add: New expansion module to submit samples and urls to AssemblyLine

misp_modules/modules/expansion/__init__.py

@@ -14,4 +14,5 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c
            'intel471', 'backscatter_io', 'btc_scam_check', 'hibp', 'greynoise', 'macvendors',
            'qrcode', 'ocr_enrich', 'pdf_enrich', 'docx_enrich', 'xlsx_enrich', 'pptx_enrich',
            'ods_enrich', 'odt_enrich', 'joesandbox_submit', 'joesandbox_query', 'urlhaus',
-           'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails']
+           'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails',
+           'assemblyline_submit']

misp_modules/modules/expansion/assemblyline_submit.py

@@ -0,0 +1,87 @@
+import json
+
+from assemblyline_client import Client, ClientError
+from urllib.parse import urljoin
+
+
+moduleinfo = {"version": 1, "author": "Christian Studer", "module-type": ["expansion"],
+              "description": "Submit files or URLs to AssemblyLine"}
+moduleconfig = ["apiurl", "user_id", "apikey", "password"]
+mispattributes = {"input": ["attachment", "malware-sample", "url", "domain"],
+                  "output": ["link"]}
+
+
+def parse_config(apiurl, user_id, config):
+    error = {"error": "Please provide your AssemblyLine API key or Password."}
+    if config.get('apikey'):
+        try:
+            return Client(apiurl, apikey=(user_id, config['apikey']))
+        except ClientError as e:
+            error['error'] = f'Error while initiating a connection with AssemblyLine: {e.__str__()}'
+    if config.get('password'):
+        try:
+            return Client(apiurl, auth=(user_id, config['password']))
+        except ClientError as e:
+            error['error'] = f'Error while initiating a connection with AssemblyLine: {e.__str__()}'
+    return error
+
+def submit_content(client, filename, data):
+    try:
+        return client.submit(fname=filename, contents=data.encode())
+    except Exception as e:
+        return {'error': f'Error while submitting content to AssemblyLine: {e.__str__()}'}
+
+
+def submit_request(client, request):
+    if 'attachment' in request:
+        return submit_content(client, request['attachment'], request['data'])
+    if 'malware-sample' in request:
+        return submit_content(client, request['malware-sample'].split('|')[0], request['data'])
+    for feature in ('url', 'domain'):
+        if feature in request:
+            return submit_url(client, request[feature])
+    return {"error": "No valid attribute type for this module has been provided."}
+
+
+def submit_url(client, url):
+    try:
+        return client.submit(url=url)
+    except Exception as e:
+        return {'error': f'Error while submitting url to AssemblyLine: {e.__str__()}'}
+
+
+def handler(q=False):
+    if q is False:
+        return q
+    request = json.loads(q)
+    if not request.get('config'):
+        return {"error": "Missing configuration."}
+    if not request['config'].get('apiurl'):
+        return {"error": "No AssemblyLine server address provided."}
+    apiurl = request['config']['apiurl']
+    if not request['config'].get('user_id'):
+        return {"error": "Please provide your AssemblyLine User ID."}
+    user_id = request['config']['user_id']
+    client = parse_config(apiurl, user_id, request['config'])
+    if isinstance(client, dict):
+        return client
+    submission = submit_request(client, request)
+    if 'error' in submission:
+        return submission
+    sid = submission['submission']['sid']
+    return {
+        "results": [{
+            "types": "link",
+            "categories": "External analysis",
+            "values": urljoin(apiurl, f'submission_detail.html?sid={sid}')
+        }]
+    }
+
+
+def introspection():
+    return mispattributes
+
+
+def version():
+    moduleinfo["config"] = moduleconfig
+    return moduleinfo