MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'master' of github.com:MISP/misp-modules

Browse Source
pull/82/merge
Raphaël Vinot 6 years ago
parent f8bedd4554 82d59a7311
commit fdbbd0e138
3 changed files with 198 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 1
      README.md
  2. 2
      misp_modules/modules/import_mod/__init__.py
  3. 196
      misp_modules/modules/import_mod/cuckooimport.py

1
README.md
Unescape View File

@ -22,6 +22,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
* [CIRCL Passive DNS](misp_modules/modules/expansion/circl_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
* [CVE](misp_modules/modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE).
* [DNS](misp_modules/modules/expansion/dns.py) - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
* [DomainTools](misp_modules/modules/expansion/domaintools.py) - a hover and expansion module to get information from [DomainTools](http://www.domaintools.com/) whois.
* [EUPI](misp_modules/modules/expansion/eupi.py) - a hover and expansion module to get information about an URL from the [Phishing Initiative project](https://phishing-initiative.eu/?lang=en).
* [IPASN](misp_modules/modules/expansion/ipasn.py) - a hover and expansion to get the BGP ASN of an IP address.
* [passivetotal](misp_modules/modules/expansion/passivetotal.py) - a [passivetotal](https://www.passivetotal.org/) module that queries a number of different PassiveTotal datasets.

2
misp_modules/modules/import_mod/__init__.py
Unescape View File

@ -1,3 +1,3 @@
from . import _vmray
__all__ = ['vmray_import', 'testimport', 'ocr', 'stiximport']
__all__ = ['vmray_import', 'testimport', 'ocr', 'stiximport', 'cuckooimport']

196
misp_modules/modules/import_mod/cuckooimport.py
Unescape View File

@ -0,0 +1,196 @@
import json
import logging
import sys
import base64
misperrors = {'error': 'Error'}
userConfig = {}
inputSource = ['file']
moduleinfo = {'version': '0.1', 'author': 'Victor van der Stoep',
'description': 'Cuckoo JSON import',
'module-type': ['import']}
moduleconfig = []
def handler(q=False):
# Just in case we have no data
if q is False:
return False
# The return value
r = {'results': []}
# Load up that JSON
q = json.loads(q)
data = base64.b64decode(q.get("data")).decode('utf-8')
# If something really weird happened
if not data:
return json.dumps({"success": 0})
data = json.loads(data)
# Get characteristics of file
targetFile = data['target']['file']
# Process the inital binary
processBinary(r, targetFile, initial = True)
# Get binary information for dropped files
if(data.get('dropped')):
for droppedFile in data['dropped']:
processBinary(r, droppedFile, dropped = True)
# Add malscore to results
r["results"].append({
"values": "Malscore: {} ".format(data['malscore']),
"types": "comment",
"categories": "Payload delivery",
"comment": "Cuckoo analysis: MalScore"
})
# Add virustotal data, if exists
if(data.get('virustotal')):
processVT(r, data['virustotal'])
# Add network information, should be improved
processNetwork(r, data['network'])
# Add behavioral information
processSummary(r, data['behavior']['summary'])
# Return
return r
def processSummary(r, summary):
r["results"].append({
"values": summary['mutexes'],
"types": "mutex",
"categories": "Artifacts dropped",
"comment": "Cuckoo analysis: Observed mutexes"
})
def processVT(r, virustotal):
category = "Antivirus detection"
comment = "VirusTotal analysis"
if(virustotal.get('permalink')):
r["results"].append({
"values": virustotal['permalink'],
"types": "link",
"categories": category,
"comments": comment + " - Permalink"
})
if(virustotal.get('total')):
r["results"].append({
"values": "VirusTotal detection rate {}/{}".format(
virustotal['positives'],
virustotal['total']
),
"types": "comment",
"categories": category,
"comment": comment
})
else:
r["results"].append({
"values": "Sample not detected on VirusTotal",
"types": "comment",
"categories": category,
"comment": comment
})
def processNetwork(r, network):
category = "Network activity"
for host in network['hosts']:
r["results"].append({
"values": host['ip'],
"types": "ip-dst",
"categories": category,
"comment": "Cuckoo analysis: Observed network traffic"
})
def processBinary(r, target, initial = False, dropped = False):
if(initial):
comment = "Cuckoo analysis: Initial file"
category = "Payload delivery"
elif(dropped):
category = "Artifacts dropped"
comment = "Cuckoo analysis: Dropped file"
r["results"].append({
"values": target['name'],
"types": "filename",
"categories": category,
"comment": comment
})
r["results"].append({
"values": target['md5'],
"types": "md5",
"categories": category,
"comment": comment
})
r["results"].append({
"values": target['sha1'],
"types": "sha1",
"categories": category,
"comment": comment
})
r["results"].append({
"values": target['sha256'],
"types": "sha256",
"categories": category,
"comment": comment
})
r["results"].append({
"values": target['sha512'],
"types": "sha512",
"categories": category,
"comment": comment
})
# todo : add file size?
if(target.get('guest_paths')):
r["results"].append({
"values": target['guest_paths'],
"types": "filename",
"categories": "Payload installation",
"comment": comment + " - Path"
})
def introspection():
modulesetup = {}
try:
userConfig
modulesetup['userConfig'] = userConfig
except NameError:
pass
try:
inputSource
modulesetup['inputSource'] = inputSource
except NameError:
pass
return modulesetup
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo
if __name__ == '__main__':
x = open('test.json', 'r')
q = []
q['data'] = x.read()
q = base64.base64encode(q)
handler(q)
Write Preview
Loading…
Cancel
Save