mirror of https://github.com/MISP/misp-modules
Make PEP8 happy \o/
parent
91675a635c
commit
c6fccf1b7e
|
@ -1,6 +1,4 @@
|
||||||
import json
|
import json
|
||||||
import stix
|
|
||||||
import csv
|
|
||||||
from stix.core import STIXPackage
|
from stix.core import STIXPackage
|
||||||
import re
|
import re
|
||||||
import base64
|
import base64
|
||||||
|
@ -66,13 +64,14 @@ def handler(q=False):
|
||||||
# Quick and dirty regex for IP addresses
|
# Quick and dirty regex for IP addresses
|
||||||
ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
|
ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
|
||||||
|
|
||||||
|
|
||||||
def buildCampaign(cpn):
|
def buildCampaign(cpn):
|
||||||
"""
|
"""
|
||||||
Extract a campaign name
|
Extract a campaign name
|
||||||
"""
|
"""
|
||||||
|
|
||||||
return {"values": [cpn.title], "types": ["campaign-name"]}
|
return {"values": [cpn.title], "types": ["campaign-name"]}
|
||||||
|
|
||||||
|
|
||||||
def buildExploitTarget(et):
|
def buildExploitTarget(et):
|
||||||
"""
|
"""
|
||||||
Extract CVEs from exploit targets
|
Extract CVEs from exploit targets
|
||||||
|
@ -84,9 +83,9 @@ def buildExploitTarget(et):
|
||||||
for v in et.vulnerabilities:
|
for v in et.vulnerabilities:
|
||||||
if v.cve_id:
|
if v.cve_id:
|
||||||
r["values"].append(v.cve_id)
|
r["values"].append(v.cve_id)
|
||||||
|
|
||||||
return r
|
return r
|
||||||
|
|
||||||
|
|
||||||
def identifyHash(hsh):
|
def identifyHash(hsh):
|
||||||
"""
|
"""
|
||||||
What's that hash!?
|
What's that hash!?
|
||||||
|
@ -100,9 +99,9 @@ def identifyHash(hsh):
|
||||||
if len(str(hsh)) == len(hashlib.new(h).hexdigest()):
|
if len(str(hsh)) == len(hashlib.new(h).hexdigest()):
|
||||||
possible_hashes.append(h)
|
possible_hashes.append(h)
|
||||||
possible_hashes.append("filename|{}".format(h))
|
possible_hashes.append("filename|{}".format(h))
|
||||||
|
|
||||||
return possible_hashes
|
return possible_hashes
|
||||||
|
|
||||||
|
|
||||||
def buildIndicator(ind):
|
def buildIndicator(ind):
|
||||||
"""
|
"""
|
||||||
Extract hashes
|
Extract hashes
|
||||||
|
@ -116,6 +115,7 @@ def buildIndicator(ind):
|
||||||
return buildObservable(ind.observable)
|
return buildObservable(ind.observable)
|
||||||
return r
|
return r
|
||||||
|
|
||||||
|
|
||||||
def buildActor(ta):
|
def buildActor(ta):
|
||||||
"""
|
"""
|
||||||
Extract the name
|
Extract the name
|
||||||
|
@ -127,6 +127,7 @@ def buildActor(ta):
|
||||||
|
|
||||||
return r
|
return r
|
||||||
|
|
||||||
|
|
||||||
def buildObservable(o):
|
def buildObservable(o):
|
||||||
"""
|
"""
|
||||||
Take a STIX observable
|
Take a STIX observable
|
||||||
|
@ -149,7 +150,7 @@ def buildObservable(o):
|
||||||
props = o["object"]["properties"]
|
props = o["object"]["properties"]
|
||||||
|
|
||||||
# If it has an address_value field, it's gonna be an address
|
# If it has an address_value field, it's gonna be an address
|
||||||
print(props)
|
# print(props)
|
||||||
# Kinda obvious really
|
# Kinda obvious really
|
||||||
if "address_value" in props:
|
if "address_value" in props:
|
||||||
|
|
||||||
|
@ -162,12 +163,10 @@ def buildObservable(o):
|
||||||
|
|
||||||
# Is it an IP?
|
# Is it an IP?
|
||||||
if ipre.match(str(value)):
|
if ipre.match(str(value)):
|
||||||
|
|
||||||
# Yes!
|
# Yes!
|
||||||
r["values"].append(value)
|
r["values"].append(value)
|
||||||
r["types"] = ["ip-src", "ip-dst"]
|
r["types"] = ["ip-src", "ip-dst"]
|
||||||
else:
|
else:
|
||||||
|
|
||||||
# Probably a domain yo
|
# Probably a domain yo
|
||||||
r["values"].append(value)
|
r["values"].append(value)
|
||||||
r["types"] = ["domain", "hostname"]
|
r["types"] = ["domain", "hostname"]
|
||||||
|
@ -178,6 +177,7 @@ def buildObservable(o):
|
||||||
r["types"] = identifyHash(hsh["simple_hash_value"]["value"])
|
r["types"] = identifyHash(hsh["simple_hash_value"]["value"])
|
||||||
return r
|
return r
|
||||||
|
|
||||||
|
|
||||||
def loadPackage(data):
|
def loadPackage(data):
|
||||||
# Write the stix package to a tmp file
|
# Write the stix package to a tmp file
|
||||||
with open("/tmp/stixdump", "w") as f:
|
with open("/tmp/stixdump", "w") as f:
|
||||||
|
@ -188,11 +188,12 @@ def loadPackage(data):
|
||||||
package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
|
package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
|
||||||
except:
|
except:
|
||||||
package = STIXPackage().from_json(open("/tmp/stixdump", "r"))
|
package = STIXPackage().from_json(open("/tmp/stixdump", "r"))
|
||||||
except Exception as ex:
|
except Exception:
|
||||||
print("Failed to load package")
|
print("Failed to load package")
|
||||||
raise ValueError("COULD NOT LOAD STIX PACKAGE!")
|
raise ValueError("COULD NOT LOAD STIX PACKAGE!")
|
||||||
return package
|
return package
|
||||||
|
|
||||||
|
|
||||||
def introspection():
|
def introspection():
|
||||||
modulesetup = {}
|
modulesetup = {}
|
||||||
try:
|
try:
|
||||||
|
|
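Review bot: The bare `except:` immediately above the handler this hunk edits is left as is, so the PEP8 pass is incomplete (E722) and, because that clause also catches KeyboardInterrupt and SystemExit, an interrupted XML parse silently falls through to the JSON parser; it should become `except Exception:` like the outer handler the commit just changed. In the same two lines the `open("/tmp/stixdump", "r")` handles are never closed, and `/tmp/stixdump` is a fixed path shared by every caller on the host, so concurrent requests overwrite each other's input and the file is exposed to the usual predictable-name and symlink problems of world-writable directories. A per-call `tempfile.NamedTemporaryFile` (or, if the stix API accepts a file-like object, an `io.StringIO` over `data` with no disk write at all) scoped in a `with` block would remove the race, the leak and the fixed path together, with the `package = ...` assignments kept as they are. loadPackage starts in the previous hunk, where the `with open("/tmp/stixdump", "w")` write lives, so the temp-file change spans both hunks.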