MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

Added few more endpoints

pull/586/head
Rambatla Venkat Rao 2022-10-11 08:24:53 +05:30 committed by GitHub
parent 4a0c8cdccb
commit 66eb82cf1a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 97 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
misp_modules/modules/expansion/hyasinsight.py
View File

@ -107,10 +107,14 @@ SHA512_PARAM = 'sha512'
HASH_PARAM = 'hash' HASH_PARAM = 'hash'
SHA1_PARAM = 'sha1' SHA1_PARAM = 'sha1'
HYAS_IP_ENRICHMENT_ENDPOINTS_LIST = [DYNAMIC_DNS_ENDPOINT, PASSIVE_HASH_ENDPOINT, SINKHOLE_ENDPOINT, HYAS_IP_ENRICHMENT_ENDPOINTS_LIST = [DYNAMIC_DNS_ENDPOINT, PASSIVE_DNS_ENDPOINT, PASSIVE_HASH_ENDPOINT,
SSL_CERTIFICATE_ENDPOINT, DEVICE_GEO_ENDPOINT, C2ATTRIBUTION_ENDPOINT] SINKHOLE_ENDPOINT,
HYAS_DOMAIN_ENRICHMENT_ENDPOINTS_LIST = [PASSIVE_DNS_ENDPOINT, WHOIS_HISTORIC_ENDPOINT, WHOIS_CURRENT_ENDPOINT, SSL_CERTIFICATE_ENDPOINT, DEVICE_GEO_ENDPOINT, C2ATTRIBUTION_ENDPOINT,
C2ATTRIBUTION_ENDPOINT] MALWARE_RECORDS_ENDPOINT, OPEN_SOURCE_INDICATORS_ENDPOINT]
HYAS_DOMAIN_ENRICHMENT_ENDPOINTS_LIST = [PASSIVE_DNS_ENDPOINT, DYNAMIC_DNS_ENDPOINT, WHOIS_HISTORIC_ENDPOINT,
MALWARE_RECORDS_ENDPOINT, WHOIS_CURRENT_ENDPOINT, PASSIVE_HASH_ENDPOINT,
C2ATTRIBUTION_ENDPOINT, SSL_CERTIFICATE_ENDPOINT,
OPEN_SOURCE_INDICATORS_ENDPOINT]
HYAS_EMAIL_ENRICHMENT_ENDPOINTS_LIST = [DYNAMIC_DNS_ENDPOINT, WHOIS_HISTORIC_ENDPOINT, C2ATTRIBUTION_ENDPOINT] HYAS_EMAIL_ENRICHMENT_ENDPOINTS_LIST = [DYNAMIC_DNS_ENDPOINT, WHOIS_HISTORIC_ENDPOINT, C2ATTRIBUTION_ENDPOINT]
HYAS_PHONE_ENRICHMENT_ENDPOINTS_LIST = [WHOIS_HISTORIC_ENDPOINT] HYAS_PHONE_ENRICHMENT_ENDPOINTS_LIST = [WHOIS_HISTORIC_ENDPOINT]
HYAS_SHA1_ENRICHMENT_ENDPOINTS_LIST = [SSL_CERTIFICATE_ENDPOINT, MALWARE_INFORMATION_ENDPOINT, HYAS_SHA1_ENRICHMENT_ENDPOINTS_LIST = [SSL_CERTIFICATE_ENDPOINT, MALWARE_INFORMATION_ENDPOINT,
@ -222,6 +226,43 @@ def request_body(query_input, query_param, current):
} }
def malware_info_lookup_to_markdown(results: Dict) -> list:
scan_results = results.get('scan_results', [])
out = []
if scan_results:
for res in scan_results:
malware_info_data = {
"avscan_score": results.get(
"avscan_score", ''),
"md5": results.get("md5", ''),
'av_name': res.get(
"av_name", ''),
'def_time': res.get(
"def_time", ''),
'threat_found': res.get(
'threat_found', ''),
'scan_time': results.get("scan_time", ''),
'sha1': results.get('sha1', ''),
'sha256': results.get('sha256', ''),
'sha512': results.get('sha512', '')
}
out.append(malware_info_data)
else:
malware_info_data = {
"avscan_score": results.get("avscan_score", ''),
"md5": results.get("md5", ''),
'av_name': '',
'def_time': '',
'threat_found': '',
'scan_time': results.get("scan_time", ''),
'sha1': results.get('sha1', ''),
'sha256': results.get('sha256', ''),
'sha512': results.get('sha512', '')
}
out.append(malware_info_data)
return out
class RequestHandler: class RequestHandler:
"""A class for handling any outbound requests from this module.""" """A class for handling any outbound requests from this module."""
@ -277,7 +318,7 @@ class HyasInsightParser:
self.c2_attribution_data_items = [ self.c2_attribution_data_items = [
'actor_ipv4', 'actor_ipv4',
'c2_domain', 'c2_domain',
'c2_ipv4', 'c2_ip',
'c2_url', 'c2_url',
'datetime', 'datetime',
'email', 'email',
@ -290,7 +331,7 @@ class HyasInsightParser:
self.c2_attribution_data_items_friendly_names = { self.c2_attribution_data_items_friendly_names = {
'actor_ipv4': 'Actor IPv4', 'actor_ipv4': 'Actor IPv4',
'c2_domain': 'C2 Domain', 'c2_domain': 'C2 Domain',
'c2_ipv4': 'C2 IPv4', 'c2_ip': 'C2 IP',
'c2_url': 'C2 URL', 'c2_url': 'C2 URL',
'datetime': 'DateTime', 'datetime': 'DateTime',
'email': 'Email', 'email': 'Email',
@ -480,6 +521,7 @@ class HyasInsightParser:
self.sinkhole_data_items = [ self.sinkhole_data_items = [
'count', 'count',
'country_name', 'country_name',
'country_code',
'data_port', 'data_port',
'datetime', 'datetime',
'ipv4', 'ipv4',
@ -491,6 +533,7 @@ class HyasInsightParser:
self.sinkhole_data_items_friendly_names = { self.sinkhole_data_items_friendly_names = {
'count': 'Sinkhole Count', 'count': 'Sinkhole Count',
'country_name': 'IP Address Country', 'country_name': 'IP Address Country',
'country_code': 'IP Address Country Code',
'data_port': 'Data Port', 'data_port': 'Data Port',
'datetime': 'First Seen', 'datetime': 'First Seen',
'ipv4': 'IP Address', 'ipv4': 'IP Address',
@ -539,7 +582,7 @@ class HyasInsightParser:
'ssl_cert_serial_number': 'Certificate Serial Number', 'ssl_cert_serial_number': 'Certificate Serial Number',
'ssl_cert_sha1': 'Certificate SHA1', 'ssl_cert_sha1': 'Certificate SHA1',
'ssl_cert_sha_256': 'Certificate SHA256', 'ssl_cert_sha_256': 'Certificate SHA256',
'ssl_cert_sig_algo': 'Certificate Signature Algorith', 'ssl_cert_sig_algo': 'Certificate Signature Algorithm',
'ssl_cert_ssl_version': 'SSL Version', 'ssl_cert_ssl_version': 'SSL Version',
'ssl_cert_subject_commonName': 'Reciever Subject Name', 'ssl_cert_subject_commonName': 'Reciever Subject Name',
'ssl_cert_subject_countryName': 'Receiver Country Name', 'ssl_cert_subject_countryName': 'Receiver Country Name',
@ -550,9 +593,11 @@ class HyasInsightParser:
} }
self.whois_historic_data_items = [ self.whois_historic_data_items = [
'abuse_emails',
'address', 'address',
'city', 'city',
'country', 'country',
'datetime',
'domain', 'domain',
'domain_2tld', 'domain_2tld',
'domain_created_datetime', 'domain_created_datetime',
@ -560,16 +605,20 @@ class HyasInsightParser:
'domain_updated_datetime', 'domain_updated_datetime',
'email', 'email',
'idn_name', 'idn_name',
'name',
'nameserver', 'nameserver',
'organization',
'phone', 'phone',
'privacy_punch', 'privacy_punch',
'registrar' 'registrar'
] ]
self.whois_historic_data_items_friendly_names = { self.whois_historic_data_items_friendly_names = {
'abuse_emails': 'Abuse Emails',
'address': 'Address', 'address': 'Address',
'city': 'City', 'city': 'City',
'country': 'Country', 'country': 'Country',
'datetime': 'Datetime',
'domain': 'Domain', 'domain': 'Domain',
'domain_2tld': 'Domain 2tld', 'domain_2tld': 'Domain 2tld',
'domain_created_datetime': 'Domain Created Time', 'domain_created_datetime': 'Domain Created Time',
@ -577,7 +626,9 @@ class HyasInsightParser:
'domain_updated_datetime': 'Domain Updated Time', 'domain_updated_datetime': 'Domain Updated Time',
'email': 'Email Address', 'email': 'Email Address',
'idn_name': 'IDN Name', 'idn_name': 'IDN Name',
'name': 'Name',
'nameserver': 'Nameserver', 'nameserver': 'Nameserver',
'organization': 'Organization',
'phone': 'Phone Info', 'phone': 'Phone Info',
'privacy_punch': 'Privacy Punch', 'privacy_punch': 'Privacy Punch',
'registrar': 'Registrar' 'registrar': 'Registrar'
@ -588,6 +639,7 @@ class HyasInsightParser:
'address', 'address',
'city', 'city',
'country', 'country',
'datetime',
'domain', 'domain',
'domain_2tld', 'domain_2tld',
'domain_created_datetime', 'domain_created_datetime',
@ -595,9 +647,11 @@ class HyasInsightParser:
'domain_updated_datetime', 'domain_updated_datetime',
'email', 'email',
'idn_name', 'idn_name',
'name',
'nameserver', 'nameserver',
'organization', 'organization',
'phone', 'phone',
'privacy_punch',
'registrar', 'registrar',
'state' 'state'
] ]
@ -607,6 +661,7 @@ class HyasInsightParser:
'address': 'Address', 'address': 'Address',
'city': 'City', 'city': 'City',
'country': 'Country', 'country': 'Country',
'datetime': 'Datetime',
'domain': 'Domain', 'domain': 'Domain',
'domain_2tld': 'Domain 2tld', 'domain_2tld': 'Domain 2tld',
'domain_created_datetime': 'Domain Created Time', 'domain_created_datetime': 'Domain Created Time',
@ -614,9 +669,11 @@ class HyasInsightParser:
'domain_updated_datetime': 'Domain Updated Time', 'domain_updated_datetime': 'Domain Updated Time',
'email': 'Email Address', 'email': 'Email Address',
'idn_name': 'IDN Name', 'idn_name': 'IDN Name',
'name': 'Name',
'nameserver': 'Nameserver', 'nameserver': 'Nameserver',
'organization': 'Organization', 'organization': 'Organization',
'phone': 'Phone Info', 'phone': 'Phone',
'privacy_punch': 'Privacy Punch',
'registrar': 'Registrar', 'registrar': 'Registrar',
'state': 'State' 'state': 'State'
} }
@ -661,7 +718,10 @@ class HyasInsightParser:
elif endpoint == C2ATTRIBUTION_ENDPOINT: elif endpoint == C2ATTRIBUTION_ENDPOINT:
data_items: List[str] = self.c2_attribution_data_items data_items: List[str] = self.c2_attribution_data_items
data_items_friendly_names = self.c2_attribution_data_items_friendly_names data_items_friendly_names = self.c2_attribution_data_items_friendly_names
loop = 1
for result in flatten_json_response: for result in flatten_json_response:
if loop <= 3:
hyas_object = misp_object(endpoint, attribute_value) hyas_object = misp_object(endpoint, attribute_value)
for data_item in result.keys(): for data_item in result.keys():
if data_item in data_items: if data_item in data_items:
@ -669,6 +729,7 @@ class HyasInsightParser:
data_item_value = str(result[data_item]) data_item_value = str(result[data_item])
hyas_object.add_attribute( hyas_object.add_attribute(
**parse_attribute(hyas_object.comment, data_item_text, data_item_value)) **parse_attribute(hyas_object.comment, data_item_text, data_item_value))
loop = loop + 1
hyas_object.add_reference(self.attribute['uuid'], 'related-to') hyas_object.add_reference(self.attribute['uuid'], 'related-to')
self.misp_event.add_object(hyas_object) self.misp_event.add_object(hyas_object)
@ -716,6 +777,8 @@ def handler(q=False):
ip_param = IPV4_PARAM ip_param = IPV4_PARAM
elif endpoint == SINKHOLE_ENDPOINT: elif endpoint == SINKHOLE_ENDPOINT:
ip_param = IPV4_PARAM ip_param = IPV4_PARAM
elif endpoint == MALWARE_RECORDS_ENDPOINT:
ip_param = IPV4_PARAM
else: else:
ip_param = IP_PARAM ip_param = IP_PARAM
enrich_response = request_handler.hyas_lookup(endpoint, ip_param, attribute_value) enrich_response = request_handler.hyas_lookup(endpoint, ip_param, attribute_value)
@ -748,50 +811,51 @@ def handler(q=False):
has_results = True has_results = True
parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value) parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
elif attribute_type in md5_query_input_type: elif attribute_type in md5_query_input_type:
md5_param = MD5_PARAM
for endpoint in HYAS_MD5_ENRICHMENT_ENDPOINTS_LIST: for endpoint in HYAS_MD5_ENRICHMENT_ENDPOINTS_LIST:
if endpoint == MALWARE_INFORMATION_ENDPOINT: if endpoint == MALWARE_INFORMATION_ENDPOINT:
md5_param = HASH_PARAM md5_param = HASH_PARAM
else:
md5_param = MD5_PARAM
enrich_response = request_handler.hyas_lookup(endpoint, md5_param, attribute_value) enrich_response = request_handler.hyas_lookup(endpoint, md5_param, attribute_value)
if endpoint == MALWARE_INFORMATION_ENDPOINT:
if not enrich_response.get("Message"):
enrich_response = enrich_response.get("scan_results")
if enrich_response: if enrich_response:
has_results = True has_results = True
if endpoint == MALWARE_INFORMATION_ENDPOINT:
enrich_response = malware_info_lookup_to_markdown(enrich_response)
parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value) parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
elif attribute_type in sha1_query_input_type: elif attribute_type in sha1_query_input_type:
sha1_param = SHA1_PARAM
for endpoint in HYAS_SHA1_ENRICHMENT_ENDPOINTS_LIST: for endpoint in HYAS_SHA1_ENRICHMENT_ENDPOINTS_LIST:
enrich_response = request_handler.hyas_lookup(endpoint, SHA1_PARAM, attribute_value)
if endpoint == MALWARE_INFORMATION_ENDPOINT: if endpoint == MALWARE_INFORMATION_ENDPOINT:
if not enrich_response.get("Message"): sha1_param = HASH_PARAM
enrich_response = enrich_response.get("scan_results") elif endpoint == SSL_CERTIFICATE_ENDPOINT:
sha1_param = HASH_PARAM
enrich_response = request_handler.hyas_lookup(endpoint, sha1_param, attribute_value)
if enrich_response: if enrich_response:
has_results = True has_results = True
if endpoint == MALWARE_INFORMATION_ENDPOINT:
enrich_response = malware_info_lookup_to_markdown(enrich_response)
parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value) parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
elif attribute_type in sha256_query_input_type: elif attribute_type in sha256_query_input_type:
sha256_param = SHA256_PARAM
for endpoint in HYAS_SHA256_ENRICHMENT_ENDPOINTS_LIST: for endpoint in HYAS_SHA256_ENRICHMENT_ENDPOINTS_LIST:
if endpoint == MALWARE_INFORMATION_ENDPOINT: if endpoint == MALWARE_INFORMATION_ENDPOINT:
sha256_param = HASH_PARAM sha256_param = HASH_PARAM
else:
sha256_param = SHA256_PARAM
enrich_response = request_handler.hyas_lookup(endpoint, sha256_param, attribute_value) enrich_response = request_handler.hyas_lookup(endpoint, sha256_param, attribute_value)
if endpoint == MALWARE_INFORMATION_ENDPOINT:
if not enrich_response.get("Message"):
enrich_response = enrich_response.get("scan_results")
if enrich_response: if enrich_response:
has_results = True has_results = True
if endpoint == MALWARE_INFORMATION_ENDPOINT:
enrich_response = malware_info_lookup_to_markdown(enrich_response)
parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value) parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
elif attribute_type in sha512_query_input_type: elif attribute_type in sha512_query_input_type:
sha512_param = ''
for endpoint in HYAS_SHA512_ENRICHMENT_ENDPOINTS_LIST: for endpoint in HYAS_SHA512_ENRICHMENT_ENDPOINTS_LIST:
if endpoint == MALWARE_INFORMATION_ENDPOINT: if endpoint == MALWARE_INFORMATION_ENDPOINT:
sha512_param = HASH_PARAM sha512_param = HASH_PARAM
enrich_response = request_handler.hyas_lookup(endpoint, sha512_param, attribute_value) enrich_response = request_handler.hyas_lookup(endpoint, sha512_param, attribute_value)
if endpoint == MALWARE_INFORMATION_ENDPOINT:
if not enrich_response.get("Message"):
enrich_response = enrich_response.get("scan_results")
if enrich_response: if enrich_response:
has_results = True has_results = True
if endpoint == MALWARE_INFORMATION_ENDPOINT:
enrich_response = malware_info_lookup_to_markdown(enrich_response)
parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value) parser.create_misp_attributes_and_objects(enrich_response, endpoint, attribute_value)
if has_results: if has_results: