mirror of https://github.com/MISP/misp-modules
fix: threatanalyzer_import - bugfix for TA6.1 behavior
parent
2d47b670f8
commit
8817de4765
|
@ -15,7 +15,7 @@ misperrors = {'error': 'Error'}
|
||||||
userConfig = {}
|
userConfig = {}
|
||||||
inputSource = ['file']
|
inputSource = ['file']
|
||||||
|
|
||||||
moduleinfo = {'version': '0.9', 'author': 'Christophe Vandeplas',
|
moduleinfo = {'version': '0.10', 'author': 'Christophe Vandeplas',
|
||||||
'description': 'Import for ThreatAnalyzer archive.zip/analysis.json files',
|
'description': 'Import for ThreatAnalyzer archive.zip/analysis.json files',
|
||||||
'module-type': ['import']}
|
'module-type': ['import']}
|
||||||
|
|
||||||
|
@ -118,8 +118,15 @@ def process_analysis_json(analysis_json):
|
||||||
# this will always create a list, even with only one item
|
# this will always create a list, even with only one item
|
||||||
if isinstance(process['connection_section']['connection'], dict):
|
if isinstance(process['connection_section']['connection'], dict):
|
||||||
process['connection_section']['connection'] = [process['connection_section']['connection']]
|
process['connection_section']['connection'] = [process['connection_section']['connection']]
|
||||||
|
|
||||||
# iterate over each entry
|
# iterate over each entry
|
||||||
for connection_section_connection in process['connection_section']['connection']:
|
for connection_section_connection in process['connection_section']['connection']:
|
||||||
|
# compensate for absurd behavior of the data format: if one entry = immediately the dict, if multiple entries = list containing dicts
|
||||||
|
# this will always create a list, even with only one item
|
||||||
|
for subsection in ['http_command', 'http_header']:
|
||||||
|
if isinstance(connection_section_connection[subsection], dict):
|
||||||
|
connection_section_connection[subsection] = [connection_section_connection[subsection]]
|
||||||
|
|
||||||
if 'name_to_ip' in connection_section_connection: # TA 6.1 data format
|
if 'name_to_ip' in connection_section_connection: # TA 6.1 data format
|
||||||
connection_section_connection['@remote_ip'] = connection_section_connection['name_to_ip']['@result_addresses']
|
connection_section_connection['@remote_ip'] = connection_section_connection['name_to_ip']['@result_addresses']
|
||||||
connection_section_connection['@remote_hostname'] = connection_section_connection['name_to_ip']['@request_name']
|
connection_section_connection['@remote_hostname'] = connection_section_connection['name_to_ip']['@request_name']
|
||||||
|
|
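Review bot: The new normalization loop indexes `connection_section_connection[subsection]` directly for both `http_command` and `http_header`, so a connection entry that lacks either key would raise `KeyError` and, unless a caller catches it, abort the import of the whole report. The `name_to_ip` handling just below already guards with a membership test, which suggests these keys vary between ThreatAnalyzer versions; I would write `if isinstance(connection_section_connection.get(subsection), dict):` instead. The added comment `# this will always create a list, even with only one item` is copied from the block above and could be replaced by one line saying that a single `http_command`/`http_header` entry arrives as a dict and is wrapped in a list. Indentation is lost in this rendering and `process_analysis_json` starts and ends outside the hunk, so the nesting and any surrounding error handling are inferred.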