add: Parsing some object references at the end of the process
parent
728386d8a0
commit
d39fb7da18
@ -1,4 +1,5 @@
|
||||||
# -*- coding: utf-8 -*-
|
# -*- coding: utf-8 -*-
|
||||||
|
from collections import defaultdict
|
||||||
from pymisp import MISPEvent, MISPObject
|
from pymisp import MISPEvent, MISPObject
|
||||||
import json
|
import json
|
||||||
import base64
|
import base64
|
||||||
|
@ -38,11 +39,21 @@ class JoeParser():
|
||||||
def __init__(self, data):
|
def __init__(self, data):
|
||||||
self.data = data
|
self.data = data
|
||||||
self.misp_event = MISPEvent()
|
self.misp_event = MISPEvent()
|
||||||
|
self.references = defaultdict(list)
|
||||||
|
|
||||||
def parse_joe(self):
|
def parse_joe(self):
|
||||||
self.parse_fileinfo()
|
self.parse_fileinfo()
|
||||||
|
if self.references:
|
||||||
|
self.build_references()
|
||||||
self.finalize_results()
|
self.finalize_results()
|
||||||
|
|
||||||
|
def build_references(self):
|
||||||
|
for misp_object in self.misp_event.objects:
|
||||||
|
object_uuid = misp_object.uuid
|
||||||
|
if object_uuid in self.references:
|
||||||
|
for reference in self.references[object_uuid]:
|
||||||
|
misp_object.add_reference(reference['idref'], reference['relationship'])
|
||||||
|
|
||||||
def parse_fileinfo(self):
|
def parse_fileinfo(self):
|
||||||
fileinfo = self.data['fileinfo']
|
fileinfo = self.data['fileinfo']
|
||||||
file_object = MISPObject('file')
|
file_object = MISPObject('file')
|
||||||
|
@ -54,6 +65,7 @@ class JoeParser():
|
||||||
pe_object = MISPObject('pe')
|
pe_object = MISPObject('pe')
|
||||||
file_object.add_reference(pe_object.uuid, 'included-in')
|
file_object.add_reference(pe_object.uuid, 'included-in')
|
||||||
self.misp_event.add_object(**file_object)
|
self.misp_event.add_object(**file_object)
|
||||||
|
self.fileinfo_uuid = file_object.uuid
|
||||||
peinfo = fileinfo['pe']
|
peinfo = fileinfo['pe']
|
||||||
for field, mapping in pe_object_fields.items():
|
for field, mapping in pe_object_fields.items():
|
||||||
attribute_type, object_relation = mapping
|
attribute_type, object_relation = mapping
|
||||||
|
@ -67,10 +79,6 @@ class JoeParser():
|
||||||
pe_object.add_attribute(pe_object_mapping[name], **{'type': 'text', 'value': feature['value']})
|
pe_object.add_attribute(pe_object_mapping[name], **{'type': 'text', 'value': feature['value']})
|
||||||
sections_number = len(peinfo['sections']['section'])
|
sections_number = len(peinfo['sections']['section'])
|
||||||
pe_object.add_attribute('number-sections', **{'type': 'counter', 'value': sections_number})
|
pe_object.add_attribute('number-sections', **{'type': 'counter', 'value': sections_number})
|
||||||
for section in peinfo['sections']['section']:
|
|
||||||
section_object = self.parse_pe_section(section)
|
|
||||||
pe_object.add_reference(section_object.uuid, 'included-in')
|
|
||||||
self.misp_event.add_object(**section_object)
|
|
||||||
signerinfo_object = MISPObject('authenticode-signerinfo')
|
signerinfo_object = MISPObject('authenticode-signerinfo')
|
||||||
pe_object.add_reference(signerinfo_object.uuid, 'signed-by')
|
pe_object.add_reference(signerinfo_object.uuid, 'signed-by')
|
||||||
self.misp_event.add_object(**pe_object)
|
self.misp_event.add_object(**pe_object)
|
||||||
|
@ -80,6 +88,10 @@ class JoeParser():
|
||||||
attribute_type, object_relation = mapping
|
attribute_type, object_relation = mapping
|
||||||
signerinfo_object.add_attribute(object_relation, **{'type': attribute_type, 'value': signatureinfo[feature]})
|
signerinfo_object.add_attribute(object_relation, **{'type': attribute_type, 'value': signatureinfo[feature]})
|
||||||
self.misp_event.add_object(**signerinfo_object)
|
self.misp_event.add_object(**signerinfo_object)
|
||||||
|
for section in peinfo['sections']['section']:
|
||||||
|
section_object = self.parse_pe_section(section)
|
||||||
|
self.references[pe_object.uuid].append({'idref': section_object.uuid, 'relationship': 'included-in'})
|
||||||
|
self.misp_event.add_object(**section_object)
|
||||||
|
|
||||||
def parse_pe_section(self, section):
|
def parse_pe_section(self, section):
|
||||||
section_object = MISPObject('pe-section')
|
section_object = MISPObject('pe-section')
|
||||||
|
|
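Review bot: build_references (hunk @ -38,11 +39,21) has no docstring, and nothing in the code says why references are collected in self.references and attached afterwards instead of being added to the object directly; add `"""Attach the deferred references to the event's objects, matched by uuid."""` and a why-comment such as `# add_object(**obj) stores a copy, so references appended to the local object after insertion would not reach the event -- confirm against pymisp`, since the copy semantics are inferred from the `**pe_object` call rather than visible here. The `if self.references:` guard in parse_joe is redundant because build_references is already a no-op on an empty mapping; `self.build_references()` alone reads cleaner. `self.fileinfo_uuid` is assigned in the @ -54,6 +65,7 hunk but not read in any visible hunk; if it is not used elsewhere in the file it should be dropped. parse_fileinfo and parse_pe_section both continue outside the hunks shown.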