add: Parsing some object references at the end of the process

chrisr3d 2019-05-13 17:29:07 +02:00
parent 728386d8a0
commit d39fb7da18
1 changed files with 16 additions and 4 deletions
misp_modules/modules/import_mod


@ -1,4 +1,5 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
from collections import defaultdict
from pymisp import MISPEvent, MISPObject from pymisp import MISPEvent, MISPObject
import json import json
import base64 import base64
@ -38,11 +39,21 @@ class JoeParser():
def __init__(self, data): def __init__(self, data):
self.data = data self.data = data
self.misp_event = MISPEvent() self.misp_event = MISPEvent()
self.references = defaultdict(list)
def parse_joe(self): def parse_joe(self):
self.parse_fileinfo() self.parse_fileinfo()
if self.references:
self.build_references()
self.finalize_results() self.finalize_results()
def build_references(self):
for misp_object in self.misp_event.objects:
object_uuid = misp_object.uuid
if object_uuid in self.references:
for reference in self.references[object_uuid]:
misp_object.add_reference(reference['idref'], reference['relationship'])
def parse_fileinfo(self): def parse_fileinfo(self):
fileinfo = self.data['fileinfo'] fileinfo = self.data['fileinfo']
file_object = MISPObject('file') file_object = MISPObject('file')
@ -54,6 +65,7 @@ class JoeParser():
pe_object = MISPObject('pe') pe_object = MISPObject('pe')
file_object.add_reference(pe_object.uuid, 'included-in') file_object.add_reference(pe_object.uuid, 'included-in')
self.misp_event.add_object(**file_object) self.misp_event.add_object(**file_object)
self.fileinfo_uuid = file_object.uuid
peinfo = fileinfo['pe'] peinfo = fileinfo['pe']
for field, mapping in pe_object_fields.items(): for field, mapping in pe_object_fields.items():
attribute_type, object_relation = mapping attribute_type, object_relation = mapping
@ -67,10 +79,6 @@ class JoeParser():
pe_object.add_attribute(pe_object_mapping[name], **{'type': 'text', 'value': feature['value']}) pe_object.add_attribute(pe_object_mapping[name], **{'type': 'text', 'value': feature['value']})
sections_number = len(peinfo['sections']['section']) sections_number = len(peinfo['sections']['section'])
pe_object.add_attribute('number-sections', **{'type': 'counter', 'value': sections_number}) pe_object.add_attribute('number-sections', **{'type': 'counter', 'value': sections_number})
for section in peinfo['sections']['section']:
section_object = self.parse_pe_section(section)
pe_object.add_reference(section_object.uuid, 'included-in')
self.misp_event.add_object(**section_object)
signerinfo_object = MISPObject('authenticode-signerinfo') signerinfo_object = MISPObject('authenticode-signerinfo')
pe_object.add_reference(signerinfo_object.uuid, 'signed-by') pe_object.add_reference(signerinfo_object.uuid, 'signed-by')
self.misp_event.add_object(**pe_object) self.misp_event.add_object(**pe_object)
@ -80,6 +88,10 @@ class JoeParser():
attribute_type, object_relation = mapping attribute_type, object_relation = mapping
signerinfo_object.add_attribute(object_relation, **{'type': attribute_type, 'value': signatureinfo[feature]}) signerinfo_object.add_attribute(object_relation, **{'type': attribute_type, 'value': signatureinfo[feature]})
self.misp_event.add_object(**signerinfo_object) self.misp_event.add_object(**signerinfo_object)
for section in peinfo['sections']['section']:
section_object = self.parse_pe_section(section)
self.references[pe_object.uuid].append({'idref': section_object.uuid, 'relationship': 'included-in'})
self.misp_event.add_object(**section_object)
def parse_pe_section(self, section): def parse_pe_section(self, section):
section_object = MISPObject('pe-section') section_object = MISPObject('pe-section')