Commit Graph

1059 Commits (859d7d2a829bd9735104b85b06aea403b67e19bd)

Author SHA1 Message Date
chrisr3d 3b7a5c4dc2
add: Specific error message for misp_standard format expansion modules
- Checking if the input format is respected and
  displaying an error message if it is not
2020-07-28 11:47:53 +02:00
chrisr3d 8180ecbfa8
chg: Making use of the Greynoise v2 API 2020-07-27 17:20:36 +02:00
johannesh c91a61110a Add Recorded Future expansion module 2020-07-23 12:28:56 +02:00
chrisr3d a4e9fe456e Merge branch 'main' of github.com:MISP/misp-modules into main 2020-07-03 10:24:45 +02:00
chrisr3d 8e4c688dce
fix: Fixed list of sigma backends 2020-07-03 10:10:24 +02:00
Jakub Onderka cda5feedaa fix: [virustotal] Subdomains is optional in VT response 2020-07-01 16:13:40 +02:00
chrisr3d f99174af2e
fix: Removed multiple spaces to comply with pep8 2020-07-01 11:27:36 +02:00
chrisr3d 26b0357ac7
fix: Making pep8 happy 2020-06-30 23:10:35 +02:00
chrisr3d c0dae2b31b
fix: Removed trustar_import module name in init to avoid validation issues
(until it is submitted via PR?)
2020-06-30 18:08:34 +02:00
chrisr3d 3e12feae79
Merge branch 'feat/EN-4664/trustar-misp' of https://github.com/trustar/misp-modules into trustar-feat/EN-4664/trustar-misp 2020-06-30 18:07:14 +02:00
chrisr3d cadcc8947c Merge branch 'main' of github.com:MISP/misp-modules into new_module 2020-06-30 17:14:38 +02:00
Jesse Hedden a70558945a removed obsolete file 2020-06-27 17:46:51 -07:00
Jesse Hedden a91d50b507 corrected variable name 2020-06-27 17:29:01 -07:00
Jesse Hedden 9e1bc5681b fixed indent 2020-06-25 15:22:54 -07:00
Jesse Hedden 2d31b4e037 fixed incorrect attribute name 2020-06-25 13:10:50 -07:00
Jesse Hedden 61fbb30e1c fixed metatag; convert summaries generator to list for error handling 2020-06-25 10:54:34 -07:00
Jesse Hedden b188d2da4e added strip to remove potential whitespace 2020-06-24 17:47:41 -07:00
Jesse Hedden b60d142d32 removed extra parameter 2020-06-22 15:06:39 -07:00
Jesse Hedden b9d191686f added try/except for TruSTAR API errors and additional comments 2020-06-22 14:54:37 -07:00
Jesse Hedden f13233d04c added comments and increased page size to max for get_indicator_summaries 2020-06-22 13:47:25 -07:00
Jesse Hedden f3b27ca9c0 updated client metatag and version 2020-06-22 12:58:10 -07:00
Jesse Hedden 68b4fbba09 added client metatag to trustar client 2020-06-22 12:15:28 -07:00
Jesse Hedden 341a569de5 ready for code review 2020-06-21 19:52:17 -07:00
Jakub Onderka fe1ea90b25 fix: [circl_passivessl] Return proper error for IPv6 addresses 2020-06-03 14:06:57 +02:00
Alexandre Dulaunoy ddf51d482a
Merge pull request #406 from JakubOnderka/ip-port
new: [passivedns, passivessl] Add support for ip-src|port and ip-dst|port
2020-06-03 12:57:11 +02:00
Jakub Onderka b053e1c01b fix: [circl_passivessl] Return not found error
If passivessl returns empty response, return Not found error instead of error in log
2020-06-03 11:19:21 +02:00
Jakub Onderka 6e21893be4 fix: [circl_passivedns] Return not found error
If passivedns returns empty response, return Not found error instead of error in log
2020-06-03 11:15:46 +02:00
Jakub Onderka 31d15056f9 new: [passivedns, passivessl] Add support for ip-src|port and ip-dst|port 2020-06-03 11:12:47 +02:00
Jesse Hedden 67bdb38fc8 WIP: initial push 2020-05-29 17:41:13 -07:00
Jesse Hedden 8a95a000ee initial commit. not a working product. need to create a class to manage the MISP event and TruStar client 2020-05-29 17:21:20 -07:00
chrisr3d 1e27c2de5a
Merge branch 'master' of github.com:MISP/misp-modules into new_module 2020-05-05 11:53:09 +02:00
Steve Clement 3fd6633c01
fix: [pep] Comply to PEP E261 2020-05-01 12:12:33 +09:00
Matthias Meidinger ebf71a371b Update vmray_submit
The submit module hat some smaller issues with the reanalyze flag.
The source for the enrichment object has been changed and the robustness
of user supplied config parsing improved.
2020-04-23 14:47:48 +02:00
Golbark fd3c62c460 Fix variable issue in the loop 2020-04-08 01:07:46 -07:00
Golbark 500f0301a9 Adding support for more input types, including multi-types 2020-04-07 06:53:42 -07:00
Golbark b79636ccfa new: usr: Censys Expansion module 2020-04-03 03:15:03 -07:00
chrisr3d 48b381d704
fix: Making pep8 happy 2020-03-18 18:58:11 +01:00
chrisr3d 0671f93724
new: Expansion module to query MALWAREbazaar API with some hash attribute 2020-03-18 18:05:57 +01:00
chrisr3d 824c0031b3
fix: Catching errors in the reponse of the query to URLhaus 2020-03-18 17:57:55 +01:00
chrisr3d 422f654988
fix: Making pep8 happy with indentation 2020-03-18 10:24:06 +01:00
Jakub Onderka fe34023866
csvimport: Return error if input is not valid UTF-8 2020-03-12 11:02:43 +01:00
Koen Van Impe 2713d3c655 Update __init__ 2020-03-10 19:50:00 +01:00
Koen Van Impe c86f4a4180 Make Travis (a little bit) happy 2020-03-10 18:48:25 +01:00
Koen Van Impe e023f0b470 Cytomic Orion MISP Module
An expansion module to enrich attributes in MISP and share indicators
of compromise with Cytomic Orion
2020-03-10 18:25:30 +01:00
chrisr3d 0b4d6738de
fix: Making pep8 happy 2020-03-10 11:15:16 +01:00
bennyv 6c00f02e42 Removed Unused Import 2020-03-04 11:54:55 +11:00
bennyv 0a8a829ac1 Fixed handler error handling for missing config 2020-03-04 11:30:44 +11:00
bennyv a32685df8a Initial Build of SOPHOSLabs Intelix Product 2020-03-04 09:52:55 +11:00
chrisr3d cda5004a0d
fix: Removed unused import 2020-02-26 14:18:09 +01:00
chrisr3d c9c6f69bd4
fix: Making pep8 happy 2020-02-26 11:59:14 +01:00
Christian Studer fc54785d6b
Merge pull request #374 from M0un/projet-m2-oun-gindt
Rendu projet master2 sécurité par Mathilde OUN et Vincent GINDT // No…
2020-02-26 11:53:11 +01:00
chrisr3d dea42d3929
chg: Catching missing config issue 2020-02-25 15:22:06 +01:00
Sean Whalen f5af7faace
Create __init__.py 2020-02-22 19:44:31 -05:00
Mathilde Oun et Vincent Gindt df3a6986ea Rendu projet master2 sécurité par Mathilde OUN et Vincent GINDT // Nouveau module misp de recherche google sur les urls 2020-02-21 12:05:41 +01:00
chrisr3d 27717c0400
fix: Making the module config available so the module works 2020-02-13 11:40:22 +01:00
GlennHD 0ed0ceab9d
Update geoip_asn.py 2020-02-12 23:48:38 -06:00
GlennHD bdb4185a0a
Update geoip_city.py 2020-02-12 23:48:20 -06:00
GlennHD 46f0f410e7
Added geoip_asn and geoip_city to load 2020-02-12 21:31:41 -06:00
GlennHD 0b9b6c4f41
Added GeoIP_ASN Enrichment module 2020-02-12 21:29:40 -06:00
GlennHD 7a3f9a422d
Added GeoIP_City Enrichment module 2020-02-12 21:28:41 -06:00
Jakub Onderka acdc4b9d03 fix: [VT] Disable SHA512 query for VT 2020-02-07 12:20:12 +01:00
Hendrik 8f9940200b Lastline verify_ssl option
Helps people with on-prem boxes
2020-01-27 07:46:48 +01:00
chrisr3d b2c8f79220
fix: Making pep8 happy 2020-01-24 15:17:35 +01:00
Georg Schölly 04685ea63e joe: (1) allow users to disable PE object import (2) set 'to_ids' to False 2020-01-24 14:51:38 +01:00
Alexandre Dulaunoy 09cdc7277c
Merge pull request #365 from ostefano/analysis
change: migrate to analysis API when submitting files to Lastline
2020-01-21 14:15:22 +01:00
Stefano Ortolani 66bf650b79 change: migrate to analysis API when submitting tasks to Lastline 2020-01-21 11:32:05 +00:00
Koen Van Impe 036933ea14 2nd fix for VT Public module 2020-01-17 11:26:35 +01:00
Koen Van Impe 610c99ce7b Fix error message in Public VT module 2020-01-17 10:58:31 +01:00
chrisr3d 31a74a10c1
fix: Fixed ipasn test input format + module version updated 2020-01-10 15:37:54 +01:00
chrisr3d b3bc533bc3
chg: Making ipasn module return asn object(s)
- Latest changes on the returned value as string
  broke the freetext parser, because no asn number
  could be parsed when we return the full json
  blob as a freetext attribute
- Now returning asn object(s) with a reference to
  the initial attribute
2020-01-10 15:02:59 +01:00
chrisr3d 35c438e6ee
fix: typo 2020-01-10 10:38:12 +01:00
chrisr3d f5452055f6
fix: Fixed vt_graph imports 2020-01-10 10:31:52 +01:00
chrisr3d 70b3079aa3
fix: Fixed pep8 in the new module and related libraries 2020-01-09 16:01:18 +01:00
chrisr3d 7722e2cb93
fix: Fixed typo on function import 2020-01-09 15:28:33 +01:00
Christian Studer 7c2b001df3
Merge pull request #361 from VirusTotal/master
add vt_graph export module
2020-01-09 14:51:09 +01:00
Alvaro Garcia 10b4e78704 add vt_graph export module 2020-01-09 09:57:46 +00:00
Erick Cheng bfcba18e3c
Update ipasn.py 2020-01-07 18:58:40 +01:00
chrisr3d cf5ad29f27
chg: Checking attributes category
- We check the category before adding the
  attribute to the event
- Checking if the category is correct and if not,
  doing a case insensitive check
- If the category is not correct after the 2 first
  tests, we simply delete it from the attribute
  and pymisp will give the attribute a default
  category value based on the atttribute type, at
  the creation of the attribute
2020-01-07 17:03:10 +01:00
chrisr3d 7945d060ff
new: Enrichment module for querying APIVoid with domain attributes 2019-12-18 17:11:13 +01:00
chrisr3d 2fc0b44b90
fix: Making pep8 happy with whitespace after ':' 2019-12-18 16:16:47 +01:00
chrisr3d 3007761a55
fix: Making pep8 happy by having spaces around '+' operators 2019-12-17 16:31:53 +01:00
chrisr3d 5f90ae776f
fix: Making pep8 happy 2019-12-17 14:29:29 +01:00
chrisr3d b8d6141cb7
chg: Made circl_passivedns module able to return MISP objects 2019-12-17 11:18:21 +01:00
chrisr3d 9c9f01b6ff
fix: Quick variable name fix 2019-12-17 11:17:56 +01:00
chrisr3d 6849daebfa
chg: Made circl_passivessl module able to return MISP objects 2019-12-17 10:26:43 +01:00
Raphaël Vinot b70c32af7b fix: Somewhat broken emails needed some love 2019-12-05 19:11:07 +01:00
Raphaël Vinot 6f95445143 chg: Update email import module, support objects 2019-12-04 15:25:01 +01:00
Stefano Ortolani f749578525 add: Modules to query/import/submit data from/to Lastline 2019-12-02 19:09:40 +00:00
Raphaël Vinot 5d7a829583 chg: Use MISPObject in ransomcoindb 2019-11-26 13:27:02 +01:00
aaronkaplan 06025e63d0
oops , use relative import 2019-11-26 01:52:31 +01:00
aaronkaplan d73a9b601a
use a helpful user-agent string 2019-11-26 01:08:28 +01:00
aaronkaplan 777483838b
Revert "fix url"
This reverts commit 44130e2bf9.
2019-11-25 22:24:57 +01:00
aaronkaplan 44130e2bf9
fix url 2019-11-25 20:51:20 +01:00
aaronkaplan 24ec4a0e23
remove pprint 2019-11-25 18:56:12 +01:00
aaronkaplan 5350003e3a
initial version of the ransomcoindb expansion module 2019-11-25 18:52:39 +01:00
chrisr3d ccf12a225c
fix: Making pep8 happy 2019-11-21 17:50:49 -05:00
chrisr3d 96712da5e0
add: Module to query AssemblyLine and parse the results
- Takes an AssemblyLine submission link to query
  the API and get the full submission report
- Parses the potentially malicious files and the
  IPs, domains or URLs they are connecting to
- Possible improvement of the parsing filters in
  order to include more data in the MISP event
2019-11-21 13:25:50 -05:00
chrisr3d de8737d2f3
fix: Fixed input types list since domain should not be submitted to AssemblyLine 2019-11-20 17:35:37 -05:00
chrisr3d dc9ea98d2c
fix: Making pep8 happy 2019-11-20 10:13:51 -05:00
chrisr3d 58a4cb15a1
add: New expansion module to submit samples and urls to AssemblyLine 2019-11-19 15:41:35 -05:00
chrisr3d f08fc6d9a5
chg: Reintroducing the limit to reduce the number of recursive calls to the API when querying for a domain 2019-11-17 19:11:26 -05:00
chrisr3d 4990bcebd8
fix: Avoiding KeyError exception when no result is found 2019-11-17 18:00:19 -05:00
chrisr3d 91d6f1baa0
fix: Fixed csv file parsing 2019-11-07 11:50:16 +01:00
chrisr3d 0fd3f92fe3
fix: Fixed Xforce Exchange authentication + rework
- Now able to return MISP objects
- Support of the xforce exchange authentication
  with apikey & apipassword
2019-11-05 16:43:03 +01:00
chrisr3d 852018bf79
fix: Added urlscan & secuirtytrails modules in __init__ list 2019-11-04 16:52:26 +01:00
chrisr3d bfe227d555
fix: More clarity on the exception raised on the securitytrails module 2019-10-31 17:19:42 +01:00
chrisr3d 69e81b47d7
fix: Better exceptions handling on the passivetotal module 2019-10-31 17:18:23 +01:00
chrisr3d 4411166b43
fix: Fixed config parsing and the associated error message 2019-10-31 11:52:34 +01:00
chrisr3d 4f70011edf
fix: Fixed config parsing + results parsing
- Avoiding errors with config field when it is
  empty or the apikey is not set
- Parsing all the results instead of only the
  first one
2019-10-31 11:48:59 +01:00
Alexandre Dulaunoy c3c6f1a6ea
Merge pull request #346 from blaverick62/master
EQL Query Generation Modules
2019-10-30 22:08:07 +01:00
Braden Laverick 717be2b859 Removed extraneous comments and unused imports 2019-10-30 15:44:47 +00:00
chrisr3d b63a0d1eb8
fix: Making urlscan module available in MISP for ip attributes
- As expected in the the handler function
2019-10-30 16:39:07 +01:00
chrisr3d d4eb88c66a
fix: Avoiding various modules to fail with uncritical issues
- Avoiding securitytrails to fail with an unavailable
  feature for free accounts
- Avoiding urlhaus to fail with input attribute
  fields that are not critical for the query and
  results
- Avoiding VT modules to fail when a certain
  resource does not exist in the dataset
2019-10-30 16:34:15 +01:00
chrisr3d 393b33d02d
fix: Fixed config field parsing for various modules
- Same as previous commit
2019-10-30 16:31:57 +01:00
Braden Laverick dc4c09f751 Fixed python links 2019-10-30 13:47:43 +00:00
Braden Laverick 62d25b1f76 Changed file name to mass eql export 2019-10-30 13:46:52 +00:00
Braden Laverick 08fc938acd Fixed comments 2019-10-30 13:41:40 +00:00
chrisr3d d0ddfb3355
fix: [expansion] Better config field handling for various modules
- Testing if config is present before trying to
  look whithin the config field
- The config field should be there when the module
  is called form MISP, but it is not always the
  case when the module is queried from somewhere else
2019-10-30 09:09:55 +01:00
Braden Laverick 2a4c7ff150 Added ors for compound queries 2019-10-29 20:22:41 +00:00
Braden Laverick c1ca936910 Fixed syntax error 2019-10-29 20:14:07 +00:00
Braden Laverick c06ceedfb8 Changed to single attribute EQL 2019-10-29 20:11:35 +00:00
Braden Laverick a426ad249d Added EQL enrichment module 2019-10-29 19:42:47 +00:00
Braden Laverick 5802575e44 Fixed string formatting 2019-10-29 16:29:36 +00:00
Braden Laverick 3142b0ab02 Fixed type error in JSON parsing 2019-10-29 16:08:58 +00:00
Braden Laverick c3ccc9c577 Attempting to import endgame module 2019-10-29 15:52:49 +00:00
Braden Laverick 8ac4b610b8 Added endgame export to __all__ 2019-10-29 15:11:31 +00:00
Braden Laverick 3e44181aed Added EQL export test module 2019-10-29 15:02:08 +00:00
chrisr3d dc7463a67e
fix: Avoid issues when some config fields are not set 2019-10-29 11:04:29 +01:00
Alexandre Dulaunoy dec2494a0a
chg: [apiosintds] make flake8 happy 2019-10-29 09:33:39 +01:00
Alexandre Dulaunoy fdbb0717e0
Merge pull request #344 from davidonzo/master
Added apiosintDS module to query OSINT.digitalside.it services
2019-10-29 08:56:29 +01:00
chrisr3d 204e5a7de9
Merge branch 'master' of github.com:MISP/misp-modules 2019-10-28 16:45:50 +01:00
chrisr3d 7a56174c40
fix: Fixed Geoip with the supported python library + fixed Geolite db path management 2019-10-28 16:39:08 +01:00
milkmix bdc5282e09 updated to geoip2 to support mmdb format 2019-10-25 18:09:44 +02:00
Davide 56e16dbaf5 Added apiosintDS module to query OSINT.digitalside.it services 2019-10-24 12:49:29 +02:00
chrisr3d e1602fdca9
fix: Updates following the latest CVE-search version
- Support of the new vulnerable configuration
  field for CPE version > 2.2
- Support of different 'unknown CWE' message
2019-10-23 11:55:36 +02:00
chrisr3d 63dba29c52
fix: Fixed module names with - to avoid errors with python paths 2019-10-18 11:09:10 +02:00
chrisr3d d740abe74b
fix: Making pep8 happy 2019-10-17 10:45:51 +02:00
chrisr3d a228e2505d
fix: Avoiding empty values + Fixed empty types error + Fixed filename KeyError 2019-10-17 10:42:34 +02:00
chrisr3d 5f7b127713
chg: Avoids returning empty values + easier results parsing 2019-10-15 23:30:39 +02:00
chrisr3d 8aca19ba68
chg: Taking into consideration if a user agent is specified in the module configuration 2019-10-15 11:25:30 +02:00
chrisr3d 6d19549184
fix: Grouped two if conditions to avoid issues with variable unassigned if the second condition is not true 2019-10-13 20:23:02 +02:00
chrisr3d b560347d5d
fix: Considering the case of empty results 2019-10-08 15:49:09 +02:00
chrisr3d 8bcb630340
fix: Catching results exceptions properly 2019-10-08 15:48:26 +02:00
chrisr3d 2850d6f690
fix: Catching exceptions and results properly depending on the cases 2019-10-08 15:45:06 +02:00
chrisr3d 5d4a0bff98
fix: Handling cases where there is no result from the query 2019-10-08 13:28:23 +02:00
chrisr3d 662e58da88
fix: Fixed pattern parsing + made the module hover only 2019-10-07 16:46:32 +02:00
chrisr3d b9b78d1606
fix: Travis tests should be happy now 2019-10-04 17:22:32 +02:00
chrisr3d 6801289175
fix: Returning results in text format
- Makes the hover functionality display the full
  result instead of skipping the records list
2019-10-04 15:54:25 +02:00
chrisr3d fe1987101d
fix: Making pep8 happy 2019-10-03 17:10:47 +02:00
chrisr3d c5c5c16ff1
fix: Avoiding errors with uncommon lines
- Excluding first from data parsed all lines that
  are comments or empty
- Skipping lines with failing indexes
2019-10-03 16:03:30 +02:00
chrisr3d 3d7de2dc22
fix: Fixed unassigned variable name 2019-10-03 16:02:25 +02:00
chrisr3d ffe43acd89
fix: Removed no longer used variables 2019-09-20 09:22:20 +02:00
chrisr3d cfc6438c47
fix: csv import rework & improvement
- More efficient parsing
- Support of multiple csv formats
- Possibility to customise headers
- More improvement to come for external csv file
2019-09-19 23:19:57 +02:00
chrisr3d 09590ca451
fix: Making pep8 happy 2019-09-17 14:13:05 +02:00
Christian Studer 205342996a
Merge pull request #335 from FafnerKeyZee/patch-2
Travis should not be complaining with the tests after the latest update on "test_cve"
2019-09-17 14:11:03 +02:00
Fafner [_KeyZee_] dc84c9f972
adding custom API
Adding the possibility to have our own API server.
2019-09-17 11:07:23 +02:00
Fafner [_KeyZee_] 5c09b66706
Cleaning the error message
The original message can be confusing is the user change to is own API.
2019-09-17 10:42:29 +02:00
chrisr3d 5ebd0bd4fc Merge branch 'master' of github.com:MISP/misp-modules 2019-09-16 14:31:01 +02:00
chrisr3d 8d33d6c18c
add: New parameter to specify a custom CVE API to query
- Any API specified here must return the same
  format as the CIRCL CVE search one in order to
  be supported by the parsing functions, and
  ideally provide response to the same kind of
  requests (so the CWE search works as well)
2019-09-16 14:19:20 +02:00
Pierre-Jean Grenier b2ab727f9b fix: prevent symlink attacks 2019-08-22 11:23:37 +02:00
Pierre-Jean Grenier 413cc2469f chg: [cuckooimport] Handle archives downloaded from both the WebUI and the API 2019-08-21 16:35:11 +02:00
Alexandre Dulaunoy c019e4d997
Merge pull request #322 from zaphodef/cuckooimport
Rewrite cuckooimport
2019-08-13 14:32:48 +02:00
Pierre-Jean Grenier 6ba6f8bb1f new: Rewrite cuckooimport 2019-08-09 15:44:47 +02:00
chrisr3d 415fa55fff
fix: Avoiding issues when no CWE id is provided 2019-08-06 15:55:50 +02:00
chrisr3d 0b603fc5d3
fix: Fixed unnecessary dictionary field call
- No longer necessary to go under 'Event' field
  since PyMISP does not contain it since the
  latest update
2019-08-05 11:33:04 +02:00
chrisr3d 4df528c331
add: Added initial event to reference it from the vulnerability object created out of it 2019-08-02 15:35:33 +02:00
chrisr3d 034222d7b3
fix: Using the attack-pattern object template (copy-paste typo) 2019-08-02 10:10:44 +02:00
chrisr3d 7eb4f034c0
fix: Making pep8 happy 2019-08-01 17:17:16 +02:00
chrisr3d 5c15c0ff93
add: Making vulnerability object reference to its related capec & cwe objects 2019-08-01 15:37:10 +02:00
chrisr3d c4302aa35e
add: Parsing CAPEC information related to the CVE 2019-08-01 15:21:18 +02:00
chrisr3d 7445d7336e
add: Parsing CWE related to the CVE 2019-08-01 14:55:53 +02:00
chrisr3d 7b1c35d583
fix: Fixed cvss-score object relation name 2019-07-30 09:55:36 +02:00
chrisr3d 3367e47490
fix: Avoid issues when there is no pe field in a windows file sample analysis
- For instance: doc file
2019-07-25 17:57:36 +02:00
chrisr3d 3d41104d5b
fix: Avoid adding file object twice if a KeyError exception comes for some unexpected reasons 2019-07-25 17:47:08 +02:00
chrisr3d ddeb04bd74
add: Parsing linux samples and their elf data 2019-07-25 17:46:21 +02:00
chrisr3d 41bbbeddfb
fix: Testing if file & registry activities fields exist before trying to parse it 2019-07-25 17:44:32 +02:00
chrisr3d 4c8fe9d8ef
fix: Testing if there is some screenshot data before trying to fetch it 2019-07-25 17:43:11 +02:00
chrisr3d e2a0f27d75
fix: Fixed direction of the relationship between files, PEs and their sections
- The file object includes a PE, and the PE
  includes sections, not the other way round
2019-07-24 14:58:45 +02:00
chrisr3d 42b95c4210
fix: Fixed variable names 2019-07-24 12:21:58 +02:00
chrisr3d 27f5c9ceeb Merge branch 'master' of github.com:MISP/misp-modules 2019-07-24 12:08:28 +02:00
chrisr3d 5602cf1759
add: Parsing apk samples and their permissions 2019-07-24 11:59:11 +02:00
chrisr3d fc8a573ba7
fix: Changed the way references added at the end are saved
- Some references are saved until they are added
  at the end, to make it easier when needed
- Here we changed the way they are saved, from a
  dictionary with some keys to identify each part
  to the actual dictionary with the keys the
  function add_reference needs, so we can directly
  use this dictionary as is when the references are
  added to the different objects
2019-07-24 11:14:12 +02:00
chrisr3d 4ee0cbe4c5
add: Added virustotal_public to the list of available modules 2019-07-24 11:10:25 +02:00
Raphaël Vinot 80ce0a58b5 fix: Skip tests on haveibeenpwned.com if 403. Make pep8 happy. 2019-07-24 09:49:05 +02:00
chrisr3d 92d90e8e1c
add: TODO comment for the next improvement 2019-07-23 09:42:10 +02:00
chrisr3d 14cf39d8b6
chg: Updated the module to work with the updated VirusTotal API
- Parsing functions updated to support the updated
  format of the VirusTotal API responses
- The module can now return objects
- /!\ This module requires a high number of
  requests limit rate to work as expected /!\
2019-07-22 16:22:29 +02:00
chrisr3d 1fa37ea712
fix: Avoiding issues with non existing sample types 2019-07-22 11:43:35 +02:00
chrisr3d 675e0815ff
add: Parsing communicating samples returned by domain reports 2019-07-22 11:42:52 +02:00
chrisr3d c9c2027a57
fix: Undetected urls are represented in lists 2019-07-22 11:39:46 +02:00
chrisr3d 6fdfcb0a29
fix: Changed function name to avoid confusion with the same variable name 2019-07-22 09:53:19 +02:00
chrisr3d 729c86c336
fix: Quick fix on siblings & url parsing 2019-07-22 09:16:04 +02:00
chrisr3d 9aa721bc37
fix: typo 2019-07-19 16:20:24 +02:00
chrisr3d 641dda0103
add: Parsing downloaded samples as well as the referrer ones 2019-07-18 21:38:17 +02:00
chrisr3d 795edb7457
chg: Adding references between a domain and their siblings 2019-07-17 20:40:56 +02:00
chrisr3d 8de350744b
chg: Getting domain siblings attributes uuid for further references 2019-07-16 22:39:35 +02:00
chrisr3d a61d09db8b
fix: Parsing detected & undetected urls 2019-07-15 23:44:25 +02:00
chrisr3d d9b03a7aa5
fix: Various fixes about typo, variable names, data types and so on 2019-07-12 10:59:19 +02:00
chrisr3d f862a14ce6
add: Object for VirusTotal public API queries
- Lighter analysis of the report to avoid reaching
  the limit of queries per minute while recursing
  on the different elements
2019-07-11 22:59:07 +02:00
chrisr3d 3edc323836
fix: Making pep8 happy 2019-07-10 15:29:31 +02:00
chrisr3d 5703253961
new: First version of an advanced CVE parser module
- Using cve.circl.lu as well as the initial module
- Going deeper into the CVE parsing
- More parsing to come with the CWE, CAPEC and so on
2019-07-10 15:20:22 +02:00
chrisr3d 181e6383a3
fix: Added missing add_attribute function 2019-07-03 11:14:46 +02:00
chrisr3d 9a6d484188
add: Added screenshot of the behavior of the analyzed sample 2019-06-21 10:53:12 +02:00
chrisr3d 9e45d302b1
fix: Testing if an object is not empty before adding it the the event 2019-06-18 09:45:59 +02:00
chrisr3d 9fdd6c5e58
fix: Making travis happy 2019-06-15 08:17:29 +02:00
chrisr3d 2f3ce1b615
fix: Support of the latest version of sigmatools 2019-06-15 08:06:47 +02:00
chrisr3d 1ac85a4879
fix: We will display galaxies with tags 2019-06-15 08:05:14 +02:00
chrisr3d b7223abe78 Merge branch 'new_module' of github.com:MISP/misp-modules into new_module 2019-06-07 15:30:19 +02:00
chrisr3d de966eac51
fix: Returning tags & galaxies with results
- Tags may exist with the current version of the
  parser
- Galaxies are not yet expected from the parser,
  nevertheless the principle is we want to return
  them as well if ever we have some galaxies from
  parsing a JoeSandbox report. Can be removed if
  we never galaxies at all
2019-06-07 15:22:11 +02:00
chrisr3d b52e17fa8d
fix: Removed duplicate finalize_results function call 2019-06-07 11:38:50 +02:00
Georg Schölly efb0a88eeb joesandbox_query.py: improve behavior in unexpected circumstances 2019-06-04 11:29:40 +02:00
chrisr3d aa3e873845
fix: Making pep8 happy + added joe_import module in the init list 2019-06-04 11:33:42 +10:00
chrisr3d 42bc6f8d2b
fix: Fixed variable name typo 2019-06-04 11:32:21 +10:00
chrisr3d ee48d99845
add: New expansion module to query Joe Sandbox API with a report link 2019-06-04 09:48:50 +10:00
chrisr3d 07698e5c72
fix: Fixed references between domaininfo/ipinfo & their targets
- Fixed references when no target id is set
- Fixed domaininfo parsing when no ip is defined
2019-06-03 18:38:58 +10:00
chrisr3d 0d40830a7f
fix: Some quick fixes
- Fixed strptime matching because months are
  expressed in abbreviated format
- Made data loaded while the parsing function is
  called, in case it has to be called multiple
  times at some point
2019-06-03 18:35:58 +10:00
chrisr3d 74b73f9332
chg: Moved JoeParser class to make it reachable from expansion & import modules 2019-05-29 11:26:14 +10:00
chrisr3d f541b1f4ba Merge branch 'master' of github.com:MISP/misp-modules into new_module 2019-05-29 10:50:39 +10:00
Georg Schölly 9377a892f4 support url analyses 2019-05-28 16:19:35 +02:00
Georg Schölly 380b8d46ba improve forwards-compatibility 2019-05-28 16:14:59 +02:00
chrisr3d 8ac651562e
fix: Making pep8 & travis happy 2019-05-23 16:13:49 +02:00
chrisr3d be05de62c0
add: Parsing MITRE ATT&CK tactic matrix related to the Joe report 2019-05-23 15:59:52 +02:00
chrisr3d e608107a09
add: Parsing domains, urls & ips contacted by processes 2019-05-22 17:12:49 +02:00
chrisr3d cfec9a6b1c
fix: Added references between processes and the files they drop 2019-05-22 15:27:04 +02:00
chrisr3d 191034d311
add: Starting parsing dropped files 2019-05-21 23:37:53 +02:00
Georg Schölly 1745d33ee4 add expansion for joe sandbox 2019-05-21 21:14:21 +02:00
chrisr3d 417c306ace
fix: Avoiding network connection object duplicates 2019-05-20 15:59:18 +02:00
chrisr3d 72e5f0099d
fix: Avoid creating a signer info object when the pe is not signed 2019-05-20 10:52:34 +02:00
chrisr3d 54f5fa6fa9
fix: Avoiding dictionary indexes issues
- Using tuples as a dictionary indexes is better
  than using generators...
2019-05-20 09:19:38 +02:00
chrisr3d 0d5f867825
add: Starting parsing network behavior fields 2019-05-17 22:18:11 +02:00
chrisr3d f9515c14d0
fix: Avoiding attribute & reference duplicates 2019-05-16 16:14:25 +02:00
chrisr3d 2246fc0d02
add: Parsing registry activities under processes 2019-05-16 16:11:43 +02:00
chrisr3d 067b229224
fix: Handling case of multiple processes in behavior field
- Also starting parsing file activities
2019-05-15 22:06:55 +02:00
chrisr3d d195b554a5
fix: Testing if some fields exist before trying to import them
- Testing for pe itself, pe versions and pe signature
2019-05-15 22:05:03 +02:00
chrisr3d fc8a56d1d9
fix: Removed test print 2019-05-15 15:49:29 +02:00
chrisr3d df7047dff0
fix: Fixed output format to match with the recent changes on modules 2019-05-14 10:50:11 +02:00
chrisr3d 29e681ef81
add: Parsing processes called by the file analyzed in the joe sandbox report 2019-05-13 17:30:01 +02:00
chrisr3d d39fb7da18
add: Parsing some object references at the end of the process 2019-05-13 17:29:07 +02:00
chrisr3d 728386d8a0
add: [new_module] Module to import data from Joe sandbox reports
- Parsing file, pe and pe-section objects from the
  report file info field
- Deeper file info parsing to come
- Other fields parsing to come as well
2019-05-08 16:52:49 +02:00
chrisr3d 77db21cf18
fix: Making pep8 happy 2019-05-07 09:37:21 +02:00
chrisr3d f1b5f05bb3
fix: Checking not MISP header fields
- Rejecting fields not recognizable by MISP
2019-05-07 09:35:56 +02:00
chrisr3d 6608671a01 Merge branch 'master' of github.com:MISP/misp-modules into new_module 2019-05-07 08:38:16 +02:00
chrisr3d 28eb92da53
fix: Using pymisp classes & methods to parse the module results 2019-05-06 22:16:14 +02:00
chrisr3d ae5bd8d06a
fix: Clearer user config messages displayed in the import view 2019-05-06 22:15:14 +02:00
Koen Van Impe 1cd60790fd Bugfix for "sources" ; do not include as IDS for "access" registry keys
- Bugfix to query "operations" in files, mutex, registry
- Do not set IDS flag for registry 'access' operations
2019-05-06 16:36:26 +02:00
chrisr3d d4bc85259d
fix: Removed unused library 2019-05-02 14:15:12 +02:00
chrisr3d 6f4b88606b
fix: Make pep8 happy 2019-05-02 14:07:36 +02:00
chrisr3d a5ff849950 Merge branch 'master' of github.com:MISP/misp-modules into new_module 2019-05-02 13:23:24 +02:00
Steve Clement 559ed786ba
chg: [pep8] try/except # noqa
Not sure how to make flake happy on this one.
2019-05-02 11:44:32 +09:00
Steve Clement 9af06fd24c
fix: [pep8] More fixes 2019-05-02 11:23:49 +09:00
Steve Clement 81ffabd621
fix: [pep8] More pep8 happiness 2019-05-02 11:06:32 +09:00
Steve Clement 553cf44337
fix: [pep8] Fixes 2019-05-02 10:37:48 +09:00
Koen Van Impe c8a4d8d76f New VMRay modules
New JSON output format of VMRay
Prepare for automation (via PyMISP) with workflow taxonomy tags
2019-05-01 22:44:24 +02:00
root c886247a64
fix: Fixed standard MISP csv format header
- The csv header we can find in data produced from
  MISP restSearch csv format is the one to use to
  recognize a csv file produced by MISP
2019-05-01 22:32:06 +02:00
root f900cb7c68
fix: Fixed introspection fields for csvimport & goamlimport
- Added format field for goaml so the module is
  known as returning MISP attributes & objects
- Fixed introspection to make the format, user
  config and input source fields visible from
  MISP (format also added at the same time)
2019-05-01 22:28:19 +02:00
root db74c5f49a
fix: Fixed libraries import that changed with the latest merge 2019-05-01 22:26:53 +02:00
root 92351e6679
add: Added urlhaus in the expansion modules init list 2019-05-01 22:22:10 +02:00
chrisr3d ed7a14b057 Merge branch 'features_csvimport' of github.com:MISP/misp-modules into new_module 2019-04-30 17:19:34 +02:00
chrisr3d ee560155a4 Merge branch 'master' of github.com:MISP/misp-modules into features_csvimport 2019-04-30 17:16:48 +02:00
chrisr3d 55e494c9ed Merge branch 'features_csvimport' of github.com:MISP/misp-modules into features_csvimport 2019-04-30 17:16:31 +02:00
chrisr3d 922782f24b Merge branch 'master' of github.com:MISP/misp-modules into new_module 2019-04-30 08:57:19 +02:00
Raphaël Vinot 48c158271b new: Devel mode.
Fix #293
2019-04-26 13:48:41 +02:00
Alexandre Dulaunoy ec766f571c
chg: [init] cleanup for pep 2019-04-26 13:36:53 +02:00
Alexandre Dulaunoy 63c12f34e6
chg: [pdf-enrich] updated 2019-04-26 13:36:07 +02:00
Sascha Rommelfangen fc339c888d removed trailing whitespaces 2019-04-26 12:14:56 +02:00
Sascha Rommelfangen 722ec88b45 Merge branch 'master' of https://github.com/MISP/misp-modules 2019-04-26 12:09:39 +02:00
Sascha Rommelfangen 1d4f8a6989 new modules added 2019-04-26 12:09:16 +02:00
Sascha Rommelfangen f55d7946df introduction of new modules 2019-04-26 12:07:55 +02:00
Raphaël Vinot c3c5b75157 Merge branch 'master' of github.com:MISP/misp-modules 2019-04-26 11:35:44 +02:00
Raphaël Vinot 2c64e5ca67 fix: CTRL+C is working again
Fix #292
2019-04-26 11:35:06 +02:00
Sascha Rommelfangen 06036b7fe5 Merge branch 'master' of https://github.com/MISP/misp-modules 2019-04-24 15:01:03 +02:00
Sascha Rommelfangen 07f759b07a renamed file 2019-04-24 14:53:16 +02:00
Sascha Rommelfangen 5104bce451 renamed module 2019-04-24 14:53:03 +02:00
Alexandre Dulaunoy 81b0082ae5
chg: [init] removed trailing whitespace 2019-04-24 14:01:48 +02:00
Alexandre Dulaunoy 614fc1354b
chg: [ocr] re module not used - removed 2019-04-24 14:01:08 +02:00
Sascha Rommelfangen 7171c8ce92 initial version of OCR expansion module 2019-04-24 13:54:21 +02:00
Alexandre Dulaunoy 18a2370ae3
Merge pull request #291 from Evert0x/submitcuckoo
Expansion module - File/URL submission to Cuckoo Sandbox
2019-04-23 19:36:28 +02:00
Sascha Rommelfangen 2d8aaf09c2
brackets are difficult... 2019-04-23 15:40:22 +02:00
Alexandre Dulaunoy e55ae11a1e
chg: [qrcode] added to the __init__ 2019-04-23 14:45:12 +02:00
Alexandre Dulaunoy 44050ec4da
chg: [qrcode] flake8 needs some drugs 2019-04-23 14:44:00 +02:00
Alexandre Dulaunoy d5180e7e79
chg: [qrcode] various fixes to make it PEP compliant 2019-04-23 14:37:27 +02:00
Alexandre Dulaunoy a0fce1bc90
Merge branch 'qr-code-module' of https://github.com/rommelfs/misp-modules into rommelfs-qr-code-module 2019-04-23 14:33:06 +02:00
Sascha Rommelfangen c85ab8d93c
initial version of QR code reader
Module accepts attachments and processes pictures. It tries to identify and analyze an existing QR code.
Identified values can be inserted into the event.
2019-04-23 11:38:56 +02:00
Ricardo van Zutphen e6326185d5 Use double quotes and provide headers correctly 2019-04-19 16:24:30 +02:00
Ricardo van Zutphen 49acb53745 Update Cuckoo module to support files and URLs 2019-04-19 14:06:35 +02:00
Evert0x e243edb503
Update __init__.py 2019-04-18 14:25:05 +02:00
Evert0x eefa35c65d
Create cuckoo_submit.py 2019-04-18 00:23:38 +02:00
Raphaël Vinot f5167c2f23 fix: Make flake8 happy. 2019-04-16 11:25:39 +02:00
iceone23 d24a6e2e24
Create cisco_firesight_manager_ACL_rule_export.py
Cisco Firesight Manager ACL Rule Export module
2019-04-15 06:17:27 -07:00
chrisr3d 4955698c63 Merge branch 'new_module' of github.com:MISP/misp-modules into new_module 2019-04-03 22:02:44 +02:00
chrisr3d f492465c00 Merge branch 'master' of github.com:MISP/misp-modules into new_module 2019-04-03 22:00:40 +02:00
Raphaël Vinot f82933779f fix: pep8 foobar. 2019-04-02 16:01:36 +02:00
Raphaël Vinot 9cb21f98e1 fix: Add the new module sin the list of modules availables. 2019-04-02 15:46:17 +02:00
Raphaël Vinot c64f514a6f fix: Typos in variable names 2019-04-02 15:39:27 +02:00
Raphaël Vinot b89d068c04 new: Modules for greynoise, haveibeenpwned and macvendors
Source: https://github.com/src7/misp-modules
2019-04-02 15:30:11 +02:00
root 38fc479d12 Merge branch 'master' of https://github.com/MISP/misp-modules into new_module 2019-04-01 16:29:10 +02:00
root 2439d5f75d
fix: Fixed object_id variable name typo 2019-04-01 16:28:19 +02:00
chrisr3d 756a794087 Merge branch 'master' of github.com:MISP/misp-modules into new_module 2019-03-25 15:35:10 +01:00
Raphaël Vinot 1c0984eaec fix: Remove unused import 2019-03-15 11:06:11 +01:00
chrisr3d d87a67c6f3 Merge branch 'master' of github.com:MISP/misp-modules into new_module 2019-03-14 19:04:32 +01:00
chrisr3d 0b92fd5a53
fix: Making json_decode even happier with full json format
- Using MISPEvent because it is cleaner & easier
- Also cleaner implementation globally
2019-03-14 18:48:13 +01:00