passed local run check
parent
68250094ff
commit
de3495ea6c
misp_modules/modules/expansion
|
@ -5,16 +5,17 @@ import sys
|
||||||
BASEurl = "https://api.xforce.ibmcloud.com/"
|
BASEurl = "https://api.xforce.ibmcloud.com/"
|
||||||
|
|
||||||
extensions = {"ip1": "ipr/%s",
|
extensions = {"ip1": "ipr/%s",
|
||||||
"ip2": "ipr/malware/%s",
|
"ip2": "ipr/malware/%s",
|
||||||
"url": "url/%s",
|
"url": "url/%s",
|
||||||
"hash": "malware/%s",
|
"hash": "malware/%s",
|
||||||
"vuln": "/vulnerabilities/search/%s"}
|
"vuln": "/vulnerabilities/search/%s",
|
||||||
|
"dns": "resolve/%s"}
|
||||||
|
|
||||||
sys.path.append('./')
|
sys.path.append('./')
|
||||||
|
|
||||||
misperrors = {'error': 'Error'}
|
misperrors = {'error': 'Error'}
|
||||||
mispattributes = {'input': ['ip-src','ip-dst' 'vulnerability', 'md5', 'sha1', 'sha256'],
|
mispattributes = {'input': ['ip-src','ip-dst' 'vulnerability', 'md5', 'sha1', 'sha256'],
|
||||||
'output': ['ip-src', 'ip-dst', 'text']}
|
'output': ['ip-src', 'ip-dst', 'text', 'domain']}
|
||||||
|
|
||||||
# possible module-types: 'expansion', 'hover' or both
|
# possible module-types: 'expansion', 'hover' or both
|
||||||
moduleinfo = {'version': '1', 'author': 'Joerg Stephan (@johest)',
|
moduleinfo = {'version': '1', 'author': 'Joerg Stephan (@johest)',
|
||||||
|
@ -49,9 +50,9 @@ def handler(q=False):
|
||||||
r = {"results": []}
|
r = {"results": []}
|
||||||
|
|
||||||
if "ip-src" in q:
|
if "ip-src" in q:
|
||||||
r["results"] += dict( (apicall("ip1", q["ip-src"], key)).items() + (apicall("ip2", q["ip-src"], key)).items())
|
r["results"] += apicall("dns", q["ip-src"], key)
|
||||||
if "ip-dst" in q:
|
if "ip-dst" in q:
|
||||||
r["results"] += dict( (apicall("ip1", q["ip-src"], key)).items() + (apicall("ip2", q["ip-src"], key)).items())
|
r["results"] += apicall("dns", q["ip-dst"], key)
|
||||||
if "md5" in q:
|
if "md5" in q:
|
||||||
r["results"] += apicall("hash", q["md5"], key)
|
r["results"] += apicall("hash", q["md5"], key)
|
||||||
if "sha1" in q:
|
if "sha1" in q:
|
||||||
|
@ -60,6 +61,8 @@ def handler(q=False):
|
||||||
r["results"] += apicall("hash", q["sha256"], key)
|
r["results"] += apicall("hash", q["sha256"], key)
|
||||||
if 'vulnerability' in q:
|
if 'vulnerability' in q:
|
||||||
r["results"] += apicall("vuln", q["vulnerability"], key)
|
r["results"] += apicall("vuln", q["vulnerability"], key)
|
||||||
|
if "domain" in q:
|
||||||
|
r["results"] += apicall("dns", q["domain"], key)
|
||||||
|
|
||||||
uniq = []
|
uniq = []
|
||||||
for res in r["results"]:
|
for res in r["results"]:
|
||||||
|
@ -73,8 +76,21 @@ def apicall(indicator_type, indicator, key=False):
|
||||||
myURL = BASEurl + (extensions[str(indicator_type)])%indicator
|
myURL = BASEurl + (extensions[str(indicator_type)])%indicator
|
||||||
jsondata = requests.get(myURL, headers=MyHeader(key)).json()
|
jsondata = requests.get(myURL, headers=MyHeader(key)).json()
|
||||||
except:
|
except:
|
||||||
return None
|
jsondata = None
|
||||||
return jsondata
|
redata = []
|
||||||
|
#print(jsondata)
|
||||||
|
if not jsondata is None:
|
||||||
|
if indicator_type is "hash":
|
||||||
|
if "malware" in jsondata:
|
||||||
|
lopointer = jsondata["malware"]
|
||||||
|
redata.append({"type": "text", "values": lopointer["risk"]})
|
||||||
|
if indicator_type is "dns":
|
||||||
|
if "records" in str(jsondata):
|
||||||
|
lopointer = jsondata["Passive"]["records"]
|
||||||
|
for dataset in lopointer:
|
||||||
|
redata.append({"type":"domain", "values": dataset["value"]})
|
||||||
|
|
||||||
|
return redata
|
||||||
|
|
||||||
def introspection():
|
def introspection():
|
||||||
return mispattributes
|
return mispattributes
|
||||||
|
@ -82,4 +98,4 @@ def introspection():
|
||||||
|
|
||||||
def version():
|
def version():
|
||||||
moduleinfo['config'] = moduleconfig
|
moduleinfo['config'] = moduleconfig
|
||||||
return moduleinfo
|
return moduleinfo
|
||||||
|
|
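Review bot: In apicall the guard `if "records" in str(jsondata):` tests the stringified response for a substring while the next line indexes `jsondata["Passive"]["records"]`, so a response that mentions "records" anywhere else raises KeyError outside the try/except, and `if indicator_type is "hash"` / `is "dns"` compare strings by identity, which only works by interning accident — both should become `==` plus `.get()` lookups as below. The bare `except:` also folds every failure, including a rejected API key or a rate-limit response, into an empty result; narrowing it to `(requests.RequestException, ValueError)` keeps the best-effort behaviour while letting programming errors surface. The indicator is interpolated into the URL path unescaped at the `myURL` line, so an attribute value containing `/` or `?` changes the request path; `urllib.parse.quote(str(indicator), safe='')` (import needed at the top of the file) is the defensive fix. In the first hunk `mispattributes['input']` is not extended with `'domain'` although the handler gains an `if "domain" in q` branch, and the same list reads `'ip-dst' 'vulnerability'` with no comma, so those two types are concatenated into one unusable entry. apicall's `def` line and its `try:` are outside the hunk, and the rewrite below assumes the API returns a JSON object rather than a list.
```python
        myURL = BASEurl + (extensions[str(indicator_type)]) % quote(str(indicator), safe='')
        jsondata = requests.get(myURL, headers=MyHeader(key)).json()
    except (requests.RequestException, ValueError):
        # network failure or non-JSON body: treat as "no data", do not hide other errors
        jsondata = None
    redata = []
    if isinstance(jsondata, dict):
        if indicator_type == "hash":
            risk = jsondata.get("malware", {}).get("risk")
            if risk is not None:
                redata.append({"type": "text", "values": risk})
        if indicator_type == "dns":
            records = jsondata.get("Passive", {}).get("records", [])
            for dataset in records:
                if "value" in dataset:
                    redata.append({"type": "domain", "values": dataset["value"]})
    return redata
```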