From 458e432bb7e0948b83b607bef81306c7ba369488 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Thu, 18 Mar 2021 19:22:26 +0100 Subject: [PATCH] fix: Making pep8 happy --- misp_modules/modules/expansion/google_search.py | 2 ++ misp_modules/modules/expansion/hibp.py | 7 +++++-- misp_modules/modules/expansion/threatfox.py | 10 +++++++--- .../modules/export_mod/defender_endpoint_export.py | 7 +++++++ 4 files changed, 21 insertions(+), 5 deletions(-) diff --git a/misp_modules/modules/expansion/google_search.py b/misp_modules/modules/expansion/google_search.py index 97e37ad..68224ab 100644 --- a/misp_modules/modules/expansion/google_search.py +++ b/misp_modules/modules/expansion/google_search.py @@ -11,9 +11,11 @@ mispattributes = {'input': ['url'], 'output': ['text']} moduleinfo = {'author': 'Oun & Gindt', 'module-type': ['hover'], 'description': 'An expansion hover module to expand google search information about an URL'} + def sleep(retry): time.sleep(random.uniform(0, min(40, 0.01 * 2 ** retry))) + def handler(q=False): if q is False: return False diff --git a/misp_modules/modules/expansion/hibp.py b/misp_modules/modules/expansion/hibp.py index bea7749..66911f2 100644 --- a/misp_modules/modules/expansion/hibp.py +++ b/misp_modules/modules/expansion/hibp.py @@ -3,12 +3,13 @@ import requests import json misperrors = {'error': 'Error'} -mispattributes = {'input': ['email-dst', 'email-src'],'output': ['text']} +mispattributes = {'input': ['email-dst', 'email-src'], 'output': ['text']} moduleinfo = {'version': '0.2', 'author': 'Corsin Camichel, Aurélien Schwab', 'description': 'Module to access haveibeenpwned.com API (v3).', 'module-type': ['hover']} moduleconfig = ['api_key'] haveibeenpwned_api_url = 'https://haveibeenpwned.com/api/v3/breachedaccount/' -API_KEY = "" # details at https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/ +API_KEY = "" # details at https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/ + def handler(q=False): if q is False: @@ -39,9 +40,11 @@ def handler(q=False): misperrors['error'] = 'haveibeenpwned.com API not accessible (HTTP ' + str(r.status_code) + ')' return misperrors['error'] + def introspection(): return mispattributes + def version(): moduleinfo['config'] = moduleconfig return moduleinfo diff --git a/misp_modules/modules/expansion/threatfox.py b/misp_modules/modules/expansion/threatfox.py index f2201a0..4a89918 100644 --- a/misp_modules/modules/expansion/threatfox.py +++ b/misp_modules/modules/expansion/threatfox.py @@ -3,12 +3,13 @@ import requests import json misperrors = {'error': 'Error'} -mispattributes = {'input': ['md5', 'sha1', 'sha256', 'domain', 'url', 'email-src', 'ip-dst|port', 'ip-src|port'],'output': ['text']} +mispattributes = {'input': ['md5', 'sha1', 'sha256', 'domain', 'url', 'email-src', 'ip-dst|port', 'ip-src|port'], 'output': ['text']} moduleinfo = {'version': '0.1', 'author': 'Corsin Camichel', 'description': 'Module to search for an IOC on ThreatFox by abuse.ch.', 'module-type': ['hover', 'expansion']} moduleconfig = [] API_URL = "https://threatfox-api.abuse.ch/api/v1/" + # copied from # https://github.com/marjatech/threatfox2misp/blob/main/threatfox2misp.py def confidence_level_to_tag(level: int) -> str: @@ -26,6 +27,7 @@ def confidence_level_to_tag(level: int) -> str: confidence_tag = tag return confidence_tag + def handler(q=False): if q is False: return False @@ -41,19 +43,21 @@ def handler(q=False): misperrors['error'] = "Unsupported attributes type:" return misperrors - data = { "query": "search_ioc", "search_term": f"{to_query}" } + data = {"query": "search_ioc", "search_term": f"{to_query}"} response = requests.post(API_URL, data=json.dumps(data)) if response.status_code == 200: result = json.loads(response.text) if(result["query_status"] == "ok"): confidence_tag = confidence_level_to_tag(result["data"][0]["confidence_level"]) - ret_val = {'results': [{'types': mispattributes['output'], 'values': [result["data"][0]["threat_type_desc"]], 'tags': [result["data"][0]["malware"], result["data"][0]["malware_printable"], confidence_tag ] }]} + ret_val = {'results': [{'types': mispattributes['output'], 'values': [result["data"][0]["threat_type_desc"]], 'tags': [result["data"][0]["malware"], result["data"][0]["malware_printable"], confidence_tag]}]} return ret_val + def introspection(): return mispattributes + def version(): moduleinfo['config'] = moduleconfig return moduleinfo diff --git a/misp_modules/modules/export_mod/defender_endpoint_export.py b/misp_modules/modules/export_mod/defender_endpoint_export.py index eea929c..1c36efb 100755 --- a/misp_modules/modules/export_mod/defender_endpoint_export.py +++ b/misp_modules/modules/export_mod/defender_endpoint_export.py @@ -24,31 +24,37 @@ moduleinfo = {'version': '1.0', 'author': 'Julien Bachmann, Hacknowledge', 'description': 'Defender for Endpoint KQL hunting query export module', 'module-type': ['export']} + def handle_sha1(value, period): query = f"""find in (DeviceAlertEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents) where SHA1 == '{value}' or InitiatingProcessSHA1 == '{value}'""" return query.replace('\n', ' ') + def handle_md5(value, period): query = f"""find in (DeviceAlertEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents) where MD5 == '{value}' or InitiatingProcessMD5 == '{value}'""" return query.replace('\n', ' ') + def handle_domain(value, period): query = f"""find in (DeviceAlertEvents, DeviceNetworkEvents) where RemoteUrl contains '{value}'""" return query.replace('\n', ' ') + def handle_ip(value, period): query = f"""find in (DeviceAlertEvents, DeviceNetworkEvents) where RemoteIP == '{value}'""" return query.replace('\n', ' ') + def handle_url(value, period): query = f"""find in (DeviceAlertEvents, DeviceNetworkEvents) where RemoteUrl startswith '{value}'""" return query.replace('\n', ' ') + handlers = { 'sha1': handle_sha1, 'md5': handle_md5, @@ -72,6 +78,7 @@ def handler(q=False): r = {"response": [], "data": str(base64.b64encode(bytes(output, 'utf-8')), 'utf-8')} return r + def introspection(): modulesetup = {} try: