MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

Cosmetic changes

pull/114/head
Raphaël Vinot 2017-03-05 18:59:36 +01:00
parent ad49fd3819
commit 44867b2adc
1 changed files with 29 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
misp_modules/modules/expansion/virustotal.py
View File

@ -1,9 +1,7 @@
import json import json
import requests import requests
import hashlib from requests import HTTPError
import re
import base64 import base64
import os
misperrors = {'error': 'Error'} misperrors = {'error': 'Error'}
mispattributes = {'input': ['hostname', 'domain', "ip-src", "ip-dst", "md5", "sha1", "sha256", "sha512"], mispattributes = {'input': ['hostname', 'domain', "ip-src", "ip-dst", "md5", "sha1", "sha256", "sha512"],
@ -60,32 +58,33 @@ def handler(q=False):
def getHash(hash, key, do_not_recurse=False): def getHash(hash, key, do_not_recurse=False):
global limit req = requests.get("https://www.virustotal.com/vtapi/v2/file/report",
toReturn = [] params={"allinfo": 1, "apikey": key, 'resource': hash})
try: try:
req = requests.get("https://www.virustotal.com/vtapi/v2/file/report", req.raise_for_status()
params={"allinfo": 1, "apikey": key, 'resource': hash} req = req.json()
).json() except HTTPError as e:
except: misperrors['error'] = str(e)
return [] return misperrors
if req["response_code"] == 0: if req["response_code"] == 0:
# Nothing found # Nothing found
return [] return []
toReturn += getMoreInfo(req, key) return getMoreInfo(req, key)
return toReturn
def getIP(ip, key, do_not_recurse=False): def getIP(ip, key, do_not_recurse=False):
global limit global limit
toReturn = [] toReturn = []
req = requests.get("https://www.virustotal.com/vtapi/v2/ip-address/report",
params={"ip": ip, "apikey": key})
try: try:
req = requests.get("https://www.virustotal.com/vtapi/v2/ip-address/report", req.raise_for_status()
params={"ip": ip, "apikey": key} req = req.json()
).json() except HTTPError as e:
except: misperrors['error'] = str(e)
return [] return misperrors
if req["response_code"] == 0: if req["response_code"] == 0:
# Nothing found # Nothing found
@ -93,7 +92,7 @@ def getIP(ip, key, do_not_recurse=False):
if "resolutions" in req: if "resolutions" in req:
for res in req["resolutions"][:limit]: for res in req["resolutions"][:limit]:
toReturn.append({"types": ["domain"], "values": [res["hostname"]], "comment":comment % ip}) toReturn.append({"types": ["domain"], "values": [res["hostname"]], "comment": comment % ip})
# Pivot from here to find all domain info # Pivot from here to find all domain info
if not do_not_recurse: if not do_not_recurse:
toReturn += getDomain(res["hostname"], key, True) toReturn += getDomain(res["hostname"], key, True)
@ -105,12 +104,14 @@ def getIP(ip, key, do_not_recurse=False):
def getDomain(domain, key, do_not_recurse=False): def getDomain(domain, key, do_not_recurse=False):
global limit global limit
toReturn = [] toReturn = []
req = requests.get("https://www.virustotal.com/vtapi/v2/domain/report",
params={"domain": domain, "apikey": key})
try: try:
req = requests.get("https://www.virustotal.com/vtapi/v2/domain/report", req.raise_for_status()
params={"domain": domain, "apikey": key} req = req.json()
).json() except HTTPError as e:
except: misperrors['error'] = str(e)
return [] return misperrors
if req["response_code"] == 0: if req["response_code"] == 0:
# Nothing found # Nothing found
@ -118,7 +119,7 @@ def getDomain(domain, key, do_not_recurse=False):
if "resolutions" in req: if "resolutions" in req:
for res in req["resolutions"][:limit]: for res in req["resolutions"][:limit]:
toReturn.append({"types": ["ip-dst", "ip-src"], "values": [res["ip_address"]], "comment":comment % domain}) toReturn.append({"types": ["ip-dst", "ip-src"], "values": [res["ip_address"]], "comment": comment % domain})
# Pivot from here to find all info on IPs # Pivot from here to find all info on IPs
if not do_not_recurse: if not do_not_recurse:
toReturn += getIP(res["ip_address"], key, True) toReturn += getIP(res["ip_address"], key, True)
@ -163,16 +164,16 @@ def getMoreInfo(req, key):
# Go through each key and check if it exists # Go through each key and check if it exists
if "submission_names" in data: if "submission_names" in data:
r.append({'types': ["filename"], "values": data["submission_names"], "comment":comment % hsh}) r.append({'types': ["filename"], "values": data["submission_names"], "comment": comment % hsh})
if "ssdeep" in data: if "ssdeep" in data:
r.append({'types': ["ssdeep"], "values": [data["ssdeep"]], "comment":comment % hsh}) r.append({'types': ["ssdeep"], "values": [data["ssdeep"]], "comment": comment % hsh})
if "authentihash" in data: if "authentihash" in data:
r.append({"types": ["authentihash"], "values": [data["authentihash"]], "comment":comment % hsh}) r.append({"types": ["authentihash"], "values": [data["authentihash"]], "comment": comment % hsh})
if "ITW_urls" in data: if "ITW_urls" in data:
r.append({"types": ["url"], "values": data["ITW_urls"], "comment":comment % hsh}) r.append({"types": ["url"], "values": data["ITW_urls"], "comment": comment % hsh})
# Get the malware sample # Get the malware sample
sample = requests.get("https://www.virustotal.com/vtapi/v2/file/download", sample = requests.get("https://www.virustotal.com/vtapi/v2/file/download",