mirror of https://github.com/MISP/misp-modules
Merge 5e4e56cab2
into 5b692eeca9
commit
ebe1e39dfc
25
.travis.yml
25
.travis.yml
|
@ -3,17 +3,42 @@ language: python
|
|||
services:
|
||||
- redis-server
|
||||
|
||||
addons:
|
||||
apt:
|
||||
packages:
|
||||
- libgpg-error-dev
|
||||
- libgpgme11-dev
|
||||
- haveged
|
||||
- swig
|
||||
|
||||
dist: trusty
|
||||
group: beta
|
||||
sudo: required
|
||||
|
||||
python:
|
||||
- "3.3"
|
||||
- "3.4"
|
||||
- "3.5"
|
||||
- "3.5-dev"
|
||||
- "3.6-dev"
|
||||
- "nightly"
|
||||
|
||||
before_install:
|
||||
- wget ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.6.0.tar.bz2
|
||||
- tar xjf gpgme-1.6.0.tar.bz2
|
||||
- pushd gpgme-1.6.0
|
||||
- ./configure --prefix=/usr && make
|
||||
- sudo make install
|
||||
- sudo ldconfig
|
||||
- popd
|
||||
- gpg --batch --gen-key tests/gpg/test_org_gpg
|
||||
|
||||
install:
|
||||
- pip install -U pip
|
||||
- pip install -U nose
|
||||
- pip install coveralls
|
||||
- pip install codecov
|
||||
- pip install --pre pyme3
|
||||
- pip install -U -r REQUIREMENTS
|
||||
- pip install .
|
||||
|
||||
|
|
|
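Review bot: The gpgme tarball fetched in before_install (`wget ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.6.0.tar.bz2`) arrives over unauthenticated plain FTP and is then built and installed with `sudo make install` without any integrity check, so the CI image runs as root whatever the transport delivered. Pin the expected digest and fail the build on mismatch before the `tar xjf` step, e.g. `echo "<EXPECTED_SHA256>  gpgme-1.6.0.tar.bz2" | sha256sum -c -`, or verify the detached signature GnuPG publishes next to the tarball against a key committed to the repository. `pip install --pre pyme3` has the same flavour, since it pulls whatever pre-release is current rather than a pinned version; a `pyme3==<VERSION>` pin keeps the build reproducible.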
@ -17,3 +17,5 @@ git+https://github.com/CIRCL/PyMISP.git#egg=pymisp
|
|||
pillow
|
||||
pytesseract
|
||||
SPARQLWrapper
|
||||
git+https://github.com/MISP/PyMISP.git
|
||||
--pre pyme3
|
||||
|
|
|
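Review bot: `git+https://github.com/MISP/PyMISP.git` is added with no commit or tag pinned, so every install pulls the current HEAD of that repository, and the hunk header context shows an existing `git+https://github.com/CIRCL/PyMISP.git#egg=pymisp` line earlier in the file, so pymisp now appears to be requested from two different repositories. Keep a single entry and pin it, e.g. `git+https://github.com/MISP/PyMISP.git@<COMMIT_SHA>#egg=pymisp`. The `--pre pyme3` line is also suspect: as far as I know pip treats `--pre` in a requirements file as a file-wide option, so this line would enable pre-releases for every requirement and may not request pyme3 at all; a pinned `pyme3==<VERSION>` line makes the intent explicit, but confirm against the pip version used in CI.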
@ -1,3 +1,4 @@
|
|||
from .expansion import *
|
||||
from .import_mod import *
|
||||
from .export_mod import *
|
||||
from .event import *
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
__all__ = ['sign', 'verify']
|
|
@ -0,0 +1,39 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
|
||||
import json
|
||||
|
||||
from pymisp import MISPEvent, EncodeUpdate
|
||||
|
||||
misperrors = {'error': 'Error'}
|
||||
|
||||
moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot',
|
||||
'description': 'Sign a MISP Event',
|
||||
'module-type': ['event']}
|
||||
|
||||
moduleconfig = ['uid', 'passphrase']
|
||||
|
||||
'''
|
||||
NOTE:
|
||||
* requires pyme3 + dependencies
|
||||
* working gpg-agent
|
||||
* private key for signing
|
||||
'''
|
||||
|
||||
|
||||
def handler(q=False):
|
||||
if q is False:
|
||||
return False
|
||||
request = json.loads(q) # Assuming request has two keys: config & mispevent (mispevent being the json dump of the event)
|
||||
mispevent = MISPEvent()
|
||||
mispevent.load(request['mispevent'])
|
||||
mispevent.sign(request['config']['uid'], request['config']['passphrase'])
|
||||
return json.dumps(mispevent, cls=EncodeUpdate)
|
||||
|
||||
|
||||
def introspection():
|
||||
return moduleconfig
|
||||
|
||||
|
||||
def version():
|
||||
moduleinfo['config'] = moduleconfig
|
||||
return moduleinfo
|
|
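Review bot: `misperrors` is defined at the top of this module (description 'Sign a MISP Event') but the handler never returns it: a body that is not JSON raises ValueError out of `json.loads(q)`, and a request missing `mispevent`, `config`, `uid` or `passphrase` raises KeyError, so callers get a traceback instead of the module's error dict. Wrap the parsing and lookups and return an error dict naming only the missing key; the config carries the signing passphrase, so the error text must never echo the request body. Whatever `mispevent.sign` raises on a wrong passphrase or absent private key is not visible here and should be mapped the same way once its exception type is confirmed against PyMISP. The verify handler in the next hunk has the same unguarded `json.loads` and key lookups, including `mispevent.Orgc['uuid']`.
```python
def handler(q=False):
    if q is False:
        return False
    try:
        request = json.loads(q)  # expected keys: config and mispevent (the JSON dump of the event)
        config = request['config']
        mispevent = MISPEvent()
        mispevent.load(request['mispevent'])
        mispevent.sign(config['uid'], config['passphrase'])
    except ValueError:
        return {'error': 'Request body is not valid JSON'}
    except KeyError as e:
        # Name the missing key only; config holds the passphrase, so never include the request itself.
        return {'error': 'Missing key in request: {}'.format(e)}
    return json.dumps(mispevent, cls=EncodeUpdate)
```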
@ -0,0 +1,39 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
|
||||
import json
|
||||
|
||||
from pymisp import MISPEvent
|
||||
|
||||
misperrors = {'error': 'Error'}
|
||||
|
||||
moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot',
|
||||
'description': 'Verify the signature of a MISP Event',
|
||||
'module-type': ['event']}
|
||||
|
||||
moduleconfig = []
|
||||
|
||||
'''
|
||||
NOTE:
|
||||
* requires pyme3 + dependencies
|
||||
* working gpg-agent
|
||||
* the public key which signed the event in the keyring
|
||||
'''
|
||||
|
||||
|
||||
def handler(q=False):
|
||||
if q is False:
|
||||
return False
|
||||
request = json.loads(q) # Assuming request has two keys: config & mispevent (mispevent being the json dump of the event)
|
||||
mispevent = MISPEvent()
|
||||
mispevent.load(request['mispevent'])
|
||||
verified = mispevent.verify(mispevent.Orgc['uuid'])
|
||||
return json.dumps(verified)
|
||||
|
||||
|
||||
def introspection():
|
||||
return moduleconfig
|
||||
|
||||
|
||||
def version():
|
||||
moduleinfo['config'] = moduleconfig
|
||||
return moduleinfo
|
|
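Review bot: The key identity used for verification is taken from the event being verified itself (`verified = mispevent.verify(mispevent.Orgc['uuid'])`), so a True result only establishes that the event was signed by whichever keyring key matches the Orgc uuid the event carries, not that the organisation the caller expects actually signed it; the caller has no way to tell the two apart from the bare boolean this handler returns. Accept the expected signer as a config value, which the test already supplies as `'config': {'uid': ...}` even though `moduleconfig = []` here, and verify against that, or at least return the uuid that was checked alongside the result, e.g. `return json.dumps({'verified': verified, 'uid': mispevent.Orgc['uuid']})`, so the caller can compare it with the organisation it trusts. Whether `MISPEvent.verify` returns a plain bool is not visible in this hunk; confirm against PyMISP before relying on the JSON shape.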
@ -0,0 +1 @@
|
|||
{"Event": {"info": "Ransomware - Xorist", "publish_timestamp": "1472548231", "timestamp": "1472541011", "analysis": "2", "Attribute": [{"category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68", "uuid": "57c5300c-0560-4146-bfaa-40e802de0b81", "timestamp": "1472540684", "to_ids": false, "value": "https://www.virustotal.com/file/b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68/analysis/1469554268/", "type": "link"}, {"category": "External analysis", "comment": "", "uuid": "57c5310b-dc34-43cb-8b8e-4846950d210f", "timestamp": "1472541011", "to_ids": false, "value": "http://www.xylibox.com/2011/06/have-fun-with-trojan-ransomwin32xorist.html", "type": "link"}, {"category": "Other", "comment": "", "uuid": "57c444c0-8004-48fa-9c33-8aca950d210f", "timestamp": "1472480448", "to_ids": false, "value": "UPX packed", "type": "comment"}, {"category": "Other", "comment": "", "uuid": "57c44648-96f4-45d4-a8eb-453e950d210f", "timestamp": "1472480840", "to_ids": false, "value": "Key: 85350044dF4AC3518D185678A9414A7F,\r\nEncryption rounds:8,\r\nStart offset: 64,\r\nAlgorithm: TEA", "type": "text"}, {"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "uuid": "57c4448a-fb04-457d-87e7-4127950d210f", "timestamp": "1472480394", "to_ids": true, "value": "3Z4wnG9603it23y.exe", "type": "filename"}, {"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "uuid": "57c4448b-454c-4d17-90d1-4d2f950d210f", "timestamp": "1472480395", "to_ids": true, "value": "0749bae92ca336a02c83d126e04ec628", "type": "md5"}, {"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "uuid": "57c4448a-bef0-4ba7-a071-444e950d210f", "timestamp": "1472480394", "to_ids": true, "value": "77b0c41b7d340b8a3d903f21347bbf06aa766b5b", "type": "sha1"}, {"category": "Payload delivery", "comment": "Imported via the 
Freetext Import Tool", "uuid": "57c4448b-3fa4-4d65-9ccc-4afa950d210f", "timestamp": "1472480395", "to_ids": true, "value": "b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68", "type": "sha256"}, {"category": "Persistence mechanism", "comment": "", "uuid": "57c54b0f-27a4-458b-8e63-4455950d210f", "timestamp": "1472547599", "to_ids": true, "value": "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run|%TEMP%\\3Z4wnG9603it23y.exe", "type": "regkey|value"}], "Tag": [{"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#3d7a00", "exportable": true, "name": "circl:incident-classification=\"malware\""}, {"colour": "#420053", "exportable": true, "name": "ms-caro-malware:malware-type=\"Ransom\""}, {"colour": "#2c4f00", "exportable": true, "name": "malware_classification:malware-category=\"Ransomware\""}], "published": true, "date": "2016-08-29", "Orgc": {"name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"}, "threat_level_id": "3", "uuid": "57c4445b-c548-4654-af0b-4be3950d210f"}}
|
|
@ -0,0 +1,7 @@
|
|||
%echo Generating a basic OpenPGP key
|
||||
Key-Type: RSA
|
||||
Name-Real: 5832bfa8-76d0-4bdb-a221-46fa950d210f
|
||||
Passphrase: misptestorg
|
||||
# Do a commit here, so that we can later print "done" :-)
|
||||
%commit
|
||||
%echo done
|
|
@ -6,6 +6,7 @@ import requests
|
|||
import base64
|
||||
import json
|
||||
import os
|
||||
from pymisp import MISPEvent, EncodeUpdate
|
||||
|
||||
|
||||
class TestModules(unittest.TestCase):
|
||||
|
@ -59,5 +60,22 @@ class TestModules(unittest.TestCase):
|
|||
response = requests.post(self.url + "query", data=f.read()).json()
|
||||
assert(response)
|
||||
|
||||
def test_sign(self):
|
||||
event = MISPEvent()
|
||||
event.load('tests/57c4445b-c548-4654-af0b-4be3950d210f.json')
|
||||
data = {'module': 'sign',
|
||||
'config': {'uid': '5832bfa8-76d0-4bdb-a221-46fa950d210f', 'passphrase': 'misptestorg'},
|
||||
'mispevent': json.dumps(event, cls=EncodeUpdate)}
|
||||
try:
|
||||
signed_event = requests.post(self.url + "query", data=json.dumps(data)).json()
|
||||
event.load(signed_event)
|
||||
data = {'module': 'verify',
|
||||
'config': {'uid': '5832bfa8-76d0-4bdb-a221-46fa950d210f'},
|
||||
'mispevent': json.dumps(event, cls=EncodeUpdate)}
|
||||
verified = requests.post(self.url + "query", data=json.dumps(data))
|
||||
assert(verified)
|
||||
except:
|
||||
pass
|
||||
|
||||
if __name__ == '__main__':
|
||||
unittest.main()
|
||||
|
|
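Review bot: The bare `except: pass` at the end of test_sign swallows every failure, including the AssertionError from `assert(verified)`, so the test passes even when the sign or verify modules are broken or the service is down; drop the try/except so failures surface. `assert(verified)` also tests the `requests.Response` object, which is truthy for any status below 400, rather than the verification result; decode the body and assert on it, e.g. `verified = requests.post(self.url + "query", data=json.dumps(data)).json()` followed by `assert verified is True` (this assumes `MISPEvent.verify` returns a bool, which is not visible here — confirm against PyMISP). The `'config': {'uid': ...}` sent to the verify module is not consumed by that module's handler as written, so the test currently exercises less than it suggests.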