mirror of https://github.com/MISP/misp-modules
388 lines
12 KiB
Python
388 lines
12 KiB
Python
# -*- coding: utf-8 -*-
|
|
|
|
import json
|
|
try:
|
|
from onyphe import Onyphe
|
|
except ImportError:
|
|
print("pyonyphe module not installed.")
|
|
|
|
misperrors = {'error': 'Error'}
|
|
|
|
mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain'],
|
|
'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'url']}
|
|
|
|
# possible module-types: 'expansion', 'hover' or both
|
|
moduleinfo = {
|
|
'version': '1',
|
|
'author': 'Sebastien Larinier @sebdraven',
|
|
'description': 'Module to process a full query on Onyphe.',
|
|
'module-type': ['expansion', 'hover'],
|
|
'name': 'Onyphe Full Lookup',
|
|
'logo': 'onyphe.jpg',
|
|
'requirements': ['onyphe python library', 'An access to the Onyphe API (apikey)'],
|
|
'features': 'This module takes a domain, hostname, or IP address attribute as input in order to query the Onyphe API. Data fetched from the query is then parsed and MISP attributes are extracted.\n\nThe parsing is here more advanced than the one on onyphe module, and is returning more attributes, since more fields of the query result are watched and parsed.',
|
|
'references': ['https://www.onyphe.io/', 'https://github.com/sebdraven/pyonyphe'],
|
|
'input': 'A domain, hostname or IP address MISP attribute.',
|
|
'output': 'MISP attributes fetched from the Onyphe query.',
|
|
}
|
|
|
|
# config fields that your code expects from the site admin
|
|
moduleconfig = ['apikey']
|
|
|
|
|
|
def handler(q=False):
|
|
if q:
|
|
|
|
request = json.loads(q)
|
|
|
|
if not request.get('config') or not request['config'].get('apikey'):
|
|
misperrors['error'] = 'Onyphe authentication is missing'
|
|
return misperrors
|
|
|
|
api = Onyphe(request['config'].get('apikey'))
|
|
|
|
if not api:
|
|
misperrors['error'] = 'Onyphe Error instance api'
|
|
|
|
ip = ''
|
|
if request.get('ip-src'):
|
|
ip = request['ip-src']
|
|
return handle_ip(api, ip, misperrors)
|
|
elif request.get('ip-dst'):
|
|
ip = request['ip-dst']
|
|
return handle_ip(api, ip, misperrors)
|
|
elif request.get('domain'):
|
|
domain = request['domain']
|
|
return handle_domain(api, domain, misperrors)
|
|
elif request.get('hostname'):
|
|
hostname = request['hostname']
|
|
return handle_domain(api, hostname, misperrors)
|
|
else:
|
|
misperrors['error'] = "Unsupported attributes type"
|
|
return misperrors
|
|
else:
|
|
return False
|
|
|
|
|
|
def handle_domain(api, domain, misperrors):
|
|
result_filtered = {"results": []}
|
|
|
|
r, status_ok = expand_pastries(api, misperrors, domain=domain)
|
|
|
|
if status_ok:
|
|
result_filtered['results'].extend(r)
|
|
else:
|
|
misperrors['error'] = 'Error pastries result'
|
|
return misperrors
|
|
|
|
r, status_ok = expand_datascan(api, misperrors, domain=domain)
|
|
|
|
if status_ok:
|
|
result_filtered['results'].extend(r)
|
|
else:
|
|
misperrors['error'] = 'Error datascan result '
|
|
return misperrors
|
|
|
|
r, status_ok = expand_threatlist(api, misperrors, domain=domain)
|
|
|
|
if status_ok:
|
|
result_filtered['results'].extend(r)
|
|
else:
|
|
misperrors['error'] = 'Error threat list'
|
|
return misperrors
|
|
|
|
return result_filtered
|
|
|
|
|
|
def handle_ip(api, ip, misperrors):
|
|
result_filtered = {"results": []}
|
|
|
|
r, status_ok = expand_syscan(api, ip, misperrors)
|
|
|
|
if status_ok:
|
|
result_filtered['results'].extend(r)
|
|
else:
|
|
misperrors['error'] = "Error syscan result"
|
|
|
|
r, status_ok = expand_pastries(api, misperrors, ip=ip)
|
|
|
|
if status_ok:
|
|
result_filtered['results'].extend(r)
|
|
else:
|
|
misperrors['error'] = 'Error pastries result'
|
|
return misperrors
|
|
|
|
r, status_ok = expand_datascan(api, misperrors, ip=ip)
|
|
|
|
if status_ok:
|
|
result_filtered['results'].extend(r)
|
|
else:
|
|
misperrors['error'] = 'Error datascan result '
|
|
return misperrors
|
|
|
|
r, status_ok = expand_forward(api, ip, misperrors)
|
|
|
|
if status_ok:
|
|
result_filtered['results'].extend(r)
|
|
else:
|
|
misperrors['error'] = 'Error forward result'
|
|
return misperrors
|
|
|
|
r, status_ok = expand_reverse(api, ip, misperrors)
|
|
|
|
if status_ok:
|
|
result_filtered['results'].extend(r)
|
|
else:
|
|
misperrors['error'] = 'Error reverse result'
|
|
return misperrors
|
|
|
|
r, status_ok = expand_threatlist(api, misperrors, ip=ip)
|
|
|
|
if status_ok:
|
|
result_filtered['results'].extend(r)
|
|
else:
|
|
misperrors['error'] = 'Error threat list'
|
|
return misperrors
|
|
|
|
return result_filtered
|
|
|
|
|
|
def expand_syscan(api, ip, misperror):
|
|
status_ok = False
|
|
r = []
|
|
asn_list = []
|
|
os_list = []
|
|
geoloc = []
|
|
orgs = []
|
|
results = api.synscan(ip)
|
|
|
|
if results['status'] == 'ok':
|
|
status_ok = True
|
|
for elem in results['results']:
|
|
asn_list.append(elem['asn'])
|
|
os_target = elem['os']
|
|
geoloc.append(elem['location'])
|
|
orgs.append(elem['organization'])
|
|
if os_target != 'Unknown' and os_target != 'Undefined':
|
|
os_list.append(elem['os'])
|
|
|
|
r.append({'types': ['target-machine'],
|
|
'values': list(set(os_list)),
|
|
'categories': ['Targeting data'],
|
|
'comment': 'OS found on %s with synscan of Onyphe' % ip})
|
|
|
|
r.append({'types': ['target-location'],
|
|
'values': list(set(geoloc)),
|
|
'categories': ['Targeting data'],
|
|
'comment': 'Geolocalisation of %s found with synscan of Onyphe'
|
|
% ip
|
|
})
|
|
|
|
r.append({'types': ['target-org'],
|
|
'values': list(set(orgs)),
|
|
'categories': ['Targeting data'],
|
|
'comment': 'Organisations of %s found with synscan of Onyphe'
|
|
% ip
|
|
})
|
|
|
|
r.append({'types': ['AS'],
|
|
'values': list(set(asn_list)),
|
|
'categories': ['Network activity'],
|
|
'comment': 'As number of %s found with synscan of Onyphe' % ip
|
|
})
|
|
|
|
return r, status_ok
|
|
|
|
|
|
def expand_datascan(api, misperror, **kwargs):
|
|
status_ok = False
|
|
r = []
|
|
# ip = ''
|
|
query = ''
|
|
asn_list = []
|
|
geoloc = []
|
|
orgs = []
|
|
ports = []
|
|
|
|
if 'ip' in kwargs:
|
|
query = kwargs.get('ip')
|
|
results = api.datascan(query)
|
|
else:
|
|
query = kwargs.get('domain')
|
|
results = api.search_datascan('domain:%s' % query)
|
|
|
|
if results['status'] == 'ok':
|
|
status_ok = True
|
|
for elem in results['results']:
|
|
asn_list.append(elem['asn'])
|
|
geoloc.append(elem['location'])
|
|
orgs.append(elem['organization'])
|
|
ports.append(elem['port'])
|
|
|
|
r.append({'types': ['port'],
|
|
'values': list(set(ports)),
|
|
'categories': ['Other'],
|
|
'comment': 'Ports of %s found with datascan of Onyphe'
|
|
% query
|
|
})
|
|
|
|
r.append({'types': ['target-location'],
|
|
'values': list(set(geoloc)),
|
|
'categories': ['Targeting data'],
|
|
'comment': 'Geolocalisation of %s found with synscan of Onyphe'
|
|
% query
|
|
})
|
|
|
|
r.append({'types': ['target-org'],
|
|
'values': list(set(orgs)),
|
|
'categories': ['Targeting data'],
|
|
'comment': 'Organisations of %s found with synscan of Onyphe'
|
|
% query
|
|
})
|
|
|
|
r.append({'types': ['AS'],
|
|
'values': list(set(asn_list)),
|
|
'categories': ['Network activity'],
|
|
'comment': 'As number of %s found with synscan of Onyphe' % query
|
|
})
|
|
return r, status_ok
|
|
|
|
|
|
def expand_reverse(api, ip, misperror):
|
|
status_ok = False
|
|
r = None
|
|
status_ok = False
|
|
r = []
|
|
results = api.reverse(ip)
|
|
|
|
domains_reverse = []
|
|
|
|
domains = []
|
|
if results['status'] == 'ok':
|
|
status_ok = True
|
|
|
|
for elem in results['results']:
|
|
domains_reverse.append(elem['reverse'])
|
|
domains.append(elem['domain'])
|
|
|
|
r.append({'types': ['domain'],
|
|
'values': list(set(domains)),
|
|
'categories': ['Network activity'],
|
|
'comment': 'Domains of %s from forward service of Onyphe' % ip})
|
|
|
|
r.append({'types': ['domain'],
|
|
'values': list(set(domains_reverse)),
|
|
'categories': ['Network activity'],
|
|
'comment': 'Reverse Domains of %s from forward service of Onyphe' % ip})
|
|
return r, status_ok
|
|
|
|
|
|
def expand_forward(api, ip, misperror):
|
|
status_ok = False
|
|
r = []
|
|
results = api.forward(ip)
|
|
|
|
domains_forward = []
|
|
|
|
domains = []
|
|
if results['status'] == 'ok':
|
|
status_ok = True
|
|
|
|
for elem in results['results']:
|
|
domains_forward.append(elem['forward'])
|
|
domains.append(elem['domain'])
|
|
|
|
r.append({'types': ['domain'],
|
|
'values': list(set(domains)),
|
|
'categories': ['Network activity'],
|
|
'comment': 'Domains of %s from forward service of Onyphe' % ip})
|
|
|
|
r.append({'types': ['domain'],
|
|
'values': list(set(domains_forward)),
|
|
'categories': ['Network activity'],
|
|
'comment': 'Forward Domains of %s from forward service of Onyphe' % ip})
|
|
return r, status_ok
|
|
|
|
|
|
def expand_pastries(api, misperror, **kwargs):
|
|
status_ok = False
|
|
r = []
|
|
|
|
query = None
|
|
result = None
|
|
urls_pasties = []
|
|
domains = []
|
|
ips = []
|
|
if 'ip' in kwargs:
|
|
query = kwargs.get('ip')
|
|
result = api.pastries(query)
|
|
if 'domain' in kwargs:
|
|
query = kwargs.get('domain')
|
|
result = api.search_pastries('domain:%s' % query)
|
|
|
|
if result['status'] == 'ok':
|
|
status_ok = True
|
|
for item in result['results']:
|
|
if item['@category'] == 'pastries':
|
|
if item['source'] == 'pastebin':
|
|
urls_pasties.append('https://pastebin.com/raw/%s' % item['key'])
|
|
|
|
if 'domain' in item:
|
|
domains.extend(item['domain'])
|
|
if 'ip' in item:
|
|
ips.extend(item['ip'])
|
|
if 'hostname' in item:
|
|
domains.extend(item['hostname'])
|
|
|
|
r.append({'types': ['url'],
|
|
'values': urls_pasties,
|
|
'categories': ['External analysis'],
|
|
'comment': 'URLs of pasties where %s has found' % query})
|
|
r.append({'types': ['domain'], 'values': list(set(domains)),
|
|
'categories': ['Network activity'],
|
|
'comment': 'Domains found in pasties of Onyphe'})
|
|
|
|
r.append({'types': ['ip-dst'], 'values': list(set(ips)),
|
|
'categories': ['Network activity'],
|
|
'comment': 'IPs found in pasties of Onyphe'})
|
|
|
|
return r, status_ok
|
|
|
|
|
|
def expand_threatlist(api, misperror, **kwargs):
|
|
status_ok = False
|
|
r = []
|
|
|
|
query = None
|
|
|
|
threat_list = []
|
|
|
|
if 'ip' in kwargs:
|
|
query = kwargs.get('ip')
|
|
results = api.threatlist(query)
|
|
else:
|
|
query = kwargs.get('domain')
|
|
results = api.search_threatlist('domain:%s' % query)
|
|
|
|
if results['status'] == 'ok':
|
|
status_ok = True
|
|
threat_list = ['seen %s on %s ' % (item['seen_date'], item['threatlist'])
|
|
for item in results['results']]
|
|
|
|
r.append({'types': ['comment'],
|
|
'categories': ['Other'],
|
|
'values': threat_list,
|
|
'comment': '%s is present in threatlist' % query
|
|
})
|
|
|
|
return r, status_ok
|
|
|
|
|
|
def introspection():
|
|
return mispattributes
|
|
|
|
|
|
def version():
|
|
moduleinfo['config'] = moduleconfig
|
|
return moduleinfo
|