From 023c35f5d85ed9c094a0ee0efb67e0241691bc45 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Thu, 14 Jun 2018 16:47:11 +0200
Subject: [PATCH 01/37] add onyphe full module and code the stub
---
 misp_modules/modules/expansion/onyphe_full.py | 126 ++++++++++++++++++
 1 file changed, 126 insertions(+)
 create mode 100644 misp_modules/modules/expansion/onyphe_full.py
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
new file mode 100644
index 0000000..1b121a9
--- /dev/null
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -0,0 +1,126 @@
+import json
+# -*- coding: utf-8 -*-
+
+import json
+try:
+ from onyphe import Onyphe
+except ImportError:
+ print("pyonyphe module not installed.")
+
+misperrors = {'error': 'Error'}
+
+mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain'], 'output': ['hostname', 'domain', 'ip-src', 'ip-dst','url']}
+# possible module-types: 'expansion', 'hover' or both
+moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven',
+ 'description': 'Query on Onyphe',
+ 'module-type': ['expansion', 'hover']}
+
+# config fields that your code expects from the site admin
+moduleconfig = ['apikey']
+
+
+def handler(q=False):
+ if q:
+
+ request = json.loads(q)
+
+ if not request.get('config') and not (request['config'].get('apikey')):
+ misperrors['error'] = 'Onyphe authentication is missing'
+ return misperrors
+
+ api = Onyphe(request['config'].get('apikey'))
+
+ if not api:
+ misperrors['error'] = 'Onyphe Error instance api'
+
+ ip = ''
+ if request.get('ip-src'):
+ ip = request['ip-src']
+ return handle_ip(api ,ip, misperrors)
+ elif request.get('ip-dst'):
+ ip = request['ip-dst']
+ return handle_ip(api,ip,misperrors)
+ elif request.get('domain'):
+ domain = request['domain']
+ elif request.get('hostname'):
+ hostname = request['hostname']
+ else:
+ misperrors['error'] = "Unsupported attributes type"
+ return misperrors
+
+
+ else:
+ return False
+
+
+def handle_domain(api, domain, misperrors):
+ pass
+
+def handle_ip(api, ip, misperrors):
+ result_filtered = {"results": []}
+
+ r,status_ok = expand_syscan(api,ip,misperrors)
+
+ if status_ok:
+ result_filtered['results'].append(r)
+ else:
+ return r
+
+ r, status_ok = expand_datascan(api,misperrors, ip=ip)
+
+ if status_ok:
+ result_filtered['results'].append(r)
+ else:
+ return r
+
+ r, status_ok = expand_forward(api, ip,misperrors)
+
+ if status_ok:
+ result_filtered['results'].append(r)
+ else:
+ return r
+
+ r, status_ok = expand_reverse(api, ip,misperrors)
+
+ if status_ok:
+ result_filtered['results'].append(r)
+ else:
+ return r
+
+ return result_filtered
+
+
+def expand_syscan(api, ip, misperror):
+ status_ok = False
+ r = None
+
+ return r,status_ok
+
+
+def expand_datascan(api, misperror,**kwargs):
+ status_ok = False
+ r = None
+
+ return r,status_ok
+
+
+def expand_reverse(api, ip, misperror):
+ status_ok = False
+ r = None
+
+ return r,status_ok
+
+
+def expand_forward(api, ip, misperror):
+ status_ok = False
+ r = None
+
+ return r,status_ok
+
+def introspection():
+ return mispattributes
+
+
+def version():
+ moduleinfo['config'] = moduleconfig
+ return moduleinfo
\ No newline at end of file
From 8ae7210aef0ab5c17232ed60da89e889f305617e Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Wed, 20 Jun 2018 11:07:33 +0200
Subject: [PATCH 02/37] add onyphe full module
---
 misp_modules/modules/expansion/onyphe_full.py | 71 +++++++++++++++----
 1 file changed, 58 insertions(+), 13 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 1b121a9..7047a30 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
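Review bot: The config guard in handler, `if not request.get('config') and not (request['config'].get('apikey')):`, is inverted: with no `config` key the second operand raises KeyError, and with a `config` that lacks `apikey` the first operand is False so the check never fires and `Onyphe(None)` is constructed. It should read `if not request.get('config') or not request['config'].get('apikey'):`. The `if not api:` branch sets `misperrors['error']` but does not return it, and the `domain`/`hostname` branches bind a local and then fall off the end of the `if q:` block, so those input types return None to MISP instead of a result or an error. `import json` is also imported twice (lines 1 and 4 of the new file).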
@@ -56,31 +56,33 @@ def handler(q=False): def handle_domain(api, domain, misperrors): pass + def handle_ip(api, ip, misperrors): result_filtered = {"results": []} - r,status_ok = expand_syscan(api,ip,misperrors) + r, status_ok = expand_syscan(api, ip, misperrors) + + if status_ok: + result_filtered['results'].append(r) + else: + misperrors['error'] = "Error syscan result" + return misperrors + + r, status_ok = expand_datascan(api, misperrors, ip=ip) if status_ok: result_filtered['results'].append(r) else: return r - r, status_ok = expand_datascan(api,misperrors, ip=ip) + r, status_ok = expand_forward(api, ip, misperrors) if status_ok: result_filtered['results'].append(r) else: return r - r, status_ok = expand_forward(api, ip,misperrors) - - if status_ok: - result_filtered['results'].append(r) - else: - return r - - r, status_ok = expand_reverse(api, ip,misperrors) + r, status_ok = expand_reverse(api, ip, misperrors) if status_ok: result_filtered['results'].append(r) @@ -94,7 +96,7 @@ def expand_syscan(api, ip, misperror): status_ok = False r = None - return r,status_ok + return r, status_ok def expand_datascan(api, misperror,**kwargs): 
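Review bot: The failure branches in handle_ip are now inconsistent: the syscan branch sets `misperrors['error']` and returns the dict, but the datascan, forward and reverse branches still `return r`, which is `None` from the stub functions, so MISP receives no error message on those paths. Make them mirror the first branch, e.g. `misperrors['error'] = 'Error datascan result'` followed by `return misperrors`. The second hunk in this commit only changes spacing.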
@@ -108,14 +110,57 @@ def expand_reverse(api, ip, misperror): status_ok = False r = None - return r,status_ok + return r, status_ok def expand_forward(api, ip, misperror): status_ok = False r = None - return r,status_ok + return r, status_ok + + +def expand_pastries(api, misperror, **kwargs): + status_ok = False + r = [] + ip = None + domain = None + result = None + urls_pasties = [] + domains = [] + ips = [] + if 'ip' in kwargs: + ip = kwargs.get('ip') + result = api.pastries(ip) + + if 'domain' in kwargs: + domain = kwargs.get('domain') + result = api.pastries(domain) + + if result['status'] =='ok': + status_ok = True + for item in result['results']: + if item['@category'] == 'pastries': + if item['@type'] == 'pastebin': + urls_pasties.append('https://pastebin.com/raw/%s' % item['key']) + + if 'domain' in item: + domains.extend(item['domain']) + if 'ip' in item: + ips.extend(item['ips']) + if 'hostname' in item: + domains.extend(item['hostname']) + + r.append({'types': ['url'], 'values': urls_pasties, + 'categories': ['External analysis']}) + r.append({'types': ['domains'], 'values': list(set(domains)), + 'categories': ['Network activity']}) + + r.append({'types': ['ip-dst'], 'values': list(set(ips)), + 'categories': ['Network activity']}) + + return r, status_ok + def introspection(): return mispattributes From c14d05adefa94498b6e37fc1656481717a1a74b9 Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 12:32:54 +0200 Subject: [PATCH 03/37] test patries expansion --- misp_modules/modules/expansion/onyphe_full.py | 49 +++++++++++-------- 1 file changed, 28 insertions(+), 21 deletions(-) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index 7047a30..220fb50 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py 
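Review bot: In expand_pastries, `result` stays `None` when neither `ip` nor `domain` is passed, so `result['status']` raises TypeError instead of reporting a failure, and when both are passed the second `api.pastries` call silently overwrites the first. The lookups `result['status']`, `item['@category']` and `item['ips']` assume keys this hunk gives no evidence the response guarantees; `if result is None or result.get('status') != 'ok':` with `misperror['error']` set on that path would fail cleanly. `misperror` is accepted but never written, so the caller cannot say why the lookup failed.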
@@ -62,32 +62,39 @@ def handle_ip(api, ip, misperrors): r, status_ok = expand_syscan(api, ip, misperrors) + # if status_ok: + # result_filtered['results'].append(r) + # else: + # misperrors['error'] = "Error syscan result" + + r,status_ok = expand_pastries(api,misperrors,ip=ip) + if status_ok: result_filtered['results'].append(r) else: - misperrors['error'] = "Error syscan result" + misperrors['error'] = 'Error pastries result' return misperrors - r, status_ok = expand_datascan(api, misperrors, ip=ip) - - if status_ok: - result_filtered['results'].append(r) - else: - return r - - r, status_ok = expand_forward(api, ip, misperrors) - - if status_ok: - result_filtered['results'].append(r) - else: - return r - - r, status_ok = expand_reverse(api, ip, misperrors) - - if status_ok: - result_filtered['results'].append(r) - else: - return r + # r, status_ok = expand_datascan(api, misperrors, ip=ip) + # + # if status_ok: + # result_filtered['results'].append(r) + # else: + # return r + # + # r, status_ok = expand_forward(api, ip, misperrors) + # + # if status_ok: + # result_filtered['results'].append(r) + # else: + # return r + # + # r, status_ok = expand_reverse(api, ip, misperrors) + # + # if status_ok: + # result_filtered['results'].append(r) + # else: + # return r return result_filtered From 7195f33f5dccdba730f6937433b92d2b3d4c15fe Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 12:34:07 +0200 Subject: [PATCH 04/37] correct error keys --- misp_modules/modules/expansion/onyphe_full.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index 220fb50..cad7135 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py 
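Review bot: `result_filtered['results'].append(r)` after the new `expand_pastries` call nests the whole attribute list as a single element, because `r` is a list of attribute dicts; `result_filtered['results'].extend(r)` is what the `results` list needs. The call `r, status_ok = expand_syscan(api, ip, misperrors)` is kept while its handling is commented out, so its return value is discarded and immediately overwritten. Prefer deleting the disabled blocks rather than leaving some thirty commented lines inside handle_ip; version control keeps the history.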
@@ -154,7 +154,7 @@ def expand_pastries(api, misperror, **kwargs): if 'domain' in item: domains.extend(item['domain']) if 'ip' in item: - ips.extend(item['ips']) + ips.extend(item['ip']) if 'hostname' in item: domains.extend(item['hostname']) From e8aefde2ee50364e61f95fddce2dead8d7feab21 Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 12:36:32 +0200 Subject: [PATCH 05/37] add logs --- misp_modules/modules/expansion/onyphe_full.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index cad7135..a13df9b 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py @@ -95,7 +95,7 @@ def handle_ip(api, ip, misperrors): # result_filtered['results'].append(r) # else: # return r - + print(result_filtered) return result_filtered From 7a3c4b10846bd149d15b2d2e256c8ef9f00d8d8b Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 12:38:41 +0200 Subject: [PATCH 06/37] change add in results --- misp_modules/modules/expansion/onyphe_full.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index a13df9b..c003672 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py @@ -70,7 +70,7 @@ def handle_ip(api, ip, misperrors): r,status_ok = expand_pastries(api,misperrors,ip=ip) if status_ok: - result_filtered['results'].append(r) + result_filtered['results'].extend(r) else: misperrors['error'] = 'Error pastries result' return misperrors From 5426ec5380c8395ce3b7c17677c29e7938aabee7 Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 12:40:52 +0200 Subject: [PATCH 07/37] change key access domains --- misp_modules/modules/expansion/onyphe_full.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
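Review bot: `print(result_filtered)` added at the end of handle_ip writes the full expansion result to stdout on every request; misp-modules runs as a long-lived service, so this is unstructured noise and should become a `logging` call (the module imports no logger yet) or be removed before merge. The other hunks on this line (patches 04 and 06) are one-line key and method fixes.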
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index c003672..e910dc4 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py @@ -160,7 +160,7 @@ def expand_pastries(api, misperror, **kwargs): r.append({'types': ['url'], 'values': urls_pasties, 'categories': ['External analysis']}) - r.append({'types': ['domains'], 'values': list(set(domains)), + r.append({'types': ['domain'], 'values': list(set(domains)), 'categories': ['Network activity']}) r.append({'types': ['ip-dst'], 'values': list(set(ips)), From e1bc67afad5c2e7f5e04d5ac9e629200f2cc232e Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 14:41:57 +0200 Subject: [PATCH 08/37] add expansion synscan --- misp_modules/modules/expansion/onyphe_full.py | 42 ++++++++++++++++--- 1 file changed, 36 insertions(+), 6 deletions(-) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index e910dc4..1a34d54 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py @@ -62,12 +62,12 @@ def handle_ip(api, ip, misperrors): r, status_ok = expand_syscan(api, ip, misperrors) - # if status_ok: - # result_filtered['results'].append(r) - # else: - # misperrors['error'] = "Error syscan result" + if status_ok: + result_filtered['results'].append(r) + else: + misperrors['error'] = "Error syscan result" - r,status_ok = expand_pastries(api,misperrors,ip=ip) + r, status_ok = expand_pastries(api,misperrors,ip=ip) if status_ok: result_filtered['results'].extend(r) 
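Review bot: The restored syscan branch in handle_ip sets `misperrors['error'] = "Error syscan result"` but, unlike the pastries branch just below it, does not return, so execution continues and the message is either overwritten by a later failure or silently dropped when the later calls succeed. Either add `return misperrors` or drop the assignment and treat syscan as best-effort. Since `r` from expand_syscan is a list (second hunk of this commit), `append(r)` here also nests it; `extend(r)` matches the pastries branch.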
@@ -101,7 +101,37 @@ def handle_ip(api, ip, misperrors): def expand_syscan(api, ip, misperror): status_ok = False - r = None + r = [] + asn_list = [] + os_list = [] + geoloc = [] + orgs = [] + results = api.synscan(ip) + + if results['status'] == 'ok': + status_ok = True + for elem in results['result']: + asn_list.append(elem['asn']) + os_list = elem['os'] + geoloc.append(elem['location']) + orgs.append(elem['organization']) + if os_list != 'Unknown': + os_list.append(elem['os']) + + r.append({'types': ['target-machine'], + 'values': list(set(os_list)), + 'categories': ['Targeting data']}) + + r.append({'types': ['target-location'], + 'values': list(set(geoloc)), + 'categories': ['Targeting data']}) + + r.append({'types': ['target-org'], + 'values': list(set(orgs)), + 'categories': ['Targeting data']}) + + r.append({'types': ['AS'], 'values': list(set(asn_list)), + 'categories': ['Network activity']}) return r, status_ok From 9427c766038cbac8a572fcd4004c9b92916ac5b4 Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 14:45:06 +0200 Subject: [PATCH 09/37] error keys --- misp_modules/modules/expansion/onyphe_full.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index 1a34d54..f6c334e 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py @@ -110,7 +110,7 @@ def expand_syscan(api, ip, misperror): if results['status'] == 'ok': status_ok = True - for elem in results['result']: + for elem in results['results']: asn_list.append(elem['asn']) os_list = elem['os'] geoloc.append(elem['location']) From 3a4294391fa83024779b546a94c4a07555e78177 Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 14:48:18 +0200 Subject: [PATCH 10/37] error type --- misp_modules/modules/expansion/onyphe_full.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
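Review bot: In expand_syscan the line `os_list = elem['os']` rebinds the accumulator list to the string read from the response, so the following `os_list.append(elem['os'])` raises AttributeError for any OS other than 'Unknown' and earlier entries are lost; read the value into a separate local such as `os_target = elem['os']` and compare that. When `results['status']` is not 'ok' the function returns `([], False)` without populating `misperror`, and a response missing any of `asn`/`os`/`location`/`organization` raises KeyError rather than failing cleanly. The patch-09 hunk on this line corrects the `results['result']` key.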
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index f6c334e..9b9c06c 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py @@ -112,10 +112,10 @@ def expand_syscan(api, ip, misperror): status_ok = True for elem in results['results']: asn_list.append(elem['asn']) - os_list = elem['os'] + os_target = elem['os'] geoloc.append(elem['location']) orgs.append(elem['organization']) - if os_list != 'Unknown': + if os_target != 'Unknown': os_list.append(elem['os']) r.append({'types': ['target-machine'], @@ -131,7 +131,7 @@ def expand_syscan(api, ip, misperror): 'categories': ['Targeting data']}) r.append({'types': ['AS'], 'values': list(set(asn_list)), - 'categories': ['Network activity']}) + 'categories': ['Network activity']}) return r, status_ok From d1e72676f18bb44fe770b9031fb720ee96727ca4 Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 14:50:48 +0200 Subject: [PATCH 11/37] error method --- misp_modules/modules/expansion/onyphe_full.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index 9b9c06c..27ed2f7 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py @@ -63,7 +63,7 @@ def handle_ip(api, ip, misperrors): r, status_ok = expand_syscan(api, ip, misperrors) if status_ok: - result_filtered['results'].append(r) + result_filtered['results'].extend(r) else: misperrors['error'] = "Error syscan result" From 7eba7c0386cd29cc8b350b6134841e0557a9e940 Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 14:53:08 +0200 Subject: [PATCH 12/37] error loops --- misp_modules/modules/expansion/onyphe_full.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index 27ed2f7..0dad6fd 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py @@ -118,19 +118,19 @@ def expand_syscan(api, ip, misperror): if os_target != 'Unknown': os_list.append(elem['os']) - r.append({'types': ['target-machine'], + r.append({'types': ['target-machine'], 'values': list(set(os_list)), 'categories': ['Targeting data']}) - r.append({'types': ['target-location'], + r.append({'types': ['target-location'], 'values': list(set(geoloc)), 'categories': ['Targeting data']}) - r.append({'types': ['target-org'], + r.append({'types': ['target-org'], 'values': list(set(orgs)), 'categories': ['Targeting data']}) - r.append({'types': ['AS'], 'values': list(set(asn_list)), + r.append({'types': ['AS'], 'values': list(set(asn_list)), 'categories': ['Network activity']}) return r, status_ok From 915747073a2f917b76261106f6ecb6021febfef6 Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 15:05:00 +0200 Subject: [PATCH 13/37] add comment of attributes --- misp_modules/modules/expansion/onyphe_full.py | 29 +++++++++++++------ 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index 0dad6fd..eaf7a37 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py 
@@ -115,23 +115,32 @@ def expand_syscan(api, ip, misperror): os_target = elem['os'] geoloc.append(elem['location']) orgs.append(elem['organization']) - if os_target != 'Unknown': + if os_target != 'Unknown' and os_target != 'Undefined': os_list.append(elem['os']) r.append({'types': ['target-machine'], 'values': list(set(os_list)), - 'categories': ['Targeting data']}) + 'categories': ['Targeting data'], + 'comment':'OS found on %s with synscan of Onyphe' % ip}) r.append({'types': ['target-location'], 'values': list(set(geoloc)), - 'categories': ['Targeting data']}) + 'categories': ['Targeting data'], + 'comment': 'geolocalisation of %s found with synscan of Onyphe' + % ip + }) r.append({'types': ['target-org'], - 'values': list(set(orgs)), - 'categories': ['Targeting data']}) + 'values': list(set(orgs)), + 'categories': ['Targeting data'], + 'comment': 'Organisations of %s found with synscan of Onyphe' + }) - r.append({'types': ['AS'], 'values': list(set(asn_list)), - 'categories': ['Network activity']}) + r.append({'types': ['AS'], + 'values': list(set(asn_list)), + 'categories': ['Network activity'], + 'comment': 'As number of %s found with synscan of Onyphe' + }) return r, status_ok @@ -191,10 +200,12 @@ def expand_pastries(api, misperror, **kwargs): r.append({'types': ['url'], 'values': urls_pasties, 'categories': ['External analysis']}) r.append({'types': ['domain'], 'values': list(set(domains)), - 'categories': ['Network activity']}) + 'categories': ['Network activity'], + 'comment': 'domains found in pasties of Onyphe'}) r.append({'types': ['ip-dst'], 'values': list(set(ips)), - 'categories': ['Network activity']}) + 'categories': ['Network activity'], + 'comment': 'IPs found in pasties of Onyphe'}) return r, status_ok From d0f42c1772cdef93e3bb260e99b4cd0b930e1772 Mon Sep 17 00:00:00 2001 
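Review bot: Two of the new attribute comments in expand_syscan, `'Organisations of %s found with synscan of Onyphe'` and `'As number of %s found with synscan of Onyphe'`, lack the `% ip` that the first two have, so the literal `%s` is what MISP will display. Append `% ip` to both strings so all four are formatted the same way.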
From: Sebdraven Date: Wed, 20 Jun 2018 15:07:55 +0200 Subject: [PATCH 14/37] add comment of attributes --- misp_modules/modules/expansion/onyphe_full.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index eaf7a37..ba27e11 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py @@ -197,11 +197,13 @@ def expand_pastries(api, misperror, **kwargs): if 'hostname' in item: domains.extend(item['hostname']) - r.append({'types': ['url'], 'values': urls_pasties, - 'categories': ['External analysis']}) + r.append({'types': ['url'], + 'values': urls_pasties, + 'categories': ['External analysis'], + 'comment':'URLs of pasties where %s has found' % ip}) r.append({'types': ['domain'], 'values': list(set(domains)), 'categories': ['Network activity'], - 'comment': 'domains found in pasties of Onyphe'}) + 'comment': 'Domains found in pasties of Onyphe'}) r.append({'types': ['ip-dst'], 'values': list(set(ips)), 'categories': ['Network activity'], From a24b529868fc1f4b2067be8226a21f8c562bd8b9 Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 15:33:21 +0200 Subject: [PATCH 15/37] add forward infos --- misp_modules/modules/expansion/onyphe_full.py | 53 +++++++++++++------ 1 file changed, 38 insertions(+), 15 deletions(-) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index ba27e11..fca5af0 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py 
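Review bot: The new comment `'URLs of pasties where %s has found' % ip` in expand_pastries interpolates `ip`, which is `None` when the function is called with `domain=`, so domain lookups label their URLs 'where None has found'. Format with the value actually queried — bind `query = kwargs.get('ip') or kwargs.get('domain')` near the top and use `% query` — and reword to `'URLs of pasties where %s was found'`.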
@@ -9,7 +9,9 @@ except ImportError: misperrors = {'error': 'Error'} -mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain'], 'output': ['hostname', 'domain', 'ip-src', 'ip-dst','url']} +mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain'], + 'output': ['hostname', 'domain', 'ip-src', 'ip-dst','url']} + # possible module-types: 'expansion', 'hover' or both moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven', 'description': 'Query on Onyphe', @@ -82,12 +84,13 @@ def handle_ip(api, ip, misperrors): # else: # return r # - # r, status_ok = expand_forward(api, ip, misperrors) - # - # if status_ok: - # result_filtered['results'].append(r) - # else: - # return r + r, status_ok = expand_forward(api, ip, misperrors) + + if status_ok: + result_filtered['results'].extend(r) + else: + misperrors['error'] = 'Error forward result' + return # # r, status_ok = expand_reverse(api, ip, misperrors) # @@ -119,14 +122,14 @@ def expand_syscan(api, ip, misperror): os_list.append(elem['os']) r.append({'types': ['target-machine'], - 'values': list(set(os_list)), - 'categories': ['Targeting data'], - 'comment':'OS found on %s with synscan of Onyphe' % ip}) + 'values': list(set(os_list)), + 'categories': ['Targeting data'], + 'comment': 'OS found on %s with synscan of Onyphe' % ip}) r.append({'types': ['target-location'], - 'values': list(set(geoloc)), - 'categories': ['Targeting data'], - 'comment': 'geolocalisation of %s found with synscan of Onyphe' + 'values': list(set(geoloc)), + 'categories': ['Targeting data'], + 'comment': 'Geolocalisation of %s found with synscan of Onyphe' % ip }) @@ -149,7 +152,7 @@ def expand_datascan(api, misperror,**kwargs): status_ok = False r = None - return r,status_ok + return r, status_ok def expand_reverse(api, ip, misperror): 
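Review bot: In the new forward branch of handle_ip, the failure path sets `misperrors['error'] = 'Error forward result'` and then does a bare `return`, so the caller receives `None` instead of the error dict that the pastries branch returns; change it to `return misperrors`. The same bare `return` is still visible as context in the patch-18 hunk later on this page, so it is not corrected elsewhere in the series.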
@@ -161,8 +164,28 @@ def expand_reverse(api, ip, misperror): def expand_forward(api, ip, misperror): status_ok = False - r = None + r = [] + results = api.forward(ip) + domains_forward = [] + + domains = [] + if results['status'] == 'ok': + status_ok = True + + for elem in results['results']: + domains_forward.append(elem['forward']) + domains.append(elem['domain']) + + r.append({'types': ['domain'], + 'values': list(set(domains)), + 'categories': ['Network activity'], + 'comment': 'Domains of %s from forward service of Onyphe' % ip}) + + r.append({'types': ['domain'], + 'values': list(set(domains_forward)), + 'categories': ['Network activity'], + 'comment': 'Forward Domains of %s from forward service of Onyphe' % ip}) return r, status_ok From 0d120af64715b5fe5a191a8d6fa22a05e5a4c3b6 Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 16:24:17 +0200 Subject: [PATCH 16/37] add reverse infos --- misp_modules/modules/expansion/onyphe_full.py | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index fca5af0..a2876a1 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py 
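Review bot: expand_forward returns `([], False)` whenever `results['status']` is not 'ok' but never writes `misperror`, so handle_ip can only report the generic 'Error forward result' with no detail from the service. `results['status']`, `elem['forward']` and `elem['domain']` are indexed directly; if any key is absent the request fails with a KeyError instead of a MISP error, so `results.get('status')` and `elem.get(...)` with `misperror['error']` set on the failure path would be safer. Both attributes are emitted with `'types': ['domain']`, which makes them indistinguishable apart from the comment; confirm that is intended.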
@@ -158,7 +158,29 @@ def expand_datascan(api, misperror,**kwargs): def expand_reverse(api, ip, misperror): status_ok = False r = None + status_ok = False + r = [] + results = api.forward(ip) + domains_reverse = [] + + domains = [] + if results['status'] == 'ok': + status_ok = True + + for elem in results['results']: + domains_reverse.append(elem['forward']) + domains.append(elem['domain']) + + r.append({'types': ['domain'], + 'values': list(set(domains)), + 'categories': ['Network activity'], + 'comment': 'Domains of %s from forward service of Onyphe' % ip}) + + r.append({'types': ['domain'], + 'values': list(set(domains_reverse)), + 'categories': ['Network activity'], + 'comment': 'Reverse Domains of %s from forward service of Onyphe' % ip}) return r, status_ok From 4a8a79c56062e77aab1f64e9602f192961064824 Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 16:26:09 +0200 Subject: [PATCH 17/37] add reverse infos --- misp_modules/modules/expansion/onyphe_full.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index a2876a1..f340f92 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py @@ -169,7 +169,7 @@ def expand_reverse(api, ip, misperror): status_ok = True for elem in results['results']: - domains_reverse.append(elem['forward']) + domains_reverse.append(elem['reverse']) domains.append(elem['domain']) r.append({'types': ['domain'], From d4be9d9fda875582485a9230fdd7f1cf1566fabd Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 16:29:04 +0200 Subject: [PATCH 18/37] add reverse infos --- misp_modules/modules/expansion/onyphe_full.py | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index f340f92..19fb207 100644 
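Review bot: expand_reverse keeps the original `status_ok = False` / `r = None` pair and immediately re-assigns both on the next two lines; delete the dead first pair. The body is a copy of expand_forward — it calls `api.forward(ip)`, reads `elem['forward']` and labels both attributes 'from forward service of Onyphe' — so this commit returns forward data under a reverse name; the call and key are fixed by patches 17 and 19 on this page, but the comment strings are not and should say `'Domains of %s from reverse service of Onyphe'`. As in expand_forward, a non-'ok' status leaves `misperror` unset.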
--- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py @@ -92,12 +92,14 @@ def handle_ip(api, ip, misperrors): misperrors['error'] = 'Error forward result' return # - # r, status_ok = expand_reverse(api, ip, misperrors) - # - # if status_ok: - # result_filtered['results'].append(r) - # else: - # return r + r, status_ok = expand_reverse(api, ip, misperrors) + + if status_ok: + result_filtered['results'].extend(r) + else: + misperrors['error'] = 'Error reverse result' + return misperrors + print(result_filtered) return result_filtered From b56f8cfa36071d62a9f422c0d828868ecb9c4c94 Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 16:30:56 +0200 Subject: [PATCH 19/37] add reverse infos --- misp_modules/modules/expansion/onyphe_full.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index 19fb207..9f4e16d 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py @@ -162,7 +162,7 @@ def expand_reverse(api, ip, misperror): r = None status_ok = False r = [] - results = api.forward(ip) + results = api.reverse(ip) domains_reverse = [] From 04e932cce063d10759a0e708ed3cb8c43d68ab55 Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 17:47:11 +0200 Subject: [PATCH 20/37] add datascan expansion --- misp_modules/modules/expansion/onyphe_full.py | 67 ++++++++++++++++--- 1 file changed, 58 insertions(+), 9 deletions(-) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index 9f4e16d..8b8e0a2 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py 
@@ -77,13 +77,13 @@ def handle_ip(api, ip, misperrors): misperrors['error'] = 'Error pastries result' return misperrors - # r, status_ok = expand_datascan(api, misperrors, ip=ip) - # - # if status_ok: - # result_filtered['results'].append(r) - # else: - # return r - # + r, status_ok = expand_datascan(api, misperrors, ip=ip) + + if status_ok: + result_filtered['results'].append(r) + else: + return r + r, status_ok = expand_forward(api, ip, misperrors) if status_ok: @@ -139,12 +139,13 @@ def expand_syscan(api, ip, misperror): 'values': list(set(orgs)), 'categories': ['Targeting data'], 'comment': 'Organisations of %s found with synscan of Onyphe' + % ip }) r.append({'types': ['AS'], 'values': list(set(asn_list)), 'categories': ['Network activity'], - 'comment': 'As number of %s found with synscan of Onyphe' + 'comment': 'As number of %s found with synscan of Onyphe' % ip }) return r, status_ok 
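Review bot: The re-enabled datascan branch in handle_ip uses `result_filtered['results'].append(r)` and `else: return r`, whereas the neighbouring pastries and forward branches use `extend(r)` and return `misperrors` with a message; since expand_datascan now returns a list of attribute dicts, `append` nests it and a failure hands that bare list back to MISP with no error text. Use `result_filtered['results'].extend(r)` and `misperrors['error'] = 'Error datascan result'` / `return misperrors` to match the other branches.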
@@ -152,7 +153,55 @@ def expand_syscan(api, ip, misperror): def expand_datascan(api, misperror,**kwargs): status_ok = False - r = None + r = [] + ip = '' + query ='' + asn_list = [] + geoloc = [] + orgs = [] + ports = [] + if 'ip' in kwargs: + query = kwargs.get('ip') + else: + query = kwargs.get('domain') + + results = api.datascan(query) + + if results['status'] == 'ok': + for elem in results['results']: + asn_list.append(elem['asn']) + os_target = elem['os'] + geoloc.append(elem['location']) + orgs.append(elem['organization']) + ports.append(elem['port']) + + r.append({'types': ['port'], + 'values': list(set(ports)), + 'categories': ['Other'], + 'comment': 'Ports of %s found with datascan of Onyphe' + % ip + }) + + r.append({'types': ['target-location'], + 'values': list(set(geoloc)), + 'categories': ['Targeting data'], + 'comment': 'Geolocalisation of %s found with synscan of Onyphe' + % ip + }) + + r.append({'types': ['target-org'], + 'values': list(set(orgs)), + 'categories': ['Targeting data'], + 'comment': 'Organisations of %s found with synscan of Onyphe' + % ip + }) + + r.append({'types': ['AS'], + 'values': list(set(asn_list)), + 'categories': ['Network activity'], + 'comment': 'As number of %s found with synscan of Onyphe' % ip + }) + return r, status_ok From 2afd2b8aaf901a3dd89e58070917d27bbb490b02 Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 20 Jun 2018 17:50:28 +0200 Subject: [PATCH 21/37] correct bug --- misp_modules/modules/expansion/onyphe_full.py | 1 - 1 file changed, 1 deletion(-) diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py index 8b8e0a2..1f6c580 100644 --- a/misp_modules/modules/expansion/onyphe_full.py +++ b/misp_modules/modules/expansion/onyphe_full.py 
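Review bot: expand_datascan never sets `status_ok = True` inside the `if results['status'] == 'ok':` block (compare expand_syscan), so every successful query is reported to handle_ip as a failure. Its four comments interpolate `ip`, which is initialised to `''` and never assigned — the looked-up value is in `query` — and three of them say 'synscan' although this is the datascan service; use `% query` and name the service correctly. The ports are emitted as `'port'` attributes, and `mispattributes['output']` (see patch 15) declares only hostname/domain/ip/url, so the output list looks incomplete for this and the target-*/AS types as well — worth confirming against how MISP validates module output.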
@@ -170,7 +170,6 @@ def expand_datascan(api, misperror,**kwargs):
 if results['status'] == 'ok':
 for elem in results['results']:
 asn_list.append(elem['asn'])
- os_target = elem['os']
 geoloc.append(elem['location'])
 orgs.append(elem['organization'])
 ports.append(elem['port'])
From 9195887f986cfa123fb87d3971c1cb290e8145ce Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Wed, 20 Jun 2018 17:51:46 +0200
Subject: [PATCH 22/37] pep 8
---
 misp_modules/modules/expansion/onyphe_full.py | 2 --
 1 file changed, 2 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 1f6c580..4ca9a26 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -200,8 +200,6 @@ def expand_datascan(api, misperror,**kwargs):
 'categories': ['Network activity'],
 'comment': 'As number of %s found with synscan of Onyphe' % ip
 })
-
-
 return r, status_ok
From 153d8bd340e407e058fa97b0c2b11b04e70d5b94 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Wed, 20 Jun 2018 17:56:19 +0200
Subject: [PATCH 23/37] add logs
---
 misp_modules/modules/expansion/onyphe_full.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 4ca9a26..acdaced 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -22,6 +22,7 @@ moduleconfig = ['apikey']
 def handler(q=False):
+ print(q)
 if q:
 request = json.loads(q)
From fe00f099f618e2628560552a6592c61030207a37 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Wed, 20 Jun 2018 17:59:49 +0200
Subject: [PATCH 24/37] add logs
---
 misp_modules/modules/expansion/onyphe_full.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index acdaced..66c208f 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
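Review bot: `print(q)` in handler writes the raw request to the module's stdout, and `q` carries the `config` block with the Onyphe `apikey`, so the key ends up in whatever captures the process output (the following commit removes the line again). Any debug output of the request should omit or mask `config`, for example `print({k: v for k, v in request.items() if k != 'config'})` after the `json.loads`, or be left out entirely before merging. handler's body continues outside the hunk.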
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -22,7 +22,6 @@ moduleconfig = ['apikey']
 def handler(q=False):
- print(q)
 if q:
 request = json.loads(q)
@@ -83,7 +82,8 @@ def handle_ip(api, ip, misperrors):
 if status_ok:
 result_filtered['results'].append(r)
 else:
- return r
+ misperrors['error'] = 'Error datascan result'
+ return misperrors
 r, status_ok = expand_forward(api, ip, misperrors)
@@ -91,8 +91,8 @@ def handle_ip(api, ip, misperrors):
 result_filtered['results'].extend(r)
 else:
 misperrors['error'] = 'Error forward result'
- return
- #
+ return misperrors
+
 r, status_ok = expand_reverse(api, ip, misperrors)
 if status_ok:
From 4166475f9e7d9906e691b581469dc8ac343c11e2 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Wed, 20 Jun 2018 18:02:12 +0200
Subject: [PATCH 25/37] add logs
---
 misp_modules/modules/expansion/onyphe_full.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 66c208f..6982ccb 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -82,7 +82,7 @@ def handle_ip(api, ip, misperrors):
 if status_ok:
 result_filtered['results'].append(r)
 else:
- misperrors['error'] = 'Error datascan result'
+ misperrors['error'] = 'Error datascan result %s' % status_ok
 return misperrors
 r, status_ok = expand_forward(api, ip, misperrors)
@@ -90,7 +90,7 @@ def handle_ip(api, ip, misperrors):
 if status_ok:
 result_filtered['results'].extend(r)
 else:
- misperrors['error'] = 'Error forward result'
+ misperrors['error'] = 'Error forward result %s' % status_ok
 return misperrors
 r, status_ok = expand_reverse(api, ip, misperrors)
@@ -167,6 +167,7 @@ def expand_datascan(api, misperror,**kwargs):
 query = kwargs.get('domain')
 results = api.datascan(query)
+ print(results)
 if results['status'] == 'ok':
 for elem in results['results']:
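Review bot: Returning `misperrors` as soon as the datascan call fails discards the attributes already collected in `result_filtered` from the earlier syscan and pastries lookups, so one unavailable Onyphe endpoint blanks the whole expansion; the forward branch in the next hunk, and later the handle_domain body added in PATCH 33, follow the same all-or-nothing pattern. If partial results are acceptable, the failed expansion could be logged and skipped by dropping the `return misperrors`, leaving the remaining lookups to run. Note also that `misperrors` is the module-level dict, so the message set here persists across requests until another branch overwrites it. handle_ip starts and ends outside the hunk.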
From a9b7a10c4117472f745337c7491d6ab4dfe76521 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Wed, 20 Jun 2018 18:03:34 +0200
Subject: [PATCH 26/37] set status after requests
---
 misp_modules/modules/expansion/onyphe_full.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 6982ccb..7168618 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -167,9 +167,10 @@ def expand_datascan(api, misperror,**kwargs):
 query = kwargs.get('domain')
 results = api.datascan(query)
- print(results)
+
 if results['status'] == 'ok':
+ status_ok = False
 for elem in results['results']:
 asn_list.append(elem['asn'])
 geoloc.append(elem['location'])
From e712a31760ef29dfd41a1a911e459a3be1a4cc6d Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Wed, 20 Jun 2018 18:04:12 +0200
Subject: [PATCH 27/37] set status after requests
---
 misp_modules/modules/expansion/onyphe_full.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 7168618..1187648 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -170,7 +170,7 @@ def expand_datascan(api, misperror,**kwargs):
 if results['status'] == 'ok':
- status_ok = False
+ status_ok = True
 for elem in results['results']:
 asn_list.append(elem['asn'])
 geoloc.append(elem['location'])
From 1d1fd365693308a8eecb8ca82f62c06a43d73058 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Wed, 20 Jun 2018 18:05:28 +0200
Subject: [PATCH 28/37] change method to concat methods
---
 misp_modules/modules/expansion/onyphe_full.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 1187648..9466d8a 100644
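Review bot: With `status_ok = True` now set only under `if results['status'] == 'ok':`, a non-ok response still leaves the `misperror` argument of expand_datascan untouched, so the caller only ever sees the generic 'Error datascan result' text and whatever reason Onyphe returned is lost. An `else:` branch on this `if` that records the failure in `misperror['error']` (whether the response carries a message field is not visible here — confirm against the pyonyphe client), or dropping the unused parameter, would make the failure actionable. The function starts and ends outside the hunk.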
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -80,7 +80,7 @@ def handle_ip(api, ip, misperrors):
 r, status_ok = expand_datascan(api, misperrors, ip=ip)
 if status_ok:
- result_filtered['results'].append(r)
+ result_filtered['results'].extend(r)
 else:
 misperrors['error'] = 'Error datascan result %s' % status_ok
 return misperrors
From e230c88c155c4956e2478c394c78335eb1dfcee9 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 22 Jun 2018 11:59:09 +0200
Subject: [PATCH 29/37] add threat list expansion
---
 misp_modules/modules/expansion/onyphe_full.py | 40 +++++++++++++++++--
 1 file changed, 36 insertions(+), 4 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 9466d8a..931271c 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -82,7 +82,7 @@ def handle_ip(api, ip, misperrors):
 if status_ok:
 result_filtered['results'].extend(r)
 else:
- misperrors['error'] = 'Error datascan result %s' % status_ok
+ misperrors['error'] = 'Error datascan result '
 return misperrors
 r, status_ok = expand_forward(api, ip, misperrors)
@@ -90,7 +90,7 @@ def handle_ip(api, ip, misperrors):
 if status_ok:
 result_filtered['results'].extend(r)
 else:
- misperrors['error'] = 'Error forward result %s' % status_ok
+ misperrors['error'] = 'Error forward result'
 return misperrors
 r, status_ok = expand_reverse(api, ip, misperrors)
@@ -101,7 +101,14 @@ def handle_ip(api, ip, misperrors):
 misperrors['error'] = 'Error reverse result'
 return misperrors
- print(result_filtered)
+ r, status_ok = expand_threatlist(api, misperrors, ip=ip)
+
+ if status_ok:
+ result_filtered['results'].extend(r)
+ else:
+ misperrors['error'] = 'Error threat list'
+ return misperrors
+
 return result_filtered
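Review bot: The new message `'Error datascan result '` carries a trailing space that the forward and reverse messages in the following hunks do not; `misperrors['error'] = 'Error datascan result'` keeps the three uniform and avoids a stray space in the error shown to the analyst. handle_ip starts and ends outside the hunk.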
@@ -168,7 +175,6 @@ def expand_datascan(api, misperror,**kwargs):
 results = api.datascan(query)
-
 if results['status'] == 'ok':
 status_ok = True
 for elem in results['results']:
@@ -308,6 +314,32 @@ def expand_pastries(api, misperror, **kwargs):
 return r, status_ok
+def expand_threatlist(api, misperror,**kwargs):
+ status_ok = False
+ r = []
+
+ query = None
+
+ threat_list = []
+
+ if 'ip' in kwargs:
+ query = kwargs.get('ip')
+ else:
+ query = kwargs.get('domain')
+
+ results = api.threatlist(query)
+ if results['status'] == 'ok':
+ status_ok = True
+ threat_list = ['seen %s on %s ' % (item['seen_date'], item['threatlist'])
+ for item in results['results']]
+
+ r.append({'types': ['comment'],
+ 'categories': ['Other'],
+ 'values': [threat_list]
+ })
+
+ return r,status_ok
+
 def introspection():
 return mispattributes
From e9c18b3d5fe01dcad008d04831f50e7d860c7efa Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 22 Jun 2018 13:03:09 +0200
Subject: [PATCH 30/37] correct comments
---
 misp_modules/modules/expansion/onyphe_full.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 931271c..02375c7 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
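Review bot: expand_threatlist appends its comment attribute even when `results['results']` is empty, so a clean indicator yields an attribute whose `values` is `[[]]`; the `'values': [threat_list]` form also wraps the hit list in an extra list, giving one value that is itself a list rather than one string per hit. Guard the append with `if threat_list:` and pass `threat_list` directly. `misperror` is accepted but never used, and `item['seen_date']` / `item['threatlist']` will raise KeyError if a hit lacks either field — whether Onyphe guarantees them is not visible here.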
@@ -187,27 +187,27 @@ def expand_datascan(api, misperror,**kwargs):
 'values': list(set(ports)),
 'categories': ['Other'],
 'comment': 'Ports of %s found with datascan of Onyphe'
- % ip
+ % query
 })
 r.append({'types': ['target-location'],
 'values': list(set(geoloc)),
 'categories': ['Targeting data'],
 'comment': 'Geolocalisation of %s found with synscan of Onyphe'
- % ip
+ % query
 })
 r.append({'types': ['target-org'],
 'values': list(set(orgs)),
 'categories': ['Targeting data'],
 'comment': 'Organisations of %s found with synscan of Onyphe'
- % ip
+ % query
 })
 r.append({'types': ['AS'],
 'values': list(set(asn_list)),
 'categories': ['Network activity'],
- 'comment': 'As number of %s found with synscan of Onyphe' % ip
+ 'comment': 'As number of %s found with synscan of Onyphe' % query
 })
 return r, status_ok
From 8d03354399f689295c68fee17a4786e9bc74f8ef Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 22 Jun 2018 15:12:10 +0200
Subject: [PATCH 31/37] correct bugs
---
 misp_modules/modules/expansion/onyphe_full.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 02375c7..5d7011f 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -335,7 +335,7 @@ def expand_threatlist(api, misperror,**kwargs):
 r.append({'types': ['comment'],
 'categories': ['Other'],
- 'values': [threat_list]
+ 'values': threat_list
 })
 return r,status_ok
From 96c829470dd205d6dbf007d3e19db9a74fb552d9 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 22 Jun 2018 15:14:44 +0200
Subject: [PATCH 32/37] add comment
---
 misp_modules/modules/expansion/onyphe_full.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 5d7011f..9e7ae8c 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
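Review bot: The comments rewritten here for the geolocation, organisation and AS attributes still say `found with synscan of Onyphe` although expand_datascan builds them from `api.datascan`; the wording is a copy of expand_syscan's, and only the port entry says `datascan`. Suggest `'comment': 'Geolocalisation of %s found with datascan of Onyphe' % query` and the same substitution for the other two, so an analyst can tell which Onyphe category each attribute came from. expand_datascan starts outside the hunk.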
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -335,7 +335,8 @@ def expand_threatlist(api, misperror,**kwargs):
 r.append({'types': ['comment'],
 'categories': ['Other'],
- 'values': threat_list
+ 'values': threat_list,
+ 'comment': '%s is present in threatlist' % query
 })
 return r,status_ok
From 83999d6402030fa5b78630f49cdf1f5d65db5e82 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 22 Jun 2018 15:57:52 +0200
Subject: [PATCH 33/37] add domain expansion
---
 misp_modules/modules/expansion/onyphe_full.py | 42 ++++++++++++++-----
 1 file changed, 32 insertions(+), 10 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 9e7ae8c..39f3d42 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -49,13 +49,36 @@ def handler(q=False):
 else:
 misperrors['error'] = "Unsupported attributes type"
 return misperrors
-
-
 else:
 return False
 def handle_domain(api, domain, misperrors):
+ result_filtered = {"results": []}
+
+ r, status_ok = expand_pastries(api, misperrors, domain=domain)
+
+ if status_ok:
+ result_filtered['results'].extend(r)
+ else:
+ misperrors['error'] = 'Error pastries result'
+ return misperrors
+
+ r, status_ok = expand_datascan(api, misperrors, domain=domain)
+
+ if status_ok:
+ result_filtered['results'].extend(r)
+ else:
+ misperrors['error'] = 'Error datascan result '
+ return misperrors
+
+ r, status_ok = expand_threatlist(api, misperrors, domain=domain)
+
+ if status_ok:
+ result_filtered['results'].extend(r)
+ else:
+ misperrors['error'] = 'Error threat list'
+ return misperrors
 pass
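Review bot: handle_domain still ends in `pass` after the new body, so on the success path it returns `None` and a caller would propagate that instead of the collected attributes; the last line should be `return result_filtered`. The datascan error string copies `'Error datascan result '` with its trailing space from handle_ip. As far as this series shows, handler does not yet call handle_domain at this commit, so the path is unexercised until it is wired in.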
@@ -271,19 +294,18 @@ def expand_forward(api, ip, misperror):
 def expand_pastries(api, misperror, **kwargs):
 status_ok = False
 r = []
- ip = None
- domain = None
+
+ query = None
 result = None
 urls_pasties = []
 domains = []
 ips = []
 if 'ip' in kwargs:
- ip = kwargs.get('ip')
- result = api.pastries(ip)
-
+ query = kwargs.get('ip')
 if 'domain' in kwargs:
- domain = kwargs.get('domain')
- result = api.pastries(domain)
+ query = kwargs.get('domain')
+
+ api.pastries(query)
 if result['status'] =='ok':
 status_ok = True
@@ -302,7 +324,7 @@ def expand_pastries(api, misperror, **kwargs):
 r.append({'types': ['url'],
 'values': urls_pasties,
 'categories': ['External analysis'],
- 'comment':'URLs of pasties where %s has found' % ip})
+ 'comment':'URLs of pasties where %s has found' % query})
 r.append({'types': ['domain'], 'values': list(set(domains)), 'categories': ['Network activity'], 'comment': 'Domains found in pasties of Onyphe'})
From de6a81d4883afd56a91e8af0fadc683aeac0a3ba Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 22 Jun 2018 16:04:14 +0200
Subject: [PATCH 34/37] correct bugs
---
 misp_modules/modules/expansion/onyphe_full.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 39f3d42..8a33e3c 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -305,7 +305,7 @@ def expand_pastries(api, misperror, **kwargs):
 if 'domain' in kwargs:
 query = kwargs.get('domain')
- api.pastries(query)
+ result = api.pastries(query)
 if result['status'] =='ok':
 status_ok = True
From 396b71ef3b7481c22474fc5f6d821950a5c63268 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 22 Jun 2018 16:06:34 +0200
Subject: [PATCH 35/37] add domain to expand
---
 misp_modules/modules/expansion/onyphe_full.py | 2 ++
 1 file changed, 2 insertions(+)
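Review bot: The rewritten lookup calls `api.pastries(query)` without assigning its return value, so `result` keeps the `None` it is initialised with and the `result['status']` check on the next line raises TypeError for every input; it should read `result = api.pastries(query)`. The two `if 'ip' in kwargs:` / `if 'domain' in kwargs:` tests are independent, so a caller passing both silently queries only the domain and a caller passing neither queries `None` — an `elif` plus an early `return r, status_ok` when `query is None` would make that explicit. expand_pastries continues outside the hunk.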
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 8a33e3c..bde4d4a 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -44,8 +44,10 @@ def handler(q=False):
 return handle_ip(api,ip,misperrors)
 elif request.get('domain'):
 domain = request['domain']
+ return handle_domain(api, domain, misperrors)
 elif request.get('hostname'):
 hostname = request['hostname']
+ return handle_domain(api, hostname, misperrors)
 else:
 misperrors['error'] = "Unsupported attributes type"
 return misperrors
From 87b07b89b54ec1e569f14e1e2e29f4f5de18f2e9 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 22 Jun 2018 16:15:34 +0200
Subject: [PATCH 36/37] add search
---
 misp_modules/modules/expansion/onyphe_full.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index bde4d4a..6ac4750 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -193,12 +193,13 @@ def expand_datascan(api, misperror,**kwargs):
 geoloc = []
 orgs = []
 ports = []
+
 if 'ip' in kwargs:
 query = kwargs.get('ip')
+ results = api.datascan(query)
 else:
 query = kwargs.get('domain')
-
- results = api.datascan(query)
+ results = api.search_datascan('domain:%s' % query)
 if results['status'] == 'ok':
 status_ok = True
@@ -304,10 +305,10 @@ def expand_pastries(api, misperror, **kwargs):
 ips = []
 if 'ip' in kwargs:
 query = kwargs.get('ip')
+ result = api.pastries(query)
 if 'domain' in kwargs:
 query = kwargs.get('domain')
-
- result = api.pastries(query)
+ result = api.search_pastries('domain:%s' % query)
 if result['status'] =='ok':
 status_ok = True
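Review bot: Hostname attributes are now routed through handle_domain, so a full host name goes through exactly the same expansions as a registered domain; whether Onyphe indexes the two alike is not visible here, and the `elif request.get('hostname'):` branch deserves at least a comment recording the assumption, e.g. `# hostnames are expanded like domains; confirm Onyphe matches full host names`. handler starts outside the hunk.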
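Review bot: `api.search_datascan('domain:%s' % query)` splices the attribute value straight into an Onyphe search expression; the same construction appears in the pastries hunk below and in the threatlist hunk of this commit. Attribute values come from MISP events, i.e. from observables that third parties supplied, so a value containing spaces, quotes or a colon would alter the expression rather than be searched for, and the query would silently return unrelated or no results. Validate `query` before building the expression — for example accept it only if it matches `r'^[A-Za-z0-9.-]+$'`, otherwise set `misperror['error']` and `return r, status_ok` — so only well-formed names reach the search API. expand_datascan starts outside the hunk.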
@@ -348,10 +349,11 @@ def expand_threatlist(api, misperror,**kwargs):
 if 'ip' in kwargs:
 query = kwargs.get('ip')
+ results = api.threatlist(query)
 else:
 query = kwargs.get('domain')
+ results = api.search_threatlist('domain:%s' % query)
- results = api.threatlist(query)
 if results['status'] == 'ok':
 status_ok = True
 threat_list = ['seen %s on %s ' % (item['seen_date'], item['threatlist'])
From 785aac3e6b6d8474f4916f48fde3b16f9d49c4e3 Mon Sep 17 00:00:00 2001
From: Sebdraven
Date: Fri, 22 Jun 2018 16:18:23 +0200
Subject: [PATCH 37/37] add return handle domains
---
 misp_modules/modules/expansion/onyphe_full.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 6ac4750..7a05d12 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
@@ -81,7 +81,8 @@ def handle_domain(api, domain, misperrors):
 else:
 misperrors['error'] = 'Error threat list'
 return misperrors
- pass
+
+ return result_filtered
 def handle_ip(api, ip, misperrors):