MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

add summary ip, domain and hostname

pull/498/head
Sebdraven 2021-05-07 12:27:11 +02:00
parent 16f9ec9f6d
commit d0c2f94354
1 changed files with 112 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

131
misp_modules/modules/expansion/onyphe.py
View File

@ -33,14 +33,20 @@ class OnypheClient:
def get_results(self): def get_results(self):
event = json.loads(self.misp_event.to_json()) event = json.loads(self.misp_event.to_json())
results = {key: event[key] for key in ('Attribute', 'Object') if key in event} results = {key: event[key]
for key in ('Attribute', 'Object') if key in event}
return results return results
def get_query_onyphe(self): def get_query_onyphe(self):
if self.attribute['type'] == 'ip-src' or self.attribute['type'] == 'ip-dst': if self.attribute['type'] == 'ip-src' or self.attribute['type'] == 'ip-dst':
self.__summary_ip() self.__summary_ip()
if self.attribute['type'] == 'domain':
self.__summary_domain()
if self.attribute['type'] == 'hostname':
self.__summary_hostname()
def __summary_ip(self): def __summary_ip(self):
print('ip')
results = self.onyphe_client.summary_ip(self.attribute['value']) results = self.onyphe_client.summary_ip(self.attribute['value'])
if 'results' in results: if 'results' in results:
for r in results['results']: for r in results['results']:
@ -64,43 +70,107 @@ class OnypheClient:
issuer = r['issuer'] issuer = r['issuer']
self.__get_object_certificate(r) self.__get_object_certificate(r)
def __summary_domain(self):
print('domain')
results = self.onyphe_client.summary_domain(self.attribute['value'])
if 'results' in results:
for r in results['results']:
for domain in r.get('domain'):
self.misp_event.add_attribute('domain', domain)
for hostname in r.get('hostname'):
self.misp_event.add_attribute('hostname', hostname)
if 'ip' in r:
if type(r['ip']) is str:
self.__get_object_domain_ip(r['ip'], 'ip')
if type(r['ip']) is list:
for ip in r['ip']:
self.__get_object_domain_ip(ip, 'ip')
if 'issuer' in r:
self.__get_object_certificate(r)
def __summary_hostname(self):
results = self.onyphe_client.summary_hostname(self.attribute['value'])
if 'results' in results:
for r in results['results']:
if 'domain' in r:
if type(r['domain']) is str:
self.misp_event.add_attribute(
'domain', r['domain'])
if type(r['domain']) is list:
for domain in r['domain']:
self.misp_event.add_attribute('domain', domain)
if 'hostname' in r:
if type(r['hostname']) is str:
self.misp_event.add_attribute(
'hostname', r['hostname'])
if type(r['hostname']) is list:
for hostname in r['hostname']:
self.misp_event.add_attribute(
'hostname', r['hostname'])
if 'ip' in r:
if type(r['ip']) is str:
self.__get_object_domain_ip(r['ip'], 'ip')
if type(r['ip']) is list:
for ip in r['ip']:
self.__get_object_domain_ip(ip, 'ip')
if 'issuer' in r:
self.__get_object_certificate(r)
if 'cve' in r:
if type(r['cve']) is list:
for cve in r['cve']:
self.__get_object_cve(r, cve)
def __get_object_certificate(self, r): def __get_object_certificate(self, r):
object_certificate = MISPObject('x509') object_certificate = MISPObject('x509')
object_certificate.add_attribute('ip', self.attribute['value']) object_certificate.add_attribute('ip', self.attribute['value'])
object_certificate.add_attribute('serial-number', r['serial']) object_certificate.add_attribute('serial-number', r['serial'])
object_certificate.add_attribute('x509-fingerprint-sha256', r['fingerprint']['sha256']) object_certificate.add_attribute(
object_certificate.add_attribute('x509-fingerprint-sha1', r['fingerprint']['sha1']) 'x509-fingerprint-sha256', r['fingerprint']['sha256'])
object_certificate.add_attribute('x509-fingerprint-md5', r['fingerprint']['md5']) object_certificate.add_attribute(
'x509-fingerprint-sha1', r['fingerprint']['sha1'])
object_certificate.add_attribute(
'x509-fingerprint-md5', r['fingerprint']['md5'])
signature = r['signature']['algorithm'] signature = r['signature']['algorithm']
value = '' value = ''
if 'sha256' in signature and 'RSA' in signature: if 'sha256' in signature and 'RSA' in signature:
value = 'SHA256_WITH_RSA_ENCRYPTION' value = 'SHA256_WITH_RSA_ENCRYPTION'
elif 'sha1' in signature and 'RSA' in signature: elif 'sha1' in signature and 'RSA' in signature:
value = 'SHA1_WITH_RSA_ENCRYPTION' value = 'SHA1_WITH_RSA_ENCRYPTION'
if value: if value:
object_certificate.add_attribute('signature_algorithm', value) object_certificate.add_attribute('signature_algorithm', value)
object_certificate.add_attribute('pubkey-info-algorithm',r['publickey']['algorithm'])
if 'exponent' in r['publickey']:
object_certificate.add_attribute('pubkey-info-exponent',r['publickey']['exponent'])
if 'length' in r['publickey']:
object_certificate.add_attribute('pubkey-info-size',r['publickey']['length'])
object_certificate.add_attribute('issuer',r['issuer']['commonname']) object_certificate.add_attribute(
object_certificate.add_attribute('validity-not-before',r['validity']['notbefore']) 'pubkey-info-algorithm', r['publickey']['algorithm'])
object_certificate.add_attribute('validity-not-after',r['validity']['notbefore'])
if 'exponent' in r['publickey']:
object_certificate.add_attribute(
'pubkey-info-exponent', r['publickey']['exponent'])
if 'length' in r['publickey']:
object_certificate.add_attribute(
'pubkey-info-size', r['publickey']['length'])
object_certificate.add_attribute('issuer', r['issuer']['commonname'])
object_certificate.add_attribute(
'validity-not-before', r['validity']['notbefore'])
object_certificate.add_attribute(
'validity-not-after', r['validity']['notbefore'])
object_certificate.add_reference(self.attribute['uuid'], 'related-to') object_certificate.add_reference(self.attribute['uuid'], 'related-to')
self.misp_event.add_object(object_certificate) self.misp_event.add_object(object_certificate)
def __get_object_domain_ip(self, obs, relation): def __get_object_domain_ip(self, obs, relation):
objet_domain_ip = MISPObject('domain-ip') objet_domain_ip = MISPObject('domain-ip')
objet_domain_ip.add_attribute(relation, obs) objet_domain_ip.add_attribute(relation, obs)
relation_attr = self.__get_relation_attribute() relation_attr = self.__get_relation_attribute()
if relation_attr: if relation_attr:
objet_domain_ip.add_attribute(relation_attr, self.attribute['value']) objet_domain_ip.add_attribute(
relation_attr, self.attribute['value'])
objet_domain_ip.add_reference(self.attribute['uuid'], 'related-to') objet_domain_ip.add_reference(self.attribute['uuid'], 'related-to')
self.misp_event.add_object(objet_domain_ip) self.misp_event.add_object(objet_domain_ip)
@ -115,6 +185,28 @@ class OnypheClient:
elif self.attribute['type'] == 'hostname': elif self.attribute['type'] == 'hostname':
return 'domain' return 'domain'
def __get_object_cve(self, item, cve):
attributes = []
object_cve = MISPObject('vulnerability')
object_cve.add_attribute('id', cve)
object_cve.add_attribute('state', 'Published')
if type(item['ip']) is list:
for ip in item['ip']:
attributes.extend(
list(filter(lambda x: x['value'] == ip, self.misp_event['Attribute'])))
for obj in self.misp_event['Object']:
attributes.extend(
list(filter(lambda x: x['value'] == ip, obj['Attribute'])))
if type(item['ip']) is str:
for obj in self.misp_event['Object']:
for att in obj['Attribute']:
if att['value'] == item['ip']:
object_cve.add_reference(obj['uuid'], 'cve')
self.misp_event.add_object(object_cve)
def handler(q=False): def handler(q=False):
if q: if q:
@ -134,6 +226,7 @@ def handler(q=False):
return {'results': results} return {'results': results}
def introspection(): def introspection():
return mispattributes return mispattributes