Merge pull request #516 from Lastline-Inc/main

Sanity checks
pull/519/head
Alexandre Dulaunoy 2021-08-13 07:43:48 +02:00 committed by GitHub
commit 5507d65ef2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 20 additions and 14 deletions

View File

@ -44,7 +44,7 @@ mispattributes = {
moduleinfo = { moduleinfo = {
"version": "0.2", "version": "0.2",
"author": "Jason Zhang", "author": "Jason Zhang, Stefano Ortolani",
"description": "Enrich a file or URL with VMware NSX Defender", "description": "Enrich a file or URL with VMware NSX Defender",
"module-type": ["expansion", "hover"], "module-type": ["expansion", "hover"],
} }
@ -111,12 +111,16 @@ class ResultParser:
# Add HTTP requests from url analyses # Add HTTP requests from url analyses
network_dict = result.get("report", {}).get("analysis", {}).get("network", {}) network_dict = result.get("report", {}).get("analysis", {}).get("network", {})
for request in network_dict.get("requests", []): for request in network_dict.get("requests", []):
parsed_uri = parse.urlparse(request["url"]) if not request["url"] and not request["ip"]:
continue
o = pymisp.MISPObject(name="http-request") o = pymisp.MISPObject(name="http-request")
o.add_attribute("host", parsed_uri.netloc)
o.add_attribute("method", "GET") o.add_attribute("method", "GET")
o.add_attribute("uri", request["url"]) if request["url"]:
o.add_attribute("ip-dst", request["ip"]) parsed_uri = parse.urlparse(request["url"])
o.add_attribute("host", parsed_uri.netloc)
o.add_attribute("uri", request["url"])
if request["ip"]:
o.add_attribute("ip-dst", request["ip"])
misp_event.add_object(o) misp_event.add_object(o)
# Add network behaviors from files # Add network behaviors from files
@ -129,8 +133,8 @@ class ResultParser:
try: try:
if hostname == "wpad" or hostname == "localhost": if hostname == "wpad" or hostname == "localhost":
continue continue
# Invalid hostname, e.g., hostname: '2.2.0.10.in-addr.arpa. # Invalid hostname, e.g., hostname: ZLKKJRPY or 2.2.0.10.in-addr.arpa.
if hostname[-1] == ".": if "." not in hostname or hostname[-1] == ".":
continue continue
_ = ipaddress.ip_address(hostname) _ = ipaddress.ip_address(hostname)
continue continue
@ -183,13 +187,15 @@ class ResultParser:
misp_event.add_object(o) misp_event.add_object(o)
# Add behaviors # Add behaviors
o = pymisp.MISPObject(name="sb-signature") # Check if its not empty first, as at least one attribute has to be set for sb-signature object
o.add_attribute("software", "VMware NSX Defender") if result.get("malicious_activity", []):
for activity in result.get("malicious_activity", []): o = pymisp.MISPObject(name="sb-signature")
a = pymisp.MISPAttribute() o.add_attribute("software", "VMware NSX Defender")
a.from_dict(type="text", value=activity) for activity in result.get("malicious_activity", []):
o.add_attribute("signature", **a) a = pymisp.MISPAttribute()
misp_event.add_object(o) a.from_dict(type="text", value=activity)
o.add_attribute("signature", **a)
misp_event.add_object(o)
# Add mitre techniques # Add mitre techniques
for techniques in result.get("activity_to_mitre_techniques", {}).values(): for techniques in result.get("activity_to_mitre_techniques", {}).values():