mirror of https://github.com/MISP/misp-modules
fix: Making pep8 happy
parent
bd38fabba5
commit
458e432bb7
|
@ -11,9 +11,11 @@ mispattributes = {'input': ['url'], 'output': ['text']}
|
||||||
moduleinfo = {'author': 'Oun & Gindt', 'module-type': ['hover'],
|
moduleinfo = {'author': 'Oun & Gindt', 'module-type': ['hover'],
|
||||||
'description': 'An expansion hover module to expand google search information about an URL'}
|
'description': 'An expansion hover module to expand google search information about an URL'}
|
||||||
|
|
||||||
|
|
||||||
def sleep(retry):
|
def sleep(retry):
|
||||||
time.sleep(random.uniform(0, min(40, 0.01 * 2 ** retry)))
|
time.sleep(random.uniform(0, min(40, 0.01 * 2 ** retry)))
|
||||||
|
|
||||||
|
|
||||||
def handler(q=False):
|
def handler(q=False):
|
||||||
if q is False:
|
if q is False:
|
||||||
return False
|
return False
|
||||||
|
|
|
@ -3,12 +3,13 @@ import requests
|
||||||
import json
|
import json
|
||||||
|
|
||||||
misperrors = {'error': 'Error'}
|
misperrors = {'error': 'Error'}
|
||||||
mispattributes = {'input': ['email-dst', 'email-src'],'output': ['text']}
|
mispattributes = {'input': ['email-dst', 'email-src'], 'output': ['text']}
|
||||||
moduleinfo = {'version': '0.2', 'author': 'Corsin Camichel, Aurélien Schwab', 'description': 'Module to access haveibeenpwned.com API (v3).', 'module-type': ['hover']}
|
moduleinfo = {'version': '0.2', 'author': 'Corsin Camichel, Aurélien Schwab', 'description': 'Module to access haveibeenpwned.com API (v3).', 'module-type': ['hover']}
|
||||||
moduleconfig = ['api_key']
|
moduleconfig = ['api_key']
|
||||||
|
|
||||||
haveibeenpwned_api_url = 'https://haveibeenpwned.com/api/v3/breachedaccount/'
|
haveibeenpwned_api_url = 'https://haveibeenpwned.com/api/v3/breachedaccount/'
|
||||||
API_KEY = "" # details at https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/
|
API_KEY = "" # details at https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/
|
||||||
|
|
||||||
|
|
||||||
def handler(q=False):
|
def handler(q=False):
|
||||||
if q is False:
|
if q is False:
|
||||||
|
@ -39,9 +40,11 @@ def handler(q=False):
|
||||||
misperrors['error'] = 'haveibeenpwned.com API not accessible (HTTP ' + str(r.status_code) + ')'
|
misperrors['error'] = 'haveibeenpwned.com API not accessible (HTTP ' + str(r.status_code) + ')'
|
||||||
return misperrors['error']
|
return misperrors['error']
|
||||||
|
|
||||||
|
|
||||||
def introspection():
|
def introspection():
|
||||||
return mispattributes
|
return mispattributes
|
||||||
|
|
||||||
|
|
||||||
def version():
|
def version():
|
||||||
moduleinfo['config'] = moduleconfig
|
moduleinfo['config'] = moduleconfig
|
||||||
return moduleinfo
|
return moduleinfo
|
||||||
|
|
|
@ -3,12 +3,13 @@ import requests
|
||||||
import json
|
import json
|
||||||
|
|
||||||
misperrors = {'error': 'Error'}
|
misperrors = {'error': 'Error'}
|
||||||
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'domain', 'url', 'email-src', 'ip-dst|port', 'ip-src|port'],'output': ['text']}
|
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'domain', 'url', 'email-src', 'ip-dst|port', 'ip-src|port'], 'output': ['text']}
|
||||||
moduleinfo = {'version': '0.1', 'author': 'Corsin Camichel', 'description': 'Module to search for an IOC on ThreatFox by abuse.ch.', 'module-type': ['hover', 'expansion']}
|
moduleinfo = {'version': '0.1', 'author': 'Corsin Camichel', 'description': 'Module to search for an IOC on ThreatFox by abuse.ch.', 'module-type': ['hover', 'expansion']}
|
||||||
moduleconfig = []
|
moduleconfig = []
|
||||||
|
|
||||||
API_URL = "https://threatfox-api.abuse.ch/api/v1/"
|
API_URL = "https://threatfox-api.abuse.ch/api/v1/"
|
||||||
|
|
||||||
|
|
||||||
# copied from
|
# copied from
|
||||||
# https://github.com/marjatech/threatfox2misp/blob/main/threatfox2misp.py
|
# https://github.com/marjatech/threatfox2misp/blob/main/threatfox2misp.py
|
||||||
def confidence_level_to_tag(level: int) -> str:
|
def confidence_level_to_tag(level: int) -> str:
|
||||||
|
@ -26,6 +27,7 @@ def confidence_level_to_tag(level: int) -> str:
|
||||||
confidence_tag = tag
|
confidence_tag = tag
|
||||||
return confidence_tag
|
return confidence_tag
|
||||||
|
|
||||||
|
|
||||||
def handler(q=False):
|
def handler(q=False):
|
||||||
if q is False:
|
if q is False:
|
||||||
return False
|
return False
|
||||||
|
@ -41,19 +43,21 @@ def handler(q=False):
|
||||||
misperrors['error'] = "Unsupported attributes type:"
|
misperrors['error'] = "Unsupported attributes type:"
|
||||||
return misperrors
|
return misperrors
|
||||||
|
|
||||||
data = { "query": "search_ioc", "search_term": f"{to_query}" }
|
data = {"query": "search_ioc", "search_term": f"{to_query}"}
|
||||||
response = requests.post(API_URL, data=json.dumps(data))
|
response = requests.post(API_URL, data=json.dumps(data))
|
||||||
if response.status_code == 200:
|
if response.status_code == 200:
|
||||||
result = json.loads(response.text)
|
result = json.loads(response.text)
|
||||||
if(result["query_status"] == "ok"):
|
if(result["query_status"] == "ok"):
|
||||||
confidence_tag = confidence_level_to_tag(result["data"][0]["confidence_level"])
|
confidence_tag = confidence_level_to_tag(result["data"][0]["confidence_level"])
|
||||||
ret_val = {'results': [{'types': mispattributes['output'], 'values': [result["data"][0]["threat_type_desc"]], 'tags': [result["data"][0]["malware"], result["data"][0]["malware_printable"], confidence_tag ] }]}
|
ret_val = {'results': [{'types': mispattributes['output'], 'values': [result["data"][0]["threat_type_desc"]], 'tags': [result["data"][0]["malware"], result["data"][0]["malware_printable"], confidence_tag]}]}
|
||||||
|
|
||||||
return ret_val
|
return ret_val
|
||||||
|
|
||||||
|
|
||||||
def introspection():
|
def introspection():
|
||||||
return mispattributes
|
return mispattributes
|
||||||
|
|
||||||
|
|
||||||
def version():
|
def version():
|
||||||
moduleinfo['config'] = moduleconfig
|
moduleinfo['config'] = moduleconfig
|
||||||
return moduleinfo
|
return moduleinfo
|
||||||
|
|
|
@ -24,31 +24,37 @@ moduleinfo = {'version': '1.0', 'author': 'Julien Bachmann, Hacknowledge',
|
||||||
'description': 'Defender for Endpoint KQL hunting query export module',
|
'description': 'Defender for Endpoint KQL hunting query export module',
|
||||||
'module-type': ['export']}
|
'module-type': ['export']}
|
||||||
|
|
||||||
|
|
||||||
def handle_sha1(value, period):
|
def handle_sha1(value, period):
|
||||||
query = f"""find in (DeviceAlertEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
|
query = f"""find in (DeviceAlertEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
|
||||||
where SHA1 == '{value}' or InitiatingProcessSHA1 == '{value}'"""
|
where SHA1 == '{value}' or InitiatingProcessSHA1 == '{value}'"""
|
||||||
return query.replace('\n', ' ')
|
return query.replace('\n', ' ')
|
||||||
|
|
||||||
|
|
||||||
def handle_md5(value, period):
|
def handle_md5(value, period):
|
||||||
query = f"""find in (DeviceAlertEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
|
query = f"""find in (DeviceAlertEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents)
|
||||||
where MD5 == '{value}' or InitiatingProcessMD5 == '{value}'"""
|
where MD5 == '{value}' or InitiatingProcessMD5 == '{value}'"""
|
||||||
return query.replace('\n', ' ')
|
return query.replace('\n', ' ')
|
||||||
|
|
||||||
|
|
||||||
def handle_domain(value, period):
|
def handle_domain(value, period):
|
||||||
query = f"""find in (DeviceAlertEvents, DeviceNetworkEvents)
|
query = f"""find in (DeviceAlertEvents, DeviceNetworkEvents)
|
||||||
where RemoteUrl contains '{value}'"""
|
where RemoteUrl contains '{value}'"""
|
||||||
return query.replace('\n', ' ')
|
return query.replace('\n', ' ')
|
||||||
|
|
||||||
|
|
||||||
def handle_ip(value, period):
|
def handle_ip(value, period):
|
||||||
query = f"""find in (DeviceAlertEvents, DeviceNetworkEvents)
|
query = f"""find in (DeviceAlertEvents, DeviceNetworkEvents)
|
||||||
where RemoteIP == '{value}'"""
|
where RemoteIP == '{value}'"""
|
||||||
return query.replace('\n', ' ')
|
return query.replace('\n', ' ')
|
||||||
|
|
||||||
|
|
||||||
def handle_url(value, period):
|
def handle_url(value, period):
|
||||||
query = f"""find in (DeviceAlertEvents, DeviceNetworkEvents)
|
query = f"""find in (DeviceAlertEvents, DeviceNetworkEvents)
|
||||||
where RemoteUrl startswith '{value}'"""
|
where RemoteUrl startswith '{value}'"""
|
||||||
return query.replace('\n', ' ')
|
return query.replace('\n', ' ')
|
||||||
|
|
||||||
|
|
||||||
handlers = {
|
handlers = {
|
||||||
'sha1': handle_sha1,
|
'sha1': handle_sha1,
|
||||||
'md5': handle_md5,
|
'md5': handle_md5,
|
||||||
|
@ -72,6 +78,7 @@ def handler(q=False):
|
||||||
r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
|
r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')}
|
||||||
return r
|
return r
|
||||||
|
|
||||||
|
|
||||||
def introspection():
|
def introspection():
|
||||||
modulesetup = {}
|
modulesetup = {}
|
||||||
try:
|
try:
|
||||||
|
|
Loading…
Reference in New Issue