MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #305 from joesecurity/new_module 

joesandbox_query.py: improve behavior in unexpected circumstances
pull/306/head
Alexandre Dulaunoy 2019-06-05 13:26:48 +02:00 committed by GitHub
parent aa3e873845 efb0a88eeb
commit 4cec6f50b3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 23 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
misp_modules/modules/expansion/joesandbox_query.py
View File

@ -9,21 +9,7 @@ mispattributes = {'input': ['link'], 'format': 'misp_standard'}
moduleinfo = {'version': '0.1', 'author': 'Christian Studer', moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
'description': 'Query Joe Sandbox API with a report URL to get the parsed data.', 'description': 'Query Joe Sandbox API with a report URL to get the parsed data.',
'module-type': ['expansion']} 'module-type': ['expansion']}
moduleconfig = ['apiurl', 'apikey', 'accept-tac'] moduleconfig = ['apiurl', 'apikey']
class _ParseError(Exception):
pass
def _parse_bool(value, name="bool"):
if value is None or value == "":
return None
if value in ("true", "True"):
return True
if value in ("false", "False"):
return False
raise _ParseError("Cannot parse {}. Must be 'true' or 'false'".format(name))
def handler(q=False): def handler(q=False):
@ -34,21 +20,32 @@ def handler(q=False):
apikey = request['config'].get('apikey') apikey = request['config'].get('apikey')
if not apikey: if not apikey:
return {'error': 'No API key provided'} return {'error': 'No API key provided'}
url = request['attribute']['value']
if "/submissions/" not in url:
return {'error': "The URL does not point to a Joe Sandbox analysis."}
submission_id = url.split('/')[-1] # The URL has the format https://example.net/submissions/12345
joe = jbxapi.JoeSandbox(apiurl=apiurl, apikey=apikey, user_agent='MISP joesandbox_query')
try: try:
accept_tac = _parse_bool(request['config'].get('accept-tac'), 'accept-tac') joe_info = joe.submission_info(submission_id)
except _ParseError as e: except jbxapi.ApiError as e:
return {'error': str(e)} return {'error': str(e)}
attribute = request['attribute']
joe = jbxapi.JoeSandbox(apiurl=apiurl, apikey=apikey, user_agent='MISP joesandbox_analysis', accept_tac=accept_tac) if joe_info["status"] != "finished":
joe_info = joe.submission_info(attribute['value'].split('/')[-1]) return {'error': "The analysis has not finished yet."}
if joe_info['most_relevant_analysis'] is None:
return {'error': "No analysis belongs to this submission."}
analysis_webid = joe_info['most_relevant_analysis']['webid']
joe_parser = JoeParser() joe_parser = JoeParser()
most_relevant = joe_info['most_relevant_analysis']['webid'] joe_data = json.loads(joe.analysis_download(analysis_webid, 'jsonfixed')[1])
for analyse in joe_info['analyses']: joe_parser.parse_data(joe_data['analysis'])
if analyse['webid'] == most_relevant:
joe_data = json.loads(joe.analysis_download(most_relevant, 'jsonfixed')[1])
joe_parser.parse_data(joe_data['analysis'])
break
joe_parser.finalize_results() joe_parser.finalize_results()
return {'results': joe_parser.results} return {'results': joe_parser.results}