mirror of https://github.com/MISP/misp-modules
Compare commits
7 Commits
Author | SHA1 | Date |
---|---|---|
Alexandre Dulaunoy | 0a01b382f4 | |
Andreas Muehlemann | 85af573a74 | |
Alexandre Dulaunoy | 53d4cb3860 | |
Alexandre Dulaunoy | 1c963d3482 | |
Andreas Muehlemann | 8d240e3541 | |
Steve Clement | af1739cec5 | |
Steve Clement | 70543820eb |
|
@ -27,7 +27,6 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
|
|||
* [CIRCL Passive DNS](misp_modules/modules/expansion/circl_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
|
||||
* [CIRCL Passive SSL](misp_modules/modules/expansion/circl_passivessl.py) - a hover and expansion module to expand IP addresses with the X.509 certificate(s) seen.
|
||||
* [countrycode](misp_modules/modules/expansion/countrycode.py) - a hover module to tell you what country a URL belongs to.
|
||||
* [CrowdSec](misp_modules/modules/expansion/crowdsec.py) - a hover module to expand using CrowdSec's CTI API.
|
||||
* [CrowdStrike Falcon](misp_modules/modules/expansion/crowdstrike_falcon.py) - an expansion module to expand using CrowdStrike Falcon Intel Indicator API.
|
||||
* [CPE](misp_modules/modules/expansion/cpe.py) - An expansion module to query the CVE Search API with a cpe code, to get its related vulnerabilities.
|
||||
* [CVE](misp_modules/modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE).
|
||||
|
|
264
REQUIREMENTS
264
REQUIREMENTS
|
@ -1,182 +1,112 @@
|
|||
-i https://pypi.org/simple
|
||||
aiohttp==3.8.3
|
||||
aiosignal==1.2.0 ; python_version >= '3.6'
|
||||
antlr4-python3-runtime==4.9.3
|
||||
anyio==3.6.1 ; python_full_version >= '3.6.2'
|
||||
-e .
|
||||
-e git+https://github.com/D4-project/BGP-Ranking.git/@fd9c0e03af9b61d4bf0b67ac73c7208a55178a54#egg=pybgpranking&subdirectory=client
|
||||
-e git+https://github.com/D4-project/IPASN-History.git/@fc5e48608afc113e101ca6421bf693b7b9753f9e#egg=pyipasnhistory&subdirectory=client
|
||||
-e git+https://github.com/MISP/PyIntel471.git@0df8d51f1c1425de66714b3a5a45edb69b8cc2fc#egg=pyintel471
|
||||
-e git+https://github.com/MISP/PyMISP.git@b5b40ae2c5225a4b349c26294cfc012309a61352#egg=pymisp[fileobjects,openioc,virustotal,pdfexport]
|
||||
-e git+https://github.com/Rafiot/uwhoisd.git@411572840eba4c72dc321c549b36a54ed5cea9de#egg=uwhois&subdirectory=client
|
||||
-e git+https://github.com/cartertemm/ODTReader.git/@49d6938693f6faa3ff09998f86dba551ae3a996b#egg=odtreader
|
||||
-e git+https://github.com/sebdraven/pydnstrails@48c1f740025c51289f43a24863d1845ff12fd21a#egg=pydnstrails
|
||||
-e git+https://github.com/sebdraven/pyonyphe@1ce15581beebb13e841193a08a2eb6f967855fcb#egg=pyonyphe
|
||||
-e git+https://github.com/stricaud/faup.git#egg=pyfaup&subdirectory=src/lib/bindings/python
|
||||
aiohttp==3.4.4
|
||||
antlr4-python3-runtime==4.8 ; python_version >= '3'
|
||||
apiosintds==1.8.3
|
||||
appdirs==1.4.4
|
||||
argparse==1.4.0
|
||||
assemblyline-client==4.5.0
|
||||
async-timeout==4.0.2 ; python_version >= '3.6'
|
||||
asynctest==0.13.0 ; python_version < '3.8'
|
||||
attrs==22.1.0 ; python_version >= '3.5'
|
||||
backoff==2.1.2 ; python_version >= '3.7' and python_version < '4.0'
|
||||
backports.zoneinfo==0.2.1 ; python_version < '3.9'
|
||||
assemblyline-client==3.7.3
|
||||
async-timeout==3.0.1
|
||||
attrs==19.3.0
|
||||
backscatter==0.2.4
|
||||
beautifulsoup4==4.11.1
|
||||
bidict==0.22.0 ; python_version >= '3.7'
|
||||
beautifulsoup4==4.8.2
|
||||
blockchain==1.4.4
|
||||
censys==2.1.8
|
||||
certifi==2022.9.24 ; python_version >= '3.6'
|
||||
cffi==1.15.1
|
||||
chardet==5.0.0
|
||||
charset-normalizer==2.1.1 ; python_full_version >= '3.6.0'
|
||||
clamd==1.0.2
|
||||
click==8.1.3 ; python_version >= '3.7'
|
||||
censys==0.0.8
|
||||
certifi==2019.11.28
|
||||
cffi==1.14.0
|
||||
chardet==3.0.4
|
||||
click-plugins==1.1.1
|
||||
colorama==0.4.5 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'
|
||||
colorclass==2.2.2 ; python_version >= '2.6'
|
||||
commonmark==0.9.1
|
||||
compressed-rtf==1.0.6
|
||||
configparser==5.3.0 ; python_version >= '3.7'
|
||||
crowdstrike-falconpy==1.2.2
|
||||
cryptography==38.0.1 ; python_version >= '3.6'
|
||||
dateparser==1.1.1 ; python_version >= '3.5'
|
||||
decorator==5.1.1 ; python_version >= '3.5'
|
||||
deprecated==1.2.13 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
|
||||
dnsdb2==1.1.4
|
||||
dnspython==2.2.1
|
||||
domaintools-api==1.0.1
|
||||
easygui==0.98.3
|
||||
ebcdic==1.1.1
|
||||
click==7.1.1
|
||||
colorama==0.4.3
|
||||
cryptography==2.8
|
||||
decorator==4.4.2
|
||||
deprecated==1.2.7
|
||||
dnspython==1.16.0
|
||||
domaintools-api==0.3.3
|
||||
enum-compat==0.0.3
|
||||
et-xmlfile==1.1.0 ; python_version >= '3.6'
|
||||
extract-msg==0.36.3
|
||||
ez-setup==0.9
|
||||
ezodf==0.3.2
|
||||
filelock==3.8.0 ; python_version >= '3.7'
|
||||
frozenlist==1.3.1 ; python_version >= '3.7'
|
||||
future==0.18.2 ; python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'
|
||||
geoip2==4.6.0
|
||||
h11==0.12.0 ; python_version >= '3.6'
|
||||
httpcore==0.15.0 ; python_version >= '3.7'
|
||||
httplib2==0.20.4 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
|
||||
httpx==0.23.0 ; python_version >= '3.7'
|
||||
idna==3.4 ; python_version >= '3.5'
|
||||
imapclient==2.3.1
|
||||
importlib-metadata==4.12.0 ; python_version < '3.8'
|
||||
importlib-resources==5.9.0 ; python_version < '3.9'
|
||||
isodate==0.6.1
|
||||
itsdangerous==2.1.2 ; python_version >= '3.7'
|
||||
jaraco.classes==3.2.3 ; python_version >= '3.7'
|
||||
jbxapi==3.18.0
|
||||
jeepney==0.8.0 ; sys_platform == 'linux'
|
||||
jinja2==3.1.2
|
||||
json-log-formatter==0.5.1
|
||||
jsonschema==4.16.0 ; python_version >= '3.7'
|
||||
keyring==23.9.3 ; python_version >= '3.7'
|
||||
lark-parser==0.12.0
|
||||
lief==0.12.1
|
||||
lxml==4.9.1
|
||||
future==0.18.2
|
||||
futures==3.1.1
|
||||
geoip2==3.0.0
|
||||
httplib2==0.17.0
|
||||
idna-ssl==1.1.0 ; python_version < '3.7'
|
||||
idna==2.9
|
||||
importlib-metadata==1.6.0 ; python_version < '3.8'
|
||||
isodate==0.6.0
|
||||
jbxapi==3.4.0
|
||||
jsonschema==3.2.0
|
||||
lief==0.10.1
|
||||
lxml==4.6.4
|
||||
maclookup==1.0.3
|
||||
markdownify==0.5.3
|
||||
markupsafe==2.1.1 ; python_version >= '3.7'
|
||||
mattermostdriver==7.3.2
|
||||
maxminddb==2.2.0 ; python_version >= '3.6'
|
||||
.
|
||||
more-itertools==8.14.0 ; python_version >= '3.5'
|
||||
msoffcrypto-tool==5.0.0 ; python_version >= '3' and platform_python_implementation != 'PyPy' or (platform_system != 'Windows' and platform_system != 'Darwin')
|
||||
multidict==6.0.2 ; python_version >= '3.7'
|
||||
mwdblib==4.3.1
|
||||
ndjson==0.3.1
|
||||
maxminddb==1.5.2
|
||||
multidict==4.7.5
|
||||
np==1.0.2
|
||||
numpy==1.21.6 ; python_version < '3.10' and platform_machine == 'aarch64'
|
||||
numpy==1.21.4
|
||||
oauth2==1.9.0.post1
|
||||
git+https://github.com/cartertemm/ODTReader.git/@49d6938693f6faa3ff09998f86dba551ae3a996b#egg=odtreader
|
||||
olefile==0.46 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
|
||||
oletools==0.60.1
|
||||
opencv-python==4.6.0.66
|
||||
openpyxl==3.0.10
|
||||
packaging==21.3 ; python_version >= '3.6'
|
||||
pandas==1.3.5
|
||||
pandas-ods-reader==0.1.2
|
||||
passivetotal==2.5.9
|
||||
pcodedmp==1.2.6
|
||||
pdftotext==2.2.2
|
||||
pillow==9.2.0
|
||||
pkgutil-resolve-name==1.3.10 ; python_version < '3.9'
|
||||
progressbar2==4.0.0 ; python_full_version >= '3.7.0'
|
||||
psutil
|
||||
publicsuffixlist==0.8.0 ; python_version >= '2.6'
|
||||
git+https://github.com/D4-project/BGP-Ranking.git/@68de39f6c5196f796055c1ac34504054d688aa59#egg=pybgpranking&subdirectory=client
|
||||
pycparser==2.21
|
||||
pycryptodome==3.15.0 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'
|
||||
pycryptodomex==3.15.0 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'
|
||||
pydeep2==0.5.1
|
||||
git+https://github.com/sebdraven/pydnstrails@48c1f740025c51289f43a24863d1845ff12fd21a#egg=pydnstrails
|
||||
pyeupi==1.1
|
||||
pyfaup==1.2
|
||||
opencv-python==4.2.0.32
|
||||
pandas-ods-reader==0.1.4
|
||||
pandas==1.3.4
|
||||
passivetotal==1.0.31
|
||||
pdftotext==2.1.4
|
||||
pillow==7.0.0
|
||||
progressbar2==3.50.1
|
||||
psutil==5.7.0
|
||||
pycparser==2.20
|
||||
pycryptodome==3.9.7
|
||||
pycryptodomex==3.9.7
|
||||
pydeep==0.4
|
||||
pyeupi==1.0
|
||||
pygeoip==0.3.2
|
||||
pycountry==22.3.5
|
||||
pygments==2.13.0 ; python_version >= '3.6'
|
||||
git+https://github.com/MISP/PyIntel471.git@917272fafa8e12102329faca52173e90c5256968#egg=pyintel471
|
||||
git+https://github.com/D4-project/IPASN-History.git/@a2853c39265cecdd0c0d16850bd34621c0551b87#egg=pyipasnhistory&subdirectory=client
|
||||
pymisp[email,fileobjects,openioc,pdfexport,url]==2.4.162
|
||||
git+https://github.com/sebdraven/pyonyphe@d1d6741f8ea4475f3bb77ff20c876f08839cabd1#egg=pyonyphe
|
||||
pyparsing==2.4.7 ; python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'
|
||||
pypdns==1.5.2
|
||||
pypssl==2.2
|
||||
pyrsistent==0.18.1 ; python_version >= '3.7'
|
||||
pytesseract==0.3.10
|
||||
python-baseconv==1.2.2
|
||||
python-dateutil==2.8.2 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
|
||||
python-docx==0.8.11
|
||||
python-engineio==4.3.4 ; python_version >= '3.6'
|
||||
python-magic==0.4.27
|
||||
python-pptx==0.6.21
|
||||
python-socketio[client]==5.7.1 ; python_version >= '3.6'
|
||||
python-utils==3.3.3 ; python_version >= '3.7'
|
||||
pytz==2019.3
|
||||
pytz-deprecation-shim==0.1.0.post0 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'
|
||||
pyyaml==6.0 ; python_version >= '3.6'
|
||||
pyzbar==0.1.9
|
||||
pyzipper==0.3.6 ; python_version >= '3.5'
|
||||
rdflib==6.2.0 ; python_version >= '3.7'
|
||||
redis==4.3.4 ; python_version >= '3.6'
|
||||
regex==2022.3.2 ; python_version >= '3.6'
|
||||
reportlab==3.6.11
|
||||
requests==2.28.1
|
||||
requests-cache==0.6.4 ; python_version >= '3.6'
|
||||
requests-file==1.5.1
|
||||
rfc3986[idna2008]==1.5.0
|
||||
rich==12.5.1 ; python_full_version >= '3.6.3' and python_full_version < '4.0.0'
|
||||
rtfde==0.0.2
|
||||
secretstorage==3.3.3 ; sys_platform == 'linux'
|
||||
setuptools==65.4.0 ; python_version >= '3.7'
|
||||
shodan==1.28.0
|
||||
sigmatools==0.19.1
|
||||
simplejson==3.17.6 ; python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'
|
||||
six==1.16.0 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
|
||||
sniffio==1.3.0 ; python_version >= '3.7'
|
||||
socialscan==1.4.2
|
||||
socketio-client==0.5.7.4
|
||||
soupsieve==2.3.2.post1 ; python_version >= '3.6'
|
||||
sparqlwrapper==2.0.0
|
||||
stix2==3.0.1
|
||||
stix2-patterns==2.0.0
|
||||
tabulate==0.8.10 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'
|
||||
tau-clients==0.2.9
|
||||
taxii2-client==2.3.0
|
||||
tldextract==3.3.1 ; python_version >= '3.7'
|
||||
tornado==6.2 ; python_version >= '3.7'
|
||||
tqdm==4.64.1 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
|
||||
git+https://github.com/SteveClement/trustar-python.git@6954eae38e0c77eaeef26084b6c5fd033925c1c7#egg=trustar
|
||||
typing-extensions==4.3.0 ; python_version < '3.8'
|
||||
tzdata==2022.4 ; python_version >= '3.6'
|
||||
tzlocal==4.2 ; python_version >= '3.6'
|
||||
unicodecsv==0.14.1
|
||||
url-normalize==1.4.3 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'
|
||||
pyopenssl==19.1.0
|
||||
pyparsing==2.4.6
|
||||
pypdns==1.5.1
|
||||
pypssl==2.1
|
||||
pyrsistent==0.16.0
|
||||
pytesseract==0.3.3
|
||||
python-dateutil==2.8.2
|
||||
python-docx==0.8.10
|
||||
python-magic==0.4.15
|
||||
python-pptx==0.6.18
|
||||
python-utils==2.4.0
|
||||
pytz==2021.3
|
||||
pyyaml==5.3.1
|
||||
pyzbar==0.1.8
|
||||
pyzipper==0.3.1 ; python_version >= '3.5'
|
||||
rdflib==4.2.2
|
||||
redis==3.4.1
|
||||
reportlab==3.5.42
|
||||
requests-cache==0.5.2
|
||||
requests[security]==2.23.0
|
||||
shodan==1.22.0
|
||||
sigmatools==0.16.0
|
||||
six==1.16.0
|
||||
socketio-client==0.5.6
|
||||
soupsieve==2.0
|
||||
sparqlwrapper==1.8.5
|
||||
stix2-patterns==1.3.0
|
||||
tabulate==0.8.7
|
||||
tornado==6.0.4
|
||||
trustar==0.3.28
|
||||
url-normalize==1.4.1
|
||||
urlarchiver==0.2
|
||||
urllib3==1.26.12 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5' and python_version < '4'
|
||||
urllib3==1.25.8
|
||||
validators==0.14.0
|
||||
vt-graph-api==2.2.0
|
||||
vt-py==0.17.1
|
||||
vulners==2.0.4
|
||||
wand==0.6.10
|
||||
websocket-client==1.4.1 ; python_version >= '3.7'
|
||||
websockets==10.3 ; python_version >= '3.7'
|
||||
wrapt==1.14.1 ; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'
|
||||
xlrd==2.0.1
|
||||
xlsxwriter==3.0.3 ; python_version >= '3.4'
|
||||
vt-graph-api==1.0.1
|
||||
vulners==1.5.5
|
||||
wand==0.5.9
|
||||
websocket-client==0.57.0
|
||||
wrapt==1.12.1
|
||||
xlrd==1.2.0
|
||||
xlsxwriter==1.2.8
|
||||
yara-python==3.8.1
|
||||
yarl==1.8.1 ; python_version >= '3.7'
|
||||
zipp==3.8.1 ; python_version >= '3.7'
|
||||
yarl==1.4.2
|
||||
zipp==3.1.0
|
||||
|
|
|
@ -19,7 +19,7 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c
|
|||
'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich',
|
||||
'trustar_enrich', 'recordedfuture', 'html_to_markdown', 'socialscan', 'passive-ssh',
|
||||
'qintel_qsentry', 'mwdb', 'hashlookup', 'mmdb_lookup', 'ipqs_fraud_and_risk_scoring',
|
||||
'clamav', 'jinja_template_rendering','hyasinsight', 'variotdbs', 'crowdsec', 'extract_url_components']
|
||||
'clamav', 'jinja_template_rendering','hyasinsight', 'variotdbs']
|
||||
|
||||
|
||||
minimum_required_fields = ('type', 'uuid', 'value')
|
||||
|
|
|
@ -1,158 +0,0 @@
|
|||
import json
|
||||
|
||||
from pymisp import MISPEvent, MISPObject
|
||||
import pycountry
|
||||
import requests
|
||||
|
||||
mispattributes = {"input": ["ip-dst", "ip-src"], "output": ["text"]}
|
||||
moduleinfo = {
|
||||
"version": "1.0",
|
||||
"author": "Shivam Sandbhor <shivam@crowdsec.net>",
|
||||
"description": "Module to access CrowdSec CTI API.",
|
||||
"module-type": ["hover"],
|
||||
}
|
||||
moduleconfig = ["api_key", "api_version"]
|
||||
|
||||
|
||||
def handler(q=False):
|
||||
if q is False:
|
||||
return False
|
||||
|
||||
request = json.loads(q)
|
||||
if not request.get("config"):
|
||||
return {"error": "Missing CrowdSec Config"}
|
||||
|
||||
if not request["config"].get("api_key"):
|
||||
return {"error": "Missing CrowdSec API key"}
|
||||
|
||||
if not request["config"].get("api_version"):
|
||||
return {"error": "Missing CrowdSec API version parameter"}
|
||||
|
||||
if request["config"]["api_version"] == "v2":
|
||||
return _handler_v2(request)
|
||||
return {"error": f'API version {request["config"]["api_version"]} not supported'}
|
||||
|
||||
|
||||
def _handler_v2(request_data):
|
||||
if request_data.get("ip-dst"):
|
||||
ip = request_data.get("ip-dst")
|
||||
elif request_data.get("ip-src"):
|
||||
ip = request_data.get("ip-src")
|
||||
|
||||
crowdsec_cti = requests.get(
|
||||
f"https://cti.api.crowdsec.net/v2/smoke/{ip}",
|
||||
headers={
|
||||
"x-api-key": request_data["config"]["api_key"],
|
||||
"User-Agent": "crowdsec-misp/v1.0.0",
|
||||
},
|
||||
)
|
||||
crowdsec_cti.raise_for_status()
|
||||
crowdsec_cti = crowdsec_cti.json()
|
||||
|
||||
misp_event = MISPEvent()
|
||||
crowdsec_context_object = MISPObject("crowdsec-ip-context")
|
||||
crowdsec_context_object.add_attribute("IP Address", **{"type": "text", "value": ip})
|
||||
crowdsec_context_object.add_attribute(
|
||||
"IP Range", **{"type": "text", "value": crowdsec_cti["ip_range"]}
|
||||
)
|
||||
crowdsec_context_object.add_attribute(
|
||||
"IP Range Score", **{"type": "text", "value": crowdsec_cti["ip_range_score"]}
|
||||
)
|
||||
crowdsec_context_object.add_attribute(
|
||||
"Country",
|
||||
**{
|
||||
"type": "text",
|
||||
"value": get_country_name_from_alpha_2(crowdsec_cti["location"]["country"]),
|
||||
},
|
||||
)
|
||||
if crowdsec_cti["location"]["city"]:
|
||||
crowdsec_context_object.add_attribute(
|
||||
"City", **{"type": "text", "value": crowdsec_cti["location"]["city"]}
|
||||
)
|
||||
|
||||
crowdsec_context_object.add_attribute(
|
||||
"Latitude", **{"type": "float", "value": crowdsec_cti["location"]["latitude"]}
|
||||
)
|
||||
crowdsec_context_object.add_attribute(
|
||||
"Longitude", **{"type": "float", "value": crowdsec_cti["location"]["longitude"]}
|
||||
)
|
||||
|
||||
crowdsec_context_object.add_attribute(
|
||||
"AS Name", **{"type": "text", "value": crowdsec_cti["as_name"]}
|
||||
)
|
||||
|
||||
crowdsec_context_object.add_attribute(
|
||||
"AS Number", **{"type": "AS", "value": crowdsec_cti["as_num"]}
|
||||
)
|
||||
|
||||
crowdsec_context_object.add_attribute(
|
||||
"Reverse DNS", **{"type": "domain", "value": crowdsec_cti["reverse_dns"]}
|
||||
)
|
||||
|
||||
crowdsec_context_object.add_attribute(
|
||||
"Attack Categories",
|
||||
**{
|
||||
"type": "text",
|
||||
"value": ",".join(
|
||||
[attack_category["label"] for attack_category in crowdsec_cti["behaviors"]]
|
||||
),
|
||||
},
|
||||
)
|
||||
|
||||
crowdsec_context_object.add_attribute(
|
||||
"Triggered Scenarios",
|
||||
**{
|
||||
"type": "text",
|
||||
"value": ",".join([scenario["name"] for scenario in crowdsec_cti["attack_details"]]),
|
||||
},
|
||||
)
|
||||
|
||||
crowdsec_context_object.add_attribute(
|
||||
"Top 10 Target Countries",
|
||||
**{
|
||||
"type": "float",
|
||||
"value": ",".join(
|
||||
map(get_country_name_from_alpha_2, crowdsec_cti["target_countries"].keys())
|
||||
),
|
||||
},
|
||||
)
|
||||
|
||||
crowdsec_context_object.add_attribute(
|
||||
"Trust", **{"type": "float", "value": crowdsec_cti["scores"]["overall"]["trust"]}
|
||||
)
|
||||
|
||||
crowdsec_context_object.add_attribute(
|
||||
"First Seen", **{"type": "datetime", "value": crowdsec_cti["history"]["first_seen"]}
|
||||
)
|
||||
|
||||
crowdsec_context_object.add_attribute(
|
||||
"Last Seen", **{"type": "datetime", "value": crowdsec_cti["history"]["last_seen"]}
|
||||
)
|
||||
|
||||
for time_period, indicators in crowdsec_cti["scores"].items():
|
||||
tp = " ".join(map(str.capitalize, time_period.split("_")))
|
||||
|
||||
for indicator_type, indicator_value in indicators.items():
|
||||
crowdsec_context_object.add_attribute(
|
||||
f"{tp} {indicator_type.capitalize()}", **{"type": "float", "value": indicator_value}
|
||||
)
|
||||
|
||||
misp_event.add_object(crowdsec_context_object)
|
||||
|
||||
event = json.loads(misp_event.to_json())
|
||||
results = {key: event[key] for key in ("Attribute", "Object") if (key in event and event[key])}
|
||||
return {"results": results}
|
||||
|
||||
|
||||
def get_country_name_from_alpha_2(alpha_2):
|
||||
country_info = pycountry.countries.get(alpha_2=alpha_2)
|
||||
return country_info.name
|
||||
|
||||
|
||||
def introspection():
|
||||
return mispattributes
|
||||
|
||||
|
||||
def version():
|
||||
moduleinfo["config"] = moduleconfig
|
||||
return moduleinfo
|
|
@ -1,70 +0,0 @@
|
|||
import json
|
||||
from pymisp import MISPEvent, MISPObject
|
||||
from . import check_input_attribute, standard_error_message
|
||||
from pyfaup.faup import Faup
|
||||
|
||||
misperrors = {'error': 'Error'}
|
||||
mispattributes = {'input': ['url'], 'format': 'misp_standard'}
|
||||
moduleinfo = {'version': '1', 'author': 'MISP Team',
|
||||
'description': "Extract URL components",
|
||||
'module-type': ['expansion', 'hover']}
|
||||
moduleconfig = []
|
||||
|
||||
|
||||
def createObjectFromURL(url):
|
||||
f = Faup()
|
||||
f.decode(url)
|
||||
parsed = f.get()
|
||||
obj = MISPObject('url')
|
||||
obj.add_attribute('url', type='url', value=url)
|
||||
if parsed['tld'] is not None:
|
||||
obj.add_attribute('tld', type='text', value=parsed['tld'])
|
||||
if parsed['subdomain'] is not None:
|
||||
obj.add_attribute('subdomain', type='text', value=parsed['subdomain'])
|
||||
obj.add_attribute('scheme', type='text', value=parsed['scheme'])
|
||||
obj.add_attribute('resource_path', type='text', value=parsed['resource_path'])
|
||||
obj.add_attribute('query_string', type='text', value=parsed['query_string'])
|
||||
obj.add_attribute('port', type='port', value=parsed['port'])
|
||||
obj.add_attribute('host', type='hostname', value=parsed['host'])
|
||||
if parsed['fragment'] is not None:
|
||||
obj.add_attribute('fragment', type='text', value=parsed['fragment'])
|
||||
obj.add_attribute('domain_without_tld', type='text', value=parsed['domain_without_tld'])
|
||||
obj.add_attribute('domain', type='domain', value=parsed['domain'])
|
||||
return obj
|
||||
|
||||
|
||||
def createEvent(urlObject, attributeUUID, urlAttribute):
|
||||
mispEvent = MISPEvent()
|
||||
mispEvent.add_attribute(**urlAttribute)
|
||||
urlObject.add_reference(attributeUUID, 'generated-from')
|
||||
mispEvent.add_object(urlObject)
|
||||
return mispEvent
|
||||
|
||||
def handler(q=False):
|
||||
if q is False:
|
||||
return False
|
||||
request = json.loads(q)
|
||||
if not request.get('attribute') or not check_input_attribute(request['attribute']):
|
||||
return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
|
||||
attribute = request['attribute']
|
||||
|
||||
if attribute['type'] not in mispattributes['input']:
|
||||
return {'error': 'Bad attribute type'}
|
||||
|
||||
url = attribute['value']
|
||||
urlObject = createObjectFromURL(url)
|
||||
|
||||
event = createEvent(urlObject, attribute['uuid'], attribute)
|
||||
event = json.loads(event.to_json())
|
||||
|
||||
result = {'results': {'Object': event['Object']}}
|
||||
return result
|
||||
|
||||
|
||||
def introspection():
|
||||
return mispattributes
|
||||
|
||||
|
||||
def version():
|
||||
moduleinfo['config'] = moduleconfig
|
||||
return moduleinfo
|
|
@ -2,10 +2,10 @@ import json
|
|||
from dns import reversename, resolver, exception
|
||||
|
||||
misperrors = {'error': 'Error'}
|
||||
mispattributes = {'input': ['ip-src', 'ip-dst', 'domain|ip'], 'output': ['hostname']}
|
||||
mispattributes = {'input': ['ip-src', 'ip-dst', 'domain|ip', 'ip-src|port', 'ip-dst|port'], 'output': ['hostname']}
|
||||
|
||||
# possible module-types: 'expansion', 'hover' or both
|
||||
moduleinfo = {'version': '0.1', 'author': 'Andreas Muehlemann',
|
||||
moduleinfo = {'version': '0.3', 'author': 'Andreas Muehlemann',
|
||||
'description': 'Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes',
|
||||
'module-type': ['expansion', 'hover']}
|
||||
|
||||
|
@ -23,6 +23,10 @@ def handler(q=False):
|
|||
toquery = request['ip-src']
|
||||
elif request.get('domain|ip'):
|
||||
toquery = request['domain|ip'].split('|')[1]
|
||||
elif request.get('ip-src|port'):
|
||||
toquery = request['ip-src|port'].split('|')[0]
|
||||
elif request.get('ip-dst|port'):
|
||||
toquery = request['ip-dst|port'].split('|')[0]
|
||||
else:
|
||||
return False
|
||||
|
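Review bot: The two new branches at `elif request.get('ip-src|port')` and `elif request.get('ip-dst|port')` take `split('|')[0]`, so a value that arrives without a `|` separator is passed straight through to the lookup, whereas the existing `domain|ip` branch just above them uses `[1]` and would raise IndexError in the same situation, giving the three composite types two different failure modes. The chain would be easier to keep consistent with one mapping from composite type to the field that holds the address, e.g. `composite = {'domain|ip': 1, 'ip-src|port': 0, 'ip-dst|port': 0}` and a single branch doing `toquery = request[key].split('|')[composite[key]]`. Whatever the split yields is a caller-supplied string, and nothing in this hunk checks that it is an IP address before it reaches the reverse lookup; if the remainder of handler does not validate it, a guard such as `ipaddress.ip_address(toquery)` (raising or returning an error on ValueError) would reject malformed input early. handler starts and ends outside the hunk, so I cannot see whether such validation already exists further down.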
||||
|
|
|
@ -15,6 +15,5 @@ __all__ = [
|
|||
'csvimport',
|
||||
'cof2misp',
|
||||
'joe_import',
|
||||
'taxii21',
|
||||
'url_import'
|
||||
'taxii21'
|
||||
]
|
||||
|
|
|
@ -1,84 +0,0 @@
|
|||
import json
|
||||
import base64
|
||||
from pymisp import MISPEvent, MISPObject, MISPAttribute
|
||||
|
||||
misperrors = {'error': 'Error'}
|
||||
userConfig = {
|
||||
'number1': {
|
||||
'type': 'Integer',
|
||||
'regex': '/^[0-4]$/i',
|
||||
'errorMessage': 'Expected a number in range [0-4]',
|
||||
'message': 'Column number used for value'
|
||||
},
|
||||
'some_string': {
|
||||
'type': 'String',
|
||||
'message': 'A text field'
|
||||
},
|
||||
'boolean_field': {
|
||||
'type': 'Boolean',
|
||||
'message': 'Boolean field test'
|
||||
},
|
||||
'comment': {
|
||||
'type': 'Integer',
|
||||
'message': 'Column number used for comment'
|
||||
}
|
||||
}
|
||||
|
||||
mispattributes = {
|
||||
'inputSource': ['file', 'paste'],
|
||||
'output': ['MISP Format'],
|
||||
'format': 'misp_standard'
|
||||
}
|
||||
|
||||
|
||||
moduleinfo = {'version': '0.1', 'author': 'Sami Mokaddem',
|
||||
'description': 'Generic blueprint to be copy-pasted to quickly boostrap creation of import module.',
|
||||
'module-type': ['import']}
|
||||
|
||||
moduleconfig = []
|
||||
|
||||
|
||||
|
||||
def generateData(event, data, config):
|
||||
# attr = MISPAttribute()
|
||||
# attr.from_dict(**{
|
||||
# 'type': 'ip-src',
|
||||
# 'value': '8.8.8.8',
|
||||
# 'distribution': 2
|
||||
# })
|
||||
# event.add_attribute(attr)
|
||||
pass
|
||||
|
||||
|
||||
def handler(q=False):
|
||||
if q is False:
|
||||
return False
|
||||
request = json.loads(q)
|
||||
data = getUploadedData(request)
|
||||
config = getPassedConfig(request)
|
||||
event = MISPEvent()
|
||||
generateData(event, data, config)
|
||||
return {"results": json.loads(event.to_json())}
|
||||
|
||||
|
||||
def getUploadedData(request):
|
||||
return base64.b64decode(request['data']).decode('utf8')
|
||||
|
||||
|
||||
def getPassedConfig(request):
|
||||
return request['config']
|
||||
|
||||
|
||||
def introspection():
|
||||
modulesetup = mispattributes
|
||||
try:
|
||||
userConfig
|
||||
modulesetup['userConfig'] = userConfig
|
||||
except NameError:
|
||||
pass
|
||||
return modulesetup
|
||||
|
||||
|
||||
def version():
|
||||
moduleinfo['config'] = moduleconfig
|
||||
return moduleinfo
|
|
@ -1,86 +0,0 @@
|
|||
import json
|
||||
import base64
|
||||
from pymisp import MISPEvent, MISPObject, MISPAttribute
|
||||
from pyfaup.faup import Faup
|
||||
|
||||
misperrors = {'error': 'Error'}
|
||||
userConfig = {
|
||||
'include_scheme': {
|
||||
'type': 'Boolean',
|
||||
'message': 'Include scheme'
|
||||
},
|
||||
}
|
||||
|
||||
mispattributes = {
|
||||
'inputSource': ['file', 'paste'],
|
||||
'output': ['MISP Format'],
|
||||
'format': 'misp_standard'
|
||||
}
|
||||
|
||||
|
||||
moduleinfo = {'version': '0.1', 'author': 'Sami Mokaddem',
|
||||
'description': 'Generic blueprint to be copy-pasted to quickly boostrap creation of import module.',
|
||||
'module-type': ['import']}
|
||||
|
||||
moduleconfig = []
|
||||
|
||||
fp = Faup()
|
||||
|
||||
def generateData(event, data, config):
|
||||
for url in data.splitlines():
|
||||
fp.decode(url)
|
||||
parsed = fp.get()
|
||||
obj = MISPObject('url')
|
||||
obj.add_attribute('url', type='url', value=url)
|
||||
if parsed['tld'] is not None:
|
||||
obj.add_attribute('tld', type='text', value=parsed['tld'])
|
||||
if parsed['subdomain'] is not None:
|
||||
obj.add_attribute('subdomain', type='text', value=parsed['subdomain'])
|
||||
if config['include_scheme'] is True:
|
||||
obj.add_attribute('scheme', type='text', value=parsed['scheme'])
|
||||
obj.add_attribute('resource_path', type='text', value=parsed['resource_path'])
|
||||
obj.add_attribute('query_string', type='text', value=parsed['query_string'])
|
||||
obj.add_attribute('port', type='port', value=parsed['port'])
|
||||
obj.add_attribute('host', type='hostname', value=parsed['host'])
|
||||
if parsed['fragment'] is not None:
|
||||
obj.add_attribute('fragment', type='text', value=parsed['fragment'])
|
||||
obj.add_attribute('domain_without_tld', type='text', value=parsed['domain_without_tld'])
|
||||
obj.add_attribute('domain', type='domain', value=parsed['domain'])
|
||||
event.objects.append(obj)
|
||||
|
||||
|
||||
def handler(q=False):
|
||||
if q is False:
|
||||
return False
|
||||
request = json.loads(q)
|
||||
data = getUploadedData(request)
|
||||
config = getPassedConfig(request)
|
||||
event = MISPEvent()
|
||||
generateData(event, data, config)
|
||||
return {"results": json.loads(event.to_json())}
|
||||
|
||||
|
||||
def getUploadedData(request):
|
||||
return base64.b64decode(request['data']).decode('utf8')
|
||||
|
||||
|
||||
def getPassedConfig(request):
|
||||
for k, v in userConfig.items():
|
||||
if v['type'] == 'Boolean':
|
||||
request['config'][k] = True if request['config'][k] == '1' else False
|
||||
return request['config']
|
||||
|
||||
|
||||
def introspection():
|
||||
modulesetup = mispattributes
|
||||
try:
|
||||
userConfig
|
||||
modulesetup['userConfig'] = userConfig
|
||||
except NameError:
|
||||
pass
|
||||
return modulesetup
|
||||
|
||||
|
||||
def version():
|
||||
moduleinfo['config'] = moduleconfig
|
||||
return moduleinfo
|