add: Supporting composite attributes ip-*|port
- Including a check to avoid querying CrowdStrike with a port value
parent
b37073c746
commit
804fe00188
@ -8,8 +8,8 @@ moduleinfo = {'version': '0.1',
moduleconfig = ['api_id', 'apikey']
moduleconfig = ['api_id', 'apikey']
misperrors = {'error': 'Error'}
misperrors = {'error': 'Error'}
misp_types_in = ['domain', 'domain|ip', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',
misp_types_in = ['domain', 'domain|ip', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',
'filename', 'hostname', 'ip-src', 'ip-dst', 'md5', 'mutex', 'regkey', 'sha1', 'sha256', 'uri', 'url',
'filename', 'hostname', 'ip-src', 'ip-dst', 'md5', 'mutex', 'regkey', 'sha1', 'sha256', 'ip-src|port',
'user-agent', 'whois-registrant-email', 'x509-fingerprint-md5']
'ip-dst|port', 'uri', 'url', 'user-agent', 'whois-registrant-email', 'x509-fingerprint-md5']
mapping_out = { # mapping between the MISP attributes types and the compatible CrowdStrike indicator types.
mapping_out = { # mapping between the MISP attributes types and the compatible CrowdStrike indicator types.
'domain': {'types': 'hostname', 'to_ids': True},
'domain': {'types': 'hostname', 'to_ids': True},
'email_address': {'types': 'email-src', 'to_ids': True},
'email_address': {'types': 'email-src', 'to_ids': True},
@ -54,7 +54,8 @@ def handler(q=False):
to_query = request[k]
to_query = request[k]
if '|' in k:
if '|' in k:
to_query, query = to_query.split('|')
to_query, query = to_query.split('|')
r['result'].extend([ item for item in lookup_indicator(client, query)])
if 'port' not in k:
r['result'].extend([ item for item in lookup_indicator(client, query)])
# map the MISP type to the CrowdStrike type
# map the MISP type to the CrowdStrike type
r['results'].extend([item for item in lookup_indicator(client, to_query)])
r['results'].extend([item for item in lookup_indicator(client, to_query)])
valid_type = True
valid_type = True
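Review bot: The lookup kept under the new `if 'port' not in k:` guard extends `r['result']`, while the unconditional lookup three lines below extends `r['results']`; unless `r` is initialised with both keys outside this hunk, every non-port composite attribute (e.g. `domain|ip`) will either raise KeyError or store its hits under a key the caller never reads, so the guarded line should read `r['results'].extend(...)`. The unpack `to_query, query = to_query.split('|')` also raises an uncaught ValueError whenever a composite-typed attribute value does not contain exactly one `|`; `to_query, _, query = to_query.partition('|')` tolerates a missing or repeated separator, and malformed values should then be skipped rather than sent to the lookup. As a style point, `list.extend` accepts any iterable, so the `[item for item in ...]` wrapper on both lookups can be dropped: `r['results'].extend(lookup_indicator(client, to_query))`. handler() begins and ends outside the hunk.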
|
||||||
|
|
Loading…
Reference in New Issue