def addHash(hashValue):
eid = checkAge()
hashValue = hashValue.strip()
md5 = re.compile(r'[0-9a-f]{32}$', flags=re.IGNORECASE)
sha1 = re.compile(r'[0-9a-f]{40}$', flags=re.IGNORECASE)
sha256 = re.compile(r'[0-9a-f]{64}$', flags=re.IGNORECASE)
if re.match(sha256, hashValue):
hashType = "sha256"
mispAttribute = MISPAttribute()
mispAttribute.type = 'sha256'
mispAttribute.value = hashValue
misp.add_attribute(eid, mispAttribute)
elif re.match(sha1, hashValue):
hashType = "sha1"
mispAttribute = MISPAttribute()
mispAttribute.type = 'sha1'
mispAttribute.value = hashValue
misp.add_attribute(eid, mispAttribute)
elif re.match(md5, hashValue):
hashType = "md5"
mispAttribute = MISPAttribute()
mispAttribute.type = 'md5'
mispAttribute.value = hashValue
misp.add_attribute(eid, mispAttribute)
else:
returnFailure("hash", hashValue, "length of %s" % len(hashValue))
returnSuccess("%s hash" % hashType, hashValue, eid)
def create_new_event(self, entry):
attribute = MISPAttribute()
attribute.type = "malware-sample"
attribute.value = entry["shasum"]
attribute.data = Path(entry["outfile"])
attribute.comment = "File uploaded to Cowrie ({})".format(entry["sensor"])
attribute.expand = "binary"
if "url" in entry:
attributeURL = MISPAttribute()
attributeURL.type = "url"
attributeURL.value = entry["url"]
attributeURL.to_ids = True
else:
attributeURL = MISPAttribute()
attributeURL.type = "text"
attributeURL.value = "External upload"
attributeIP = MISPAttribute()
attributeIP.type = "ip-src"
attributeIP.value = entry["src_ip"]
attributeDT = MISPAttribute()
attributeDT.type = "datetime"
attributeDT.value = entry["timestamp"]
event = MISPEvent()
event.info = "File uploaded to Cowrie ({})".format(entry["sensor"])
event.add_tag("tlp:white")
event.attributes = [attribute, attributeURL, attributeIP, attributeDT]
event.run_expansions()
if self.publish:
event.publish()
result = self.misp_api.add_event(event)
if self.debug:
log.msg(f"Event creation result: \n{result}")
def __init__(self, api_token: str, attribute_props: dict):
self.api_token = api_token
self.event = MISPEvent()
self.enrichment_object = MISPObject('Recorded Future Enrichment')
self.enrichment_object.from_dict(
**{
'meta-category':
'misc',
'description':
'An object containing the enriched attribute and related '
'entities from Recorded Future.',
'distribution':
0
})
# Create a copy of enriched attribute to add tags to
temp_attr = MISPAttribute()
temp_attr.from_dict(**attribute_props)
self.enriched_attribute = MISPAttribute()
self.enriched_attribute.from_dict(**{
'value': temp_attr.value,
'type': temp_attr.type,
'distribution': 0
})
self.related_attributes = []
self.color_picker = RFColors()
self.galaxy_finder = GalaxyFinder()
# Mapping from MISP-type to RF-type
self.type_to_rf_category = {
'ip': 'ip',
'ip-src': 'ip',
'ip-dst': 'ip',
'domain': 'domain',
'hostname': 'domain',
'md5': 'hash',
'sha1': 'hash',
'sha256': 'hash',
'uri': 'url',
'url': 'url',
'vulnerability': 'vulnerability',
'weakness': 'vulnerability'
}
# Related entities from RF portrayed as related attributes in MISP
self.related_attribute_types = [
'RelatedIpAddress', 'RelatedInternetDomainName', 'RelatedHash',
'RelatedEmailAddress', 'RelatedCyberVulnerability'
]
# Related entities from RF portrayed as tags in MISP
self.galaxy_tag_types = ['RelatedMalware', 'RelatedThreatActor']
def create_new_event(self, entry):
if self.is_python2:
self.misp_api.upload_sample(
entry["shasum"],
entry["outfile"],
None,
distribution=1,
info="File uploaded to Cowrie ({})".format(entry["sensor"]),
analysis=0,
threat_level_id=2
)
else:
attribute = MISPAttribute()
attribute.type = "malware-sample"
attribute.value = entry["shasum"]
attribute.data = Path(entry["outfile"])
attribute.comment = "File uploaded to Cowrie ({})".format(entry["sensor"])
attribute.expand = "binary"
event = MISPEvent()
event.info = "File uploaded to Cowrie ({})".format(entry["sensor"])
event.attributes = [attribute]
event.run_expansions()
if self.publish:
event.publish()
result = self.misp_api.add_event(event)
if self.debug:
log.msg("Event creation result: \n%s" % result)
def misp_add_attribute(self, event, a_type, a_value):
# Create Attribute object in MISP
misp_attribute = MISPAttribute()
if a_type: misp_attribute.type = a_type
if a_value: misp_attribute.value = a_value
event.add_attribute(misp_attribute.type, misp_attribute.value)
def parse_resolutions(self, resolutions, subdomains=None, uuids=None):
domain_ip_object = MISPObject('domain-ip')
if self.attribute.type in ('domain', 'hostname'):
domain_ip_object.add_attribute('domain',
type='domain',
value=self.attribute.value)
attribute_type, relation, key = ('ip-dst', 'ip', 'ip_address')
else:
domain_ip_object.add_attribute('ip',
type='ip-dst',
value=self.attribute.value)
attribute_type, relation, key = ('domain', 'domain', 'hostname')
for resolution in resolutions:
domain_ip_object.add_attribute(relation,
type=attribute_type,
value=resolution[key])
if subdomains:
for subdomain in subdomains:
attribute = MISPAttribute()
attribute.from_dict(**dict(type='domain', value=subdomain))
self.misp_event.add_attribute(**attribute)
domain_ip_object.add_reference(attribute.uuid, 'subdomain')
if uuids:
for uuid in uuids:
domain_ip_object.add_reference(uuid, 'sibling-of')
self.misp_event.add_object(**domain_ip_object)
return domain_ip_object.uuid
def addDomain(domainValue):
eid = checkAge()
mispAttribute = MISPAttribute()
mispAttribute.type = 'domain'
mispAttribute.value = domainValue
misp.add_attribute(eid, mispAttribute)
returnSuccess("domain", domainValue, eid)
def addIP(ipValue):
eid = checkAge()
mispAttribute = MISPAttribute()
mispAttribute.type = 'ip-dst'
mispAttribute.value = ipValue
misp.add_attribute(eid, mispAttribute)
returnSuccess("IP address", ipValue, eid)
def create_attr(self, raw_attr: dict) -> MISPAttribute:
# Create attribute and assign simple values
attr = MISPAttribute()
attr.type = 'url'
attr.value = raw_attr['url']
attr.disable_correlation = False
attr.__setattr__('first_seen', datetime.strptime(raw_attr['dateadded'], '%Y-%m-%d %H:%M:%S'))
# Add URLhaus tag
self.add_tag_to_attribute(attr, 'URLhaus')
# Add other tags
if raw_attr['tags']:
for tag in raw_attr['tags'].split(','):
self.add_tag_to_attribute(attr, tag.strip())
# Add online/offline tag
if not pandas.isna(raw_attr['url_status']):
if raw_attr['url_status'] == 'online':
attr.to_ids = True
else:
attr.to_ids = False
self.add_tag_to_attribute(attr, raw_attr['url_status'])
# Add reporter tag
if not pandas.isna(raw_attr['reporter']):
self.add_tag_to_attribute(attr, raw_attr['reporter'])
attr.comment = raw_attr['urlhaus_link']
return attr
def addEmail(emailValue):
eid = checkAge()
mispAttribute = MISPAttribute()
mispAttribute.type = 'email'
mispAttribute.value = emailValue
misp.add_attribute(eid, mispAttribute)
returnSuccess("email", emailValue, eid)
def _handle_ip_attribute(self, ip_address):
if ip_address == self.attribute.value:
return self.attribute.uuid
ip_attribute = MISPAttribute()
ip_attribute.from_dict(**{'type': self.attribute.type, 'value': ip_address})
self.misp_event.add_attribute(**ip_attribute)
return ip_attribute.uuid
def addBIC(bicValue):
eid = checkAge()
mispAttribute = MISPAttribute()
mispAttribute.type = 'bic'
mispAttribute.value = bicValue
misp.add_attribute(eid, mispAttribute)
returnSuccess("Bank Account", bicValue, eid)
def addFullName(fullnameValue):
eid = checkAge()
mispAttribute = MISPAttribute()
mispAttribute.type = 'first-name'
mispAttribute.value = fullnameValue
misp.add_attribute(eid, mispAttribute)
returnSuccess("Full Name", fullnameValue, eid)
def generate_MISP_Event(deduplicated_observations, conf, tags, attr_tags):
dt = datetime.now()
event = MISPEvent()
event.info = dt.strftime("%Y%m%d ") + 'TIE'
event.publish_timestamp = dt.strftime("%s")
event.timestamp = dt.strftime("%s")
event['timestamp'] = dt.strftime("%s")
event.analysis = 2
event.published = conf.event_published
orgc = MISPOrganisation()
orgc.from_json(json.dumps({'name': conf.org_name, 'uuid': conf.org_uuid}))
event.orgc = orgc
event.threat_level_id = conf.event_base_thread_level
event.date = dt
event['uuid'] = str(uuid.uuid1())
if len(tags) > 0:
event['Tag'] = tags
attr_hashes = []
for key, attr in deduplicated_observations.items():
misp_attr = MISPAttribute()
misp_attr.timestamp = dt.strftime("%s")
misp_attr['timestamp'] = dt.strftime("%s")
misp_attr.type = get_Attribute_Type(attr)
misp_attr.value = get_MISP_Fitted_Value(attr["value"], misp_attr.type)
if 'c2-server' in attr['categories'] and attr_tags.c2tags:
misp_attr['Tag'] = attr_tags.c2tags
if 'malware' in attr['categories'] and attr_tags.malwaretags:
misp_attr['Tag'] = attr_tags.malwaretags
if 'espionage' in attr['categories'] and attr_tags.espionagetags:
misp_attr['Tag'] = attr_tags.espionagetags
if 'bot' in attr['categories'] and attr_tags.bottags:
misp_attr['Tag'] = attr_tags.bottags
if 'whitelist' in attr['categories'] and attr_tags.whitelisttags:
misp_attr['Tag'] = attr_tags.whitelisttags
if 'cybercrime' in attr['categories'] and attr_tags.cybercrimetags:
misp_attr['Tag'] = attr_tags.cybercrimetags
if 'phishing' in attr['categories'] and attr_tags.phishingtags:
misp_attr['Tag'] = attr_tags.phishingtags
misp_attr.category = get_Attribute_Category(attr)
if conf.attr_to_ids and attr[
'min_confidence'] >= conf.attr_to_ids_threshold:
misp_attr.to_ids = True
else:
misp_attr.to_ids = False
misp_attr['comment'] = 'categories: ' + str(attr['categories']) + ' actors: ' + str(attr['actors']) + \
' families: ' + str(attr['families']) + ' sources: ' + str(attr['sources']) + \
' severity: ' + str(attr['max_severity']) + \
' confidence: ' + str(attr['max_confidence'])
misp_attr.edited = False
event.add_attribute(**(misp_attr.to_dict()))
attr_hashes.append([
hashlib.md5(attr['value'].encode("utf-8")).hexdigest(),
event['uuid']
])
event.edited = False
return event, attr_hashes
def _fill_object(self, obj_def, values):
empty_object = self.__new_empty_object(obj_def)
if self.links:
empty_object["ObjectReference"] = []
for link in self.links:
uuid, comment = link
empty_object['ObjectReference'].append({
'referenced_object_uuid':
uuid,
'comment':
comment
})
for object_type, value in values.items():
if value.get('value') is None:
continue
attribute = MISPAttribute(self.misp_event.describe_types)
value['type'] = obj_def['attributes'][object_type][
'misp-attribute']
if value.get('disable_correlation') is None:
value['disable_correlation'] = obj_def['attributes'][
object_type].get('disable_correlation')
if value.get('to_ids') is None:
value['to_ids'] = obj_def['attributes'][object_type].get(
'to_ids')
attribute.set_all_values(**value)
empty_object['ObjectAttribute'].append({
'type':
object_type,
'Attribute':
attribute._json()
})
return empty_object
def create_attribute(self, attribute_type, attribute_value):
attribute = MISPAttribute()
attribute.from_dict(**{
'type': attribute_type,
'value': attribute_value
})
self.misp_event.add_attribute(**attribute)
return attribute.uuid
def __misp_add_urlscan_to_event(self, capture_uuid: str, visibility: str) -> Optional[MISPAttribute]:
response = self.urlscan.url_submit(self.get_info(capture_uuid), visibility)
if 'result' in response:
attribute = MISPAttribute()
attribute.value = response['result']
attribute.type = 'link'
return attribute
return None
def __init__(self, attribute, config):
config['enclave_ids'] = config.get('enclave_ids',
"").strip().split(',')
config['client_metatag'] = self.CLIENT_METATAG
self.ts_client = TruStar(config=config)
self.misp_event = MISPEvent()
self.misp_attribute = MISPAttribute()
self.misp_attribute.from_dict(**attribute)
self.misp_event.add_attribute(**self.misp_attribute)
def map_attribute(self, row):
misp_attribute = MISPAttribute()
fs = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S')
misp_attribute.first_seen = fs
misp_attribute.last_seen = fs
value = row[1].strip().strip('"') + "|" + row[2].strip().strip('"')
misp_attribute.type = "ip-dst|port"
misp_attribute.value = value
return misp_attribute
def create_misp_attribute(misp_client, misp_event_id, misp_attribute_type,
misp_attribute_value):
misp_event = MISPEvent()
misp_event.id = int(misp_event_id)
misp_event.uuid = get_event_uuid(misp_client, misp_event_id)
misp_attribute = MISPAttribute()
misp_attribute.type = misp_attribute_type
misp_attribute.value = misp_attribute_value
attribute_response = misp_client.add_attribute(misp_event, misp_attribute)
return attribute_response
def add_attribute(self, indicator: str, indicator_type: str) -> None:
"""Helper method for adding an indicator to the attribute list."""
out_type = self.get_output_type(indicator_type, indicator)
attribute = MISPAttribute()
attribute.from_dict(**{
"value": indicator,
"type": out_type,
"distribution": 0
})
self.related_attributes.append((indicator_type, attribute))
def add_related_attribute(self, indicator: str, related_type: str) -> None:
"""Helper method for adding an indicator to the related attribute list."""
out_type = self.get_output_type(related_type, indicator)
attribute = MISPAttribute()
attribute.from_dict(**{
'value': indicator,
'type': out_type,
'distribution': 0
})
self.related_attributes.append((related_type, attribute))
def map_attribute(self, row):
misp_attribute = MISPAttribute()
fs = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S')
misp_attribute.first_seen = fs
misp_attribute.last_seen = fs
value = row[1].strip().strip('"')
misp_attribute.type = "x509-fingerprint-sha1"
misp_attribute.comment = 'https://sslbl.abuse.ch/ssl-certificates/sha1/' + value
misp_attribute.value = value
return misp_attribute
def __init__(self, attribute, apikey, apipassword):
self.base_url = "https://api.xforce.ibmcloud.com"
self.misp_event = MISPEvent()
self.attribute = MISPAttribute()
self.attribute.from_dict(**attribute)
self._apikey = apikey
self._apipassword = apipassword
self.result = {}
self.objects = defaultdict(dict)
self.status_mapping = {403: "Access denied, please check if your authentication is valid and if you did not reach the limit of queries.",
404: "No result found for your query."}
def _create_attribute(self, result, attribute_type):
attribute = MISPAttribute()
attribute.from_dict(type=attribute_type,
value=result['value'],
**self.attribute)
if result['classification'] != 'UNCLASSIFIED':
attribute.add_tag(result['classification'].lower())
self.misp_event.add_attribute(**attribute)
return {
'referenced_uuid': attribute.uuid,
'relationship_type': '-'.join(result['context'].lower().split(' '))
}
def __init__(self, attribute, config_object):
self.misp_event = MISPEvent()
self.attribute = MISPAttribute()
self.attribute.from_dict(**attribute)
self.misp_event.add_attribute(**self.attribute)
self.config_object = config_object
if self.config_object:
self.token = self.get_token()
else:
sys.exit('Missing configuration')
def __init__(self, attribute, authentication):
self.misp_event = MISPEvent()
self.attribute = MISPAttribute()
self.attribute.from_dict(**attribute)
self.misp_event.add_attribute(**self.attribute)
self.pssl = pypssl.PyPSSL(basic_auth=authentication)
self.cert_hash = 'x509-fingerprint-sha1'
self.cert_type = 'pem'
self.mapping = {'issuer': ('text', 'issuer'),
'keylength': ('text', 'pubkey-info-size'),
'not_after': ('datetime', 'validity-not-after'),
'not_before': ('datetime', 'validity-not-before'),
'subject': ('text', 'subject')}
def create_attribute(self,
attribute_type,
attribute_value,
attribute_tags=list()):
attribute = MISPAttribute()
attribute.from_dict(**{
'type': attribute_type,
'value': attribute_value,
'to_ids': False
})
for tag in attribute_tags:
attribute.add_tag(tag)
self.misp_event.add_attribute(**attribute)
return attribute.uuid
def __init__(self, attribute, api_key, client_id, client_secret):
self.misp_event = MISPEvent()
self.attribute = MISPAttribute()
self.attribute.from_dict(**attribute)
self.misp_event.add_attribute(**self.attribute)
self.base_url = 'https://api.mvision.mcafee.com'
self.session = requests.Session()
self.api_key = api_key
auth = (client_id, client_secret)
self.logging()
self.auth(auth)
def propose(type, value, category):
attr_type = type
value = value
category = category
to_ids = False
# Attribute data already defined
attribute = MISPAttribute()
attribute.type = attr_type
attribute.value = value
attribute.category = category
attribute.to_ids = to_ids
event_id = EVENTid
proposal = misp.add_attribute_proposal(event_id, attribute)
print('Proposed!')
