mirror of https://github.com/MISP/misp-modules
Make PEP8 happy \o/
parent
91675a635c
commit
c6fccf1b7e
|
@ -1,6 +1,4 @@
|
|||
import json
|
||||
import stix
|
||||
import csv
|
||||
from stix.core import STIXPackage
|
||||
import re
|
||||
import base64
|
||||
|
@ -66,13 +64,14 @@ def handler(q=False):
|
|||
# Quick and dirty regex for IP addresses
|
||||
ipre = re.compile("([0-9]{1,3}.){3}[0-9]{1,3}")
|
||||
|
||||
|
||||
def buildCampaign(cpn):
|
||||
"""
|
||||
Extract a campaign name
|
||||
"""
|
||||
|
||||
return {"values": [cpn.title], "types": ["campaign-name"]}
|
||||
|
||||
|
||||
def buildExploitTarget(et):
|
||||
"""
|
||||
Extract CVEs from exploit targets
|
||||
|
@ -84,9 +83,9 @@ def buildExploitTarget(et):
|
|||
for v in et.vulnerabilities:
|
||||
if v.cve_id:
|
||||
r["values"].append(v.cve_id)
|
||||
|
||||
return r
|
||||
|
||||
|
||||
def identifyHash(hsh):
|
||||
"""
|
||||
What's that hash!?
|
||||
|
@ -100,9 +99,9 @@ def identifyHash(hsh):
|
|||
if len(str(hsh)) == len(hashlib.new(h).hexdigest()):
|
||||
possible_hashes.append(h)
|
||||
possible_hashes.append("filename|{}".format(h))
|
||||
|
||||
return possible_hashes
|
||||
|
||||
|
||||
def buildIndicator(ind):
|
||||
"""
|
||||
Extract hashes
|
||||
|
@ -116,6 +115,7 @@ def buildIndicator(ind):
|
|||
return buildObservable(ind.observable)
|
||||
return r
|
||||
|
||||
|
||||
def buildActor(ta):
|
||||
"""
|
||||
Extract the name
|
||||
|
@ -127,6 +127,7 @@ def buildActor(ta):
|
|||
|
||||
return r
|
||||
|
||||
|
||||
def buildObservable(o):
|
||||
"""
|
||||
Take a STIX observable
|
||||
|
@ -149,7 +150,7 @@ def buildObservable(o):
|
|||
props = o["object"]["properties"]
|
||||
|
||||
# If it has an address_value field, it's gonna be an address
|
||||
print(props)
|
||||
# print(props)
|
||||
# Kinda obvious really
|
||||
if "address_value" in props:
|
||||
|
||||
|
@ -162,12 +163,10 @@ def buildObservable(o):
|
|||
|
||||
# Is it an IP?
|
||||
if ipre.match(str(value)):
|
||||
|
||||
# Yes!
|
||||
r["values"].append(value)
|
||||
r["types"] = ["ip-src", "ip-dst"]
|
||||
else:
|
||||
|
||||
# Probably a domain yo
|
||||
r["values"].append(value)
|
||||
r["types"] = ["domain", "hostname"]
|
||||
|
@ -178,6 +177,7 @@ def buildObservable(o):
|
|||
r["types"] = identifyHash(hsh["simple_hash_value"]["value"])
|
||||
return r
|
||||
|
||||
|
||||
def loadPackage(data):
|
||||
# Write the stix package to a tmp file
|
||||
with open("/tmp/stixdump", "w") as f:
|
||||
|
@ -188,11 +188,12 @@ def loadPackage(data):
|
|||
package = STIXPackage().from_xml(open("/tmp/stixdump", "r"))
|
||||
except:
|
||||
package = STIXPackage().from_json(open("/tmp/stixdump", "r"))
|
||||
except Exception as ex:
|
||||
except Exception:
|
||||
print("Failed to load package")
|
||||
raise ValueError("COULD NOT LOAD STIX PACKAGE!")
|
||||
return package
|
||||
|
||||
|
||||
def introspection():
|
||||
modulesetup = {}
|
||||
try:
|
||||
|
|
Loading…
Reference in New Issue