def create_new_event(self, entry):
if self.is_python2:
self.misp_api.upload_sample(
entry["shasum"],
entry["outfile"],
None,
distribution=1,
info="File uploaded to Cowrie ({})".format(entry["sensor"]),
analysis=0,
threat_level_id=2
)
else:
attribute = MISPAttribute()
attribute.type = "malware-sample"
attribute.value = entry["shasum"]
attribute.data = Path(entry["outfile"])
attribute.comment = "File uploaded to Cowrie ({})".format(entry["sensor"])
attribute.expand = "binary"
event = MISPEvent()
event.info = "File uploaded to Cowrie ({})".format(entry["sensor"])
event.attributes = [attribute]
event.run_expansions()
if self.publish:
event.publish()
result = self.misp_api.add_event(event)
if self.debug:
log.msg("Event creation result: \n%s" % result)
def create_new_event(self, entry):
attribute = MISPAttribute()
attribute.type = "malware-sample"
attribute.value = entry["shasum"]
attribute.data = Path(entry["outfile"])
attribute.comment = "File uploaded to Cowrie ({})".format(entry["sensor"])
attribute.expand = "binary"
if "url" in entry:
attributeURL = MISPAttribute()
attributeURL.type = "url"
attributeURL.value = entry["url"]
attributeURL.to_ids = True
else:
attributeURL = MISPAttribute()
attributeURL.type = "text"
attributeURL.value = "External upload"
attributeIP = MISPAttribute()
attributeIP.type = "ip-src"
attributeIP.value = entry["src_ip"]
attributeDT = MISPAttribute()
attributeDT.type = "datetime"
attributeDT.value = entry["timestamp"]
event = MISPEvent()
event.info = "File uploaded to Cowrie ({})".format(entry["sensor"])
event.add_tag("tlp:white")
event.attributes = [attribute, attributeURL, attributeIP, attributeDT]
event.run_expansions()
if self.publish:
event.publish()
result = self.misp_api.add_event(event)
if self.debug:
log.msg(f"Event creation result: \n{result}")
def create_attr(self, raw_attr: dict) -> MISPAttribute:
# Create attribute and assign simple values
attr = MISPAttribute()
attr.type = 'url'
attr.value = raw_attr['url']
attr.disable_correlation = False
attr.__setattr__('first_seen', datetime.strptime(raw_attr['dateadded'], '%Y-%m-%d %H:%M:%S'))
# Add URLhaus tag
self.add_tag_to_attribute(attr, 'URLhaus')
# Add other tags
if raw_attr['tags']:
for tag in raw_attr['tags'].split(','):
self.add_tag_to_attribute(attr, tag.strip())
# Add online/offline tag
if not pandas.isna(raw_attr['url_status']):
if raw_attr['url_status'] == 'online':
attr.to_ids = True
else:
attr.to_ids = False
self.add_tag_to_attribute(attr, raw_attr['url_status'])
# Add reporter tag
if not pandas.isna(raw_attr['reporter']):
self.add_tag_to_attribute(attr, raw_attr['reporter'])
attr.comment = raw_attr['urlhaus_link']
return attr
def map_attribute(self, row):
misp_attribute = MISPAttribute()
fs = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S')
misp_attribute.first_seen = fs
misp_attribute.last_seen = fs
value = row[1].strip().strip('"')
misp_attribute.type = "x509-fingerprint-sha1"
misp_attribute.comment = 'https://sslbl.abuse.ch/ssl-certificates/sha1/' + value
misp_attribute.value = value
return misp_attribute
def create_new_event(self, entry):
attribute = MISPAttribute()
attribute.type = "malware-sample"
attribute.value = entry["shasum"]
attribute.data = Path(entry["outfile"])
attribute.comment = "File uploaded to Cowrie ({})".format(entry["sensor"])
attribute.expand = "binary"
event = MISPEvent()
event.info = "File uploaded to Cowrie ({})".format(entry["sensor"])
event.attributes = [attribute]
event.run_expansions()
if self.publish:
event.publish()
result = self.misp_api.add_event(event)
if self.debug:
log.msg(f"Event creation result: \n{result}")
def map_attribute(self, row):
malware_info = self.get_malware_info(row)
misp_attribute = MISPAttribute()
value = row[2].strip().strip('"')
fs = datetime.strptime(row[1].strip().strip('"'), '%Y-%m-%d %H:%M:%S')
misp_attribute.first_seen = fs
misp_attribute.last_seen = fs
misp_attribute.type = "url"
if row[4].strip().strip('"') == "malware_download":
misp_attribute.add_tag('kill-chain:Delivery')
if malware_info['ft'] is not None:
misp_attribute.add_tag(malware_info['ft'])
misp_attribute.value = value
misp_attribute.comment = row[6].strip().strip('"')
return misp_attribute
def ip_attribute(category, type, value):
attribute = MISPAttribute()
attribute.category = category
attribute.org = "RST Cloud"
attribute.type = type
if value['ip']:
if value['ip']['v4']:
attribute.value = value['ip']['v4']
attribute.add_tag("rstcloud:asn:firstip=" +
str(value['asn']['firstip']['netv4']))
attribute.add_tag("rstcloud:asn:lastip=" +
str(value['asn']['lastip']['netv4']))
else:
if value['ip']['v6']:
attribute.value = value['ip']['v6']
attribute.add_tag("rstcloud:asn:firstip=" +
str(value['asn']['firstip']['netv6']))
attribute.add_tag("rstcloud:asn:lastip=" +
str(value['asn']['lastip']['netv6']))
attribute.add_tag("rstcloud:asn:number=" + str(value['asn']['num']))
attribute.comment = listToString(value['src']['str'])
attribute.first_seen = value['fseen']
attribute.last_seen = value['lseen']
attribute.timestamp = value['collect']
attribute.distribution = distribution_level
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
for rsttag in value['tags']['str']:
attribute.add_tag("rstcloud:tag=" + str(rsttag))
if value['asn']['cloud']:
attribute.add_tag("rstcloud:cloudprovider=" +
str(value['asn']['cloud']))
if value['asn']['domains']:
attribute.add_tag("rstcloud:number_of_hosted_domains=" +
str(value['asn']['domains']))
attribute.add_tag("rstcloud:org=" + str(value['asn']['org']))
attribute.add_tag("rstcloud:isp=" + str(value['asn']['isp']))
attribute.add_tag("rstcloud:geo.city=" + str(value['geo']['city']))
attribute.add_tag("rstcloud:geo.region=" + str(value['geo']['region']))
attribute.add_tag("rstcloud:geo.country=" + str(value['geo']['country']))
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
attribute.add_tag("rstcloud:false-positive:alarm=" +
str(value['fp']['alarm']))
if value['fp']['descr']:
attribute.add_tag("rstcloud:false-positive:description=" +
str(value['fp']['descr']))
return attribute
def create_attr_azorult(self, raw_attr: dict) -> MISPAttribute:
attr_list = []
for type in [{'json': 'domain', 'misp': 'domain'},
{'json': 'ip', 'misp': 'ip-dst'},
{'json': 'panel_index', 'misp': 'url'}]:
if type['json'] in raw_attr:
attr = MISPAttribute()
self.add_tag_to_attribute(attr, 'AzorultTracker')
self.add_tag_to_attribute(attr, raw_attr['panel_version'])
self.add_tag_to_attribute(attr, raw_attr['feeder'])
self.add_tag_to_attribute(attr, raw_attr['status'])
attr.comment = f'Azorult panel {type["misp"]}'
attr.__setattr__('first_seen', datetime.fromtimestamp(raw_attr['first_seen']))
attr.to_ids = False
attr.disable_correlation = False
attr.type = type['misp']
attr.value = f"{raw_attr[type['json']]}"
attr_list.append(attr)
return attr_list
def create_attr_feodo(self, raw_attr: dict) -> MISPAttribute:
attr = MISPAttribute()
attr.type = 'ip-dst|port'
attr.value = f"{raw_attr['DstIP']}|{raw_attr['DstPort']}"
self.add_tag_to_attribute(attr, 'FeodoTracker')
self.add_tag_to_attribute(attr, raw_attr['Malware'])
attr.comment = 'Feodo tracker DST IP/port'
attr.__setattr__('first_seen', datetime.strptime(raw_attr['Firstseen'], '%Y-%m-%d %H:%M:%S'))
if not pandas.isna(raw_attr['LastOnline']):
last_seen_time = datetime.strptime(str(raw_attr['LastOnline']), '%Y-%m-%d').replace(tzinfo=pytz.utc)
first_seen_time = datetime.strptime(str(raw_attr["Firstseen"]), '%Y-%m-%d %H:%M:%S').replace(tzinfo=pytz.utc)
if first_seen_time > last_seen_time:
last_seen_time = first_seen_time + timedelta(seconds=1)
attr.__setattr__('last_seen', last_seen_time)
else:
last_seen_time = datetime.strptime(str(raw_attr['Firstseen']), '%Y-%m-%d %H:%M:%S').replace(tzinfo=pytz.utc)
attr.__setattr__('last_seen', last_seen_time)
attr.to_ids = False
attr.disable_correlation = False
return attr
def map_attribute(self, row):
misp_attribute = MISPAttribute()
fs = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S')
misp_attribute.first_seen = fs
try:
ls_string = row[3].strip().strip('"')
if ls_string != '':
ls = datetime.strptime(ls_string, '%Y-%m-%d')
if ls > fs:
misp_attribute.last_seen = ls
else:
misp_attribute.last_seen = fs
except ValueError:
pass
value = row[1].strip().strip('"') + "|" + row[2].strip().strip('"')
misp_attribute.type = "ip-dst|port"
misp_attribute.comment = 'https://feodotracker.abuse.ch/browse/host/' + row[1].strip().strip('"')
misp_attribute.value = value
return misp_attribute
def domain_attribute(category, type, value):
attribute = MISPAttribute()
attribute.category = category
attribute.type = type
attribute.value = value['domain']
attribute.comment = listToString(value['src']['str'])
attribute.first_seen = value['fseen']
attribute.last_seen = value['lseen']
attribute.timestamp = value['collect']
attribute.distribution = distribution_level
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
for rsttag in value['tags']['str']:
attribute.add_tag("rstcloud:tag=" + str(rsttag))
if value['resolved'] and value['resolved']['whois']:
if value['resolved']['whois']['age'] > 0:
attribute.add_tag("rstcloud:whois:created=" +
str(value['resolved']['whois']['created']))
attribute.add_tag("rstcloud:whois:updated=" +
str(value['resolved']['whois']['updated']))
attribute.add_tag("rstcloud:whois:expires=" +
str(value['resolved']['whois']['expires']))
attribute.add_tag("rstcloud:whois:age=" +
str(value['resolved']['whois']['age']))
if value['resolved']['whois']['registrar'] and value['resolved'][
'whois']['registrar'] != 'unknown':
attribute.add_tag("rstcloud:whois:registrar=" +
str(value['resolved']['whois']['registrar']))
if value['resolved']['whois']['registrar'] and value['resolved'][
'whois']['registrant'] != 'unknown':
attribute.add_tag("rstcloud:whois:registrant=" +
str(value['resolved']['whois']['registrant']))
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
attribute.add_tag("rstcloud:false-positive:alarm=" +
str(value['fp']['alarm']))
if value['fp']['descr']:
attribute.add_tag("rstcloud:false-positive:description=" +
str(value['fp']['descr']))
return attribute
def search_vmray_incomplete(
m, url, wait_period, module_import_url, module_import_port, vmray_url,
vmray_api, vmray_attribute_category, vmray_include_analysisid,
vmray_include_imphash_ssdeep, vmray_include_extracted_files,
vmray_include_analysisdetails, vmray_include_vtidetails,
custom_tags_incomplete, custom_tags_complete):
controller = 'attributes'
vmray_value = 'VMRay Sample ID:' # How sample IDs are stored in MISP
req = None
# Search for the events
try:
result = m.search(controller, tags=custom_tags_incomplete)
attribute = result['Attribute']
if len(attribute) == 0:
sys.exit("No VMRay attributes found that match %s" %
custom_tags_incomplete)
timestamp = int(attribute[0]["timestamp"])
# Not enough time has gone by to lookup the analysis jobs
if int((time.time() - timestamp) / 60) < int(wait_period):
if module_DEBUG:
r_timestamp = datetime.datetime.fromtimestamp(
timestamp).strftime('%Y-%m-%d %H:%M:%S')
print(
"Attribute to recent for wait_period (%s minutes) - timestamp attribute: %s (%s minutes old)"
% (wait_period, r_timestamp,
round((int(time.time() - timestamp) / 60), 2)))
return False
if module_DEBUG:
print("All attributes older than %s" % int(wait_period))
for att in attribute:
value = att['value']
if vmray_value in value: # We found a sample ID
att_id = att['id']
att_uuid = att['uuid']
# VMRay Sample IDs are stored as VMRay Sample ID: 2796577
vmray_sample_id = value.split(vmray_value)[1].strip()
if vmray_sample_id.isdigit():
event_id = att['event_id']
if module_DEBUG:
print(
"Found event %s with matching tags %s for sample id %s "
% (event_id, custom_tags_incomplete,
vmray_sample_id))
# Prepare request to send to vmray_import via misp modules
misp_modules_url = module_import_url + ':' + module_import_port + '/query'
misp_modules_headers = {'Content-Type': 'application/json'}
misp_modules_body = '{ "sample_id":"' + vmray_sample_id + '","module":"vmray_import","event_id":"' + event_id + '","config":{"apikey":"' + vmray_api + '","url":"' + vmray_url + '","include_analysisid":"' + vmray_include_analysisid + '","include_analysisdetails":"' + vmray_include_analysisdetails + '","include_extracted_files":"' + vmray_include_extracted_files + '","include_imphash_ssdeep":"' + vmray_include_imphash_ssdeep + '","include_vtidetails":"' + vmray_include_vtidetails + '","sample_id":"' + vmray_sample_id + '"},"data":""}'
req = requests.post(misp_modules_url,
data=misp_modules_body,
headers=misp_modules_headers)
if module_DEBUG and req is not None:
print(
"Response code from submitting to MISP modules %s"
% (req.status_code))
# Succesful response from the misp modules?
if req.status_code == 200:
req_json = req.json()
if "error" in req_json:
print("Error code in reply %s " %
req_json["error"])
continue
else:
results = req_json["results"]
# Walk through all results in the misp-module reply
for el in results:
to_ids = True
values = el['values']
types = el['types']
if "to_ids" in el:
to_ids = el['to_ids']
if "text" in types:
to_ids = False
comment = el['comment']
if len(comment) < 1:
comment = "Enriched via the vmray_import module"
# Attribute can belong in different types
for attr_type in types:
try:
new_attribute = MISPAttribute()
new_attribute.type = attr_type
new_attribute.category = vmray_attribute_category
new_attribute.value = values
new_attribute.to_ids = to_ids
new_attribute.comment = comment
r = m.add_attribute(
event_id, new_attribute)
if module_DEBUG:
print(
"Add event %s: %s as %s (%s) (toids: %s)"
% (event_id, values, attr_type,
comment, to_ids))
except Exception as e:
if module_DEBUG:
print(
"Unable to add attribute %s as type %s for event %s"
%
(values, attr_type, event_id))
continue
# Remove 'incomplete' state tags
m.untag(att_uuid, custom_tags_incomplete)
# Update tags to 'complete' state
m.tag(att_uuid, custom_tags_complete)
if module_DEBUG:
print("Updated event %s" % event_id)
else:
sys.exit(
'MISP modules did not return HTTP 200 code (event %s ; sampleid %s)'
% (event_id, vmray_sample_id))
except Exception as e:
sys.exit("Invalid response received from MISP : %s", e)
def create_attributes(misp_api, event_id, site):
"""
Create MISP IOCs attributes.
:param misp_api: MISP Object API.
:param event_id: MISP Event ID.
:param site: Site Object.
:return:
"""
print(
str(timezone.now()) + " - " + 'Create MISP IOCs attributes for: ',
event_id)
print('-----------------------------')
tag = None
tags = misp_api.tags(pythonify=True)
for t in tags:
if t.name == 'Watcher':
tag = t
attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "domain"
attribute.distribution = 5
attribute.comment = "Domain name monitored"
attribute.tags = [tag]
attribute.value = site.domain_name
misp_api.add_attribute(event=event_id, attribute=attribute)
if settings.MISP_TICKETING_URL != '':
attribute = MISPAttribute()
attribute.category = "Internal reference"
attribute.type = "link"
attribute.distribution = 0
attribute.comment = "Ticketing link"
attribute.tags = [tag]
attribute.value = settings.MISP_TICKETING_URL + "?id=" + str(site.rtir)
misp_api.add_attribute(event=event_id, attribute=attribute)
if site.ip:
attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "ip-dst"
attribute.distribution = 5
attribute.comment = "First IP"
attribute.tags = [tag]
attribute.value = site.ip
misp_api.add_attribute(event=event_id, attribute=attribute)
if site.ip_second:
attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "ip-dst"
attribute.distribution = 5
attribute.comment = "Second IP"
attribute.tags = [tag]
attribute.value = site.ip_second
misp_api.add_attribute(event=event_id, attribute=attribute)
if site.mail_A_record_ip and site.ip != site.mail_A_record_ip and site.ip_second != site.mail_A_record_ip:
attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "ip-dst"
attribute.distribution = 5
attribute.comment = 'Mail Server A record IP: mail.' + site.domain_name
attribute.tags = [tag]
attribute.value = site.mail_A_record_ip
misp_api.add_attribute(event=event_id, attribute=attribute)
if site.MX_records:
for mx in site.MX_records:
attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "domain"
attribute.distribution = 5
attribute.comment = "MX record"
attribute.tags = [tag]
attribute.value = str(mx).split()[1][:-1]
misp_api.add_attribute(event=event_id, attribute=attribute)
def update_attributes(misp_api, site):
"""
Update MISP IOCs attributes.
:param misp_api: MISP Object API.
:param site: Site Object.
:return:
"""
print(
str(timezone.now()) + " - " + 'Update MISP IOCs attributes for: ',
site.misp_event_id)
print('-----------------------------')
tag = None
tags = misp_api.tags(pythonify=True)
for t in tags:
if t.name == 'Watcher':
tag = t
if site.ip and not search_attributes(misp_api, site.misp_event_id, site.ip,
site.pk):
attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "ip-dst"
attribute.distribution = 5
attribute.comment = "First IP"
attribute.tags = [tag]
attribute.value = site.ip
misp_api.add_attribute(event=site.misp_event_id, attribute=attribute)
if site.ip_second and not search_attributes(misp_api, site.misp_event_id,
site.ip_second, site.pk):
attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "ip-dst"
attribute.distribution = 5
attribute.comment = "Second IP"
attribute.tags = [tag]
attribute.value = site.ip_second
misp_api.add_attribute(event=site.misp_event_id, attribute=attribute)
if site.mail_A_record_ip and not search_attributes(
misp_api, site.misp_event_id, site.mail_A_record_ip, site.pk):
attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "ip-dst"
attribute.distribution = 5
attribute.comment = 'Mail Server A record IP: mail.' + site.domain_name
attribute.tags = [tag]
attribute.value = site.mail_A_record_ip
misp_api.add_attribute(event=site.misp_event_id, attribute=attribute)
if site.MX_records:
for mx in site.MX_records:
if not search_attributes(misp_api, site.misp_event_id,
str(mx).split()[1][:-1], site.pk):
attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "domain"
attribute.distribution = 5
attribute.comment = "MX record"
attribute.tags = [tag]
attribute.value = str(mx).split()[1][:-1]
misp_api.add_attribute(event=site.misp_event_id,
attribute=attribute)
print('invalid upload path (must be file or dir)')
exit(0)
if args.is_malware:
arg_type = 'malware-sample'
else:
arg_type = 'attachment'
# Create attributes
attributes = []
for f in files:
a = MISPAttribute()
a.type = arg_type
a.value = f.name
a.data = f
a.comment = args.comment
a.distribution = args.distrib
if args.expand and arg_type == 'malware-sample':
a.expand = 'binary'
attributes.append(a)
if args.event:
for a in attributes:
misp.add_attribute(args.event, a)
else:
m = MISPEvent()
m.info = args.info
m.distribution = args.distrib
m.attributes = attributes
if args.expand and arg_type == 'malware-sample':
m.run_expansions()
