MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: Making ipasn module return asn object(s) 

- Latest changes on the returned value as string
  broke the freetext parser, because no asn number
  could be parsed when we return the full json
  blob as a freetext attribute
- Now returning asn object(s) with a reference to
  the initial attribute
pull/363/head
chrisr3d 2020-01-10 15:02:59 +01:00
parent 35c438e6ee
commit b3bc533bc3
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 24 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
misp_modules/modules/expansion/ipasn.py
View File

@ -2,22 +2,40 @@
import json import json
from pyipasnhistory import IPASNHistory from pyipasnhistory import IPASNHistory
from pymisp import MISPAttribute, MISPEvent, MISPObject
misperrors = {'error': 'Error'} misperrors = {'error': 'Error'}
mispattributes = {'input': ['ip-src', 'ip-dst'], 'output': ['freetext']} mispattributes = {'input': ['ip-src', 'ip-dst'], 'format': 'misp_standard'}
moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot', moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot',
'description': 'Query an IP ASN history service (https://github.com/CIRCL/IP-ASN-history.git)', 'description': 'Query an IP ASN history service (https://github.com/CIRCL/IP-ASN-history.git)',
'module-type': ['expansion', 'hover']} 'module-type': ['expansion', 'hover']}
def parse_result(attribute, values):
event = MISPEvent()
initial_attribute = MISPAttribute()
initial_attribute.from_dict(**attribute)
event.add_attribute(**initial_attribute)
mapping = {'asn': ('AS', 'asn'), 'prefix': ('ip-src', 'subnet-announced')}
print(values)
for last_seen, response in values['response'].items():
asn = MISPObject('asn')
asn.add_attribute('last-seen', **{'type': 'datetime', 'value': last_seen})
for feature, attribute_fields in mapping.items():
attribute_type, object_relation = attribute_fields
asn.add_attribute(object_relation, **{'type': attribute_type, 'value': response[feature]})
asn.add_reference(initial_attribute.uuid, 'related-to')
event.add_object(**asn)
event = json.loads(event.to_json())
return {key: event[key] for key in ('Attribute', 'Object')}
def handler(q=False): def handler(q=False):
if q is False: if q is False:
return False return False
request = json.loads(q) request = json.loads(q)
if request.get('ip-src'): if request.get('attribute') and request['attribute'].get('type') in mispattributes['input']:
toquery = request['ip-src'] toquery = request['attribute']['value']
elif request.get('ip-dst'):
toquery = request['ip-dst']
else: else:
misperrors['error'] = "Unsupported attributes type" misperrors['error'] = "Unsupported attributes type"
return misperrors return misperrors
@ -28,7 +46,7 @@ def handler(q=False):
if not values: if not values:
misperrors['error'] = 'Unable to find the history of this IP' misperrors['error'] = 'Unable to find the history of this IP'
return misperrors return misperrors
return {'results': [{'types': mispattributes['output'], 'values': [str(values)]}]} return {'results': parse_result(request['attribute'], values)}
def introspection(): def introspection():