mirror of https://github.com/MISP/misp-modules
				
				
				
			
		
			
				
	
	
		
			109 lines
		
	
	
		
			3.6 KiB
		
	
	
	
		
			Python
		
	
	
			
		
		
	
	
			109 lines
		
	
	
		
			3.6 KiB
		
	
	
	
		
			Python
		
	
	
| # -*- coding: utf-8 -*-
 | |
| 
 | |
| import json
 | |
| try:
 | |
|     from onyphe import Onyphe
 | |
| except ImportError:
 | |
|     print("pyonyphe module not installed.")
 | |
| 
 | |
| misperrors = {'error': 'Error'}
 | |
| 
 | |
| mispattributes = {'input': ['ip-src', 'ip-dst', 'hostname', 'domain'],
 | |
|                   'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'url']}
 | |
| # possible module-types: 'expansion', 'hover' or both
 | |
| moduleinfo = {'version': '1', 'author': 'Sebastien Larinier @sebdraven',
 | |
|               'description': 'Query on Onyphe',
 | |
|               'module-type': ['expansion', 'hover']}
 | |
| 
 | |
| # config fields that your code expects from the site admin
 | |
| moduleconfig = ['apikey']
 | |
| 
 | |
| 
 | |
| def handler(q=False):
 | |
|     if q:
 | |
| 
 | |
|         request = json.loads(q)
 | |
| 
 | |
|         if not request.get('config') and not (request['config'].get('apikey')):
 | |
|             misperrors['error'] = 'Onyphe authentication is missing'
 | |
|             return misperrors
 | |
| 
 | |
|         api = Onyphe(request['config'].get('apikey'))
 | |
| 
 | |
|         if not api:
 | |
|             misperrors['error'] = 'Onyphe Error instance api'
 | |
| 
 | |
|         ip = ''
 | |
|         if request.get('ip-src'):
 | |
|             ip = request['ip-src']
 | |
|         elif request.get('ip-dst'):
 | |
|             ip = request['ip-dst']
 | |
|         else:
 | |
|             misperrors['error'] = "Unsupported attributes type"
 | |
|             return misperrors
 | |
| 
 | |
|         return handle_expansion(api, ip, misperrors)
 | |
|     else:
 | |
|         return False
 | |
| 
 | |
| 
 | |
| def handle_expansion(api, ip, misperrors):
 | |
|     result = api.ip(ip)
 | |
| 
 | |
|     if result['status'] == 'nok':
 | |
|         misperrors['error'] = result['message']
 | |
|         return misperrors
 | |
| 
 | |
|     # categories = list(set([item['@category'] for item in result['results']]))
 | |
| 
 | |
|     result_filtered = {"results": []}
 | |
|     urls_pasties = []
 | |
|     asn_list = []
 | |
|     os_list = []
 | |
|     domains_resolver = []
 | |
|     domains_forward = []
 | |
| 
 | |
|     for r in result['results']:
 | |
|         if r['@category'] == 'pastries':
 | |
|             if r['source'] == 'pastebin':
 | |
|                 urls_pasties.append('https://pastebin.com/raw/%s' % r['key'])
 | |
|         elif r['@category'] == 'synscan':
 | |
|             asn_list.append(r['asn'])
 | |
|             os_target = r['os']
 | |
|             if os_target != 'Unknown':
 | |
|                 os_list.append(r['os'])
 | |
|         elif r['@category'] == 'resolver' and r['type'] == 'reverse':
 | |
|             domains_resolver.append(r['reverse'])
 | |
|         elif r['@category'] == 'resolver' and r['type'] == 'forward':
 | |
|             domains_forward.append(r['forward'])
 | |
| 
 | |
|     result_filtered['results'].append({'types': ['url'], 'values': urls_pasties,
 | |
|                                        'categories': ['External analysis']})
 | |
| 
 | |
|     result_filtered['results'].append({'types': ['AS'], 'values': list(set(asn_list)),
 | |
|                                        'categories': ['Network activity']})
 | |
| 
 | |
|     result_filtered['results'].append({'types': ['target-machine'],
 | |
|                                        'values': list(set(os_list)),
 | |
|                                        'categories': ['Targeting data']})
 | |
| 
 | |
|     result_filtered['results'].append({'types': ['domain'],
 | |
|                                        'values': list(set(domains_resolver)),
 | |
|                                        'categories': ['Network activity'],
 | |
|                                        'comment': 'resolver to %s' % ip})
 | |
| 
 | |
|     result_filtered['results'].append({'types': ['domain'],
 | |
|                                        'values': list(set(domains_forward)),
 | |
|                                        'categories': ['Network activity'],
 | |
|                                        'comment': 'forward to %s' % ip})
 | |
|     return result_filtered
 | |
| 
 | |
| 
 | |
| def introspection():
 | |
|     return mispattributes
 | |
| 
 | |
| 
 | |
| def version():
 | |
|     moduleinfo['config'] = moduleconfig
 | |
|     return moduleinfo
 |