Merge pull request #624 from davidonzo/main

Module updated to apiosintDSv2.0
pull/630/head
Alexandre Dulaunoy 2023-07-10 21:54:41 +02:00 committed by GitHub
commit 7bd0a53828
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 256 additions and 49 deletions

View File

@ -13,8 +13,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
## Existing MISP modules ## Existing MISP modules
### Expansion modules ### Expansion modules
* [apiosintDS](misp_modules/modules/expansion/apiosintds.py) - a hover and expansion module to query the [OSINT.digitalside.it](https://osint.digitalside.it) API. [Documentation](https://apiosintds.readthedocs.io/en/latest/userguidemisp.html).
* [apiosintDS](misp_modules/modules/expansion/apiosintds.py) - a hover and expansion module to query the OSINT.digitalside.it API.
* [API Void](misp_modules/modules/expansion/apivoid.py) - an expansion and hover module to query API Void with a domain attribute. * [API Void](misp_modules/modules/expansion/apivoid.py) - an expansion and hover module to query API Void with a domain attribute.
* [AssemblyLine submit](misp_modules/modules/expansion/assemblyline_submit.py) - an expansion module to submit samples and urls to AssemblyLine. * [AssemblyLine submit](misp_modules/modules/expansion/assemblyline_submit.py) - an expansion module to submit samples and urls to AssemblyLine.
* [AssemblyLine query](misp_modules/modules/expansion/assemblyline_query.py) - an expansion module to query AssemblyLine and parse the full submission report. * [AssemblyLine query](misp_modules/modules/expansion/assemblyline_query.py) - an expansion module to query AssemblyLine and parse the full submission report.

View File

@ -3,7 +3,7 @@ aiohttp==3.8.4
aiosignal==1.3.1 ; python_version >= '3.7' aiosignal==1.3.1 ; python_version >= '3.7'
antlr4-python3-runtime==4.9.3 antlr4-python3-runtime==4.9.3
anyio==3.6.2 ; python_full_version >= '3.6.2' anyio==3.6.2 ; python_full_version >= '3.6.2'
apiosintds==1.8.3 git+https://github.com/davidonzo/apiosintDS@misp
appdirs==1.4.4 appdirs==1.4.4
argcomplete==3.0.8 ; python_version >= '3.6' argcomplete==3.0.8 ; python_version >= '3.6'
argparse==1.4.0 argparse==1.4.0

View File

@ -16,14 +16,14 @@ misperrors = {'error': 'Error'}
mispattributes = {'input': ["domain", "domain|ip", "hostname", "ip-dst", "ip-src", "ip-dst|port", "ip-src|port", "url", mispattributes = {'input': ["domain", "domain|ip", "hostname", "ip-dst", "ip-src", "ip-dst|port", "ip-src|port", "url",
"md5", "sha1", "sha256", "filename|md5", "filename|sha1", "filename|sha256"], "md5", "sha1", "sha256", "filename|md5", "filename|sha1", "filename|sha256"],
'output': ["domain", "ip-dst", "url", "comment", "md5", "sha1", "sha256"] 'output': ["domain", "ip-dst", "url", "comment", "md5", "sha1", "sha256", "link", "text"]
} }
moduleinfo = {'version': '0.1', 'author': 'Davide Baglieri aka davidonzo', moduleinfo = {'version': '0.2', 'author': 'Davide Baglieri aka davidonzo',
'description': 'On demand query API for OSINT.digitalside.it project.', 'description': 'On demand query API for OSINT.digitalside.it project.',
'module-type': ['expansion', 'hover']} 'module-type': ['expansion', 'hover']}
moduleconfig = ['import_related_hashes', 'cache', 'cache_directory'] moduleconfig = ['STIX2_details', 'import_related', 'cache', 'cache_directory', 'cache_timeout_h', 'local_directory']
def handler(q=False): def handler(q=False):
@ -63,17 +63,48 @@ def handler(q=False):
else: else:
return False return False
persistent = 0
if request.get('persistent'):
persistent = request["persistent"]
submitcache = False submitcache = False
submitcache_directory = False submitcache_directory = False
import_related_hashes = False submitcache_timeout = False
submit_stix = False
import_related = False
sumbit_localdirectory = False
r = {"results": []} r = {"results": []}
if request.get('config'): if request.get('config'):
if request['config'].get('cache') and request['config']['cache'].lower() == "yes": if request['config'].get('cache') and request['config']['cache'].lower() == "yes":
submitcache = True submitcache = True
if request['config'].get('import_related_hashes') and request['config']['import_related_hashes'].lower() == "yes":
import_related_hashes = True if request['config'].get('import_related') and request['config']['import_related'].lower() == "yes":
import_related = True
if request['config'].get('STIX2_details') and request['config']['STIX2_details'].lower() == "yes":
submit_stix = True
if request['config'].get('cache_timeout_h') and len(request['config']['cache_timeout_h']) > 0:
submitcache_timeout = int(request['config'].get('cache_timeout_h'))
localdirectory = request['config'].get('local_directory')
if localdirectory and len(localdirectory) > 0:
if os.access(localdirectory, os.R_OK):
sumbit_localdirectory = localdirectory
WarningMSG = "Local directory OK! Ignoring cache configuration..."
log.debug(str(WarningMSG))
submitcache = False
sumbitcache_titmeout = False
submitcache_directory = False
else:
ErrorMSG = "Unable to read local 'Threat-Intel' directory ("+localdirectory+"). Please, check your configuration and retry."
log.debug(str(ErrorMSG))
misperrors['error'] = ErrorMSG
return misperrors
if submitcache: if submitcache:
cache_directory = request['config'].get('cache_directory') cache_directory = request['config'].get('cache_directory')
if cache_directory and len(cache_directory) > 0: if cache_directory and len(cache_directory) > 0:
@ -90,52 +121,228 @@ def handler(q=False):
misperrors['error'] = ErrorMSG misperrors['error'] = ErrorMSG
return misperrors return misperrors
else: else:
if sumbit_localdirectory == False:
log.debug("Cache option is set to " + str(submitcache) + ". You are not using the internal cache system and this is NOT recommended!") log.debug("Cache option is set to " + str(submitcache) + ". You are not using the internal cache system and this is NOT recommended!")
log.debug("Please, consider to turn on the cache setting it to 'Yes' and specifing a writable directory for the cache directory option.") log.debug("Please, consider to turn on the cache setting it to 'Yes' and specifing a writable directory for the cache directory option.")
try: try:
response = apiosintDS.request(entities=tosubmit, cache=submitcache, cachedirectory=submitcache_directory, verbose=True) response = apiosintDS.request(entities=tosubmit, stix=submit_stix, cache=submitcache, cachedirectory=submitcache_directory, cachetimeout=submitcache_timeout, verbose=True, localdirectory=sumbit_localdirectory)
r["results"] += reversed(apiosintParser(response, import_related_hashes)) r["results"] += apiosintParserHover(persistent, response, import_related, submit_stix)
except Exception as e: except ValueError as e:
log.debug(str(e)) log.debug(str(e))
misperrors['error'] = str(e) misperrors['error'] = str(e)
return r return r
def apiosintParserHover(ispersistent, response, import_related, stix):
def apiosintParser(response, import_related_hashes): apiosinttype = ['hash', 'ip', 'url', 'domain']
line = "##############################################"
linedot = "--------------------------------------------------------------------"
linedotty = "-------------------"
ret = [] ret = []
retHover = []
if isinstance(response, dict): if isinstance(response, dict):
for key in response: for key in response:
if key in apiosinttype:
for item in response[key]["items"]: for item in response[key]["items"]:
if item["response"]: if item["response"]:
comment = item["item"] + " IS listed by OSINT.digitalside.it. Date list: " + response[key]["list"]["date"] comment = "IoC '"+item["item"] + "' found in OSINT.DigitaiSide.it repository. List file: "+response[key]["list"]["file"]+". List date: " + response[key]["list"]["date"]
if key == "url": commentH = "IoC '"+item["item"] + "' found in OSINT.DigitaiSide.it repository."
if "hashes" in item.keys(): CommentHDate = "List file: "+response[key]["list"]["file"]+". Date list: " + response[key]["list"]["date"]
if "sha256" in item["hashes"].keys(): ret.append({"types": ["text"], "values": [comment]})
ret.append({"types": ["sha256"], "values": [item["hashes"]["sha256"]]})
if "sha1" in item["hashes"].keys():
ret.append({"types": ["sha1"], "values": [item["hashes"]["sha1"]]})
if "md5" in item["hashes"].keys():
ret.append({"types": ["md5"], "values": [item["hashes"]["md5"]]})
retHover.append({"types": ["text"], "values": [commentH]})
retHover.append({"types": ["text"], "values": [CommentHDate]})
retHover.append({"types": ["text"], "values": [line]})
if key in ["url", "hash"]:
if "hashes" in item:
headhash = "Hashes set"
retHover.append({"types": ["text"], "values": [headhash]})
if "md5" in item["hashes"].keys():
ret.append({"types": ["md5"], "values": [item["hashes"]["md5"]], "comment": "Related to: " + item["item"]})
strmd5 = "MD5: "+item["hashes"]["md5"]
retHover.append({"types": ["text"], "values": [strmd5]})
if "sha1" in item["hashes"].keys():
ret.append({"types": ["sha1"], "values": [item["hashes"]["sha1"]], "comment": "Related to: " + item["item"]})
strsha1 = "SHA1: "+item["hashes"]["sha1"]
retHover.append({"types": ["text"], "values": [strsha1]})
if "sha256" in item["hashes"].keys():
ret.append({"types": ["sha256"], "values": [item["hashes"]["sha256"]], "comment": "Related to: " + item["item"]})
strsha256 = "SHA256: "+item["hashes"]["sha256"]
retHover.append({"types": ["text"], "values": [strsha256]})
if "online_reports" in item:
headReports = "Online Reports (availability depends on retention)"
retHover.append({"types": ["text"], "values": [linedot]})
retHover.append({"types": ["text"], "values": [headReports]})
onlierepor = item["online_reports"]
ret.append({"category": "External analysis", "types": ["link"], "values": [onlierepor["MISP_EVENT"]], "comment": "MISP Event related to: " + item["item"]})
ret.append({"category": "External analysis", "types": ["link"], "values": [onlierepor["MISP_CSV"]], "comment": "MISP CSV related to: " + item["item"]})
ret.append({"category": "External analysis", "types": ["link"], "values": [onlierepor["OSINTDS_REPORT"]], "comment": "DigitalSide report related to: " + item["item"]})
ret.append({"category": "External analysis", "types": ["link"], "values": [onlierepor["STIX"]], "comment": "STIX2 report related to: " + item["item"]})
MISPEVENT = "MISP Event => "+onlierepor["MISP_EVENT"]
MISPCSV = "MISP CSV => "+onlierepor["MISP_CSV"]
OSINTDS = "DigitalSide report => "+onlierepor["OSINTDS_REPORT"]
STIX = "STIX report => "+onlierepor["STIX"]
retHover.append({"types": ["text"], "values": [MISPEVENT]})
retHover.append({"types": ["text"], "values": [MISPCSV]})
retHover.append({"types": ["text"], "values": [OSINTDS]})
retHover.append({"types": ["text"], "values": [STIX]})
if stix and onlierepor:
if "STIXDETAILS" in onlierepor:
retHover.append({"types": ["text"], "values": [linedot]})
headStix = "STIX2 report details"
stixobj = onlierepor["STIXDETAILS"]
stxdet = "TLP:"+stixobj["tlp"]+" | Observation: "+str(stixobj["number_observed"])+" | First seen: "+stixobj["first_observed"]+" | First seen: "+stixobj["last_observed"]
ret.append({"types": ["comment"], "values": [stxdet], "comment": "STIX2 details for: " + item["item"]})
retHover.append({"types": ["text"], "values": [headStix]})
retHover.append({"types": ["text"], "values": [stxdet]})
if stixobj["observed_time_frame"] != False:
obstf = "Observation time frame: "+str(stixobj["observed_time_frame"])
ret.append({"types": ["comment"], "values": [obstf], "comment": "STIX2 details for: " + item["item"]})
retHover.append({"types": ["text"], "values": [obstf]})
filename = stixobj["filename"]
ret.append({"category": "Payload delivery", "types": ["filename"], "values": [filename], "comment": "STIX2 details for: " + item["item"]})
Hovefilename = "Filename: "+filename
retHover.append({"types": ["text"], "values": [Hovefilename]})
filesize = stixobj["filesize"]
ret.append({"types": ["size-in-bytes"], "values": [filesize], "comment": "STIX2 details for: " + item["item"]})
Hovefilesize = "Filesize in bytes: "+str(filesize)
retHover.append({"types": ["text"], "values": [Hovefilesize]})
filetype = stixobj["mime_type"]
ret.append({"category": "Payload delivery", "types": ["mime-type"], "values": [filetype], "comment": "STIX2 details for: " + item["item"]})
Hovemime = "Filetype: "+filetype
retHover.append({"types": ["text"], "values": [Hovemime]})
if "virus_total" in stixobj:
if stixobj["virus_total"] != False:
VTratio = "VirusTotal Ratio: "+str(stixobj["virus_total"]["vt_detection_ratio"])
ret.append({"types": ["comment"], "values": [VTratio], "comment": "STIX2 details for: " + item["item"]})
retHover.append({"types": ["text"], "values": [VTratio]})
VTReport = str(stixobj["virus_total"]["vt_report"])
ret.append({"category": "External analysis", "types": ["link"], "values": [VTReport], "comment": "VirusTotal Report for: " + item["item"]})
if import_related:
if len(item["related_urls"]) > 0: if len(item["related_urls"]) > 0:
retHover.append({"types": ["text"], "values": [linedot]})
countRelated = "Related URLS count: "+str(len(item["related_urls"]))
retHover.append({"types": ["text"], "values": [countRelated]})
for urls in item["related_urls"]: for urls in item["related_urls"]:
if isinstance(urls, dict): if isinstance(urls, dict):
itemToInclude = urls["url"] itemToInclude = urls["url"]
if import_related_hashes: ret.append({"types": ["url"], "values": [itemToInclude], "comment": "Download URL for "+urls["hashes"]["md5"]+". Related to: " + item["item"]})
retHover.append({"types": ["text"], "values": [linedot]})
relatedURL = "Related URL "+itemToInclude
retHover.append({"types": ["text"], "values": [relatedURL]})
if "hashes" in urls.keys(): if "hashes" in urls.keys():
if "sha256" in urls["hashes"].keys():
ret.append({"types": ["sha256"], "values": [urls["hashes"]["sha256"]], "comment": "Related to: " + itemToInclude})
if "sha1" in urls["hashes"].keys():
ret.append({"types": ["sha1"], "values": [urls["hashes"]["sha1"]], "comment": "Related to: " + itemToInclude})
if "md5" in urls["hashes"].keys(): if "md5" in urls["hashes"].keys():
ret.append({"types": ["md5"], "values": [urls["hashes"]["md5"]], "comment": "Related to: " + itemToInclude}) ret.append({"types": ["md5"], "values": [urls["hashes"]["md5"]], "comment": "Related to: " + itemToInclude})
ret.append({"types": ["url"], "values": [itemToInclude], "comment": "Related to: " + item["item"]})
strmd5 = "MD5: "+urls["hashes"]["md5"]
retHover.append({"types": ["text"], "values": [strmd5]})
if "sha1" in urls["hashes"].keys():
ret.append({"types": ["sha1"], "values": [urls["hashes"]["sha1"]], "comment": "Related to: " + itemToInclude})
strsha1 = "SHA1: "+urls["hashes"]["sha1"]
retHover.append({"types": ["text"], "values": [strsha1]})
if "sha256" in urls["hashes"].keys():
ret.append({"types": ["sha256"], "values": [urls["hashes"]["sha256"]], "comment": "Related to: " + itemToInclude})
strsha256 = "SHA256: "+urls["hashes"]["sha256"]
retHover.append({"types": ["text"], "values": [strsha256]})
headReports = "Online Reports (availability depends on retention)"
retHover.append({"types": ["text"], "values": [linedotty]})
retHover.append({"types": ["text"], "values": [headReports]})
onlierepor = urls["online_reports"]
ret.append({"category": "External analysis", "types": ["link"], "values": [onlierepor["MISP_EVENT"]], "comment": "MISP Event related to: " + item["item"]})
ret.append({"category": "External analysis", "types": ["link"], "values": [onlierepor["MISP_CSV"]], "comment": "MISP CSV related to: " + item["item"]})
ret.append({"category": "External analysis", "types": ["link"], "values": [onlierepor["OSINTDS_REPORT"]], "comment": "DigitalSide report related to: " + item["item"]})
ret.append({"category": "External analysis", "types": ["link"], "values": [onlierepor["STIX"]], "comment": "STIX2 report related to: " + item["item"]})
MISPEVENT = "MISP Event => "+onlierepor["MISP_EVENT"]
MISPCSV = "MISP CSV => "+onlierepor["MISP_CSV"]
OSINTDS = "DigitalSide report => "+onlierepor["OSINTDS_REPORT"]
STIX = "STIX report => "+onlierepor["STIX"]
retHover.append({"types": ["text"], "values": [MISPEVENT]})
retHover.append({"types": ["text"], "values": [MISPCSV]})
retHover.append({"types": ["text"], "values": [OSINTDS]})
retHover.append({"types": ["text"], "values": [STIX]})
if stix and onlierepor:
if "STIXDETAILS" in onlierepor:
retHover.append({"types": ["text"], "values": [linedotty]})
headStix = "STIX2 report details"
stixobj = onlierepor["STIXDETAILS"]
stxdet = "TLP:"+stixobj["tlp"]+" | Observation: "+str(stixobj["number_observed"])+" | First seen: "+stixobj["first_observed"]+" | First seen: "+stixobj["last_observed"]
ret.append({"types": ["comment"], "values": [stxdet], "comment": "STIX2 details for: " + item["item"]})
retHover.append({"types": ["text"], "values": [headStix]})
retHover.append({"types": ["text"], "values": [stxdet]})
if stixobj["observed_time_frame"] != False:
obstf = "Observation time frame: "+str(stixobj["observed_time_frame"])
ret.append({"types": ["comment"], "values": [obstf], "comment": "STIX2 details for: " + item["item"]})
retHover.append({"types": ["text"], "values": [obstf]})
filename = stixobj["filename"]
ret.append({"category": "Payload delivery", "types": ["filename"], "values": [filename], "comment": "STIX2 details for: " + item["item"]})
Hovefilename = "Filename: "+filename
retHover.append({"types": ["text"], "values": [Hovefilename]})
filesize = stixobj["filesize"]
ret.append({"types": ["size-in-bytes"], "values": [filesize], "comment": "STIX2 details for: " + item["item"]})
Hovefilesize = "Filesize in bytes: "+str(filesize)
retHover.append({"types": ["text"], "values": [Hovefilesize]})
filetype = stixobj["mime_type"]
ret.append({"category": "Payload delivery", "types": ["mime-type"], "values": [filetype], "comment": "STIX2 details for: " + item["item"]})
Hovemime = "Filetype: "+filetype
retHover.append({"types": ["text"], "values": [Hovemime]})
if "virus_total" in stixobj:
if stixobj["virus_total"] != False:
VTratio = "VirusTotal Ratio: "+stixobj["virus_total"]["vt_detection_ratio"]
ret.append({"types": ["comment"], "values": [VTratio], "comment": "STIX2 details for: " + item["item"]})
retHover.append({"types": ["text"], "values": [VTratio]})
VTReport = stixobj["virus_total"]["vt_report"]
ret.append({"category": "External analysis", "types": ["link"], "values": [VTReport], "comment": "VirusTotal Report for: " + item["item"]})
else: else:
ret.append({"types": ["url"], "values": [urls], "comment": "Related URL to: " + item["item"]}) ret.append({"types": ["url"], "values": [urls], "comment": "Download URL for: " + item["item"]})
urlHover = "URL => "+urls
retHover.append({"types": ["text"], "values": [urlHover]})
else: else:
comment = item["item"] + " IS NOT listed by OSINT.digitalside.it. Date list: " + response[key]["list"]["date"] notfound = item["item"] + " IS NOT listed by OSINT.digitalside.it. Date list: " + response[key]["list"]["date"]
ret.append({"types": ["text"], "values": [comment]}) ret.append({"types": ["comment"], "values": [notfound]})
retHover.append({"types": ["comment"], "values": [notfound]})
if ispersistent == 0:
return ret return ret
return retHover
def introspection(): def introspection():

View File

@ -74,12 +74,13 @@ class TestExpansions(unittest.TestCase):
return data['results'][0]['values'] return data['results'][0]['values']
def test_apiosintds(self): def test_apiosintds(self):
query = {'module': 'apiosintds', 'ip-dst': '185.255.79.90'} query = {'module': 'apiosintds', 'ip-dst': '10.10.10.10'}
response = self.misp_modules_post(query) response = self.misp_modules_post(query)
try: try:
self.assertTrue(self.get_values(response).startswith('185.255.79.90 IS listed by OSINT.digitalside.it.')) self.assertTrue(self.get_values(response).startswith('IoC 10.10.10.10'))
except AssertionError: except AssertionError:
self.assertTrue(self.get_values(response).startswith('185.255.79.90 IS NOT listed by OSINT.digitalside.it.')) self.assertTrue(self.get_values(response).startswith('10.10.10.10 IS NOT listed by OSINT.digitalside.it.'))
def test_apivoid(self): def test_apivoid(self):
module_name = "apivoid" module_name = "apivoid"