From f45d9964f3e65abdc7a2f216bf10ef61aa6db7be Mon Sep 17 00:00:00 2001 From: Jesse Hedden Date: Tue, 30 Jun 2020 10:07:16 -0700 Subject: [PATCH 01/30] removed obsoleted module name --- misp_modules/modules/import_mod/__init__.py | 1 - 1 file changed, 1 deletion(-) diff --git a/misp_modules/modules/import_mod/__init__.py b/misp_modules/modules/import_mod/__init__.py index 45e3359..fbad911 100644 --- a/misp_modules/modules/import_mod/__init__.py +++ b/misp_modules/modules/import_mod/__init__.py @@ -15,5 +15,4 @@ __all__ = [ 'threatanalyzer_import', 'csvimport', 'joe_import', - 'trustar_import', ] From c91a61110a125bf7fd9369221339694b11011847 Mon Sep 17 00:00:00 2001 From: johannesh Date: Thu, 23 Jul 2020 12:28:56 +0200 Subject: [PATCH 02/30] Add Recorded Future expansion module --- README.md | 1 + misp_modules/modules/expansion/__init__.py | 2 +- .../modules/expansion/recordedfuture.py | 280 ++++++++++++++++++ 3 files changed, 282 insertions(+), 1 deletion(-) create mode 100644 misp_modules/modules/expansion/recordedfuture.py diff --git a/README.md b/README.md index 67573da..77ece38 100644 --- a/README.md +++ b/README.md @@ -69,6 +69,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj * [pptx-enrich](misp_modules/modules/expansion/pptx_enrich.py) - an enrichment module to get text out of PowerPoint document into MISP (using free-text parser). * [qrcode](misp_modules/modules/expansion/qrcode.py) - a module decode QR code, barcode and similar codes from an image and enrich with the decoded values. * [rbl](misp_modules/modules/expansion/rbl.py) - a module to get RBL (Real-Time Blackhost List) values from an attribute. +* [recordedfuture](misp_modules/modules/expansion/recordedfuture.py) - a hover and expansion module for enriching MISP attributes with threat intelligence from Recorded Future. * [reversedns](misp_modules/modules/expansion/reversedns.py) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes. * [securitytrails](misp_modules/modules/expansion/securitytrails.py) - an expansion module for [securitytrails](https://securitytrails.com/). * [shodan](misp_modules/modules/expansion/shodan.py) - a minimal [shodan](https://www.shodan.io/) expansion module. diff --git a/misp_modules/modules/expansion/__init__.py b/misp_modules/modules/expansion/__init__.py index dbd3473..14d5499 100644 --- a/misp_modules/modules/expansion/__init__.py +++ b/misp_modules/modules/expansion/__init__.py @@ -18,4 +18,4 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c 'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails', 'apivoid', 'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', 'malwarebazaar', 'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich', - 'trustar_enrich'] + 'trustar_enrich', 'recordedfuture'] diff --git a/misp_modules/modules/expansion/recordedfuture.py b/misp_modules/modules/expansion/recordedfuture.py new file mode 100644 index 0000000..c42a42b --- /dev/null +++ b/misp_modules/modules/expansion/recordedfuture.py @@ -0,0 +1,280 @@ +import json +import logging +import requests +from urllib.parse import quote +from pymisp import MISPAttribute, MISPEvent, MISPTag, MISPObject + +moduleinfo = {'version': '1.0', 'author': 'Recorded Future', + 'description': 'Module to retrieve data from Recorded Future', + 'module-type': ['expansion', 'hover']} + +moduleconfig = ['token'] + +misperrors = {'error': 'Error'} + +mispattributes = {'input': ['ip', 'ip-src', 'ip-dst', 'domain', 'hostname', 'md5', 'sha1', 'sha256', + 'uri', 'url', 'vulnerability', 'weakness'], + 'output': ['ip', 'ip-src', 'ip-dst', 'domain', 'hostname', 'md5', 'sha1', 'sha256', + 'uri', 'url', 'vulnerability', 'weakness', 'email-src', 'text'], + 'format': 'misp_standard'} + +LOGGER = logging.getLogger('recorded_future') +LOGGER.setLevel(logging.INFO) + + +def rf_lookup(api_token: str, category: str, ioc: str) -> requests.Response: + """Do a lookup call using Recorded Future's ConnectAPI.""" + auth_header = {"X-RFToken": api_token} + parsed_ioc = quote(ioc, safe='') + url = f'https://api.recordedfuture.com/v2/{category}/{parsed_ioc}?fields=risk%2CrelatedEntities' + response = requests.get(url, headers=auth_header) + response.raise_for_status() + return response + + +class GalaxyFinder: + """A class for finding MISP galaxy matches to Recorded Future data.""" + def __init__(self): + self.session = requests.Session() + self.sources = { + 'RelatedThreatActor': ['https://raw.githubusercontent.com/MISP/misp-galaxy/' + 'main/clusters/threat-actor.json'], + 'RelatedMalware': ['https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/banker.json', + 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/botnet.json', + 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/exploit-kit.json', + 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/rat.json', + 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/ransomware.json', + 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/malpedia.json'] + } + self.galaxy_clusters = {} + + def pull_galaxy_cluster(self, related_type: str): + """Fetches galaxy clusters for the related_type from the remote json files specified as self.sources.""" + # Only fetch clusters if not fetched previously + if not self.galaxy_clusters.get(related_type): + for source in self.sources.get(related_type): + response = self.session.get(source) + if response.ok: + name = source.split('/')[-1].split('.')[0] + self.galaxy_clusters[related_type] = {name: response.json()} + else: + LOGGER.info(f'pull_galaxy_cluster failed for source: {source},' + f' got response: {response}, {response.reason}.') + + def find_galaxy_match(self, indicator: str, related_type: str) -> str: + """Searches the clusters of the related_type for a match with the indicator. + :returns the first matching galaxy string or an empty string if no galaxy match is found. + """ + self.pull_galaxy_cluster(related_type) + try: + for cluster_name, cluster in self.galaxy_clusters[related_type].items(): + for value in cluster['values']: + try: + if indicator in value['meta']['synonyms'] or indicator in value['value']: + value = value['value'] + return f'misp-galaxy:{cluster_name}="{value}"' + except KeyError: + pass + except KeyError: + pass + return '' + + +class RFColors: + """Class for setting signature RF-colors.""" + def __init__(self): + self.rf_white = '#CCCCCC' + self.rf_yellow = '#FFCE00' + self.rf_red = '#CF0A2C' + + def riskscore_color(self, risk_score: int) -> str: + """Returns appropriate hex-colors according to risk score.""" + risk_score = int(risk_score) + if risk_score < 25: + return self.rf_white + elif risk_score < 65: + return self.rf_yellow + else: + return self.rf_red + + def riskrule_color(self, risk_rule_criticality: int) -> str: + """Returns appropriate hex-colors according to risk rule criticality.""" + risk_rule_criticality = int(risk_rule_criticality) + if risk_rule_criticality == 1: + return self.rf_white + elif risk_rule_criticality == 2: + return self.rf_yellow + else: # risk_rule_criticality == 3 or 4 + return self.rf_red + + +class RFEnricher: + """Class for enriching an attribute with data from Recorded Future. + The enrichment data is returned as a custom MISP object. + """ + def __init__(self, api_token: str, attribute_props: dict): + self.api_token = api_token + self.event = MISPEvent() + self.enrichment_object = MISPObject('Recorded Future Enrichment') + self.enrichment_object.from_dict(**{'meta-category': 'misc', + 'description': 'An object containing the enriched attribute and related ' + 'entities from Recorded Future.', + 'distribution': 0}) + + # Create a copy of enriched attribute to add tags to + temp_attr = MISPAttribute() + temp_attr.from_dict(**attribute_props) + self.enriched_attribute = MISPAttribute() + self.enriched_attribute.from_dict(**{'value': temp_attr.value, 'type': temp_attr.type, 'distribution': 0}) + + self.related_attributes = [] + self.color_picker = RFColors() + self.galaxy_finder = GalaxyFinder() + + # Mapping from MISP-type to RF-type + self.type_to_rf_category = {'ip': 'ip', 'ip-src': 'ip', 'ip-dst': 'ip', + 'domain': 'domain', 'hostname': 'domain', + 'md5': 'hash', 'sha1': 'hash', 'sha256': 'hash', + 'uri': 'url', 'url': 'url', + 'vulnerability': 'vulnerability', 'weakness': 'vulnerability'} + + # Related entities from RF portrayed as related attributes in MISP + self.related_attribute_types = ['RelatedIpAddress', 'RelatedInternetDomainName', 'RelatedHash', + 'RelatedEmailAddress', 'RelatedCyberVulnerability'] + # Related entities from RF portrayed as tags in MISP + self.galaxy_tag_types = ['RelatedMalware', 'RelatedThreatActor'] + + def enrich(self): + """Run the enrichment.""" + category = self.type_to_rf_category.get(self.enriched_attribute.type) + + try: + response = rf_lookup(self.api_token, category, self.enriched_attribute.value) + json_response = json.loads(response.content) + except requests.HTTPError as error: + misperrors['error'] = f'Error when requesting data from Recorded Future. ' \ + f'{error.response} : {error.response.reason}' + raise error + + try: + # Add risk score and risk rules as tags to the enriched attribute + risk_score = json_response['data']['risk']['score'] + hex_color = self.color_picker.riskscore_color(risk_score) + tag_name = f'recorded-future:risk-score="{risk_score}"' + self.add_tag(tag_name, hex_color) + for evidence in json_response['data']['risk']['evidenceDetails']: + risk_rule = evidence['rule'] + criticality = evidence['criticality'] + hex_color = self.color_picker.riskrule_color(criticality) + tag_name = f'recorded-future:risk-rule="{risk_rule}"' + self.add_tag(tag_name, hex_color) + + # Retrieve related entities + for related_entity in json_response['data']['relatedEntities']: + related_type = related_entity['type'] + if related_type in self.related_attribute_types: + # Related entities returned as additional attributes + for related in related_entity['entities']: + if int(related["count"]) > 4: + indicator = related['entity']['name'] + self.add_related_attribute(indicator, related_type) + elif related_type in self.galaxy_tag_types: + # Related entities added as galaxy-tags to the enriched attribute + galaxy_tags = [] + for related in related_entity['entities']: + if int(related["count"]) > 4: + indicator = related['entity']['name'] + galaxy = self.galaxy_finder.find_galaxy_match(indicator, related_type) + # Handle deduplication of galaxy tags + if galaxy and galaxy not in galaxy_tags: + galaxy_tags.append(galaxy) + for galaxy in galaxy_tags: + self.add_tag(galaxy) + except KeyError as error: + misperrors['error'] = 'Unexpected format in Recorded Future api response.' + raise error + + def add_related_attribute(self, indicator: str, related_type: str) -> None: + """Helper method for adding an indicator to the related attribute list.""" + out_type = self.get_output_type(related_type, indicator) + attribute = MISPAttribute() + attribute.from_dict(**{'value': indicator, 'type': out_type, 'distribution': 0}) + self.related_attributes.append((related_type, attribute)) + + def add_tag(self, tag_name: str, hex_color: str = None) -> None: + """Helper method for adding a tag to the enriched attribute.""" + tag = MISPTag() + tag_properties = {'name': tag_name} + if hex_color: + tag_properties['colour'] = hex_color + tag.from_dict(**tag_properties) + self.enriched_attribute.add_tag(tag) + + def get_output_type(self, related_type: str, indicator: str) -> str: + """Helper method for translating a Recorded Future related type to a MISP output type.""" + output_type = 'text' + if related_type == 'RelatedIpAddress': + output_type = 'ip-dst' + elif related_type == 'RelatedInternetDomainName': + output_type = 'domain' + elif related_type == 'RelatedHash': + hash_len = len(indicator) + if hash_len == 64: + output_type = 'sha256' + elif hash_len == 40: + output_type = 'sha1' + elif hash_len == 32: + output_type = 'md5' + elif related_type == 'RelatedEmailAddress': + output_type = 'email-src' + elif related_type == 'RelatedCyberVulnerability': + signature = indicator.split('-')[0] + if signature == 'CVE': + output_type = 'vulnerability' + elif signature == 'CWE': + output_type = 'weakness' + return output_type + + def get_results(self) -> dict: + """Build and return the enrichment results.""" + self.enrichment_object.add_attribute('Enriched attribute', **self.enriched_attribute) + for related_type, attribute in self.related_attributes: + self.enrichment_object.add_attribute(related_type, **attribute) + self.event.add_object(**self.enrichment_object) + event = json.loads(self.event.to_json()) + result = {key: event[key] for key in ['Object'] if key in event} + return {'results': result} + + +def handler(q=False): + """Handle enrichment.""" + if q is False: + return False + request = json.loads(q) + + if request.get('config') and request['config'].get('token'): + token = request['config'].get('token') + else: + misperrors['error'] = 'Missing Recorded Future token.' + return misperrors + + input_attribute = request.get('attribute') + rf_enricher = RFEnricher(token, input_attribute) + try: + rf_enricher.enrich() + except (requests.HTTPError, KeyError): + return misperrors + + return rf_enricher.get_results() + + +def introspection(): + """Returns a dict of the supported attributes.""" + return mispattributes + + +def version(): + """Returns a dict with the version and the associated meta-data + including potential configurations required of the module.""" + moduleinfo['config'] = moduleconfig + return moduleinfo From 8180ecbfa80a9cac3fd5ff9601b00ff913fdc98b Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 27 Jul 2020 17:20:36 +0200 Subject: [PATCH 03/30] chg: Making use of the Greynoise v2 API --- misp_modules/modules/expansion/greynoise.py | 56 +++++++++++++++------ 1 file changed, 40 insertions(+), 16 deletions(-) diff --git a/misp_modules/modules/expansion/greynoise.py b/misp_modules/modules/expansion/greynoise.py index dd54158..4cd89d5 100644 --- a/misp_modules/modules/expansion/greynoise.py +++ b/misp_modules/modules/expansion/greynoise.py @@ -3,35 +3,59 @@ import json misperrors = {'error': 'Error'} mispattributes = {'input': ['ip-dst', 'ip-src'], 'output': ['text']} -moduleinfo = {'version': '0.1', 'author': 'Aurélien Schwab ', 'description': 'Module to access GreyNoise.io API.', 'module-type': ['hover']} -moduleconfig = ['user-agent'] # TODO take this into account in the code +moduleinfo = { + 'version': '0.2', + 'author': 'Aurélien Schwab ', + 'description': 'Module to access GreyNoise.io API.', + 'module-type': ['hover'] +} +moduleconfig = ['api_key'] -greynoise_api_url = 'http://api.greynoise.io:8888/v1/query/ip' -default_user_agent = 'MISP-Module' +greynoise_api_url = 'https://api.greynoise.io/v2/noise/quick/' +codes_mapping = { + '0x00': 'The IP has never been observed scanning the Internet', + '0x01': 'The IP has been observed by the GreyNoise sensor network', + '0x02': 'The IP has been observed scanning the GreyNoise sensor network, but has not completed a full connection, meaning this can be spoofed', + '0x03': 'The IP is adjacent to another host that has been directly observed by the GreyNoise sensor network', + '0x04': 'Reserved', + '0x05': 'This IP is commonly spoofed in Internet-scan activity', + '0x06': 'This IP has been observed as noise, but this host belongs to a cloud provider where IPs can be cycled frequently', + '0x07': 'This IP is invalid', + '0x08': 'This IP was classified as noise, but has not been observed engaging in Internet-wide scans or attacks in over 60 days' +} def handler(q=False): if q is False: return False request = json.loads(q) + if not request.get('config') or not request['config'].get('api_key'): + return {'error': 'Missing Greynoise API key.'} + headers = { + 'Accept': 'application/json', + 'key': request['config']['api_key'] + } for input_type in mispattributes['input']: if input_type in request: ip = request[input_type] break else: - misperrors['error'] = "Unsupported attributes type" + misperrors['error'] = "Unsupported attributes type." return misperrors - data = {'ip': ip} - r = requests.post(greynoise_api_url, data=data, headers={'user-agent': default_user_agent}) # Real request - if r.status_code == 200: # OK (record found) - response = r.text - if response: - return {'results': [{'types': mispattributes['output'], 'values': response}]} - elif r.status_code == 404: # Not found (not an error) - return {'results': [{'types': mispattributes['output'], 'values': 'No data'}]} - else: # Real error - misperrors['error'] = 'GreyNoise API not accessible (HTTP ' + str(r.status_code) + ')' - return misperrors['error'] + response = requests.get(f'{greynoise_api_url}{ip}', headers=headers) # Real request + if response.status_code == 200: # OK (record found) + return {'results': [{'types': mispattributes['output'], 'values': codes_mapping[response.json()['code']]}]} + # There is an error + errors = { + 400: "Bad request.", + 401: "Unauthorized. Please check your API key.", + 429: "Too many requests. You've hit the rate-limit." + } + try: + misperrors['error'] = errors[response.status_code] + except KeyError: + misperrors['error'] = f'GreyNoise API not accessible (HTTP {response.status_code})' + return misperrors['error'] def introspection(): From f7b60bed2982454e922d4e23a33b033413b3dfc3 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 27 Jul 2020 17:21:52 +0200 Subject: [PATCH 04/30] chg: Updated Greynoise tests following the latest changes on the expansion module --- tests/test_expansions.py | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/tests/test_expansions.py b/tests/test_expansions.py index b853c25..a56fbe7 100644 --- a/tests/test_expansions.py +++ b/tests/test_expansions.py @@ -229,11 +229,24 @@ class TestExpansions(unittest.TestCase): self.assertEqual(to_check, 'OK (Not Found)', response) def test_greynoise(self): - query = {"module": "greynoise", "ip-dst": "1.1.1.1"} - response = self.misp_modules_post(query) - value = self.get_values(response) - if value != 'GreyNoise API not accessible (HTTP 429)': - self.assertTrue(value.startswith('{"ip":"1.1.1.1","status":"ok"')) + module_name = 'greynoise' + query = {"module": module_name, "ip-dst": "1.1.1.1"} + if module_name in self.configs: + query['config'] = self.configs[module_name] + response = self.misp_modules_post(query) + try: + self.assertEqual(self.get_values(response), 'This IP is commonly spoofed in Internet-scan activity') + except Exception: + self.assertIn( + self.get_errors(reponse), + ( + "Unauthorized. Please check your API key.", + "Too many requests. You've hit the rate-limit." + ) + ) + else: + response = self.misp_modules_post(query) + self.assertEqual(self.get_errors(response), 'Missing Greynoise API key.') def test_ipasn(self): query = {"module": "ipasn", From 6d528628c7f7aa65ec2e25a1074abc52a0818fab Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 27 Jul 2020 17:26:07 +0200 Subject: [PATCH 05/30] chg: Updated documentation about the greynoise module --- doc/README.md | 4 +++- doc/expansion/greynoise.json | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/doc/README.md b/doc/README.md index e173ad4..21030d4 100644 --- a/doc/README.md +++ b/doc/README.md @@ -502,13 +502,15 @@ Module to query a local copy of Maxmind's Geolite database. Module to access GreyNoise.io API - **features**: ->The module takes an IP address as input and queries Greynoise for some additional information about it. The result is returned as text. +>The module takes an IP address as input and queries Greynoise for some additional information about it: basically it checks whether a given IP address is “Internet background noise”, or has been observed scanning or attacking devices across the Internet. The result is returned as text. - **input**: >An IP address. - **output**: >Additional information about the IP fetched from Greynoise API. - **references**: >https://greynoise.io/, https://github.com/GreyNoise-Intelligence/api.greynoise.io +- **requirements**: +>A Greynoise API key. ----- diff --git a/doc/expansion/greynoise.json b/doc/expansion/greynoise.json index f1f1003..49ba481 100644 --- a/doc/expansion/greynoise.json +++ b/doc/expansion/greynoise.json @@ -1,9 +1,9 @@ { "description": "Module to access GreyNoise.io API", "logo": "logos/greynoise.png", - "requirements": [], + "requirements": ["A Greynoise API key."], "input": "An IP address.", "output": "Additional information about the IP fetched from Greynoise API.", "references": ["https://greynoise.io/", "https://github.com/GreyNoise-Intelligence/api.greynoise.io"], - "features": "The module takes an IP address as input and queries Greynoise for some additional information about it. The result is returned as text." + "features": "The module takes an IP address as input and queries Greynoise for some additional information about it: basically it checks whether a given IP address is “Internet background noise”, or has been observed scanning or attacking devices across the Internet. The result is returned as text." } From 3b7a5c4dc2541f3b07baee69a7e8b9694a1627fc Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Tue, 28 Jul 2020 11:47:53 +0200 Subject: [PATCH 06/30] add: Specific error message for misp_standard format expansion modules - Checking if the input format is respected and displaying an error message if it is not --- misp_modules/modules/expansion/__init__.py | 9 +++++++++ misp_modules/modules/expansion/apivoid.py | 7 ++++++- misp_modules/modules/expansion/assemblyline_query.py | 5 +++++ misp_modules/modules/expansion/censys_enrich.py | 7 ++++--- misp_modules/modules/expansion/circl_passivedns.py | 7 ++++--- misp_modules/modules/expansion/circl_passivessl.py | 7 ++++--- misp_modules/modules/expansion/cve_advanced.py | 8 +++++--- misp_modules/modules/expansion/cytomic_orion.py | 6 ++++-- misp_modules/modules/expansion/ipasn.py | 11 ++++++----- misp_modules/modules/expansion/joesandbox_query.py | 5 +++++ misp_modules/modules/expansion/lastline_query.py | 4 +++- misp_modules/modules/expansion/malwarebazaar.py | 5 +++++ misp_modules/modules/expansion/ransomcoindb.py | 5 +++++ misp_modules/modules/expansion/recordedfuture.py | 5 +++++ misp_modules/modules/expansion/sophoslabs_intelix.py | 7 +++++++ misp_modules/modules/expansion/trustar_enrich.py | 5 +++++ misp_modules/modules/expansion/urlhaus.py | 8 +++++++- misp_modules/modules/expansion/virustotal.py | 8 +++++++- misp_modules/modules/expansion/virustotal_public.py | 7 ++++++- misp_modules/modules/expansion/xforceexchange.py | 5 +++++ 20 files changed, 107 insertions(+), 24 deletions(-) diff --git a/misp_modules/modules/expansion/__init__.py b/misp_modules/modules/expansion/__init__.py index 14d5499..af895e3 100644 --- a/misp_modules/modules/expansion/__init__.py +++ b/misp_modules/modules/expansion/__init__.py @@ -19,3 +19,12 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c 'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', 'malwarebazaar', 'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich', 'trustar_enrich', 'recordedfuture'] + + +minimum_required_fields = ('type', 'uuid', 'value') + +checking_error = 'containing at least a "type" field and a "value" field' +standard_error_message = 'This module requires an "attribute" field as input' + +def check_input_attribute(attribute, requirements=minimum_required_fields): + return all(feature in attribute for feature in requirements) diff --git a/misp_modules/modules/expansion/apivoid.py b/misp_modules/modules/expansion/apivoid.py index 5d6395e..a71b5e6 100755 --- a/misp_modules/modules/expansion/apivoid.py +++ b/misp_modules/modules/expansion/apivoid.py @@ -1,5 +1,6 @@ import json import requests +from . import check_input_attribute, standard_error_message from pymisp import MISPAttribute, MISPEvent, MISPObject misperrors = {'error': 'Error'} @@ -74,7 +75,11 @@ def handler(q=False): request = json.loads(q) if not request.get('config', {}).get('apikey'): return {'error': 'An API key for APIVoid is required.'} - attribute = request.get('attribute') + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + attribute = request['attribute'] + if attribute['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} apikey = request['config']['apikey'] apivoid_parser = APIVoidParser(attribute) apivoid_parser.parse_domain(apikey) diff --git a/misp_modules/modules/expansion/assemblyline_query.py b/misp_modules/modules/expansion/assemblyline_query.py index 226e4dd..67fce45 100644 --- a/misp_modules/modules/expansion/assemblyline_query.py +++ b/misp_modules/modules/expansion/assemblyline_query.py @@ -1,5 +1,6 @@ # -*- coding: utf-8 -*- import json +from . import check_input_attribute, standard_error_message from assemblyline_client import Client, ClientError from collections import defaultdict from pymisp import MISPAttribute, MISPEvent, MISPObject @@ -139,6 +140,10 @@ def handler(q=False): if q is False: return False request = json.loads(q) + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + if request['attribute']['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} if not request.get('config'): return {"error": "Missing configuration."} if not request['config'].get('apiurl'): diff --git a/misp_modules/modules/expansion/censys_enrich.py b/misp_modules/modules/expansion/censys_enrich.py index 0fc61ae..d5823ff 100644 --- a/misp_modules/modules/expansion/censys_enrich.py +++ b/misp_modules/modules/expansion/censys_enrich.py @@ -3,6 +3,7 @@ import json import base64 import codecs from dateutil.parser import isoparse +from . import check_input_attribute, standard_error_message from pymisp import MISPAttribute, MISPEvent, MISPObject try: import censys.base @@ -36,11 +37,11 @@ def handler(q=False): api_id = request['config']['api_id'] api_secret = request['config']['api_secret'] - if not request.get('attribute'): - return {'error': 'Unsupported input.'} + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} attribute = request['attribute'] if not any(input_type == attribute['type'] for input_type in mispattributes['input']): - return {'error': 'Unsupported attributes type'} + return {'error': 'Unsupported attribute type.'} attribute = MISPAttribute() attribute.from_dict(**request['attribute']) diff --git a/misp_modules/modules/expansion/circl_passivedns.py b/misp_modules/modules/expansion/circl_passivedns.py index d278a85..5f98314 100755 --- a/misp_modules/modules/expansion/circl_passivedns.py +++ b/misp_modules/modules/expansion/circl_passivedns.py @@ -1,5 +1,6 @@ import json import pypdns +from . import check_input_attribute, standard_error_message from pymisp import MISPAttribute, MISPEvent, MISPObject mispattributes = {'input': ['hostname', 'domain', 'ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port'], 'format': 'misp_standard'} @@ -58,11 +59,11 @@ def handler(q=False): if not request['config'].get('username') or not request['config'].get('password'): return {'error': 'CIRCL Passive DNS authentication is incomplete, please provide your username and password.'} authentication = (request['config']['username'], request['config']['password']) - if not request.get('attribute'): - return {'error': 'Unsupported input.'} + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} attribute = request['attribute'] if not any(input_type == attribute['type'] for input_type in mispattributes['input']): - return {'error': 'Unsupported attributes type'} + return {'error': 'Unsupported attribute type.'} pdns_parser = PassiveDNSParser(attribute, authentication) pdns_parser.parse() return pdns_parser.get_results() diff --git a/misp_modules/modules/expansion/circl_passivessl.py b/misp_modules/modules/expansion/circl_passivessl.py index 102bed8..65783d7 100755 --- a/misp_modules/modules/expansion/circl_passivessl.py +++ b/misp_modules/modules/expansion/circl_passivessl.py @@ -1,5 +1,6 @@ import json import pypssl +from . import check_input_attribute, standard_error_message from pymisp import MISPAttribute, MISPEvent, MISPObject mispattributes = {'input': ['ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port'], 'format': 'misp_standard'} @@ -83,11 +84,11 @@ def handler(q=False): if not request['config'].get('username') or not request['config'].get('password'): return {'error': 'CIRCL Passive SSL authentication is incomplete, please provide your username and password.'} authentication = (request['config']['username'], request['config']['password']) - if not request.get('attribute'): - return {'error': 'Unsupported input.'} + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} attribute = request['attribute'] if not any(input_type == attribute['type'] for input_type in mispattributes['input']): - return {'error': 'Unsupported attributes type'} + return {'error': 'Unsupported attribute type.'} pssl_parser = PassiveSSLParser(attribute, authentication) pssl_parser.parse() return pssl_parser.get_results() diff --git a/misp_modules/modules/expansion/cve_advanced.py b/misp_modules/modules/expansion/cve_advanced.py index 86cba8c..bd2d277 100644 --- a/misp_modules/modules/expansion/cve_advanced.py +++ b/misp_modules/modules/expansion/cve_advanced.py @@ -1,7 +1,8 @@ -from collections import defaultdict -from pymisp import MISPEvent, MISPObject import json import requests +from . import check_input_attribute, standard_error_message +from collections import defaultdict +from pymisp import MISPEvent, MISPObject misperrors = {'error': 'Error'} mispattributes = {'input': ['vulnerability'], 'format': 'misp_standard'} @@ -108,7 +109,8 @@ def handler(q=False): if q is False: return False request = json.loads(q) - attribute = request.get('attribute') + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} if attribute.get('type') != 'vulnerability': misperrors['error'] = 'Vulnerability id missing.' return misperrors diff --git a/misp_modules/modules/expansion/cytomic_orion.py b/misp_modules/modules/expansion/cytomic_orion.py index 9723ed6..b730135 100755 --- a/misp_modules/modules/expansion/cytomic_orion.py +++ b/misp_modules/modules/expansion/cytomic_orion.py @@ -7,6 +7,7 @@ An expansion module to enrich attributes in MISP and share indicators of comprom ''' +from . import check_input_attribute, standard_error_message from pymisp import MISPAttribute, MISPEvent, MISPObject import json import requests @@ -146,9 +147,10 @@ def handler(q=False): if not request.get('attribute'): return {'error': 'Unsupported input.'} - attribute = request['attribute'] + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} if not any(input_type == attribute['type'] for input_type in mispattributes['input']): - return {'error': 'Unsupported attributes type'} + return {'error': 'Unsupported attribute type.'} if not request.get('config'): return {'error': 'Missing configuration'} diff --git a/misp_modules/modules/expansion/ipasn.py b/misp_modules/modules/expansion/ipasn.py index 3c6867c..3a32358 100755 --- a/misp_modules/modules/expansion/ipasn.py +++ b/misp_modules/modules/expansion/ipasn.py @@ -1,6 +1,7 @@ # -*- coding: utf-8 -*- import json +from . import check_input_attribute, standard_error_message from pyipasnhistory import IPASNHistory from pymisp import MISPAttribute, MISPEvent, MISPObject @@ -34,11 +35,11 @@ def handler(q=False): if q is False: return False request = json.loads(q) - if request.get('attribute') and request['attribute'].get('type') in mispattributes['input']: - toquery = request['attribute']['value'] - else: - misperrors['error'] = "Unsupported attributes type" - return misperrors + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + if request['attribute']['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} + toquery = request['attribute']['value'] ipasn = IPASNHistory() values = ipasn.query(toquery) diff --git a/misp_modules/modules/expansion/joesandbox_query.py b/misp_modules/modules/expansion/joesandbox_query.py index 1ace259..b9c4987 100644 --- a/misp_modules/modules/expansion/joesandbox_query.py +++ b/misp_modules/modules/expansion/joesandbox_query.py @@ -1,6 +1,7 @@ # -*- coding: utf-8 -*- import jbxapi import json +from . import check_input_attribute, checking_error, standard_error_message from joe_parser import JoeParser misperrors = {'error': 'Error'} @@ -27,6 +28,10 @@ def handler(q=False): if not apikey: return {'error': 'No API key provided'} + if not request.get('attribute') or not check_input_attribute(request['attribute'], requirements=('type', 'value')): + return {'error': f'{standard_error_message}, {checking_error} that is the link to the Joe Sandbox report.'} + if request['attribute']['type'] != 'link': + return {'error': 'Unsupported attribute type.'} url = request['attribute']['value'] if "/submissions/" not in url: return {'error': "The URL does not point to a Joe Sandbox analysis."} diff --git a/misp_modules/modules/expansion/lastline_query.py b/misp_modules/modules/expansion/lastline_query.py index 4ce4e47..dcabda5 100644 --- a/misp_modules/modules/expansion/lastline_query.py +++ b/misp_modules/modules/expansion/lastline_query.py @@ -3,8 +3,8 @@ Module (type "expansion") to query a Lastline report from an analysis link. """ import json - import lastline_api +from . import check_input_attribute, checking_error, standard_error_message misperrors = { @@ -52,6 +52,8 @@ def handler(q=False): try: config = request["config"] auth_data = lastline_api.LastlineAbstractClient.get_login_params_from_dict(config) + if not request.get('attribute') or not request['attribute'].get('value'): + return {'error': f'{standard_error_message}, {checking_error} that is the link to a Lastline analysis.'} analysis_link = request['attribute']['value'] # The API url changes based on the analysis link host name api_url = lastline_api.get_portal_url_from_task_link(analysis_link) diff --git a/misp_modules/modules/expansion/malwarebazaar.py b/misp_modules/modules/expansion/malwarebazaar.py index 4574b75..60739e8 100644 --- a/misp_modules/modules/expansion/malwarebazaar.py +++ b/misp_modules/modules/expansion/malwarebazaar.py @@ -1,5 +1,6 @@ import json import requests +from . import check_input_attribute, checking_error, standard_error_message from pymisp import MISPEvent, MISPObject mispattributes = {'input': ['md5', 'sha1', 'sha256'], @@ -34,7 +35,11 @@ def handler(q=False): if q is False: return False request = json.loads(q) + if not request.get('attribute') or not check_input_attribute(request['attribute'], requirements=('type', 'value')): + return {'error': f'{standard_error_message}, {checking_error} that is the hash to submit to Malware Bazaar.'} attribute = request['attribute'] + if attribute['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} url = 'https://mb-api.abuse.ch/api/v1/' response = requests.post(url, data={'query': 'get_info', 'hash': attribute['value']}).json() query_status = response['query_status'] diff --git a/misp_modules/modules/expansion/ransomcoindb.py b/misp_modules/modules/expansion/ransomcoindb.py index 2b9b566..d9a1712 100644 --- a/misp_modules/modules/expansion/ransomcoindb.py +++ b/misp_modules/modules/expansion/ransomcoindb.py @@ -1,4 +1,5 @@ import json +from . import check_input_attribute, checking_error, standard_error_message from ._ransomcoindb import ransomcoindb from pymisp import MISPObject @@ -28,6 +29,10 @@ def handler(q=False): q = json.loads(q) if "config" not in q or "api-key" not in q["config"]: return {"error": "Ransomcoindb API key is missing"} + if not q.get('attribute') or not check_input_attribute(attribute, requirements=('type', 'value')): + return {'error': f'{standard_error_message}, {checking_error}.'} + if q['attribute']['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} api_key = q["config"]["api-key"] r = {"results": []} diff --git a/misp_modules/modules/expansion/recordedfuture.py b/misp_modules/modules/expansion/recordedfuture.py index c42a42b..2f71dbb 100644 --- a/misp_modules/modules/expansion/recordedfuture.py +++ b/misp_modules/modules/expansion/recordedfuture.py @@ -1,6 +1,7 @@ import json import logging import requests +from . import check_input_attribute, checking_error, standard_error_message from urllib.parse import quote from pymisp import MISPAttribute, MISPEvent, MISPTag, MISPObject @@ -257,6 +258,10 @@ def handler(q=False): else: misperrors['error'] = 'Missing Recorded Future token.' return misperrors + if not request.get('attribute') or not check_input_attribute(request['atttribute'], requirements=('type', 'value')): + return {'error': f'{standard_error_message}, {checking_error}.'} + if request['attribute']['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} input_attribute = request.get('attribute') rf_enricher = RFEnricher(token, input_attribute) diff --git a/misp_modules/modules/expansion/sophoslabs_intelix.py b/misp_modules/modules/expansion/sophoslabs_intelix.py index 017683a..6c6204a 100644 --- a/misp_modules/modules/expansion/sophoslabs_intelix.py +++ b/misp_modules/modules/expansion/sophoslabs_intelix.py @@ -1,3 +1,4 @@ +from. import check_input_attribute, checking_error, standard_error_message from pymisp import MISPEvent, MISPObject import json import requests @@ -105,6 +106,12 @@ def handler(q=False): misperrors['error'] = "Missing client_id or client_secret value for SOPHOSLabs Intelix. \ It's free to sign up here https://aws.amazon.com/marketplace/pp/B07SLZPMCS." return misperrors + to_check = (('type', 'value'), ('type', 'value1')) + if not request.get('attribute') or not any(check_input_attribute(request['attribute'], requirements=check) for check in to_check): + return {'error': f'{standard_error_message}, {checking_error}.'} + attribute = request['attribute'] + if attribute['type'] not in misp_types_in: + return {'error': 'Unsupported attribute type.'} client = SophosLabsApi(j['config']['client_id'], j['config']['client_secret']) if j['attribute']['type'] == "sha256": client.hash_lookup(j['attribute']['value1']) diff --git a/misp_modules/modules/expansion/trustar_enrich.py b/misp_modules/modules/expansion/trustar_enrich.py index efe7c53..a0d6177 100644 --- a/misp_modules/modules/expansion/trustar_enrich.py +++ b/misp_modules/modules/expansion/trustar_enrich.py @@ -1,5 +1,6 @@ import json import pymisp +from . import check_input_attribute, checking_error, standard_error_message from pymisp import MISPAttribute, MISPEvent, MISPObject from trustar import TruStar @@ -110,7 +111,11 @@ def handler(q=False): misperrors['error'] = "Your TruSTAR API key and secret are required for indicator enrichment." return misperrors + if not request.get('attribute') or not check_input_attribute(request['attribute'], requirements=('type', 'value')): + return {'error': f'{standard_error_message}, {checking_error}.'} attribute = request['attribute'] + if attribute['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} trustar_parser = TruSTARParser(attribute, config) try: diff --git a/misp_modules/modules/expansion/urlhaus.py b/misp_modules/modules/expansion/urlhaus.py index baaaaf6..ed13b77 100644 --- a/misp_modules/modules/expansion/urlhaus.py +++ b/misp_modules/modules/expansion/urlhaus.py @@ -1,6 +1,8 @@ -from pymisp import MISPAttribute, MISPEvent, MISPObject +# -*- coding: utf-8 -*- import json import requests +from . import check_input_attribute, standard_error_message +from pymisp import MISPAttribute, MISPEvent, MISPObject misperrors = {'error': 'Error'} mispattributes = {'input': ['domain', 'hostname', 'ip-src', 'ip-dst', 'md5', 'sha256', 'url'], @@ -134,7 +136,11 @@ def handler(q=False): if q is False: return False request = json.loads(q) + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} attribute = request['attribute'] + if attribute['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} urlhaus_parser = _misp_type_mapping[attribute['type']](attribute) return urlhaus_parser.query_api() diff --git a/misp_modules/modules/expansion/virustotal.py b/misp_modules/modules/expansion/virustotal.py index b09de81..12f7552 100644 --- a/misp_modules/modules/expansion/virustotal.py +++ b/misp_modules/modules/expansion/virustotal.py @@ -1,6 +1,7 @@ -from pymisp import MISPAttribute, MISPEvent, MISPObject import json import requests +from . import check_input_attribute, standard_error_message +from pymisp import MISPAttribute, MISPEvent, MISPObject misperrors = {'error': 'Error'} mispattributes = {'input': ['hostname', 'domain', "ip-src", "ip-dst", "md5", "sha1", "sha256", "url"], @@ -195,6 +196,11 @@ def handler(q=False): if not request.get('config') or not request['config'].get('apikey'): misperrors['error'] = "A VirusTotal api key is required for this module." return misperrors + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + if request['attribute']['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} + event_limit = request['config'].get('event_limit') if not isinstance(event_limit, int): event_limit = 5 diff --git a/misp_modules/modules/expansion/virustotal_public.py b/misp_modules/modules/expansion/virustotal_public.py index e7c2e96..6ffb7f9 100644 --- a/misp_modules/modules/expansion/virustotal_public.py +++ b/misp_modules/modules/expansion/virustotal_public.py @@ -1,6 +1,7 @@ -from pymisp import MISPAttribute, MISPEvent, MISPObject import json import requests +from . import check_input_attribute, standard_error_message +from pymisp import MISPAttribute, MISPEvent, MISPObject misperrors = {'error': 'Error'} mispattributes = {'input': ['hostname', 'domain', "ip-src", "ip-dst", "md5", "sha1", "sha256", "url"], @@ -174,7 +175,11 @@ def handler(q=False): if not request.get('config') or not request['config'].get('apikey'): misperrors['error'] = "A VirusTotal api key is required for this module." return misperrors + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} attribute = request['attribute'] + if attribute['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} query_type, to_call = misp_type_mapping[attribute['type']] parser = to_call(request['config']['apikey'], attribute) query_result = parser.get_query_result(query_type) diff --git a/misp_modules/modules/expansion/xforceexchange.py b/misp_modules/modules/expansion/xforceexchange.py index 7999ce2..936917f 100644 --- a/misp_modules/modules/expansion/xforceexchange.py +++ b/misp_modules/modules/expansion/xforceexchange.py @@ -1,6 +1,7 @@ import requests import json import sys +from . import check_input_attribute, standard_error_message from collections import defaultdict from pymisp import MISPAttribute, MISPEvent, MISPObject from requests.auth import HTTPBasicAuth @@ -160,6 +161,10 @@ def handler(q=False): return misperrors key = request["config"]["apikey"] password = request['config']['apipassword'] + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message} which should contain at least a type, a value and an uuid.'} + if request['attribute']['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} parser = XforceExchange(request['attribute'], key, password) parser.parse() return parser.get_result() From 3ab67b23b66831dc49e6ecd0a346a8b9b52cbdce Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Tue, 28 Jul 2020 11:56:03 +0200 Subject: [PATCH 07/30] fix: Avoid issues with the attribute value field name - The module setup allows 'value1' as attribute value field name, but we want to make sure that users passing standard misp format with 'value' instead, will not have issues, as well as keeping the current setup --- .../modules/expansion/sophoslabs_intelix.py | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/misp_modules/modules/expansion/sophoslabs_intelix.py b/misp_modules/modules/expansion/sophoslabs_intelix.py index 6c6204a..38d4293 100644 --- a/misp_modules/modules/expansion/sophoslabs_intelix.py +++ b/misp_modules/modules/expansion/sophoslabs_intelix.py @@ -113,12 +113,18 @@ def handler(q=False): if attribute['type'] not in misp_types_in: return {'error': 'Unsupported attribute type.'} client = SophosLabsApi(j['config']['client_id'], j['config']['client_secret']) - if j['attribute']['type'] == "sha256": - client.hash_lookup(j['attribute']['value1']) - if j['attribute']['type'] in ['ip-dst', 'ip-src', 'ip']: - client.ip_lookup(j["attribute"]["value1"]) - if j['attribute']['type'] in ['uri', 'url', 'domain', 'hostname']: - client.url_lookup(j["attribute"]["value1"]) + mapping = { + 'sha256': 'hash_lookup', + 'ip-dst': 'ip_lookup', + 'ip-src': 'ip_lookup', + 'ip': 'ip_lookup', + 'uri': 'url_lookup', + 'url': 'url_lookup', + 'domain': 'url_lookup', + 'hostname': 'url_lookup' + } + attribute_value = attribute['value'] if 'value' in attribute else attribute['value1'] + getattr(client, mapping[attribute['type']])(attribute_value) return client.get_result() From a316e1877f55995df55ad917ca8f8a3a471548e2 Mon Sep 17 00:00:00 2001 From: johannesh Date: Tue, 28 Jul 2020 13:33:48 +0200 Subject: [PATCH 08/30] Add Recorded Future module documentation --- doc/README.md | 18 ++++++++++++++++++ doc/expansion/recordedfuture.json | 9 +++++++++ doc/logos/recordedfuture.png | Bin 0 -> 39310 bytes 3 files changed, 27 insertions(+) create mode 100644 doc/expansion/recordedfuture.json create mode 100644 doc/logos/recordedfuture.png diff --git a/doc/README.md b/doc/README.md index e173ad4..77c1e82 100644 --- a/doc/README.md +++ b/doc/README.md @@ -964,6 +964,24 @@ Module to check an IPv4 address against known RBLs. ----- +#### [recordedfuture](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/recordedfuture.py) + + + +Module to enrich attributes with threat intelligence from Recorded Future. +- **features**: +>Enrich an attribute to add a custom enrichment object to the event. The object contains a copy of the enriched attribute with added tags presenting risk score and triggered risk rules from Recorded Future. Malware and Threat Actors related to the enriched indicator in Recorded Future will be matched against MISP's galaxy clusters and applied as galaxy tags. The custom enrichment object will also include a list of related indicators from Recorded Future (IP's, domains, hashes, URL's and vulnerabilities) added as additional attributes. +- **input**: +>A MISP attribute of one of the following types: ip, ip-src, ip-dst, domain, hostname, md5, sha1, sha256, uri, url, vulnerability, weakness. +- **output**: +>A MISP object containing a copy of the enriched attribute with added tags from Recorded Future and a list of new attributes related to the enriched attribute. +- **references**: +>https://www.recordedfuture.com/ +- **requirements**: +>A Recorded Future API token. + +----- + #### [reversedns](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/reversedns.py) Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes. diff --git a/doc/expansion/recordedfuture.json b/doc/expansion/recordedfuture.json new file mode 100644 index 0000000..bbeea07 --- /dev/null +++ b/doc/expansion/recordedfuture.json @@ -0,0 +1,9 @@ +{ + "description": "Module to enrich attributes with threat intelligence from Recorded Future.", + "logo": "logos/recordedfuture.png", + "requirements": ["A Recorded Future API token."], + "input": "A MISP attribute of one of the following types: ip, ip-src, ip-dst, domain, hostname, md5, sha1, sha256, uri, url, vulnerability, weakness.", + "output": "A MISP object containing a copy of the enriched attribute with added tags from Recorded Future and a list of new attributes related to the enriched attribute.", + "references": ["https://www.recordedfuture.com/"], + "features": "Enrich an attribute to add a custom enrichment object to the event. The object contains a copy of the enriched attribute with added tags presenting risk score and triggered risk rules from Recorded Future. Malware and Threat Actors related to the enriched indicator in Recorded Future will be matched against MISP's galaxy clusters and applied as galaxy tags. The custom enrichment object will also include a list of related indicators from Recorded Future (IP's, domains, hashes, URL's and vulnerabilities) added as additional attributes." +} diff --git a/doc/logos/recordedfuture.png b/doc/logos/recordedfuture.png new file mode 100644 index 0000000000000000000000000000000000000000..a208c0453e811fe2f8fefab566158f5d4ca76e9a GIT binary patch literal 39310 zcmeFYhgVZw6E}(o(nO>qT|^*sQF;@Q7Mk?lrFTP>s(?rlL_!ZmBp^yvKzc7K5IRBW zH9)9R0))UlJm32~`mKBagnQOv9g?%p-ZQgj&-|t&_OZ4qIVmG49v&XKy4oW>;Kq%I zcO{ef8t_efghM27Bk@)L6(ERP7 z!e;*_Vp|h~Lu2K`afil4rP|DMcXBCDYMYt-XA z3!DtM8}6pQ8A8w{B4da_>jeaVJvUg979x@ng!@kW&9Ir1a?!?EA}x!cN6iL*4SJ~M ztNlW?5Q=Cl54QY%uK}Qk9Tj5OUi;S=yfqjBMG1e#m@4{32H+LG&bS9mBln!Xge^*4=P3;#q74neO(yR^KSN{7R56}D#jNn2dXTEAu z1H@un$@15uw(BI^?edl>R$2!pn)eI{|9bS`p#;gfzsSN;CDQ`$U*AW(rqZ@M(gOfQMl7<)B3{WubJ>1 zA4$ZTYJi$I8$64X?T5hMF3-omR|fF{=jyhD61D-rvk< zMtM^`;DjG^ph^B3?H=b%RqZhM|N8E)A$XNE3!Hy{wgGjh|NXg5FDm8l&k=Cq|4aCI z8kE}je-B9Gfc>qKc>Kx|f766#0uc50`2U}P|F;C@q}{gw%~)&jym-#ijF7Y*#4+5{ z0>OW`$i2c~`pVH(vXytf0%x0?HGLNImo#@nI@HPI+IoiBtE=`Wt%{&O*z&+OcNCfE zA@VQB_}~VLYTSFQb1e1mq$w><8LhyeRLogW&@xOu`1@Z92GC!VwAr;lnu^Mz z-s*wj*uL;PPxhy6^yn=etpL-Z3SJjcyj@AV$0}r7FF!$}xv_{lpM#E=g4d&s8UJFa zhf+JMa_tmC+aBi^BuWfwhGFkHebEC0T*yxkQMax)Y@4zFZMH98$cK)Ef!BGZ?rym| zQ-Iahc>#ks)?NsP2kZJ01b=PE1bT7f2Nlo$Z7Fso77An4K`efj0YCj_X6b61qQquZ zoe3ri2vQbhTM&sh_Dupihm)*-5jW4;p-xR@86P&M$er0}RSXr37Bi_)5O!f&Xv9Jz zpctvY2FpB@aN*#{IA|#-3%y(2&TGh^xskdh`N>}YuR-~ObHTD3#QwiCT<#?4qAufYPLM)uK>0?+1>o;b)EW!boY=-l-;aRCFs*{d&J38FcVCV zm#sG3pb}&crPxcCL=7H#{cT;dZ=NJA1f|Q0p#P8_~fvLB8Qojzag|x17KY^`r z?K>*QxN&zFaMQYzQ77yDQsF(QztMLhS#!hijot{aPlMd-&)>)RyXHTOiH?B*7izSogac) zK~w3FSvAOwg~De!+TPi7fIFp8`4RzY8El;Nq-Jj`nijVWkT}LpoeKfSR<%B(iB+bY zqt3Ucg!~fp{GZEN_d$VVg)r3D_-6|S1RvFkf<~qA(s)gjlrtO5*7X7eq{bIIZ?S!& z2ujuaWxPgV;402KXQA=PdtD!+V^dPP>7NQY-;Dlaa05*MR1@{KDD7}f2@DUrcw#BK zJ6E=p{@b0KS}v+$sW7rw^CWauv=Y}Qv!#rLk9e#nm7~vv;J&GPQbP1OEuDW(a0~5B z%(?Ue*8@v;Y+jWRUok|_p@8Sud$G}H%x}h&a7qEb7}_GfheUkIMJFfqUpDa~B*CC9)vtwq$QD3BJxwa=5jV%Cpn4_I@>UM?cNYpzt8WHM&}lD{ z2s8}_0Kh>K)kj)OXp`!H=fhY`s+`K>bq-X>mfF?-W-QYH9oE0fq21ajHj!x=vrBtC zG_Ftftr%+MYiW$HC$uyeNlOSnDu^G^kwop&p2;l~lGfb(HOZIbLnFNZDpKVJLLo!} zuX@u^W)=>W>n6o}@du4POwj}1g&wSCV*Q!oJFQh_R^BTVV!K*TimYVuHHeaBC7(G4 zZiGJAlnCqDIaZV?kwd$;)~FNdHeJWKfM5i|+;>42f-k^qi*`RTvj5R697K5r@=J~x zoJ>!OjGm{z!6|z;45ch{dPApo@LNHXHYjxc#{p~$=lL`I+eT`asZxv|02%TX;h!c* z&8Ixf`D_&<9GF$?&LO6^+2!W`Y!nyw3-$CtVlLc--%OGuit4wdwW{#C+@8hV_}}tX zkPn6dFi@SOOjX z6Gwy@a2V;YbESH!%dfzao+9$x!f*G9t-^G`F~yTdRX^@YnlIO1q8gL0Pm@no!6lsQ z(N%w5F9V$75CTnDyHJE~h=lE*j9JyM?HbT!UR1Zq2j}QXv0ytdF_Qa_Pr%8^){`=? zp7{e*+jtA1;K!&L{ML_A&yFAnWBt%8c2o4^Jk77|4>>Qfme`gSV4*?qJF0(t$t2Xo zA~bnhHLt*a1Xa?iRz(qi4Jz2fuOx1*`!Ue&o z_l9Q(y-%5XQjGOm#Z`H8$DXuIfVR2qmUC{hnEdy)&8=b4^}}!Brxin5(MJvC!E=5y zh6Hg&4x25l+92E~Y3M(k@X=SL`#}DC3$OB3O0qoG4RPYCsOtX}-7sfdLmYxQX+Sqv ztDGOVCjP^J4WEZ1;h%^qLisfb_l&<~fYk6E>@&kF@NzU_(L`qD*i)FnOKhwsOvVnqC{tj8Dv??-wq1agaP_K*0(rcvv*gxc*RP()ylq z(3^=RQfwieFmEXz-C%qtyp{ke_!L1u_!B@1LEsYK-PpmGiUgv3{O2ID zrs_Q#_M2IF^}f2QTwM}1s(hifsY-(1%(Az1_sL($>*x@$4)(9ha2EaN#8koqPI}EYvAn64L|r@uS2Eq zfxEkk?((qwp2g6A{ZE)}n_Ec|cmO`g;||O(S3T?h(y6}C`6}-+49dSn4}c>p?f(X6 zG~Xl3wbtHaUxA6&&)DapHEwEN3YTtEv$~o0zhRYT_EJPzBCzU(=;;cTvxLi?*8*I= z)ZyFz_MokF>-FTxz4mOzEicz>6@QmsK*|6Q&$)jJI?^N9^xsjAcvcAQ@zrYhE*YM? z)+bh^^7~ozAZERUjmIzhQohxzcAXv?e}+o|@+}i-`r^{7BeURv2uj6@b9EgmUQ#&$ zrF&OwW%wVN^Q zXK07xoRRfHl?R0>(2>k-K-&Mi9@@+KS_U-rSU$VA8gsdAT#h$^_{$7%HTfgD1ZhW2 zMRSv}2z9g>?Z2%tDX;1774 z|HMC<6DzOC!+*B*VV7RMP`7s#s)z;_W7L=8TY(L7d^k`-`n3WP4%%-*lH|XIoH<~= zP47@Y+4k-u=e%r`@bD(z!uAd8@m`lJ^imG}%vneKyw&4i^!Ve1^Oewv^E} z@M8sbasMcw2nrrRVO7JH{l*?yl?8q2C8(D}1Kvyc>fJZgGteK(i#nFbnf_hBxu5gk z|I`n!?d1xrH!8*7ZW!YV&atWGfY+R(@YB>UcJs^w! zU6pcqDrc)@zB*<@>(uh+K$KTm&dqkx*vg-F={ALxhSf_fs?P^sJqgwD*9WW4?*IEH zpogC*rE6;+4}M&R38{_+%F)_9OT5>+*7whe&!`${d4RGIWDU<9*8RT{KoN%w)Y@4; z6jAmK++}Y6*b@dJR0x2(C;;XV^OY<`P%ERqQc!IhmWju&0mDdN!-h?sNkJIlnta@? zULOw&^_pFtF`=i3yUkXL(s_>FkBUAo{t--N#D^H>FDAi!GbsS^y?kK^-CnK^{SNh^ z3^ySjyuoD1IkSg^IR#JIDFoLdQYh6+zC~CQ>Z8z~0 zA>gMyLP#2s8c)`1Bz=8L>jTRl2vnJ|PbrVvd^lLdKP0;@S(D7|qnZ0#%L!QAxp--4 znFidX}nyyF>R=vpPm8vDJ?;K*l!=>F0F`4?5K6gnmC6 zDtODR2@2f=a>P*q6{*`gcn18ake_VpN68qhQWqP4;(u0EZ;$k9VBLXUBi?#+q#{n2evHz_EePE&VtmwQlKhJ zmrYSB&~eSVbfMm7M?wk4m&Z{zmM4V75Br}sREph&`HB>@IErs@>ZJXAqcw4ef(aRo zFLQR7+q?35vPl7{)thYiK#(lm?XSOAk>-q7Dfrr7M`|~ebc`RL4!ajrV|^0ZryZht zFh^}|1XBmiTvudBU%@_U%vN_RaGTtfF%2MIuRmJ!nY_p)76{!OOd&q9tZ@6+p4bQ$ zj6VKO*2GlR=cNZWhPbc;xdmRV%Tbj^kg!AQnk_PGqy z_C@*IB99_nS;*{BPCEGJ(iVG^52&2KNTxI)*_o3?$&PrKH)EDT;_ixe92RZV6$A4?k`GM_~Op+Ywqf*$RwT{%A1U`!$ zS0l9Iclxtq{h6BvJ?qyoIc7<93!tm_gqDW8^ZVo5RkoA(AGN-|L8BB(ya>6tAW^B* zy0;s6Qz8ESOGP@JbtQ(orM^=!LIlErYNcbNd3CzUEIih!%Dek8XHI#R z!m~N}(dSJ~70$Mss12c&U^0wF}K50~$5N@`xIX_*>xiIRiX6dy=;_fYGYTytKrZP3-`+Pm7gY+K^ zrNTB%0FC^bxYQX++8x0L_6a1My3!_N$v@NsAw41z4|Z?Mk9Z>QIf9`lW)`qRXtO=pAo3KXeOIXsf-e!9GD{6vBgQ)ep?Ez+3U?dA@zo(@+p>;AtX_Bctq>`Y z?(;Fbn;g^DOZX2vV;iyMXt`Aw#rFA52qfVpa*l{hJ4@jAsc$42_H{-cIV0{f6H1Gm z=F-fpkw!g{FKJF39Ga0voi-2NlhCOk!hAF4>iSv4gI|v|8OODMB04|s&foV6*S2Ul zzf1^iGxjGl^HVD_erNuk^(e#Lq_g@*eagEkQBBJP^-$LS5{nXBv)3ZCIeMplPjL2Z zkENVFa;KiFv1EOl84s|rG_#ROt$6H2e ztIg|D^}dn#Kc*BG3K!LL?;@h@72>&P$a!tRc)Dh(;UUMB#-dgqbsqU?V_0CmiPiZ0s$sptr@m6)1^c0@Z7K* zh9r_bolfs}5!cWn460Hl_VYoMxIo=?=U;ggY^PNmD15vCQQ_^~XzZ8q`q5i{KhjuJ zel6b1IIEw;L0(%l)+Cr}Kbgz3Q|PDtEsG5yhZ(P`1*Ww(sb4s~7S)`wvDido(c0wt z^4gzXx=0q2MUi04$an-OH5+cFSOP^N>8A*k&)#7JP@ZZr$Ln9G~-K0}kd=@QsZ zfG-T4M1Kv1xcXRad&rNcv!Eu=qv9W-c!PIjnp+w4g4w}E%6RNjq z^~K@x#@L9SEt}gESIE=oSh{X-8TF3}eH>nQC2f-}lG`4_>ab)FM~QeHsa}=-4ZBxj zl-ORYxiDGg*8e#gGa#gkH{g1l8`@HmXFQdAM>0;5>Um-82XD%+sJh18-{PX09pI(Z zC8(ZM;*!{^>@X2Du~_aJ!%`JJ8N!tLb&wZO_>z5!=&jl?eN9Nm%_WBSq02!@{Fe~l z*j-v4??w z*=PEp_l~FWD1^)nQ1FM+{AyCN)D~S^k}VU$e&IXV-gXY}o?=$r)m%OBN>iBp@4SO6 z@b@JXpB|ZbxwC)5>`w+sEpP@tgkOQ@ft`v;Yp>!pIFnC-CDdbH-gVZ+y|%qKQOu+0 zlOnG_thLw`RAm%;TyXtk4k<`0X?IrTUtKh!P`E&d|55?2 zL#Zbs2ll)6ypT?jZm=p?r|$9NSg(E?zlE9h4#w7Qzq;T{oRYx~;T#nq<{YrqUFki@ zNu4dReP)&!5O-25e&<3x$P1UO$NN0zi-#w+faBGnXM6b36bBYa049Cl$@gX28q&1F zdz{jj;q0Xd;(SUircEG}IMXlhEabU7s~nI{MhM-%iRxLuZlqfA{S(6hrCt{CyTY=` zdVS`gjjWg|J#eqo-Eojrc1mV6`;V3u9Z*h>Q>L4Ht!t%CZ&h$a@cN4$<4DEarA$lX z160KSp*VwQQQnYV|LZOO#UqPO#v-BkHf5Gkl*`TpfUb4yu0xWgUIyS4HERZ2ds}jZ zs%*x3-@;9n*#L`54Y;0~M|$3da@|DfB+_`UqrU?5L1{)Guy_I=($i3z8ipwl!%Xjfn0yz1MN+WEOWy~EBx83wOg=FuE+^OK)NgqamGE_l^SRp!*! zrAV<0pV}p{#ouAiy3kJ<<3UY+TIYsrdJX=e16)wroBH7Ny;~<{!Y(d2ft+|O#x7quNNu#Rvust)B`&`d5f_sh9AbO<4k*+?lg7G-AMaJy7`D6{&Drw zkJ?9&G>pczlpAR!6tvnelEDvoP!?3l@<3$PxVmIyq>X)79sA`eJ6%yX}2v+fkl0LUOB^V!_zPWv~Wkn3wm?F1jIgH5dR`e?1!b&(;L$fGQw~4MNF({ z^Qhlk3~P*3+@TlsWFIx!p8A0SIv!fhp*HZB@qsWh*J=eGm+H}v3F&)aOR7eacljo?M z{U=oZWwY8*Bz_tn)qI_O2C6bT*SbE}kg)v{A->y;ta9J7A_Hkn<@e<&%k-e>$?D?p zc>pqP$gV*+d+_+|Z^K^yGVDC~O7-KrWO{wkT-q7!-QB}r=DrlIgrMHzP4#}4v%Q4q zi7>v`7P+G)Kp{HqCYuaO67~D}-en{#cjtqFl=d0WEO7y)_yXI9BMIJ+J+)i7pPO5{rV z@Vjo&-bH`A4psWQXf@SyWpE75!Wn8KWm!PZ06KwR&;zKehl3`^+B9G+a@Zcqhype&X5R#6NaxV z`fOUcAKKmA>If1Ef@d69(qx{HeS&>pt+>z35%E9`WB+GdR6)MTvcl%wG_$2Z+ zCAwimtbC4OhK#0pb!igFpkRmDZq!f}Mh4i1(saqUQr+mMR21>^?#66-ytb*M^%Ew` zus)7DV_mX67-rduElLwK(_^QTzUPz&steE*M#S3+zLU9O6qq>Old;^*8^I|T+tA(A=Rb`#p}1FdJ{ z0lK_7?@?jGW=}@S1SxlAFwaUYPG(yVOndbCf9aOx)b+?D?oT#pD0B3Od1|_>+*oQv zo7B+(luvYKgyh&Yt@qnyjIYz1otH)RteSKhyf7VZTDDV;&)(|VIav*WLydMn(bxVa ztZto}2At2saYqQm{F<4aVN5`r+Q%a?(oTxiF!tKpzu2rvxJ1z&Kuw!e*K}lFhEmgY zRJ-)0-?oK|hGqi^mmvq;_2W@=l^D(`^RWmf4zg<|T;l4`w2G+<%bV#CsR1FQL2wb0 zi^hBKnxF9zZ}->%DoyS|I1giiQW%35mF7p|TS~2o+Tbtxil&k%5i1PDmocm1GlhJ5 zsF{Os2{n)hi#U0O|Mq@&Qp!j`Q2k?u7Rf4(!PNc2pirj_Ts_+>2MHa=6+aqPDPzW) zNNS_2r4KE#t$SWvDFui}=XM!Kl6b}YYxW`$iGWs5Q6VFZhi76Af5q!Iiu6@-s4B&hFAo07&wLNC<+M@Y8&R2>o@?90_uTy7EGGD_&T ze=X;{)T+^R$1?Kr)a-Ygj6|OdNSVmE{yvQ^T%A@f*~BJUB121UQhIo&PJ!yP^Z3l$ zmzN2nz#Gx*)Hjuv8}4dZ&ndeI@EP}8`U=(EoX>`b`LXd;%HKw$=#AlOH^?0Dl(>huqLM&pc~M^vo?Co@aen+`9EoK0LySp+DKg7mj}q zVY~NX9gRv9T5Wh^fH(n)6vEHn=&^yNc&3`Rxi2?lUh>FX>RDM0jD^Mu#NpMK4ILS` zFz2jLV(#l(d)yt;tY3Oo*`AL>n|)1w9b}H6ogw8yX$rew7lT)E(@9E%1W-qwhM^6U zi8PTDTqB{(M6c{aLxRiVflUxUFb z&|`2QKfFvE($UyQ(t&0^Gq`;w)^7B- z-wvFxHwF^_uzjB~wsW9193$Y~6BD?d?qL2DVVpgScUh=$)}+bjZF02^3cbj{4&Wfy zueHJWu7iwN8DQLv4d5i)NAuB9-v>{dCVb!?kv93B9b3Vom~lzt z@3IfaXU#ucMoc|Gv&Jo^>6Q;J_0`1M`~G&Du1EWVK*Ir0@P+N`B2MIi_|Xfn^8S_> z7jhj8C@df-@q&KPG#9(inCk}J`Fhv|xI6{p+#in=np0I)S2S$Fr7i7h_wf9=GPt#@X|!HPN(} zVY4p~TAvVhZzyI%SOaezBJ(3--VbQW5ptWh{zq^T9lbw;S$3|7W9~c>UJpHF`cXR| zm0!q{On4C8M#_nXlrOa()yd^Ssg5fAsbacGOa{$@2EuhfI8NU>3Cxca-B}dM2j_8} z7!ccbfM-6ef?A#5{<@4qPRJg4wUY2A?)dCmQ~%?PJuU81Lw#m>dLl;hEC@5j=FWvig4 zN2TYNsdvnM)z6j=rLu6}yBQCHgIAMK>X#``hi2d9S|QKHavC|RBLXNZUF4g%GLtd1 zB(2yDDe|_0(}=fjT>|mwh%csWQ36z&S*0v<;iKFZ?JQoXx}i3aMb@_Z`?4{Lfxr^G zWeo4dxvKB3s?{kybouA>o1}G&3NX>UF{jMBeFYxebz*n(twZx`J7m#`l`WyaFI!26 zI?}HZB2PSJGve|4h$cuU-G+)H!-0ED*#rhudp0~T6Y6skqR4s{Ao6TWj2LOUYlVqeLqe%($9V-VJ$?0o15%V7m^Q@r%!$knw%)-^ zqI2_c7Rja3(52}~Jsqo65{@MVbcHjci*d6n_@k&%l^u%}2!FQJgmU)~c2rLXg6sFT zfa03C6@ih>iJ0r*5Q?ERaj6SHZH1kDtlg7W$eG5TY$9BHO(zlw7k>fGn|N&^n*LtT zZKyPOyH%X-%LYm@RNeqm+>QuPj-1JT<+kj*npK2V-knoFw*s-VCe0O|FVy+ho871} zc;xz%z|3v1%sW3T6@Tn7*& z&9AYpk7FP>b&lL*1jfk68tCb)z0<)b6;;#cW)1=*y^e!*#`v7qIXdf`zB_)hO$00x zaS|&@Wtk$TCLHVZ>psz_;6IX~>V^x{F5xWN#iskTWcft0w`l^8ERQ)0WA zc|#xEbIQbd$w`4DrRRr)>}N*s6WW6J#J!|^?j73(WcKg#&kJ5?*~@4wikXvk#EeWp`zp zvo7)22DxJ@;TK^4#1Bg+9hL}9=;LUA<|BunJG;WT-8-!;kd@C=5$gkSg0IVmQMRg1 zp8*F>E4O2k+MF3JfneH-LbS4IAIM!6oYHPjRw__(2HnqQaim6=Sw9K#y!4|cQ7=Zw z;|hAee)(xD=1@F7{`UQvCDB!}tq}0@R;V7RGR&~ONLa^<7F-@Z-*s($L_))B$ZGM;+R zTYhzmHrU|?q>%LvX*5Azx>2gY`j)dbO(ISf0k^EP@{FtA-UFC?z}MsJ8#f!F;1p~U zV`-nUbsV-$1SrX{Su4pgpba7Sc$jq$zDcFh&I>^hhJ^cR?i3*7B-1Oopc8!dx;B0YM;ZJSJHXDdCN=5l@3GWc{=gXi?f15+e70zYg<0`B31I zCDQ8?>6@2bGh(^oi$8ZbKw0jn1P(l9M_CL^4v_-%Rp?_PF3Cf5FlR$-TT(=&`Qx{i zVXvLE{=rc?U=T}Kl%m z{=$JkJ`fvfvV|AutFbSI+tR05w=4&G-ov~u8g&X92XvcMn{I?t2(qof$|`G{mev@Z z7d?~~WhP{uW(D=ZNJ<%ptED~PuWfZZopDMPB+@Pg#f(mxP1uOTeGNxnXaba0a^RR_ z38%%_S2G2sd$?fT9DQ_g{}fE{SZS35%PPRTz$rfFAXT+8t_10OQ_ooE+Pzt}ZPXWP zi&N+or*#LDdvZ(%R&BRu5ldShbQeU6On-+UYL;Htdb-FMlZW#` zxf^R7H0|PxasypUbIAMjk=UhFOUztAGh@mE4!36!X{!}gyi_x08yIA7RA19^S<@eC zs28jZL>7m^{8Rn#D8_`F>-0MxAeX`!A>Rb}IYgx|#XbGWVtMdGeh6B5*HKwTWalCb}qfEk1 zS?G*K#z_ZDD7(v2j_%S)c>&W#e4UV7mhIz`=-q1XIf(${`ev&K1Pu1nLPT@cL`HRl zcy-n^`{z!hG2C$9pB-n95J5}5HzH2req~Auh3((#DG|5qJgBe8;T64IMLfKBJrXSK zbC$$ANk{jO8))t4&+y%eYtN=pmQNvxE*;WhyZ#ZruQ9g=#}-e0`<@U7o>jSGWM~=4 z>LbXx zYgV3gj{3~4eEA*5XT2iU^SFE`EL{1@;Bdb&z%S64z_Y5dD&ZBtgbg*)B_B0R=*#V@ zn}gA{$no2|PnECR`!JDkcP}rT+pK(`r#M?fEsz>gTc;-6Vl3Sby1BEDQ%&sf7Omym zLS?+TJG&IB8;g<9d;~+K-#1^_wR&vdmGm-cy|dv}C&{86ft4uwf)C{5@Y% zm0>4(hdy;Kxc}aDTt=C%Z+&rgpO1`hk#oOhquhDzYeDt+SFy*V$1QS+tzTJdGoA*T zAq%}`y6)9aKGFSdvzIMd;eFZFa5hD=s;2EI_R@#iKG$&2Fzs3V=hycpd__`%miNEq z3g31E_$JV6WgKgNL0uOUIj4VqJXFyp@s74BGg<9DEC0QcU9Edo;C1~bOw73+J-uwfn3w>aRE^_it&x^=fn*Y2Rh6^GPATJ3~u&mnc$kFD;(kTI;1#bBF=;AvvTxY+(Qc#{vogVk((0XDc%C;{P;6u4d_vC-WB;VRzebWfx z#G+Y~;_H*sPD%r@Q@xqqrm*yBEl+ls#plyv3q(*^rd4^Zpg#D;@1Qq&4X#a) z>4_I~_eopQcG4r$=;e8?mid%hAo5KbY20#e5oN-X_RgCu4EMYes1NK3G3SV57@B+O z#>9i$-2BETi};Zwb)$jJQBW>-l^IZNVq+` z@eVZ}gW`U1e_fOsrGHnbrRke46dO<_GWT<=l^`>bn8)2tF-TnTrk6h0P=`(tZC8UB zy;bq?S>wQqe4YX~++_GGZ{_=W`wrt!=t$7@AJryjt;Q!m?m+4(&VpR|4){Ov%TO(m zl)V&8{A$815mV5m1LUC2t?IAyQ%G6VPB(k0VhX?WAOq;9HVYtgq9LVRfx;%b-Y)m9 zNucuk3L8ecn^oBKq>R^OO(Dl;7Y-Zo{@2N+WOK!*V}nH&Tr5*s2#R!ysm_>u*FBp9 zFT3;1o=Ru1{WME??KhCzC83O7Lg(4-eQ=~}O=yVkW3Ug`Z|5q@l3b2G*_O;Um+N07 z$MwFHfAa%x3;X%0JB?GDS!$a~RMdInLPt~%vA0DpDXvmXx6P+HdNKQV$jbiNgAU!c zYf!fjb&0|9``>pwuBDtN8kX@!id^>enqALN>nQx}<-lfdZLYtfg-eJl3v-pt7(*NH zyBx^;dVOX3b(VTS)lUMTlNGX}&thIJ#=TAU$&VT-dm&W5^AUYyiAed4t1sxdkks)$ zGcz)WEq2(fwA?{i$njl#9d?U%?Dh-mLkg{6u`y{c)RjWh7uHNhvvNpY&-5QQqQ&Si z5*c=?pY>$kLc(r+I=rl9`<>E2I2|_60<+r-V@jP93lABiKL?J5X#hXo7!%HUAR}*g zBSI9(8h=XqZ| zizGQ6jLMU>rOv_4(cVF2wURd8znqKT2wrnMLJh4yIND<;^*8^_MEIh{rFrt>bt;_1 zSHbqzL{KqS?X317kwzOmp`-f4h!H4h1ZvSfM7+85-ka(h_qVfrsVfe@k6EKK7{YE@ zwq(3atFR99@aqWX;c88Kul8PaTqk6(&TXWZAv`N&L6hbNPB^mrGKF9RK9zinn?R`* z1Sx)6(hwIAVikRm!RF$T@SXX06hE^zZ_1ZQjw7?C*cblq$c=a#?&5TZ(>+O+Ese~0 zeh_pkujK8`er)%Q(yp`d>7ol+gm=_iVpVtv8?x6bRvj+w-NV9_2x;;`yS~RCMO?n;G(9OTeDXs zwvTSdHD(8u5#?xym)k%BA0=F^4a}Jfpw1nSa^bJuRkBC&>SrA1E(M+n`Q(iBACJzr z)O8C!0r(TX`z7m6Y*4*XZ~AGsN0yb0E6=K`*`}}8jUWy>Qf}pA)W-sjqj#17Z+E3M z+#AhDlzu###PW#5z`KH*nqp=RpAi5Z%7PY}ZBG}OFR0XjEet5N3Auf69Hn=vL!3`lJ(}FJwO2)NGfc; zB{pGt;)?#U;d3E9`dCl?iuhNIHE7%OXkWC!rJ4@vtkQ{^_8|D^B>7UF*ra;Qw(eK# zj!C|aHW}q1OH4MiIg{^g>hjAH+(2XIdWQ%1>j@~1u408Bm2RI<0%zoce51Z61*1`R zNly*OJA6leoV9~^v*jeG{G5*D)@Qy*}oKUl=-%2o; z23IR{?%?hv9Tq#jR6Al>O{IFjG3K;nd~y4o!sCJ(?P39EpOMC$1LuY3wNlrSGJCSc zk`cN?qveAK!lGc%10K|44dlkAQxgkgpBR70fI8%MxF4u< z=6C6F0Y5P#@v3}7($b4*>Rs>}CSPZl;>b}kE_@nx2DBCD`IH?wDxxs8GwxMupSuev z+vA@1;DduHum7q|+t~?&oQLqCLPkvXc8jFAYh-SUV-a?kShq~;jj7M6AIgHQ(LcZu z^3XSN+fTmm?&gk*Hbv-#GUgo6X)?arfuUt*!x>bs(;2-O&!ld@OVu*&ybcc~1cSfm6Fvfl;?m za#voOv5_+?LjgUVEglND*rm;!c*M#N%|nGqc4Z4Rp%11lw*$?Q?)UZa$GNw^wkAdn zuFRriBwup>z{*&mK#55;A8OQh?AHVWuKyPcV#Sp)~s6?k>+fj7`9Xp z%~?tR?6s5*!`4CJ#DhoE@gICX~Z4H!2E;qaSfSpWY_)0fD;cl(NEC;He=lfp6FqSM;>YEgx3_YY1g5jh5~{3q0Xz0%t)TX%mxoDr&>l$38SXtI_I2l z{e3Y(o0%N89PaycNYS!HBI4q*UXRQAQFNV=SB?JCo9`3h<)cYV_1bxb485Lk{hynW z)b@{fK1c5y8rSqo_5_VR<7Pn_ztV1!H>|o$c?f$rG%cvwuUJ<+5E{s`fi8jHDTbMvux%B<(ouwKeQn|p&N){HtK}YxMLVEB z{B_g0E0XuH!ds6f6j%^ipYi>ZG;u$6F1=j+YH!HQSUih9Ap#*=n9obfJDPVx2c;qQBx!zn+~p`h>{} zwjc?U05fmXWDm&G8IUJ^1^SC-sOJ-*r+5ad+1`3f(VLbuqaeq85*qcnEu4F>%n@q&Ykjm~;^HHvHJ5oA zCzOYxf7hy7b9R2}7f<#;QzgW|L3=8}2=UeaT`MYfyF>qm0h_1W^SWEUXOOVhH|KU* zjauIULaYpx|KxX~n&46+tc|_b!(ghH(5}^tn4Z>--uBm)a%p zv2cS&7a^32E@i=Q(Qj5lg(deZk1b}){II#}JtoJ2K4p8hyi?M)0@G~fb@qNm=eU+K zx4kr_n$~(YlW!%6aDd9)4W$D>1ech-bXq^ukD&+=iiX2 z*}roQF-t0RAj@80swHJPsB*g16JyuJqUi{^;3TMYIoYa#M-dQeeC^-p1; z?Y(D$==7)Pswivz>y3K)xyG}Wo%mHUqeySP_sRkkl#>}%FMm-bE-bpXtcu)rSR`k# zcWcjrjwoF1HfFPjUpFdzo=BHnm*%-8ZG|ixceaf_HN26qp4An}xRv`v#>+>w1Ek~X zXVLDoLA4lC6}Ng?Eo>CJ0r6WYlG$r6>6UJBt?u(4?2yoSrR}MI;{;H#wg!_nbRvWK zGsAHef$biNb63+xafVF(+FAO~zuFxIW$WJ@{LyiL>>F>P{gz4{-TdvT8xz&uGbQoe z&ooc!$`2dA4%_jehDjf_p+~y{lqA+|5h>$t9yYVhb9Q0W+CdgegtI-Z=}?HAhw!v% zd`WoX+%in-S%t|}>bdOgHl%BBD-+q0Onfj1*skM=idD7k@eYe@!omq9a%#T&*STw? z@^KeG8^0_`mGkT7|0KmJd0f#=zV_yG#2Z38(}&;i73heo^V!KBnGNL=Dw_;NUAd)Y zvP(d=q5KvLRwwSv`MoNMEv0RLe5jfd1d-`v-M(Y{-lMGfRa4;9s2LtuV@}BC{#U{# zYPX9UtzT{KC;gB%>&I;k9C;u`U0Pi!Or|s(4%hnAOV)Z`?+ozI_5||8r^jq-Kdv&L zsYbr_lWm{04|vgp;g2I5m-F|r?(gjhsK1zfr}lA1p&veLh`sEzwrTY&U6K88B+5YO z>8KY(36i`WeFB3)g+Dm3P>KB-H{*y5ZkFBli4f9Gzy3pmD&+15KdTzSEaq#2tQM{F+;eCYddf{@C>9VTp*ZmPmP?x_b!n zw4dd479l~`p!dN>DCDxPHBT1IiFvjB8r97*=~x=x|7lg!JNO%+sUKif3+gDD#xS_} zYt(y3v}Y=W1#!Mxk>9jrQ%CW#jZ^Jg(;t`p=-=`h=Pw3vpH7>#b{ATW2WtKOHi&b+?ReQqgA} zgls8Od|bD`lKQRPMXP4ZR`z)=~vv^&u&@WeRD5!?ua#U#u!+ZVN|m z$UcL$U8|P5zThW5?@Xyv@GlE{GPBh7!=!z|cby$Y(4Hv%Lg_})1YRjBnZ3&EXOBoj zd;j|*%xL*wA}UJDf%Lzn-Jm9qbbrmK#N>iODBiG(0aDy6V=gLDfhONVqfNH<7>fP}=-jffyE zE!`j?C`!lDOD`cTu*7@$etz%%2V8b$PRyL=oM+CJ+>9tYdm^SE9gyDyOn_gLh5h_@ zx~`cNrtdu8>m;{Fi@+QlydLUjS3@hmoHYIL94qDj`FnZifdKU|)IUB4n*xT&IG{0_ z2*?D%&urQgomvkI?A}U4SZb>chd86JO4=oUb$PNjV@BDoE&z~7rlP+^qVh`6u$D5K zgwIzvjjmI2<7FU+HevR!x4lYnkQEFrbXg$?G0$?2IY8{F(r{7RyDpWrYC25jv?-cB zJWF1LMANh1;eDtc$Sz|j;EW*9M9*On^F3qZ; z)`=jkOH;-)$c_YST)~7#AvH(erS&#*>-E(pE#n5c1gJ2Z5i6mS4^14_xq@41fReydnGhb3BsJ{pB<*XF*x<4HSC<&7#ehVQ2uY z6*ECo>(nD#)2avNEEj`|o1&t*?z#VJAYBSm73iJW<`UNFG%oWQ+tEO7CYFQZbKj=g z5e$WwE9lrb-?6!2@%4+LW=E+`6JQn%Ta$FdpWkwS3zW3ee0Heg=>f*MC^?RMX7O2) zJrYAk%IevcgKU@55qVCz;IJj!B*7~ptklME==;>>dLe&DM!rH3o!RMuf!Uy-g$|Y- z7!M)L7P4ru%|2H0mX>~8vf$_WLF;sylPZ2nlw)mC%Uu53T|7s zBrR4jK5^REkv+tnUuE-GEF&Ae06SPz9}iW1|80QKY((wDWc|Wb&LX7V&%f`M(Vv~zX z8WDUINwRJlPtZI#oudgsg-e*7dL{t-j(w!$(9l#n3&XLKXk)%F4mZKCcOI||-GH}F zg1De-ljImE$%m8nP`SDE?#Rs-lC_EE71>ynrPWNAe2lb%ZsT1^x&H(w{@A{ytAP(u z1>4qMI+*x-vU}83RVYm?8e5&MXWcG;*;ewQ0z3XUp5O^Eo|@xFA5nbH`bIv{vP~TG zIQW5s;B!?5I#5>XJYN}U-~f?fjTnq=cEq!vlL13W8w@YSO!zFAwX8lD?&Z6=P+zjW z0gC}4`)YeSTCxk8sjbo!ro^Q49aUM4w3^&UF%&BS7b<){{S~!T8|zjaIc+o5IxRjU%>1WW zS?kQ=(gzT1Ql57^AlM8aM_LE>SjE~j9S^NIVz(4LgBLm7=8vZnbcJ&k*OM0XV^+}? zRLi-OS zMr31d?#94W;X|iR=lu*bayLR6#m_ma>^O3!U61;Xii!$T=doV3D`(7DBZ{qibSb2> zw1378Y3HZl3@oyZwtgtrGuxhR&axAv-6ySdrO)^5?97J$7RI5$Ix~$%o?oME78Fr* zk`kx)tYm&t#7QW&J5}|;Np`%2rEft>%F`;$(zKv9!#4QR-hsmbUGpcr%Xo}>X~I4? z-8r6$AWI(oFy{lYTDb4gG)&_47_d33OvD_cPwLt$I63#yJCffou^6NKP9GVW{Y2X5 zEZclN6Wecd)Gu+JQT=IB%f9vBsbGkoEnR*d^kT-xztJ>;Q^Bm_?B_-|T=-vGO;Bp~ zv|(MsM)7&O^FC$U(DMv;m3PJtCxKHKjF|GV8hbQ0GXWv+9-}yih9lhQWH#2{@5WB* zATO+UL;EZMg}0|=`uOqLP3qW5PB@DEz@@7AMv#|6XWQ9MxPD)Ut84YPq5sm&|Luc= zhn8~BeihE)Y2#?r17`5?Q?eemDr}|r9uZi|v*_c6>j?`gQ=MFhwrBSbZ;T~Z5u81C*R!rRz)p#Q$;{%2V;{Q>PyZxAXeXf{4=$r3l{BT<@DzdqN)M|5O)qL))#`8Wr3wBgzhz6YQYRHOlyKwktlx_ z4B~QOpC_U}9~b8qzP)pYqYyYWulKNzr&J5cfmB41$d{B{`3im=Xnki#F7e08mV=`6 z;L=6Y*Vq z2bag#lw~>~otXWBe4`V|z*O4RGpx9F9U8lG>L~?3gM;99#GbvbXe&J@_LK+d(V zl=u3NxwdlxZg=8}$tzuO>IBGhE|9SNR8NzX59TqI(6_GG5i;I`u7}c579y%wA4lH& zq#$B8V6xBDPRFsfy6~`ml4!HT{vhX9kflFZg5GXDXF3aUo41i^lNAjNB4bqfds57? zf#Ax>Lkm03cAwSrc~V|LF4I1zrzBxSH8hYS4_b#)wYW|AK&J(0Qx&bKG$KKv?H)Gm zOih!&GxxhER8&&g!-xDgYqTJLHjMN6{Ars6yne{$Nptrk#G;<^dR?>l4p4%Eibg$XF|Ll%6bHpsy>wktZs^X}b?Qzt8~5<7Pq|?*wI~bwPh#b<1iwVq zN%i9(ogNQ0iUq+%b1bwnbcF)!fy`yw$adk3($jlmY>@K+R|U*n;ptCy3`19648PoT z?(GgdXN4UvGl`bk_3=K`SmAJ2Z-;v5F28_nfCQ<#%I-d>LAfMrn9o6DFOzsAMtb?V zV2@RYy~rQ1rmWo;%YG5@sdQV?0e)0IQNz$uYFj!#b(+c-`fmT5&SlIyVZy!z%!CL` z1=RO>@imj3aNL2`kB}dC3B|<}L#7k>A`kQ@n|f9a*p+6aG76ot!UJ*sX2|`TF*CnfO$UC%iy0)-zcuxc|lmrPuLgIQUv@~ zqn(n3<7b%Uyr=_HxLQd0_L`!KC5Ps~rGi2ZlO9ZHR(_E~&>Jr$Q+_JS;^HxKw{rZ= zlZ!DRF{rNyM`4CKD2)jiBsqeuP>stCQ4z$hn0|6jhW(`%DPOzxTKN zgmPQvzP1#o3!rJxGTFOoxMC+`oZ`EnjEnHwN<+!VO$HlcP>&PrOWsmWf*)CJP|VFy z{;kkS1A5RQzu7(ES%fB%CrrUPHTSPVs58VlmF$<)gX_)@8*H;V7F6Q^?b}Y4wy&BI z4_Opy^*qdiYA}ICT0YzkZ*cwMc>)3daIkvw?HIlnV2?zfQqQQ32|~T0081VC*!K?( zLpex9Zf|{o!)`b ziQF1VKk9Si{E#O{l>!G^bV(O!&wN^Z#fz?0;~!%?JU&&_65Ehm9_T_P9>X*2l{_eM zyw`FfkYx9BtqNGa!Yh=(r@x>1uS`nr3w|FZHNz+3qwz5>ttdYO(w(?au4aZpUG1)Y zS4^!Cakbid5Vjj3tE9`HFW8{H528H~bRhy(YdgDicdxy=w4Kxct(gQTU-)+ZmAto= z>=LVc_A;p3BOx!~Vk~&zW#R*tw=`X!wJ3=kV`PCX)QW*D;bodOL!eX2i z%a{62WGU*Zo|fqNU0^WKG^ir{iE>;(;C{FV9qIzQh-h0}7e1D{<7IAa{qbU#p_9HX z{-e_QG=%bg$S?mtWWO^;+`Oa5q>|SIKkAUyPNbQ9K;`-c(rV7$%46{2?v4+ZS7@JX z?fwLHwM%EVgiH+DmLBZ5eSYY>l*~H0K_?xz@rN?G^50*{TejQ4_yFT@wx87Svmkil zFtm$Bl5*mzQ+jF@05<>o6w=m1SeD35%)P>&cPMsVG$`qYJ2Au@%3WhL@iHI&3kvD9 zVyT0Dq@CerTKdmi{`<#NCN=lAP}yQ zk2%pSnljE1fL+bW=!q)+ywOEGTaXAH|FQwu zN@e0bR=^kn9vz^LlD)@bz-KBM0Dj*>0nddX^Z$9mQQ>D{rPr&3Jt=kA%s|jf_`VY< zz!Z0x{@>Gp5_|vqa+Uz!=Su*kb>yE(`X1nn>D+<;dq9KhewqX^hfpNA;BF=eUO?tX z1M*ZR-MD9g|M&UEcK^ueq$FNp@Pvt+pCKGIq(%xV_SrkZOf5yCDY@^@a}claf8X>p zYE}E>5X$4Nj!AbsJRHVi^G*%IlGb-YxVs@~NF=+ALhG-|Vic|m0RQu1ErQ??Clpv* z_sKX+k22V(n-658l;ZUp)geP~OA<5IeN&xB`Sf%Qhi6c8j|F6|3KRWLyicD4EnLhk z`gpH_#!L!pdq^dCUH=4zPLD-QW79@fyW*PlbJ3W>my80Js#{r_9aitcs>fn8m?QmCenBi$#DNA zp>y{;4QoFyA!4|qD4*#tAA9BIfjViXenJK`IGQLBWOKRl4&*E0`SSj8qE{Bu=9;j3 zb$R4pyrW^d3+nc%PRVV)k30Q$a{HGd$`l#7{jK~<9LrxuJs*L-eiXb{fqgeG;rV!| zLeSnnEKsTyRa7&ePL^u+E5J@Dfs7dYivBs1T=zxJ_9Bk*k2(=%#WYbHf3-KNJaQ%7 z@>6hqy^?@|Oe_CtSr-6H6k?GvU8H_luz{mk@+$^*&hK}HziV%)qDb`!c8h_=yfXf3 zDP}2epuFV?-Q#r-4y9IeH3!(cq3(Vl9`g?0{p1oJmw|XHp)$$3uU^tC#i@>f+)s1p zqvIn^g?mj{6v4K2*7i;e&G~ts{|8BVH7&+K_Dk7Z9>M_>{>GB(!TKZM zSO*b32QchV3(i>(PZ@yhfD`56y}{zVEex1crhOG!n1Uf;K^3Jk4DGxd9X+WYA^S#< zbAW0Re@2W zOyV|>3uw$_VmSP&lOC%&5q6!c0u7*fm5%yK^pL>gFz1M+KDlja@a!ZiOBXNTxb9A`-VkDJc)X){XEw$2u?6)lHf`SO6@VG1BsB~q=yYC-W%b9|H)p; zCTdEmHbl3Z?^n}{IIAFdh2oeoKNmxQT6)UPqTO!$5CGBaNv+#ydaN(~JI(2q3r5`! z@1swyDN0A}eef>Rz3k0@OYW$yIljz%P;>qGH{GbGsv=4eCCra+k#Wf{OG4^ z%3u@S83J;=@1rb!{L7V4Ps%jT0}dXhE77dhhi)QSu#^OBYI;*(*TbZr)aHocG^?E33}EnUJbq|2A{e?CUvc(M#8@+})o*GPWT7q0C&bY!St+ znNB2J*A(Nra%9pwhg* zM=L?q!f6$RZYwT4!Atbhlc*c-8E>m!Yta@|*jQLch3@N}Nc3s-Ua)##`Zyy-h3*qr ziaB%+#tmWNi=OWi)MkOD5UF{9RpUgb4wxN%BTs>Z#1hMN(uRTfdDW-KfK*!j66XoT zIpN$OABGmcn!3u@AWqd@%*s+g5_~EeWv<2|v*Y@Yg7%Mo0auLUWRB^Z^;P_qy_Y6{ zt7+%Iu)W4w2gx-8r)B27Bz{$&O_MuO#V!6L$~>N@{Ps1dt&Xxw zdYlQEPe+3aI{O#dF!b9eMWv_Gi+6MpUr~OygO9?^hPrK`N+5|fiOb;@))lHIz}J3w zt`k$Fvu*DhY!0WVa%jICOh#-J@-sy&5%nci#et$zoZBrJZ)Gg2tp&V-8l@dEaoJva zv3*zd5|l8C-VDT&5v`2C#K+xFY$2*Fy}EfEFsxDPY9g$!?j&QjFZz5(>UDDQy@l`a z5@v9d05`c&#m8tsMx(_no12*rB?#rbduG=8P(fzh$@?3TYS^5t3mw9p6#x`UNG&p# zui|dXL)1mdy{;GH$D!Y( z=}D`w5+dCbn6l~PLnT4ytNn&!rkPftyvtw9exl z8gwykut*U0uX|g>;mYY2~9{zrQsrK zm(K$*5Zf)-OrXOb%QogS)nMhaAj>-~H%5X{3b$&;F^RWk?-vEXA9<(`X~r6o!W>~c zH1J)^9_}K6OVzp*)*k`3$%-7^0iKPNI<xUPl#;ktBT!*+eEAWwm!q+ixj! zx=N!gX4yp9ZtnzerUTS$$s8YMvDfcr_e&L1yOOyP&WR2!l-(Ez2$wvBlGb&E! zz9{A^7Xpz~lZU3}e92z!dE59jWxDNV$@ZF_i0~jLavS_g>63#johBleIkD(kLR!|@ z)Z;~;xAZmfvYCL;i_X=oef^tk$xgTI973LflpjBCrM9A5;!EI37y|rS~{w>k#@n?ZMw^x=@>x_g`%GY?HY7%pDqe zqz?ZIIxsBc@&@#tF)$cBU+^_SK+a`x@u!)$Em)r93r3)H$Rh>Z}d96RZ%TG=HX)5^B<1aE2j6sFej2zwlsg}+He)3?QK7+ z+Eg3|yrCiO=4%jRpqXszTsUcg!l%dQdz=PGeclj6ACPkSk-5SA&|hln)qSX#h@JM) zBt+?XEd_!il*yoZA-@A-g&X;o3&J({AR1<&-hWC=4y@Iz?JKJr!mh^%B>zqQ{QcB? zE1PxZ>;k6+9|>1>|E#1#g4BA>G z8eQp^e<12#1{%8U7e^SR!%3GZ+{vty`Fo0?kt`Xrh7#~29`(gHt zOdGrT*lokZLv}o7?vJZAdqza59jc0U~K7jm=%|rIhnRB)a~+ zNeVx6RbAmdCZlnr!3&%(D5l*`hgk+2ck{^%Za{`Z(7-i5jdZ85e-lB?Ga1&B)R~Dl zy+1#Ee7|I)|2e4Yl;$sh?*cVX!#mO=L6zJ2Z$2nie$88Xm7dP`_~zv#e40OSeQW#b z#3!oD)1lE@nNz9Via!BQV0n*|#|9VQ>SG7Vzi-ljiBrQlxrYt^1XW5N$hLnry)UeT zV|riCUAWXt0Mh0#(hI5$b}VmSksxCnEO~-&N^K>J17Z2yKKt#i_T;p%2otn!ec}w@ zw+W6tv6IeFtJySQ8mW9oyFbF`wk+45%OS!=F+ByOSQ>+n%AV=p*!O0=ITyABY<^_s z7I$~kZD%+58Vqs_9;ZI*GyG!$yF2d_#}AeBvzgd-0MJN|cJJ~{@=>Z`pAm36?k65X zyJZ9SUdW-?d)WNAWbs0IgNbkRF06C)-iY4u%VPdx|NgrOK4vM0RM?bWU*{zZSfHV* zc!>%MNpT}ZB7k@bAK+7_C$I$&htn6d06()_EH4WBJZW1*h=0KWU_U(BjP&-+QbXpb zi0PePZ@oAL)%PQ!rI^bJI;N*J?Fn|HBEhyK<{I8fJ-mdTOx-|B)N`cecX*!@Y$+I$=3_0t$KW~bAq zL&aTsx74?Ma+`I{P^<$uv*Ii95At~gE_Q_0K{>oK$E=;7V%?mW9l?o>M7Dehu0VdC zPP~ap9Jn~;b58^3Cqr(p8F7SJ2D@^Y&9r78OATl1qdf?HGWp6l#D}jzG_Y{0#DJV{ z6{4Kn)5rX#A3V{|P;u7kp0u-{-D||4?z8k&j6Zq6DQ|faZsjJi5oKARic(p-LaZO*I5ngK1R<`y#A~>@Y6Wt zE`0D1yWF&@3~-U+;Taq z-?!gYcZFCicNu+p4UB+kGzin8?|afcedqEDX}9SDLkHn%G@YA$og= zdChse2F((p+cLcvX$7I1qTX+OISaaDaQA5aiL;g7B9MWw^Rx@6+e)tV8*1tPWMD(} zhYIbAXlX31QryL4HJUzrsY6C0Q7l5gwK_K9nbC9_<~u}N8*=5TiHqZJ?T?VyLrVp$ z9uD+hq4q{XUQLU9W>-`z^3D<>@m9k$XGhxxlc#m3c-KD;6{PRcOB|)KKb`jU?oyl| zZ8+xj<#n0-Xh+5dGvz zI0i9rpEYAF3B4J8+-IHWFAGbtHz`R>i6jEul97)14o@g@rF`NfrNdYg_%N`Q(Ri02 z8Znf@bh&hP*`jrD=!jRLvfS_MFEreR=F#bV_g7&pRGvDCMrkWR6}R=wA2G%W7OIQi z`>4M4$!+MV<$j1Hs;mBS*tlbCsAOIVXe2{W)ZyP}^D7=p7mXV!VjcUSk1URe;_;`; zlZG7Jrxb4%>no5-34w68PvJed@eER#hc(wAHvRaHW0-Z-6h|NqJfqNsWY{6 zy$K8t`Q)9ee*PkP(>woPa&W^Z zS)%aHhAAz!Ug!4CBz)4v@(;W6uDb zbl3A8EG+_&2lKF?++!Z(L{}U>T&RqQb?^)czA2u%DBgK{+_sCBQnuMZMJrXS=|4nN zGv-kpQpz&G-eT;+Br|Vq;t|vrN-E)fBSOIeRf-EP zKqRV0=J?FO+2TGy0Ct2Fc10aR*B=b1Vno-egHxMQIUk;w_vk%pA8k!1O?>|tCu$Wz6mD7VU*#x~6YBuU12P9M{W2m{ol)2jq1bTI zGEaZhC^vChKS5hS0J$(6!^tHLy=qA6KJipWD}1b+uu0hz4YYMG6}RU5{^dm@E_fKb z^;b_A6Ib9V51)#7iwb|Iq}Q?j;eBfISy$Xf*vJG&mbvXd=$Wj8_it>JQMH z(YHhw?#(2G-ilS&m5F#ts&CBH^D}|oc&LmAtt{SL%&dZ`nZ=G^<+m1nYb``PAqm4~ zly0nCqaxMx1vQCWzJ81S#h=~MYkz9tRdYcO+Y^-Lf5sv_}#Rlk>ycsii&Vn_s zo9>b``+E)HDbCMD%i^_2tXs_{uDW9b>(lRgmlZkq;}L z-RGS!9$~X5I`2C^bQyViWbe@x^Kp7rLPz48dx*PQl(cH{1@_@LHYHnOV3%p z?zH9Y)LRRh7%0f00jvVIQPGHfcGWyQQ&%>0n%;IkC}nZJ=EN}}z|5+OUwfn9y$bS2 zZ4O!rt9pG}P>5d;@ctH1^U(ImebT9cF(B=CJw9{#`qluD*5QkG_qeOw#5o>AO zIhs;fLu^;;*fhLBBB2TmW&|R+EsL)#j~LeAE}t0oG_fU$4}8E~RcYP0CMm449J0%* z%&Y^M5~mlRg$#r{hmMEutmz8&8N!pKn3Ws8$70V!#MS<3vkAHFxn4HJWdfE^)&P{v zY}oCE@rv{|!eI@jD`j7N-clJ!c|6Q8(?vb!ryrQ|H7pd~raPf{7B_lKUFS{aHxgM5 zB`f|S--4Lqz*Q3yQc_{pK1Uq*I|U0Dgi<4(tsAe{4kwf?Ww_rB4G!MaSp8&k_Hdpg zvI42bg&T1N)#&BVd^Z(7Jop!M2SqHsxmCQ#F+3!6Gw9~yw9vucEG~&iI15dzjm9GT znk=~)!Ujp}_LjXY^MerSC*vFmb}dD`M>Ftii~Ynqv-9da#+pLg=|46SNGF+y9 z!#R0FLZIEpYb<2wTo?E8H(XgwD;Cl*H7Ms8LovX){E8)87$~NHQWf5gMXm|ctryqp z1IwGhSK5w9n+_LGuyoQ4H1BI=5WR}1Ce^WL%DOV}dcrNm>PgR>r(N&j=gZ{$PIy+Z zF%G>e7d2kCG&3=V#6*E6-vTko=B9N=^;gMuaVS(Q07AC(O5jS+sy0iokuLOF>>M7) z0T!F1zBVah`O7$+zAWf59L#-23uHUYb+Jrjy;a%c?`r~s{g_VYP@6|nD5Go|+5t@K zdA!@a$muazNSv=~>*p!ej5G(>q(2^%3MgihK;Ln>NVLbjFN7Jtn8vVvyI6?s>O}G= z6JjQ)VXiap-UFp(5)zqdOuVA?UQm=|i{AT)>x+#v0?SZ}z zjgE-XcCO)kt6E&n(H}L!0ZJx6#W5WzAqf_c{mb|Oql15ZXJYKrA^IMNPhxuPYHJwT z${rca_y@bbkR8rGnNfI2sd^pXkx)xIOb>$Tk01oTTr?VcNC& z397CdiUYg1(2{)&0v_cW`9=NBhaO;r9LOrXHsY1$_s2S3Od$> zu|+yIPR=*9DGO4290yA#)_y3gyJ~1S?l`Gyc!|~a;q7Tf@tzrVCNWv_&XPTpo4y_mh)8rCqs4d8C$nC>?BVX`YoNqMaLFLIv)@{yXRsHQN z4ZlTu)R}ZQ;@uH<0E1Gw^`mRA0@+(uHRDpxJeZK}zEQ1;`(wd=84YguF3Zxg!Nf8f z(fYX9IW!_b%(IODRY_RTG57g3p)^_k zYlI9t-!|R3m=0d$BJOu2{!SBS}xmr0fD0djRe4 zbr{9apRg2I0bqYAwR$~nTn(cTK`B8M7f)~MqW|U#_D83Ub|m}%L{|XN$qnWo1XWF) zp6w*Zh7BE;#vxY3^B&T98Obu0Y2($J`M0zdu)qrdj)nTd1MDHpqowZXX;SJ#&qixY zuv0e`;~+p;ON1)9D&x7upbiYKkDZmx7q<`4x8=vjTc=-_Z)-Y{u7_iZlrV^tbs71U(?&#mt6RXmVT?T;umMB4KSYP)fQsKS;o! zFL*cScFCI7hym=&)rs%}t&9EZ0+4;eP3)*BkR9{vLsD?h`TzwgP1FI2srvcDf>z-K zmXLjS8Kd#1a7xka{WvcYvs%N?CV?T4^H*y9yg|AigxY`Zci0!~U@LBzcSGBrL^%M#f#9j0jfUzo46_4#iBfuqPFp}S{1|6 z;|@V$bim`^2QQM}3BJzf`{mR)+<|}ekM3G|CuiACldbU#VV_p~&k;M!Y@9szGV>vo zsB;6BFbEakC{>?qcRb{mYSNgL+i)TQ^9fG$t|DF_+iVpOHm-_PFBn*ujWd(q_ir%G zwa~5*jqznaDx9UftO`qr0Nx$be(eq0Zi%&c+Eo)Wrs?Oe_1N?5ktz9LD(}?*TDMhU zTJgT-yuc09%MJ$0FPFVKIn&2V!g07A?QJqoNpBa1U-brItP^KFfcb)xraiP}UuU`} z1BR%BgLbo@Y4i$>d9R=2y%*qP7pAxJBRDrB_XrDQF~}e#mZt)1+2xM{ zAnZTqYukV*YPfmS6Q^6xGU)J?#&eo!k@L7B;;Jf+>n9pZOI<_nW|&Pp5(cqLA`yzN z2fm;&pm~*Gyusb!rFDnhRnS4v#mPu(0CNSTn4C{Vy=_Xc%;~>yZd$RscW(B1`9=ao ztAW$zwwgwI=<#K4`Z9^_+6xMQ&S^KrM(!lc-f^GFsjtBlwF?hG*-Si<}1Jfu!qx9Mf6xmv=7nwE^?VPC6I12XC8G zlume<$(-))h5*Qx0ZG*r|oUCtjs**mR`w8eM zGwwo{8rihjW#xPxad~73VL5=u$=yYuzJKGH&8@JYQY&(-^5+?YSn`m$e14&aZ;_77 znN|mC{{=dlm)^Ktub2)e^Avtzr527nJE@&~H{*@O7a==ot3E?N!P7C!^R%yFC)kdZ z9_Zj`aq<20%q>h`f;GQIZ~QUNlQ^*Pw3lqruOF_!?tPH2-f0Acyt8ps$WCveoRjfZ zeUkF0fArR@clzRkdU6car~;m|(h^xyMY;1_k6e~KZa&}Ly~jeKQ$;4{#hGhZKUicF zn{jA}a&_Acn13hAeZ72={A1|T%^RZ(zVFIO!Zf-Po?RjbWGf|WMN)|Hf1pBr%!&nA zhoUt(Kq9mbZ1zfXoid2 z0-+)P=mlb90Y}DvoP73exXe`@Yf(eU7c$(l%1z(TkDqcfPG2!QF%aUvH3EpLVd1^IO^ORK=rJG zAO>7^NtXfDS_w{@6fHX)`{GmO2?@4s`ul30G3Hj(UK$fzkEfF zHJR}`wcXG2jSBoeY3EONZk05q9pZ!Znc9LqgrJ9SKn4QUz>qwH7CK{_Wy`9Qy|f{$ zioa3`A~8X`kCBc&|3q(WgDUm6F3@KHB@3w}k~E9>MxUAD%9JXXY(un}QOohY-h}>M z=7CHUBlSGo4T%K2K0o|Ltgr!1|*`6GVaM-%Al7=N^ML&eRQqdK>;hdXa zuoC^U|5b4*69@=zcJ zYbe7g&5t(LmnxC>$D&)o=|-H76%GrY($Rox)tm5)!v6H-MzUEZ*%(?yl_F8GmKUqS z$i_OV3f|AmgZ#&YS(FG{Crk~No_{U5yO#PA!&d0CqExIHyNOJZM57tf5k}dVtd6)@ zI`;n**#(g4<~SbbrcGJ~(~{5te+;5#IaAfSA1Er@_yYWIlmf#1n={W?tBs`c4YL)w z?XSQ3%s@vofsKDTv1=gj*dS38BhT-#jhOfp6S*BlH*95|umrD`T;=ok{7?-`W^f8P z2?)Kr<+x!iy);vS9ti;d>&auNyzHB%-@t&9jy_sEvN3`t&Fx1_+Zm65W%;*i6n~lY z?g1+D_4N;i_)EiIPbLF-!xpM_{F0i5?`r4eXDJ#aR;4%o1}l7d^V&7b!0nwn%D<82 zz=#tNW~TeJR%pNg1mK)Z)Bwd}N;ewEIP)w@X4L-IOK1l+Q@)#t;g>F^hgUX_z$wqD zjEX;>%HsgzMYwaG1}!S9l1RW{KoW>Xjd3+q?2=AT9#wp^i@sHW4v|h2S@*nK8WbjB z%@t%mFTSKIQMuRE5l~edr=G*UNljCfjxQ z#v&4r#g5d|8WK zJa_hNKh!a~x+tKTP_s9SoKOaNcM%A2=anmg4Z9t$jeI&;4JELySQuBSN-Hy$-W9Ls_D&zo2j zwB*iXHFfk>VxTz+I)_gS7AV?cYjd6s^}w9?aui4yDM zWdfwZ!({IzZj1bL-n_$>Ju%BnvRGx6dlT3jp^Lw2N21F)j{6^c=*QO`JfvWM>1q%2 zd!EVH=KO8qntP!r| z4q=wXV({6-Rp7}H4EDS$s|XUm_r-59`?5v=eOf*F7s=8i(-%n^gEPT@F#SUYAH{y% zV9ex8bYIL2F};JtsaQlB|Q^@n?X5cT~LIMs)r z0#mYjRfh3!RX%*ua#>j={G1gsm8$bwA9?lQ{@^s%p5xf2R~Ws0!SMJ_U!kJ`JDI-Q zFBqWL6?_)n32~CDDBoeJo$FWe(kx$Yl-Co9pA9?(dh)4*Q|7(wPK}Ni0x-xGji_8rIR;J9tJ5TdH-eJnP}bn+Vt_I#iKr6X8YSd z&o>`Yi@x@2$PmkL9FLJ9)czN8b@|U&UK5I7| z=L{J-&&RZ_5KaGyiW>2Vv%h5jF}bWhi>A&*iB6u2<;##FB{=_JVWD5b?T#q>^scBs z(+9^VDdX4_siRHh#!O+v6ou=HvL<^%BPPc;e`p(B*7djOt)4|ZLiSP3JZES@esrDL z57tzr2_5Rc?Iuv*vGuGt|yb!S} za36a(aS9F8d|g!J*!C~K9EynPws^wKPB%f@Vx)zzZ?>5qVZVg;03ZQ>krt;OFWUOFykJGCkl zI6AV)I)0IRbyXL2M?QO3f~SO8GILrN715qpJTX@}y+yW!P4{BQhbO9xu35AD$M>w7 z`v}S1~bWQt_Ke2Q3(0P}o{4O$ANI*QwqNM6pK7c#v2E*PfCdAFDQYYM#>8 zVucRNK)rldOqTr1vogq+H4{}aJdRi2zKKUZj6X)LH$U8d+<@EtilIzr?dZ_ubHHj$ zqd*BWo>G3T;9q0VKebZN)7&LvqZ}+Drl>OfKeL3i2bcfdUvOe#rktaMnVtuQXmz`f zjbnEy&cI;1d}ZH*X>`~nUq@T4R`91JScM~r_wr;+zeZS(cNpmGosL^E`odDl=vjx_ zwjoxW+JzTB2HNvKbr#p{wi-cBjxdqRKX*RM17h`uk&7JXVQLJYa))%fy6E!8&HCp- zIhXCeluNL&)vziR%gkE`^%km%-Vu1r&lSFVFgt4qQL!c#6X98*BC_T0xsx5e8mPql z(I{1|;iP7wf>~c}B+Vkw5_8JIR;HD*f~E)BivD!YT?mPnofg9Q#GPWT7Pg$z5{t?| z#t@I`9@ja>m{{f4jeMwU^(4<4zx3#*uC6RC%b`2yT%q*tV^ynXe)j9Sgl){z2*jS| z6wnnVn~eE7y8EKB3M`ouTMODE4PaW&KS7NzY<1ouAl8!!=LDazpco8oyREap7LaE*tcYjI$FVlJIo%p%zLB`mgt(M5Hju+Yc zMu37tZnJ3aKX(PV#xB20Au32(_rtsVi^-4FBB~GYrMCS z)S=K}MRWQ37Ddh*`ZW{(ry=}Z0;mJqlgfuGD!b#TEgcCK>84;)A>LqZ?sZWT6%0Iu zm6L_x%p7~&9*0Xq&s7G`-~;U!X~!eW#zUERlbOp)GS*fA%+LateluMDuG7a zgVI6puFQVkOCqGpnQ2#Qd_O>JP8)dkks_Y7(Twy)E$21JEI!WlPA!l-|05I!C^e9| zamE?oSbn?<#!l#hef_`ouKTZvdpdihl z9>u8K(T@bBHx1y?1m(m4QcMU&K?I~pLV`gtBoI(Blpx=Ur(XOYzRxfF`Ru$?c6VlX zXWsXDrlCGRr#oIhH>|ht`aNb0+H+TPv2{vf=gPbbgX=lo75O?}EG-9esGw_QzPhiT zi>^(oZ^Ivpko#%a#Ngfq#K| zx1FMMdU|dvPe-Y_%ZppS|{o{RqmoG*hdzE($@(ILYNA^9=f=VZd zEc$yV045RaqRNx-0kW8vyJR~0q{0n19AA;!p$bjRg>1eiz?+BTCa8y`XrP2z8uUyiMy$Y$??Nh{41 zS(go(oqKEY;GB=Me@@H5s5u3Bit_RZS<{@C%vktEd#XGEC9;ch5yY1rf@fOjG2D~) z=1!tf&R?+pzdljGH4;A+J!DE%@hB}Enih#GPu6VyhCvytY_Ne?`R?~5X+cu z7CXyvnn+-p=Z6}m62oR8dSj5=o&%0^v+SVvHkkU=*jljCoW}EbX3_ifT+aX3vfjnLqC+Y=%3~ zhC`e;qjEx_Aq`clfoxZ`tVuj3RWAWJDIn*hizeXev?-A@h1$+eX36vz&-VIb8c>3I zIlTwDacOZX<~<#&&1ag#E_jh`-Z+bqO|OlR7Ndgd&o1)|lot6^r%f%Eju^!~m*6Q< zt%hB=u%5-KX0fZgYu)HdDa3X)e>J${rB*K!M$Cj^(->==M~jp)W=9RhV5!0!b(2X^ zBfPX`k5Nq4a6#Fo4zfQ-o$9%gMi)K(7!tmCUwXWt_WmBzjFzI*1Bj7|(kS=|Z>`D# z()P$ixlgs*z@HDOmLrrN;UVBr ze$e=>pPbeKbAITc@Nk@Oy@gQ=S1r3Ti@dwiicpEU|7ZpCa zBG(sY3Qft=7V}f?WcT8-v!+tBMvLi=!-?fgo-zyX>EYBy zDHhl5)Hu@2x(@`Ls%%}JV(&y5vY^u*vF))m^QN}9YrL6Eu1m}0ry@enG%Yw?{Crm| zYJ8ThTFz=32>ylIvys@aMIMcQ4d)mf-9SOU*p;Ja=(+N9Y_Ms>(gru)?s$Z56)^c~)Kbk5_l(R3s(}dS!{$B&iMU*uNcSXQ!-~dr~OsOML$G6hM&OUAM9pTV7Zftwg&TJ;ieFUh-;@Q&;S? z+M_`ve3_h|&S~W$_E7Id9;XkxNcwRu0n)`?;74xd zAAUymr}M&exRvwI^nX&3R0Fz~|Kcz~I?yr+lEu8Pc(eBSwz}i-5-#E*bE<{7r~9DY z{1dGDlV^IL<~`SOa%vjjd+1^f@*D6LGFSfmvdS%C5_|OJ9a5NPS^i{#$0r#llJaJ)3*I z&dO@j3xLT8Zjo}buJv7*$@?+8bVZ?>pDOS&jb2U z*!9A`V$JaNLUs=iM7Y?jw>#W)Gl%326dblHV%D2W2LrK6IRpgbiyG7G)W+%1Dpb%Z6o*Yc7v?j zcF2mV@d!9Wu1g3u1N?@VJkZ{>Bt^lLRHZCGH@-6rg|&s)babR9okv-DM;*yC-yFtY zSpy5^1RVj9@Eh2f1;+?*ztgITOk0AvorD%Drmk#lxi|hZld1*WVe!>^&4=OHYCjP^IkakgrMf$$$j5<&cg5PWq6zx@9pp++!A62b$)x_}VCnEHPK z;2u1AgJTQd7&UOtHb8ZqVEX$V?Hz)!WOXlu&{!7{8N(J>v-d`CX@W6SzncOgb0RQ4 zL(~tLF2Kuv(Ifbpc>XZZ;&JXOl?M!EA^R5_DaaSm*~sTtet05`5)dm3#DjQ%y$wX~ zg))e20Ln2RfJX}GYq-9d(y-@g3#FE5VsVU=M&;r^#{5)+E#rif0DY8U&%?tBQ|0}U z;YR?CTnHP$LT0>a)too=$F6e|^qj{ak`fFO*9(@eoj`<~v{Pe;N| zh!ZBvM{895i9_w7!@}>ry7l1-`(0dlt6Ta+y8{qbFrl_44E~8@BvmfwOb(DDS$_TH zmD`~)UkLVJjn0!u$hmE<(T3qA4KfeEK2%ZGgun`zweSp6u+bOVuBz)t}E8QQWeAuyH7m=zZa7?%2Px>>PGj&xFX{ zZs|Ih_DJ{&?kfULPH@dRtamEcwA7^y`;idu8XcxCWYb={QM*GnxTa9cRGrRRL=4{5 jw1A8f{t~WBtr~JtM8C$dXd*f@QjiyE<78cH<%{_rhd6zX literal 0 HcmV?d00001 From 988bf3487d4c47b16f9d95d42d85b6158ed4f1a9 Mon Sep 17 00:00:00 2001 From: johannesh Date: Tue, 28 Jul 2020 13:46:43 +0200 Subject: [PATCH 09/30] Improve wording --- doc/README.md | 2 +- doc/expansion/recordedfuture.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/README.md b/doc/README.md index 77c1e82..5e15147 100644 --- a/doc/README.md +++ b/doc/README.md @@ -970,7 +970,7 @@ Module to check an IPv4 address against known RBLs. Module to enrich attributes with threat intelligence from Recorded Future. - **features**: ->Enrich an attribute to add a custom enrichment object to the event. The object contains a copy of the enriched attribute with added tags presenting risk score and triggered risk rules from Recorded Future. Malware and Threat Actors related to the enriched indicator in Recorded Future will be matched against MISP's galaxy clusters and applied as galaxy tags. The custom enrichment object will also include a list of related indicators from Recorded Future (IP's, domains, hashes, URL's and vulnerabilities) added as additional attributes. +>Enrich an attribute to add a custom enrichment object to the event. The object contains a copy of the enriched attribute with added tags presenting risk score and triggered risk rules from Recorded Future. Malware and Threat Actors related to the enriched indicator in Recorded Future is matched against MISP's galaxy clusters and applied as galaxy tags. The custom enrichment object also includes a list of related indicators from Recorded Future (IP's, domains, hashes, URL's and vulnerabilities) added as additional attributes. - **input**: >A MISP attribute of one of the following types: ip, ip-src, ip-dst, domain, hostname, md5, sha1, sha256, uri, url, vulnerability, weakness. - **output**: diff --git a/doc/expansion/recordedfuture.json b/doc/expansion/recordedfuture.json index bbeea07..2fec7eb 100644 --- a/doc/expansion/recordedfuture.json +++ b/doc/expansion/recordedfuture.json @@ -5,5 +5,5 @@ "input": "A MISP attribute of one of the following types: ip, ip-src, ip-dst, domain, hostname, md5, sha1, sha256, uri, url, vulnerability, weakness.", "output": "A MISP object containing a copy of the enriched attribute with added tags from Recorded Future and a list of new attributes related to the enriched attribute.", "references": ["https://www.recordedfuture.com/"], - "features": "Enrich an attribute to add a custom enrichment object to the event. The object contains a copy of the enriched attribute with added tags presenting risk score and triggered risk rules from Recorded Future. Malware and Threat Actors related to the enriched indicator in Recorded Future will be matched against MISP's galaxy clusters and applied as galaxy tags. The custom enrichment object will also include a list of related indicators from Recorded Future (IP's, domains, hashes, URL's and vulnerabilities) added as additional attributes." + "features": "Enrich an attribute to add a custom enrichment object to the event. The object contains a copy of the enriched attribute with added tags presenting risk score and triggered risk rules from Recorded Future. Malware and Threat Actors related to the enriched indicator in Recorded Future is matched against MISP's galaxy clusters and applied as galaxy tags. The custom enrichment object also includes a list of related indicators from Recorded Future (IP's, domains, hashes, URL's and vulnerabilities) added as additional attributes." } From d2661c7a2017f669baf98cfaee5f4b9a7a18bf66 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Tue, 28 Jul 2020 15:06:25 +0200 Subject: [PATCH 10/30] fix: Fixed pep8 + some copy paste issues introduced with the latest commits --- misp_modules/modules/expansion/__init__.py | 1 + misp_modules/modules/expansion/cve_advanced.py | 1 + misp_modules/modules/expansion/cytomic_orion.py | 1 + misp_modules/modules/expansion/ransomcoindb.py | 2 +- misp_modules/modules/expansion/sophoslabs_intelix.py | 8 ++++---- 5 files changed, 8 insertions(+), 5 deletions(-) diff --git a/misp_modules/modules/expansion/__init__.py b/misp_modules/modules/expansion/__init__.py index af895e3..1b6d2bb 100644 --- a/misp_modules/modules/expansion/__init__.py +++ b/misp_modules/modules/expansion/__init__.py @@ -26,5 +26,6 @@ minimum_required_fields = ('type', 'uuid', 'value') checking_error = 'containing at least a "type" field and a "value" field' standard_error_message = 'This module requires an "attribute" field as input' + def check_input_attribute(attribute, requirements=minimum_required_fields): return all(feature in attribute for feature in requirements) diff --git a/misp_modules/modules/expansion/cve_advanced.py b/misp_modules/modules/expansion/cve_advanced.py index bd2d277..cd36655 100644 --- a/misp_modules/modules/expansion/cve_advanced.py +++ b/misp_modules/modules/expansion/cve_advanced.py @@ -111,6 +111,7 @@ def handler(q=False): request = json.loads(q) if not request.get('attribute') or not check_input_attribute(request['attribute']): return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + attribute = request['attribute'] if attribute.get('type') != 'vulnerability': misperrors['error'] = 'Vulnerability id missing.' return misperrors diff --git a/misp_modules/modules/expansion/cytomic_orion.py b/misp_modules/modules/expansion/cytomic_orion.py index b730135..c13b254 100755 --- a/misp_modules/modules/expansion/cytomic_orion.py +++ b/misp_modules/modules/expansion/cytomic_orion.py @@ -149,6 +149,7 @@ def handler(q=False): if not request.get('attribute') or not check_input_attribute(request['attribute']): return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + attribute = request['attribute'] if not any(input_type == attribute['type'] for input_type in mispattributes['input']): return {'error': 'Unsupported attribute type.'} diff --git a/misp_modules/modules/expansion/ransomcoindb.py b/misp_modules/modules/expansion/ransomcoindb.py index d9a1712..0e05855 100644 --- a/misp_modules/modules/expansion/ransomcoindb.py +++ b/misp_modules/modules/expansion/ransomcoindb.py @@ -29,7 +29,7 @@ def handler(q=False): q = json.loads(q) if "config" not in q or "api-key" not in q["config"]: return {"error": "Ransomcoindb API key is missing"} - if not q.get('attribute') or not check_input_attribute(attribute, requirements=('type', 'value')): + if not q.get('attribute') or not check_input_attribute(q['attribute'], requirements=('type', 'value')): return {'error': f'{standard_error_message}, {checking_error}.'} if q['attribute']['type'] not in mispattributes['input']: return {'error': 'Unsupported attribute type.'} diff --git a/misp_modules/modules/expansion/sophoslabs_intelix.py b/misp_modules/modules/expansion/sophoslabs_intelix.py index 38d4293..254437b 100644 --- a/misp_modules/modules/expansion/sophoslabs_intelix.py +++ b/misp_modules/modules/expansion/sophoslabs_intelix.py @@ -1,8 +1,8 @@ -from. import check_input_attribute, checking_error, standard_error_message -from pymisp import MISPEvent, MISPObject import json import requests import base64 +from. import check_input_attribute, checking_error, standard_error_message +from pymisp import MISPEvent, MISPObject from urllib.parse import quote moduleinfo = {'version': '1.0', @@ -107,9 +107,9 @@ def handler(q=False): It's free to sign up here https://aws.amazon.com/marketplace/pp/B07SLZPMCS." return misperrors to_check = (('type', 'value'), ('type', 'value1')) - if not request.get('attribute') or not any(check_input_attribute(request['attribute'], requirements=check) for check in to_check): + if not j.get('attribute') or not any(check_input_attribute(j['attribute'], requirements=check) for check in to_check): return {'error': f'{standard_error_message}, {checking_error}.'} - attribute = request['attribute'] + attribute = j['attribute'] if attribute['type'] not in misp_types_in: return {'error': 'Unsupported attribute type.'} client = SophosLabsApi(j['config']['client_id'], j['config']['client_secret']) From f1dac0c8dfb5aff60611d3dbd439b67feaa1a03e Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Tue, 28 Jul 2020 15:23:24 +0200 Subject: [PATCH 11/30] fix: Fixed pep8 --- misp_modules/modules/expansion/lastline_query.py | 2 +- misp_modules/modules/expansion/sophoslabs_intelix.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/misp_modules/modules/expansion/lastline_query.py b/misp_modules/modules/expansion/lastline_query.py index dcabda5..dbfdf14 100644 --- a/misp_modules/modules/expansion/lastline_query.py +++ b/misp_modules/modules/expansion/lastline_query.py @@ -52,7 +52,7 @@ def handler(q=False): try: config = request["config"] auth_data = lastline_api.LastlineAbstractClient.get_login_params_from_dict(config) - if not request.get('attribute') or not request['attribute'].get('value'): + if not request.get('attribute') or not check_input_attribute(request['attribute'], requirements=('type', 'value')): return {'error': f'{standard_error_message}, {checking_error} that is the link to a Lastline analysis.'} analysis_link = request['attribute']['value'] # The API url changes based on the analysis link host name diff --git a/misp_modules/modules/expansion/sophoslabs_intelix.py b/misp_modules/modules/expansion/sophoslabs_intelix.py index 254437b..4d7c413 100644 --- a/misp_modules/modules/expansion/sophoslabs_intelix.py +++ b/misp_modules/modules/expansion/sophoslabs_intelix.py @@ -1,7 +1,7 @@ import json import requests import base64 -from. import check_input_attribute, checking_error, standard_error_message +from . import check_input_attribute, checking_error, standard_error_message from pymisp import MISPEvent, MISPObject from urllib.parse import quote From 0b869750d75dd170c502fca089ee989cf3a4f14c Mon Sep 17 00:00:00 2001 From: Jesse Hedden Date: Wed, 29 Jul 2020 09:35:08 -0700 Subject: [PATCH 12/30] added description to readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index db199a0..17d6f2b 100644 --- a/README.md +++ b/README.md @@ -78,6 +78,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj * [STIX2 pattern syntax validator](misp_modules/modules/expansion/stix2_pattern_syntax_validator.py) - a module to check a STIX2 pattern syntax. * [ThreatCrowd](misp_modules/modules/expansion/threatcrowd.py) - an expansion module for [ThreatCrowd](https://www.threatcrowd.org/). * [threatminer](misp_modules/modules/expansion/threatminer.py) - an expansion module to expand from [ThreatMiner](https://www.threatminer.org/). +* [TruSTAR Enrich](misp_modules/modules/expansion/trustar_enrich.py) - an expansion module to enrich MISP data with [TruSTAR](https://www.trustar.co/). * [urlhaus](misp_modules/modules/expansion/urlhaus.py) - Query urlhaus to get additional data about a domain, hash, hostname, ip or url. * [urlscan](misp_modules/modules/expansion/urlscan.py) - an expansion module to query [urlscan.io](https://urlscan.io). * [virustotal](misp_modules/modules/expansion/virustotal.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a high request rate limit required. (More details about the API: [here](https://developers.virustotal.com/reference)) From ee21a88127abc91332abfff10dabd04c1afca422 Mon Sep 17 00:00:00 2001 From: Jesse Hedden Date: Thu, 6 Aug 2020 21:59:13 -0700 Subject: [PATCH 13/30] updating to include metadata and alter type of trustar link generated --- .../modules/expansion/trustar_enrich.py | 70 +++++++++++++------ 1 file changed, 48 insertions(+), 22 deletions(-) diff --git a/misp_modules/modules/expansion/trustar_enrich.py b/misp_modules/modules/expansion/trustar_enrich.py index 48b4895..f4df990 100644 --- a/misp_modules/modules/expansion/trustar_enrich.py +++ b/misp_modules/modules/expansion/trustar_enrich.py @@ -1,7 +1,10 @@ import json import pymisp +from base64 import b64encode +from collections import OrderedDict from pymisp import MISPAttribute, MISPEvent, MISPObject from trustar import TruStar +from urllib.parse import quote misperrors = {'error': "Error"} mispattributes = { @@ -33,9 +36,12 @@ class TruSTARParser: 'SHA256': "sha256" } + SUMMARY_FIELDS = ["source", "score", "attributes"] + METADATA_FIELDS = ["sightings", "first_seen", "last_seen", "tags"] + REPORT_BASE_URL = "https://station.trustar.co/constellation/reports/{}" - CLIENT_METATAG = "MISP-{}".format(pymisp.__version__) + CLIENT_METATAG = f"MISP-{pymisp.__version__}" def __init__(self, attribute, config): config['enclave_ids'] = config.get('enclave_ids', "").strip().split(',') @@ -55,20 +61,36 @@ class TruSTARParser: results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])} return {'results': results} - def generate_trustar_links(self, entity_value): + def generate_trustar_link(self, entity_type, entity_value): """ - Generates links to TruSTAR reports if they exist. + Generates link to TruSTAR report of entity. :param entity_value: Value of entity. """ - report_links = list() - trustar_reports = self.ts_client.search_reports(entity_value) - for report in trustar_reports: - report_links.append(self.REPORT_BASE_URL.format(report.id)) + report_id = b64encode(quote(f"{entity_type}|{entity_value}").encode()).decode() - return report_links + return self.REPORT_BASE_URL.format(report_id) - def parse_indicator_summary(self, summaries): + def generate_enrichment_report(self, summary, metadata): + """ + Extracts desired fields from summary and metadata reports and + generates an enrichment report. + + :param summary: Indicator summary report. + :param metadata: Indicator metadata report. + :return: Enrichment report. + """ + enrichment_report = OrderedDict() + + for field in self.SUMMARY_FIELDS: + enrichment_report[field] = summary.get(field) + + for field in self.METADATA_FIELDS: + enrichment_report[field] = metadata.get(field) + + return enrichment_report + + def parse_indicator_summary(self, summaries, metadata): """ Converts a response from the TruSTAR /1.3/indicators/summaries endpoint a MISP trustar_report object and adds the summary data and links as attributes. @@ -78,18 +100,21 @@ class TruSTARParser: """ for summary in summaries: - trustar_obj = MISPObject('trustar_report') - indicator_type = summary.indicator_type - indicator_value = summary.value - if summary_type in self.ENTITY_TYPE_MAPPINGS: - trustar_obj.add_attribute(indicator_type, attribute_type=self.ENTITY_TYPE_MAPPINGS[indicator_type], - value=indicator_value) - trustar_obj.add_attribute("INDICATOR_SUMMARY", attribute_type="text", - value=json.dumps(summary.to_dict(), sort_keys=True, indent=4)) - report_links = self.generate_trustar_links(indicator_value) - for link in report_links: - trustar_obj.add_attribute("REPORT_LINK", attribute_type="link", value=link) - self.misp_event.add_object(**trustar_obj) + if summary.indicator_type in self.ENTITY_TYPE_MAPPINGS: + indicator_type = summary.indicator_type + indicator_value = summary.indicator_value + try: + enrichment_report = self.generate_enrichment_report(summary.to_dict(), metadata.to_dict()) + trustar_obj = MISPObject('trustar_report') + trustar_obj.add_attribute(indicator_type, attribute_type=self.ENTITY_TYPE_MAPPINGS[indicator_type], + value=indicator_value) + trustar_obj.add_attribute("INDICATOR_SUMMARY", attribute_type="text", + value=json.dumps(enrichment_report, indent=4)) + report_link = self.generate_trustar_link(indicator_type, indicator_value) + trustar_obj.add_attribute("REPORT_LINK", attribute_type="link", value=report_link) + self.misp_event.add_object(**trustar_obj) + except Exception as e: + misperrors['error'] = f"Error enriching data with TruSTAR -- {e}" def handler(q=False): @@ -114,10 +139,11 @@ def handler(q=False): trustar_parser = TruSTARParser(attribute, config) try: + metadata = trustar_parser.ts_client.get_indicators_metadata([attribute['value']]) summaries = list( trustar_parser.ts_client.get_indicator_summaries([attribute['value']], page_size=MAX_PAGE_SIZE)) except Exception as e: - misperrors['error'] = "Unable to retrieve TruSTAR summary data: {}".format(e) + misperrors['error'] = f"Unable to retrieve TruSTAR summary data: {e}" return misperrors trustar_parser.parse_indicator_summary(summaries) From 85d319e85e1e53349685b3124aa13b020891b382 Mon Sep 17 00:00:00 2001 From: johannesh Date: Fri, 7 Aug 2020 10:36:40 +0200 Subject: [PATCH 14/30] Fix typo error introduced in commit: 3b7a5c4dc2541f3b07baee69a7e8b9694a1627fc --- misp_modules/modules/expansion/recordedfuture.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp_modules/modules/expansion/recordedfuture.py b/misp_modules/modules/expansion/recordedfuture.py index 2f71dbb..8fdff09 100644 --- a/misp_modules/modules/expansion/recordedfuture.py +++ b/misp_modules/modules/expansion/recordedfuture.py @@ -258,7 +258,7 @@ def handler(q=False): else: misperrors['error'] = 'Missing Recorded Future token.' return misperrors - if not request.get('attribute') or not check_input_attribute(request['atttribute'], requirements=('type', 'value')): + if not request.get('attribute') or not check_input_attribute(request['attribute'], requirements=('type', 'value')): return {'error': f'{standard_error_message}, {checking_error}.'} if request['attribute']['type'] not in mispattributes['input']: return {'error': 'Unsupported attribute type.'} From 2d464adfd635d89c9b9db402a17aece813a503ab Mon Sep 17 00:00:00 2001 From: Jesse Hedden Date: Sun, 9 Aug 2020 20:29:37 -0700 Subject: [PATCH 15/30] added error checking --- .../modules/expansion/trustar_enrich.py | 123 ++++++++++++------ 1 file changed, 86 insertions(+), 37 deletions(-) diff --git a/misp_modules/modules/expansion/trustar_enrich.py b/misp_modules/modules/expansion/trustar_enrich.py index f4df990..81238ad 100644 --- a/misp_modules/modules/expansion/trustar_enrich.py +++ b/misp_modules/modules/expansion/trustar_enrich.py @@ -3,7 +3,7 @@ import pymisp from base64 import b64encode from collections import OrderedDict from pymisp import MISPAttribute, MISPEvent, MISPObject -from trustar import TruStar +from trustar import TruStar, Indicator from urllib.parse import quote misperrors = {'error': "Error"} @@ -36,7 +36,7 @@ class TruSTARParser: 'SHA256': "sha256" } - SUMMARY_FIELDS = ["source", "score", "attributes"] + SUMMARY_FIELDS = ["severityLevel", "source", "score", "attributes"] METADATA_FIELDS = ["sightings", "first_seen", "last_seen", "tags"] REPORT_BASE_URL = "https://station.trustar.co/constellation/reports/{}" @@ -57,64 +57,104 @@ class TruSTARParser: """ Returns the MISP Event enriched with TruSTAR indicator summary data. """ - event = json.loads(self.misp_event.to_json()) - results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])} - return {'results': results} + try: + event = json.loads(self.misp_event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])} + return {'results': results} + except Exception as e: + misperrors['error'] += f" -- Encountered issue serializing enrichment data -- {e}" + return misperrors def generate_trustar_link(self, entity_type, entity_value): """ Generates link to TruSTAR report of entity. + :param entity_type: Type of entity. :param entity_value: Value of entity. + :return: Link to indicator report in TruSTAR platform. """ report_id = b64encode(quote(f"{entity_type}|{entity_value}").encode()).decode() return self.REPORT_BASE_URL.format(report_id) + @staticmethod + def extract_tags(enrichment_report): + """ + Extracts tags from the enrichment report in order to add them + to the TruSTAR MISP Object. Removes tags from report to avoid + redundancy. + + :param: Enrichment data. + """ + if enrichment_report and enrichment_report.get('tags'): + return [tag.get('name') for tag in enrichment_report.pop('tags')] + return None + def generate_enrichment_report(self, summary, metadata): """ Extracts desired fields from summary and metadata reports and generates an enrichment report. - :param summary: Indicator summary report. - :param metadata: Indicator metadata report. + :param summary: Indicator summary report. + :param metadata: Indicator metadata report. :return: Enrichment report. """ enrichment_report = OrderedDict() - for field in self.SUMMARY_FIELDS: - enrichment_report[field] = summary.get(field) + if summary: + summary_dict = summary.to_dict() + enrichment_report.update( + {field: summary_dict[field] for field in self.SUMMARY_FIELDS if summary_dict.get(field)}) - for field in self.METADATA_FIELDS: - enrichment_report[field] = metadata.get(field) + if metadata: + metadata_dict = metadata.to_dict() + enrichment_report.update( + {field: metadata_dict[field] for field in self.METADATA_FIELDS if metadata_dict.get(field)}) return enrichment_report - def parse_indicator_summary(self, summaries, metadata): + def parse_indicator_summary(self, indicator, summary, metadata): """ - Converts a response from the TruSTAR /1.3/indicators/summaries endpoint - a MISP trustar_report object and adds the summary data and links as attributes. + Pulls enrichment data from the TruSTAR /indicators/summaries and /indicators/metadata endpoints + and creates a MISP trustar_report. - :param summaries: A TruSTAR Python SDK Page.generator object for generating - indicator summaries pages. + :param indicator: Value of the attribute + :summary: Indicator summary response object. + :metadata: Indicator response object. """ - for summary in summaries: - if summary.indicator_type in self.ENTITY_TYPE_MAPPINGS: - indicator_type = summary.indicator_type - indicator_value = summary.indicator_value - try: - enrichment_report = self.generate_enrichment_report(summary.to_dict(), metadata.to_dict()) - trustar_obj = MISPObject('trustar_report') - trustar_obj.add_attribute(indicator_type, attribute_type=self.ENTITY_TYPE_MAPPINGS[indicator_type], - value=indicator_value) - trustar_obj.add_attribute("INDICATOR_SUMMARY", attribute_type="text", - value=json.dumps(enrichment_report, indent=4)) - report_link = self.generate_trustar_link(indicator_type, indicator_value) - trustar_obj.add_attribute("REPORT_LINK", attribute_type="link", value=report_link) - self.misp_event.add_object(**trustar_obj) - except Exception as e: - misperrors['error'] = f"Error enriching data with TruSTAR -- {e}" + # Verify that the indicator type is supported by TruSTAR + if summary and summary.indicator_type in self.ENTITY_TYPE_MAPPINGS: + indicator_type = summary.indicator_type + elif metadata and metadata.type in self.ENTITY_TYPE_MAPPINGS: + indicator_type = metadata.type + else: + misperrors['error'] += " -- Attribute not found or not supported" + raise Exception + + try: + # Extract most relevant fields from indicator summary and metadata responses + enrichment_report = self.generate_enrichment_report(summary, metadata) + tags = self.extract_tags(enrichment_report) + + if enrichment_report: + trustar_obj = MISPObject('trustar_report') + trustar_obj.add_attribute(indicator_type, attribute_type=self.ENTITY_TYPE_MAPPINGS[indicator_type], + value=indicator) + trustar_obj.add_attribute("INDICATOR_SUMMARY", attribute_type="text", + value=json.dumps(enrichment_report, indent=4)) + report_link = self.generate_trustar_link(indicator_type, indicator) + trustar_obj.add_attribute("REPORT_LINK", attribute_type="link", value=report_link) + self.misp_event.add_object(**trustar_obj) + elif not tags: + raise Exception("No relevant data found") + + if tags: + for tag in tags: + self.misp_event.add_attribute_tag(tag, indicator) + except Exception as e: + misperrors['error'] += f" -- Error enriching attribute {indicator} -- {e}" + raise e def handler(q=False): @@ -139,14 +179,23 @@ def handler(q=False): trustar_parser = TruSTARParser(attribute, config) try: - metadata = trustar_parser.ts_client.get_indicators_metadata([attribute['value']]) - summaries = list( - trustar_parser.ts_client.get_indicator_summaries([attribute['value']], page_size=MAX_PAGE_SIZE)) + metadata = trustar_parser.ts_client.get_indicators_metadata([Indicator(value=attribute['value'])])[0] except Exception as e: - misperrors['error'] = f"Unable to retrieve TruSTAR summary data: {e}" + metadata = None + misperrors['error'] += f" -- Could not retrieve indicator metadata from TruSTAR {e}" + + try: + summary = list( + trustar_parser.ts_client.get_indicator_summaries([attribute['value']], page_size=MAX_PAGE_SIZE))[0] + except Exception as e: + summary = None + misperrors['error'] += f" -- Unable to retrieve TruSTAR summary data: {e}" + + try: + trustar_parser.parse_indicator_summary(attribute['value'], summary, metadata) + except Exception: return misperrors - trustar_parser.parse_indicator_summary(summaries) return trustar_parser.get_results() From 0b576faa68c1067af8a520085c37798bba146361 Mon Sep 17 00:00:00 2001 From: Jesse Hedden Date: Sun, 9 Aug 2020 20:36:47 -0700 Subject: [PATCH 16/30] added comments --- misp_modules/modules/expansion/trustar_enrich.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/misp_modules/modules/expansion/trustar_enrich.py b/misp_modules/modules/expansion/trustar_enrich.py index 81238ad..6e615db 100644 --- a/misp_modules/modules/expansion/trustar_enrich.py +++ b/misp_modules/modules/expansion/trustar_enrich.py @@ -99,6 +99,7 @@ class TruSTARParser: :param metadata: Indicator metadata report. :return: Enrichment report. """ + # Preserve order of fields as they exist in SUMMARY_FIELDS and METADATA_FIELDS enrichment_report = OrderedDict() if summary: @@ -147,11 +148,13 @@ class TruSTARParser: trustar_obj.add_attribute("REPORT_LINK", attribute_type="link", value=report_link) self.misp_event.add_object(**trustar_obj) elif not tags: + # If enrichment report is empty and there are no tags, nothing to add to attribute raise Exception("No relevant data found") if tags: for tag in tags: self.misp_event.add_attribute_tag(tag, indicator) + except Exception as e: misperrors['error'] += f" -- Error enriching attribute {indicator} -- {e}" raise e @@ -177,18 +180,18 @@ def handler(q=False): attribute = request['attribute'] trustar_parser = TruSTARParser(attribute, config) + metadata = None + summary = None try: metadata = trustar_parser.ts_client.get_indicators_metadata([Indicator(value=attribute['value'])])[0] except Exception as e: - metadata = None misperrors['error'] += f" -- Could not retrieve indicator metadata from TruSTAR {e}" try: summary = list( trustar_parser.ts_client.get_indicator_summaries([attribute['value']], page_size=MAX_PAGE_SIZE))[0] except Exception as e: - summary = None misperrors['error'] += f" -- Unable to retrieve TruSTAR summary data: {e}" try: From 91417d390b85f141b6ae337f7050833b1d846208 Mon Sep 17 00:00:00 2001 From: Jesse Hedden Date: Sun, 9 Aug 2020 20:41:52 -0700 Subject: [PATCH 17/30] added comments --- misp_modules/modules/expansion/trustar_enrich.py | 1 + 1 file changed, 1 insertion(+) diff --git a/misp_modules/modules/expansion/trustar_enrich.py b/misp_modules/modules/expansion/trustar_enrich.py index 6e615db..7b6ff3c 100644 --- a/misp_modules/modules/expansion/trustar_enrich.py +++ b/misp_modules/modules/expansion/trustar_enrich.py @@ -85,6 +85,7 @@ class TruSTARParser: redundancy. :param: Enrichment data. + :return: List of tags. """ if enrichment_report and enrichment_report.get('tags'): return [tag.get('name') for tag in enrichment_report.pop('tags')] From a3c01fa318b8b1a008e302885ff9161731349589 Mon Sep 17 00:00:00 2001 From: Jesse Hedden Date: Mon, 10 Aug 2020 07:53:24 -0700 Subject: [PATCH 18/30] added comments --- misp_modules/modules/expansion/trustar_enrich.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/misp_modules/modules/expansion/trustar_enrich.py b/misp_modules/modules/expansion/trustar_enrich.py index 7b6ff3c..33dd814 100644 --- a/misp_modules/modules/expansion/trustar_enrich.py +++ b/misp_modules/modules/expansion/trustar_enrich.py @@ -36,6 +36,7 @@ class TruSTARParser: 'SHA256': "sha256" } + # Relevant fields from each TruSTAR endpoint SUMMARY_FIELDS = ["severityLevel", "source", "score", "attributes"] METADATA_FIELDS = ["sightings", "first_seen", "last_seen", "tags"] @@ -140,13 +141,16 @@ class TruSTARParser: tags = self.extract_tags(enrichment_report) if enrichment_report: + # Create MISP trustar_report object and populate it with enrichment data trustar_obj = MISPObject('trustar_report') trustar_obj.add_attribute(indicator_type, attribute_type=self.ENTITY_TYPE_MAPPINGS[indicator_type], value=indicator) trustar_obj.add_attribute("INDICATOR_SUMMARY", attribute_type="text", value=json.dumps(enrichment_report, indent=4)) + report_link = self.generate_trustar_link(indicator_type, indicator) trustar_obj.add_attribute("REPORT_LINK", attribute_type="link", value=report_link) + self.misp_event.add_object(**trustar_obj) elif not tags: # If enrichment report is empty and there are no tags, nothing to add to attribute From bd7f7fa1f3340921a7c451d25e640950f3de9a9d Mon Sep 17 00:00:00 2001 From: Jakub Onderka Date: Mon, 17 Aug 2020 17:34:21 +0200 Subject: [PATCH 19/30] fix: [virustotal] Resolve key error when user enrich hostname --- misp_modules/modules/expansion/virustotal.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp_modules/modules/expansion/virustotal.py b/misp_modules/modules/expansion/virustotal.py index b09de81..1e2c6c5 100644 --- a/misp_modules/modules/expansion/virustotal.py +++ b/misp_modules/modules/expansion/virustotal.py @@ -143,7 +143,7 @@ class VirusTotalParser(object): def parse_resolutions(self, resolutions, subdomains=None, uuids=None): domain_ip_object = MISPObject('domain-ip') - if self.attribute.type == 'domain': + if self.attribute.type in ('domain', 'hostname'): domain_ip_object.add_attribute('domain', type='domain', value=self.attribute.value) attribute_type, relation, key = ('ip-dst', 'ip', 'ip_address') else: From b5d7c9c7a3f7b56378569747fb84dd3f91e8e6f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Andr=C3=A9?= Date: Mon, 24 Aug 2020 10:11:08 +0200 Subject: [PATCH 20/30] Disable correlation for detection-ratio in virustotal.py --- misp_modules/modules/expansion/virustotal.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp_modules/modules/expansion/virustotal.py b/misp_modules/modules/expansion/virustotal.py index 12f7552..6d3b52d 100644 --- a/misp_modules/modules/expansion/virustotal.py +++ b/misp_modules/modules/expansion/virustotal.py @@ -175,7 +175,7 @@ class VirusTotalParser(object): vt_object = MISPObject('virustotal-report') vt_object.add_attribute('permalink', type='link', value=query_result['permalink']) detection_ratio = '{}/{}'.format(query_result['positives'], query_result['total']) - vt_object.add_attribute('detection-ratio', type='text', value=detection_ratio) + vt_object.add_attribute('detection-ratio', type='text', value=detection_ratio, disable_correlation=True) self.misp_event.add_object(**vt_object) return vt_object.uuid From 8087c9a6a1eb10eba9f4da112f24f83b21b5d8a0 Mon Sep 17 00:00:00 2001 From: johannesh Date: Mon, 24 Aug 2020 11:19:15 +0200 Subject: [PATCH 21/30] Add proxy support and User-Agent header --- .../modules/expansion/recordedfuture.py | 261 +++++++++++++----- 1 file changed, 186 insertions(+), 75 deletions(-) diff --git a/misp_modules/modules/expansion/recordedfuture.py b/misp_modules/modules/expansion/recordedfuture.py index 8fdff09..537e997 100644 --- a/misp_modules/modules/expansion/recordedfuture.py +++ b/misp_modules/modules/expansion/recordedfuture.py @@ -1,36 +1,89 @@ import json import logging import requests +from requests.exceptions import HTTPError, ProxyError,\ + InvalidURL, ConnectTimeout, ConnectionError from . import check_input_attribute, checking_error, standard_error_message -from urllib.parse import quote +import platform +import os +from urllib.parse import quote, urlparse from pymisp import MISPAttribute, MISPEvent, MISPTag, MISPObject -moduleinfo = {'version': '1.0', 'author': 'Recorded Future', - 'description': 'Module to retrieve data from Recorded Future', - 'module-type': ['expansion', 'hover']} +moduleinfo = { + 'version': '1.0.1', + 'author': 'Recorded Future', + 'description': 'Module to retrieve data from Recorded Future', + 'module-type': ['expansion', 'hover'] +} -moduleconfig = ['token'] +moduleconfig = ['token', 'proxy_host', 'proxy_port', 'proxy_username', 'proxy_password'] misperrors = {'error': 'Error'} -mispattributes = {'input': ['ip', 'ip-src', 'ip-dst', 'domain', 'hostname', 'md5', 'sha1', 'sha256', - 'uri', 'url', 'vulnerability', 'weakness'], - 'output': ['ip', 'ip-src', 'ip-dst', 'domain', 'hostname', 'md5', 'sha1', 'sha256', - 'uri', 'url', 'vulnerability', 'weakness', 'email-src', 'text'], - 'format': 'misp_standard'} +ATTRIBUTES = [ + 'ip', + 'ip-src', + 'ip-dst', + 'domain', + 'hostname', + 'md5', + 'sha1', + 'sha256', + 'uri', + 'url', + 'vulnerability', + 'weakness' +] + +mispattributes = { + 'input': ATTRIBUTES, + 'output': ATTRIBUTES + ['email-src', 'text'], + 'format': 'misp_standard' +} LOGGER = logging.getLogger('recorded_future') LOGGER.setLevel(logging.INFO) -def rf_lookup(api_token: str, category: str, ioc: str) -> requests.Response: - """Do a lookup call using Recorded Future's ConnectAPI.""" - auth_header = {"X-RFToken": api_token} - parsed_ioc = quote(ioc, safe='') - url = f'https://api.recordedfuture.com/v2/{category}/{parsed_ioc}?fields=risk%2CrelatedEntities' - response = requests.get(url, headers=auth_header) - response.raise_for_status() - return response +class RequestHandler: + """A class for handling any outbound requests from this module.""" + def __init__(self): + self.session = requests.Session() + self.app_id = f'{os.path.basename(__file__)}/{moduleinfo["version"]} ({platform.platform()}) ' \ + f'misp_enrichment/{moduleinfo["version"]} python-requests/{requests.__version__}' + self.proxies = None + self.rf_token = None + + def get(self, url: str, headers: dict = None) -> requests.Response: + """General get method with proxy error handling.""" + try: + timeout = 7 if self.proxies else None + response = self.session.get(url, headers=headers, proxies=self.proxies, timeout=timeout) + response.raise_for_status() + return response + except (ConnectTimeout, ProxyError, InvalidURL) as error: + msg = f'Error connecting with proxy, please check the Recorded Future app proxy settings.' + LOGGER.error(f'{msg} Error: {error}') + misperrors['error'] = msg + raise + + def rf_lookup(self, category: str, ioc: str) -> requests.Response: + """Do a lookup call using Recorded Future's ConnectAPI.""" + parsed_ioc = quote(ioc, safe='') + url = f'https://api.recordedfuture.com/v2/{category}/{parsed_ioc}?fields=risk%2CrelatedEntities' + headers = {'X-RFToken': self.rf_token, + 'User-Agent': self.app_id} + try: + response = self.get(url, headers) + except HTTPError as error: + msg = f'Error when requesting data from Recorded Future. {error.response}: {error.response.reason}' + LOGGER.error(msg) + misperrors['error'] = msg + raise + return response + + +GLOBAL_REQUEST_HANDLER = RequestHandler() class GalaxyFinder: @@ -38,46 +91,45 @@ class GalaxyFinder: def __init__(self): self.session = requests.Session() self.sources = { - 'RelatedThreatActor': ['https://raw.githubusercontent.com/MISP/misp-galaxy/' - 'main/clusters/threat-actor.json'], - 'RelatedMalware': ['https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/banker.json', - 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/botnet.json', - 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/exploit-kit.json', - 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/rat.json', - 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/ransomware.json', - 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/malpedia.json'] + 'RelatedThreatActor': [ + 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/threat-actor.json' + ], + 'RelatedMalware': [ + 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/banker.json', + 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/botnet.json', + 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/exploit-kit.json', + 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/rat.json', + 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/ransomware.json', + 'https://raw.githubusercontent.com/MISP/misp-galaxy/main/clusters/malpedia.json' + ] } self.galaxy_clusters = {} - def pull_galaxy_cluster(self, related_type: str): + def pull_galaxy_cluster(self, related_type: str) -> None: """Fetches galaxy clusters for the related_type from the remote json files specified as self.sources.""" # Only fetch clusters if not fetched previously if not self.galaxy_clusters.get(related_type): for source in self.sources.get(related_type): - response = self.session.get(source) - if response.ok: + try: + response = GLOBAL_REQUEST_HANDLER.get(source) name = source.split('/')[-1].split('.')[0] self.galaxy_clusters[related_type] = {name: response.json()} - else: - LOGGER.info(f'pull_galaxy_cluster failed for source: {source},' - f' got response: {response}, {response.reason}.') + except ConnectionError as error: + LOGGER.warning(f'pull_galaxy_cluster failed for source: {source}, with error: {error}.') def find_galaxy_match(self, indicator: str, related_type: str) -> str: """Searches the clusters of the related_type for a match with the indicator. :returns the first matching galaxy string or an empty string if no galaxy match is found. """ self.pull_galaxy_cluster(related_type) - try: - for cluster_name, cluster in self.galaxy_clusters[related_type].items(): - for value in cluster['values']: - try: - if indicator in value['meta']['synonyms'] or indicator in value['value']: - value = value['value'] - return f'misp-galaxy:{cluster_name}="{value}"' - except KeyError: - pass - except KeyError: - pass + for cluster_name, cluster in self.galaxy_clusters.get(related_type, {}).items(): + for value in cluster['values']: + try: + if indicator in value['meta']['synonyms'] or indicator in value['value']: + value = value['value'] + return f'misp-galaxy:{cluster_name}="{value}"' + except KeyError: + pass return '' @@ -113,57 +165,70 @@ class RFEnricher: """Class for enriching an attribute with data from Recorded Future. The enrichment data is returned as a custom MISP object. """ - def __init__(self, api_token: str, attribute_props: dict): - self.api_token = api_token + def __init__(self, attribute_props: dict): self.event = MISPEvent() self.enrichment_object = MISPObject('Recorded Future Enrichment') - self.enrichment_object.from_dict(**{'meta-category': 'misc', - 'description': 'An object containing the enriched attribute and related ' - 'entities from Recorded Future.', - 'distribution': 0}) + description = ( + 'An object containing the enriched attribute and ' + 'related entities from Recorded Future.' + ) + self.enrichment_object.from_dict(**{ + 'meta-category': 'misc', + 'description': description, + 'distribution': 0 + }) # Create a copy of enriched attribute to add tags to temp_attr = MISPAttribute() temp_attr.from_dict(**attribute_props) self.enriched_attribute = MISPAttribute() - self.enriched_attribute.from_dict(**{'value': temp_attr.value, 'type': temp_attr.type, 'distribution': 0}) + self.enriched_attribute.from_dict(**{ + 'value': temp_attr.value, + 'type': temp_attr.type, + 'distribution': 0 + }) self.related_attributes = [] self.color_picker = RFColors() self.galaxy_finder = GalaxyFinder() # Mapping from MISP-type to RF-type - self.type_to_rf_category = {'ip': 'ip', 'ip-src': 'ip', 'ip-dst': 'ip', - 'domain': 'domain', 'hostname': 'domain', - 'md5': 'hash', 'sha1': 'hash', 'sha256': 'hash', - 'uri': 'url', 'url': 'url', - 'vulnerability': 'vulnerability', 'weakness': 'vulnerability'} + self.type_to_rf_category = { + 'ip': 'ip', + 'ip-src': 'ip', + 'ip-dst': 'ip', + 'domain': 'domain', + 'hostname': 'domain', + 'md5': 'hash', + 'sha1': 'hash', + 'sha256': 'hash', + 'uri': 'url', + 'url': 'url', + 'vulnerability': 'vulnerability', + 'weakness': 'vulnerability' + } # Related entities from RF portrayed as related attributes in MISP - self.related_attribute_types = ['RelatedIpAddress', 'RelatedInternetDomainName', 'RelatedHash', - 'RelatedEmailAddress', 'RelatedCyberVulnerability'] + self.related_attribute_types = [ + 'RelatedIpAddress', 'RelatedInternetDomainName', 'RelatedHash', + 'RelatedEmailAddress', 'RelatedCyberVulnerability' + ] # Related entities from RF portrayed as tags in MISP self.galaxy_tag_types = ['RelatedMalware', 'RelatedThreatActor'] - def enrich(self): + def enrich(self) -> None: """Run the enrichment.""" category = self.type_to_rf_category.get(self.enriched_attribute.type) - - try: - response = rf_lookup(self.api_token, category, self.enriched_attribute.value) - json_response = json.loads(response.content) - except requests.HTTPError as error: - misperrors['error'] = f'Error when requesting data from Recorded Future. ' \ - f'{error.response} : {error.response.reason}' - raise error + json_response = GLOBAL_REQUEST_HANDLER.rf_lookup(category, self.enriched_attribute.value) + response = json.loads(json_response.content) try: # Add risk score and risk rules as tags to the enriched attribute - risk_score = json_response['data']['risk']['score'] + risk_score = response['data']['risk']['score'] hex_color = self.color_picker.riskscore_color(risk_score) tag_name = f'recorded-future:risk-score="{risk_score}"' self.add_tag(tag_name, hex_color) - for evidence in json_response['data']['risk']['evidenceDetails']: + for evidence in response['data']['risk']['evidenceDetails']: risk_rule = evidence['rule'] criticality = evidence['criticality'] hex_color = self.color_picker.riskrule_color(criticality) @@ -171,7 +236,7 @@ class RFEnricher: self.add_tag(tag_name, hex_color) # Retrieve related entities - for related_entity in json_response['data']['relatedEntities']: + for related_entity in response['data']['relatedEntities']: related_type = related_entity['type'] if related_type in self.related_attribute_types: # Related entities returned as additional attributes @@ -191,9 +256,9 @@ class RFEnricher: galaxy_tags.append(galaxy) for galaxy in galaxy_tags: self.add_tag(galaxy) - except KeyError as error: + except KeyError: misperrors['error'] = 'Unexpected format in Recorded Future api response.' - raise error + raise def add_related_attribute(self, indicator: str, related_type: str) -> None: """Helper method for adding an indicator to the related attribute list.""" @@ -247,14 +312,54 @@ class RFEnricher: return {'results': result} +def get_proxy_settings(config: dict) -> dict: + """Returns proxy settings in the requests format. + If no proxy settings are set, return None.""" + proxies = None + host = config.get('proxy_host') + port = config.get('proxy_port') + username = config.get('proxy_username') + password = config.get('proxy_password') + + if host: + if not port: + misperrors['error'] = 'The recordedfuture_proxy_host config is set, ' \ + 'please also set the recordedfuture_proxy_port.' + raise KeyError + parsed = urlparse(host) + if 'http' in parsed.scheme: + scheme = 'http' + else: + scheme = parsed.scheme + netloc = parsed.netloc + host = f'{netloc}:{port}' + + if username: + if not password: + misperrors['error'] = 'The recordedfuture_proxy_username config is set, ' \ + 'please also set the recordedfuture_proxy_password.' + raise KeyError + auth = f'{username}:{password}' + host = auth + '@' + host + + proxies = { + 'http': f'{scheme}://{host}', + 'https': f'{scheme}://{host}' + } + + LOGGER.info(f'Proxy settings: {proxies}') + return proxies + + def handler(q=False): """Handle enrichment.""" if q is False: return False request = json.loads(q) - if request.get('config') and request['config'].get('token'): - token = request['config'].get('token') + config = request.get('config') + if config and config.get('token'): + GLOBAL_REQUEST_HANDLER.rf_token = config.get('token') else: misperrors['error'] = 'Missing Recorded Future token.' return misperrors @@ -263,11 +368,17 @@ def handler(q=False): if request['attribute']['type'] not in mispattributes['input']: return {'error': 'Unsupported attribute type.'} + try: + GLOBAL_REQUEST_HANDLER.proxies = get_proxy_settings(config) + except KeyError: + return misperrors + input_attribute = request.get('attribute') - rf_enricher = RFEnricher(token, input_attribute) + rf_enricher = RFEnricher(input_attribute) + try: rf_enricher.enrich() - except (requests.HTTPError, KeyError): + except (HTTPError, ConnectTimeout, ProxyError, InvalidURL, KeyError): return misperrors return rf_enricher.get_results() From 1349ef61a515b00d84b69bae06b6afd9d830e9b6 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Fri, 28 Aug 2020 16:55:50 +0200 Subject: [PATCH 22/30] chg: Turned the Shodan expansion module into a misp_standard format module - As expected with the misp_standard modules, the input is a full attribute and the module is able to return attributes and objects - There was a lot of data that was parsed as regkey attributes by the freetext import, the module now parses properly the different field of the result of the query returned by Shodan --- misp_modules/modules/expansion/shodan.py | 226 +++++++++++++++++++++-- 1 file changed, 206 insertions(+), 20 deletions(-) diff --git a/misp_modules/modules/expansion/shodan.py b/misp_modules/modules/expansion/shodan.py index 5a4b792..ecd5b82 100755 --- a/misp_modules/modules/expansion/shodan.py +++ b/misp_modules/modules/expansion/shodan.py @@ -5,38 +5,224 @@ try: import shodan except ImportError: print("shodan module not installed.") +from . import check_input_attribute, standard_error_message +from datetime import datetime +from pymisp import MISPAttribute, MISPEvent, MISPObject misperrors = {'error': 'Error'} -mispattributes = {'input': ['ip-src', 'ip-dst'], 'output': ['freetext']} -moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot', +mispattributes = {'input': ['ip-src', 'ip-dst'], + 'format': 'misp_standard'} +moduleinfo = {'version': '0.2', 'author': 'Raphaël Vinot', 'description': 'Query on Shodan', 'module-type': ['expansion']} moduleconfig = ['apikey'] +class ShodanParser(): + def __init__(self, attribute): + self.misp_event = MISPEvent() + self.attribute = MISPAttribute() + self.attribute.from_dict(**attribute) + self.misp_event.add_attribute(**self.attribute) + self.ip_address_mapping = { + 'asn': {'type': 'AS', 'object_relation': 'asn'}, + 'city': {'type': 'text', 'object_relation': 'city'}, + 'country_code': {'type': 'text', 'object_relation': 'country-code'}, + 'country_name': {'type': 'text', 'object_relation': 'country'}, + 'isp': {'type': 'text', 'object_relation': 'ISP'}, + 'latitude': {'type': 'float', 'object_relation': 'latitude'}, + 'longitude': {'type': 'float', 'object_relation': 'longitude'}, + 'org': {'type': 'text', 'object_relation': 'organization'}, + 'postal_code': {'type': 'text', 'object_relation': 'zipcode'}, + 'region_code': {'type': 'text', 'object_relation': 'region-code'} + } + self.ip_port_mapping = { + 'domains': {'type': 'domain', 'object_relation': 'domain'}, + 'hostnames': {'type': 'hostname', 'object_relation': 'hostname'} + } + self.vulnerability_mapping = { + 'cvss': {'type': 'float', 'object_relation': 'cvss-score'}, + 'summary': {'type': 'text', 'object_relation': 'summary'} + } + self.x509_mapping = { + 'bits': {'type': 'text', 'object_relation': 'pubkey-info-size'}, + 'expires': {'type': 'datetime', 'object_relation': 'validity-not-after'}, + 'issued': {'type': 'datetime', 'object_relation': 'validity-not-before'}, + 'issuer': {'type': 'text', 'object_relation': 'issuer'}, + 'serial': {'type': 'text', 'object_relation': 'serial-number'}, + 'sig_alg': {'type': 'text', 'object_relation': 'signature_algorithm'}, + 'subject': {'type': 'text', 'object_relation': 'subject'}, + 'type': {'type': 'text', 'object_relation': 'pubkey-info-algorithm'}, + 'version': {'type': 'text', 'object_relation': 'version'} + } + + def query_shodan(self, apikey): + # Query Shodan and get the results in a json blob + api = shodan.Shodan(apikey) + query_results = api.host(self.attribute.value) + + # Parse the information about the IP address used as input + ip_address_attributes = [] + for feature, mapping in self.ip_address_mapping.items(): + if query_results.get(feature): + attribute = {'value': query_results[feature]} + attribute.update(mapping) + ip_address_attributes.append(attribute) + if ip_address_attributes: + ip_address_object = MISPObject('ip-api-address') + for attribute in ip_address_attributes: + ip_address_object.add_attribute(**attribute) + ip_address_object.add_attribute(**self._get_source_attribute()) + ip_address_object.add_reference(self.attribute.uuid, 'describes') + self.misp_event.add_object(ip_address_object) + + # Parse the hostnames / domains and ports associated with the IP address + if query_results.get('ports'): + ip_port_object = MISPObject('ip-port') + ip_port_object.add_attribute(**self._get_source_attribute()) + feature = self.attribute.type.split('-')[1] + for port in query_results['ports']: + attribute = { + 'type': 'port', + 'object_relation': f'{feature}-port', + 'value': port + } + ip_port_object.add_attribute(**attribute) + for feature, mapping in self.ip_port_mapping.items(): + for value in query_results.get(feature, []): + attribute = {'value': value} + attribute.update(mapping) + ip_port_object.add_attribute(**attribute) + ip_port_object.add_reference(self.attribute.uuid, 'extends') + self.misp_event.add_object(ip_port_object) + else: + if any(query_results.get(feature) for feature in ('domains', 'hostnames')): + domain_ip_object = MISPObject('domain-ip') + domain_ip_object.add_attribute(**self._get_source_attribute()) + for feature in ('domains', 'hostnames'): + for value in query_results[feature]: + attribute = { + 'type': 'domain', + 'object_relation': 'domain', + 'value': value + } + domain_ip_object.add_attribute(**attribute) + domain_ip_object.add_reference(self.attribute.uuid, 'extends') + self.misp_event.add_object(domain_ip_object) + + # Parse data within the "data" field + if query_results.get('vulns'): + vulnerabilities = {} + for data in query_results['data']: + # Parse vulnerabilities + if data.get('vulns'): + for cve, vulnerability in data['vulns'].items(): + if cve not in vulnerabilities: + vulnerabilities[cve] = vulnerability + # Also parse the certificates + if data.get('ssl'): + self._parse_cert(data['ssl']) + for cve, vulnerability in vulnerabilities.items(): + vulnerability_object = MISPObject('vulnerability') + vulnerability_object.add_attribute(**{ + 'type': 'vulnerability', + 'object_relation': 'id', + 'value': cve + }) + for feature, mapping in self.vulnerability_mapping.items(): + if vulnerability.get(feature): + attribute = {'value': vulnerability[feature]} + attribute.update(mapping) + vulnerability_object.add_attribute(**attribute) + if vulnerability.get('references'): + for reference in vulnerability['references']: + vulnerability_object.add_attribute(**{ + 'type': 'link', + 'object_relation': 'references', + 'value': reference + }) + vulnerability_object.add_reference(self.attribute.uuid, 'vulnerability-of') + self.misp_event.add_object(vulnerability_object) + for cve_id in query_results['vulns']: + if cve_id not in vulnerabilities: + attribute = { + 'type': 'vulnerability', + 'value': cve_id + } + self.misp_event.add_attribute(**attribute) + else: + # We have no vulnerability data, we only check if we have + # certificates within the "data" field + for data in query_results['data']: + if data.get('ssl'): + self._parse_cert(data['ssl']['cert']) + + def get_result(self): + event = json.loads(self.misp_event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])} + return {'results': results} + + # When we want to add the IP address information in objects such as the + # domain-ip or ip-port objects referencing the input IP address attribute + def _get_source_attribute(self): + return { + 'type': self.attribute.type, + 'object_relation': self.attribute.type, + 'value': self.attribute.value + } + + def _parse_cert(self, certificate): + x509_object = MISPObject('x509') + for feature in ('serial', 'sig_alg', 'version'): + if certificate.get(feature): + attribute = {'value': certificate[feature]} + attribute.update(self.x509_mapping[feature]) + x509_object.add_attribute(**attribute) + # Parse issuer and subject value + for feature in ('issuer', 'subject'): + if certificate.get(feature): + attribute_value = (f'{identifier}={value}' for identifier, value in certificate[feature].items()) + attribute = {'value': f'/{"/".join(attribute_value)}'} + attribute.update(self.x509_mapping[feature]) + x509_object.add_attribute(**attribute) + # Parse datetime attributes + for feature in ('expires', 'issued'): + if certificate.get(feature): + attribute = {'value': datetime.strptime(certificate[feature], '%Y%m%d%H%M%SZ')} + attribute.update(self.x509_mapping[feature]) + x509_object.add_attribute(**attribute) + # Parse fingerprints + if certificate.get('fingerprint'): + for hash_type, hash_value in certificate['fingerprint'].items(): + x509_object.add_attribute(**{ + 'type': f'x509-fingerprint-{hash_type}', + 'object_relation': f'x509-fingerprint-{hash_type}', + 'value': hash_value + }) + # Parse public key related info + if certificate.get('pubkey'): + for feature, value in certificate['pubkey'].items(): + attribute = {'value': value} + attribute.update(self.x509_mapping[feature]) + x509_object.add_attribute(**attribute) + x509_object.add_reference(self.attribute.uuid, 'identifies') + self.misp_event.add_object(x509_object) + def handler(q=False): if q is False: return False request = json.loads(q) - if request.get('ip-src'): - toquery = request['ip-src'] - elif request.get('ip-dst'): - toquery = request['ip-dst'] - else: - misperrors['error'] = "Unsupported attributes type" - return misperrors - - if not request.get('config') or not request['config'].get('apikey'): - misperrors['error'] = 'Shodan authentication is missing' - return misperrors - api = shodan.Shodan(request['config'].get('apikey')) - - return handle_expansion(api, toquery) - - -def handle_expansion(api, domain): - return {'results': [{'types': mispattributes['output'], 'values': json.dumps(api.host(domain))}]} + if not request.get('config', {}).get('apikey'): + return {'error': 'Shodan authentication is missing'} + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + attribute = request['attribute'] + if attribute['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} + shodan_parser = ShodanParser(attribute) + shodan_parser.query_shodan(request['config']['apikey']) + return shodan_parser.get_result() def introspection(): From ae1016946bbbe0dd2652e0c383b8c5214fca4527 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Fri, 28 Aug 2020 17:30:23 +0200 Subject: [PATCH 23/30] fix: Making pep8 happy --- misp_modules/modules/expansion/recordedfuture.py | 2 +- misp_modules/modules/expansion/shodan.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/misp_modules/modules/expansion/recordedfuture.py b/misp_modules/modules/expansion/recordedfuture.py index 537e997..ccea31b 100644 --- a/misp_modules/modules/expansion/recordedfuture.py +++ b/misp_modules/modules/expansion/recordedfuture.py @@ -62,7 +62,7 @@ class RequestHandler: response.raise_for_status() return response except (ConnectTimeout, ProxyError, InvalidURL) as error: - msg = f'Error connecting with proxy, please check the Recorded Future app proxy settings.' + msg = 'Error connecting with proxy, please check the Recorded Future app proxy settings.' LOGGER.error(f'{msg} Error: {error}') misperrors['error'] = msg raise diff --git a/misp_modules/modules/expansion/shodan.py b/misp_modules/modules/expansion/shodan.py index ecd5b82..f295deb 100755 --- a/misp_modules/modules/expansion/shodan.py +++ b/misp_modules/modules/expansion/shodan.py @@ -209,6 +209,7 @@ class ShodanParser(): x509_object.add_reference(self.attribute.uuid, 'identifies') self.misp_event.add_object(x509_object) + def handler(q=False): if q is False: return False From 3101e5bc26ee3e45afed16dfb7a5b45ac70a270c Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Tue, 8 Sep 2020 16:08:57 +0200 Subject: [PATCH 24/30] chg: Updated the bgpranking expansion module to return MISP objects - The module no longer returns freetext, since the result returned to the freetext import as text only allowed MISP to parse the same AS number as the input attribute. - The new result returned with the updated module is an asn object describing more precisely the AS number, and its ranking for a given day --- misp_modules/modules/expansion/bgpranking.py | 72 ++++++++++++++++---- 1 file changed, 60 insertions(+), 12 deletions(-) diff --git a/misp_modules/modules/expansion/bgpranking.py b/misp_modules/modules/expansion/bgpranking.py index b01088d..c021d62 100755 --- a/misp_modules/modules/expansion/bgpranking.py +++ b/misp_modules/modules/expansion/bgpranking.py @@ -1,13 +1,15 @@ # -*- coding: utf-8 -*- import json -from datetime import date, timedelta +from . import check_input_attribute, standard_error_message +from datetime import date, datetime, timedelta from pybgpranking import BGPRanking +from pymisp import MISPAttribute, MISPEvent, MISPObject misperrors = {'error': 'Error'} -mispattributes = {'input': ['AS'], 'output': ['freetext']} +mispattributes = {'input': ['AS'], 'format': 'misp_standard'} moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot', - 'description': 'Query an ASN Description history service (https://github.com/CIRCL/ASN-Description-History.git)', + 'description': 'Query BGP Ranking to get the ranking of an Autonomous System number.', 'module-type': ['expansion', 'hover']} @@ -15,19 +17,65 @@ def handler(q=False): if q is False: return False request = json.loads(q) - if request.get('AS'): - toquery = request['AS'] - else: - misperrors['error'] = "Unsupported attributes type" - return misperrors + if not request.get('attribute') or not check_input_attribute(request['attribute']): + return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'} + toquery = request['attribute'] + if toquery['type'] not in mispattributes['input']: + return {'error': 'Unsupported attribute type.'} bgpranking = BGPRanking() - values = bgpranking.query(toquery, date=(date.today() - timedelta(1)).isoformat()) + value_toquery = int(toquery['value'][2:]) if toquery['value'].startswith('AS') else int(toquery['value']) + values = bgpranking.query(value_toquery, date=(date.today() - timedelta(1)).isoformat()) - if not values: - misperrors['error'] = 'Unable to find the ASN in BGP Ranking' + if not values['response'] or not values['response']['asn_description']: + misperrors['error'] = 'There is no result about this ASN in BGP Ranking' return misperrors - return {'results': [{'types': mispattributes['output'], 'values': values}]} + + event = MISPEvent() + attribute = MISPAttribute() + attribute.from_dict(**toquery) + event.add_attribute(**attribute) + + asn_object = MISPObject('asn') + asn_object.add_attribute(**{ + 'type': 'AS', + 'object_relation': 'asn', + 'value': values['meta']['asn'] + }) + description, country = values['response']['asn_description'].split(', ') + for relation, value in zip(('description', 'country'), (description, country)): + asn_object.add_attribute(**{ + 'type': 'text', + 'object_relation': relation, + 'value': value + }) + + mapping = { + 'address_family': {'type': 'text', 'object_relation': 'address-family'}, + 'date': {'type': 'datetime', 'object_relation': 'date'}, + 'position': {'type': 'float', 'object_relation': 'position'}, + 'rank': {'type': 'float', 'object_relation': 'ranking'} + } + bgp_object = MISPObject('bgp-ranking') + for feature in ('rank', 'position'): + bgp_attribute = {'value': values['response']['ranking'][feature]} + bgp_attribute.update(mapping[feature]) + bgp_object.add_attribute(**bgp_attribute) + date_attribute = {'value': datetime.strptime(values['meta']['date'], '%Y-%m-%d')} + date_attribute.update(mapping['date']) + bgp_object.add_attribute(**date_attribute) + address_attribute = {'value': values['meta']['address_family']} + address_attribute.update(mapping['address_family']) + bgp_object.add_attribute(**address_attribute) + + asn_object.add_reference(attribute.uuid, 'describes') + asn_object.add_reference(bgp_object.uuid, 'ranked-with') + event.add_object(asn_object) + event.add_object(bgp_object) + + event = json.loads(event.to_json()) + results = {key: event[key] for key in ('Attribute', 'Object')} + return {'results': results} def introspection(): From 589a0a03210b1f1734ff507919fd01c7f154bbf8 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Tue, 8 Sep 2020 16:15:23 +0200 Subject: [PATCH 25/30] chg: Updated documentation for the recently updated bgpranking module --- README.md | 2 +- doc/README.md | 4 ++-- doc/expansion/bgpranking.json | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 83b4dc6..26dce03 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj * [AssemblyLine submit](misp_modules/modules/expansion/assemblyline_submit.py) - an expansion module to submit samples and urls to AssemblyLine. * [AssemblyLine query](misp_modules/modules/expansion/assemblyline_query.py) - an expansion module to query AssemblyLine and parse the full submission report. * [Backscatter.io](misp_modules/modules/expansion/backscatter_io.py) - a hover and expansion module to expand an IP address with mass-scanning observations. -* [BGP Ranking](misp_modules/modules/expansion/bgpranking.py) - a hover and expansion module to expand an AS number with the ASN description, its history, and position in BGP Ranking. +* [BGP Ranking](misp_modules/modules/expansion/bgpranking.py) - a hover and expansion module to expand an AS number with the ASN description and its ranking and position in BGP Ranking. * [RansomcoinDB check](misp_modules/modules/expansion/ransomcoindb.py) - An expansion hover module to query the [ransomcoinDB](https://ransomcoindb.concinnity-risks.com): it contains mapping between BTC addresses and malware hashes. Enrich MISP by querying for BTC -> hash or hash -> BTC addresses. * [BTC scam check](misp_modules/modules/expansion/btc_scam_check.py) - An expansion hover module to instantly check if a BTC address has been abused. * [BTC transactions](misp_modules/modules/expansion/btc_steroids.py) - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP. diff --git a/doc/README.md b/doc/README.md index 7979348..6469dd0 100644 --- a/doc/README.md +++ b/doc/README.md @@ -108,13 +108,13 @@ Query backscatter.io (https://backscatter.io/). Query BGP Ranking (https://bgpranking-ng.circl.lu/). - **features**: ->The module takes an AS number attribute as input and displays its description and history, and position in BGP Ranking. +>The module takes an AS number attribute as input and displays its description as well as its ranking position in BGP Ranking for a given day. > > - **input**: >Autonomous system number. - **output**: ->Text containing a description of the ASN, its history, and the position in BGP Ranking. +>An asn object with its related bgp-ranking object. - **references**: >https://github.com/D4-project/BGP-Ranking/ - **requirements**: diff --git a/doc/expansion/bgpranking.json b/doc/expansion/bgpranking.json index a98b780..4695aa1 100644 --- a/doc/expansion/bgpranking.json +++ b/doc/expansion/bgpranking.json @@ -1,8 +1,8 @@ { "description": "Query BGP Ranking (https://bgpranking-ng.circl.lu/).", "requirements": ["pybgpranking python library"], - "features": "The module takes an AS number attribute as input and displays its description and history, and position in BGP Ranking.\n\n", + "features": "The module takes an AS number attribute as input and displays its description as well as its ranking position in BGP Ranking for a given day.\n\n", "references": ["https://github.com/D4-project/BGP-Ranking/"], "input": "Autonomous system number.", - "output": "Text containing a description of the ASN, its history, and the position in BGP Ranking." + "output": "An asn object with its related bgp-ranking object." } From 9f315f1728d54796bb05db52839333643c313b2b Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Tue, 8 Sep 2020 16:24:41 +0200 Subject: [PATCH 26/30] chg: Updated the bgpranking expansion module test --- tests/test_expansions.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/tests/test_expansions.py b/tests/test_expansions.py index a56fbe7..1aa0f7a 100644 --- a/tests/test_expansions.py +++ b/tests/test_expansions.py @@ -97,9 +97,16 @@ class TestExpansions(unittest.TestCase): self.assertEqual(self.get_errors(response), 'An API key for APIVoid is required.') def test_bgpranking(self): - query = {"module": "bgpranking", "AS": "13335"} + query = { + "module": "bgpranking", + "attribute": { + "type": "AS", + "value": "13335", + "uuid": "ea89a33b-4ab7-4515-9f02-922a0bee333d" + } + } response = self.misp_modules_post(query) - self.assertEqual(self.get_values(response)['response']['asn_description'], 'CLOUDFLARENET, US') + self.assertEqual(self.get_object(response), 'asn') def test_btc_steroids(self): query = {"module": "btc_steroids", "btc": "1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA"} From 2dde6e8757bc43cffde65e238ef370c461b71cb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Wed, 9 Sep 2020 10:56:01 +0200 Subject: [PATCH 27/30] fix: Typo in EMailObject Fix #427 --- misp_modules/modules/import_mod/email_import.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp_modules/modules/import_mod/email_import.py b/misp_modules/modules/import_mod/email_import.py index 114f8c9..7453dcd 100644 --- a/misp_modules/modules/import_mod/email_import.py +++ b/misp_modules/modules/import_mod/email_import.py @@ -42,7 +42,7 @@ def handler(q=False): # request data is always base 64 byte encoded data = base64.b64decode(request["data"]) - email_object = EMailObject(pseudofile=BytesIO(data), attach_original_mail=True, standalone=False) + email_object = EMailObject(pseudofile=BytesIO(data), attach_original_email=True, standalone=False) # Check if we were given a configuration config = request.get("config", {}) From c5abf8980534b127785d97c8a292534cf8d88a3b Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 28 Sep 2020 12:34:00 +0200 Subject: [PATCH 28/30] fix: [virustotal_public] Resolve key error when user enrich hostname - Same as #424 --- misp_modules/modules/expansion/virustotal_public.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp_modules/modules/expansion/virustotal_public.py b/misp_modules/modules/expansion/virustotal_public.py index 6ffb7f9..989e48d 100644 --- a/misp_modules/modules/expansion/virustotal_public.py +++ b/misp_modules/modules/expansion/virustotal_public.py @@ -37,7 +37,7 @@ class VirusTotalParser(): def parse_resolutions(self, resolutions, subdomains=None, uuids=None): domain_ip_object = MISPObject('domain-ip') - if self.attribute.type == 'domain': + if self.attribute.type in ('domain', 'hostname'): domain_ip_object.add_attribute('domain', type='domain', value=self.attribute.value) attribute_type, relation, key = ('ip-dst', 'ip', 'ip_address') else: From 14aa6e2d1a0a4933f1d26c181215487bf25c6cf4 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Thu, 1 Oct 2020 22:44:39 +0200 Subject: [PATCH 29/30] fix: [cve_advanced] Avoiding potential MISP object references issues - Adding objects as dictionaries in an event may cause issues in some cases. It is better to pass the MISP object as is, as it is already a valid object since the MISPObject class is used --- misp_modules/modules/expansion/cve_advanced.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/misp_modules/modules/expansion/cve_advanced.py b/misp_modules/modules/expansion/cve_advanced.py index cd36655..d15711f 100644 --- a/misp_modules/modules/expansion/cve_advanced.py +++ b/misp_modules/modules/expansion/cve_advanced.py @@ -56,7 +56,7 @@ class VulnerabilityParser(): value = value['title'] vulnerability_object.add_attribute(relation, **{'type': attribute_type, 'value': value}) vulnerability_object.add_reference(self.attribute['uuid'], 'related-to') - self.misp_event.add_object(**vulnerability_object) + self.misp_event.add_object(vulnerability_object) if 'cwe' in self.vulnerability and self.vulnerability['cwe'] not in ('Unknown', 'NVD-CWE-noinfo'): self.__parse_weakness(vulnerability_object.uuid) if 'capec' in self.vulnerability: @@ -79,7 +79,7 @@ class VulnerabilityParser(): for related_weakness in capec['related_weakness']: attribute = dict(type='weakness', value="CWE-{}".format(related_weakness)) capec_object.add_attribute('related-weakness', **attribute) - self.misp_event.add_object(**capec_object) + self.misp_event.add_object(capec_object) self.references[vulnerability_uuid].append(dict(referenced_uuid=capec_object.uuid, relationship_type='targeted-by')) @@ -95,7 +95,7 @@ class VulnerabilityParser(): for feature, relation in self.weakness_mapping.items(): if cwe.get(feature): weakness_object.add_attribute(relation, **dict(type=attribute_type, value=cwe[feature])) - self.misp_event.add_object(**weakness_object) + self.misp_event.add_object(weakness_object) self.references[vulnerability_uuid].append(dict(referenced_uuid=weakness_object.uuid, relationship_type='weakened-by')) break From 0072e04627f3dc33db0412598ac809dcaeec3f4b Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Fri, 2 Oct 2020 16:41:47 +0200 Subject: [PATCH 30/30] chg: Updated expansion modules documentation - Added documentation for the missing modules - Renamed some of the documentation files to match with the module names and avoid issues within the documentation file (README.md) with the link of the miss-spelled module names --- doc/README.md | 155 +++++++++++++++++- doc/expansion/cve_advanced.json | 8 + .../{docx-enrich.json => docx_enrich.json} | 0 doc/expansion/geoip_asn.json | 9 + doc/expansion/geoip_city.json | 9 + doc/expansion/google_search.json | 9 + doc/expansion/intel471.json | 9 + .../{ocr-enrich.json => ocr_enrich.json} | 0 .../{ods-enrich.json => ods_enrich.json} | 0 .../{odt-enrich.json => odt_enrich.json} | 0 .../{pdf-enrich.json => pdf_enrich.json} | 0 .../{pptx-enrich.json => pptx_enrich.json} | 0 doc/expansion/ransomcoindb.json | 8 + doc/expansion/sophoslabs_intelix.json | 9 + .../{xlsx-enrich.json => xlsx_enrich.json} | 0 doc/logos/google.png | Bin 0 -> 15903 bytes doc/logos/intel471.png | Bin 0 -> 6713 bytes doc/logos/sophoslabs_intelix.svg | 32 ++++ 18 files changed, 241 insertions(+), 7 deletions(-) create mode 100644 doc/expansion/cve_advanced.json rename doc/expansion/{docx-enrich.json => docx_enrich.json} (100%) create mode 100644 doc/expansion/geoip_asn.json create mode 100644 doc/expansion/geoip_city.json create mode 100644 doc/expansion/google_search.json create mode 100644 doc/expansion/intel471.json rename doc/expansion/{ocr-enrich.json => ocr_enrich.json} (100%) rename doc/expansion/{ods-enrich.json => ods_enrich.json} (100%) rename doc/expansion/{odt-enrich.json => odt_enrich.json} (100%) rename doc/expansion/{pdf-enrich.json => pdf_enrich.json} (100%) rename doc/expansion/{pptx-enrich.json => pptx_enrich.json} (100%) create mode 100644 doc/expansion/ransomcoindb.json create mode 100644 doc/expansion/sophoslabs_intelix.json rename doc/expansion/{xlsx-enrich.json => xlsx_enrich.json} (100%) create mode 100644 doc/logos/google.png create mode 100644 doc/logos/intel471.png create mode 100644 doc/logos/sophoslabs_intelix.svg diff --git a/doc/README.md b/doc/README.md index 6469dd0..1225780 100644 --- a/doc/README.md +++ b/doc/README.md @@ -311,6 +311,26 @@ An expansion hover module to expand information about CVE id. ----- +#### [cve_advanced](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cve_advanced.py) + + + +An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE). +- **features**: +>The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to gather additional information. +> +>The result of the query is then parsed to return additional information about the vulnerability, like its cvss score or some references, as well as the potential related weaknesses and attack patterns. +> +>The vulnerability additional data is returned in a vulnerability MISP object, and the related additional information are put into weakness and attack-pattern MISP objects. +- **input**: +>Vulnerability attribute. +- **output**: +>Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns. +- **references**: +>https://cve.circl.lu, https://cve/mitre.org/ + +----- + #### [cytomic_orion](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cytomic_orion.py) @@ -369,7 +389,7 @@ A simple DNS expansion service to resolve IP address from domain MISP attributes ----- -#### [docx-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/docx-enrich.py) +#### [docx_enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/docx_enrich.py) @@ -476,6 +496,42 @@ Module to access Farsight DNSDB Passive DNS. ----- +#### [geoip_asn](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/geoip_asn.py) + + +- **descrption**: +>An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about its related AS number. +- **features**: +>The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the related AS number. +- **input**: +>An IP address MISP attribute. +- **output**: +>Text containing information about the AS number of the IP address. +- **references**: +>https://www.maxmind.com/en/home +- **requirements**: +>A local copy of Maxmind's Geolite database + +----- + +#### [geoip_city](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/geoip_city.py) + + + +An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about the city where it is located. +- **features**: +>The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the city where this IP address is located. +- **input**: +>An IP address MISP attribute. +- **output**: +>Text containing information about the city where the IP address is located. +- **references**: +>https://www.maxmind.com/en/home +- **requirements**: +>A local copy of Maxmind's Geolite database + +----- + #### [geoip_country](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/geoip_country.py) @@ -496,6 +552,24 @@ Module to query a local copy of Maxmind's Geolite database. ----- +#### [google_search](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/google_search.py) + + +- **descrption**: +>A hover module to get information about an url using a Google search. +- **features**: +>The module takes an url as input to query the Google search API. The result of the query is then return as raw text. +- **input**: +>An url attribute. +- **output**: +>Text containing the result of a Google search on the input url. +- **references**: +>https://github.com/abenassi/Google-Search-API +- **requirements**: +>The python Google Search API library + +----- + #### [greynoise](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/greynoise.py) @@ -544,6 +618,37 @@ Module to access haveibeenpwned.com API. ----- +#### [intel471](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/intel471.py) + + +- **descrption**: +>An expansion module to query Intel471 in order to get additional information about a domain, ip address, email address, url or hash. +- **features**: +>The module uses the Intel471 python library to query the Intel471 API with the value of the input attribute. The result of the query is then returned as freetext so the Freetext import parses it. +- **input**: +>A MISP attribute whose type is included in the following list: +>- hostname +>- domain +>- url +>- ip-src +>- ip-dst +>- email-src +>- email-dst +>- target-email +>- whois-registrant-email +>- whois-registrant-name +>- md5 +>- sha1 +>- sha256 +- **output**: +>Freetext +- **references**: +>https://public.intel471.com/ +- **requirements**: +>The intel471 python library + +----- + #### [intelmq_eventdb](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/intelmq_eventdb.py) @@ -733,7 +838,7 @@ Query the MALWAREbazaar API to get additional information about the input hash a ----- -#### [ocr-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ocr-enrich.py) +#### [ocr_enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ocr_enrich.py) Module to process some optical character recognition on pictures. - **features**: @@ -747,7 +852,7 @@ Module to process some optical character recognition on pictures. ----- -#### [ods-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ods-enrich.py) +#### [ods_enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ods_enrich.py) @@ -763,7 +868,7 @@ Module to extract freetext from a .ods document. ----- -#### [odt-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/odt-enrich.py) +#### [odt_enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/odt_enrich.py) @@ -902,7 +1007,7 @@ Module to get information from AlienVault OTX. ----- -#### [pdf-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/pdf-enrich.py) +#### [pdf_enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/pdf_enrich.py) @@ -918,7 +1023,7 @@ Module to extract freetext from a PDF document. ----- -#### [pptx-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/pptx-enrich.py) +#### [pptx_enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/pptx_enrich.py) @@ -948,6 +1053,24 @@ Module to decode QR codes. ----- +#### [ransomcoindb](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ransomcoindb.py) +- **descrption**: +>Module to access the ransomcoinDB with a hash or btc address attribute and get the associated btc address of hashes. +- **features**: +>The module takes either a hash attribute or a btc attribute as input to query the ransomcoinDB API for some additional data. +> +>If the input is a btc address, we will get the associated hashes returned in a file MISP object. If we query ransomcoinDB with a hash, the response contains the associated btc addresses returned as single MISP btc attributes. +- **input**: +>A hash (md5, sha1 or sha256) or btc attribute. +- **output**: +>Hashes associated to a btc address or btc addresses associated to a hash. +- **references**: +>https://ransomcoindb.concinnity-risks.com +- **requirements**: +>A ransomcoinDB API key. + +----- + #### [rbl](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/rbl.py) Module to check an IPv4 address against known RBLs. @@ -1091,6 +1214,24 @@ An expansion hover module to perform a syntax check on sigma rules. ----- +#### [sophoslabs_intelix](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/sophoslabs_intelix.py) + + + +An expansion module to query the Sophoslabs intelix API to get additional information about an ip address, url, domain or sha256 attribute. +- **features**: +>The module takes an ip address, url, domain or sha256 attribute and queries the SophosLabs Intelix API with the attribute value. The result of this query is a SophosLabs Intelix hash report, or an ip or url lookup, that is then parsed and returned in a MISP object. +- **input**: +>An ip address, url, domain or sha256 attribute. +- **output**: +>SophosLabs Intelix report and lookup objects +- **references**: +>https://aws.amazon.com/marketplace/pp/B07SLZPMCS +- **requirements**: +>A client_id and client_secret pair to authenticate to the SophosLabs Intelix API + +----- + #### [sourcecache](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/sourcecache.py) Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page. @@ -1442,7 +1583,7 @@ An expansion module for IBM X-Force Exchange. ----- -#### [xlsx-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/xlsx-enrich.py) +#### [xlsx_enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/xlsx_enrich.py) diff --git a/doc/expansion/cve_advanced.json b/doc/expansion/cve_advanced.json new file mode 100644 index 0000000..a4b2ac6 --- /dev/null +++ b/doc/expansion/cve_advanced.json @@ -0,0 +1,8 @@ +{ + "description": "An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).", + "logo": "logos/cve.png", + "input": "Vulnerability attribute.", + "output": "Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns.", + "references": ["https://cve.circl.lu", "https://cve/mitre.org/"], + "features": "The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to gather additional information.\n\nThe result of the query is then parsed to return additional information about the vulnerability, like its cvss score or some references, as well as the potential related weaknesses and attack patterns.\n\nThe vulnerability additional data is returned in a vulnerability MISP object, and the related additional information are put into weakness and attack-pattern MISP objects." +} diff --git a/doc/expansion/docx-enrich.json b/doc/expansion/docx_enrich.json similarity index 100% rename from doc/expansion/docx-enrich.json rename to doc/expansion/docx_enrich.json diff --git a/doc/expansion/geoip_asn.json b/doc/expansion/geoip_asn.json new file mode 100644 index 0000000..98189c7 --- /dev/null +++ b/doc/expansion/geoip_asn.json @@ -0,0 +1,9 @@ +{ + "descrption": "An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about its related AS number.", + "logo": "logos/maxmind.png", + "requirements": ["A local copy of Maxmind's Geolite database"], + "input": "An IP address MISP attribute.", + "output": "Text containing information about the AS number of the IP address.", + "references": ["https://www.maxmind.com/en/home"], + "features": "The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the related AS number." +} diff --git a/doc/expansion/geoip_city.json b/doc/expansion/geoip_city.json new file mode 100644 index 0000000..bf6d8fa --- /dev/null +++ b/doc/expansion/geoip_city.json @@ -0,0 +1,9 @@ +{ + "description": "An expansion module to query a local copy of Maxmind's Geolite database with an IP address, in order to get information about the city where it is located.", + "logo": "logos/maxmind.png", + "requirements": ["A local copy of Maxmind's Geolite database"], + "input": "An IP address MISP attribute.", + "output": "Text containing information about the city where the IP address is located.", + "references": ["https://www.maxmind.com/en/home"], + "features": "The module takes an IP address attribute as input and queries a local copy of the Maxmind's Geolite database to get information about the city where this IP address is located." +} diff --git a/doc/expansion/google_search.json b/doc/expansion/google_search.json new file mode 100644 index 0000000..a3caddf --- /dev/null +++ b/doc/expansion/google_search.json @@ -0,0 +1,9 @@ +{ + "descrption": "A hover module to get information about an url using a Google search.", + "logo": "logos/google.png", + "requirements": ["The python Google Search API library"], + "input": "An url attribute.", + "output": "Text containing the result of a Google search on the input url.", + "references": ["https://github.com/abenassi/Google-Search-API"], + "features": "The module takes an url as input to query the Google search API. The result of the query is then return as raw text." +} diff --git a/doc/expansion/intel471.json b/doc/expansion/intel471.json new file mode 100644 index 0000000..72dbaba --- /dev/null +++ b/doc/expansion/intel471.json @@ -0,0 +1,9 @@ +{ + "descrption": "An expansion module to query Intel471 in order to get additional information about a domain, ip address, email address, url or hash.", + "logo": "logos/intel471.png", + "requirements": ["The intel471 python library"], + "input": "A MISP attribute whose type is included in the following list:\n- hostname\n- domain\n- url\n- ip-src\n- ip-dst\n- email-src\n- email-dst\n- target-email\n- whois-registrant-email\n- whois-registrant-name\n- md5\n- sha1\n- sha256", + "output": "Freetext", + "references": ["https://public.intel471.com/"], + "features": "The module uses the Intel471 python library to query the Intel471 API with the value of the input attribute. The result of the query is then returned as freetext so the Freetext import parses it." +} diff --git a/doc/expansion/ocr-enrich.json b/doc/expansion/ocr_enrich.json similarity index 100% rename from doc/expansion/ocr-enrich.json rename to doc/expansion/ocr_enrich.json diff --git a/doc/expansion/ods-enrich.json b/doc/expansion/ods_enrich.json similarity index 100% rename from doc/expansion/ods-enrich.json rename to doc/expansion/ods_enrich.json diff --git a/doc/expansion/odt-enrich.json b/doc/expansion/odt_enrich.json similarity index 100% rename from doc/expansion/odt-enrich.json rename to doc/expansion/odt_enrich.json diff --git a/doc/expansion/pdf-enrich.json b/doc/expansion/pdf_enrich.json similarity index 100% rename from doc/expansion/pdf-enrich.json rename to doc/expansion/pdf_enrich.json diff --git a/doc/expansion/pptx-enrich.json b/doc/expansion/pptx_enrich.json similarity index 100% rename from doc/expansion/pptx-enrich.json rename to doc/expansion/pptx_enrich.json diff --git a/doc/expansion/ransomcoindb.json b/doc/expansion/ransomcoindb.json new file mode 100644 index 0000000..bc4e2ab --- /dev/null +++ b/doc/expansion/ransomcoindb.json @@ -0,0 +1,8 @@ +{ + "descrption": "Module to access the ransomcoinDB with a hash or btc address attribute and get the associated btc address of hashes.", + "requirements": ["A ransomcoinDB API key."], + "input": "A hash (md5, sha1 or sha256) or btc attribute.", + "output": "Hashes associated to a btc address or btc addresses associated to a hash.", + "references": ["https://ransomcoindb.concinnity-risks.com"], + "features": "The module takes either a hash attribute or a btc attribute as input to query the ransomcoinDB API for some additional data.\n\nIf the input is a btc address, we will get the associated hashes returned in a file MISP object. If we query ransomcoinDB with a hash, the response contains the associated btc addresses returned as single MISP btc attributes." +} diff --git a/doc/expansion/sophoslabs_intelix.json b/doc/expansion/sophoslabs_intelix.json new file mode 100644 index 0000000..18dd7c1 --- /dev/null +++ b/doc/expansion/sophoslabs_intelix.json @@ -0,0 +1,9 @@ +{ + "description": "An expansion module to query the Sophoslabs intelix API to get additional information about an ip address, url, domain or sha256 attribute.", + "logo": "logos/sophoslabs_intelix.svg", + "requirements": ["A client_id and client_secret pair to authenticate to the SophosLabs Intelix API"], + "input": "An ip address, url, domain or sha256 attribute.", + "output": "SophosLabs Intelix report and lookup objects", + "references": ["https://aws.amazon.com/marketplace/pp/B07SLZPMCS"], + "features": "The module takes an ip address, url, domain or sha256 attribute and queries the SophosLabs Intelix API with the attribute value. The result of this query is a SophosLabs Intelix hash report, or an ip or url lookup, that is then parsed and returned in a MISP object." +} diff --git a/doc/expansion/xlsx-enrich.json b/doc/expansion/xlsx_enrich.json similarity index 100% rename from doc/expansion/xlsx-enrich.json rename to doc/expansion/xlsx_enrich.json diff --git a/doc/logos/google.png b/doc/logos/google.png new file mode 100644 index 0000000000000000000000000000000000000000..492f44c27eb2d402e0dd3446b4d38192e75874c4 GIT binary patch literal 15903 zcmeHuWl$VZn=S+=2`<6i-3E7ex8N{?5AGf$xCaXsEVv9ZI0OO{+=E*P5-fv5&`Unq zyFa$JZf({6yHho%yU#qYocFv(db*!jEe*xjn538p2nes0mE?2~5D>?nzc0{HpKCmY z_hgbE~__g6tiX0z5#v z0UCNX0Zul;Kw3!&YB4{NX9Zx8mld@i*xAKX#7~^|A9_We&;M3)(Ng~d;^ibx`%kBg z)U~K(T|Ge50-OL28y4<82)K!l%LgqN54Umx0M zYaT#b5gj>&f7yDz5~sEI@^Ta5;_~(N<@Dv_boH>~;t>`W=Hlk%;^pOdMsRrgyLego zakzNW{ab?^$kWEd!OhFT)rI=6Mk{MqZ!dA$XHWmx1hAXB`hO^P@%&eyoKhU0DI-vjS#(#e(F{OzQF zwpkA3;ot)TDtNepss9mW5r_Z63qC$R8(U#3ZVnzE0U!rIfZK}0%GyeZ17Hi}=C$Ur z761SMwEvO^{-@~uGfSUqo?GJfZ-+#90M-B=8vuwyz!o6ztWwa5!>}6S#Q9H&^zW+Y?EHKBAH(AL;y(r!$mMx7c{~prugKqT5fDW9l;x!L z{FaaM(ZbC1TOJp{v%Kjlcsj8-GE5&n#k>F@BgciFhDBcRrmMkQyC2q?-mkvO$q}_H^n?rh_H5kMOQL#Aiu)D@U$rhQ zJJnMR+cwFd(?q89#WrF*A8{}lp9`5j`sac<`?)|zNq;ViEb*RE1Zsbw;mZFDI4y3B z|0lcuJGg%~`oC-MKkfbxa7u^+-94L3_50{w;Tmtq%AolWVVH!a^Lt2bVj`b`UCq4F zn2~`bF;6D%d#WYJn&HI&o9aXkLFmBZ%I$_oqIZ_Aov|UG%0$r5J&)f`hDyQX35}t` zjb`r3V=k#YcHJyFNkWS8edZN$rT5;)JRa+ZzN2$hS_z1F>Pcxym6B-%r`JmS0;$;3 z;ooiWJeF);drWMQm4&Fet!F4FOHw)az2g2k9Rl+ayt1+hBwHC@G)nF*A6-0z5s}`N zL$VUSSK~e>Ks1R_>Z zqGs4XZ%1XZH6uuCa2FeZD)Zdjt2VA$bkKXVbU68QA&RvbSm-LInXWP_#%s>6jM*k6owJJ^FdvTdy>RbWz#CeUU-mr(kvIFCWeoF8 z`3Y|?InE^&b0y0c86#2>6oEQ{Z$msLMRL~D(%vs;%kk0uY>k%Y#;p<>SoDPTFl&%r zDp`@)w32m(L_WC4#EA?5OY-p!^J%B&{C;{}H7cVPG1($FaWLp68bJ*dJe_jrqCUN3 zoM-HHJWAgB&_EWeN76a82p?owQA9t@b9O0&ReaAParHD|v4T2(QYIT*^fqfXy_*V9 zhSAdfzD6_V#toOZo@{}!F6n!k*gZ1tP$e;z$|c#pEryNO7>io)o+|uUB7o=WD&?Ls z*WY?ZsQpsf8%Pf)d4&^qUkgcJQWZo3JyHtzv~kO+#$eM~&-}7Y91y+!pf;#Nmq$jQ zUf~PP1KQ9*jT<&R9)7hQH5Hpw>5wQVPPNP7yd*xVuoi9|+E}5}xTGLZ{>DNNh5-(q zezWOE1s5>SC(WuU97<|y+gA~|V*es=uR@~9y~-%==3Yu@W{~^H#+3aoLK(MIEx$r3 zd3tPEr}F@F|Kq)Gs#-1XR3yFPlj;oNsK?Xmf?qLsv1$gHiJC)?s-4@Jk~QNG?Q4D? zQ;&uYsig7M@+iZ*Gn(Qrf-81z8zF)T4=am0Hf)Ik#5eu~B-xx3)0UnWkG{G*=jn%f ztMQDPhmHq8AEy%Xt}V*_8cQ&WPMur=ox|=(4k<~?R-@?%O`2_b3HAr5aTcj-lXNjl z4N+pAz{KuBHhFWKY={?Jq*BAy|1;RVSBq; zk!c}E5y*7S1I-dLk@dN_dF0aWW5?8{%OtBh00wEsuikEB@RskR7@G*1Sd#?gl$yqp zW~ixrrrp1X(9)eI<%2F7$x6L*;}bps$e8d^Iz}u6Hr0FhATo7NvjHTtd1>DG_;d#B z5%k%7`UCd_s(y7(Y!iPzz;AEF*}k6yw^qARIvsgZnv#)xT_AR^UK5(t|9aayf!x=_O$fuuxyoD2;wszA^_~7UIrq(r44HoU|0O3 z2B>&CdpwyDH|@y z>Ds5caAP)&or2(?Ho!!#m{wj#O-1&sdH+T%a`87kp=5rj{hLDdDkF1~F)|GWHlUho zy6N4$Lu2r$(~MSk3+`w$4zEY7663my*f<4fu8J+u-XP0cpPIlx@?oFx&sed619{<_ z({)fK3jUAH(S(PrZwrGTx7uM6PDjc%6o`&+qDx+P%3Xcl3l=1t(b2LBE2GqPqq4b6 z=+Jkrf{b%^6E>JK{b=H9q>!>S1s;4^UZM8!v(jhQ)^(D`<$c*C#KS~8|C_^OkMW4Z zhR9sDXhjvaY-Uei$hU?2+<**b^L2tvA6IUlG9iX1B5c~s4J`Q z-rfX($N4HN8mYA@qu6UJEmP9oV7t#7K25=Ui?VkX64$iYAqk`q=gOLlkHC_kYm4&X zr15$c#jc4ip*&-}MwH>zZHK!1OuCN{B8))qPhJC%rUI8V&jRNUw-AgtP%H{Q*?lk9 z1ZohMJs}gasKqMPm$xcf%!pR|@a>1r(fEC1Sb`BiZ-I2uBO>T2hijNqolDik`qc)O z%=@%)qfUAe-^>oeh3wWA5knH@8p3zf3F87hOLY)K&cIT0z&z|G>`prl%&X2L) z)o?hxC2_~E6eRl;YkGMY_h*peG;+*7^qXJiIcVWCN@JaEfXfpD4Nxg(nBm2ss83qQ z&VuqCfLN6gBJqLnosI&PHr>^iR?)H&5rs)!1WLvv#J0H-Cz?lhubdcAkG;9p5f`|k z>I43IkE)N^Q(H}KjxvNE*j8*jZ7b)AR%zxFA;;@2JUw9W;pG0sp4P7epaG{}P(-sn z%<8AX*IUdkC%+S6?KSDnv|>yJ zrNy`;3pttig|3;f=~Wp#&{7Ux)l__IbQ)kA=7(zZxt56M@wdz}N4beiEob5W<^oZ* zlfGaAvjkE`sFoMyS+)3$!R>zjPvgF`iVQjia|QYw3*`5)Cz=jgyHcR07_H$$yEz_g z6ewRf^OAAoOYqzoX$4Yz;{EF&U}Q>4+sECf8D7WZ!L;!~;RvRWZM7Z06UNr3az#ht z*Fg>_O>gsp)1b3Nc|smkRKzs&&IOEEc}WcAs2bd<7@f9WGCh|{5o7i$r~GLM=({~I z2?zhzei;kr+PE_PfaukHy1I%cdwNDIv??Y35vqM<^qt|DT~EuSFOU7|j?<9j?ll!Y z4Smh#r+uSIg33xs-RFe|N!tlp%gTt>{hdZPH+@EXa8@atIy;ag_t~F3DV@o0a_AV4 zc$Ovm8KI9QrH%VaC0SsGZZi7o`#_yC@@t*=qf?FOW`mhd_O|1o4$l6D!j>-7$g|`i zInYau>b}g9)5c0uYXc^CAtSPuaBUOkT1Xx4s)mu-$Ir)e3kH84r7TRqbI=2lqGRM% z@Oy|d40iD5!}QhRd{48+O2v)2ZL^8>nr><1AEo{EgKIqaqBwCC2MU?fmd9$i?Go6# zwK-W`Y0L!fQ7kk)=niuP%@%V!#>&d(dOKUF_pJ^f+n^bnBiYIIsG707Y`_JF+60oW z3@>^Sj!xg|=NK`jY;XF)>MSMxT_`CIi+~9^^h#>mv);qU~k9PK`2uuwmn$QUGd)*tFMGNCF8I-aXq4fu>=f0z7AvQ-~K zo_lSscy{ZUeDz&o+O%Ln(}H|BJQk_g&e;6t^<0itI=4>(gf3wm08I=~ifSyIMn>9D zv3Z{0b@T9IT{ERkq+cZq_+(>=@Of==MQV%W!Zov?gabd|Ab!L_;1;q?;NcrS_c!23 zpEa|mwMvmw8R-w5z!R`j_DQhb(-N(0d55jHbJW6Jmj=)SLlRODn`XaZ7y#Qa!RvFb zNF2uC0*qSKwS;(xY*DZK^^;b4L3X#eTaluptKj>(q!AW z1#{FxzATc>>!#M6o-Cs`fy>_?t2}{^ylq-5sUs8Hx5#~4%ds9aD9t;9!GS{*#H$N+O8D!;c4J;@iWY%OHh;x4(p zb`!d{36`bPxE~<|a%pd2C!NTohCeU3z_sm>9|bDmKDTiiBDQ{hCbM&!l?4^+PlO^l zEP;JB^Gk)VljEBhW&06P(IVe+&1O03r1to}Uw*t@TOhql7jiO?E-0m4y#?Fc#o&Lu z%8k)5hica&AWiSU9*fKawcb_G%s%F_z7>!N#?C~=S$>Fu=q8xaYuxlEt1J=x_QrQ$ z5&ng63F{QQPxKLfC{%Bp_RB(v1DP^;Z3sd~5mKqRhT-L*(-=D))UUllBC~ei21!(N z@#5!yMVx1M!Lb9Mw$a9cBuexmf8#LSw^?YRR&l&Sm0SoEYgV#eqIz{pH4{7db=gH) zEj^O>JOyHLC}pNw8se3ru{e3O5WUK%i&A{$z07PY&&syqa+JZ7@1Q)0S)~_tCii4> zwQ^9LEE64lLRDiv55`O zS7oa?s*aQ;^S{yL6Pc5{!OEvc#@&XAQD2o?pr~+z#j$L^p%McnC3Qxy4qwQLh7_6W z@%(AVoT{U7WOMHRauw$pf8R~D09|GY1HVW<)WUF~2f4v#E*>!`9E7(neH<#|u`_=~ zYzsTj-UfXM#ml^Jc3b+ji3+Q> z|7~`}b!B5REcC41y<0d88$Et~Z~s-Bet3?)&>}rDlHk>*6-O=KlO#Z2Z?uT5F#T)R z1_xLlAMKo7Tgh5x=o@y8vK3W+Aq^7&)t7gOgfy;f^j(&t!`H$0SaPg5>-9ui5An%g zivnjnu5{HKi+sMwQPJzu;9t?v-1#ew-PQ&?$yeVK^7pM$_pOFv^ognGbz55PXc2ag zBR7fTX8FJ78rC>`Vs!d;>>xIA?VrOu>647i6hA}cr%}OvMn_fmKtnkCk=KFEdETO^ zcvnEwvA3$M`43aJI3$L=y@I1P5g5jALEt1rTPlf5IFK@)5Tl{Zx_tM8WvL5+0&gsm z>Z0X+O0Q%I=p~H|fw_zN97(ACQRV<%ESA!XYy(@HVehSA4~+S+-_Sg6RNR^;%3r4f z5b;eP_p1{;s-c6<;6b|AGfo4%-8-q2CJGZ5e+;;#>kSo$lDjXNKb+-r2WA5ni>_WAOakeKAmHM93(pV{ieLHDzFm9tO&f4JD z-4pdQYK$st@nrHnZ7_KBE9y(W;U%uPo8;^l7AJR)bLFvG? z{J0`^ymb{F(4G9!iC}zc; zFD=B|!wI`wj&?^v@77%S)z36w+ zn$fi0W&qIZbxoE8EEXO?lxVx6z0u}^%|0WUPErRqy#?r72(GP z35vie*QEGBpxnl1{2%z2!i%df3)n`Ode|k1U9jJtsVErXO=`mS0yB*^zC0x!EHUp7 z*?KZnFvU>?>VrTTkos6pWE^uny)1{czR|?8i@~o6gooi&3ncrxTWdMVMhoI=XQZ8n zuIF*BUa$nj2U5a_T^d?0WkSrF@kh1p=*i0R9sQ_}>0;RgV|Yv^OD`umt9#-0?$9@@ zpL=`32#}+@SE#<*DxdDxv~QObN5I8Nm!l5jm3h87!J$q+fq9bw7y39V1cWyY8ovPq zHz7Wb!2Q5mtTo#|=5(aq1slf)(U!|yuf8|#cS&xE!~N|lmDFI@&7;uTcm|UCaSVG( zoEC7GpX>J$Id7~;DN%MtIh+K$?{sZa@{2EfXn!Xc$5$ZuL0n?r-4k8zhFA&veX7;k zv8U>mte@XVHS5ZdHwl(KN`Ao4mohEug-g5lCLmb_n=xtZsfNV`nfQK=t1x|V>wezN zDtnxFK+xqUuQ%Dam1WI<>`1FzKB^9{Nxj>Yjy#Msa0{>Pp0@;m9~^%CgfjQVjqsdS zhN_*2ORk}udNUTXYQfR&MH9PEP|MGuMdqW2k(DN1DS;CaPCstgT4S*bPwhV^mBuuE zUlw;^^Q(L+>bD#fyJTDq6BtbwZ$pc`)SN<($+|ZcpJ-&sON�ZkvUe1M)ErGJS$u zCsRU86Q?WpT zCA4o7ip@xrefm^_4sMa_9W{7mJA86|+}9~KfW$>^ebqR5e35h&HDy5VRGl!y!__j9 z@ENGVe|Ncb%)y0?{W~=H5ra7X&Kemb5qPr&LRIHxQu%Xi^Aa!H)wa_{pSK!Zn|Cpv zT*?7iN_tIT*D(I(zDh`$V6a%Z+jxZon|VqiuQAjvek~`rTSPasE(RRswtFfv-SA_~ z>MFg7eWgma1fiawGT;3B#+wo3f%$`qyeqZzAWNHiFIPOZ?e}^1{tnLhw^W6$RN*eU zZ>|crbj_?Kkv&^>9@Gf8h|#mk(;<;+a3h9j_D^(<>ppeqGQ;>=d#>}Mj;_gG$E;~`HJep z1x96Fdg>$C!<5uMKS+VK1s44q@5TLk8@f>OVlkIGW4e<}jDxW8+rI^+=TF zpB7?HKC728J4<(bmOGA&(~2M6Ui$`R&%MVv`g+-MPkyUuF^#AN+!Di>8EX^3f^@!E7}M0(^I_GJ{Z!vWAAEKBA53qT=uR#ela(sbO00#Iql)hl2+tSHnG3s4h;3eu%FZo3j<8 zQQ^Zq4X<#hG%QX_W+rt;C*f5Q^J&zV((YFwKL)|`&9B+s|5<-vqo2Q8$bE=Zi7`>(80&{?#XZHf1^v8&}d_ljcYb$ zFBanrZlL`UU3nYuiYvy`Qi?_TY#~b(KPxj=fb>co#Tjw$%Ct{cETD}x&490=8_}eL6hMSOt<;9_-@&3hzV`%Xp ztfpO0EI0FX?RDB(b6row&X?zH!JZLdbyRq(Cz2BIb;FL7iBK6xFVgcZr_oiy(|e_r zj}>7*teJ3LE4ej>J;)xtZ$M;^K5Ie2qSvIWS`YXWL5!5B&(wlAtD34RE1C27LuS=A z<>7<~i;rmEUHRyw^@bq8pAG{}*`%Vyv<4iZjPsuPYOfVRlOCt1GQavx@Gf(HrcKP|ha;X>oLdDz4b$8D+gi=4&v8mGDb1Vil z&a|NPnQ2+_#g-2oR6=0asa_;jUhsM4m?uVsUT+oEQMDC`zP|_?r8M7-s$3cUDyH1i z&eFD&w#8VvYmNPG$SvzF<1gf&$lm;M-jQUqVWZ!x?<@U0jlS64;J%gHi6-W#f9EIK zn$=Ypd+@Fk5!CxuQ2a(M6xVIEcK{;_73D%QH#kvAq&mts$J~Mr+`D2>EZ|VTeBf}} zF4P=96gv*hq=?QIJ92hEwky4G+WKQYe`xiF`ctaV2%9GR4}$hYO3>v4aC9^E@fO2@<}}=it_7Fo#rz*PrU-X)o}>(Jd_6Pk1Yaatj8>dXhzo1yhUe1|m)&Yc0}q(z5rkfuzuwQrCBDW090E7N;n_l4YN~U( z5t|A&$lj={=Kkm-L2Y}@M^}uB>t{STiUsrP{in)48V5INbRiQ zvhr!34wy>y8S07~iZ(#D_iM`tnzn;@!;rm5{nSuqX$?qD+-}un@=SmpeR_%JU$h!0 z9*Z=W-si7dd{s%CggAF2t0Xqxt=_1p zFHi*x%N5V)K#U~_=eeCY>T+M%2QKA()GaTNb9|ZpvNb}p8kx&0A3ohqI5r)jcCtz- zwa(nP6fpY@hV#<4f2&ET{EW|Wke&Hl)qMnCf(uckd``2^lu@JRk6yeJHQnhOa91i8 zZ}i&d7MtT5L~G-P722#Wk4lpLMq9Z?jWm~+n_n`yb^(6fKI@!)X34H+MTxYTU_$;h z#NUSzR-X6dnPC#Ynl!c}8U$GptV|Z!r1KK)j3KB?jn@Hg6nQ0r#tHy@e)=t<()WV2 ze1KH-5f^o?00yj7gw`DJMv@GPQ(zvZMP{ue+Ta#!yi&uKM#xY5>Q181!41mx-Q ztvi%~adcmv;2rOa>D1iBWp-=xO8? z_Y{yF_0va$Yp&MA#wF=n4XE7Y1lJZ`PbAe8zLqP6Q~x4X_&`_5T>D#+3)qDTH||0E zY{cQFb4PNr7DVpNl`2uwN@#pjv~vUT$T8`>pL?&yj-U;@#0nq`=Tm+M`!Xx;7oRvI zOxr_*r`J~B&9fFL$fR6d5^mgX<#E5v$oWeBMp2fluSAMWPo0>TY>g`8iPx4R&-hIo zFlF3}KZE7;@=7Fle(T%_+vutQj~=E3z&qx8;j(a-vdF^_27Vu6jSq7r|03(y&JH`2R0u0&;r)B3hu4b+BOW|s)#&KC;e|iwI0w$RXXE68*vBtyqx+6 zanwp@1KmZwMkfZlM#eJq`(+siQ6eqV{iz%1dabESyOwUTk470j?h_40T6Dn~#Wo7+ zvBJT1GXeI@oINXlzf=0Wsa&??(JI++#c%NWNI8Yxr)4>#6UVL_L&IxY|6N&f;4HQQ zduUMP^FiofCA!T^nWpkY>c0Cp$OF5?hM@>6Qx+~=I&rT@&K!e@=ZfkXYL`CI#=BY3 zEkq~5S5N>G6ua3Wq^ymrKN)pHG%WZP1M`|efJ_B^O?r6>yj^T?r=PMYP->&}Hm(y8 zGb}hy=T1+0#@WNzS5-)k**8G#*|b>x{o92IS^@%OU|QLtwF`#yfOhkF1mll2Mp`Bp zfo-z1=t&^gOIHN_aMUW!s7uw{@J%$-=E8Ogw9MfzQEa3fjKqtWr>O`nxMJ)1vLZ>A za95rxcdMmi1^1*g8Q39M=RHV0-XDjzYwVlYL6^|En;?sYZEQL_DBU<#`pFRG(JWUa zrxV5bD)DkumO~;L`o{SfoLZLRO7#g!T8>Yd3q823ti>_L82LyOS2vmA77of04DOP6 zezfa+glp82XkNH9VSRg^z9n3QPfeL447mb~SK;NdN)HWT&9gLkX_2zz#{zYH z9H~IS)9N|O)^QK)^?|yzbzDEMP@qRk0z$F;ql8#np}!Xgz1F7X0(QpqxfBtDM$X2@ znTS&}J~1Y=U@`AHTGl!unzP${%|^<)_1Y^LU5ReENG^>kNEb6YmAOdG>5Jz2?3)h08_ zGJJHfv+1`j$z91JxDy@ogc)M=$bwxLRkQsg?<$O>WV~qO5LxxX_*043yi71bya#@&sg1kus+ln zsWi)N+?7IH{r$w9KYgQA2imG*YCqNKO}>g4@u4)WH(as$dZ$M?bisM#oO(|!QWj9a`<)ZKklNBjnRys{|p7|5ACyE$KN?GNpPKa z;kC^ATb*%k1Pbk5*71gujJg1-zji*v4T7$5nM90O8|K0>r5ECLKXuc~OBFLXhf!7M z!U>JezYK2}2};L6MK&J-GKCHkdU4>6cGhmUg&Ysj6MikGS2IC5%MjDFX%0%uum@di zlaMDGO3g@2P(fUax^Rp9vM;7p`(kuk5?3k?x${wO=7Lo4FB!h-4ZOR6nXEW`EOti4 z3PF64Ef}_`1Sbtetda(QMgRqsvyjD6|BXvuEXxKVQ(UC`BY}J7r39BxIV4hr`^W2X zL)Tf=&B_O5I~wU#=A@6sOmVt6553}DoL4#_HVwTvqgW)`fAWRyaKK;q#LI{9v7HMc z;?t#5UTiWX#d?{n3865gTl_M5W~3no2|J+1a!A=aUeIhlC5!9R*4ej@ne+ z7NkGgi4O82mfbL>Nx{g`(Q7`S6-#JVyvygUyyMjCk)H|NcMuohRoNE>r(Zm)zB7-W%6}}|_$l2RI4(~m-L?T`Cq*5zAeQF$o$cW^lNmvv zF>cU9jgfkdgih$85C&_q{)fo;%k)| zGTB217q6#$&YFT~8cUw)zu58UGDR>SNR+Rl;9ExUU5N^0cEG zH~Jp&8IU^KvNqA@(~aA~7U;IC=(~45QZ(ry?PwMe5&@k;AkA)}`Ww|- zwNvLc#*^{s*d^D8?0e+n4;W)I*we=Sa)rH4#c`$=wHD+gFFqiJ=3%fgS;*%~@Do!^O@K;*eufhtPsFOnp%D~IbXzN}q3|Gpc zJ&OP@&AUp9@&`=(CKQw)mky2Xh8EPKhelC5LE<#9>hQqTT;_*zmioy6T#%^2w`rz1 z?n(}RE|7({H5S1grrjU%TKvOCqOqQa$#%` z_Vds0mQV*%J@75Flp%S`3%}f!V$U-Nb*b;MuX0=%>jm}`k#ZfnD_)9c=M&?qjC_u) zx4u|{?+fh1tXhqiiKc>7y<_hmGraXawf|D+o7-b#7Zs<6b_(5X$5r?Gk&3QiKOta`=ePy8qY7h7>?;vIOU1Fi_G_xT}=|-0&cARI=`mYMspH&l3g{Z6*;*d*@H{J z-oYPO>(S6bNUiaIaw=~0vj&CabUliFE+*NPcnJ|(gZB`;){f{ZDvliyA61aDP`p+^ zWoo=})+9|)qc>10D=g|_s$t`LWo2?D&sxVeb8TfEJ+|H|yJ(>FL0G+OC0>+3iBlAS zOsN4#h(O0At|3iNsm5AYVdQ5z*W}*Ero|ZQu%PTO^bdqEnor{ZumCNToD=VFK73#b zw!(WwfB3@7LRF6+{!-hdrHr9zK<3BKSYZjgwj zFP9w*z9i}GW5=reIfQxq+Aq)=|H4jnQ4t42+V=1@&9A`FsgP@6Y|oSYlAe>W5;Y5I zAkhj#sTBQ2wkbnvkXKhiB|O8+Yf5RBO=SAc`%CD&M?SiR!5G);YRlc;?d+VbxnxC| zN0X4xO`^cEI?TQY^XlunR)lpj)K*n51arNuKGq1Jo0ywGx}j{K3bq zhL^TfN*cdb_yc`oev{GcP*o6zt8MnauUX?!{)6p4(ol;%B>p2v`{;Ne0F*MHj{{Q> z|G`$K^rPg3)C+<*(}7FQM|K3GZl@4lH zJD{smRf^m??4ijoS6S(U%Hcs}1cF+e;Y)k^7y4hMjT=T8+FmZ61T@GaX8=+X&fH>F zy0y{PH63zWKe)}urqDuJ#qg(~{mv91IF=T+xNh;?7pWWf{9o)Bj`Wp@ttzli7R;;1 z5ap;t2rYD+gLOW1!gnT)8wR_-$MVaW{iu7^KgRm!_}x#Cj7gu#igwLI^|D2Xem~Ey zX>c!`d1srUA|u54%hkK`?^=%zCSd!q-;!GWcQP<~-f68uZ+9tK3TS$mJge#5q1+ev z%=^W{fN}-G6YJKf(psX5OTyYm72I1!nflhl(lh;FO);8OrID5K&e8Aido4zNAAkQz zWx~3>0pWqoSBdsFgot0JK~H$DFUts)C)N&zuLy1)vOj(bz>VW2(8Hm!1NJoO%a|9K zGkm+R_HQHfda9d5{1!oz7Jd13SmJug(2Mu6D=CMeoE(L(u*~sk>V08ZgfJ#xlCWIE zVa!HTwD$caHSj^4O@kI?W;fM6i}f7v)Ji%Z;`X?;$6wP_awXUb&i@XT6&9_@U9XNH zi~J;53cmbE%1F}Wt%C-)6&(#(S}-`A6TK_B8f-D2n9z3Npwt{*srB6Hl20CiZPSya z+Y6e1-jnwR9KiiF#4jSer`A>FVd|pN9}c`5y~~sE!4V1R?pc#XQ&pzD-`!~$qPQ63 zF0P52^Iw=V$~3izleCIgn-n7AH8*^?pb74kq?sUfHC;8-8~Nq>ZSk}ri7NOq3`w^A zrS0P=MB(*|dBe{bFXD8&_bQk$5#>)0YJs}P!@r2k!+WCRiC<-?%pbO7RWtp0|47m_ z$Vrk@V;I2{bwcMDG%*{CIe^$A*E+w4b9`NV+2UFP{iy?D&~-rI_vR`tD_zJyl+BJO_d6fvDIVJ@oDPc-wghoXfh0 zGi|K1o18*kvU2-FT0e2`<{I`L?E3Mw)z;`eQ z(FI3Q#WU0#+kD~cgilcQ{ZC7K{wn4si3^DKADpWamva{k$bhf1r#FH&$YH>C+LK>xSIf#MQ`8rEpVWq5w zN(=LXDm8(3c`=z*g;8{nw<9GA$ANNDI5L=oqgCd{GXTR0zhf2$Kmka<*^~a>s};le za694~GqpgjtfQ?|5koe~ zvkJ`^O@^$7V4bCoKOc3beLewM4L*kA+Mty@Ghjwk*iEj}bcrQs$Mh7b8W?k;D$mt>IG)VCb^Xw)*f(1KBI)!pP;Zc@?UAsb1ddCb|KXI}X6HKn2J@m3>{Z6E>XiKjxar`$(J4w!(01ru`z)O#2&A z%LlvBFRHSNRT&3@bH9|jOZIrQ7KK_cxa;( z`~a?>@XV2runf!ab8L%{uXbV zvfeS1#=*8KAi+h-=!(%jE9fVxUthUN5ar%7C)7%!|Spv`k6; zt=3`+y$RVDi13~3tWlo}2%bM9wX3$j%_s2;4@oxJWL#(as^mYeAX;WSF5g~S=v*32 zk@{B}NvP3DuSVcn6Z>6^=}w>b1n!>NeLjbG(;UqtuN9(j^9Z2Un4c?V^H0o}p zmRf+|4fT!BZ)0yB$&=qF&=;4m*F~Hgr$)tpjnh2a>?t5(B0ubJ5u_zKP8&)5wmp!J zjPJrm6DicRr=$=9-F94B?DW>)58l)#tRNHXSce?AOE6BnThfg4oVv-xM72Z>LmF)r zgw_XSpv8DjL5Menst1?FJuH)zO9VE z^T8X&9$0$oQK7h?`m4oKC=^f8k%m4FX*5ueIh8q5cEla$Le3p4=j!7IS>V)fJmX>d z1J4!^-Trici`p|ii~fsRg%O+juyRO&TzG$_Qr(h5UYw*kuXgPsJD*Q%Z9j;v`_RJ@IaLAk-4P8jh<^ip>t~wx z0?~}-@%2e&J#K5P1X2v+6=-Bg$mzphJ{*ciG9-O4cWg<=tpsxT=MBpHfB_Z;$ffR++$3f0ghtPyVpnmQa2*lg_n zEPjrS5{t3z(aSAhJ}QS?{6N7ZNoRa=>|ZU?KNKzjp(J5}(%Cos?lLg0)9D0fqqZ;{ zJh=ix*_bOK8w>Wc>t2T=B6rO0-qCN;&(yY*Pv;FnfdE$lpBRX4qWaZ-r2K<1howB|9s}G}4uaq2ZS8j&CD;gU`$OXBS27yX0#2Z!h#Yuk9k z7~iZ6zd0BlCn#^Y6|&K1jlq4ed%iu9@@^P6~zFXYGO2>NrSIY tnt*?4e*d3i_+N4=|0f*7?I)Bs2pb+~poYm-roWVJWqA#`IvLCG{{u8a(ggqj literal 0 HcmV?d00001 diff --git a/doc/logos/intel471.png b/doc/logos/intel471.png new file mode 100644 index 0000000000000000000000000000000000000000..08264e9499fe9b749ccf0a609a488c9c5eb69657 GIT binary patch literal 6713 zcmc&(XIPWjw*IJU7(f&OQQ9yl5v3?iLy0i7Km{BHlJ3`!1>Rrh|iB#!jr|8o}=S^Y;{ojR{GQXjL609K7Fff zuJqR5&#|=j0=D;EbYGHkiSBgJR)VSclW*GIQ4H|+I{`yB05~p{!VUl@btJg}K=KhB zbP;|$RuBMUPO?M6Nm87kvw+TV&|Tos$^X=X-`ypW@}n#N;@_Z7X$BdCZY)$=`~9i= z_gMd5&bQXLTpO((7B#NiKga3NQ@%!>BH8Y#06<~hBJ1Q>xEh8(2wPJJ!S8lPXvL1z zsQw5}?&iK$3#G)$S6&a)*I|jzlcbNMp#Y<4;v6e7$-Io{c;v2c@HMzix(wInK?hpPW-KTfBplA@|qx+W>9i!lT!cJ z#_x8!Iws+U?hh+hhcy>DPBxIlR})Kdd^shJYrER5{uE~AmT?ZDX2T!h+3K0|)zzVY z*^|QT7j&>}*`P)fk;CUrW@X4sGscE9V!3uO*oVUO=u<;B<4`Qv5$lPF2*(bqEdB<(ZknTM~tVc#R?F(e8jIGE1@(Tdzn_9+Cd zvNoQZZXqsP7)tiDZR3Cez`vS+@l3jO)_fd0mZ2A`ArLR{8w9{S}Je;|Q z$2s6}huOk+A__j`!g~ZKvL7Ovo@e8Rki*Jq*B`MwV(waLjg-FD0B67A)VrLVC8xAF-l2n}T z8&B=%mh#;fM=^_6xn)wW1{W<#J1s<=(U)>?I3H%e8;1^pN=(to<+U*d$q{xd+HfR0 zH0WfY7W=~GWRA^EVAzb<{8x={+%o!XL~q*GQj`-;g#NBIctp({EeJUhOWmYIdS^BXA` zM9|r%@E*H}9AtU;tYP5t82+)JwhUoJF0|ekw#&L&i0qjn#!tLygg!~(?kuA!9TxfC zAr?o}-v7Pt>BSApF-6r_-1TL*v_rQR(TF?Za^_)vf8IfA*L1RX_P~%`&59*osGlRc zcF~XIKW+XJi)&mCi8@@UYFA6wGDF|oo}@jx zDQpVQBmIejrBOc{oZ*WoI(HDX@j}t2Y3-^^awF$*$)fk9O0MAHD}PB+Jq!{IqJF0H zYfmO?-6T4mIMzIRt@>EHFmx^HDu}VPAr%ipC`mzm#z_^5+l^o4B9Hjp8?h3w@BfQQ z6KgI$(Tp>vA*zll_WjGloJVnMSM@GpW$LRZ`2oda(d)aS&tVTCTjPY5#P_PSeb)X6 z9b>K$E?A;3=^D6|>HBe4q|T@)`g+ze;g`iBELM1Nj$2vC!;0xT1CD0ab6pA0g^`AJ zt2x`WpgJSA-&0UG_&5DGh^@4Uy24q4;Zf6I&K- z&!BxZ{7n}F3cUO1&gm^7)<~9f&hXku(k~Dr4N7gZ8hoF-xVnG_$SQC{sQvt{rbu+1 zQF6L6o8pV%9x=<@sXMW|Wsyo)DlNKeOu=6} z@A*8|#cV={rr4K*ofpY1ILxgX+rzKZth`%evrDBaj*39Js0(Jh=Sm)7lIIL%K%DeR z*88fL%GW&dmySyI<>`LvL+0mIoH1q)ve3MasWYN9s1yjs+@vvLx!upEw6M9 zqF$Zb7`g8Fwq_-<>e5k!$a8ql8rod~g^;N;A`Vf#-R}eAL)e=^BqXoO0!{DcOkAnP zxizs@ziQpFV=$Du*33nor`j)+2?^BTCB&1#Tu+aN-J-DpouNiJ_I*AAY}m`x^s^Exo1p zX~#=}egEovHC|nidh4hD_~e5E$_=4n$tO3b`Nl&BCq6%;Ek4PS8A{egJ3KBsWoY{# zZD`0IBNmhIb*#B6XeC!F%1kQ*6~1=dv4R8(ThFPx#}2K_9JIut^I;zz_Os3Aq7eT2 z9(>9pS(#lmIK}$G_UXlxT4kzN(8s(gW3W7TIz;+65anSla)U99aoiQTxE{Uc$w zo;Why;2XXwU4OhDW6&?|8Vn}H z|KSAQMY#cR67@>PdR|JvN+r4JD=Nm~ti}UWJ=fcp0M4H1Men0mt)qo*XSbe-g9mnE zhk6I1)N|1ZRzbiQka1bJ)gL5y?lo>z1cl(NK)@v0HG$>0ooITzZ3~Y}G7w>GsSdt( zTL|?3W70h_eYFow2=xWstDO%pCqfo#UiZR=t@qYmP83&WfZnI8s$b0& zbh5n#ZV*^>XXOPLvh=mLuPc#n*t1bhvP*bM{{>CePkC`mh|gna1qqzVR-@fF6wFRz z{>gbE$z<-U;ewaI7+275&RMnZ7WLv%C!8*~Pv!&%KQ$eAz-VL$gcu}ZZ8L1rXA&2A ztdSq(D{x1f1%k~irGay7X6E7y6j7=F)n~D%#n}RuzogXu=1Z9t8UT%gevN(?Cyzf? zQs7B-Pad5zR}06HPaE12hbHi%=h^zq_=M_(&&({ozm-uO(pXhjTnQq!oHj&Ft<&0b zOJnaF66u!D6SGgz5P!*hD@<$pF}^~hH_FIOF8&xdKrH`R_y@J53XOKin{@w?v2UWW zU~9y;n-`;noy51~Z9tkz9!Qc;ohVjh2ZyF)B4s18)cfS zAG~N_OVXE&JMy43z|Q@K@(a$lnP$r>jA(wrq%Y|n9y-~A-6uyAGLgi?c0`b)l9sVX zAwkP@sL*o_QJ|nLqGRlATJc0z0Sb8 z@@`EnO%{F8QtNWLi9&RPU=GEtb&L%l+|xiXXXQ;2ni7>1o_-6WsksSoXi2AZ2ybO4 zrB)I58a=sz(NV{rl}@SBh95EdYy+Uhy89w~(w7sv>F9eeJNV!4#^2G{(+KB-Vnp0 zcwYCkB&84lupgMvk!MwDzG=W4{R~z#MAKI>cY6e^_$Cy>{@at*dLNgBiQ+EKcD3Vp zvl6sw8MgtDKCiD_Za!|k9%xT2-V|ep3Vx8w6XrU~@h+KY6-w z&Pb)`6oC|^nuT16J>dk$Vz%qOdorS`BG{@`)E{k}Hgvuw!h&eNH$uRY~LauIz%ak3r3kp#`Oog8yPn(ka{a>03U-+ z^~Yw!`8y(U;+&{)Gp*Agy&sM8o^mpV5;_Ik^lJmKnIz_0NosJ>u~@-|6yy5{Yq%++ zQxM3lf%TmHCpI-t;9ryKI{r~$K5aF}xGnd7s->DQ8A--n@l^*2XO++Ff<(IPav-1M zMj=!idFeGx2@esHp$UQhlGPWl!hZ1O*jX20}N1!fn;1P z?eRGoe#36C+I>ux={wVlEhn_=eJNa@>zZ9OgF%3EuD^wv>9Jzaw?A38cn55!-C;8; zsW35ul6-O&x(F2uO7WknYzNm9U>`>56eo@a8Uy=LS$Ykt}1;G!1We8A-epp=p&ZDe%c`T zQV3S-`*ypF;DU3tx{%;>WpyvGTg5mNaLj)3xaAx&-!iB)*c*Mt#z{mHF+mv1xy9N* zs-HVz`NeF|4}SKeFvHfz_yBGcEFnj;M_=o_rbKg-6l@aIDxUY+*XTmh>wWi10#ug? zAdVEXCaGWy$HB_|D*GH+jur+QaPG-;o0g=e)ea#r8#n2IE$Z=J2Y786&jD-rK07pF zu`(cZ4@MvYue0~XyqK~kd2opI$Msob{ZnWe{Zcyr<%0JYUw(-Lr$>U*Wif+Smcv5w z2V2|BI14RhwYFS^-e{UeAHq4Np?{D74>O5c$ovy zBHi21FAq5+`>B=<*+1U0u?e({#F!qoq_B7_?%VAK|Ff}6!Sj(}j++VvYDk7K>&eE_ z9`**>;lAb3(rz-@ubJK3f@o(W5*K?Mf3g(c{<(_VU>`mMzo9>7bXdHR{nr65b&s9n zgUc|;BiSbnr9cdZ(Y{}MWCxkX2u(NI4}Hd2>i`t+0tO!UCqv1&+rn{mMswj|8(k-~ zzkU!?-^*Z%;c?S_2b#M0=5g!2{g+g85fHJlTb*8>WA-~4j*zN8Ped70_gwU)<#$+m zOPh6U*kC4QOU;Chi&Obks^OBi{Iu)Rge}6!^Rw03(qFhYSb2 zKxf9{5(K>hcN)M%BYNfaAue89Ue>5H2UJ$}iHTL6c#ot-0HR z%dq6oc4Nx+;lMKn)wJ7Q3+*wUb5Bj05*E4TcW6ZnY@^Fs{+!bBZa!qooz6q)DUg|S zzYC7qtt%NN4CcoM0b3sWc{XUU=~!8V zucM!0G46>LQQ^|hPP$OSLxHB@qc4Z>A3Iq33m8O+eBQ({&-ji5H@xcfu3CR7Cei3w86eXl7){Ew>7 z|0A4&8nnddPCUzx?nebx?wH+*^m7B3GJYSpkSUz)0`buT?ru G5B>{C#F}mZ literal 0 HcmV?d00001 diff --git a/doc/logos/sophoslabs_intelix.svg b/doc/logos/sophoslabs_intelix.svg new file mode 100644 index 0000000..9fe952f --- /dev/null +++ b/doc/logos/sophoslabs_intelix.svg @@ -0,0 +1,32 @@ + + + + CC812F0D-F9F0-4D68-9347-3579CDA181A3 + Created with sketchtool. + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file