MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #74 from cudeso/master 

Extra VTI detections
pull/71/merge
Raphaël Vinot 2016-11-30 13:59:05 +01:00 committed by GitHub
parent 1e303b7af5 077470b8ed
commit 5b692eeca9
1 changed files with 18 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
misp_modules/modules/import_mod/vmray_import.py
View File

@ -174,6 +174,8 @@ def vmrayVtiPatterns(vti_patterns):
content = vmrayGeneric(pattern, "url", 1) content = vmrayGeneric(pattern, "url", 1)
elif pattern["category"] == "_network" and pattern["operation"] == "_connect": elif pattern["category"] == "_network" and pattern["operation"] == "_connect":
content = vmrayConnect(pattern) content = vmrayConnect(pattern)
elif pattern["category"] == "_network" and pattern["operation"] == "_install_server":
content = vmrayGeneric(pattern)
elif only_network_info is False and pattern["category"] == "_process" and pattern["operation"] == "_alloc_wx_page": elif only_network_info is False and pattern["category"] == "_process" and pattern["operation"] == "_alloc_wx_page":
content = vmrayGeneric(pattern) content = vmrayGeneric(pattern)
@ -181,6 +183,10 @@ def vmrayVtiPatterns(vti_patterns):
content = vmrayGeneric(pattern, "mutex", 1) content = vmrayGeneric(pattern, "mutex", 1)
elif only_network_info is False and pattern["category"] == "_process" and pattern["operation"] == "_crashed_process": elif only_network_info is False and pattern["category"] == "_process" and pattern["operation"] == "_crashed_process":
content = vmrayGeneric(pattern) content = vmrayGeneric(pattern)
elif only_network_info is False and pattern["category"] == "_process" and pattern["operation"] == "_read_from_remote_process":
content = vmrayGeneric(pattern)
elif only_network_info is False and pattern["category"] == "_process" and pattern["operation"] == "_create_process_with_hidden_window":
content = vmrayGeneric(pattern)
elif only_network_info is False and pattern["category"] == "_anti_analysis" and pattern["operation"] == "_delay_execution": elif only_network_info is False and pattern["category"] == "_anti_analysis" and pattern["operation"] == "_delay_execution":
content = vmrayGeneric(pattern) content = vmrayGeneric(pattern)
@ -194,11 +200,20 @@ def vmrayVtiPatterns(vti_patterns):
elif only_network_info is False and pattern["category"] == "_injection" and pattern["operation"] == "_modify_memory": elif only_network_info is False and pattern["category"] == "_injection" and pattern["operation"] == "_modify_memory":
content = vmrayGeneric(pattern) content = vmrayGeneric(pattern)
elif only_network_info is False and pattern["category"] == "_injection" and pattern["operation"] == "_modify_memory_system":
content = vmrayGeneric(pattern)
elif only_network_info is False and pattern["category"] == "_injection" and pattern["operation"] == "_modify_memory_non_system":
content = vmrayGeneric(pattern)
elif only_network_info is False and pattern["category"] == "_injection" and pattern["operation"] == "_modify_control_flow": elif only_network_info is False and pattern["category"] == "_injection" and pattern["operation"] == "_modify_control_flow":
content = vmrayGeneric(pattern) content = vmrayGeneric(pattern)
elif only_network_info is False and pattern["category"] == "_injection" and pattern["operation"] == "_modify_control_flow_non_system":
content = vmrayGeneric(pattern)
elif only_network_info is False and pattern["category"] == "_file_system" and pattern["operation"] == "_create_many_files": elif only_network_info is False and pattern["category"] == "_file_system" and pattern["operation"] == "_create_many_files":
content = vmrayGeneric(pattern) content = vmrayGeneric(pattern)
elif only_network_info is False and pattern["category"] == "_hide_tracks" and pattern["operation"] == "_hide_data_in_registry":
content = vmrayGeneric(pattern, "regkey", 1)
elif only_network_info is False and pattern["category"] == "_persistence" and pattern["operation"] == "_install_startup_script": elif only_network_info is False and pattern["category"] == "_persistence" and pattern["operation"] == "_install_startup_script":
content = vmrayGeneric(pattern, "regkey", 1) content = vmrayGeneric(pattern, "regkey", 1)
elif only_network_info is False and pattern["category"] == "_os" and pattern["operation"] == "_enable_process_privileges": elif only_network_info is False and pattern["category"] == "_os" and pattern["operation"] == "_enable_process_privileges":
@ -248,12 +263,14 @@ def vmrayGeneric(el, attr="", attrpos=1):
content = el["technique_desc"] content = el["technique_desc"]
if content: if content:
if attr: if attr:
# Some elements are put between \"\" ; replace them to single
content = content.replace("\"\"","\"")
content_split = content.split("\"") content_split = content.split("\"")
# Attributes are between open " and close "; so use > # Attributes are between open " and close "; so use >
if len(content_split) > attrpos: if len(content_split) > attrpos:
content_split[attrpos] = vmraySanitizeInput(content_split[attrpos]) content_split[attrpos] = vmraySanitizeInput(content_split[attrpos])
r["values"].append(content_split[attrpos]) r["values"].append(content_split[attrpos])
r["types"] = [attr] r["types"] = [attr]
# Adding the value also as text to get the extra description, # Adding the value also as text to get the extra description,
# but this is pretty useless for "url" # but this is pretty useless for "url"