From 9364859ce99d834efb3b56f8f9830ef0ae8fec21 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Thu, 22 Apr 2021 15:05:29 +0200
Subject: [PATCH 01/19] refactoring of the module
---
 misp_modules/modules/expansion/onyphe.py | 96 ++++++------------------
 1 file changed, 24 insertions(+), 72 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index d8db477..cff803f 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -1,6 +1,9 @@
 # -*- coding: utf-8 -*-
 import json
+
+from pymisp import MISPEvent
+
 try:
 from onyphe import Onyphe
 except ImportError:
@@ -9,9 +12,10 @@ except ImportError:
 misperrors = {'error': 'Error'}
 mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain'],
- 'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'url']}
+ 'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'url'],
+ 'format': 'misp_standard'}
 # possible module-types: 'expansion', 'hover' or both
-moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven',
+moduleinfo = {'version': '2', 'author': 'Sebastien Larinier @sebdraven',
 'description': 'Query on Onyphe',
 'module-type': ['expansion', 'hover']}
@@ -19,85 +23,33 @@ moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven',
 moduleconfig = ['apikey']
+class OnypheClient:
+
+ def __init__(self, api_key, attribute):
+ self.onyphe_client = Onyphe(api_key=api_key)
+ self.attribute = attribute
+ self.misp_event = MISPEvent()
+ self.misp_event.add_attribute(**attribute)
+
+ def parser_results(self):
+ pass
+
+ def get_results(self):
+ event = json.loads(self.misp_event.to_json())
+ results = {key: event[key] for key in ('Attribute', 'Object') if key in event}
+ return results
+
+
 def handler(q=False):
 if q:
 request = json.loads(q)
+ attribute = request['attribute']
 if not request.get('config') or not request['config'].get('apikey'):
 misperrors['error'] = 'Onyphe authentication is missing'
 return misperrors
- api = Onyphe(request['config'].get('apikey'))
-
- if not api:
- misperrors['error'] = 'Onyphe Error instance api'
-
- ip = ''
- if request.get('ip-src'):
- ip = request['ip-src']
- elif request.get('ip-dst'):
- ip = request['ip-dst']
- else:
- misperrors['error'] = "Unsupported attributes type"
- return misperrors
-
- return handle_expansion(api, ip, misperrors)
- else:
- return False
-
-
-def handle_expansion(api, ip, misperrors):
- result = api.ip(ip)
-
- if result['status'] == 'nok':
- misperrors['error'] = result['message']
- return misperrors
-
- # categories = list(set([item['@category'] for item in result['results']]))
-
- result_filtered = {"results": []}
- urls_pasties = []
- asn_list = []
- os_list = []
- domains_resolver = []
- domains_forward = []
-
- for r in result['results']:
- if r['@category'] == 'pastries':
- if r['source'] == 'pastebin':
- urls_pasties.append('https://pastebin.com/raw/%s' % r['key'])
- elif r['@category'] == 'synscan':
- asn_list.append(r['asn'])
- os_target = r['os']
- if os_target != 'Unknown':
- os_list.append(r['os'])
- elif r['@category'] == 'resolver' and r['type'] == 'reverse':
- domains_resolver.append(r['reverse'])
- elif r['@category'] == 'resolver' and r['type'] == 'forward':
- domains_forward.append(r['forward'])
-
- result_filtered['results'].append({'types': ['url'], 'values': urls_pasties,
- 'categories': ['External analysis']})
-
- result_filtered['results'].append({'types': ['AS'], 'values': list(set(asn_list)),
- 'categories': ['Network activity']})
-
- result_filtered['results'].append({'types': ['target-machine'],
- 'values': list(set(os_list)),
- 'categories': ['Targeting data']})
-
- result_filtered['results'].append({'types': ['domain'],
- 'values': list(set(domains_resolver)),
- 'categories': ['Network activity'],
- 'comment': 'resolver to %s' % ip})
-
- result_filtered['results'].append({'types': ['domain'],
- 'values': list(set(domains_forward)),
- 'categories': ['Network activity'],
- 'comment': 'forward to %s' % ip})
- return result_filtered
-
 def introspection():
 return mispattributes
From 94f6af88821baf5ae0fabda9080960c030f3adf6 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 23 Apr 2021 16:02:21 +0200
Subject: [PATCH 02/19] add summary ip object domain
---
 misp_modules/modules/expansion/onyphe.py | 47 ++++++++++++++++++++++--
 1 file changed, 43 insertions(+), 4 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index cff803f..21f1466 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -2,7 +2,7 @@
 import json
-from pymisp import MISPEvent
+from pymisp import MISPEvent, MISPObject
 try:
 from onyphe import Onyphe
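Review bot: Onyphe-side failures no longer have a path back to the caller: the removed handle_expansion checked `result['status'] == 'nok'` and copied `result['message']` into misperrors, while the new OnypheClient only serialises whatever landed in `self.misp_event`, so an invalid key or exhausted quota will surface as an empty but apparently successful expansion. Whichever method ends up calling the Onyphe API should keep that status check and expose the message, e.g. an `error` attribute on OnypheClient that handler turns into `misperrors['error']` before it returns results. The old `"Unsupported attributes type"` guard is gone as well, so a type outside `mispattributes['input']` is no longer rejected. `parser_results` is an empty stub; a `# TODO: populate misp_event from the Onyphe reply` would say whether it is meant to be filled in or dropped.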
@@ -31,14 +31,46 @@ class OnypheClient:
 self.misp_event = MISPEvent()
 self.misp_event.add_attribute(**attribute)
- def parser_results(self):
- pass
-
 def get_results(self):
 event = json.loads(self.misp_event.to_json())
 results = {key: event[key] for key in ('Attribute', 'Object') if key in event}
 return results
+ def get_query_onyphe(self):
+ if self.attribute['type'] == 'ip-src' and self.attribute['type'] =='ip-dst':
+ self.__summary_ip()
+
+ def __summary_ip(self):
+ results = self.onyphe_client.summary_ip(self.attribute['value'])
+ if 'results' in results:
+ for r in results['results']:
+ domain = r['domain']
+ if type(domain) == list:
+ for d in domain:
+ self.__get_object_domain_ip(d, 'domain')
+ elif type(domain) == str:
+ self.__get_object_domain_ip(domain, 'domain')
+
+ def __get_object_domain_ip(self, obs, relation):
+ objet_domain_ip = MISPObject('domain-ip')
+ objet_domain_ip.add_attribute(relation, obs)
+ relation_attr = self.__get_relation_attribute()
+ if relation_attr:
+ objet_domain_ip.add_attribute(relation, self.attribute['value'])
+ objet_domain_ip.add_reference(self.attribute['uuid'], 'related-to')
+ self.misp_event.add_object(objet_domain_ip)
+
+ def __get_relation_attribute(self):
+
+ if self.attribute['type'] == 'ip-src':
+ return 'ip'
+ elif self.attribute['type'] == 'ip-dest':
+ return 'ip'
+ elif self.attribute['type'] == 'domain':
+ return 'domain'
+ elif self.attribute['type'] == 'hostname':
+ return 'domain'
+
 def handler(q=False):
 if q:
@@ -50,6 +82,13 @@ def handler(q=False):
 misperrors['error'] = 'Onyphe authentication is missing'
 return misperrors
+ api_key = request['config'].get('apikey')
+
+ onyphe_client = OnypheClient(api_key, attribute)
+ onyphe_client.get_query_onyphe()
+ results = onyphe_client.get_results()
+
+ return {'results': results}
 def introspection():
 return mispattributes
From 8fbe371eca25fc985c4a59608debb835024a4d98 Mon Sep 17 00:00:00 2001
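Review bot: `__summary_ip` treats the reply as good as soon as it has a `results` key and never looks at `status`, although the code this series replaced checked `result['status'] == 'nok'` and surfaced `result['message']`; an authentication or quota error therefore produces an empty expansion that looks like a success. Every record carrying a domain also gets its own domain-ip object plus a fresh `related-to` reference with no de-duplication across records — the removed code wrapped its value lists in `set()` — so if a summary repeats a domain under several categories (I cannot confirm the reply shape from here) the event receives identical objects. Suggest `if results.get('status') == 'nok': self.error = results.get('message', 'Onyphe error'); return` before the loop, and a `set` of (relation, value) pairs already emitted inside `__get_object_domain_ip`. `type(domain) == list` should be `isinstance(domain, list)`. The `class OnypheClient:` header sits above this hunk.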
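Review bot: handler has no failure path left once the API-key check passes: it always returns `{'results': results}`, so anything that goes wrong inside OnypheClient either escapes as a traceback or yields a result holding only the input attribute. `request['attribute']` is also read before the config check (see the previous hunk), so a request without that key raises KeyError instead of getting a misperrors message, and the attribute type is never compared against `mispattributes['input']` before a network call is made. I would guard it with `if 'attribute' not in request: misperrors['error'] = 'Missing attribute'; return misperrors` and reject unsupported types the same way. handler starts above this hunk.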
From: Sebdraven
Date: Fri, 23 Apr 2021 16:06:20 +0200
Subject: [PATCH 03/19] add logs
---
 misp_modules/modules/expansion/onyphe.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index 21f1466..5b93e99 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -45,6 +45,7 @@ class OnypheClient:
 if 'results' in results:
 for r in results['results']:
 domain = r['domain']
+ print(domain)
 if type(domain) == list:
 for d in domain:
 self.__get_object_domain_ip(d, 'domain')
From ff6470d0e29955b6e6ceebcf280e4fa4ddcca3cb Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 23 Apr 2021 16:07:44 +0200
Subject: [PATCH 04/19] add logs
---
 misp_modules/modules/expansion/onyphe.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index 5b93e99..041de2e 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -42,10 +42,10 @@ class OnypheClient:
 def __summary_ip(self):
 results = self.onyphe_client.summary_ip(self.attribute['value'])
+ print(results)
 if 'results' in results:
 for r in results['results']:
 domain = r['domain']
- print(domain)
 if type(domain) == list:
 for d in domain:
 self.__get_object_domain_ip(d, 'domain')
From 9fd23d6fe03eb385e52ec8401a4f1080e6ea5894 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 23 Apr 2021 16:09:21 +0200
Subject: [PATCH 05/19] add logs
---
 misp_modules/modules/expansion/onyphe.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index 041de2e..8f6dd2c 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -37,7 +37,8 @@ class OnypheClient:
 return results
 def get_query_onyphe(self):
- if self.attribute['type'] == 'ip-src' and self.attribute['type'] =='ip-dst':
+ print(self.attribute)
+ if self.attribute['type'] == 'ip-src' and self.attribute['type'] == 'ip-dst':
 self.__summary_ip()
 def __summary_ip(self):
From 7813ba4fc347ceab4eeba5cf3ffe0038c3c0ed71 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 23 Apr 2021 16:11:10 +0200
Subject: [PATCH 06/19] fix logical test
---
 misp_modules/modules/expansion/onyphe.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index 8f6dd2c..d80a832 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -37,13 +37,11 @@ class OnypheClient:
 return results
 def get_query_onyphe(self):
- print(self.attribute)
- if self.attribute['type'] == 'ip-src' and self.attribute['type'] == 'ip-dst':
+ if self.attribute['type'] == 'ip-src' or self.attribute['type'] == 'ip-dst':
 self.__summary_ip()
 def __summary_ip(self):
 results = self.onyphe_client.summary_ip(self.attribute['value'])
- print(results)
 if 'results' in results:
 for r in results['results']:
 domain = r['domain']
From 436254cd8c8bee6bccd4729917c2b09f84cddd6e Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 23 Apr 2021 16:13:32 +0200
Subject: [PATCH 07/19] add logs
---
 misp_modules/modules/expansion/onyphe.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index d80a832..85c5a0d 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -44,6 +44,7 @@ class OnypheClient:
 results = self.onyphe_client.summary_ip(self.attribute['value'])
 if 'results' in results:
 for r in results['results']:
+ print(r)
 domain = r['domain']
 if type(domain) == list:
 for d in domain:
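Review bot: The corrected condition in get_query_onyphe reads more naturally, and is harder to break again, as a membership test: `if self.attribute['type'] in ('ip-src', 'ip-dst'):`. The `and` it replaces could never be true, so the method was a silent no-op for every input and nothing in the result told the caller; a one-line `# dispatch on the MISP attribute type; unsupported types fall through and add nothing` on the method would make that behaviour explicit for the next reader.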
From f32717c8969a6b1e27cf9d0855d925ef377c1b7f Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 23 Apr 2021 16:15:38 +0200
Subject: [PATCH 08/19] check entry in result dico
---
 misp_modules/modules/expansion/onyphe.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index 85c5a0d..72bdcad 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -44,13 +44,13 @@ class OnypheClient:
 results = self.onyphe_client.summary_ip(self.attribute['value'])
 if 'results' in results:
 for r in results['results']:
- print(r)
- domain = r['domain']
- if type(domain) == list:
- for d in domain:
- self.__get_object_domain_ip(d, 'domain')
- elif type(domain) == str:
- self.__get_object_domain_ip(domain, 'domain')
+ if 'domain' in r:
+ domain = r['domain']
+ if type(domain) == list:
+ for d in domain:
+ self.__get_object_domain_ip(d, 'domain')
+ elif type(domain) == str:
+ self.__get_object_domain_ip(domain, 'domain')
 def __get_object_domain_ip(self, obs, relation):
 objet_domain_ip = MISPObject('domain-ip')
From e1c2c779aa74ab99163ffd3c6e82607acce0dc4c Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 23 Apr 2021 16:16:43 +0200
Subject: [PATCH 09/19] Update onyphe.py remove typo
---
 misp_modules/modules/expansion/onyphe.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index 72bdcad..64fd62e 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -65,7 +65,7 @@ class OnypheClient:
 if self.attribute['type'] == 'ip-src':
 return 'ip'
- elif self.attribute['type'] == 'ip-dest':
+ elif self.attribute['type'] == 'ip-dst':
 return 'ip'
 elif self.attribute['type'] == 'domain':
 return 'domain'
From 098616846da8ee85f6a9a02061e8e08e816161db Mon Sep 17 00:00:00 2001
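Review bot: The re-indented block still tests `type(domain) == list` and `type(domain) == str`; `isinstance` is the idiomatic form and also accepts subclasses, and any other type Onyphe might return (I cannot tell from here whether that happens) is currently dropped without a trace. The two branches collapse into one loop by normalising first: `values = domain if isinstance(domain, list) else [domain]` followed by `for d in values: self.__get_object_domain_ip(d, 'domain')`. The enclosing `__summary_ip` starts above this hunk.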
From: Sebdraven
Date: Fri, 23 Apr 2021 16:19:47 +0200
Subject: [PATCH 10/19] add hostname
---
 misp_modules/modules/expansion/onyphe.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index 64fd62e..2ab3677 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -52,6 +52,15 @@ class OnypheClient:
 elif type(domain) == str:
 self.__get_object_domain_ip(domain, 'domain')
+ if 'hostname' in r:
+ hostname = r['hostname']
+ if type(hostname) == list:
+ for d in hostname:
+ self.__get_object_domain_ip(d, 'domain')
+ elif type(hostname) == str:
+ self.__get_object_domain_ip(hostname, 'domain')
+
+
 def __get_object_domain_ip(self, obs, relation):
 objet_domain_ip = MISPObject('domain-ip')
 objet_domain_ip.add_attribute(relation, obs)
From 7f1caaba25bcc241e6c94b4888ee1add2003b7e2 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 30 Apr 2021 15:16:22 +0200
Subject: [PATCH 11/19] add object certificate
---
 .gitignore | 5 +++-
 misp_modules/modules/expansion/onyphe.py | 32 +++++++++++++++++++++++-
 2 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 323f87a..4c3db86 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,4 +16,7 @@ site*
 .idea/*
 #venv
-venv*
\ No newline at end of file
+venv*
+
+#vscode
+.vscode*
\ No newline at end of file
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index 2ab3677..774058c 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
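Review bot: Hostnames from the record are passed to `self.__get_object_domain_ip(d, 'domain')`, so they land under the domain-ip object's `domain` relation and lose the distinction the `hostname` key in the reply carries. If the domain-ip template in use offers a `hostname` relation (I cannot verify that from here) pass it instead; otherwise a comment such as `# hostnames are deliberately filed under the domain relation of domain-ip` records the choice. The block is otherwise a copy of the `domain` block above it, loop variable still named `d`; one helper taking the record key and the relation would serve both. The enclosing `__summary_ip` starts above this hunk.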
@@ -60,7 +60,37 @@ class OnypheClient:
 elif type(hostname) == str:
 self.__get_object_domain_ip(hostname, 'domain')
-
+ if 'issuer' in r:
+ issuer = r['issuer']
+ self.__get_object_certificate(r)
+
+ def __get_object_certificates(self, r):
+ object_certificate = MISPObject('x509')
+ object_certificate.add_attribute('ip', self.attribute['value'])
+ object_certificate.add_attribute('serial-number', r['serial'])
+ object_certificate.add_attribute('x509-fingerprint-sha256', r['fingerprint']['sha256'])
+ object_certificate.add_attribute('x509-fingerprint-sha1', r['fingerprint']['sha1'])
+ object_certificate.add_attribute('x509-fingerprint-md5', r['fingerprint']['md5'])
+
+ signature = r['signature']['algorithm']
+ value = ''
+ if 'sha256' in signature and 'RSA' in signature:
+ value = 'SHA256_WITH_RSA_ENCRYPTION'
+ elif 'sha1' in signature and 'RSA' in signature:
+ value = 'SHA1_WITH_RSA_ENCRYPTION'
+ if value:
+ object_certificate.add_attribute('signature_algorithm', value)
+
+ object_certificate.add_attribute('pubkey-info-algorithm',r['publickey']['algorithm'])
+ object_certificate.add_attribute('pubkey-info-exponent',r['publickey']['exponent'])
+ object_certificate.add_attribute('pubkey-info-size',r['publickey']['length'])
+
+ object_certificate.add_attribute('issuer',r['issuer']['commonname'])
+ object_certificate.add_attribute('validity-not-before',r['validity']['notbefore'])
+ object_certificate.add_attribute('validity-not-after',r['validity']['notbefore'])
+ self.misp_event.add_object(object_certificate)
+
+ pass
 def __get_object_domain_ip(self, obs, relation):
 objet_domain_ip = MISPObject('domain-ip')
 objet_domain_ip.add_attribute(relation, obs)
From 4478440d5b09153381efdafa394e4dd29e5a0037 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 30 Apr 2021 15:16:47 +0200
Subject: [PATCH 12/19] remove pass
---
 misp_modules/modules/expansion/onyphe.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
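Review bot: `validity-not-after` is filled from `r['validity']['notbefore']`, so every x509 object this produces reports an expiry equal to its start date, and an analyst reading that field would misjudge whether the certificate is still valid; nothing later in the series corrects it. The line should read `object_certificate.add_attribute('validity-not-after', r['validity']['notafter'])`, assuming Onyphe spells the key `notafter` — that is not visible here, so confirm against a real reply. The `signature_algorithm` mapping only recognises RSA with SHA-1 or SHA-256; ECDSA and anything else is dropped without comment, which deserves at least a `# only RSA/SHA1 and RSA/SHA256 are mapped; other algorithms are omitted` note. The `if 'issuer' in r:` lines belong to `__summary_ip`, which starts above this hunk.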
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index 774058c..d7720d4 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -90,7 +90,7 @@ class OnypheClient:
 object_certificate.add_attribute('validity-not-after',r['validity']['notbefore'])
 self.misp_event.add_object(object_certificate)
- pass
+
 def __get_object_domain_ip(self, obs, relation):
 objet_domain_ip = MISPObject('domain-ip')
 objet_domain_ip.add_attribute(relation, obs)
From 32aeb52efc82485dc773a2c7e7019db4c32f4bb9 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 30 Apr 2021 15:22:55 +0200
Subject: [PATCH 13/19] fixe typo
---
 misp_modules/modules/expansion/onyphe.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index d7720d4..89e8188 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -64,7 +64,7 @@ class OnypheClient:
 issuer = r['issuer']
 self.__get_object_certificate(r)
- def __get_object_certificates(self, r):
+ def __get_object_certificate(self, r):
 object_certificate = MISPObject('x509')
 object_certificate.add_attribute('ip', self.attribute['value'])
 object_certificate.add_attribute('serial-number', r['serial'])
From 86beb488c1fd5746e78dff2bc6ff2a84863006ad Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 30 Apr 2021 15:25:27 +0200
Subject: [PATCH 14/19] add test to check
---
 misp_modules/modules/expansion/onyphe.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index 89e8188..cb7cfda 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -80,10 +80,13 @@ class OnypheClient:
 value = 'SHA1_WITH_RSA_ENCRYPTION'
 if value:
 object_certificate.add_attribute('signature_algorithm', value)
-
+
 object_certificate.add_attribute('pubkey-info-algorithm',r['publickey']['algorithm'])
- object_certificate.add_attribute('pubkey-info-exponent',r['publickey']['exponent'])
- object_certificate.add_attribute('pubkey-info-size',r['publickey']['length'])
+
+ if 'exponent' in r['publickey']:
+ object_certificate.add_attribute('pubkey-info-exponent',r['publickey']['exponent'])
+ if 'length' in r['publickey']:
+ object_certificate.add_attribute('pubkey-info-size',r['publickey']['length'])
 object_certificate.add_attribute('issuer',r['issuer']['commonname'])
 object_certificate.add_attribute('validity-not-before',r['validity']['notbefore'])
From 73ea9620bf1b90913c5b8729b0e238240dd0071d Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 30 Apr 2021 15:39:56 +0200
Subject: [PATCH 15/19] add reference
---
 misp_modules/modules/expansion/onyphe.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index cb7cfda..ef2277c 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -91,6 +91,7 @@ class OnypheClient:
 object_certificate.add_attribute('issuer',r['issuer']['commonname'])
 object_certificate.add_attribute('validity-not-before',r['validity']['notbefore'])
 object_certificate.add_attribute('validity-not-after',r['validity']['notbefore'])
+ object_certificate.add_reference(self.attribute['uuid'], 'related-to')
 self.misp_event.add_object(object_certificate)
From 16f9ec9f6d611075f3e7ec37fc53b82bdc460532 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 30 Apr 2021 15:46:59 +0200
Subject: [PATCH 16/19] fix bug
---
 misp_modules/modules/expansion/onyphe.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
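Review bot: The new guards cover only `exponent` and `length`; `r['publickey']['algorithm']` on the context line between them is still dereferenced unconditionally, as are `r['serial']`, `r['fingerprint'][...]`, `r['signature']['algorithm']`, `r['issuer']['commonname']` and `r['validity']['notbefore']` elsewhere in the method, so one record missing any of those keys still aborts the whole expansion with a KeyError rather than just skipping that attribute. Either check every key the same way, or read each value with `r.get(...)` and add the attribute only when it is not None, which keeps the per-record failure local. `__get_object_certificate` starts and ends outside this hunk.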
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index ef2277c..05124e0 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -100,9 +100,9 @@ class OnypheClient:
 objet_domain_ip.add_attribute(relation, obs)
 relation_attr = self.__get_relation_attribute()
 if relation_attr:
- objet_domain_ip.add_attribute(relation, self.attribute['value'])
- objet_domain_ip.add_reference(self.attribute['uuid'], 'related-to')
- self.misp_event.add_object(objet_domain_ip)
+ objet_domain_ip.add_attribute(relation_attr, self.attribute['value'])
+ objet_domain_ip.add_reference(self.attribute['uuid'], 'related-to')
+ self.misp_event.add_object(objet_domain_ip)
 def __get_relation_attribute(self):
From d0c2f943546c21c27211e6704da020a1ef0b06b5 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 7 May 2021 12:27:11 +0200
Subject: [PATCH 17/19] add summary ip, domain and hostname
---
 misp_modules/modules/expansion/onyphe.py | 131 +++++++++++++++++++----
 1 file changed, 112 insertions(+), 19 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index 05124e0..874eff4 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
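Review bot: With `add_reference` and `add_object` now indented under `if relation_attr:`, a query attribute whose type has no mapping in `__get_relation_attribute` makes the domain-ip object vanish silently, with nothing in the result to explain why. Today all four types in `mispattributes['input']` are mapped, so the branch is unreachable, but a comment such as `# no relation for this attribute type: nothing to link the object to, so it is dropped` or an explicit `else` that records an error would keep that from surprising the next maintainer. The enclosing `__get_object_domain_ip` starts above this hunk.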
@@ -33,14 +33,20 @@ class OnypheClient:
 def get_results(self):
 event = json.loads(self.misp_event.to_json())
- results = {key: event[key] for key in ('Attribute', 'Object') if key in event}
+ results = {key: event[key]
+ for key in ('Attribute', 'Object') if key in event}
 return results
 def get_query_onyphe(self):
 if self.attribute['type'] == 'ip-src' or self.attribute['type'] == 'ip-dst':
 self.__summary_ip()
+ if self.attribute['type'] == 'domain':
+ self.__summary_domain()
+ if self.attribute['type'] == 'hostname':
+ self.__summary_hostname()
 def __summary_ip(self):
+ print('ip')
 results = self.onyphe_client.summary_ip(self.attribute['value'])
 if 'results' in results:
 for r in results['results']:
@@ -64,43 +70,107 @@ class OnypheClient:
 issuer = r['issuer']
 self.__get_object_certificate(r)
+ def __summary_domain(self):
+ print('domain')
+ results = self.onyphe_client.summary_domain(self.attribute['value'])
+ if 'results' in results:
+ for r in results['results']:
+
+ for domain in r.get('domain'):
+ self.misp_event.add_attribute('domain', domain)
+ for hostname in r.get('hostname'):
+ self.misp_event.add_attribute('hostname', hostname)
+ if 'ip' in r:
+ if type(r['ip']) is str:
+ self.__get_object_domain_ip(r['ip'], 'ip')
+ if type(r['ip']) is list:
+ for ip in r['ip']:
+ self.__get_object_domain_ip(ip, 'ip')
+ if 'issuer' in r:
+ self.__get_object_certificate(r)
+
+ def __summary_hostname(self):
+ results = self.onyphe_client.summary_hostname(self.attribute['value'])
+ if 'results' in results:
+
+ for r in results['results']:
+ if 'domain' in r:
+ if type(r['domain']) is str:
+ self.misp_event.add_attribute(
+ 'domain', r['domain'])
+ if type(r['domain']) is list:
+ for domain in r['domain']:
+ self.misp_event.add_attribute('domain', domain)
+
+ if 'hostname' in r:
+ if type(r['hostname']) is str:
+ self.misp_event.add_attribute(
+ 'hostname', r['hostname'])
+ if type(r['hostname']) is list:
+ for hostname in r['hostname']:
+ self.misp_event.add_attribute(
+ 'hostname', r['hostname'])
+
+ if 'ip' in r:
+ if type(r['ip']) is str:
+ self.__get_object_domain_ip(r['ip'], 'ip')
+ if type(r['ip']) is list:
+ for ip in r['ip']:
+ self.__get_object_domain_ip(ip, 'ip')
+
+ if 'issuer' in r:
+ self.__get_object_certificate(r)
+
+ if 'cve' in r:
+ if type(r['cve']) is list:
+ for cve in r['cve']:
+ self.__get_object_cve(r, cve)
+
 def __get_object_certificate(self, r):
 object_certificate = MISPObject('x509')
 object_certificate.add_attribute('ip', self.attribute['value'])
 object_certificate.add_attribute('serial-number', r['serial'])
- object_certificate.add_attribute('x509-fingerprint-sha256', r['fingerprint']['sha256'])
- object_certificate.add_attribute('x509-fingerprint-sha1', r['fingerprint']['sha1'])
- object_certificate.add_attribute('x509-fingerprint-md5', r['fingerprint']['md5'])
-
+ object_certificate.add_attribute(
+ 'x509-fingerprint-sha256', r['fingerprint']['sha256'])
+ object_certificate.add_attribute(
+ 'x509-fingerprint-sha1', r['fingerprint']['sha1'])
+ object_certificate.add_attribute(
+ 'x509-fingerprint-md5', r['fingerprint']['md5'])
+
 signature = r['signature']['algorithm']
 value = ''
 if 'sha256' in signature and 'RSA' in signature:
 value = 'SHA256_WITH_RSA_ENCRYPTION'
 elif 'sha1' in signature and 'RSA' in signature:
- value = 'SHA1_WITH_RSA_ENCRYPTION'
+ value = 'SHA1_WITH_RSA_ENCRYPTION'
 if value:
 object_certificate.add_attribute('signature_algorithm', value)
-
- object_certificate.add_attribute('pubkey-info-algorithm',r['publickey']['algorithm'])
-
- if 'exponent' in r['publickey']:
- object_certificate.add_attribute('pubkey-info-exponent',r['publickey']['exponent'])
- if 'length' in r['publickey']:
- object_certificate.add_attribute('pubkey-info-size',r['publickey']['length'])
- object_certificate.add_attribute('issuer',r['issuer']['commonname'])
- object_certificate.add_attribute('validity-not-before',r['validity']['notbefore'])
- object_certificate.add_attribute('validity-not-after',r['validity']['notbefore'])
+ object_certificate.add_attribute(
+ 'pubkey-info-algorithm', r['publickey']['algorithm'])
+
+ if 'exponent' in r['publickey']:
+ object_certificate.add_attribute(
+ 'pubkey-info-exponent', r['publickey']['exponent'])
+ if 'length' in r['publickey']:
+ object_certificate.add_attribute(
+ 'pubkey-info-size', r['publickey']['length'])
+
+ object_certificate.add_attribute('issuer', r['issuer']['commonname'])
+ object_certificate.add_attribute(
+ 'validity-not-before', r['validity']['notbefore'])
+ object_certificate.add_attribute(
+ 'validity-not-after', r['validity']['notbefore'])
 object_certificate.add_reference(self.attribute['uuid'], 'related-to')
 self.misp_event.add_object(object_certificate)
-
-
+
 def __get_object_domain_ip(self, obs, relation):
 objet_domain_ip = MISPObject('domain-ip')
 objet_domain_ip.add_attribute(relation, obs)
 relation_attr = self.__get_relation_attribute()
 if relation_attr:
- objet_domain_ip.add_attribute(relation_attr, self.attribute['value'])
+ objet_domain_ip.add_attribute(
+ relation_attr, self.attribute['value'])
 objet_domain_ip.add_reference(self.attribute['uuid'], 'related-to')
 self.misp_event.add_object(objet_domain_ip)
@@ -115,6 +185,28 @@ class OnypheClient:
 elif self.attribute['type'] == 'hostname':
 return 'domain'
+ def __get_object_cve(self, item, cve):
+ attributes = []
+ object_cve = MISPObject('vulnerability')
+ object_cve.add_attribute('id', cve)
+ object_cve.add_attribute('state', 'Published')
+
+ if type(item['ip']) is list:
+ for ip in item['ip']:
+ attributes.extend(
+ list(filter(lambda x: x['value'] == ip, self.misp_event['Attribute'])))
+ for obj in self.misp_event['Object']:
+ attributes.extend(
+ list(filter(lambda x: x['value'] == ip, obj['Attribute'])))
+ if type(item['ip']) is str:
+
+ for obj in self.misp_event['Object']:
+ for att in obj['Attribute']:
+ if att['value'] == item['ip']:
+ object_cve.add_reference(obj['uuid'], 'cve')
+
+ self.misp_event.add_object(object_cve)
+
 def handler(q=False):
 if q:
@@ -134,6 +226,7 @@ def handler(q=False):
 return {'results': results}
+
 def introspection():
 return mispattributes
From eb48635ce59de9edc3b132f1eb838c0c9aa30633 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 7 May 2021 14:07:18 +0200
Subject: [PATCH 18/19] remove print and variable unsuable
---
 misp_modules/modules/expansion/onyphe.py | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index 874eff4..eba3564 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
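Review bot: In `__summary_domain` the loops `for domain in r.get('domain'):` and `for hostname in r.get('hostname'):` raise TypeError when the key is absent (`None` is not iterable) and, when the value is a plain string, iterate over its characters and add each one as a separate attribute — `__summary_hostname` a few lines below handles both the str and the list case, so the two methods disagree on the same data. Normalise before looping, e.g. `domains = r.get('domain', [])` then `for domain in ([domains] if isinstance(domains, str) else domains):`, or share one helper with `__summary_hostname`. Separately, `__get_object_certificate` still writes `self.attribute['value']` into the x509 object's `ip` attribute, and it is now reached from the domain and hostname paths too, so a domain name ends up in an `ip` field; its `validity-not-after` is also still fed `r['validity']['notbefore']`. All three methods are contained in this hunk.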
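Review bot: When `item['ip']` is a list, `__get_object_cve` fills `attributes` but never reads it, so no reference is added and the vulnerability object is left unattached; only the str branch creates `cve` references. `item['ip']` is also indexed without a guard, and `'state', 'Published'` is a fixed value that the record is never consulted for. I would normalise `ip` to a list and add the references in one pass, which removes the dead list and treats both shapes alike:
```python
    def __get_object_cve(self, item, cve):
        object_cve = MISPObject('vulnerability')
        object_cve.add_attribute('id', cve)
        object_cve.add_attribute('state', 'Published')  # hard-coded; the record carries no state to copy here

        ips = item.get('ip', [])
        if isinstance(ips, str):
            ips = [ips]
        # link the CVE to every object already holding one of this record's IPs
        for obj in self.misp_event['Object']:
            if any(att['value'] in ips for att in obj['Attribute']):
                object_cve.add_reference(obj['uuid'], 'cve')

        self.misp_event.add_object(object_cve)
```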
@@ -46,7 +46,6 @@ class OnypheClient:
 self.__summary_hostname()
 def __summary_ip(self):
- print('ip')
 results = self.onyphe_client.summary_ip(self.attribute['value'])
 if 'results' in results:
 for r in results['results']:
@@ -67,11 +66,9 @@ class OnypheClient:
 self.__get_object_domain_ip(hostname, 'domain')
 if 'issuer' in r:
- issuer = r['issuer']
 self.__get_object_certificate(r)
 def __summary_domain(self):
- print('domain')
 results = self.onyphe_client.summary_domain(self.attribute['value'])
 if 'results' in results:
 for r in results['results']:
From 382025453ec2adb658e31d46d4f4352d160ca68d Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 7 May 2021 14:38:42 +0200
Subject: [PATCH 19/19] fix bug on loop
---
 misp_modules/modules/expansion/onyphe.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index eba3564..c777707 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -106,7 +106,7 @@ class OnypheClient:
 if type(r['hostname']) is list:
 for hostname in r['hostname']:
 self.misp_event.add_attribute(
- 'hostname', r['hostname'])
+ 'hostname', hostname)
 if 'ip' in r:
 if type(r['ip']) is str: