add: Parsing domains, urls & ips contacted by processes

pull/304/head
chrisr3d 2019-05-22 17:12:49 +02:00
parent cfec9a6b1c
commit e608107a09
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 43 additions and 0 deletions


@ -15,6 +15,7 @@ moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
moduleconfig = []
domain_object_mapping = {'@ip': ('ip-dst', 'ip'), '@name': ('domain', 'domain')}
dropped_file_mapping = {'@entropy': ('float', 'entropy'),
'@file': ('filename', 'filename'),
'@size': ('size-in-bytes', 'size-in-bytes'),
@ -66,6 +67,7 @@ class JoeParser():
self.parse_fileinfo()
self.parse_system_behavior()
self.parse_network_behavior()
self.parse_network_interactions()
self.parse_dropped_files()
if self.attributes:
self.handle_attributes()
@ -207,6 +209,47 @@ class JoeParser():
self.references[pe_object.uuid].append({'idref': section_object.uuid, 'relationship': 'included-in'})
self.misp_event.add_object(**section_object)
def parse_network_interactions(self):
domaininfo = self.data['domaininfo']
if domaininfo:
for domain in domaininfo['domain']:
domain_object = MISPObject('domain-ip')
for key, mapping in domain_object_mapping.items():
attribute_type, object_relation = mapping
domain_object.add_attribute(object_relation, **{'type': attribute_type, 'value': domain[key]})
self.misp_event.add_object(**domain_object)
self.references[self.process_references[(int(domain['@targetid']), domain['@currentpath'])]].append({
'idref': domain_object.uuid,
'relationship': 'contacts'
})
ipinfo = self.data['ipinfo']
if ipinfo:
for ip in ipinfo['ip']:
attribute = MISPAttribute()
attribute.from_dict(**{'type': 'ip-dst', 'value': ip['@ip']})
self.misp_event.add_attribute(**attribute)
self.references[self.process_references[(int(ip['@targetid']), ip['@currentpath'])]].append({
'idref': attribute.uuid,
'relationship': 'contacts'
})
urlinfo = self.data['urlinfo']
if urlinfo:
for url in urlinfo['url']:
target_id = int(url['@targetid'])
current_path = url['@currentpath']
attribute = MISPAttribute()
attribute_dict = {'type': 'url', 'value': url['@name']}
if target_id != -1 and current_path != 'unknown':
self.references[self.process_references[(target_id, current_path)]].append({
'idref': attribute.uuid,
'relationship': 'contacts'
})
else:
attribute_dict['comment'] = 'From Memory - Enriched via the joe_import module'
attribute.from_dict(**attribute_dict)
self.misp_event.add_attribute(**attribute)
def parse_pe_section(self, section):
section_object = MISPObject('pe-section')
for feature, mapping in section_object_mapping.items():
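Review bot: The domain and ip loops in parse_network_interactions index `self.process_references[(int(...['@targetid']), ...['@currentpath'])]` unconditionally, while the url loop below guards the same lookup with `target_id != -1 and current_path != 'unknown'`; a domain or ip entry that Joe Sandbox attributes to memory rather than a process would therefore raise KeyError and abort the whole import, instead of being added without a process link as the url branch does. The lookup and its guard are repeated three times, so factoring it into one helper that returns whether a reference was attached keeps the three branches consistent and lets the url branch keep its `'From Memory ...'` comment on the fallthrough. Presumably a domain entry can also lack `@ip` when resolution failed, in which case `domain[key]` at the domain_object_mapping loop would raise as well; guarding it with `if key in domain:` is cheap, but I am inferring the report shape rather than reading it from this diff. Whether `domaininfo['domain']` is always a list rather than a single dict also cannot be told from the hunk and is worth confirming against a report with one entry.
```python
    def _reference_process(self, info, idref):
        # Entries observed only in memory carry targetid -1 / currentpath 'unknown'
        # and have no process object to link to; report that instead of raising KeyError.
        target_id = int(info['@targetid'])
        current_path = info['@currentpath']
        if target_id == -1 or current_path == 'unknown':
            return False
        self.references[self.process_references[(target_id, current_path)]].append({
            'idref': idref,
            'relationship': 'contacts'
        })
        return True

    def parse_network_interactions(self):
        domaininfo = self.data['domaininfo']
        if domaininfo:
            for domain in domaininfo['domain']:
                domain_object = MISPObject('domain-ip')
                # … unchanged: attribute mapping loop …
                self.misp_event.add_object(**domain_object)
                self._reference_process(domain, domain_object.uuid)
        # … unchanged: ip loop, with the same self._reference_process(ip, attribute.uuid) call …
        urlinfo = self.data['urlinfo']
        if urlinfo:
            for url in urlinfo['url']:
                attribute = MISPAttribute()
                attribute_dict = {'type': 'url', 'value': url['@name']}
                if not self._reference_process(url, attribute.uuid):
                    attribute_dict['comment'] = 'From Memory - Enriched via the joe_import module'
                attribute.from_dict(**attribute_dict)
                self.misp_event.add_attribute(**attribute)
```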