From 513d292994b5af34125475f4e64af8b8fc1c7177 Mon Sep 17 00:00:00 2001
From: Steph S
Date: Mon, 10 Jul 2023 17:14:15 -0400
Subject: [PATCH] Fixed object reference issue for the AbuseIPDB expansion module
---
 misp_modules/modules/expansion/abuseipdb.py | 70 +++++++++++++--------
 1 file changed, 45 insertions(+), 25 deletions(-)
diff --git a/misp_modules/modules/expansion/abuseipdb.py b/misp_modules/modules/expansion/abuseipdb.py
index 30909c2..874a970 100644
--- a/misp_modules/modules/expansion/abuseipdb.py
+++ b/misp_modules/modules/expansion/abuseipdb.py
@@ -1,11 +1,11 @@
 import requests
 import json
-from pymisp import MISPObject
+from pymisp import MISPObject, MISPAttribute, MISPEvent
 from . import check_input_attribute, checking_error, standard_error_message
 import dns.resolver
 misperrors = {'error': 'Error'}
-mispattributes = {'input': ['hostname', 'domain', 'domain|ip'], 'output': ['boolean', 'counter'], 'format': 'misp_standard'}
+mispattributes = {'input': ['hostname', 'domain', 'domain|ip'], 'format': 'misp_standard'}
 moduleinfo = {'version': '0.1', 'author': 'Stephanie S', 'description': 'AbuseIPDB MISP expansion module', 'module-type': ['expansion', 'hover']}
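Review bot: `MISPAttribute` is added to the import, but its only use in this patch is `attribute = MISPAttribute()` in `handler`, and that name is never read afterwards in the lines shown. The import can be `from pymisp import MISPObject, MISPEvent` with the dead assignment dropped. The removal of `'output'` from `mispattributes` is not explained in the commit message; a short comment next to the dict saying why the key is no longer declared would help the next reader.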
@@ -57,33 +57,53 @@ def handler(q=False):
 r = {"results": []}
 response = requests.request(method='GET', url=api_endpoint, headers=headers, params=querystring)
- response_json = json.loads(response.text)
- is_whitelisted = response_json['data']['isWhitelisted']
- is_tor = response_json['data']['isTor']
- is_public = response_json['data']['isPublic']
- abuse_confidence_score = response_json['data']['abuseConfidenceScore']
+ if (response.status_code == 200):
+ response_json = json.loads(response.text)
+ is_whitelisted = response_json['data']['isWhitelisted']
+ is_tor = response_json['data']['isTor']
+ is_public = response_json['data']['isPublic']
+ abuse_confidence_score = response_json['data']['abuseConfidenceScore']
- if (is_whitelisted == False):
- is_whitelisted = 0
- if (is_tor == False):
- is_tor = 0
- if (is_public == False):
- is_public = 0
- if (abuse_confidence_score == None):
- abuse_confidence_score = 0
+ if (is_whitelisted == False):
+ is_whitelisted = 0
+ if (is_tor == False):
+ is_tor = 0
+ if (is_public == False):
+ is_public = 0
+ if (abuse_confidence_score == None):
+ abuse_confidence_score = 0
+
+ if (response_json.get("errors")):
+ return {'error': 'AbuseIPDB error, check logs'}
+ else:
+ event = MISPEvent()
+ obj = MISPObject('abuseipdb')
+ attribute = MISPAttribute()
+ event.add_attribute(**request['attribute'])
+
+ if is_whitelisted is not None:
+ obj.add_attribute('is-whitelisted', **{'type': 'boolean', 'value': is_whitelisted})
+ obj.add_attribute('is-tor', **{'type': 'boolean', 'value': is_tor})
+ obj.add_attribute('is-public', **{'type': 'boolean', 'value': is_public})
+ obj.add_attribute('abuse-confidence-score', **{'type': 'counter', 'value': abuse_confidence_score})
+ obj.add_reference(request['attribute']['uuid'], "describes")
+ event.add_object(obj)
+
+ # Avoid serialization issue
+ event = json.loads(event.to_json())
+
+ r['results'] = {'Object': event['Object'], 'Attribute': event['Attribute']}
+ return r
- if
(response_json.get("errors")):
- return {'error': 'AbuseIPDB error, check logs'}
 else:
- obj = MISPObject('abuseipdb')
- obj.add_attribute('is-whitelisted', **{'type': 'boolean', 'value': is_whitelisted})
- obj.add_attribute('is-tor', **{'type': 'boolean', 'value': is_tor})
- obj.add_attribute('is-public', **{'type': 'boolean', 'value': is_public})
- obj.add_attribute('abuse-confidence-score', **{'type': 'counter', 'value': abuse_confidence_score})
-
- r['results'] = {'Object': [json.loads(obj.to_json())]}
- return r
+ try:
+ response_json = json.loads(response.text)
+ if (response_json['errors']):
+ return {"error": "API not reachable, status code: " + str(response.status_code) + " " + str(response_json['errors'][0]['detail'])}
+ except:
+ pass
+ return {"error": "API not reachable, status code: " + str(response.status_code)}
 def introspection():
 return mispattributes
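Review bot: In the status-200 branch the four `response_json['data'][...]` lookups run before `response_json.get("errors")` is tested, so a body that carries `errors` without `data`, or is not JSON at all, raises out of `handler` instead of returning the error dict. The errors test should come first, with the parse and lookups guarded against a malformed body. The non-200 branch ends in a bare `except:` followed by `pass`, which also swallows `KeyboardInterrupt` and programming errors; `except (ValueError, KeyError, IndexError, TypeError):` covers the malformed-body cases it is there for. The `requests.request(...)` call on the context line passes no `timeout=`, so a stalled upstream blocks the module; that line is outside the change but worth fixing with it. Indentation is lost on this page, so the nesting is inferred from statement order, and `handler` starts outside the hunk.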