add: Supporting composite attributes ip-*|port
- Including one check to avoid querying CrowdStrike with a port value
parent
b37073c746
commit
804fe00188
@ -8,8 +8,8 @@ moduleinfo = {'version': '0.1',
|
|||
moduleconfig = ['api_id', 'apikey']
|
||||
misperrors = {'error': 'Error'}
|
||||
misp_types_in = ['domain', 'domain|ip', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',
|
||||
'filename', 'hostname', 'ip-src', 'ip-dst', 'md5', 'mutex', 'regkey', 'sha1', 'sha256', 'uri', 'url',
|
||||
'user-agent', 'whois-registrant-email', 'x509-fingerprint-md5']
|
||||
'filename', 'hostname', 'ip-src', 'ip-dst', 'md5', 'mutex', 'regkey', 'sha1', 'sha256', 'ip-src|port',
|
||||
'ip-dst|port', 'uri', 'url', 'user-agent', 'whois-registrant-email', 'x509-fingerprint-md5']
|
||||
mapping_out = { # mapping between the MISP attributes types and the compatible CrowdStrike indicator types.
|
||||
'domain': {'types': 'hostname', 'to_ids': True},
|
||||
'email_address': {'types': 'email-src', 'to_ids': True},
|
||||
|
@ -54,6 +54,7 @@ def handler(q=False):
|
|||
to_query = request[k]
|
||||
if '|' in k:
|
||||
to_query, query = to_query.split('|')
|
||||
if 'port' not in k:
|
||||
r['result'].extend([ item for item in lookup_indicator(client, query)])
|
||||
# map the MISP type to the CrowdStrike type
|
||||
r['results'].extend([item for item in lookup_indicator(client, to_query)])
|
||||
|
|
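Review bot: In the composite branch of the second hunk, the guarded lookup on the `query` half extends `r['result']`, while the line under `# map the MISP type to the CrowdStrike type` extends `r['results']`; if `r` is initialised with only a `results` key, as that second line implies, a `domain|ip` attribute raises `KeyError` before any result is returned. Whether that line is new or context cannot be told from this rendered page, but it is on the new side either way, so I would change it to `r['results'].extend([item for item in lookup_indicator(client, query)])` (or simply `r['results'].extend(lookup_indicator(client, query))`). The unpacking `to_query, query = to_query.split('|')` also raises `ValueError` whenever the submitted value does not contain exactly one `|`, so a malformed composite value from the request surfaces as an unhandled exception rather than a `misperrors` return; a `split('|', 1)` followed by a length check that returns `misperrors` would keep that input failure inside the module's error path. handler() begins and ends outside the hunk.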