mirror of https://github.com/MISP/misp-modules
Merge branch 'master' of github.com:MISP/misp-modules
chrisr3d
commit
9acf66053e
|
|
@ -15,7 +15,7 @@ misperrors = {'error': 'Error'}
|
||||||
userConfig = {}
|
userConfig = {}
|
||||||
inputSource = ['file']
|
inputSource = ['file']
|
||||||
|
|
||||||
moduleinfo = {'version': '0.7', 'author': 'Christophe Vandeplas',
|
moduleinfo = {'version': '0.8', 'author': 'Christophe Vandeplas',
|
||||||
'description': 'Import for ThreatAnalyzer archive.zip/analysis.json files',
|
'description': 'Import for ThreatAnalyzer archive.zip/analysis.json files',
|
||||||
'module-type': ['import']}
|
'module-type': ['import']}
|
||||||
|
|
||||||
|
|
@ -73,7 +73,7 @@ def handler(q=False):
|
||||||
results.append({
|
results.append({
|
||||||
'values': current_sample_filename,
|
'values': current_sample_filename,
|
||||||
'data': base64.b64encode(file_data).decode(),
|
'data': base64.b64encode(file_data).decode(),
|
||||||
'type': 'malware-sample', 'categories': ['Payload delivery', 'Artifacts dropped'], 'to_ids': True, 'comment': ''})
|
'type': 'malware-sample', 'categories': ['Artifacts dropped', 'Payload delivery'], 'to_ids': True, 'comment': ''})
|
||||||
|
|
||||||
if 'Analysis/analysis.json' in zip_file_name:
|
if 'Analysis/analysis.json' in zip_file_name:
|
||||||
with zf.open(zip_file_name, mode='r', pwd=None) as fp:
|
with zf.open(zip_file_name, mode='r', pwd=None) as fp:
|
||||||
|
|
@ -88,7 +88,7 @@ def handler(q=False):
|
||||||
results.append({
|
results.append({
|
||||||
'values': sample_filename,
|
'values': sample_filename,
|
||||||
'data': base64.b64encode(file_data).decode(),
|
'data': base64.b64encode(file_data).decode(),
|
||||||
'type': 'malware-sample', 'categories': ['Artifacts dropped', 'Payload delivery'], 'to_ids': True, 'comment': ''})
|
'type': 'malware-sample', 'categories': ['Payload delivery', 'Artifacts dropped'], 'to_ids': True, 'comment': ''})
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
# no 'sample' in archive, might be an url analysis, just ignore
|
# no 'sample' in archive, might be an url analysis, just ignore
|
||||||
pass
|
pass
|
||||||
|
|
@ -113,7 +113,15 @@ def process_analysis_json(analysis_json):
|
||||||
for process in analysis_json['analysis']['processes']['process']:
|
for process in analysis_json['analysis']['processes']['process']:
|
||||||
# print_json(process)
|
# print_json(process)
|
||||||
if 'connection_section' in process and 'connection' in process['connection_section']:
|
if 'connection_section' in process and 'connection' in process['connection_section']:
|
||||||
|
# compensate for absurd behavior of the data format: if one entry = immediately the dict, if multiple entries = list containing dicts
|
||||||
|
# this will always create a list, even with only one item
|
||||||
|
if isinstance(process['connection_section']['connection'], dict):
|
||||||
|
process['connection_section']['connection'] = [process['connection_section']['connection']]
|
||||||
|
# iterate over each entry
|
||||||
for connection_section_connection in process['connection_section']['connection']:
|
for connection_section_connection in process['connection_section']['connection']:
|
||||||
|
if 'name_to_ip' in connection_section_connection: # TA 6.1 data format
|
||||||
|
connection_section_connection['@remote_ip'] = connection_section_connection['name_to_ip']['@result_addresses']
|
||||||
|
connection_section_connection['@remote_hostname'] = connection_section_connection['name_to_ip']['@request_name']
|
||||||
|
|
||||||
connection_section_connection['@remote_ip'] = cleanup_ip(connection_section_connection['@remote_ip'])
|
connection_section_connection['@remote_ip'] = cleanup_ip(connection_section_connection['@remote_ip'])
|
||||||
connection_section_connection['@remote_hostname'] = cleanup_hostname(connection_section_connection['@remote_hostname'])
|
connection_section_connection['@remote_hostname'] = cleanup_hostname(connection_section_connection['@remote_hostname'])
|
||||||
|
|
@ -124,7 +132,7 @@ def process_analysis_json(analysis_json):
|
||||||
# connection_section_connection['@remote_hostname'],
|
# connection_section_connection['@remote_hostname'],
|
||||||
# connection_section_connection['@remote_ip'])
|
# connection_section_connection['@remote_ip'])
|
||||||
# )
|
# )
|
||||||
yield({'values': val, 'type': 'domain|ip', 'categories': 'Network activity', 'to_ids': True, 'comment': ''})
|
yield({'values': val, 'type': 'domain|ip', 'categories': ['Network activity'], 'to_ids': True, 'comment': ''})
|
||||||
elif connection_section_connection['@remote_ip']:
|
elif connection_section_connection['@remote_ip']:
|
||||||
# print("connection_section_connection ip-dst: {} IDS:yes".format(
|
# print("connection_section_connection ip-dst: {} IDS:yes".format(
|
||||||
# connection_section_connection['@remote_ip'])
|
# connection_section_connection['@remote_ip'])
|
||||||
|
|
@ -136,20 +144,19 @@ def process_analysis_json(analysis_json):
|
||||||
# )
|
# )
|
||||||
yield({'values': connection_section_connection['@remote_hostname'], 'type': 'hostname', 'to_ids': True, 'comment': ''})
|
yield({'values': connection_section_connection['@remote_hostname'], 'type': 'hostname', 'to_ids': True, 'comment': ''})
|
||||||
if 'http_command' in connection_section_connection:
|
if 'http_command' in connection_section_connection:
|
||||||
for http_command in connection_section_connection['http_command']:
|
# print('connection_section_connection HTTP COMMAND: {}\t{}'.format(
|
||||||
# print('connection_section_connection HTTP COMMAND: {}\t{}'.format(
|
# connection_section_connection['http_command']['@method'], # comment
|
||||||
# http_command['@method'], # comment
|
# connection_section_connection['http_command']['@url']) # url
|
||||||
# http_command['@url']) # url
|
# )
|
||||||
# )
|
val = cleanup_url(connection_section_connection['http_command']['@url'])
|
||||||
val = cleanup_url(http_command['@url'])
|
if val:
|
||||||
if val:
|
yield({'values': val, 'type': 'url', 'categories': ['Network activity'], 'to_ids': True, 'comment': connection_section_connection['http_command']['@method']})
|
||||||
yield({'values': val, 'type': 'url', 'categories': 'Network activity', 'to_ids': True, 'comment': http_command['@method']})
|
|
||||||
|
|
||||||
if 'http_header' in connection_section_connection:
|
if 'http_header' in connection_section_connection:
|
||||||
for http_header in connection_section_connection['http_header']:
|
for http_header in connection_section_connection['http_header']:
|
||||||
if 'User-Agent:' in http_header['@header']:
|
if 'User-Agent:' in http_header['@header']:
|
||||||
val = http_header['@header'][len('User-Agent: '):]
|
val = http_header['@header'][len('User-Agent: '):]
|
||||||
yield({'values': val, 'type': 'user-agent', 'categories': 'Network activity', 'to_ids': False, 'comment': ''})
|
yield({'values': val, 'type': 'user-agent', 'categories': ['Network activity'], 'to_ids': False, 'comment': ''})
|
||||||
elif 'Host:' in http_header['@header']:
|
elif 'Host:' in http_header['@header']:
|
||||||
val = http_header['@header'][len('Host: '):]
|
val = http_header['@header'][len('Host: '):]
|
||||||
if ':' in val:
|
if ':' in val:
|
||||||
|
|
@ -162,7 +169,7 @@ def process_analysis_json(analysis_json):
|
||||||
if val_hostname and val_port:
|
if val_hostname and val_port:
|
||||||
val_combined = '{}|{}'.format(val_hostname, val_port)
|
val_combined = '{}|{}'.format(val_hostname, val_port)
|
||||||
# print({'values': val_combined, 'type': 'hostname|port', 'to_ids': True, 'comment': ''})
|
# print({'values': val_combined, 'type': 'hostname|port', 'to_ids': True, 'comment': ''})
|
||||||
yield({'values': val_combined, 'type': 'hostname|port', 'to_ids': True, 'comment': ''})
|
yield({'values': val_combined, 'type': 'hostname|port', 'categories': ['Network activity'], 'to_ids': True, 'comment': ''})
|
||||||
elif val_ip and val_port:
|
elif val_ip and val_port:
|
||||||
val_combined = '{}|{}'.format(val_ip, val_port)
|
val_combined = '{}|{}'.format(val_ip, val_port)
|
||||||
# print({'values': val_combined, 'type': 'ip-dst|port', 'to_ids': True, 'comment': ''})
|
# print({'values': val_combined, 'type': 'ip-dst|port', 'to_ids': True, 'comment': ''})
|
||||||
|
|
@ -207,7 +214,7 @@ def process_analysis_json(analysis_json):
|
||||||
# networkoperation_section_dns_request_by_name['@request_name'],
|
# networkoperation_section_dns_request_by_name['@request_name'],
|
||||||
# networkoperation_section_dns_request_by_name['@result_addresses'])
|
# networkoperation_section_dns_request_by_name['@result_addresses'])
|
||||||
# )
|
# )
|
||||||
yield({'values': val, 'type': 'domain|ip', 'categories': 'Network activity', 'to_ids': True, 'comment': ''})
|
yield({'values': val, 'type': 'domain|ip', 'categories': ['Network activity'], 'to_ids': True, 'comment': ''})
|
||||||
elif networkoperation_section_dns_request_by_name['@request_name']:
|
elif networkoperation_section_dns_request_by_name['@request_name']:
|
||||||
# print("networkoperation_section_dns_request_by_name hostname: {} IDS:yes".format(
|
# print("networkoperation_section_dns_request_by_name hostname: {} IDS:yes".format(
|
||||||
# networkoperation_section_dns_request_by_name['@request_name'])
|
# networkoperation_section_dns_request_by_name['@request_name'])
|
||||||
|
|
@ -231,14 +238,14 @@ def process_analysis_json(analysis_json):
|
||||||
# networkpacket_section_connect_to_computer['@remote_port'])
|
# networkpacket_section_connect_to_computer['@remote_port'])
|
||||||
# )
|
# )
|
||||||
val_combined = "{}|{}".format(networkpacket_section_connect_to_computer['@remote_hostname'], networkpacket_section_connect_to_computer['@remote_ip'])
|
val_combined = "{}|{}".format(networkpacket_section_connect_to_computer['@remote_hostname'], networkpacket_section_connect_to_computer['@remote_ip'])
|
||||||
yield({'values': val_combined, 'type': 'hostname|ip', 'to_ids': True, 'comment': ''})
|
yield({'values': val_combined, 'type': 'domain|ip', 'to_ids': True, 'comment': ''})
|
||||||
elif networkpacket_section_connect_to_computer['@remote_hostname']:
|
elif networkpacket_section_connect_to_computer['@remote_hostname']:
|
||||||
# print("networkpacket_section_connect_to_computer hostname: {} IDS:yes COMMENT:port {}".format(
|
# print("networkpacket_section_connect_to_computer hostname: {} IDS:yes COMMENT:port {}".format(
|
||||||
# networkpacket_section_connect_to_computer['@remote_hostname'],
|
# networkpacket_section_connect_to_computer['@remote_hostname'],
|
||||||
# networkpacket_section_connect_to_computer['@remote_port'])
|
# networkpacket_section_connect_to_computer['@remote_port'])
|
||||||
# )
|
# )
|
||||||
val_combined = "{}|{}".format(networkpacket_section_connect_to_computer['@remote_hostname'], networkpacket_section_connect_to_computer['@remote_port'])
|
val_combined = "{}|{}".format(networkpacket_section_connect_to_computer['@remote_hostname'], networkpacket_section_connect_to_computer['@remote_port'])
|
||||||
yield({'values': val_combined, 'type': 'hostname|port', 'to_ids': True, 'comment': ''})
|
yield({'values': val_combined, 'type': 'hostname|port', 'categories': ['Network activity'], 'to_ids': True, 'comment': ''})
|
||||||
elif networkpacket_section_connect_to_computer['@remote_ip']:
|
elif networkpacket_section_connect_to_computer['@remote_ip']:
|
||||||
# print("networkpacket_section_connect_to_computer ip-dst: {} IDS:yes COMMENT:port {}".format(
|
# print("networkpacket_section_connect_to_computer ip-dst: {} IDS:yes COMMENT:port {}".format(
|
||||||
# networkpacket_section_connect_to_computer['@remote_ip'],
|
# networkpacket_section_connect_to_computer['@remote_ip'],
|
||||||
|
|
@ -524,3 +531,4 @@ def introspection():
|
||||||
def version():
|
def version():
|
||||||
moduleinfo['config'] = moduleconfig
|
moduleinfo['config'] = moduleconfig
|
||||||
return moduleinfo
|
return moduleinfo
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue