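def ip_attribute(category, type, value):
    """
    Build a MISP attribute for one RST Cloud IP indicator.

    :param category: MISP attribute category.
    :param type: MISP attribute type (name shadows the builtin; kept for caller compatibility).
    :param value: one indicator record from the RST Cloud feed; the keys read here are
        ``ip``, ``asn``, ``geo``, ``score``, ``fp``, ``tags``, ``src``, ``fseen``, ``lseen``
        and ``collect``.
    :return: the populated MISPAttribute.
    """
    attribute = MISPAttribute()
    attribute.category = category
    attribute.org = "RST Cloud"
    attribute.type = type

    def tag(key, tag_value):
        # Every piece of RST Cloud enrichment is carried as an "rstcloud:<key>=<value>" tag.
        attribute.add_tag("rstcloud:" + key + "=" + str(tag_value))

    ip = value['ip']
    asn = value['asn']
    if ip:
        # Prefer the IPv4 address and fall back to IPv6; the ASN range tags use the
        # address family that matches the chosen value. If neither is present the
        # attribute value is left unset, as before.
        if ip['v4']:
            attribute.value = ip['v4']
            tag("asn:firstip", asn['firstip']['netv4'])
            tag("asn:lastip", asn['lastip']['netv4'])
        elif ip['v6']:
            attribute.value = ip['v6']
            tag("asn:firstip", asn['firstip']['netv6'])
            tag("asn:lastip", asn['lastip']['netv6'])
    tag("asn:number", asn['num'])

    attribute.comment = listToString(value['src']['str'])
    attribute.first_seen = value['fseen']
    attribute.last_seen = value['lseen']
    attribute.timestamp = value['collect']
    attribute.distribution = distribution_level

    # The score tag is attached exactly once (it used to be repeated after the geo tags).
    tag("score:total", value['score']['total'])
    for rsttag in value['tags']['str']:
        tag("tag", rsttag)
    if asn['cloud']:
        tag("cloudprovider", asn['cloud'])
    if asn['domains']:
        tag("number_of_hosted_domains", asn['domains'])
    tag("org", asn['org'])
    tag("isp", asn['isp'])

    geo = value['geo']
    tag("geo.city", geo['city'])
    tag("geo.region", geo['region'])
    tag("geo.country", geo['country'])

    # False-positive assessment from the feed; the description is optional.
    fp = value['fp']
    tag("false-positive:alarm", fp['alarm'])
    if fp['descr']:
        tag("false-positive:description", fp['descr'])
    return attribute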
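def domain_attribute(category, type, value):
    """
    Build a MISP attribute for one RST Cloud domain indicator.

    :param category: MISP attribute category.
    :param type: MISP attribute type (name shadows the builtin; kept for caller compatibility).
    :param value: one indicator record from the RST Cloud feed; the keys read here are
        ``domain``, ``resolved`` (optional ``whois`` block), ``score``, ``fp``, ``tags``,
        ``src``, ``fseen``, ``lseen`` and ``collect``.
    :return: the populated MISPAttribute.
    """
    attribute = MISPAttribute()
    attribute.category = category
    attribute.type = type
    attribute.value = value['domain']
    attribute.comment = listToString(value['src']['str'])
    attribute.first_seen = value['fseen']
    attribute.last_seen = value['lseen']
    attribute.timestamp = value['collect']
    attribute.distribution = distribution_level

    def tag(key, tag_value):
        # Every piece of RST Cloud enrichment is carried as an "rstcloud:<key>=<value>" tag.
        attribute.add_tag("rstcloud:" + key + "=" + str(tag_value))

    # The score tag is attached exactly once (it used to be repeated after the whois tags).
    tag("score:total", value['score']['total'])
    for rsttag in value['tags']['str']:
        tag("tag", rsttag)

    resolved = value['resolved']
    whois = resolved['whois'] if resolved else None
    if whois:
        # Registration dates are only meaningful when the feed computed an age.
        if whois['age'] > 0:
            tag("whois:created", whois['created'])
            tag("whois:updated", whois['updated'])
            tag("whois:expires", whois['expires'])
            tag("whois:age", whois['age'])
        registrar = whois['registrar']
        if registrar and registrar != 'unknown':
            tag("whois:registrar", registrar)
        # Guard on the registrant itself: testing the registrar here let an empty
        # registrant through and produced a "rstcloud:whois:registrant=None" tag.
        registrant = whois['registrant']
        if registrant and registrant != 'unknown':
            tag("whois:registrant", registrant)

    # False-positive assessment from the feed; the description is optional.
    fp = value['fp']
    tag("false-positive:alarm", fp['alarm'])
    if fp['descr']:
        tag("false-positive:description", fp['descr'])
    return attribute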
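def create_attributes(misp_api, event_id, site):
    """
    Create MISP IOCs attributes.

    Adds the monitored domain, the optional ticketing link, the resolved IPs,
    the mail server A record and the MX exchanges of ``site`` to the event.

    :param misp_api: MISP Object API.
    :param event_id: MISP Event ID.
    :param site: Site Object.
    :return:
    """
    print(str(timezone.now()) + " - " + 'Create MISP IOCs attributes for: ', event_id)
    print('-----------------------------')

    # Every attribute is labelled with the instance's 'Watcher' tag. Tag names are
    # unique on a MISP instance, so the first match is the one.
    tag = None
    for t in misp_api.tags(pythonify=True):
        if t.name == 'Watcher':
            tag = t
            break

    def push(attr_type, comment, attr_value, distribution=5, category="Network activity"):
        # Build one attribute and add it to the event. Distribution 5 means
        # "inherit from event"; the ticketing link overrides it with 0 (org only).
        attribute = MISPAttribute()
        attribute.category = category
        attribute.type = attr_type
        attribute.distribution = distribution
        attribute.comment = comment
        # Do not send a [None] tag list when the 'Watcher' tag does not exist yet.
        attribute.tags = [tag] if tag is not None else []
        attribute.value = attr_value
        misp_api.add_attribute(event=event_id, attribute=attribute)

    push("domain", "Domain name monitored", site.domain_name)

    if settings.MISP_TICKETING_URL != '':
        # Internal reference to the ticket; kept org-only so it never leaves the instance.
        push("link", "Ticketing link",
             settings.MISP_TICKETING_URL + "?id=" + str(site.rtir),
             distribution=0, category="Internal reference")

    if site.ip:
        push("ip-dst", "First IP", site.ip)
    if site.ip_second:
        push("ip-dst", "Second IP", site.ip_second)

    # Only record the mail server address when it differs from the web IPs already added.
    mail_ip = site.mail_A_record_ip
    if mail_ip and site.ip != mail_ip and site.ip_second != mail_ip:
        push("ip-dst", 'Mail Server A record IP: mail.' + site.domain_name, mail_ip)

    if site.MX_records:
        for mx in site.MX_records:
            # str(mx) is assumed to render as "<preference> <exchange>." — the second
            # token minus its trailing dot is the exchange host (TODO confirm against the
            # resolver that fills MX_records).
            exchange = str(mx).split()[1][:-1]
            push("domain", "MX record", exchange)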
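def update_attributes(misp_api, site):
    """
    Update MISP IOCs attributes.

    Adds the resolved IPs, the mail server A record and the MX exchanges of
    ``site`` to its event, skipping values that ``search_attributes`` already
    finds on the event.

    :param misp_api: MISP Object API.
    :param site: Site Object.
    :return:
    """
    print(str(timezone.now()) + " - " + 'Update MISP IOCs attributes for: ', site.misp_event_id)
    print('-----------------------------')
    event_id = site.misp_event_id

    # Every attribute is labelled with the instance's 'Watcher' tag. Tag names are
    # unique on a MISP instance, so the first match is the one.
    tag = None
    for t in misp_api.tags(pythonify=True):
        if t.name == 'Watcher':
            tag = t
            break

    def push_if_missing(attr_type, comment, attr_value):
        # Add one attribute to the event unless the same value is already present.
        if search_attributes(misp_api, event_id, attr_value, site.pk):
            return
        attribute = MISPAttribute()
        attribute.category = "Network activity"
        attribute.type = attr_type
        attribute.distribution = 5  # inherit from the event
        attribute.comment = comment
        # Do not send a [None] tag list when the 'Watcher' tag does not exist yet.
        attribute.tags = [tag] if tag is not None else []
        attribute.value = attr_value
        misp_api.add_attribute(event=event_id, attribute=attribute)

    if site.ip:
        push_if_missing("ip-dst", "First IP", site.ip)
    if site.ip_second:
        push_if_missing("ip-dst", "Second IP", site.ip_second)
    if site.mail_A_record_ip:
        push_if_missing("ip-dst",
                        'Mail Server A record IP: mail.' + site.domain_name,
                        site.mail_A_record_ip)

    if site.MX_records:
        for mx in site.MX_records:
            # str(mx) is assumed to render as "<preference> <exchange>." — the second
            # token minus its trailing dot is the exchange host (TODO confirm against the
            # resolver that fills MX_records). Computed once and reused for the
            # duplicate check and the attribute value.
            exchange = str(mx).split()[1][:-1]
            push_if_missing("domain", "MX record", exchange)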
exit(0) if args.is_malware: arg_type = 'malware-sample' else: arg_type = 'attachment' # Create attributes attributes = [] for f in files: a = MISPAttribute() a.type = arg_type a.value = f.name a.data = f a.comment = args.comment a.distribution = args.distrib if args.expand and arg_type == 'malware-sample': a.expand = 'binary' attributes.append(a) if args.event: for a in attributes: misp.add_attribute(args.event, a) else: m = MISPEvent() m.info = args.info m.distribution = args.distrib m.attributes = attributes if args.expand and arg_type == 'malware-sample': m.run_expansions() misp.add_event(m)