MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

fix: Added references between processes and the files they drop

pull/304/head
chrisr3d 2019-05-22 15:27:04 +02:00
parent 191034d311
commit cfec9a6b1c
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
misp_modules/modules/import_mod/joe_import.py
View File

@ -60,6 +60,7 @@ class JoeParser():
self.misp_event = MISPEvent()
self.references = defaultdict(list)
self.attributes = defaultdict(lambda: defaultdict(set))
self.process_references = {}
def parse_joe(self):
self.parse_fileinfo()
@ -101,6 +102,10 @@ class JoeParser():
hash_type = dropped_hash_mapping[h['@algo']]
file_object.add_attribute(hash_type, **{'type': hash_type, 'value': h['$']})
self.misp_event.add_object(**file_object)
self.references[self.process_references[(int(droppedfile['@targetid']), droppedfile['@process'])]].append({
'idref': file_object.uuid,
'relationship': 'drops'
})
def parse_network_behavior(self):
network = self.data['behavior']['network']
@ -148,6 +153,7 @@ class JoeParser():
for field, to_call in process_activities.items():
to_call(process_object.uuid, process[field])
self.references[self.fileinfo_uuid].append({'idref': process_object.uuid, 'relationship': 'calls'})
self.process_references[(general['targetid'], general['path'])] = process_object.uuid
def parse_fileactivities(self, process_uuid, fileactivities):
for feature, files in fileactivities.items():