mirror of https://github.com/MISP/misp-modules
add: Modules to query/import/submit data from/to Lastline
parent
9744c1e0a5
commit
f749578525
|
@ -48,6 +48,8 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
|
||||||
* [iprep](misp_modules/modules/expansion/iprep.py) - an expansion module to get IP reputation from packetmail.net.
|
* [iprep](misp_modules/modules/expansion/iprep.py) - an expansion module to get IP reputation from packetmail.net.
|
||||||
* [Joe Sandbox submit](misp_modules/modules/expansion/joesandbox_submit.py) - Submit files and URLs to Joe Sandbox.
|
* [Joe Sandbox submit](misp_modules/modules/expansion/joesandbox_submit.py) - Submit files and URLs to Joe Sandbox.
|
||||||
* [Joe Sandbox query](misp_modules/modules/expansion/joesandbox_query.py) - Query Joe Sandbox with the link of an analysis and get the parsed data.
|
* [Joe Sandbox query](misp_modules/modules/expansion/joesandbox_query.py) - Query Joe Sandbox with the link of an analysis and get the parsed data.
|
||||||
|
* [Lastline submit](misp_modules/modules/expansion/lastline_submit.py) - Submit files and URLs to Lastline.
|
||||||
|
* [Lastline query](misp_modules/modules/expansion/lastline_query.py) - Query Lastline with the link to an analysis and parse the report.
|
||||||
* [macaddress.io](misp_modules/modules/expansion/macaddress_io.py) - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from [MAC address Vendor Lookup](https://macaddress.io). See [integration tutorial here](https://macaddress.io/integrations/MISP-module).
|
* [macaddress.io](misp_modules/modules/expansion/macaddress_io.py) - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from [MAC address Vendor Lookup](https://macaddress.io). See [integration tutorial here](https://macaddress.io/integrations/MISP-module).
|
||||||
* [macvendors](misp_modules/modules/expansion/macvendors.py) - a hover module to retrieve mac vendor information.
|
* [macvendors](misp_modules/modules/expansion/macvendors.py) - a hover module to retrieve mac vendor information.
|
||||||
* [ocr-enrich](misp_modules/modules/expansion/ocr_enrich.py) - an enrichment module to get OCRized data from images into MISP.
|
* [ocr-enrich](misp_modules/modules/expansion/ocr_enrich.py) - an enrichment module to get OCRized data from images into MISP.
|
||||||
|
@ -104,6 +106,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
|
||||||
* [Email Import](misp_modules/modules/import_mod/email_import.py) Email import module for MISP to import basic metadata.
|
* [Email Import](misp_modules/modules/import_mod/email_import.py) Email import module for MISP to import basic metadata.
|
||||||
* [GoAML import](misp_modules/modules/import_mod/goamlimport.py) Module to import [GoAML](http://goaml.unodc.org/goaml/en/index.html) XML format.
|
* [GoAML import](misp_modules/modules/import_mod/goamlimport.py) Module to import [GoAML](http://goaml.unodc.org/goaml/en/index.html) XML format.
|
||||||
* [Joe Sandbox import](misp_modules/modules/import_mod/joe_import.py) Parse data from a Joe Sandbox json report.
|
* [Joe Sandbox import](misp_modules/modules/import_mod/joe_import.py) Parse data from a Joe Sandbox json report.
|
||||||
|
* [Lastline import](misp_modules/modules/import_mod/lastline_import.py) Module to import Lastline analysis reports.
|
||||||
* [OCR](misp_modules/modules/import_mod/ocr.py) Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.
|
* [OCR](misp_modules/modules/import_mod/ocr.py) Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.
|
||||||
* [OpenIOC](misp_modules/modules/import_mod/openiocimport.py) OpenIOC import based on PyMISP library.
|
* [OpenIOC](misp_modules/modules/import_mod/openiocimport.py) OpenIOC import based on PyMISP library.
|
||||||
* [ThreatAnalyzer](misp_modules/modules/import_mod/threatanalyzer_import.py) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
|
* [ThreatAnalyzer](misp_modules/modules/import_mod/threatanalyzer_import.py) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
|
||||||
|
|
|
@ -586,6 +586,41 @@ A module to submit files or URLs to Joe Sandbox for an advanced analysis, and re
|
||||||
|
|
||||||
-----
|
-----
|
||||||
|
|
||||||
|
#### [lastline_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_query.py)
|
||||||
|
|
||||||
|
<img src=logos/lastline.png height=60>
|
||||||
|
|
||||||
|
Query Lastline with an analysis link and parse the report into MISP attributes and objects.
|
||||||
|
The analysis link can also be retrieved from the output of the [lastline_submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_submit.py) expansion module.
|
||||||
|
- **features**:
|
||||||
|
>The module uses the new format and it is able to return MISP attributes and objects.
|
||||||
|
>The module returns the same results as the [lastline_import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/lastline_import.py) import module.
|
||||||
|
- **input**:
|
||||||
|
>Link to a Lastline analysis.
|
||||||
|
- **output**:
|
||||||
|
>MISP attributes and objects parsed from the analysis report.
|
||||||
|
- **references**:
|
||||||
|
>https://www.lastline.com
|
||||||
|
|
||||||
|
-----
|
||||||
|
|
||||||
|
#### [lastline_submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_submit.py)
|
||||||
|
|
||||||
|
<img src=logos/lastline.png height=60>
|
||||||
|
|
||||||
|
Module to submit a file or URL to Lastline.
|
||||||
|
- **features**:
|
||||||
|
>The module requires a Lastline API key and token (or username and password).
|
||||||
|
>When the analysis is completed, it is possible to import the generated report by feeding the analysis link to the [lastline_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_query.py) module.
|
||||||
|
- **input**:
|
||||||
|
>File or URL to submit to Lastline.
|
||||||
|
- **output**:
|
||||||
|
>Link to the report generated by Lastline.
|
||||||
|
- **references**:
|
||||||
|
>https://www.lastline.com
|
||||||
|
|
||||||
|
-----
|
||||||
|
|
||||||
#### [macaddress_io](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/macaddress_io.py)
|
#### [macaddress_io](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/macaddress_io.py)
|
||||||
|
|
||||||
<img src=logos/macaddress_io.png height=60>
|
<img src=logos/macaddress_io.png height=60>
|
||||||
|
@ -1620,6 +1655,23 @@ A module to import data from a Joe Sandbox analysis json report.
|
||||||
|
|
||||||
-----
|
-----
|
||||||
|
|
||||||
|
#### [lastline_import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/lastline_import.py)
|
||||||
|
|
||||||
|
<img src=logos/lastline.png height=60>
|
||||||
|
|
||||||
|
Module to import and parse reports from Lastline analysis links.
|
||||||
|
- **features**:
|
||||||
|
>The module uses the new format and it is able to return MISP attributes and objects.
|
||||||
|
>The module returns the same results as the [lastline_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_query.py) expansion module.
|
||||||
|
- **input**:
|
||||||
|
>Link to a Lastline analysis.
|
||||||
|
- **output**:
|
||||||
|
>MISP attributes and objects parsed from the analysis report.
|
||||||
|
- **references**:
|
||||||
|
>https://www.lastline.com
|
||||||
|
|
||||||
|
-----
|
||||||
|
|
||||||
#### [mispjson](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/mispjson.py)
|
#### [mispjson](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/mispjson.py)
|
||||||
|
|
||||||
Module to import MISP JSON format for merging MISP events.
|
Module to import MISP JSON format for merging MISP events.
|
||||||
|
|
|
@ -0,0 +1,9 @@
|
||||||
|
{
|
||||||
|
"description": "Query Lastline with an analysis link and parse the report into MISP attributes and objects.\nThe analysis link can also be retrieved from the output of the [lastline_submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_submit.py) expansion module.",
|
||||||
|
"logo": "logos/lastline.png",
|
||||||
|
"requirements": [],
|
||||||
|
"input": "Link to a Lastline analysis.",
|
||||||
|
"output": "MISP attributes and objects parsed from the analysis report.",
|
||||||
|
"references": ["https://www.lastline.com"],
|
||||||
|
"features": "The module uses the new format and it is able to return MISP attributes and objects.\nThe module returns the same results as the [lastline_import](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/lastline_import.py) import module."
|
||||||
|
}
|
|
@ -0,0 +1,9 @@
|
||||||
|
{
|
||||||
|
"description": "Module to submit a file or URL to Lastline.",
|
||||||
|
"logo": "logos/lastline.png",
|
||||||
|
"requirements": [],
|
||||||
|
"input": "File or URL to submit to Lastline.",
|
||||||
|
"output": "Link to the report generated by Lastline.",
|
||||||
|
"references": ["https://www.lastline.com"],
|
||||||
|
"features": "The module requires a Lastline API key and token (or username and password).\nWhen the analysis is completed, it is possible to import the generated report by feeding the analysis link to the [lastline_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_query.py) module."
|
||||||
|
}
|
|
@ -0,0 +1,9 @@
|
||||||
|
{
|
||||||
|
"description": "Module to import and parse reports from Lastline analysis links.",
|
||||||
|
"logo": "logos/lastline.png",
|
||||||
|
"requirements": [],
|
||||||
|
"input": "Link to a Lastline analysis.",
|
||||||
|
"output": "MISP attributes and objects parsed from the analysis report.",
|
||||||
|
"references": ["https://www.lastline.com"],
|
||||||
|
"features": "The module uses the new format and it is able to return MISP attributes and objects.\nThe module returns the same results as the [lastline_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_query.py) expansion module."
|
||||||
|
}
|
Binary file not shown.
After Width: | Height: | Size: 7.0 KiB |
|
@ -1 +1 @@
|
||||||
all = ['joe_parser']
|
all = ['joe_parser', 'lastline_api']
|
||||||
|
|
|
@ -0,0 +1,673 @@
|
||||||
|
"""
|
||||||
|
Lastline Community API Client and Utilities.
|
||||||
|
|
||||||
|
:Copyright:
|
||||||
|
Copyright 2019 Lastline, Inc. All Rights Reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
|
||||||
|
Copyright (c) 2010-2012 by Internet Systems Consortium, Inc. ("ISC")
|
||||||
|
|
||||||
|
Permission to use, copy, modify, and/or distribute this software for any
|
||||||
|
purpose with or without fee is hereby granted, provided that the above
|
||||||
|
copyright notice and this permission notice appear in all copies.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
|
||||||
|
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||||
|
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
|
||||||
|
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||||
|
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||||
|
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
|
||||||
|
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
|
"""
|
||||||
|
import ipaddress
|
||||||
|
import logging
|
||||||
|
import re
|
||||||
|
import requests
|
||||||
|
import pymisp
|
||||||
|
|
||||||
|
from urllib import parse
|
||||||
|
|
||||||
|
|
||||||
|
DEFAULT_LASTLINE_API = "https://user.lastline.com/papi"
|
||||||
|
|
||||||
|
|
||||||
|
HOSTED_LASTLINE_DOMAINS = frozenset([
|
||||||
|
"user.lastline.com",
|
||||||
|
"user.emea.lastline.com",
|
||||||
|
])
|
||||||
|
|
||||||
|
|
||||||
|
def purge_none(d):
|
||||||
|
"""Purge None entries from a dictionary."""
|
||||||
|
return {k: v for k, v in d.items() if v is not None}
|
||||||
|
|
||||||
|
|
||||||
|
def get_analysis_link(api_url, uuid):
|
||||||
|
"""
|
||||||
|
Get the analysis link of a task given the task uuid.
|
||||||
|
|
||||||
|
:param str api_url: the URL
|
||||||
|
:param str uuid: the task uuid
|
||||||
|
:rtype: str
|
||||||
|
:return: the analysis link
|
||||||
|
"""
|
||||||
|
portal_url_path = "../portal#/analyst/task/{}/overview".format(uuid)
|
||||||
|
analysis_link = parse.urljoin(api_url, portal_url_path)
|
||||||
|
return analysis_link
|
||||||
|
|
||||||
|
|
||||||
|
def get_uuid_from_link(analysis_link):
|
||||||
|
"""
|
||||||
|
Return task uuid from link or raise ValueError exception.
|
||||||
|
|
||||||
|
:param str analysis_link: a link
|
||||||
|
:rtype: str
|
||||||
|
:return: the uuid
|
||||||
|
:raises ValueError: if the link contains not task uuid
|
||||||
|
"""
|
||||||
|
try:
|
||||||
|
return re.findall("[a-fA-F0-9]{32}", analysis_link)[0]
|
||||||
|
except IndexError:
|
||||||
|
raise ValueError("Link does not contain a valid task uuid")
|
||||||
|
|
||||||
|
|
||||||
|
def is_analysis_hosted(analysis_link):
|
||||||
|
"""
|
||||||
|
Return whether the analysis link is pointing to a hosted submission.
|
||||||
|
|
||||||
|
:param str analysis_link: a link
|
||||||
|
:rtype: boolean
|
||||||
|
:return: whether the link is hosted
|
||||||
|
"""
|
||||||
|
for domain in HOSTED_LASTLINE_DOMAINS:
|
||||||
|
if domain in analysis_link:
|
||||||
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
def get_api_url_from_link(analysis_link):
|
||||||
|
"""
|
||||||
|
Return the API url related to the provided analysis link.
|
||||||
|
|
||||||
|
:param str analysis_link: a link
|
||||||
|
:rtype: str
|
||||||
|
:return: the API url
|
||||||
|
"""
|
||||||
|
parsed_uri = parse.urlparse(analysis_link)
|
||||||
|
return "{uri.scheme}://{uri.netloc}/papi".format(uri=parsed_uri)
|
||||||
|
|
||||||
|
|
||||||
|
class InvalidArgument(Exception):
|
||||||
|
"""Error raised invalid."""
|
||||||
|
|
||||||
|
|
||||||
|
class CommunicationError(Exception):
|
||||||
|
"""Exception raised in case of timeouts or other network problem."""
|
||||||
|
|
||||||
|
|
||||||
|
class Error(Exception):
|
||||||
|
"""Generic server error."""
|
||||||
|
|
||||||
|
|
||||||
|
class ApiError(Error):
|
||||||
|
"""Server error with a message and an error code."""
|
||||||
|
def __init__(self, error_msg, error_code=None):
|
||||||
|
super(ApiError, self).__init__(error_msg, error_code)
|
||||||
|
self.error_msg = error_msg
|
||||||
|
self.error_code = error_code
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
if self.error_code is None:
|
||||||
|
error_code = ""
|
||||||
|
else:
|
||||||
|
error_code = " ({})".format(self.error_code)
|
||||||
|
return "{}{}".format(self.error_msg, error_code)
|
||||||
|
|
||||||
|
|
||||||
|
class LastlineResultBaseParser(object):
|
||||||
|
"""
|
||||||
|
This is a parser to extract *basic* information from a Lastline result dictionary.
|
||||||
|
|
||||||
|
Note: this is a *version 0*: the information we extract is merely related to the behaviors and
|
||||||
|
the HTTP connections. Further iterations will include host activity such as files, mutexes,
|
||||||
|
registry keys, strings, etc.
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __init__(self):
|
||||||
|
"""Constructor."""
|
||||||
|
self.misp_event = None
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def _get_mitre_techniques(result):
|
||||||
|
return [
|
||||||
|
"misp-galaxy:mitre-attack-pattern=\"{} - {}\"".format(w[0], w[1])
|
||||||
|
for w in sorted(set([
|
||||||
|
(y["id"], y["name"])
|
||||||
|
for x in result.get("malicious_activity", [])
|
||||||
|
for y in result.get("activity_to_mitre_techniques", {}).get(x, [])
|
||||||
|
]))
|
||||||
|
]
|
||||||
|
|
||||||
|
def parse(self, analysis_link, result):
|
||||||
|
"""
|
||||||
|
Parse the analysis result into a MISP event.
|
||||||
|
|
||||||
|
:param str analysis_link: the analysis link
|
||||||
|
:param dict[str, any] result: the JSON returned by the analysis client.
|
||||||
|
:rtype: MISPEvent
|
||||||
|
:return: some results that can be consumed by MIPS.
|
||||||
|
"""
|
||||||
|
self.misp_event = pymisp.MISPEvent()
|
||||||
|
|
||||||
|
# Add analysis subject info
|
||||||
|
if "url" in result["analysis_subject"]:
|
||||||
|
o = pymisp.MISPObject("url")
|
||||||
|
o.add_attribute("url", result["analysis_subject"]["url"])
|
||||||
|
else:
|
||||||
|
o = pymisp.MISPObject("file")
|
||||||
|
o.add_attribute("md5", type="md5", value=result["analysis_subject"]["md5"])
|
||||||
|
o.add_attribute("sha1", type="sha1", value=result["analysis_subject"]["sha1"])
|
||||||
|
o.add_attribute("sha256", type="sha256", value=result["analysis_subject"]["sha256"])
|
||||||
|
o.add_attribute(
|
||||||
|
"mimetype",
|
||||||
|
type="mime-type",
|
||||||
|
value=result["analysis_subject"]["mime_type"]
|
||||||
|
)
|
||||||
|
self.misp_event.add_object(o)
|
||||||
|
|
||||||
|
# Add HTTP requests from url analyses
|
||||||
|
network_dict = result.get("report", {}).get("analysis", {}).get("network", {})
|
||||||
|
for request in network_dict.get("requests", []):
|
||||||
|
parsed_uri = parse.urlparse(request["url"])
|
||||||
|
o = pymisp.MISPObject(name='http-request')
|
||||||
|
o.add_attribute('host', parsed_uri.netloc)
|
||||||
|
o.add_attribute('method', "GET")
|
||||||
|
o.add_attribute('uri', request["url"])
|
||||||
|
o.add_attribute("ip", request["ip"])
|
||||||
|
self.misp_event.add_object(o)
|
||||||
|
|
||||||
|
# Add network behaviors from files
|
||||||
|
for subject in result.get("report", {}).get("analysis_subjects", []):
|
||||||
|
|
||||||
|
# Add DNS requests
|
||||||
|
for dns_query in subject.get("dns_queries", []):
|
||||||
|
hostname = dns_query.get("hostname")
|
||||||
|
# Skip if it is an IP address
|
||||||
|
try:
|
||||||
|
if hostname == "wpad":
|
||||||
|
continue
|
||||||
|
_ = ipaddress.ip_address(hostname)
|
||||||
|
continue
|
||||||
|
except ValueError:
|
||||||
|
pass
|
||||||
|
|
||||||
|
o = pymisp.MISPObject(name='dns-record')
|
||||||
|
o.add_attribute('queried-domain', hostname)
|
||||||
|
self.misp_event.add_object(o)
|
||||||
|
|
||||||
|
# Add HTTP conversations (as network connection and as http request)
|
||||||
|
for http_conversation in subject.get("http_conversations", []):
|
||||||
|
o = pymisp.MISPObject(name="network-connection")
|
||||||
|
o.add_attribute("ip-src", http_conversation["src_ip"])
|
||||||
|
o.add_attribute("ip-dst", http_conversation["dst_ip"])
|
||||||
|
o.add_attribute("src-port", http_conversation["src_port"])
|
||||||
|
o.add_attribute("dst-port", http_conversation["dst_port"])
|
||||||
|
o.add_attribute("hostname-dst", http_conversation["dst_host"])
|
||||||
|
o.add_attribute("layer3-protocol", "IP")
|
||||||
|
o.add_attribute("layer4-protocol", "TCP")
|
||||||
|
o.add_attribute("layer7-protocol", "HTTP")
|
||||||
|
self.misp_event.add_object(o)
|
||||||
|
|
||||||
|
method, path, http_version = http_conversation["url"].split(" ")
|
||||||
|
if http_conversation["dst_port"] == 80:
|
||||||
|
uri = "http://{}{}".format(http_conversation["dst_host"], path)
|
||||||
|
else:
|
||||||
|
uri = "http://{}:{}{}".format(
|
||||||
|
http_conversation["dst_host"],
|
||||||
|
http_conversation["dst_port"],
|
||||||
|
path
|
||||||
|
)
|
||||||
|
o = pymisp.MISPObject(name='http-request')
|
||||||
|
o.add_attribute('host', http_conversation["dst_host"])
|
||||||
|
o.add_attribute('method', method)
|
||||||
|
o.add_attribute('uri', uri)
|
||||||
|
o.add_attribute('ip', http_conversation["dst_ip"])
|
||||||
|
self.misp_event.add_object(o)
|
||||||
|
|
||||||
|
# Add sandbox info like score and sandbox type
|
||||||
|
o = pymisp.MISPObject(name="sandbox-report")
|
||||||
|
sandbox_type = "saas" if is_analysis_hosted(analysis_link) else "on-premise"
|
||||||
|
o.add_attribute("score", result["score"])
|
||||||
|
o.add_attribute("sandbox-type", sandbox_type)
|
||||||
|
o.add_attribute("{}-sandbox".format(sandbox_type), "lastline")
|
||||||
|
o.add_attribute("permalink", analysis_link)
|
||||||
|
self.misp_event.add_object(o)
|
||||||
|
|
||||||
|
# Add behaviors
|
||||||
|
o = pymisp.MISPObject(name="sb-signature")
|
||||||
|
o.add_attribute("software", "Lastline")
|
||||||
|
for activity in result.get("malicious_activity", []):
|
||||||
|
a = pymisp.MISPAttribute()
|
||||||
|
a.from_dict(type="text", value=activity)
|
||||||
|
o.add_attribute("signature", **a)
|
||||||
|
self.misp_event.add_object(o)
|
||||||
|
|
||||||
|
# Add mitre techniques
|
||||||
|
for technique in self._get_mitre_techniques(result):
|
||||||
|
self.misp_event.add_tag(technique)
|
||||||
|
|
||||||
|
|
||||||
|
class LastlineCommunityHTTPClient(object):
|
||||||
|
""""A very basic HTTP client providing basic functionality."""
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def sanitize_login_params(cls, api_key, api_token, username, password):
|
||||||
|
"""
|
||||||
|
Return a dictionary with either API or USER credentials.
|
||||||
|
|
||||||
|
:param str|None api_key: the API key
|
||||||
|
:param str|None api_token: the API token
|
||||||
|
:param str|None username: the username
|
||||||
|
:param str|None password: the password
|
||||||
|
:rtype: dict[str, str]
|
||||||
|
:return: the dictionary
|
||||||
|
:raises InvalidArgument: if too many values are invalid
|
||||||
|
"""
|
||||||
|
if api_key and api_token:
|
||||||
|
return {
|
||||||
|
"api_key": api_key,
|
||||||
|
"api_token": api_token,
|
||||||
|
}
|
||||||
|
elif username and password:
|
||||||
|
return {
|
||||||
|
"username": username,
|
||||||
|
"password": password,
|
||||||
|
}
|
||||||
|
else:
|
||||||
|
raise InvalidArgument("Arguments provided do not contain valid data")
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def get_login_params_from_conf(cls, conf, section_name):
|
||||||
|
"""
|
||||||
|
Get the module configuration from a ConfigParser object.
|
||||||
|
|
||||||
|
:param ConfigParser conf: the conf object
|
||||||
|
:param str section_name: the section name
|
||||||
|
:rtype: dict[str, str]
|
||||||
|
:return: the parsed configuration
|
||||||
|
"""
|
||||||
|
api_key = conf.get(section_name, "api_key", fallback=None)
|
||||||
|
api_token = conf.get(section_name, "api_token", fallback=None)
|
||||||
|
username = conf.get(section_name, "username", fallback=None)
|
||||||
|
password = conf.get(section_name, "password", fallback=None)
|
||||||
|
return cls.sanitize_login_params(api_key, api_token, username, password)
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def get_login_params_from_request(cls, request):
|
||||||
|
"""
|
||||||
|
Get the module configuration from a ConfigParser object.
|
||||||
|
|
||||||
|
:param dict[str, any] request: the request object
|
||||||
|
:rtype: dict[str, str]
|
||||||
|
:return: the parsed configuration
|
||||||
|
"""
|
||||||
|
api_key = request.get("config", {}).get("api_key")
|
||||||
|
api_token = request.get("config", {}).get("api_token")
|
||||||
|
username = request.get("config", {}).get("username")
|
||||||
|
password = request.get("config", {}).get("password")
|
||||||
|
return cls.sanitize_login_params(api_key, api_token, username, password)
|
||||||
|
|
||||||
|
def __init__(self, api_url, login_params, timeout=60, verify_ssl=True):
|
||||||
|
"""
|
||||||
|
Instantiate a Lastline mini client.
|
||||||
|
|
||||||
|
:param str api_url: the URL of the API
|
||||||
|
:param dict[str, str]: the login parameters
|
||||||
|
:param int timeout: the timeout
|
||||||
|
:param boolean verify_ssl: whether to verify the SSL certificate
|
||||||
|
"""
|
||||||
|
self.__url = api_url
|
||||||
|
self.__login_params = login_params
|
||||||
|
self.__timeout = timeout
|
||||||
|
self.__verify_ssl = verify_ssl
|
||||||
|
self.__session = None
|
||||||
|
self.__logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
def __login(self):
|
||||||
|
"""Login using account-based or key-based methods."""
|
||||||
|
if self.__session is None:
|
||||||
|
self.__session = requests.session()
|
||||||
|
|
||||||
|
login_url = "/".join([self.__url, "login"])
|
||||||
|
try:
|
||||||
|
response = self.__session.request(
|
||||||
|
method="POST",
|
||||||
|
url=login_url,
|
||||||
|
data=self.__login_params,
|
||||||
|
verify=self.__verify_ssl,
|
||||||
|
timeout=self.__timeout,
|
||||||
|
proxies=None,
|
||||||
|
)
|
||||||
|
except requests.RequestException as e:
|
||||||
|
raise CommunicationError(e)
|
||||||
|
|
||||||
|
self.__handle_response(response)
|
||||||
|
|
||||||
|
def __is_logged_in(self):
|
||||||
|
"""Return whether we have an active session."""
|
||||||
|
return self.__session is not None
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def __parse_response(response):
|
||||||
|
"""
|
||||||
|
Parse the response.
|
||||||
|
|
||||||
|
:param requests.Response response: the response
|
||||||
|
:rtype: tuple(str|None, Error|ApiError)
|
||||||
|
:return: a tuple with mutually exclusive fields (either the response or the error)
|
||||||
|
"""
|
||||||
|
try:
|
||||||
|
ret = response.json()
|
||||||
|
if "success" not in ret:
|
||||||
|
return None, Error("no success field in response")
|
||||||
|
|
||||||
|
if not ret["success"]:
|
||||||
|
error_msg = ret.get("error", "")
|
||||||
|
error_code = ret.get("error_code", None)
|
||||||
|
return None, ApiError(error_msg, error_code)
|
||||||
|
|
||||||
|
if "data" not in ret:
|
||||||
|
return None, Error("no data field in response")
|
||||||
|
|
||||||
|
return ret["data"], None
|
||||||
|
except ValueError as e:
|
||||||
|
return None, Error("Response not json {}".format(e))
|
||||||
|
|
||||||
|
def __handle_response(self, response, raw=False):
|
||||||
|
"""
|
||||||
|
Check a response for issues and parse the return.
|
||||||
|
|
||||||
|
:param requests.Response response: the response
|
||||||
|
:param boolean raw: whether the raw body should be returned
|
||||||
|
:rtype: str
|
||||||
|
:return: if raw, return the response content; if not raw, the data field
|
||||||
|
:raises: CommunicationError, ApiError, Error
|
||||||
|
"""
|
||||||
|
# Check for HTTP errors, and re-raise in case
|
||||||
|
try:
|
||||||
|
response.raise_for_status()
|
||||||
|
except requests.RequestException as e:
|
||||||
|
_, err = self.__parse_response(response)
|
||||||
|
if isinstance(err, ApiError):
|
||||||
|
err_msg = "{}: {}".format(e, err.error_msg)
|
||||||
|
else:
|
||||||
|
err_msg = "{}".format(e)
|
||||||
|
raise CommunicationError(err_msg)
|
||||||
|
|
||||||
|
# Otherwise return the data (either parsed or not) but reraise if we have an API error
|
||||||
|
if raw:
|
||||||
|
return response.content
|
||||||
|
data, err = self.__parse_response(response)
|
||||||
|
if err:
|
||||||
|
raise err
|
||||||
|
return data
|
||||||
|
|
||||||
|
def do_request(
|
||||||
|
self,
|
||||||
|
method,
|
||||||
|
module,
|
||||||
|
function,
|
||||||
|
params=None,
|
||||||
|
data=None,
|
||||||
|
files=None,
|
||||||
|
url=None,
|
||||||
|
fmt="JSON",
|
||||||
|
raw=False,
|
||||||
|
raw_response=False,
|
||||||
|
headers=None,
|
||||||
|
stream_response=False
|
||||||
|
):
|
||||||
|
if raw_response:
|
||||||
|
raw = True
|
||||||
|
|
||||||
|
if fmt:
|
||||||
|
fmt = fmt.lower().strip()
|
||||||
|
if fmt not in ["json", "xml", "html", "pdf"]:
|
||||||
|
raise InvalidArgument("Only json, xml, html and pdf supported")
|
||||||
|
elif not raw:
|
||||||
|
raise InvalidArgument("Unformatted response requires raw=True")
|
||||||
|
|
||||||
|
if fmt != "json" and not raw:
|
||||||
|
raise InvalidArgument("Non-json format requires raw=True")
|
||||||
|
|
||||||
|
if method not in ["POST", "GET"]:
|
||||||
|
raise InvalidArgument("Only POST and GET supported")
|
||||||
|
|
||||||
|
function = function.strip(" /")
|
||||||
|
if not function:
|
||||||
|
raise InvalidArgument("No function provided")
|
||||||
|
|
||||||
|
# Login after we verified that all arguments are fine
|
||||||
|
if not self.__is_logged_in():
|
||||||
|
self.__login()
|
||||||
|
|
||||||
|
url_parts = [url or self.__url]
|
||||||
|
module = module.strip(" /")
|
||||||
|
if module:
|
||||||
|
url_parts.append(module)
|
||||||
|
if fmt:
|
||||||
|
function_part = "%s.%s" % (function, fmt)
|
||||||
|
else:
|
||||||
|
function_part = function
|
||||||
|
url_parts.append(function_part)
|
||||||
|
url = "/".join(url_parts)
|
||||||
|
|
||||||
|
try:
|
||||||
|
try:
|
||||||
|
response = self.__session.request(
|
||||||
|
method=method,
|
||||||
|
url=url,
|
||||||
|
data=data,
|
||||||
|
params=params,
|
||||||
|
files=files,
|
||||||
|
verify=self.__verify_ssl,
|
||||||
|
timeout=self.__timeout,
|
||||||
|
stream=stream_response,
|
||||||
|
headers=headers,
|
||||||
|
)
|
||||||
|
except requests.RequestException as e:
|
||||||
|
raise CommunicationError(e)
|
||||||
|
|
||||||
|
if raw_response:
|
||||||
|
return response
|
||||||
|
return self.__handle_response(response, raw)
|
||||||
|
|
||||||
|
except Error as e:
|
||||||
|
raise e
|
||||||
|
|
||||||
|
except CommunicationError as e:
|
||||||
|
raise e
|
||||||
|
|
||||||
|
|
||||||
|
class LastlineCommunityAPIClient(object):
|
||||||
|
""""A very basic API client providing basic functionality."""
|
||||||
|
|
||||||
|
def __init__(self, api_url, login_params):
|
||||||
|
"""
|
||||||
|
Instantiate the API client.
|
||||||
|
|
||||||
|
:param str api_url: the URL to the API server
|
||||||
|
:param dict[str, str] login_params: the login parameters
|
||||||
|
"""
|
||||||
|
self._client = LastlineCommunityHTTPClient(api_url, login_params)
|
||||||
|
self._logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
def _post(self, module, function, params=None, data=None, files=None, fmt="JSON"):
|
||||||
|
return self._client.do_request(
|
||||||
|
method="POST",
|
||||||
|
module=module,
|
||||||
|
function=function,
|
||||||
|
params=params,
|
||||||
|
data=data,
|
||||||
|
files=files,
|
||||||
|
fmt=fmt,
|
||||||
|
)
|
||||||
|
|
||||||
|
def _get(self, module, function, params=None, fmt="JSON"):
|
||||||
|
return self._client.do_request(
|
||||||
|
method="GET",
|
||||||
|
module=module,
|
||||||
|
function=function,
|
||||||
|
params=params,
|
||||||
|
fmt=fmt,
|
||||||
|
)
|
||||||
|
|
||||||
|
def get_progress(self, uuid, analysis_instance=None):
|
||||||
|
"""
|
||||||
|
Get the completion progress of a given task.
|
||||||
|
|
||||||
|
:param str uuid: the unique identifier of the submitted task
|
||||||
|
:param str analysis_instance: if set, defines the analysis instance to query
|
||||||
|
:rtype: dict[str, int]
|
||||||
|
:return: a dictionary like the the following:
|
||||||
|
{
|
||||||
|
"completed": 1,
|
||||||
|
"progress": 100
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
params = purge_none({"uuid": uuid, "analysis_instance": analysis_instance})
|
||||||
|
return self._get("analysis", "get_progress", params=params)
|
||||||
|
|
||||||
|
def get_result(self, uuid, analysis_instance=None):
|
||||||
|
"""
|
||||||
|
Get report results for a given task.
|
||||||
|
|
||||||
|
:param str uuid: the unique identifier of the submitted task
|
||||||
|
:param str analysis_instance: if set, defines the analysis instance to query
|
||||||
|
:rtype: dict[str, any]
|
||||||
|
:return: a dictionary like the the following:
|
||||||
|
{
|
||||||
|
"completed": 1,
|
||||||
|
"progress": 100
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
params = purge_none(
|
||||||
|
{
|
||||||
|
"uuid": uuid,
|
||||||
|
"analysis_instance": analysis_instance,
|
||||||
|
"report_format": "json",
|
||||||
|
}
|
||||||
|
)
|
||||||
|
return self._get("analysis", "get_result", params=params)
|
||||||
|
|
||||||
|
def submit_url(
|
||||||
|
self,
|
||||||
|
url,
|
||||||
|
referer=None,
|
||||||
|
user_agent=None,
|
||||||
|
bypass_cache=False,
|
||||||
|
):
|
||||||
|
"""
|
||||||
|
Upload an URL to be analyzed.
|
||||||
|
|
||||||
|
:param str url: the url to analyze
|
||||||
|
:param str|None referer: the referer
|
||||||
|
:param str|None user_agent: the user agent
|
||||||
|
:param boolean bypass_cache: bypass_cache
|
||||||
|
:rtype: dict[str, any]
|
||||||
|
:return: a dictionary like the following if the analysis is already available:
|
||||||
|
{
|
||||||
|
"submission": "2019-11-17 09:33:23",
|
||||||
|
"child_tasks": [...],
|
||||||
|
"reports": [...],
|
||||||
|
"submission_timestamp": "2019-11-18 16:11:04",
|
||||||
|
"task_uuid": "86097fb8e4cd00100464cb001b97ecbe",
|
||||||
|
"score": 0,
|
||||||
|
"analysis_subject": {
|
||||||
|
"url": "https://www.google.com"
|
||||||
|
},
|
||||||
|
"last_submission_timestamp": "2019-11-18 16:11:04"
|
||||||
|
}
|
||||||
|
|
||||||
|
OR the following if the analysis is still pending:
|
||||||
|
|
||||||
|
{
|
||||||
|
"submission_timestamp": "2019-11-18 13:59:25",
|
||||||
|
"task_uuid": "f3c0ae115d51001017ff8da768fa6049",
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
params = purge_none(
|
||||||
|
{
|
||||||
|
"url": url,
|
||||||
|
"bypass_cache": bypass_cache,
|
||||||
|
"referer": referer,
|
||||||
|
"user_agent": user_agent
|
||||||
|
}
|
||||||
|
)
|
||||||
|
return self._post(module="analysis", function="submit_url", params=params)
|
||||||
|
|
||||||
|
def submit_file(
|
||||||
|
self,
|
||||||
|
file_data,
|
||||||
|
file_name=None,
|
||||||
|
password=None,
|
||||||
|
analysis_env=None,
|
||||||
|
allow_network_traffic=True,
|
||||||
|
analysis_timeout=None,
|
||||||
|
bypass_cache=False,
|
||||||
|
):
|
||||||
|
"""
|
||||||
|
Upload a file to be analyzed.
|
||||||
|
|
||||||
|
:param bytes file_data: the data as a byte sequence
|
||||||
|
:param str|None file_name: if set, represents the name of the file to submit
|
||||||
|
:param str|None password: if set, use it to extract the sample
|
||||||
|
:param str|None analysis_env: if set, e.g windowsxp
|
||||||
|
:param boolean allow_network_traffic: if set to False, deny network connections
|
||||||
|
:param int|None analysis_timeout: if set limit the duration of the analysis
|
||||||
|
:param boolean bypass_cache: whether to re-process a file (requires special permissions)
|
||||||
|
:rtype: dict[str, any]
|
||||||
|
:return: a dictionary in the following form if the analysis is already available:
|
||||||
|
{
|
||||||
|
"submission": "2019-11-17 09:33:23",
|
||||||
|
"child_tasks": [...],
|
||||||
|
"reports": [...],
|
||||||
|
"submission_timestamp": "2019-11-18 16:11:04",
|
||||||
|
"task_uuid": "86097fb8e4cd00100464cb001b97ecbe",
|
||||||
|
"score": 0,
|
||||||
|
"analysis_subject": {
|
||||||
|
"url": "https://www.google.com"
|
||||||
|
},
|
||||||
|
"last_submission_timestamp": "2019-11-18 16:11:04"
|
||||||
|
}
|
||||||
|
|
||||||
|
OR the following if the analysis is still pending:
|
||||||
|
|
||||||
|
{
|
||||||
|
"submission_timestamp": "2019-11-18 13:59:25",
|
||||||
|
"task_uuid": "f3c0ae115d51001017ff8da768fa6049",
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
params = purge_none(
|
||||||
|
{
|
||||||
|
"filename": file_name,
|
||||||
|
"password": password,
|
||||||
|
"analysis_env": analysis_env,
|
||||||
|
"allow_network_traffic": allow_network_traffic,
|
||||||
|
"analysis_timeout": analysis_timeout,
|
||||||
|
"bypass_cache": bypass_cache,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
files = {"file": (file_name, file_data, "application/octet-stream")}
|
||||||
|
return self._post(module="analysis", function="submit_file", params=params, files=files)
|
|
@ -15,4 +15,5 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c
|
||||||
'qrcode', 'ocr_enrich', 'pdf_enrich', 'docx_enrich', 'xlsx_enrich', 'pptx_enrich',
|
'qrcode', 'ocr_enrich', 'pdf_enrich', 'docx_enrich', 'xlsx_enrich', 'pptx_enrich',
|
||||||
'ods_enrich', 'odt_enrich', 'joesandbox_submit', 'joesandbox_query', 'urlhaus',
|
'ods_enrich', 'odt_enrich', 'joesandbox_submit', 'joesandbox_query', 'urlhaus',
|
||||||
'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails',
|
'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails',
|
||||||
'assemblyline_submit', 'assemblyline_query', 'ransomcoindb']
|
'assemblyline_submit', 'assemblyline_query', 'ransomcoindb',
|
||||||
|
'lastline_query', 'lastline_submit']
|
||||||
|
|
|
@ -0,0 +1,137 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
"""
|
||||||
|
Module (type "expansion") to query a Lastline report from an analysis link.
|
||||||
|
"""
|
||||||
|
import json
|
||||||
|
|
||||||
|
import lastline_api
|
||||||
|
|
||||||
|
|
||||||
|
misperrors = {
|
||||||
|
"error": "Error",
|
||||||
|
}
|
||||||
|
|
||||||
|
mispattributes = {
|
||||||
|
"input": [
|
||||||
|
"link",
|
||||||
|
],
|
||||||
|
"output": ["text"],
|
||||||
|
"format": "misp_standard",
|
||||||
|
}
|
||||||
|
|
||||||
|
moduleinfo = {
|
||||||
|
"version": "0.1",
|
||||||
|
"author": "Stefano Ortolani",
|
||||||
|
"description": "Get a Lastline report from an analysis link.",
|
||||||
|
"module-type": ["expansion"],
|
||||||
|
}
|
||||||
|
|
||||||
|
moduleconfig = [
|
||||||
|
"api_key",
|
||||||
|
"api_token",
|
||||||
|
"username",
|
||||||
|
"password",
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def introspection():
|
||||||
|
return mispattributes
|
||||||
|
|
||||||
|
|
||||||
|
def version():
|
||||||
|
moduleinfo["config"] = moduleconfig
|
||||||
|
return moduleinfo
|
||||||
|
|
||||||
|
|
||||||
|
def handler(q=False):
|
||||||
|
if q is False:
|
||||||
|
return False
|
||||||
|
|
||||||
|
request = json.loads(q)
|
||||||
|
|
||||||
|
# Parse the init parameters
|
||||||
|
try:
|
||||||
|
auth_data = lastline_api.LastlineCommunityHTTPClient.get_login_params_from_request(request)
|
||||||
|
analysis_link = request['attribute']['value']
|
||||||
|
# The API url changes based on the analysis link host name
|
||||||
|
api_url = lastline_api.get_api_url_from_link(analysis_link)
|
||||||
|
except Exception as e:
|
||||||
|
misperrors["error"] = "Error parsing configuration: {}".format(e)
|
||||||
|
return misperrors
|
||||||
|
|
||||||
|
# Parse the call parameters
|
||||||
|
try:
|
||||||
|
task_uuid = lastline_api.get_uuid_from_link(analysis_link)
|
||||||
|
except (KeyError, ValueError) as e:
|
||||||
|
misperrors["error"] = "Error processing input parameters: {}".format(e)
|
||||||
|
return misperrors
|
||||||
|
|
||||||
|
# Make the API calls
|
||||||
|
try:
|
||||||
|
api_client = lastline_api.LastlineCommunityAPIClient(api_url, auth_data)
|
||||||
|
response = api_client.get_progress(task_uuid)
|
||||||
|
if response.get("completed") != 1:
|
||||||
|
raise ValueError("Analysis is not finished yet.")
|
||||||
|
|
||||||
|
response = api_client.get_result(task_uuid)
|
||||||
|
if not response:
|
||||||
|
raise ValueError("Analysis report is empty.")
|
||||||
|
|
||||||
|
except Exception as e:
|
||||||
|
misperrors["error"] = "Error issuing the API call: {}".format(e)
|
||||||
|
return misperrors
|
||||||
|
|
||||||
|
# Parse and return
|
||||||
|
result_parser = lastline_api.LastlineResultBaseParser()
|
||||||
|
result_parser.parse(analysis_link, response)
|
||||||
|
|
||||||
|
event = result_parser.misp_event
|
||||||
|
event_dictionary = json.loads(event.to_json())
|
||||||
|
|
||||||
|
return {
|
||||||
|
"results": {
|
||||||
|
key: event_dictionary[key]
|
||||||
|
for key in ('Attribute', 'Object', 'Tag')
|
||||||
|
if (key in event and event[key])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
"""Test querying information from a Lastline analysis link."""
|
||||||
|
import argparse
|
||||||
|
import configparser
|
||||||
|
|
||||||
|
parser = argparse.ArgumentParser()
|
||||||
|
parser.add_argument("-c", "--config-file", dest="config_file")
|
||||||
|
parser.add_argument("-s", "--section-name", dest="section_name")
|
||||||
|
args = parser.parse_args()
|
||||||
|
c = configparser.ConfigParser()
|
||||||
|
c.read(args.config_file)
|
||||||
|
a = lastline_api.LastlineCommunityHTTPClient.get_login_params_from_conf(c, args.section_name)
|
||||||
|
|
||||||
|
j = json.dumps(
|
||||||
|
{
|
||||||
|
"config": a,
|
||||||
|
"attribute": {
|
||||||
|
"value": (
|
||||||
|
"https://user.lastline.com/portal#/analyst/task/"
|
||||||
|
"1fcbcb8f7fb400100772d6a7b62f501b/overview"
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
)
|
||||||
|
print(json.dumps(handler(j), indent=4, sort_keys=True))
|
||||||
|
|
||||||
|
j = json.dumps(
|
||||||
|
{
|
||||||
|
"config": a,
|
||||||
|
"attribute": {
|
||||||
|
"value": (
|
||||||
|
"https://user.lastline.com/portal#/analyst/task/"
|
||||||
|
"f3c0ae115d51001017ff8da768fa6049/overview"
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
)
|
||||||
|
print(json.dumps(handler(j), indent=4, sort_keys=True))
|
|
@ -0,0 +1,175 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
"""
|
||||||
|
Module (type "expansion") to submit files and URLs to Lastline for analysis.
|
||||||
|
"""
|
||||||
|
import base64
|
||||||
|
import io
|
||||||
|
import json
|
||||||
|
import zipfile
|
||||||
|
|
||||||
|
import lastline_api
|
||||||
|
|
||||||
|
|
||||||
|
misperrors = {
|
||||||
|
"error": "Error",
|
||||||
|
}
|
||||||
|
|
||||||
|
mispattributes = {
|
||||||
|
"input": [
|
||||||
|
"attachment",
|
||||||
|
"malware-sample",
|
||||||
|
"url",
|
||||||
|
],
|
||||||
|
"output": [
|
||||||
|
"link",
|
||||||
|
],
|
||||||
|
}
|
||||||
|
|
||||||
|
moduleinfo = {
|
||||||
|
"version": "0.1",
|
||||||
|
"author": "Stefano Ortolani",
|
||||||
|
"description": "Submit files and URLs to Lastline analyst",
|
||||||
|
"module-type": ["expansion", "hover"],
|
||||||
|
}
|
||||||
|
|
||||||
|
moduleconfig = [
|
||||||
|
"api_url",
|
||||||
|
"api_key",
|
||||||
|
"api_token",
|
||||||
|
"username",
|
||||||
|
"password",
|
||||||
|
# Module options
|
||||||
|
"bypass_cache",
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
DEFAULT_ZIP_PASSWORD = b"infected"
|
||||||
|
|
||||||
|
|
||||||
|
def __unzip(zipped_data, password=None):
|
||||||
|
data_file_object = io.BytesIO(zipped_data)
|
||||||
|
with zipfile.ZipFile(data_file_object) as zip_file:
|
||||||
|
sample_hashname = zip_file.namelist()[0]
|
||||||
|
data_zipped = zip_file.read(sample_hashname, password)
|
||||||
|
return data_zipped
|
||||||
|
|
||||||
|
|
||||||
|
def __str_to_bool(x):
|
||||||
|
return x in ("True", "true", True)
|
||||||
|
|
||||||
|
|
||||||
|
def introspection():
|
||||||
|
return mispattributes
|
||||||
|
|
||||||
|
|
||||||
|
def version():
|
||||||
|
moduleinfo["config"] = moduleconfig
|
||||||
|
return moduleinfo
|
||||||
|
|
||||||
|
|
||||||
|
def handler(q=False):
|
||||||
|
if q is False:
|
||||||
|
return False
|
||||||
|
|
||||||
|
request = json.loads(q)
|
||||||
|
|
||||||
|
# Parse the init parameters
|
||||||
|
try:
|
||||||
|
auth_data = lastline_api.LastlineCommunityHTTPClient.get_login_params_from_request(request)
|
||||||
|
api_url = request.get("config", {}).get("api_url", lastline_api.DEFAULT_LASTLINE_API)
|
||||||
|
except Exception as e:
|
||||||
|
misperrors["error"] = "Error parsing configuration: {}".format(e)
|
||||||
|
return misperrors
|
||||||
|
|
||||||
|
# Parse the call parameters
|
||||||
|
try:
|
||||||
|
bypass_cache = request.get("config", {}).get("bypass_cache", False)
|
||||||
|
call_args = {"bypass_cache": __str_to_bool(bypass_cache)}
|
||||||
|
if "url" in request:
|
||||||
|
# URLs are text strings
|
||||||
|
api_method = lastline_api.LastlineCommunityAPIClient.submit_url
|
||||||
|
call_args["url"] = request.get("url")
|
||||||
|
else:
|
||||||
|
data = request.get("data")
|
||||||
|
# Malware samples are zip-encrypted and then base64 encoded
|
||||||
|
if "malware-sample" in request:
|
||||||
|
api_method = lastline_api.LastlineCommunityAPIClient.submit_file
|
||||||
|
call_args["file_data"] = __unzip(base64.b64decode(data), DEFAULT_ZIP_PASSWORD)
|
||||||
|
call_args["file_name"] = request.get("malware-sample").split("|", 1)[0]
|
||||||
|
call_args["password"] = DEFAULT_ZIP_PASSWORD
|
||||||
|
# Attachments are just base64 encoded
|
||||||
|
elif "attachment" in request:
|
||||||
|
api_method = lastline_api.LastlineCommunityAPIClient.submit_file
|
||||||
|
call_args["file_data"] = base64.b64decode(data)
|
||||||
|
call_args["file_name"] = request.get("attachment")
|
||||||
|
|
||||||
|
else:
|
||||||
|
raise ValueError("Input parameters do not specify either an URL or a file")
|
||||||
|
|
||||||
|
except Exception as e:
|
||||||
|
misperrors["error"] = "Error processing input parameters: {}".format(e)
|
||||||
|
return misperrors
|
||||||
|
|
||||||
|
# Make the API call
|
||||||
|
try:
|
||||||
|
api_client = lastline_api.LastlineCommunityAPIClient(api_url, auth_data)
|
||||||
|
response = api_method(api_client, **call_args)
|
||||||
|
task_uuid = response.get("task_uuid")
|
||||||
|
if not task_uuid:
|
||||||
|
raise ValueError("Unable to process returned data")
|
||||||
|
if response.get("score") is not None:
|
||||||
|
tags = ["workflow:state='complete'"]
|
||||||
|
else:
|
||||||
|
tags = ["workflow:state='incomplete'"]
|
||||||
|
|
||||||
|
except Exception as e:
|
||||||
|
misperrors["error"] = "Error issuing the API call: {}".format(e)
|
||||||
|
return misperrors
|
||||||
|
|
||||||
|
# Assemble and return
|
||||||
|
analysis_link = lastline_api.get_analysis_link(api_url, task_uuid)
|
||||||
|
|
||||||
|
return {
|
||||||
|
"results": [
|
||||||
|
{
|
||||||
|
"types": "link",
|
||||||
|
"categories": ["External analysis"],
|
||||||
|
"values": analysis_link,
|
||||||
|
"tags": tags,
|
||||||
|
},
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
"""Test submitting a test subject to the Lastline backend."""
|
||||||
|
import argparse
|
||||||
|
import configparser
|
||||||
|
|
||||||
|
parser = argparse.ArgumentParser()
|
||||||
|
parser.add_argument("-c", "--config-file", dest="config_file")
|
||||||
|
parser.add_argument("-s", "--section-name", dest="section_name")
|
||||||
|
args = parser.parse_args()
|
||||||
|
c = configparser.ConfigParser()
|
||||||
|
c.read(args.config_file)
|
||||||
|
a = lastline_api.LastlineCommunityHTTPClient.get_login_params_from_conf(c, args.section_name)
|
||||||
|
|
||||||
|
j = json.dumps(
|
||||||
|
{
|
||||||
|
"config": a,
|
||||||
|
"url": "https://www.google.com",
|
||||||
|
}
|
||||||
|
)
|
||||||
|
print(json.dumps(handler(j), indent=4, sort_keys=True))
|
||||||
|
|
||||||
|
with open("./tests/test_files/test.docx", "rb") as f:
|
||||||
|
data = f.read()
|
||||||
|
|
||||||
|
j = json.dumps(
|
||||||
|
{
|
||||||
|
"config": a,
|
||||||
|
"data": base64.b64encode(data).decode("utf-8"),
|
||||||
|
"attachment": "test.docx",
|
||||||
|
}
|
||||||
|
)
|
||||||
|
print(json.dumps(handler(j), indent=4, sort_keys=True))
|
|
@ -3,4 +3,16 @@ import os
|
||||||
import sys
|
import sys
|
||||||
sys.path.append('{}/lib'.format('/'.join((os.path.realpath(__file__)).split('/')[:-3])))
|
sys.path.append('{}/lib'.format('/'.join((os.path.realpath(__file__)).split('/')[:-3])))
|
||||||
|
|
||||||
__all__ = ['vmray_import', 'ocr', 'cuckooimport', 'goamlimport', 'email_import', 'mispjson', 'openiocimport', 'threatanalyzer_import', 'csvimport', 'joe_import']
|
__all__ = [
|
||||||
|
'vmray_import',
|
||||||
|
'lastline_import',
|
||||||
|
'ocr',
|
||||||
|
'cuckooimport',
|
||||||
|
'goamlimport',
|
||||||
|
'email_import',
|
||||||
|
'mispjson',
|
||||||
|
'openiocimport',
|
||||||
|
'threatanalyzer_import',
|
||||||
|
'csvimport',
|
||||||
|
'joe_import',
|
||||||
|
]
|
||||||
|
|
|
@ -0,0 +1,151 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
"""
|
||||||
|
Module (type "import") to import a Lastline report from an analysis link.
|
||||||
|
"""
|
||||||
|
import json
|
||||||
|
|
||||||
|
import lastline_api
|
||||||
|
|
||||||
|
|
||||||
|
misperrors = {
|
||||||
|
"error": "Error",
|
||||||
|
}
|
||||||
|
|
||||||
|
userConfig = {
|
||||||
|
"analysis_link": {
|
||||||
|
"type": "String",
|
||||||
|
"errorMessage": "Expected analysis link",
|
||||||
|
"message": "The link to a Lastline analysis"
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
inputSource = []
|
||||||
|
|
||||||
|
moduleinfo = {
|
||||||
|
"version": "0.1",
|
||||||
|
"author": "Stefano Ortolani",
|
||||||
|
"description": "Import a Lastline report from an analysis link.",
|
||||||
|
"module-type": ["import"]
|
||||||
|
}
|
||||||
|
|
||||||
|
moduleconfig = [
|
||||||
|
"api_key",
|
||||||
|
"api_token",
|
||||||
|
"username",
|
||||||
|
"password",
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def introspection():
|
||||||
|
modulesetup = {}
|
||||||
|
try:
|
||||||
|
userConfig
|
||||||
|
modulesetup["userConfig"] = userConfig
|
||||||
|
except NameError:
|
||||||
|
pass
|
||||||
|
try:
|
||||||
|
inputSource
|
||||||
|
modulesetup["inputSource"] = inputSource
|
||||||
|
except NameError:
|
||||||
|
pass
|
||||||
|
modulesetup["format"] = "misp_standard"
|
||||||
|
return modulesetup
|
||||||
|
|
||||||
|
|
||||||
|
def version():
|
||||||
|
moduleinfo["config"] = moduleconfig
|
||||||
|
return moduleinfo
|
||||||
|
|
||||||
|
|
||||||
|
def handler(q=False):
|
||||||
|
if q is False:
|
||||||
|
return False
|
||||||
|
|
||||||
|
request = json.loads(q)
|
||||||
|
|
||||||
|
# Parse the init parameters
|
||||||
|
try:
|
||||||
|
auth_data = lastline_api.LastlineCommunityHTTPClient.get_login_params_from_request(request)
|
||||||
|
analysis_link = request["config"]["analysis_link"]
|
||||||
|
# The API url changes based on the analysis link host name
|
||||||
|
api_url = lastline_api.get_api_url_from_link(analysis_link)
|
||||||
|
except Exception as e:
|
||||||
|
misperrors["error"] = "Error parsing configuration: {}".format(e)
|
||||||
|
return misperrors
|
||||||
|
|
||||||
|
# Parse the call parameters
|
||||||
|
try:
|
||||||
|
task_uuid = lastline_api.get_uuid_from_link(analysis_link)
|
||||||
|
except (KeyError, ValueError) as e:
|
||||||
|
misperrors["error"] = "Error processing input parameters: {}".format(e)
|
||||||
|
return misperrors
|
||||||
|
|
||||||
|
# Make the API calls
|
||||||
|
try:
|
||||||
|
api_client = lastline_api.LastlineCommunityAPIClient(api_url, auth_data)
|
||||||
|
response = api_client.get_progress(task_uuid)
|
||||||
|
if response.get("completed") != 1:
|
||||||
|
raise ValueError("Analysis is not finished yet.")
|
||||||
|
|
||||||
|
response = api_client.get_result(task_uuid)
|
||||||
|
if not response:
|
||||||
|
raise ValueError("Analysis report is empty.")
|
||||||
|
|
||||||
|
except Exception as e:
|
||||||
|
misperrors["error"] = "Error issuing the API call: {}".format(e)
|
||||||
|
return misperrors
|
||||||
|
|
||||||
|
# Parse and return
|
||||||
|
result_parser = lastline_api.LastlineResultBaseParser()
|
||||||
|
result_parser.parse(analysis_link, response)
|
||||||
|
|
||||||
|
event = result_parser.misp_event
|
||||||
|
event_dictionary = json.loads(event.to_json())
|
||||||
|
|
||||||
|
return {
|
||||||
|
"results": {
|
||||||
|
key: event_dictionary[key]
|
||||||
|
for key in ("Attribute", "Object", "Tag")
|
||||||
|
if (key in event and event[key])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
"""Test importing information from a Lastline analysis link."""
|
||||||
|
import argparse
|
||||||
|
import configparser
|
||||||
|
|
||||||
|
parser = argparse.ArgumentParser()
|
||||||
|
parser.add_argument("-c", "--config-file", dest="config_file")
|
||||||
|
parser.add_argument("-s", "--section-name", dest="section_name")
|
||||||
|
args = parser.parse_args()
|
||||||
|
c = configparser.ConfigParser()
|
||||||
|
c.read(args.config_file)
|
||||||
|
a = lastline_api.LastlineCommunityHTTPClient.get_login_params_from_conf(c, args.section_name)
|
||||||
|
|
||||||
|
j = json.dumps(
|
||||||
|
{
|
||||||
|
"config": {
|
||||||
|
**a,
|
||||||
|
"analysis_link": (
|
||||||
|
"https://user.lastline.com/portal#/analyst/task/"
|
||||||
|
"1fcbcb8f7fb400100772d6a7b62f501b/overview"
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
)
|
||||||
|
print(json.dumps(handler(j), indent=4, sort_keys=True))
|
||||||
|
|
||||||
|
j = json.dumps(
|
||||||
|
{
|
||||||
|
"config": {
|
||||||
|
**a,
|
||||||
|
"analysis_link": (
|
||||||
|
"https://user.lastline.com/portal#/analyst/task/"
|
||||||
|
"f3c0ae115d51001017ff8da768fa6049/overview"
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
)
|
||||||
|
print(json.dumps(handler(j), indent=4, sort_keys=True))
|
Loading…
Reference in New Issue