fix: ta_import - bugfixes
parent
f5414226b4
commit
7deeb95820
|
@ -15,7 +15,7 @@ misperrors = {'error': 'Error'}
|
||||||
userConfig = {}
|
userConfig = {}
|
||||||
inputSource = ['file']
|
inputSource = ['file']
|
||||||
|
|
||||||
moduleinfo = {'version': '0.8', 'author': 'Christophe Vandeplas',
|
moduleinfo = {'version': '0.9', 'author': 'Christophe Vandeplas',
|
||||||
'description': 'Import for ThreatAnalyzer archive.zip/analysis.json files',
|
'description': 'Import for ThreatAnalyzer archive.zip/analysis.json files',
|
||||||
'module-type': ['import']}
|
'module-type': ['import']}
|
||||||
|
|
||||||
|
@ -45,7 +45,7 @@ def handler(q=False):
|
||||||
if re.match(r"Analysis/proc_\d+/modified_files/mapping\.log", zip_file_name):
|
if re.match(r"Analysis/proc_\d+/modified_files/mapping\.log", zip_file_name):
|
||||||
with zf.open(zip_file_name, mode='r', pwd=None) as fp:
|
with zf.open(zip_file_name, mode='r', pwd=None) as fp:
|
||||||
file_data = fp.read()
|
file_data = fp.read()
|
||||||
for line in file_data.decode().split('\n'):
|
for line in file_data.decode("utf-8", 'ignore').split('\n'):
|
||||||
if not line:
|
if not line:
|
||||||
continue
|
continue
|
||||||
if line.count('|') == 3:
|
if line.count('|') == 3:
|
||||||
|
@ -55,7 +55,8 @@ def handler(q=False):
|
||||||
l_fname = cleanup_filepath(l_fname)
|
l_fname = cleanup_filepath(l_fname)
|
||||||
if l_fname:
|
if l_fname:
|
||||||
if l_size == 0:
|
if l_size == 0:
|
||||||
pass # FIXME create an attribute for the filename/path
|
results.append({'values': l_fname, 'type': 'filename', 'to_ids': True,
|
||||||
|
'categories': ['Artifacts dropped', 'Payload delivery'], 'comment': ''})
|
||||||
else:
|
else:
|
||||||
# file is a non empty sample, upload the sample later
|
# file is a non empty sample, upload the sample later
|
||||||
modified_files_mapping[l_md5] = l_fname
|
modified_files_mapping[l_md5] = l_fname
|
||||||
|
@ -144,13 +145,14 @@ def process_analysis_json(analysis_json):
|
||||||
# )
|
# )
|
||||||
yield({'values': connection_section_connection['@remote_hostname'], 'type': 'hostname', 'to_ids': True, 'comment': ''})
|
yield({'values': connection_section_connection['@remote_hostname'], 'type': 'hostname', 'to_ids': True, 'comment': ''})
|
||||||
if 'http_command' in connection_section_connection:
|
if 'http_command' in connection_section_connection:
|
||||||
# print('connection_section_connection HTTP COMMAND: {}\t{}'.format(
|
for http_command in connection_section_connection['http_command']:
|
||||||
# connection_section_connection['http_command']['@method'], # comment
|
# print('connection_section_connection HTTP COMMAND: {}\t{}'.format(
|
||||||
# connection_section_connection['http_command']['@url']) # url
|
# connection_section_connection['http_command']['@method'], # comment
|
||||||
# )
|
# connection_section_connection['http_command']['@url']) # url
|
||||||
val = cleanup_url(connection_section_connection['http_command']['@url'])
|
# )
|
||||||
if val:
|
val = cleanup_url(http_command['@url'])
|
||||||
yield({'values': val, 'type': 'url', 'categories': ['Network activity'], 'to_ids': True, 'comment': connection_section_connection['http_command']['@method']})
|
if val:
|
||||||
|
yield({'values': val, 'type': 'url', 'categories': ['Network activity'], 'to_ids': True, 'comment': http_command['@method']})
|
||||||
|
|
||||||
if 'http_header' in connection_section_connection:
|
if 'http_header' in connection_section_connection:
|
||||||
for http_header in connection_section_connection['http_header']:
|
for http_header in connection_section_connection['http_header']:
|
||||||
|
@ -453,9 +455,9 @@ def cleanup_filepath(item):
|
||||||
'\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\UserCache.bin',
|
'\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\UserCache.bin',
|
||||||
|
|
||||||
'\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol',
|
'\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol',
|
||||||
'\\AppData\\Roaming\Adobe\\Flash Player\\NativeCache\\',
|
'\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\',
|
||||||
'C:\\Windows\\AppCompat\\Programs\\',
|
'C:\\Windows\\AppCompat\\Programs\\',
|
||||||
'C:\~' # caused by temp file created by MS Office when opening malicious doc/xls/...
|
'C:\\~' # caused by temp file created by MS Office when opening malicious doc/xls/...
|
||||||
}
|
}
|
||||||
if list_in_string(noise_substrings, item):
|
if list_in_string(noise_substrings, item):
|
||||||
return None
|
return None
|
||||||
|
@ -531,4 +533,3 @@ def introspection():
|
||||||
def version():
|
def version():
|
||||||
moduleinfo['config'] = moduleconfig
|
moduleinfo['config'] = moduleconfig
|
||||||
return moduleinfo
|
return moduleinfo
|
||||||
|
|
||||||
|
|
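Review bot: The `errors='ignore'` in `file_data.decode("utf-8", 'ignore')` silently drops every byte that is not valid UTF-8, so an `l_fname` parsed from such a line is no longer the name the sandbox recorded, and the same function then emits that name as an indicator (the `filename` attribute appended a few lines further down carries `to_ids: True`). File names are chosen by the sample, and a Windows sandbox may well write mapping.log in a non-UTF-8 code page, so a name losing all its non-ASCII characters is a realistic case, not a corner one. Prefer `file_data.decode("utf-8", "backslashreplace")`, which still cannot raise but keeps a visible `\xNN` trace of what could not be decoded, so the mangled name is recognisable in MISP instead of looking like a clean indicator. handler() starts and ends outside this hunk.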