From d14d3d585fe2de3ac6082dfd4f47602de1a472b3 Mon Sep 17 00:00:00 2001
From: Corsin Camichel
Date: Sat, 13 Mar 2021 20:36:49 +0100
Subject: [PATCH 1/2] first version of ThreatFox enrichment module
---
 misp_modules/modules/expansion/threatfox.py | 59 +++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 misp_modules/modules/expansion/threatfox.py
diff --git a/misp_modules/modules/expansion/threatfox.py b/misp_modules/modules/expansion/threatfox.py
new file mode 100644
index 0000000..6ddf730
--- /dev/null
+++ b/misp_modules/modules/expansion/threatfox.py
@@ -0,0 +1,59 @@
+# -*- coding: utf-8 -*-
+import requests
+import json
+
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['md5', 'sha1', 'sha256', 'domain', 'url', 'email-src', 'ip-dst|port', 'ip-src|port'],'output': ['text']}
+moduleinfo = {'version': '0.1', 'author': 'Corsin Camichel', 'description': 'Module to search for an IOC on ThreatFox by abuse.ch.', 'module-type': ['hover', 'expansion']}
+moduleconfig = []
+
+API_URL = "https://threatfox-api.abuse.ch/api/v1/"
+
+# copied from
+# https://github.com/marjatech/threatfox2misp/blob/main/threatfox2misp.py
+def confidence_level_to_tag(level: int) -> str:
+    confidence_tagging = {
+        0: 'misp:confidence-level="unconfident"',
+        10: 'misp:confidence-level="rarely-confident"',
+        37: 'misp:confidence-level="fairly-confident"',
+        63: 'misp:confidence-level="usually-confident"',
+        90: 'misp:confidence-level="completely-confident"',
+    }
+
+    confidence_tag = ""
+    for tag_minvalue, tag in confidence_tagging.items():
+        if level >= tag_minvalue:
+            confidence_tag = tag
+    return confidence_tag
+
+def handler(q=False):
+    if q is False:
+        return False
+
+    request = json.loads(q)
+    ret_val = ""
+
+    for input_type in mispattributes['input']:
+        if input_type in request:
+            to_query = request[input_type]
+            break
+    else:
+        misperrors['error'] = "Unsupported attributes type:"
+        return misperrors
+
+    data = { "query": "search_ioc", "search_term": f"{to_query}" }
+    response = requests.post(API_URL, data=json.dumps(data))
+    if response.status_code == 200:
+        result = json.loads(response.text)
+        if(result["query_status"] == "ok"):
+            confidence_tag = confidence_level_to_tag(result["data"][0]["confidence_level"])
+            ret_val = {'results': [{'types': mispattributes['output'], 'values': [result["data"][0]["threat_type_desc"]], 'tags': [result["data"][0]["malware"], confidence_tag ] }]}
+
+    return ret_val
+
+def introspection():
+    return mispattributes
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo
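Review bot: `requests.post(API_URL, data=json.dumps(data))` in handler carries no `timeout`, and a non-200 status, a non-JSON body or a `query_status` other than `"ok"` all fall through to `return ret_val` with `ret_val` still `""`, so a slow ThreatFox endpoint can block the module worker indefinitely and any failure hands the caller an empty string instead of the `misperrors` dict the unsupported-type path returns. `result["data"][0]` is also unguarded: if the API ever answers `ok` with an empty `data` list this is an IndexError inside the worker. Suggest bounding the request, wrapping the network and parse steps in one try/except, and returning `misperrors` for every failure as below; `misperrors['error'] = "Unsupported attributes type:"` should also name the received attribute types instead of ending in a bare colon. The input list accepts `ip-dst|port` and `ip-src|port` but the `|`-separated MISP value is sent as the search term verbatim — verify the format ThreatFox expects for ip:port IOCs before relying on those types.
```python
def handler(q=False):
    # … unchanged: q check, json.loads(q), attribute-type lookup …
    data = {"query": "search_ioc", "search_term": f"{to_query}"}
    try:
        # bounded so a hung upstream cannot stall the worker
        response = requests.post(API_URL, data=json.dumps(data), timeout=30)
        response.raise_for_status()
        result = response.json()
    except (requests.RequestException, ValueError) as exc:
        misperrors['error'] = f"ThreatFox request failed: {exc}"
        return misperrors
    if result.get("query_status") != "ok" or not result.get("data"):
        misperrors['error'] = f"ThreatFox query_status: {result.get('query_status')}"
        return misperrors
    entry = result["data"][0]
    confidence_tag = confidence_level_to_tag(entry["confidence_level"])
    return {'results': [{'types': mispattributes['output'],
                         'values': [entry["threat_type_desc"]],
                         'tags': [entry["malware"], confidence_tag]}]}
```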
From a13184b078fc997bb8c37bf9c5dca58d14dd0123 Mon Sep 17 00:00:00 2001
From: Corsin Camichel
Date: Sat, 13 Mar 2021 20:59:54 +0100
Subject: [PATCH 2/2] adding additional tags
---
 misp_modules/modules/expansion/threatfox.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misp_modules/modules/expansion/threatfox.py b/misp_modules/modules/expansion/threatfox.py
index 6ddf730..f2201a0 100644
--- a/misp_modules/modules/expansion/threatfox.py
+++ b/misp_modules/modules/expansion/threatfox.py
@@ -47,7 +47,7 @@ def handler(q=False):
         result = json.loads(response.text)
         if(result["query_status"] == "ok"):
             confidence_tag = confidence_level_to_tag(result["data"][0]["confidence_level"])
-            ret_val = {'results': [{'types': mispattributes['output'], 'values': [result["data"][0]["threat_type_desc"]], 'tags': [result["data"][0]["malware"], confidence_tag ] }]}
+            ret_val = {'results': [{'types': mispattributes['output'], 'values': [result["data"][0]["threat_type_desc"]], 'tags': [result["data"][0]["malware"], result["data"][0]["malware_printable"], confidence_tag ] }]}
     return ret_val
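Review bot: The rewritten `ret_val` line now indexes `result["data"][0]` four times and runs to roughly 200 characters; binding the entry once, `entry = result["data"][0]`, and building `tags = [entry["malware"], entry["malware_printable"], confidence_tag]` on its own line keeps it readable and gives one place to handle a missing field. Both tag values are taken verbatim from the upstream response, so if ThreatFox omits `malware_printable` for some entries this line raises KeyError in the worker — `entry.get("malware_printable")` with `None` filtered out of the tag list would avoid that. handler starts and ends outside the hunk.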