.py) - Query urlhaus to get additional data about a domain, hash, hostname, ip or url.
|
||||
* [urlscan](misp_modules/modules/expansion/urlscan.py) - an expansion module to query [urlscan.io](https://urlscan.io).
|
||||
* [variotdbs](misp_modules/modules/expansion/variotdbs.py) - an expansion module to query the [VARIoT db](https://www.variotdbs.pl) API to get more information about a Vulnerability
|
||||
* [virustotal](misp_modules/modules/expansion/virustotal.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a high request rate limit required. (More details about the API: [here](https://developers.virustotal.com/reference))
|
||||
* [virustotal_public](misp_modules/modules/expansion/virustotal_public.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a public key and a low request rate limit. (More details about the API: [here](https://developers.virustotal.com/reference))
|
||||
* [VMray](misp_modules/modules/expansion/vmray_submit.py) - a module to submit a sample to VMray.
|
||||
|
|
|
@ -685,6 +685,28 @@ Expansion module to fetch the html content from an url and convert it into markd
|
|||
|
||||
-----
|
||||
|
||||
#### [hyasinsight](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hyasinsight.py)
|
||||
|
||||
<img src=logos/hyas.png height=60>
|
||||
|
||||
HYAS Insight integration to MISP provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.
|
||||
- **features**:
|
||||
>This Module takes the IP Address, Domain, URL, Email, Phone Number, MD5, SHA1, Sha256, SHA512 MISP Attributes as input to query the HYAS Insight API.
|
||||
> The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects.
|
||||
>
|
||||
>An API key is required to submit queries to the HYAS Insight API.
|
||||
>
|
||||
- **input**:
|
||||
>A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), Email Address(email, email-src, email-dst, target-email, whois-registrant-email), Phone Number(phone-number, whois-registrant-phone), MDS(md5, x509-fingerprint-md5, ja3-fingerprint-md5, hassh-md5, hasshserver-md5), SHA1(sha1, x509-fingerprint-sha1), SHA256(sha256, x509-fingerprint-sha256), SHA512(sha512)
|
||||
- **output**:
|
||||
>Hyas Insight objects, resulting from the query on the HYAS Insight API.
|
||||
- **references**:
|
||||
>https://www.hyas.com/hyas-insight/
|
||||
- **requirements**:
|
||||
>A HYAS Insight API Key.
|
||||
|
||||
-----
|
||||
|
||||
#### [intel471](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/intel471.py)
|
||||
|
||||
<img src=logos/intel471.png height=60>
|
||||
|
@ -1606,6 +1628,28 @@ An expansion module to query urlscan.io.
|
|||
|
||||
-----
|
||||
|
||||
#### [variotdbs](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/variotdbs.py)
|
||||
|
||||
<img src=logos/variot.png height=60>
|
||||
|
||||
An expansion module to query the VARIoT db API for more information about a vulnerability.
|
||||
- **features**:
|
||||
>The module takes a vulnerability attribute as input and queries que VARIoT db API to gather additional information.
|
||||
>
|
||||
>The `vuln` endpoint is queried first to look for additional information about the vulnerability itself.
|
||||
>
|
||||
>The `exploits` endpoint is also queried then to look for the information of the potential related exploits, which are parsed and added to the results using the `exploit` object template.
|
||||
- **input**:
|
||||
>Vulnerability attribute.
|
||||
- **output**:
|
||||
>Additional information about the vulnerability, as it is stored on the VARIoT db, about the vulnerability itself, and the potential related exploits.
|
||||
- **references**:
|
||||
>https://www.variotdbs.pl/
|
||||
- **requirements**:
|
||||
>A VARIoT db API key (if you do not want to be limited to 100 queries / day)
|
||||
|
||||
-----
|
||||
|
||||
#### [virustotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/virustotal.py)
|
||||
|
||||
<img src=logos/virustotal.png height=60>
|
||||
|
|
Binary file not shown.
After Width: | Height: | Size: 102 KiB |
|
@ -0,0 +1,13 @@
|
|||
{
|
||||
"description": "An expansion module to query the VARIoT db API for more information about a vulnerability.",
|
||||
"logo": "variot.png",
|
||||
"requirements": [
|
||||
"A VARIoT db API key (if you do not want to be limited to 100 queries / day)"
|
||||
],
|
||||
"input": "Vulnerability attribute.",
|
||||
"output": "Additional information about the vulnerability, as it is stored on the VARIoT db, about the vulnerability itself, and the potential related exploits.",
|
||||
"references": [
|
||||
"https://www.variotdbs.pl/"
|
||||
],
|
||||
"features": "The module takes a vulnerability attribute as input and queries que VARIoT db API to gather additional information.\n\nThe `vuln` endpoint is queried first to look for additional information about the vulnerability itself.\n\nThe `exploits` endpoint is also queried then to look for the information of the potential related exploits, which are parsed and added to the results using the `exploit` object template."
|
||||
}
|
|
@ -18,7 +18,8 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c
|
|||
'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', 'malwarebazaar',
|
||||
'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich',
|
||||
'trustar_enrich', 'recordedfuture', 'html_to_markdown', 'socialscan', 'passive-ssh',
|
||||
'qintel_qsentry', 'mwdb', 'hashlookup', 'mmdb_lookup', 'ipqs_fraud_and_risk_scoring', 'clamav', 'jinja_template_rendering','hyasinsight']
|
||||
'qintel_qsentry', 'mwdb', 'hashlookup', 'mmdb_lookup', 'ipqs_fraud_and_risk_scoring',
|
||||
'clamav', 'jinja_template_rendering','hyasinsight', 'variotdbs']
|
||||
|
||||
|
||||
minimum_required_fields = ('type', 'uuid', 'value')
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
import json
|
||||
import requests
|
||||
from . import check_input_attribute, standard_error_message
|
||||
from pymisp import MISPEvent, MISPObject
|
||||
from pymisp import MISPAttribute, MISPEvent, MISPObject
|
||||
|
||||
misperrors = {'error': 'Error'}
|
||||
mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'}
|
||||
|
@ -20,6 +20,20 @@ class VariotdbsParser:
|
|||
misp_event.add_attribute(**misp_attribute)
|
||||
self.__misp_attribute = misp_attribute
|
||||
self.__misp_event = misp_event
|
||||
self.__exploit_mapping = {
|
||||
'credits': 'credit',
|
||||
'exploit': 'exploit'
|
||||
}
|
||||
self.__exploit_multiple_mapping = {
|
||||
'cve': {
|
||||
'feature': 'cve_id',
|
||||
'relation': 'cve-id'
|
||||
},
|
||||
'references': {
|
||||
'feature': 'url',
|
||||
'relation': 'reference'
|
||||
}
|
||||
}
|
||||
self.__vulnerability_data_mapping = {
|
||||
'credits': 'credit',
|
||||
'description': 'description',
|
||||
|
@ -29,9 +43,17 @@ class VariotdbsParser:
|
|||
'cve': 'id', 'id': 'id'
|
||||
}
|
||||
|
||||
@property
|
||||
def exploit_mapping(self) -> dict:
|
||||
return self.__exploit_mapping
|
||||
|
||||
@property
|
||||
def exploit_multiple_mapping(self) -> dict:
|
||||
return self.__exploit_multiple_mapping
|
||||
|
||||
@property
|
||||
def misp_attribute(self) -> MISPAttribute:
|
||||
return self.__attribute
|
||||
return self.__misp_attribute
|
||||
|
||||
@property
|
||||
def misp_event(self) -> MISPEvent:
|
||||
|
@ -50,6 +72,26 @@ class VariotdbsParser:
|
|||
results = {key: event[key] for key in ('Attribute', 'Object') if event.get(key)}
|
||||
return {'results': results}
|
||||
|
||||
def parse_exploit_information(self, query_results):
|
||||
for exploit in query_results['results']:
|
||||
exploit_object = MISPObject('exploit')
|
||||
exploit_object.add_attribute('exploitdb-id', exploit['edb_id'])
|
||||
for feature, relation in self.exploit_mapping.items():
|
||||
if exploit.get(feature):
|
||||
exploit_object.add_attribute(
|
||||
relation,
|
||||
exploit[feature]['data']
|
||||
)
|
||||
for feature, relation in self.exploit_multiple_mapping.items():
|
||||
if exploit.get(feature):
|
||||
for value in exploit[feature]['data']:
|
||||
exploit_object.add_attribute(
|
||||
relation['relation'],
|
||||
value[relation['feature']]
|
||||
)
|
||||
exploit_object.add_reference(self.misp_attribute.uuid, 'related-to')
|
||||
self.misp_event.add_object(exploit_object)
|
||||
|
||||
def parse_vulnerability_information(self, query_results):
|
||||
vulnerability_object = MISPObject('vulnerability')
|
||||
for feature, relation in self.vulnerability_flat_mapping.items():
|
||||
|
@ -65,7 +107,8 @@ class VariotdbsParser:
|
|||
query_results[feature]['data']
|
||||
)
|
||||
if query_results.get('configurations', {}).get('data'):
|
||||
for node in query_results['configurations']['data']['nodes']:
|
||||
for configuration in query_results['configurations']['data']:
|
||||
for node in configuration['nodes']:
|
||||
for cpe_match in node['cpe_match']:
|
||||
if cpe_match['vulnerable']:
|
||||
vulnerability_object.add_attribute(
|
||||
|
@ -129,15 +172,27 @@ def handler(q=False):
|
|||
headers = {'Content-Type': 'application/json'}
|
||||
if request.get('config', {}).get('API_key'):
|
||||
headers['Authorization'] = f"Token {request['config']['API_key']}"
|
||||
empty = True
|
||||
parser = VariotdbsParser(attribute)
|
||||
r = requests.get(f"{variotdbs_url}/vuln/{attribute['value']}/", headers=headers)
|
||||
if r.status_code == 200:
|
||||
query_results = r.json()
|
||||
if not query_results:
|
||||
return {'error': 'Empty results'}
|
||||
vulnerability_results = r.json()
|
||||
if vulnerability_results:
|
||||
parser.parse_vulnerability_information(vulnerability_results)
|
||||
empty = False
|
||||
else:
|
||||
if r.reason != 'Not found':
|
||||
return {'error': 'Error while querying the variotdbs API.'}
|
||||
r = requests.get(f"{variotdbs_url}/exploits/?cve={attribute['value']}", headers=headers)
|
||||
if r.status_code == 200:
|
||||
exploit_results = r.json()
|
||||
if exploit_results:
|
||||
parser.parse_exploit_information(exploit_results)
|
||||
empty = False
|
||||
else:
|
||||
return {'error': 'Error while querying the variotdbs API.'}
|
||||
parser = VariotdbsParser(attribute, query_results)
|
||||
parser.parse_vulnerability_information()
|
||||
if empty:
|
||||
return {'error': 'Empty results'}
|
||||
return parser.get_results()
|
||||
|
||||
|
||||
|
@ -147,4 +202,4 @@ def introspection():
|
|||
|
||||
def version():
|
||||
moduleinfo['config'] = moduleconfig
|
||||
return moduleconfig
|
||||
return moduleinfo
|
||||
|
|
Loading…
Reference in New Issue