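def ip_attribute(category, type, value):
    """
    Build a MISP attribute for one RST Cloud IP indicator.

    :param category: MISP attribute category (e.g. "Network activity").
    :param type: MISP attribute type (e.g. "ip-dst"). The name shadows the
        builtin but is kept so existing positional/keyword callers work.
    :param value: one decoded RST Cloud feed record (dict). The keys read
        here are ``ip``, ``asn``, ``src``, ``fseen``, ``lseen``, ``collect``,
        ``score``, ``tags``, ``geo`` and ``fp``; a record missing any of
        them raises KeyError.
    :return: MISPAttribute carrying the feed's enrichment as
        ``rstcloud:*`` tags (ASN range/number, geo, score, false-positive
        hints). ``attribute.value`` is only set when the record has an IPv4
        or IPv6 address; callers should not push an attribute without one.
    """
    attribute = MISPAttribute()
    attribute.category = category
    attribute.org = "RST Cloud"
    attribute.type = type
    add_tag = attribute.add_tag

    ip = value['ip']
    asn = value['asn']
    # IPv4 takes precedence when both families are present; the ASN range
    # tags use the matching netv4/netv6 fields.
    if ip:
        if ip['v4']:
            attribute.value = ip['v4']
            add_tag("rstcloud:asn:firstip=" + str(asn['firstip']['netv4']))
            add_tag("rstcloud:asn:lastip=" + str(asn['lastip']['netv4']))
        elif ip['v6']:
            attribute.value = ip['v6']
            add_tag("rstcloud:asn:firstip=" + str(asn['firstip']['netv6']))
            add_tag("rstcloud:asn:lastip=" + str(asn['lastip']['netv6']))

    add_tag("rstcloud:asn:number=" + str(asn['num']))
    attribute.comment = listToString(value['src']['str'])
    attribute.first_seen = value['fseen']
    attribute.last_seen = value['lseen']
    attribute.timestamp = value['collect']
    attribute.distribution = distribution_level
    # Emitted exactly once; do not repeat this tag further down.
    add_tag("rstcloud:score:total=" + str(value['score']['total']))
    for rsttag in value['tags']['str']:
        add_tag("rstcloud:tag=" + str(rsttag))
    # Optional ASN enrichment: only tagged when the feed supplies a value.
    if asn['cloud']:
        add_tag("rstcloud:cloudprovider=" + str(asn['cloud']))
    if asn['domains']:
        add_tag("rstcloud:number_of_hosted_domains=" + str(asn['domains']))
    add_tag("rstcloud:org=" + str(asn['org']))
    add_tag("rstcloud:isp=" + str(asn['isp']))

    geo = value['geo']
    add_tag("rstcloud:geo.city=" + str(geo['city']))
    add_tag("rstcloud:geo.region=" + str(geo['region']))
    add_tag("rstcloud:geo.country=" + str(geo['country']))

    # Feed-supplied false-positive verdict. The description is free text
    # from the provider and is only tagged when non-empty.
    fp = value['fp']
    add_tag("rstcloud:false-positive:alarm=" + str(fp['alarm']))
    if fp['descr']:
        add_tag("rstcloud:false-positive:description=" + str(fp['descr']))
    return attribute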
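def domain_attribute(category, type, value):
    """
    Build a MISP attribute for one RST Cloud domain indicator.

    :param category: MISP attribute category (e.g. "Network activity").
    :param type: MISP attribute type (e.g. "domain"). The name shadows the
        builtin but is kept so existing callers work.
    :param value: one decoded RST Cloud feed record (dict). The keys read
        here are ``domain``, ``src``, ``fseen``, ``lseen``, ``collect``,
        ``score``, ``tags``, ``resolved`` and ``fp``; a record missing any
        of them raises KeyError.
    :return: MISPAttribute whose value is the domain, tagged with the
        feed's score, free-form tags, WHOIS data (when resolved) and
        false-positive hints.
    """
    attribute = MISPAttribute()
    attribute.category = category
    attribute.type = type
    attribute.value = value['domain']
    attribute.comment = listToString(value['src']['str'])
    attribute.first_seen = value['fseen']
    attribute.last_seen = value['lseen']
    attribute.timestamp = value['collect']
    attribute.distribution = distribution_level
    add_tag = attribute.add_tag

    # Emitted exactly once; do not repeat this tag further down.
    add_tag("rstcloud:score:total=" + str(value['score']['total']))
    for rsttag in value['tags']['str']:
        add_tag("rstcloud:tag=" + str(rsttag))

    resolved = value['resolved']
    whois = resolved['whois'] if resolved else None
    if whois:
        # An age of 0 or less means the feed has no usable WHOIS dates.
        if whois['age'] > 0:
            for field in ('created', 'updated', 'expires', 'age'):
                add_tag("rstcloud:whois:" + field + "=" + str(whois[field]))
        # 'unknown' is the feed's placeholder for missing WHOIS data and
        # would otherwise become a misleading tag.
        registrar = whois['registrar']
        if registrar and registrar != 'unknown':
            add_tag("rstcloud:whois:registrar=" + str(registrar))
        # The registrant tag is gated on the registrant field itself (the
        # original tested ``registrar`` here, so an empty registrant could
        # be tagged as "None" and a valid one dropped).
        registrant = whois['registrant']
        if registrant and registrant != 'unknown':
            add_tag("rstcloud:whois:registrant=" + str(registrant))

    # Feed-supplied false-positive verdict; description only when present.
    fp = value['fp']
    add_tag("rstcloud:false-positive:alarm=" + str(fp['alarm']))
    if fp['descr']:
        add_tag("rstcloud:false-positive:description=" + str(fp['descr']))
    return attribute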
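def create_attributes(misp_api, event_id, site):
    """
    Create MISP IOCs attributes.

    Adds to the MISP event ``event_id`` one attribute per observable of
    ``site``: the monitored domain, the ticketing link (only when
    ``settings.MISP_TICKETING_URL`` is configured), the first and second
    IPs, the mail server A-record IP (skipped when it equals one of the two
    site IPs) and every MX host. Each attribute is labelled with the MISP
    tag named 'Watcher' when that tag exists on the instance.

    :param misp_api: MISP Object API (PyMISP instance).
    :param event_id: MISP Event ID.
    :param site: Site Object.
    :return: None
    """
    print(
        str(timezone.now()) + " - " + 'Create MISP IOCs attributes for: ',
        event_id)
    print('-----------------------------')

    # Look the 'Watcher' tag up by name. If the instance has no such tag the
    # attributes are pushed untagged instead of with a [None] tag list,
    # which PyMISP would reject.
    tag = None
    for t in misp_api.tags(pythonify=True):
        if t.name == 'Watcher':
            tag = t

    def push(category, attr_type, distribution, comment, attr_value):
        """Build one attribute with the shared fields and add it to the event."""
        attribute = MISPAttribute()
        attribute.category = category
        attribute.type = attr_type
        attribute.distribution = distribution
        attribute.comment = comment
        attribute.tags = [tag] if tag is not None else []
        attribute.value = attr_value
        misp_api.add_attribute(event=event_id, attribute=attribute)

    push("Network activity", "domain", 5, "Domain name monitored",
         site.domain_name)

    # Distribution 0 keeps the internal ticket reference visible to the
    # owning org only, whereas the IOCs (distribution 5) inherit the
    # event's sharing level.
    if settings.MISP_TICKETING_URL != '':
        push("Internal reference", "link", 0, "Ticketing link",
             settings.MISP_TICKETING_URL + "?id=" + str(site.rtir))

    if site.ip:
        push("Network activity", "ip-dst", 5, "First IP", site.ip)

    if site.ip_second:
        push("Network activity", "ip-dst", 5, "Second IP", site.ip_second)

    # Avoid a duplicate ip-dst when the mail host shares an IP with the site.
    if (site.mail_A_record_ip and site.ip != site.mail_A_record_ip
            and site.ip_second != site.mail_A_record_ip):
        push("Network activity", "ip-dst", 5,
             'Mail Server A record IP: mail.' + site.domain_name,
             site.mail_A_record_ip)

    if site.MX_records:
        for mx in site.MX_records:
            # Each MX entry is expected to stringify as "<preference> <host>."
            # — the second token minus its trailing dot is the host.
            # TODO confirm against the resolver that fills MX_records.
            push("Network activity", "domain", 5, "MX record",
                 str(mx).split()[1][:-1])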
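def update_attributes(misp_api, site):
    """
    Update MISP IOCs attributes.

    Re-pushes the first/second IP, the mail server A-record IP and the MX
    hosts of ``site`` into its MISP event (``site.misp_event_id``), adding
    only those values that ``search_attributes`` does not already report as
    present. The monitored domain and the ticketing link are not touched
    here. Unlike ``create_attributes`` the mail IP is not compared with the
    site IPs; presumably ``search_attributes`` already catches that overlap
    — verify if duplicates show up.

    :param misp_api: MISP Object API (PyMISP instance).
    :param site: Site Object.
    :return: None
    """
    print(
        str(timezone.now()) + " - " + 'Update MISP IOCs attributes for: ',
        site.misp_event_id)
    print('-----------------------------')

    # Look the 'Watcher' tag up by name. If the instance has no such tag the
    # attributes are pushed untagged instead of with a [None] tag list,
    # which PyMISP would reject.
    tag = None
    for t in misp_api.tags(pythonify=True):
        if t.name == 'Watcher':
            tag = t

    event_id = site.misp_event_id

    def push_if_missing(category, attr_type, comment, attr_value):
        """Add a distribution-5 attribute unless the event already holds it."""
        if search_attributes(misp_api, event_id, attr_value, site.pk):
            return
        attribute = MISPAttribute()
        attribute.category = category
        attribute.type = attr_type
        attribute.distribution = 5
        attribute.comment = comment
        attribute.tags = [tag] if tag is not None else []
        attribute.value = attr_value
        misp_api.add_attribute(event=event_id, attribute=attribute)

    if site.ip:
        push_if_missing("Network activity", "ip-dst", "First IP", site.ip)

    if site.ip_second:
        push_if_missing("Network activity", "ip-dst", "Second IP",
                        site.ip_second)

    if site.mail_A_record_ip:
        push_if_missing("Network activity", "ip-dst",
                        'Mail Server A record IP: mail.' + site.domain_name,
                        site.mail_A_record_ip)

    if site.MX_records:
        for mx in site.MX_records:
            # Each MX entry is expected to stringify as "<preference> <host>."
            # — the second token minus its trailing dot is the host.
            # TODO confirm against the resolver that fills MX_records.
            host = str(mx).split()[1][:-1]
            push_if_missing("Network activity", "domain", "MX record", host)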
        exit(0)

    if args.is_malware:
        arg_type = 'malware-sample'
    else:
        arg_type = 'attachment'

    # Create attributes
    attributes = []
    for f in files:
        a = MISPAttribute()
        a.type = arg_type
        a.value = f.name
        a.data = f
        a.comment = args.comment
        a.distribution = args.distrib
        if args.expand and arg_type == 'malware-sample':
            a.expand = 'binary'
        attributes.append(a)

    if args.event:
        for a in attributes:
            misp.add_attribute(args.event, a)
    else:
        m = MISPEvent()
        m.info = args.info
        m.distribution = args.distrib
        m.attributes = attributes
        if args.expand and arg_type == 'malware-sample':
            m.run_expansions()
        misp.add_event(m)