def addHash(hashValue): eid = checkAge() hashValue = hashValue.strip() md5 = re.compile(r'[0-9a-f]{32}$', flags=re.IGNORECASE) sha1 = re.compile(r'[0-9a-f]{40}$', flags=re.IGNORECASE) sha256 = re.compile(r'[0-9a-f]{64}$', flags=re.IGNORECASE) if re.match(sha256, hashValue): hashType = "sha256" mispAttribute = MISPAttribute() mispAttribute.type = 'sha256' mispAttribute.value = hashValue misp.add_attribute(eid, mispAttribute) elif re.match(sha1, hashValue): hashType = "sha1" mispAttribute = MISPAttribute() mispAttribute.type = 'sha1' mispAttribute.value = hashValue misp.add_attribute(eid, mispAttribute) elif re.match(md5, hashValue): hashType = "md5" mispAttribute = MISPAttribute() mispAttribute.type = 'md5' mispAttribute.value = hashValue misp.add_attribute(eid, mispAttribute) else: returnFailure("hash", hashValue, "length of %s" % len(hashValue)) returnSuccess("%s hash" % hashType, hashValue, eid)
def create_new_event(self, entry): attribute = MISPAttribute() attribute.type = "malware-sample" attribute.value = entry["shasum"] attribute.data = Path(entry["outfile"]) attribute.comment = "File uploaded to Cowrie ({})".format(entry["sensor"]) attribute.expand = "binary" if "url" in entry: attributeURL = MISPAttribute() attributeURL.type = "url" attributeURL.value = entry["url"] attributeURL.to_ids = True else: attributeURL = MISPAttribute() attributeURL.type = "text" attributeURL.value = "External upload" attributeIP = MISPAttribute() attributeIP.type = "ip-src" attributeIP.value = entry["src_ip"] attributeDT = MISPAttribute() attributeDT.type = "datetime" attributeDT.value = entry["timestamp"] event = MISPEvent() event.info = "File uploaded to Cowrie ({})".format(entry["sensor"]) event.add_tag("tlp:white") event.attributes = [attribute, attributeURL, attributeIP, attributeDT] event.run_expansions() if self.publish: event.publish() result = self.misp_api.add_event(event) if self.debug: log.msg(f"Event creation result: \n{result}")
def __init__(self, api_token: str, attribute_props: dict): self.api_token = api_token self.event = MISPEvent() self.enrichment_object = MISPObject('Recorded Future Enrichment') self.enrichment_object.from_dict( **{ 'meta-category': 'misc', 'description': 'An object containing the enriched attribute and related ' 'entities from Recorded Future.', 'distribution': 0 }) # Create a copy of enriched attribute to add tags to temp_attr = MISPAttribute() temp_attr.from_dict(**attribute_props) self.enriched_attribute = MISPAttribute() self.enriched_attribute.from_dict(**{ 'value': temp_attr.value, 'type': temp_attr.type, 'distribution': 0 }) self.related_attributes = [] self.color_picker = RFColors() self.galaxy_finder = GalaxyFinder() # Mapping from MISP-type to RF-type self.type_to_rf_category = { 'ip': 'ip', 'ip-src': 'ip', 'ip-dst': 'ip', 'domain': 'domain', 'hostname': 'domain', 'md5': 'hash', 'sha1': 'hash', 'sha256': 'hash', 'uri': 'url', 'url': 'url', 'vulnerability': 'vulnerability', 'weakness': 'vulnerability' } # Related entities from RF portrayed as related attributes in MISP self.related_attribute_types = [ 'RelatedIpAddress', 'RelatedInternetDomainName', 'RelatedHash', 'RelatedEmailAddress', 'RelatedCyberVulnerability' ] # Related entities from RF portrayed as tags in MISP self.galaxy_tag_types = ['RelatedMalware', 'RelatedThreatActor']
def create_new_event(self, entry): if self.is_python2: self.misp_api.upload_sample( entry["shasum"], entry["outfile"], None, distribution=1, info="File uploaded to Cowrie ({})".format(entry["sensor"]), analysis=0, threat_level_id=2 ) else: attribute = MISPAttribute() attribute.type = "malware-sample" attribute.value = entry["shasum"] attribute.data = Path(entry["outfile"]) attribute.comment = "File uploaded to Cowrie ({})".format(entry["sensor"]) attribute.expand = "binary" event = MISPEvent() event.info = "File uploaded to Cowrie ({})".format(entry["sensor"]) event.attributes = [attribute] event.run_expansions() if self.publish: event.publish() result = self.misp_api.add_event(event) if self.debug: log.msg("Event creation result: \n%s" % result)
def misp_add_attribute(self, event, a_type, a_value): # Create Attribute object in MISP misp_attribute = MISPAttribute() if a_type: misp_attribute.type = a_type if a_value: misp_attribute.value = a_value event.add_attribute(misp_attribute.type, misp_attribute.value)
def parse_resolutions(self, resolutions, subdomains=None, uuids=None): domain_ip_object = MISPObject('domain-ip') if self.attribute.type in ('domain', 'hostname'): domain_ip_object.add_attribute('domain', type='domain', value=self.attribute.value) attribute_type, relation, key = ('ip-dst', 'ip', 'ip_address') else: domain_ip_object.add_attribute('ip', type='ip-dst', value=self.attribute.value) attribute_type, relation, key = ('domain', 'domain', 'hostname') for resolution in resolutions: domain_ip_object.add_attribute(relation, type=attribute_type, value=resolution[key]) if subdomains: for subdomain in subdomains: attribute = MISPAttribute() attribute.from_dict(**dict(type='domain', value=subdomain)) self.misp_event.add_attribute(**attribute) domain_ip_object.add_reference(attribute.uuid, 'subdomain') if uuids: for uuid in uuids: domain_ip_object.add_reference(uuid, 'sibling-of') self.misp_event.add_object(**domain_ip_object) return domain_ip_object.uuid
def addDomain(domainValue): eid = checkAge() mispAttribute = MISPAttribute() mispAttribute.type = 'domain' mispAttribute.value = domainValue misp.add_attribute(eid, mispAttribute) returnSuccess("domain", domainValue, eid)
def addIP(ipValue): eid = checkAge() mispAttribute = MISPAttribute() mispAttribute.type = 'ip-dst' mispAttribute.value = ipValue misp.add_attribute(eid, mispAttribute) returnSuccess("IP address", ipValue, eid)
def create_attr(self, raw_attr: dict) -> MISPAttribute: # Create attribute and assign simple values attr = MISPAttribute() attr.type = 'url' attr.value = raw_attr['url'] attr.disable_correlation = False attr.__setattr__('first_seen', datetime.strptime(raw_attr['dateadded'], '%Y-%m-%d %H:%M:%S')) # Add URLhaus tag self.add_tag_to_attribute(attr, 'URLhaus') # Add other tags if raw_attr['tags']: for tag in raw_attr['tags'].split(','): self.add_tag_to_attribute(attr, tag.strip()) # Add online/offline tag if not pandas.isna(raw_attr['url_status']): if raw_attr['url_status'] == 'online': attr.to_ids = True else: attr.to_ids = False self.add_tag_to_attribute(attr, raw_attr['url_status']) # Add reporter tag if not pandas.isna(raw_attr['reporter']): self.add_tag_to_attribute(attr, raw_attr['reporter']) attr.comment = raw_attr['urlhaus_link'] return attr
def addEmail(emailValue): eid = checkAge() mispAttribute = MISPAttribute() mispAttribute.type = 'email' mispAttribute.value = emailValue misp.add_attribute(eid, mispAttribute) returnSuccess("email", emailValue, eid)
def _handle_ip_attribute(self, ip_address): if ip_address == self.attribute.value: return self.attribute.uuid ip_attribute = MISPAttribute() ip_attribute.from_dict(**{'type': self.attribute.type, 'value': ip_address}) self.misp_event.add_attribute(**ip_attribute) return ip_attribute.uuid
def addBIC(bicValue): eid = checkAge() mispAttribute = MISPAttribute() mispAttribute.type = 'bic' mispAttribute.value = bicValue misp.add_attribute(eid, mispAttribute) returnSuccess("Bank Account", bicValue, eid)
def addFullName(fullnameValue): eid = checkAge() mispAttribute = MISPAttribute() mispAttribute.type = 'first-name' mispAttribute.value = fullnameValue misp.add_attribute(eid, mispAttribute) returnSuccess("Full Name", fullnameValue, eid)
def generate_MISP_Event(deduplicated_observations, conf, tags, attr_tags): dt = datetime.now() event = MISPEvent() event.info = dt.strftime("%Y%m%d ") + 'TIE' event.publish_timestamp = dt.strftime("%s") event.timestamp = dt.strftime("%s") event['timestamp'] = dt.strftime("%s") event.analysis = 2 event.published = conf.event_published orgc = MISPOrganisation() orgc.from_json(json.dumps({'name': conf.org_name, 'uuid': conf.org_uuid})) event.orgc = orgc event.threat_level_id = conf.event_base_thread_level event.date = dt event['uuid'] = str(uuid.uuid1()) if len(tags) > 0: event['Tag'] = tags attr_hashes = [] for key, attr in deduplicated_observations.items(): misp_attr = MISPAttribute() misp_attr.timestamp = dt.strftime("%s") misp_attr['timestamp'] = dt.strftime("%s") misp_attr.type = get_Attribute_Type(attr) misp_attr.value = get_MISP_Fitted_Value(attr["value"], misp_attr.type) if 'c2-server' in attr['categories'] and attr_tags.c2tags: misp_attr['Tag'] = attr_tags.c2tags if 'malware' in attr['categories'] and attr_tags.malwaretags: misp_attr['Tag'] = attr_tags.malwaretags if 'espionage' in attr['categories'] and attr_tags.espionagetags: misp_attr['Tag'] = attr_tags.espionagetags if 'bot' in attr['categories'] and attr_tags.bottags: misp_attr['Tag'] = attr_tags.bottags if 'whitelist' in attr['categories'] and attr_tags.whitelisttags: misp_attr['Tag'] = attr_tags.whitelisttags if 'cybercrime' in attr['categories'] and attr_tags.cybercrimetags: misp_attr['Tag'] = attr_tags.cybercrimetags if 'phishing' in attr['categories'] and attr_tags.phishingtags: misp_attr['Tag'] = attr_tags.phishingtags misp_attr.category = get_Attribute_Category(attr) if conf.attr_to_ids and attr[ 'min_confidence'] >= conf.attr_to_ids_threshold: misp_attr.to_ids = True else: misp_attr.to_ids = False misp_attr['comment'] = 'categories: ' + str(attr['categories']) + ' actors: ' + str(attr['actors']) + \ ' families: ' + str(attr['families']) + ' sources: ' + str(attr['sources']) + \ ' severity: ' + str(attr['max_severity']) + \ ' confidence: ' + str(attr['max_confidence']) misp_attr.edited = False event.add_attribute(**(misp_attr.to_dict())) attr_hashes.append([ hashlib.md5(attr['value'].encode("utf-8")).hexdigest(), event['uuid'] ]) event.edited = False return event, attr_hashes
def _fill_object(self, obj_def, values): empty_object = self.__new_empty_object(obj_def) if self.links: empty_object["ObjectReference"] = [] for link in self.links: uuid, comment = link empty_object['ObjectReference'].append({ 'referenced_object_uuid': uuid, 'comment': comment }) for object_type, value in values.items(): if value.get('value') is None: continue attribute = MISPAttribute(self.misp_event.describe_types) value['type'] = obj_def['attributes'][object_type][ 'misp-attribute'] if value.get('disable_correlation') is None: value['disable_correlation'] = obj_def['attributes'][ object_type].get('disable_correlation') if value.get('to_ids') is None: value['to_ids'] = obj_def['attributes'][object_type].get( 'to_ids') attribute.set_all_values(**value) empty_object['ObjectAttribute'].append({ 'type': object_type, 'Attribute': attribute._json() }) return empty_object
def create_attribute(self, attribute_type, attribute_value): attribute = MISPAttribute() attribute.from_dict(**{ 'type': attribute_type, 'value': attribute_value }) self.misp_event.add_attribute(**attribute) return attribute.uuid
def __misp_add_urlscan_to_event(self, capture_uuid: str, visibility: str) -> Optional[MISPAttribute]: response = self.urlscan.url_submit(self.get_info(capture_uuid), visibility) if 'result' in response: attribute = MISPAttribute() attribute.value = response['result'] attribute.type = 'link' return attribute return None
def __init__(self, attribute, config): config['enclave_ids'] = config.get('enclave_ids', "").strip().split(',') config['client_metatag'] = self.CLIENT_METATAG self.ts_client = TruStar(config=config) self.misp_event = MISPEvent() self.misp_attribute = MISPAttribute() self.misp_attribute.from_dict(**attribute) self.misp_event.add_attribute(**self.misp_attribute)
def map_attribute(self, row): misp_attribute = MISPAttribute() fs = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S') misp_attribute.first_seen = fs misp_attribute.last_seen = fs value = row[1].strip().strip('"') + "|" + row[2].strip().strip('"') misp_attribute.type = "ip-dst|port" misp_attribute.value = value return misp_attribute
def create_misp_attribute(misp_client, misp_event_id, misp_attribute_type, misp_attribute_value): misp_event = MISPEvent() misp_event.id = int(misp_event_id) misp_event.uuid = get_event_uuid(misp_client, misp_event_id) misp_attribute = MISPAttribute() misp_attribute.type = misp_attribute_type misp_attribute.value = misp_attribute_value attribute_response = misp_client.add_attribute(misp_event, misp_attribute) return attribute_response
def add_attribute(self, indicator: str, indicator_type: str) -> None: """Helper method for adding an indicator to the attribute list.""" out_type = self.get_output_type(indicator_type, indicator) attribute = MISPAttribute() attribute.from_dict(**{ "value": indicator, "type": out_type, "distribution": 0 }) self.related_attributes.append((indicator_type, attribute))
def add_related_attribute(self, indicator: str, related_type: str) -> None: """Helper method for adding an indicator to the related attribute list.""" out_type = self.get_output_type(related_type, indicator) attribute = MISPAttribute() attribute.from_dict(**{ 'value': indicator, 'type': out_type, 'distribution': 0 }) self.related_attributes.append((related_type, attribute))
def map_attribute(self, row): misp_attribute = MISPAttribute() fs = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S') misp_attribute.first_seen = fs misp_attribute.last_seen = fs value = row[1].strip().strip('"') misp_attribute.type = "x509-fingerprint-sha1" misp_attribute.comment = 'https://sslbl.abuse.ch/ssl-certificates/sha1/' + value misp_attribute.value = value return misp_attribute
def __init__(self, attribute, apikey, apipassword): self.base_url = "https://api.xforce.ibmcloud.com" self.misp_event = MISPEvent() self.attribute = MISPAttribute() self.attribute.from_dict(**attribute) self._apikey = apikey self._apipassword = apipassword self.result = {} self.objects = defaultdict(dict) self.status_mapping = {403: "Access denied, please check if your authentication is valid and if you did not reach the limit of queries.", 404: "No result found for your query."}
def _create_attribute(self, result, attribute_type): attribute = MISPAttribute() attribute.from_dict(type=attribute_type, value=result['value'], **self.attribute) if result['classification'] != 'UNCLASSIFIED': attribute.add_tag(result['classification'].lower()) self.misp_event.add_attribute(**attribute) return { 'referenced_uuid': attribute.uuid, 'relationship_type': '-'.join(result['context'].lower().split(' ')) }
def __init__(self, attribute, config_object): self.misp_event = MISPEvent() self.attribute = MISPAttribute() self.attribute.from_dict(**attribute) self.misp_event.add_attribute(**self.attribute) self.config_object = config_object if self.config_object: self.token = self.get_token() else: sys.exit('Missing configuration')
def __init__(self, attribute, authentication): self.misp_event = MISPEvent() self.attribute = MISPAttribute() self.attribute.from_dict(**attribute) self.misp_event.add_attribute(**self.attribute) self.pssl = pypssl.PyPSSL(basic_auth=authentication) self.cert_hash = 'x509-fingerprint-sha1' self.cert_type = 'pem' self.mapping = {'issuer': ('text', 'issuer'), 'keylength': ('text', 'pubkey-info-size'), 'not_after': ('datetime', 'validity-not-after'), 'not_before': ('datetime', 'validity-not-before'), 'subject': ('text', 'subject')}
def create_attribute(self, attribute_type, attribute_value, attribute_tags=list()): attribute = MISPAttribute() attribute.from_dict(**{ 'type': attribute_type, 'value': attribute_value, 'to_ids': False }) for tag in attribute_tags: attribute.add_tag(tag) self.misp_event.add_attribute(**attribute) return attribute.uuid
def __init__(self, attribute, api_key, client_id, client_secret): self.misp_event = MISPEvent() self.attribute = MISPAttribute() self.attribute.from_dict(**attribute) self.misp_event.add_attribute(**self.attribute) self.base_url = 'https://api.mvision.mcafee.com' self.session = requests.Session() self.api_key = api_key auth = (client_id, client_secret) self.logging() self.auth(auth)
def propose(type, value, category): attr_type = type value = value category = category to_ids = False # Attribute data already defined attribute = MISPAttribute() attribute.type = attr_type attribute.value = value attribute.category = category attribute.to_ids = to_ids event_id = EVENTid proposal = misp.add_attribute_proposal(event_id, attribute) print('Proposed!')