Merge branch 'cof2misp' of github.com:aaronkaplan/misp-modules into cof2misp

pull/491/head
aaronkaplan 2021-05-02 20:51:52 +00:00
commit ff950bc50c
2 changed files with 9 additions and 12 deletions


@ -65,7 +65,7 @@ def is_cof_valid_simple(d: dict) -> bool:
def validate_cof(d: dict, strict=True) -> bool: def validate_cof(d: dict, strict=False) -> bool:
"""Validate an input passive DNS COF (given as dict). """Validate an input passive DNS COF (given as dict).
strict might be set to False in order to loosen the checking. strict might be set to False in order to loosen the checking.
With strict==True, a full JSON Schema validation will happen. With strict==True, a full JSON Schema validation will happen.
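Review bot: As rendered, the `validate_cof` signature now defaults to `strict=False`, so every caller that omits the argument gets the loosened check, while the docstring under it still describes leniency as the opt-out ("strict might be set to False in order to loosen the checking"). Because this function gates externally supplied passive DNS records, I would keep the safe default, `def validate_cof(d: dict, strict=True) -> bool:`, and have callers that need leniency pass `strict=False` explicitly. The call `validate_cof(l)` in `parse_and_insert_cof`, in the other file of this commit, passes no `strict` and so inherits whatever is chosen here. If the lenient default is intended, the docstring should say so, for example `The default is strict=False (loosened checking); pass strict=True for full JSON Schema validation.` The function body continues outside the hunk.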


@ -15,9 +15,10 @@ import base64
import pprint import pprint
import ndjson import ndjson
from pymisp import MISPObject, MISPEvent, PyMISP # from pymisp import MISPObject, MISPEvent, PyMISP
from pymisp import MISPObject
from cof2misp.cof import is_valid_ip, validate_cof from cof2misp.cof import validate_cof
misperrors = {'error': 'Error'} misperrors = {'error': 'Error'}
@ -58,19 +59,17 @@ def parse_and_insert_cof(data: str) -> dict:
objects = [] objects = []
try: try:
entries = ndjson.loads(data) entries = ndjson.loads(data)
# pprint.pprint(entries)
for l in entries: # iterate over all ndjson lines for l in entries: # iterate over all ndjson lines
# validate here (simple validation or full JSON Schema validation) # validate here (simple validation or full JSON Schema validation)
# FIXME if not validate_cof(l):
return {"error": "Could not validate the COF input '%r'" % l}
# Next, extract some fields # Next, extract some fields
rrtype = l['rrtype'].upper() rrtype = l['rrtype'].upper()
rrname = l['rrname'].rstrip('.') rrname = l['rrname'].rstrip('.')
rdata = [x.rstrip('.') for x in l['rdata']] rdata = [x.rstrip('.') for x in l['rdata']]
# create a new MISP object, based on the passive-dns object for each nd-JSON line # create a new MISP object, based on the passive-dns object for each nd-JSON line
o = MISPObject(name='passive-dns', standalone=False, comment='created by cof2misp') o = MISPObject(name='passive-dns', standalone=False, comment='created by cof2misp')
@ -143,7 +142,6 @@ def parse_and_insert_dnsdbflex(data: str):
pass # XXX FIXME: need a MISP object for dnsdbflex pass # XXX FIXME: need a MISP object for dnsdbflex
def is_dnsdbflex(data: str) -> bool: def is_dnsdbflex(data: str) -> bool:
"""Check if the supplied data conforms to the dnsdbflex output (which only contains rrname and rrtype) """Check if the supplied data conforms to the dnsdbflex output (which only contains rrname and rrtype)
@ -170,7 +168,6 @@ def is_dnsdbflex(data: str) -> bool:
return False return False
def is_cof(data: str) -> bool: def is_cof(data: str) -> bool:
return True return True
@ -178,7 +175,7 @@ def is_cof(data: str) -> bool:
def handler(q=False): def handler(q=False):
if q is False: if q is False:
return False return False
r = {'results': []}
request = json.loads(q) request = json.loads(q)
# Parse the json, determine which type of JSON it is (dnsdbflex or COF?) # Parse the json, determine which type of JSON it is (dnsdbflex or COF?)
# Validate it # Validate it
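Review bot: In the `parse_and_insert_cof` hunk, `rdata = [x.rstrip('.') for x in l['rdata']]` assumes `rdata` is a list; if a record that passes `validate_cof(l)` carries it as a single string, the comprehension iterates over characters and yields one-letter values. Whether the validator rules that out is not visible here, so I would normalise before stripping: `raw = l['rdata']` followed by `rdata = [x.rstrip('.') for x in ([raw] if isinstance(raw, str) else raw)]`. The loop variable `l` is also easy to misread as `1`; `entry` would be clearer. The `try` block and the rest of the function continue outside the hunk.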