mirror of https://github.com/MISP/misp-modules
71 lines
2.5 KiB
Python
71 lines
2.5 KiB
Python
import json
|
|
from pymisp import MISPEvent, MISPObject
|
|
from . import check_input_attribute, standard_error_message
|
|
from pyfaup.faup import Faup
|
|
|
|
misperrors = {'error': 'Error'}
|
|
mispattributes = {'input': ['url'], 'format': 'misp_standard'}
|
|
moduleinfo = {'version': '1', 'author': 'MISP Team',
|
|
'description': "Extract URL components",
|
|
'module-type': ['expansion', 'hover']}
|
|
moduleconfig = []
|
|
|
|
|
|
def createObjectFromURL(url):
|
|
f = Faup()
|
|
f.decode(url)
|
|
parsed = f.get()
|
|
obj = MISPObject('url')
|
|
obj.add_attribute('url', type='url', value=url)
|
|
if parsed['tld'] is not None:
|
|
obj.add_attribute('tld', type='text', value=parsed['tld'])
|
|
if parsed['subdomain'] is not None:
|
|
obj.add_attribute('subdomain', type='text', value=parsed['subdomain'])
|
|
obj.add_attribute('scheme', type='text', value=parsed['scheme'])
|
|
obj.add_attribute('resource_path', type='text', value=parsed['resource_path'])
|
|
obj.add_attribute('query_string', type='text', value=parsed['query_string'])
|
|
obj.add_attribute('port', type='port', value=parsed['port'])
|
|
obj.add_attribute('host', type='hostname', value=parsed['host'])
|
|
if parsed['fragment'] is not None:
|
|
obj.add_attribute('fragment', type='text', value=parsed['fragment'])
|
|
obj.add_attribute('domain_without_tld', type='text', value=parsed['domain_without_tld'])
|
|
obj.add_attribute('domain', type='domain', value=parsed['domain'])
|
|
return obj
|
|
|
|
|
|
def createEvent(urlObject, attributeUUID, urlAttribute):
|
|
mispEvent = MISPEvent()
|
|
mispEvent.add_attribute(**urlAttribute)
|
|
urlObject.add_reference(attributeUUID, 'generated-from')
|
|
mispEvent.add_object(urlObject)
|
|
return mispEvent
|
|
|
|
def handler(q=False):
|
|
if q is False:
|
|
return False
|
|
request = json.loads(q)
|
|
if not request.get('attribute') or not check_input_attribute(request['attribute']):
|
|
return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
|
|
attribute = request['attribute']
|
|
|
|
if attribute['type'] not in mispattributes['input']:
|
|
return {'error': 'Bad attribute type'}
|
|
|
|
url = attribute['value']
|
|
urlObject = createObjectFromURL(url)
|
|
|
|
event = createEvent(urlObject, attribute['uuid'], attribute)
|
|
event = json.loads(event.to_json())
|
|
|
|
result = {'results': {'Object': event['Object']}}
|
|
return result
|
|
|
|
|
|
def introspection():
|
|
return mispattributes
|
|
|
|
|
|
def version():
|
|
moduleinfo['config'] = moduleconfig
|
|
return moduleinfo
|