Merge branch 'master' of github.com:MISP/misp-modules

pull/222/head
chrisr3d 2018-08-08 16:51:42 +02:00
commit 9acf66053e
1 changed files with 25 additions and 17 deletions

View File

@ -15,7 +15,7 @@ misperrors = {'error': 'Error'}
userConfig = {} userConfig = {}
inputSource = ['file'] inputSource = ['file']
moduleinfo = {'version': '0.7', 'author': 'Christophe Vandeplas', moduleinfo = {'version': '0.8', 'author': 'Christophe Vandeplas',
'description': 'Import for ThreatAnalyzer archive.zip/analysis.json files', 'description': 'Import for ThreatAnalyzer archive.zip/analysis.json files',
'module-type': ['import']} 'module-type': ['import']}
@ -73,7 +73,7 @@ def handler(q=False):
results.append({ results.append({
'values': current_sample_filename, 'values': current_sample_filename,
'data': base64.b64encode(file_data).decode(), 'data': base64.b64encode(file_data).decode(),
'type': 'malware-sample', 'categories': ['Payload delivery', 'Artifacts dropped'], 'to_ids': True, 'comment': ''}) 'type': 'malware-sample', 'categories': ['Artifacts dropped', 'Payload delivery'], 'to_ids': True, 'comment': ''})
if 'Analysis/analysis.json' in zip_file_name: if 'Analysis/analysis.json' in zip_file_name:
with zf.open(zip_file_name, mode='r', pwd=None) as fp: with zf.open(zip_file_name, mode='r', pwd=None) as fp:
@ -88,7 +88,7 @@ def handler(q=False):
results.append({ results.append({
'values': sample_filename, 'values': sample_filename,
'data': base64.b64encode(file_data).decode(), 'data': base64.b64encode(file_data).decode(),
'type': 'malware-sample', 'categories': ['Artifacts dropped', 'Payload delivery'], 'to_ids': True, 'comment': ''}) 'type': 'malware-sample', 'categories': ['Payload delivery', 'Artifacts dropped'], 'to_ids': True, 'comment': ''})
except Exception as e: except Exception as e:
# no 'sample' in archive, might be an url analysis, just ignore # no 'sample' in archive, might be an url analysis, just ignore
pass pass
@ -113,7 +113,15 @@ def process_analysis_json(analysis_json):
for process in analysis_json['analysis']['processes']['process']: for process in analysis_json['analysis']['processes']['process']:
# print_json(process) # print_json(process)
if 'connection_section' in process and 'connection' in process['connection_section']: if 'connection_section' in process and 'connection' in process['connection_section']:
# compensate for absurd behavior of the data format: if one entry = immediately the dict, if multiple entries = list containing dicts
# this will always create a list, even with only one item
if isinstance(process['connection_section']['connection'], dict):
process['connection_section']['connection'] = [process['connection_section']['connection']]
# iterate over each entry
for connection_section_connection in process['connection_section']['connection']: for connection_section_connection in process['connection_section']['connection']:
if 'name_to_ip' in connection_section_connection: # TA 6.1 data format
connection_section_connection['@remote_ip'] = connection_section_connection['name_to_ip']['@result_addresses']
connection_section_connection['@remote_hostname'] = connection_section_connection['name_to_ip']['@request_name']
connection_section_connection['@remote_ip'] = cleanup_ip(connection_section_connection['@remote_ip']) connection_section_connection['@remote_ip'] = cleanup_ip(connection_section_connection['@remote_ip'])
connection_section_connection['@remote_hostname'] = cleanup_hostname(connection_section_connection['@remote_hostname']) connection_section_connection['@remote_hostname'] = cleanup_hostname(connection_section_connection['@remote_hostname'])
@ -124,7 +132,7 @@ def process_analysis_json(analysis_json):
# connection_section_connection['@remote_hostname'], # connection_section_connection['@remote_hostname'],
# connection_section_connection['@remote_ip']) # connection_section_connection['@remote_ip'])
# ) # )
yield({'values': val, 'type': 'domain|ip', 'categories': 'Network activity', 'to_ids': True, 'comment': ''}) yield({'values': val, 'type': 'domain|ip', 'categories': ['Network activity'], 'to_ids': True, 'comment': ''})
elif connection_section_connection['@remote_ip']: elif connection_section_connection['@remote_ip']:
# print("connection_section_connection ip-dst: {} IDS:yes".format( # print("connection_section_connection ip-dst: {} IDS:yes".format(
# connection_section_connection['@remote_ip']) # connection_section_connection['@remote_ip'])
@ -136,20 +144,19 @@ def process_analysis_json(analysis_json):
# ) # )
yield({'values': connection_section_connection['@remote_hostname'], 'type': 'hostname', 'to_ids': True, 'comment': ''}) yield({'values': connection_section_connection['@remote_hostname'], 'type': 'hostname', 'to_ids': True, 'comment': ''})
if 'http_command' in connection_section_connection: if 'http_command' in connection_section_connection:
for http_command in connection_section_connection['http_command']: # print('connection_section_connection HTTP COMMAND: {}\t{}'.format(
# print('connection_section_connection HTTP COMMAND: {}\t{}'.format( # connection_section_connection['http_command']['@method'], # comment
# http_command['@method'], # comment # connection_section_connection['http_command']['@url']) # url
# http_command['@url']) # url # )
# ) val = cleanup_url(connection_section_connection['http_command']['@url'])
val = cleanup_url(http_command['@url']) if val:
if val: yield({'values': val, 'type': 'url', 'categories': ['Network activity'], 'to_ids': True, 'comment': connection_section_connection['http_command']['@method']})
yield({'values': val, 'type': 'url', 'categories': 'Network activity', 'to_ids': True, 'comment': http_command['@method']})
if 'http_header' in connection_section_connection: if 'http_header' in connection_section_connection:
for http_header in connection_section_connection['http_header']: for http_header in connection_section_connection['http_header']:
if 'User-Agent:' in http_header['@header']: if 'User-Agent:' in http_header['@header']:
val = http_header['@header'][len('User-Agent: '):] val = http_header['@header'][len('User-Agent: '):]
yield({'values': val, 'type': 'user-agent', 'categories': 'Network activity', 'to_ids': False, 'comment': ''}) yield({'values': val, 'type': 'user-agent', 'categories': ['Network activity'], 'to_ids': False, 'comment': ''})
elif 'Host:' in http_header['@header']: elif 'Host:' in http_header['@header']:
val = http_header['@header'][len('Host: '):] val = http_header['@header'][len('Host: '):]
if ':' in val: if ':' in val:
@ -162,7 +169,7 @@ def process_analysis_json(analysis_json):
if val_hostname and val_port: if val_hostname and val_port:
val_combined = '{}|{}'.format(val_hostname, val_port) val_combined = '{}|{}'.format(val_hostname, val_port)
# print({'values': val_combined, 'type': 'hostname|port', 'to_ids': True, 'comment': ''}) # print({'values': val_combined, 'type': 'hostname|port', 'to_ids': True, 'comment': ''})
yield({'values': val_combined, 'type': 'hostname|port', 'to_ids': True, 'comment': ''}) yield({'values': val_combined, 'type': 'hostname|port', 'categories': ['Network activity'], 'to_ids': True, 'comment': ''})
elif val_ip and val_port: elif val_ip and val_port:
val_combined = '{}|{}'.format(val_ip, val_port) val_combined = '{}|{}'.format(val_ip, val_port)
# print({'values': val_combined, 'type': 'ip-dst|port', 'to_ids': True, 'comment': ''}) # print({'values': val_combined, 'type': 'ip-dst|port', 'to_ids': True, 'comment': ''})
@ -207,7 +214,7 @@ def process_analysis_json(analysis_json):
# networkoperation_section_dns_request_by_name['@request_name'], # networkoperation_section_dns_request_by_name['@request_name'],
# networkoperation_section_dns_request_by_name['@result_addresses']) # networkoperation_section_dns_request_by_name['@result_addresses'])
# ) # )
yield({'values': val, 'type': 'domain|ip', 'categories': 'Network activity', 'to_ids': True, 'comment': ''}) yield({'values': val, 'type': 'domain|ip', 'categories': ['Network activity'], 'to_ids': True, 'comment': ''})
elif networkoperation_section_dns_request_by_name['@request_name']: elif networkoperation_section_dns_request_by_name['@request_name']:
# print("networkoperation_section_dns_request_by_name hostname: {} IDS:yes".format( # print("networkoperation_section_dns_request_by_name hostname: {} IDS:yes".format(
# networkoperation_section_dns_request_by_name['@request_name']) # networkoperation_section_dns_request_by_name['@request_name'])
@ -231,14 +238,14 @@ def process_analysis_json(analysis_json):
# networkpacket_section_connect_to_computer['@remote_port']) # networkpacket_section_connect_to_computer['@remote_port'])
# ) # )
val_combined = "{}|{}".format(networkpacket_section_connect_to_computer['@remote_hostname'], networkpacket_section_connect_to_computer['@remote_ip']) val_combined = "{}|{}".format(networkpacket_section_connect_to_computer['@remote_hostname'], networkpacket_section_connect_to_computer['@remote_ip'])
yield({'values': val_combined, 'type': 'hostname|ip', 'to_ids': True, 'comment': ''}) yield({'values': val_combined, 'type': 'domain|ip', 'to_ids': True, 'comment': ''})
elif networkpacket_section_connect_to_computer['@remote_hostname']: elif networkpacket_section_connect_to_computer['@remote_hostname']:
# print("networkpacket_section_connect_to_computer hostname: {} IDS:yes COMMENT:port {}".format( # print("networkpacket_section_connect_to_computer hostname: {} IDS:yes COMMENT:port {}".format(
# networkpacket_section_connect_to_computer['@remote_hostname'], # networkpacket_section_connect_to_computer['@remote_hostname'],
# networkpacket_section_connect_to_computer['@remote_port']) # networkpacket_section_connect_to_computer['@remote_port'])
# ) # )
val_combined = "{}|{}".format(networkpacket_section_connect_to_computer['@remote_hostname'], networkpacket_section_connect_to_computer['@remote_port']) val_combined = "{}|{}".format(networkpacket_section_connect_to_computer['@remote_hostname'], networkpacket_section_connect_to_computer['@remote_port'])
yield({'values': val_combined, 'type': 'hostname|port', 'to_ids': True, 'comment': ''}) yield({'values': val_combined, 'type': 'hostname|port', 'categories': ['Network activity'], 'to_ids': True, 'comment': ''})
elif networkpacket_section_connect_to_computer['@remote_ip']: elif networkpacket_section_connect_to_computer['@remote_ip']:
# print("networkpacket_section_connect_to_computer ip-dst: {} IDS:yes COMMENT:port {}".format( # print("networkpacket_section_connect_to_computer ip-dst: {} IDS:yes COMMENT:port {}".format(
# networkpacket_section_connect_to_computer['@remote_ip'], # networkpacket_section_connect_to_computer['@remote_ip'],
@ -524,3 +531,4 @@ def introspection():
def version(): def version():
moduleinfo['config'] = moduleconfig moduleinfo['config'] = moduleconfig
return moduleinfo return moduleinfo