def map_object(self, row):
misp_object = MISPObject("file")
misp_object.name = "file"
misp_object.first_seen = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S')
ft = row[6].strip().strip("")
file_type = "File Type Guess: " + ft
sha256 = row[1].strip().strip('"')
tax = self.mh.get_file_taxonomy(ft)
link = "https://bazaar.abuse.ch/sample/" + sha256
res = self.misp.search(controller='attributes', value=link)
if len(res['Attribute']) > 0:
return None
misp_object.add_attribute("sha1", value=row[3].strip().strip('"'), type="sha1")
misp_object.add_attribute("md5", value=row[2].strip().strip('"'), type="md5")
misp_object.add_attribute("sha256", value=sha256, type="sha256")
misp_object.add_attribute("filename", value=row[5].strip().strip('"'), type='filename')
misp_object.add_attribute("ssdeep", value=row[12].strip().strip('"'), type='ssdeep')
misp_object.add_attribute("tlsh", value=row[13].strip().strip('"'), type='tlsh')
mime_type = "Mime-Type: " + row[7].strip().strip('"')
misp_object.add_attribute("mimetype", value=mime_type, type='mime-type')
misp_object.add_attribute("link", value=link, type='link')
vt = "VT detection Rate: " + row[10].strip().strip('"') + "%"
if vt != 'n/a%':
misp_object.add_attribute("text", value=vt, type='text')
imphash = row[11].strip().strip('"')
if imphash != 'n/a':
misp_object.add_attribute("imphash", value=imphash, type='imphash')
if tax == '':
misp_object.add_attribute("text", value=file_type, type="text")
else:
for attr in misp_object.attributes:
if attr.to_ids and not attr.disable_correlation:
attr.add_tag(tax)
return misp_object
def export_domain(domain):
domain_obj = Domain.Domain(domain)
dict_metadata = domain_obj.get_domain_metadata(tags=True)
# create domain-ip obj
obj = MISPObject('domain-crawled', standalone=True)
obj.first_seen = dict_metadata['first_seen']
obj.last_seen = dict_metadata['last_check']
l_obj_attr = []
l_obj_attr.append(obj.add_attribute('domain', value=domain))
dict_all_url = Domain.get_domain_all_url(domain,
domain_obj.get_domain_type())
for crawled_url in dict_all_url:
attribute = obj.add_attribute('url', value=crawled_url)
attribute.first_seen = str(dict_all_url[crawled_url]['first_seen'])
attribute.last_seen = str(dict_all_url[crawled_url]['last_seen'])
l_obj_attr.append(attribute)
# add tags
if dict_metadata['tags']:
tag_misp_object_attributes(l_obj_attr, dict_metadata['tags'])
#print(obj.to_json())
return obj
def export_domain(domain):
domain_obj = Domain.Domain(domain)
dict_metadata = domain_obj.get_domain_metadata(tags=True)
dict_metadata['ports'] = ['80', '223', '443']
# create domain-ip obj
obj = MISPObject('domain-ip', standalone=True)
obj.first_seen = dict_metadata['first_seen']
obj.last_seen = dict_metadata['last_check']
l_obj_attr = []
l_obj_attr.append(
obj.add_attribute('first-seen', value=dict_metadata['first_seen']))
l_obj_attr.append(
obj.add_attribute('last-seen', value=dict_metadata['last_check']))
l_obj_attr.append(obj.add_attribute('domain', value=domain))
for port in dict_metadata['ports']:
l_obj_attr.append(obj.add_attribute('port', value=port))
# add tags
if dict_metadata['tags']:
tag_misp_object_attributes(l_obj_attr, dict_metadata['tags'])
#print(obj.to_json())
return obj
def export_ail_item(item_id, tags=[]):
dict_metadata = Item.get_item({
'id': item_id,
'date': True,
'tags': True,
'raw_content': True
})[0]
# force tags
for tag in tags:
if tag not in dict_metadata['tags']:
dict_metadata['tags'].append(tag)
#obj = MISPObject('ail-item', standalone=True)
obj = MISPObject('ail-leak', standalone=True)
obj.first_seen = dict_metadata['date']
l_obj_attr = []
l_obj_attr.append(
obj.add_attribute('first-seen', value=dict_metadata['date']))
l_obj_attr.append(
obj.add_attribute('raw-data',
value=item_id,
data=dict_metadata['raw_content']))
l_obj_attr.append(obj.add_attribute('sensor', value=Export.get_ail_uuid()))
# add tags
if dict_metadata['tags']:
tag_misp_object_attributes(l_obj_attr, dict_metadata['tags'])
return obj
def export_cryptocurrency(crypto_type, crypto_address):
dict_metadata = Cryptocurrency.cryptocurrency.get_metadata(crypto_type, crypto_address)
obj = MISPObject('coin-address')
obj.first_seen = dict_metadata['first_seen']
obj.last_seen = dict_metadata['last_seen']
l_obj_attr = []
l_obj_attr.append( obj.add_attribute('address', value=crypto_address) )
crypto_symbol = Cryptocurrency.get_cryptocurrency_symbol(crypto_type)
if crypto_symbol:
l_obj_attr.append( obj.add_attribute('symbol', value=crypto_symbol) )
return obj
def export_pgp(pgp_type, pgp_value):
dict_metadata = Pgp.pgp.get_metadata(pgp_type, pgp_value)
obj = MISPObject('pgp-meta')
obj.first_seen = dict_metadata['first_seen']
obj.last_seen = dict_metadata['last_seen']
l_obj_attr = []
if pgp_type == 'key':
l_obj_attr.append(obj.add_attribute('key-id', value=pgp_value))
elif pgp_type == 'name':
#l_obj_attr.append( obj.add_attribute('key-id', value='debug') )
l_obj_attr.append(obj.add_attribute('user-id-name', value=pgp_value))
else: # mail
#l_obj_attr.append( obj.add_attribute('key-id', value='debug') )
l_obj_attr.append(obj.add_attribute('user-id-email', value=pgp_value))
return obj
def export_decoded(sha1_string):
decoded_metadata = Decoded.get_decoded_metadata(sha1_string, tag=True)
obj = MISPObject('file')
obj.first_seen = decoded_metadata['first_seen']
obj.last_seen = decoded_metadata['last_seen']
l_obj_attr = []
l_obj_attr.append( obj.add_attribute('sha1', value=sha1_string) )
l_obj_attr.append( obj.add_attribute('mimetype', value=Decoded.get_decoded_item_type(sha1_string)) )
l_obj_attr.append( obj.add_attribute('malware-sample', value=sha1_string, data=Decoded.get_decoded_file_content(sha1_string)) )
# add tags
if decoded_metadata['tags']:
tag_misp_object_attributes(l_obj_attr, decoded_metadata['tags'])
return obj
def parse_passivedns_results(self, query_response):
for query_type, results in query_response.items():
comment = self.comment % (query_type,
TYPE_TO_FEATURE[self.attribute['type']],
self.attribute['value'])
for result in results:
passivedns_object = MISPObject('passive-dns')
if result.get('rdata') and isinstance(result['rdata'], list):
for rdata in result.pop('rdata'):
passivedns_object.add_attribute(
**self._parse_attribute(comment, 'rdata', rdata))
for feature, value in result.items():
passivedns_object.add_attribute(
**self._parse_attribute(comment, feature, value))
if result.get('time_first'):
passivedns_object.first_seen = result['time_first']
if result.get('time_last'):
passivedns_object.last_seen = result['time_last']
passivedns_object.add_reference(self.attribute['uuid'],
'related-to')
self.misp_event.add_object(passivedns_object)
def parse_and_insert_cof(data: str) -> dict:
"""Parse and validate the COF data.
Parameters
----------
data as a string
Returns
-------
A dict with either the error message or the data which may be sent off the the caller of handler()
Raises
--------
none. All Exceptions will be handled here. On error, a misperror is returned.
"""
objects = []
try:
entries = ndjson.loads(data)
for entry in entries: # iterate over all ndjson lines
# validate here (simple validation or full JSON Schema validation)
if not validate_cof(entry):
return {
"error": "Could not validate the COF input '%s'" % entry
}
# Next, extract some fields
rrtype = entry['rrtype'].upper()
rrname = entry['rrname'].rstrip('.')
rdata = [x.rstrip('.') for x in entry['rdata']]
# create a new MISP object, based on the passive-dns object for each nd-JSON line
o = MISPObject(name='passive-dns',
standalone=False,
comment='created by cof2misp')
# o.add_tag('tlp:amber') # FIXME: we'll want to add a tlp: tag to the object
if 'bailiwick' in entry:
o.add_attribute('bailiwick',
value=entry['bailiwick'].rstrip('.'),
distribution=0)
#
# handle the combinations of rrtype (domain, ip) on both left and right side
#
if create_specific_attributes:
if rrtype in ['A', 'AAAA', 'A6']: # address type
# address type
o.add_attribute('rrname_domain',
value=rrname,
distribution=0)
for r in rdata:
o.add_attribute('rdata_ip', value=r, distribution=0)
elif rrtype in ['CNAME', 'DNAME',
'NS']: # both sides are domains
o.add_attribute('rrname_domain',
value=rrname,
distribution=0)
for r in rdata:
o.add_attribute('rdata_domain',
value=r,
distribution=0)
elif rrtype in ['SOA'
]: # left side is a domain, right side is text
o.add_attribute('rrname_domain',
value=rrname,
distribution=0)
#
# now do the regular filling up of rrname, rrtype, time_first, etc.
#
o.add_attribute('rrname', value=rrname, distribution=0)
o.add_attribute('rrtype', value=rrtype, distribution=0)
for r in rdata:
o.add_attribute('rdata', value=r, distribution=0)
o.add_attribute(
'raw_rdata', value=json.dumps(rdata),
distribution=0) # FIXME: do we need to hex encode it?
o.add_attribute('time_first',
value=entry['time_first'],
distribution=0)
o.add_attribute('time_last',
value=entry['time_last'],
distribution=0)
o.first_seen = entry['time_first'] # is this redundant?
o.last_seen = entry['time_last']
#
# Now add the other optional values. # FIXME: how about a map() other function. DNRY
#
for k in [
'count', 'sensor_id', 'origin', 'text', 'time_first_ms',
'time_last_ms', 'zone_time_first', 'zone_time_last'
]:
if k in entry and entry[k]:
o.add_attribute(k, value=entry[k], distribution=0)
#
# add COF entry to MISP object
#
objects.append(o.to_json())
r = {'results': {'Object': [json.loads(o) for o in objects]}}
except Exception as ex:
misperrors[
"error"] = "An error occured during parsing of input: '%s'" % (
str(ex), )
return misperrors
return r
