mirror of https://github.com/MISP/misp-modules
commit
d7fac002af
12 changed files with 165 additions and 14 deletions
@ -1,3 +1,3 @@ |
||||
from . import _vmray |
||||
|
||||
__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator'] |
||||
__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries'] |
||||
|
@ -0,0 +1,50 @@ |
||||
import sys, os, io, json |
||||
try: |
||||
from sigma.parser import SigmaCollectionParser |
||||
from sigma.config import SigmaConfiguration |
||||
from sigma.backends import getBackend, BackendOptions |
||||
except ModuleNotFoundError: |
||||
print("sigma or yaml is missing, use 'pip3 install sigmatools' to install it.") |
||||
|
||||
misperrors = {'error': 'Error'} |
||||
mispattributes = {'input': ['sigma'], 'output': ['text']} |
||||
moduleinfo = {'version': '0.1', 'author': 'Christian Studer', 'module-type': ['expansion', 'hover'], |
||||
'description': 'An expansion hover module to display the result of sigma queries.'} |
||||
moduleconfig = [] |
||||
sigma_targets = ('es-dsl', 'es-qs', 'graylog', 'kibana', 'xpack-watcher', 'logpoint', 'splunk', 'grep', 'wdatp', 'splunkxml', 'arcsight', 'qualys') |
||||
|
||||
def handler(q=False): |
||||
if q is False: |
||||
return False |
||||
request = json.loads(q) |
||||
if not request.get('sigma'): |
||||
misperrors['error'] = 'Sigma rule missing' |
||||
return misperrors |
||||
config = SigmaConfiguration() |
||||
backend_options = BackendOptions(None) |
||||
f = io.TextIOWrapper(io.BytesIO(request.get('sigma').encode()), encoding='utf-8') |
||||
parser = SigmaCollectionParser(f, config, None) |
||||
targets = [] |
||||
old_stdout = sys.stdout |
||||
result = io.StringIO() |
||||
sys.stdout = result |
||||
for t in sigma_targets: |
||||
backend = getBackend(t)(config, backend_options, None) |
||||
try: |
||||
parser.generate(backend) |
||||
backend.finalize() |
||||
print("#NEXT") |
||||
targets.append(t) |
||||
except: |
||||
continue |
||||
sys.stdout = old_stdout |
||||
results = result.getvalue()[:-5].split('#NEXT') |
||||
d_result = {t: r.strip() for t,r in zip(targets, results)} |
||||
return {'results': [{'types': mispattributes['output'], 'values': d_result}]} |
||||
|
||||
def introspection(): |
||||
return mispattributes |
||||
|
||||
def version(): |
||||
moduleinfo['config'] = moduleconfig |
||||
return moduleinfo |
@ -0,0 +1,42 @@ |
||||
import json |
||||
try: |
||||
from stix2patterns.validator import run_validator |
||||
except ModuleNotFoundError: |
||||
print("stix2 patterns python library is missing, use 'pip3 install stix2-patterns' to install it.") |
||||
|
||||
misperrors = {'error': 'Error'} |
||||
mispattributes = {'input': ['stix2-pattern'], 'output': ['text']} |
||||
moduleinfo = {'version': '0.1', 'author': 'Christian Studer', 'module-type': ['expansion', 'hover'], |
||||
'description': 'An expansion hover module to perform a syntax check on stix2 patterns.'} |
||||
moduleconfig = [] |
||||
|
||||
def handler(q=False): |
||||
if q is False: |
||||
return False |
||||
request = json.loads(q) |
||||
if not request.get('stix2-pattern'): |
||||
misperrors['error'] = 'STIX2 pattern missing' |
||||
return misperrors |
||||
pattern = request.get('stix2-pattern') |
||||
syntax_errors = [] |
||||
for p in pattern[2:-2].split(' AND '): |
||||
syntax_validator = run_validator("[{}]".format(p)) |
||||
if syntax_validator: |
||||
for error in syntax_validator: |
||||
syntax_errors.append(error) |
||||
if syntax_errors: |
||||
s = 's' if len(syntax_errors) > 1 else '' |
||||
s_errors = "" |
||||
for error in syntax_errors: |
||||
s_errors += "{}\n".format(error[6:]) |
||||
result = "Syntax error{}: \n{}".format(s, s_errors[:-1]) |
||||
else: |
||||
result = "Syntax valid" |
||||
return {'results': [{'types': mispattributes['output'], 'values': result}]} |
||||
|
||||
def introspection(): |
||||
return mispattributes |
||||
|
||||
def version(): |
||||
moduleinfo['config'] = moduleconfig |
||||
return moduleinfo |
@ -1 +1 @@ |
||||
__all__ = ['testexport','cef_export','liteexport','goamlexport','threat_connect_export','pdfexport','threatStream_misp_export'] |
||||
__all__ = ['cef_export','liteexport','goamlexport','threat_connect_export','pdfexport','threatStream_misp_export'] |
||||
|
@ -1,3 +1,3 @@ |
||||
from . import _vmray |
||||
|
||||
__all__ = ['vmray_import', 'testimport', 'ocr', 'cuckooimport', 'goamlimport', 'email_import', 'mispjson', 'openiocimport', 'threatanalyzer_import', 'csvimport'] |
||||
__all__ = ['vmray_import', 'ocr', 'cuckooimport', 'goamlimport', 'email_import', 'mispjson', 'openiocimport', 'threatanalyzer_import', 'csvimport'] |
||||
|
Loading…
Reference in new issue