mirror of https://github.com/MISP/misp-modules
Merge branch 'master' of github.com:MISP/misp-modules into tests
commit
6b50c7718c
|
@ -125,16 +125,14 @@ def process_ssl_details(instance, query):
|
||||||
"""Process details for a specific certificate."""
|
"""Process details for a specific certificate."""
|
||||||
log.debug("SSL Details: starting")
|
log.debug("SSL Details: starting")
|
||||||
values = list()
|
values = list()
|
||||||
_ = instance.get_ssl_certificate_details(query=query)
|
details = instance.get_ssl_certificate_details(query=query)
|
||||||
err = _has_error(_)
|
err = _has_error(details)
|
||||||
if err:
|
if err:
|
||||||
raise Exception("We hit an error, time to bail!")
|
raise Exception("We hit an error, time to bail!")
|
||||||
|
if details.get('message') and details['message'].startswith('quota_exceeded'):
|
||||||
for key, value in _.items():
|
raise Exception("API quota exceeded.")
|
||||||
if not value:
|
values = {value for value in details.values() if value}
|
||||||
continue
|
txt = [{'types': ['ssl-cert-attributes'], 'values': list(values)}]
|
||||||
values.append(value)
|
|
||||||
txt = [{'types': ['ssl-cert-attributes'], 'values': list(set(values))}]
|
|
||||||
log.debug("SSL Details: ending")
|
log.debug("SSL Details: ending")
|
||||||
|
|
||||||
return txt
|
return txt
|
||||||
|
@ -151,12 +149,13 @@ def process_ssl_history(instance, query):
|
||||||
}
|
}
|
||||||
|
|
||||||
hits = {'ip': list(), 'sha1': list(), 'domain': list()}
|
hits = {'ip': list(), 'sha1': list(), 'domain': list()}
|
||||||
_ = instance.get_ssl_certificate_history(query=query)
|
history = instance.get_ssl_certificate_history(query=query)
|
||||||
err = _has_error(_)
|
err = _has_error(history)
|
||||||
if err:
|
if err:
|
||||||
raise Exception("We hit an error, time to bail!")
|
raise Exception("We hit an error, time to bail!")
|
||||||
|
if history.get('message') and history['message'].startswith('quota_exceeded'):
|
||||||
for item in _.get('results', []):
|
raise Exception("API quota exceeded.")
|
||||||
|
for item in history.get('results', []):
|
||||||
hits['ip'] += item.get('ipAddresses', [])
|
hits['ip'] += item.get('ipAddresses', [])
|
||||||
hits['sha1'].append(item['sha1'])
|
hits['sha1'].append(item['sha1'])
|
||||||
hits['domain'] += item.get('domains', [])
|
hits['domain'] += item.get('domains', [])
|
||||||
|
@ -175,21 +174,22 @@ def process_whois_details(instance, query):
|
||||||
"""Process the detail from the WHOIS record."""
|
"""Process the detail from the WHOIS record."""
|
||||||
log.debug("WHOIS Details: starting")
|
log.debug("WHOIS Details: starting")
|
||||||
tmp = list()
|
tmp = list()
|
||||||
_ = instance.get_whois_details(query=query, compact_record=True)
|
details = instance.get_whois_details(query=query, compact_record=True)
|
||||||
err = _has_error(_)
|
err = _has_error(details)
|
||||||
if err:
|
if err:
|
||||||
raise Exception("We hit an error, time to bail!")
|
raise Exception("We hit an error, time to bail!")
|
||||||
|
if details.get('message') and details['message'].startswith('quota_exceeded'):
|
||||||
if _.get('contactEmail', None):
|
raise Exception("API quota exceeded.")
|
||||||
tmp.append({'types': ['whois-registrant-email'], 'values': [_.get('contactEmail')]})
|
if details.get('contactEmail', None):
|
||||||
phones = _['compact']['telephone']['raw']
|
tmp.append({'types': ['whois-registrant-email'], 'values': [details.get('contactEmail')]})
|
||||||
|
phones = details['compact']['telephone']['raw']
|
||||||
tmp.append({'types': ['whois-registrant-phone'], 'values': phones})
|
tmp.append({'types': ['whois-registrant-phone'], 'values': phones})
|
||||||
names = _['compact']['name']['raw']
|
names = details['compact']['name']['raw']
|
||||||
tmp.append({'types': ['whois-registrant-name'], 'values': names})
|
tmp.append({'types': ['whois-registrant-name'], 'values': names})
|
||||||
if _.get('registrar', None):
|
if details.get('registrar', None):
|
||||||
tmp.append({'types': ['whois-registrar'], 'values': [_.get('registrar')]})
|
tmp.append({'types': ['whois-registrar'], 'values': [details.get('registrar')]})
|
||||||
if _.get('registered', None):
|
if details.get('registered', None):
|
||||||
tmp.append({'types': ['whois-creation-date'], 'values': [_.get('registered')]})
|
tmp.append({'types': ['whois-creation-date'], 'values': [details.get('registered')]})
|
||||||
log.debug("WHOIS Details: ending")
|
log.debug("WHOIS Details: ending")
|
||||||
|
|
||||||
return tmp
|
return tmp
|
||||||
|
@ -206,12 +206,13 @@ def process_whois_search(instance, query, qtype):
|
||||||
field_type = 'name'
|
field_type = 'name'
|
||||||
|
|
||||||
domains = list()
|
domains = list()
|
||||||
_ = instance.search_whois_by_field(field=field_type, query=query)
|
search = instance.search_whois_by_field(field=field_type, query=query)
|
||||||
err = _has_error(_)
|
err = _has_error(search)
|
||||||
if err:
|
if err:
|
||||||
raise Exception("We hit an error, time to bail!")
|
raise Exception("We hit an error, time to bail!")
|
||||||
|
if search.get('message') and search['message'].startswith('quota_exceeded'):
|
||||||
for item in _.get('results', []):
|
raise Exception("API quota exceeded.")
|
||||||
|
for item in search.get('results', []):
|
||||||
domain = item.get('domain', None)
|
domain = item.get('domain', None)
|
||||||
if not domain:
|
if not domain:
|
||||||
continue
|
continue
|
||||||
|
@ -227,15 +228,16 @@ def process_passive_dns(instance, query):
|
||||||
"""Process passive DNS data."""
|
"""Process passive DNS data."""
|
||||||
log.debug("Passive DNS: starting")
|
log.debug("Passive DNS: starting")
|
||||||
tmp = list()
|
tmp = list()
|
||||||
_ = instance.get_unique_resolutions(query=query)
|
pdns = instance.get_unique_resolutions(query=query)
|
||||||
err = _has_error(_)
|
err = _has_error(pdns)
|
||||||
if err:
|
if err:
|
||||||
raise Exception("We hit an error, time to bail!")
|
raise Exception("We hit an error, time to bail!")
|
||||||
|
if pdns.get('message') and pdns['message'].startswith('quota_exceeded'):
|
||||||
|
raise Exception("API quota exceeded.")
|
||||||
if is_ip(query):
|
if is_ip(query):
|
||||||
tmp = [{'types': ['domain', 'hostname'], 'values': _.get('results', [])}]
|
tmp = [{'types': ['domain', 'hostname'], 'values': pdns.get('results', [])}]
|
||||||
else:
|
else:
|
||||||
tmp = [{'types': ['ip-src', 'ip-dst'], 'values': _.get('results', [])}]
|
tmp = [{'types': ['ip-src', 'ip-dst'], 'values': pdns.get('results', [])}]
|
||||||
log.debug("Passive DNS: ending")
|
log.debug("Passive DNS: ending")
|
||||||
|
|
||||||
return tmp
|
return tmp
|
||||||
|
@ -245,12 +247,13 @@ def process_osint(instance, query):
|
||||||
"""Process OSINT links."""
|
"""Process OSINT links."""
|
||||||
log.debug("OSINT: starting")
|
log.debug("OSINT: starting")
|
||||||
urls = list()
|
urls = list()
|
||||||
_ = instance.get_osint(query=query)
|
osint = instance.get_osint(query=query)
|
||||||
err = _has_error(_)
|
err = _has_error(osint)
|
||||||
if err:
|
if err:
|
||||||
raise Exception("We hit an error, time to bail!")
|
raise Exception("We hit an error, time to bail!")
|
||||||
|
if osint.get('message') and osint['message'].startswith('quota_exceeded'):
|
||||||
for item in _.get('results', []):
|
raise Exception("API quota exceeded.")
|
||||||
|
for item in osint.get('results', []):
|
||||||
urls.append(item['sourceUrl'])
|
urls.append(item['sourceUrl'])
|
||||||
|
|
||||||
tmp = [{'types': ['link'], 'values': urls}]
|
tmp = [{'types': ['link'], 'values': urls}]
|
||||||
|
@ -263,12 +266,13 @@ def process_malware(instance, query):
|
||||||
"""Process malware samples."""
|
"""Process malware samples."""
|
||||||
log.debug("Malware: starting")
|
log.debug("Malware: starting")
|
||||||
content = {'hashes': list(), 'urls': list()}
|
content = {'hashes': list(), 'urls': list()}
|
||||||
_ = instance.get_malware(query=query)
|
malware = instance.get_malware(query=query)
|
||||||
err = _has_error(_)
|
err = _has_error(malware)
|
||||||
if err:
|
if err:
|
||||||
raise Exception("We hit an error, time to bail!")
|
raise Exception("We hit an error, time to bail!")
|
||||||
|
if malware.get('message') and malware['message'].startswith('quota_exceeded'):
|
||||||
for item in _.get('results', []):
|
raise Exception("API quota exceeded.")
|
||||||
|
for item in malware.get('results', []):
|
||||||
content['hashes'].append(item['sample'])
|
content['hashes'].append(item['sample'])
|
||||||
content['urls'].append(item['sourceUrl'])
|
content['urls'].append(item['sourceUrl'])
|
||||||
|
|
||||||
|
@ -331,7 +335,8 @@ def handler(q=False):
|
||||||
output['results'] += results
|
output['results'] += results
|
||||||
else:
|
else:
|
||||||
log.error("Unsupported query pattern issued.")
|
log.error("Unsupported query pattern issued.")
|
||||||
except Exception:
|
except Exception as e:
|
||||||
|
misperrors['error'] = e.__str__()
|
||||||
return misperrors
|
return misperrors
|
||||||
|
|
||||||
return output
|
return output
|
||||||
|
|
|
@ -151,7 +151,11 @@ def expand_domain_info(api, misperror, domain):
|
||||||
servers_mx = []
|
servers_mx = []
|
||||||
soa_hostnames = []
|
soa_hostnames = []
|
||||||
|
|
||||||
results = api.domain(domain)
|
try:
|
||||||
|
results = api.domain(domain)
|
||||||
|
except APIError as e:
|
||||||
|
misperrors['error'] = e.value
|
||||||
|
return [], False
|
||||||
|
|
||||||
if results:
|
if results:
|
||||||
status_ok = True
|
status_ok = True
|
||||||
|
|
Loading…
Reference in New Issue