add summary ip, domain and hostname

misp_modules/modules/expansion/onyphe.py

@@ -33,14 +33,20 @@ class OnypheClient:
 
     def get_results(self):
         event = json.loads(self.misp_event.to_json())
-        results = {key: event[key] for key in ('Attribute', 'Object') if key in event}
+        results = {key: event[key]
+                   for key in ('Attribute', 'Object') if key in event}
         return results
 
     def get_query_onyphe(self):
         if self.attribute['type'] == 'ip-src' or self.attribute['type'] == 'ip-dst':
             self.__summary_ip()
+        if self.attribute['type'] == 'domain':
+            self.__summary_domain()
+        if self.attribute['type'] == 'hostname':
+            self.__summary_hostname()
 
     def __summary_ip(self):
+        print('ip')
         results = self.onyphe_client.summary_ip(self.attribute['value'])
         if 'results' in results:
             for r in results['results']:
@@ -64,43 +70,107 @@ class OnypheClient:
                     issuer = r['issuer']
                     self.__get_object_certificate(r)
 
+    def __summary_domain(self):
+        print('domain')
+        results = self.onyphe_client.summary_domain(self.attribute['value'])
+        if 'results' in results:
+            for r in results['results']:
+
+                for domain in r.get('domain'):
+                    self.misp_event.add_attribute('domain', domain)
+                for hostname in r.get('hostname'):
+                    self.misp_event.add_attribute('hostname', hostname)
+                if 'ip' in r:
+                    if type(r['ip']) is str:
+                        self.__get_object_domain_ip(r['ip'], 'ip')
+                    if type(r['ip']) is list:
+                        for ip in r['ip']:
+                            self.__get_object_domain_ip(ip, 'ip')
+                if 'issuer' in r:
+                    self.__get_object_certificate(r)
+
+    def __summary_hostname(self):
+        results = self.onyphe_client.summary_hostname(self.attribute['value'])
+        if 'results' in results:
+
+            for r in results['results']:
+                if 'domain' in r:
+                    if type(r['domain']) is str:
+                        self.misp_event.add_attribute(
+                            'domain', r['domain'])
+                    if type(r['domain']) is list:
+                        for domain in r['domain']:
+                            self.misp_event.add_attribute('domain', domain)
+
+                if 'hostname' in r:
+                    if type(r['hostname']) is str:
+                        self.misp_event.add_attribute(
+                            'hostname', r['hostname'])
+                    if type(r['hostname']) is list:
+                        for hostname in r['hostname']:
+                            self.misp_event.add_attribute(
+                                'hostname', r['hostname'])
+
+                if 'ip' in r:
+                    if type(r['ip']) is str:
+                        self.__get_object_domain_ip(r['ip'], 'ip')
+                    if type(r['ip']) is list:
+                        for ip in r['ip']:
+                            self.__get_object_domain_ip(ip, 'ip')
+
+                if 'issuer' in r:
+                    self.__get_object_certificate(r)
+
+                if 'cve' in r:
+                    if type(r['cve']) is list:
+                        for cve in r['cve']:
+                            self.__get_object_cve(r, cve)
+
     def __get_object_certificate(self, r):
         object_certificate = MISPObject('x509')
         object_certificate.add_attribute('ip', self.attribute['value'])
         object_certificate.add_attribute('serial-number', r['serial'])
-        object_certificate.add_attribute('x509-fingerprint-sha256', r['fingerprint']['sha256'])
-        object_certificate.add_attribute('x509-fingerprint-sha1', r['fingerprint']['sha1'])
-        object_certificate.add_attribute('x509-fingerprint-md5', r['fingerprint']['md5'])
-        
+        object_certificate.add_attribute(
+            'x509-fingerprint-sha256', r['fingerprint']['sha256'])
+        object_certificate.add_attribute(
+            'x509-fingerprint-sha1', r['fingerprint']['sha1'])
+        object_certificate.add_attribute(
+            'x509-fingerprint-md5', r['fingerprint']['md5'])
+
         signature = r['signature']['algorithm']
         value = ''
         if 'sha256' in signature and 'RSA' in signature:
             value = 'SHA256_WITH_RSA_ENCRYPTION'
         elif 'sha1' in signature and 'RSA' in signature:
-            value = 'SHA1_WITH_RSA_ENCRYPTION' 
+            value = 'SHA1_WITH_RSA_ENCRYPTION'
         if value:
             object_certificate.add_attribute('signature_algorithm', value)
-        
-        object_certificate.add_attribute('pubkey-info-algorithm',r['publickey']['algorithm'])
-        
-        if 'exponent' in r['publickey']:
-            object_certificate.add_attribute('pubkey-info-exponent',r['publickey']['exponent'])
-        if 'length' in r['publickey']:    
-            object_certificate.add_attribute('pubkey-info-size',r['publickey']['length'])
 
-        object_certificate.add_attribute('issuer',r['issuer']['commonname'])
-        object_certificate.add_attribute('validity-not-before',r['validity']['notbefore'])
-        object_certificate.add_attribute('validity-not-after',r['validity']['notbefore'])
+        object_certificate.add_attribute(
+            'pubkey-info-algorithm', r['publickey']['algorithm'])
+
+        if 'exponent' in r['publickey']:
+            object_certificate.add_attribute(
+                'pubkey-info-exponent', r['publickey']['exponent'])
+        if 'length' in r['publickey']:
+            object_certificate.add_attribute(
+                'pubkey-info-size', r['publickey']['length'])
+
+        object_certificate.add_attribute('issuer', r['issuer']['commonname'])
+        object_certificate.add_attribute(
+            'validity-not-before', r['validity']['notbefore'])
+        object_certificate.add_attribute(
+            'validity-not-after', r['validity']['notbefore'])
         object_certificate.add_reference(self.attribute['uuid'], 'related-to')
         self.misp_event.add_object(object_certificate)
-        
-        
+
     def __get_object_domain_ip(self, obs, relation):
         objet_domain_ip = MISPObject('domain-ip')
         objet_domain_ip.add_attribute(relation, obs)
         relation_attr = self.__get_relation_attribute()
         if relation_attr:
-            objet_domain_ip.add_attribute(relation_attr, self.attribute['value'])
+            objet_domain_ip.add_attribute(
+                relation_attr, self.attribute['value'])
             objet_domain_ip.add_reference(self.attribute['uuid'], 'related-to')
             self.misp_event.add_object(objet_domain_ip)
 
@@ -115,6 +185,28 @@ class OnypheClient:
         elif self.attribute['type'] == 'hostname':
             return 'domain'
 
+    def __get_object_cve(self, item, cve):
+        attributes = []
+        object_cve = MISPObject('vulnerability')
+        object_cve.add_attribute('id', cve)
+        object_cve.add_attribute('state', 'Published')
+
+        if type(item['ip']) is list:
+            for ip in item['ip']:
+                attributes.extend(
+                    list(filter(lambda x: x['value'] == ip, self.misp_event['Attribute'])))
+                for obj in self.misp_event['Object']:
+                    attributes.extend(
+                        list(filter(lambda x: x['value'] == ip, obj['Attribute'])))
+        if type(item['ip']) is str:
+
+            for obj in self.misp_event['Object']:
+                for att in obj['Attribute']:
+                    if att['value'] == item['ip']:
+                        object_cve.add_reference(obj['uuid'], 'cve')
+
+        self.misp_event.add_object(object_cve)
+
 
 def handler(q=False):
     if q:
@@ -134,6 +226,7 @@ def handler(q=False):
 
         return {'results': results}
 
+
 def introspection():
     return mispattributes