MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

Sanity checks

pull/516/head
Jason Zhang 2021-08-12 11:08:09 +01:00
parent b4938c77cb
commit f5fdf343b8
1 changed files with 20 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
misp_modules/modules/expansion/vmware_nsx.py
View File

@ -44,7 +44,7 @@ mispattributes = {
moduleinfo = { moduleinfo = {
"version": "0.2", "version": "0.2",
"author": "Jason Zhang", "author": "Jason Zhang, Stefano Ortolani",
"description": "Enrich a file or URL with VMware NSX Defender", "description": "Enrich a file or URL with VMware NSX Defender",
"module-type": ["expansion", "hover"], "module-type": ["expansion", "hover"],
} }
@ -111,11 +111,15 @@ class ResultParser:
# Add HTTP requests from url analyses # Add HTTP requests from url analyses
network_dict = result.get("report", {}).get("analysis", {}).get("network", {}) network_dict = result.get("report", {}).get("analysis", {}).get("network", {})
for request in network_dict.get("requests", []): for request in network_dict.get("requests", []):
parsed_uri = parse.urlparse(request["url"]) if not request["url"] and not request["ip"]:
continue
o = pymisp.MISPObject(name="http-request") o = pymisp.MISPObject(name="http-request")
o.add_attribute("host", parsed_uri.netloc)
o.add_attribute("method", "GET") o.add_attribute("method", "GET")
if request["url"]:
parsed_uri = parse.urlparse(request["url"])
o.add_attribute("host", parsed_uri.netloc)
o.add_attribute("uri", request["url"]) o.add_attribute("uri", request["url"])
if request["ip"]:
o.add_attribute("ip-dst", request["ip"]) o.add_attribute("ip-dst", request["ip"])
misp_event.add_object(o) misp_event.add_object(o)
@ -129,8 +133,8 @@ class ResultParser:
try: try:
if hostname == "wpad" or hostname == "localhost": if hostname == "wpad" or hostname == "localhost":
continue continue
# Invalid hostname, e.g., hostname: '2.2.0.10.in-addr.arpa. # Invalid hostname, e.g., hostname: ZLKKJRPY or 2.2.0.10.in-addr.arpa.
if hostname[-1] == ".": if "." not in hostname or hostname[-1] == ".":
continue continue
_ = ipaddress.ip_address(hostname) _ = ipaddress.ip_address(hostname)
continue continue
@ -183,6 +187,8 @@ class ResultParser:
misp_event.add_object(o) misp_event.add_object(o)
# Add behaviors # Add behaviors
# Check if its not empty first, as at least one attribute has to be set for sb-signature object
if result.get("malicious_activity", []):
o = pymisp.MISPObject(name="sb-signature") o = pymisp.MISPObject(name="sb-signature")
o.add_attribute("software", "VMware NSX Defender") o.add_attribute("software", "VMware NSX Defender")
for activity in result.get("malicious_activity", []): for activity in result.get("malicious_activity", []):