def create_attr(self, raw_attr: dict) -> MISPAttribute:
# Create attribute and assign simple values
attr = MISPAttribute()
attr.type = 'url'
attr.value = raw_attr['url']
attr.disable_correlation = False
attr.__setattr__('first_seen', datetime.strptime(raw_attr['dateadded'], '%Y-%m-%d %H:%M:%S'))
# Add URLhaus tag
self.add_tag_to_attribute(attr, 'URLhaus')
# Add other tags
if raw_attr['tags']:
for tag in raw_attr['tags'].split(','):
self.add_tag_to_attribute(attr, tag.strip())
# Add online/offline tag
if not pandas.isna(raw_attr['url_status']):
if raw_attr['url_status'] == 'online':
attr.to_ids = True
else:
attr.to_ids = False
self.add_tag_to_attribute(attr, raw_attr['url_status'])
# Add reporter tag
if not pandas.isna(raw_attr['reporter']):
self.add_tag_to_attribute(attr, raw_attr['reporter'])
attr.comment = raw_attr['urlhaus_link']
return attr
def create_attr_azorult(self, raw_attr: dict) -> MISPAttribute:
attr_list = []
for type in [{'json': 'domain', 'misp': 'domain'},
{'json': 'ip', 'misp': 'ip-dst'},
{'json': 'panel_index', 'misp': 'url'}]:
if type['json'] in raw_attr:
attr = MISPAttribute()
self.add_tag_to_attribute(attr, 'AzorultTracker')
self.add_tag_to_attribute(attr, raw_attr['panel_version'])
self.add_tag_to_attribute(attr, raw_attr['feeder'])
self.add_tag_to_attribute(attr, raw_attr['status'])
attr.comment = f'Azorult panel {type["misp"]}'
attr.__setattr__('first_seen', datetime.fromtimestamp(raw_attr['first_seen']))
attr.to_ids = False
attr.disable_correlation = False
attr.type = type['misp']
attr.value = f"{raw_attr[type['json']]}"
attr_list.append(attr)
return attr_list
def create_attr_feodo(self, raw_attr: dict) -> MISPAttribute:
attr = MISPAttribute()
attr.type = 'ip-dst|port'
attr.value = f"{raw_attr['DstIP']}|{raw_attr['DstPort']}"
self.add_tag_to_attribute(attr, 'FeodoTracker')
self.add_tag_to_attribute(attr, raw_attr['Malware'])
attr.comment = 'Feodo tracker DST IP/port'
attr.__setattr__('first_seen', datetime.strptime(raw_attr['Firstseen'], '%Y-%m-%d %H:%M:%S'))
if not pandas.isna(raw_attr['LastOnline']):
last_seen_time = datetime.strptime(str(raw_attr['LastOnline']), '%Y-%m-%d').replace(tzinfo=pytz.utc)
first_seen_time = datetime.strptime(str(raw_attr["Firstseen"]), '%Y-%m-%d %H:%M:%S').replace(tzinfo=pytz.utc)
if first_seen_time > last_seen_time:
last_seen_time = first_seen_time + timedelta(seconds=1)
attr.__setattr__('last_seen', last_seen_time)
else:
last_seen_time = datetime.strptime(str(raw_attr['Firstseen']), '%Y-%m-%d %H:%M:%S').replace(tzinfo=pytz.utc)
attr.__setattr__('last_seen', last_seen_time)
attr.to_ids = False
attr.disable_correlation = False
return attr
def poll_taxii():
global f_hashes, f_manifest, f_events
results_dict = {}
client = create_client(
CYBERSAIYAN_FEED_URL,
use_https=TAXII_USE_TLS,
discovery_path=TAXII_DISCOVERY_PATH
)
blocks = client.poll(collection_name=CYBERSAIYAN_COLLECTION_NAME)
for block in blocks:
content = block.content
if content:
if type(content) == str:
continue
elif type(content) == bytes:
content = content.decode('utf-8')
pkg = STIXPackage.from_xml(StringIO(content))
title = pkg.stix_header.title
information_source = pkg.stix_header.information_source.identity.name
cs_event = (title, information_source)
cs_event_hash = hash(cs_event)
db_cursor.execute("SELECT uuid FROM hashes WHERE hash = '%s'" % cs_event_hash)
element = db_cursor.fetchone()
if element:
e_uuid = element[0]
else:
e_uuid = str(uuid.uuid4())
db_cursor.execute("INSERT INTO hashes VALUES (?,?)", (cs_event_hash,e_uuid,))
if cs_event_hash not in results_dict:
results_dict[cs_event_hash] = MISPEvent()
m_ev = results_dict[cs_event_hash]
m_ev.info = str(pkg.stix_header.description)
m_ev.analysis = 0
m_ev.uuid = e_uuid
#m_ev.org = "CyberSaiyan"
csorg = MISPOrganisation()
csorg.name = "CyberSaiyan"
csorg.uuid = "8aaa81ed-72ef-4fb1-8e96-fa1bc200faeb"
m_ev.orgc = csorg
marking = pkg.stix_header.handling.marking
tlp = 0
found_tlp = False
for m in marking:
for struct in m.marking_structures:
if struct._XSI_TYPE == "tlpMarking:TLPMarkingStructureType":
found_tlp = True
tlp = max(TLP[struct.color.lower()], tlp)
if tlp == 0 and not found_tlp:
tlp = TLP["amber"]
m_ev.add_tag("tlp:"+TLP[tlp])
m_ev.add_tag("CyberSaiyan")
indicators = pkg.indicators
last_ts = utc.localize(datetime.datetime(1970,1,1))
for indicator in indicators:
cur_ts = indicator.timestamp
if cur_ts > last_ts:
last_ts = cur_ts
obj = indicator.observable.object_
obj_d = obj.properties.to_dict()
attr_type = obj_d["xsi:type"]
if attr_type == "AddressObjectType":
attr = MISPAttribute()
attr.category = "Network activity"
attr.type = "ip-dst"
attr.value = obj_d["address_value"]
attr.disable_correlation = False
attr.to_ids = True
elif attr_type == "DomainNameObjectType":
attr = MISPAttribute()
attr.category = "Network activity"
attr.type = "domain"
attr.value = obj_d["value"]
attr.disable_correlation = False
attr.to_ids = True
elif attr_type == "URIObjectType":
attr = MISPAttribute()
attr.category = "Network activity"
attr.type = "url"
attr.value = obj_d["value"]
attr.disable_correlation = False
attr.to_ids = True
elif attr_type == "FileObjectType":
hash_type = obj_d["hashes"][0]["type"]["value"].lower()
hash_value = obj_d["hashes"][0]["simple_hash_value"]
attr = MISPAttribute()
attr.category = "Payload delivery"
assert hash_type in ('md5', "sha1", "sha224",
"sha256", "sha384", "sha512", "ssdeep")
attr.type = hash_type
attr.value = hash_value
attr.disable_correlation = False
attr.to_ids = True
m_ev.date = last_ts.strftime("%Y-%m-%d")
m_ev.attributes.append(attr)
db_conn.commit()
c_hashes, c_manifest, c_events = list(), dict(), dict()
for event in results_dict.values():
e_feed = event.to_feed(with_meta=True).get("Event")
c_hashes += [[h, event.uuid] for h in e_feed.pop("_hashes")]
c_manifest.update(e_feed.pop('_manifest'))
c_events[event.uuid] = e_feed
f_hashes, f_manifest, f_events = c_hashes, c_manifest, c_events
if (context == "dropped_by_sha256"):
sample.add_reference(
referenced_uuid=ref_uuid,
relationship_type='dropped-by')
else:
sample.add_reference(referenced_uuid=ref_uuid,
relationship_type='drops')
elif (context.casefold() in API_LINK_CONTEXTS):
url_ref = value.replace('\\', '')
attribute = MISPAttribute()
if (url_ref not in attributes):
attribute.category = "External analysis"
attribute.type = "url"
attribute.value = url_ref
attribute.to_ids = False
attribute.disable_correlation = True
attributes.update({attribute.value: attribute})
else:
attribute = attributes[url_ref]
sample.add_reference(referenced_uuid=attribute.uuid,
relationship_type='related-to')
else:
print("Lost context: {}".format(context))
attribute = MISPAttribute()
attribute.category = "External analysis"
attribute.type = "url"
attribute.value = "https://bazaar.abuse.ch/sample/{}/".format(hash)
attribute.to_ids = False
attribute.disable_correlation = True
