Exemple #1
0
def export_domain(domain):
    domain_obj = Domain.Domain(domain)
    dict_metadata = domain_obj.get_domain_metadata(tags=True)
    dict_metadata['ports'] = ['80', '223', '443']

    # create domain-ip obj
    obj = MISPObject('domain-ip', standalone=True)
    obj.first_seen = dict_metadata['first_seen']
    obj.last_seen = dict_metadata['last_check']

    l_obj_attr = []
    l_obj_attr.append(
        obj.add_attribute('first-seen', value=dict_metadata['first_seen']))
    l_obj_attr.append(
        obj.add_attribute('last-seen', value=dict_metadata['last_check']))
    l_obj_attr.append(obj.add_attribute('domain', value=domain))
    for port in dict_metadata['ports']:
        l_obj_attr.append(obj.add_attribute('port', value=port))

    # add tags
    if dict_metadata['tags']:
        tag_misp_object_attributes(l_obj_attr, dict_metadata['tags'])

    #print(obj.to_json())
    return obj
Exemple #2
0
def export_domain(domain):
    domain_obj = Domain.Domain(domain)
    dict_metadata = domain_obj.get_domain_metadata(tags=True)

    # create domain-ip obj
    obj = MISPObject('domain-crawled', standalone=True)
    obj.first_seen = dict_metadata['first_seen']
    obj.last_seen = dict_metadata['last_check']

    l_obj_attr = []
    l_obj_attr.append(obj.add_attribute('domain', value=domain))
    dict_all_url = Domain.get_domain_all_url(domain,
                                             domain_obj.get_domain_type())
    for crawled_url in dict_all_url:
        attribute = obj.add_attribute('url', value=crawled_url)
        attribute.first_seen = str(dict_all_url[crawled_url]['first_seen'])
        attribute.last_seen = str(dict_all_url[crawled_url]['last_seen'])
        l_obj_attr.append(attribute)

    # add tags
    if dict_metadata['tags']:
        tag_misp_object_attributes(l_obj_attr, dict_metadata['tags'])

    #print(obj.to_json())
    return obj
Exemple #3
0
def export_cryptocurrency(crypto_type, crypto_address):
    dict_metadata = Cryptocurrency.cryptocurrency.get_metadata(crypto_type, crypto_address)

    obj = MISPObject('coin-address')
    obj.first_seen = dict_metadata['first_seen']
    obj.last_seen = dict_metadata['last_seen']

    l_obj_attr = []
    l_obj_attr.append( obj.add_attribute('address', value=crypto_address) )
    crypto_symbol = Cryptocurrency.get_cryptocurrency_symbol(crypto_type)
    if crypto_symbol:
        l_obj_attr.append( obj.add_attribute('symbol', value=crypto_symbol) )

    return obj
Exemple #4
0
def export_pgp(pgp_type, pgp_value):
    dict_metadata = Pgp.pgp.get_metadata(pgp_type, pgp_value)

    obj = MISPObject('pgp-meta')
    obj.first_seen = dict_metadata['first_seen']
    obj.last_seen = dict_metadata['last_seen']

    l_obj_attr = []
    if pgp_type == 'key':
        l_obj_attr.append(obj.add_attribute('key-id', value=pgp_value))
    elif pgp_type == 'name':
        #l_obj_attr.append( obj.add_attribute('key-id', value='debug') )
        l_obj_attr.append(obj.add_attribute('user-id-name', value=pgp_value))
    else:  # mail
        #l_obj_attr.append( obj.add_attribute('key-id', value='debug') )
        l_obj_attr.append(obj.add_attribute('user-id-email', value=pgp_value))
    return obj
Exemple #5
0
def export_decoded(sha1_string):

    decoded_metadata = Decoded.get_decoded_metadata(sha1_string, tag=True)

    obj = MISPObject('file')
    obj.first_seen = decoded_metadata['first_seen']
    obj.last_seen = decoded_metadata['last_seen']

    l_obj_attr = []
    l_obj_attr.append( obj.add_attribute('sha1', value=sha1_string) )
    l_obj_attr.append( obj.add_attribute('mimetype', value=Decoded.get_decoded_item_type(sha1_string)) )
    l_obj_attr.append( obj.add_attribute('malware-sample', value=sha1_string, data=Decoded.get_decoded_file_content(sha1_string)) )

    # add tags
    if decoded_metadata['tags']:
        tag_misp_object_attributes(l_obj_attr, decoded_metadata['tags'])

    return obj
Exemple #6
0
 def parse_passivedns_results(self, query_response):
     for query_type, results in query_response.items():
         comment = self.comment % (query_type,
                                   TYPE_TO_FEATURE[self.attribute['type']],
                                   self.attribute['value'])
         for result in results:
             passivedns_object = MISPObject('passive-dns')
             if result.get('rdata') and isinstance(result['rdata'], list):
                 for rdata in result.pop('rdata'):
                     passivedns_object.add_attribute(
                         **self._parse_attribute(comment, 'rdata', rdata))
             for feature, value in result.items():
                 passivedns_object.add_attribute(
                     **self._parse_attribute(comment, feature, value))
             if result.get('time_first'):
                 passivedns_object.first_seen = result['time_first']
             if result.get('time_last'):
                 passivedns_object.last_seen = result['time_last']
             passivedns_object.add_reference(self.attribute['uuid'],
                                             'related-to')
             self.misp_event.add_object(passivedns_object)
Exemple #7
0
def parse_and_insert_cof(data: str) -> dict:
    """Parse and validate the COF data.

    Parameters
    ----------
      data as a string

    Returns
    -------
      A dict with either the error message or the data which may be sent off the the caller of handler()

    Raises
    --------
      none. All Exceptions will be handled here. On error, a misperror is returned.
    """

    objects = []
    try:
        entries = ndjson.loads(data)
        for entry in entries:  # iterate over all ndjson lines

            # validate here (simple validation or full JSON Schema validation)
            if not validate_cof(entry):
                return {
                    "error": "Could not validate the COF input '%s'" % entry
                }

            # Next, extract some fields
            rrtype = entry['rrtype'].upper()
            rrname = entry['rrname'].rstrip('.')
            rdata = [x.rstrip('.') for x in entry['rdata']]

            # create a new MISP object, based on the passive-dns object for each nd-JSON line
            o = MISPObject(name='passive-dns',
                           standalone=False,
                           comment='created by cof2misp')

            # o.add_tag('tlp:amber')                                    # FIXME: we'll want to add a tlp: tag to the object
            if 'bailiwick' in entry:
                o.add_attribute('bailiwick',
                                value=entry['bailiwick'].rstrip('.'),
                                distribution=0)

            #
            # handle the combinations of rrtype (domain, ip) on both left and right side
            #

            if create_specific_attributes:
                if rrtype in ['A', 'AAAA', 'A6']:  # address type
                    # address type
                    o.add_attribute('rrname_domain',
                                    value=rrname,
                                    distribution=0)
                    for r in rdata:
                        o.add_attribute('rdata_ip', value=r, distribution=0)
                elif rrtype in ['CNAME', 'DNAME',
                                'NS']:  # both sides are domains
                    o.add_attribute('rrname_domain',
                                    value=rrname,
                                    distribution=0)
                    for r in rdata:
                        o.add_attribute('rdata_domain',
                                        value=r,
                                        distribution=0)
                elif rrtype in ['SOA'
                                ]:  # left side is a domain, right side is text
                    o.add_attribute('rrname_domain',
                                    value=rrname,
                                    distribution=0)

            #
            # now do the regular filling up of rrname, rrtype, time_first, etc.
            #
            o.add_attribute('rrname', value=rrname, distribution=0)
            o.add_attribute('rrtype', value=rrtype, distribution=0)
            for r in rdata:
                o.add_attribute('rdata', value=r, distribution=0)
            o.add_attribute(
                'raw_rdata', value=json.dumps(rdata),
                distribution=0)  # FIXME: do we need to hex encode it?
            o.add_attribute('time_first',
                            value=entry['time_first'],
                            distribution=0)
            o.add_attribute('time_last',
                            value=entry['time_last'],
                            distribution=0)
            o.first_seen = entry['time_first']  # is this redundant?
            o.last_seen = entry['time_last']

            #
            # Now add the other optional values.                        # FIXME: how about a map() other function. DNRY
            #
            for k in [
                    'count', 'sensor_id', 'origin', 'text', 'time_first_ms',
                    'time_last_ms', 'zone_time_first', 'zone_time_last'
            ]:
                if k in entry and entry[k]:
                    o.add_attribute(k, value=entry[k], distribution=0)

            #
            # add COF entry to MISP object
            #
            objects.append(o.to_json())

        r = {'results': {'Object': [json.loads(o) for o in objects]}}
    except Exception as ex:
        misperrors[
            "error"] = "An error occured during parsing of input: '%s'" % (
                str(ex), )
        return misperrors
    return r