def populate(self, json):
item = json['event']
self.event = Event()
self.event.populate(item)
# Check if not a report
if json.get('report', None) or json.get('reference', None):
item = json.get('report', None)
if item:
self.report = Report()
self.report.populate(item)
item = json.get('reference', None)
if item:
self.reference = Reference()
self.reference.populate(item)
else:
item = json.get('observable', None)
if item:
self.observable = Observable()
self.observable.populate(item)
item = json.get('object', None)
if item:
self.object = Object()
self.object.populate(item)
item = json.get('attribute', None)
if item:
self.attribute = Attribute()
self.attribute.populate(item)
def populate(self, json):
self.identifier = json.get('identifier', None)
definition_id = json.get('definition_id', None)
if definition_id:
self.definition_id = definition_id
definition = json.get('definition', None)
if definition:
definitin_instance = ObjectDefinition()
definitin_instance.populate(definition)
self.definition = definitin_instance
if self.definition_id and self.definition:
if self.definition.identifier and self.definition_id != self.definition.identifier:
raise ValueException(u'Object definitions cannot be updated')
if not (self.definition_id or self.definition):
raise ValueException(u'Object definition or definition_id must be set')
self.properties.populate(json.get('properties', Properties('0')))
creator_group = json.get('creator_group', None)
if creator_group:
cg_instance = Group()
cg_instance.populate(creator_group)
self.creator_group = cg_instance
modifier_group = json.get('modifier_group', None)
if modifier_group:
cg_instance = Group()
cg_instance.populate(modifier_group)
self.modifier = cg_instance
created_at = json.get('created_at', None)
if created_at:
self.created_at = strings.stringToDateTime(created_at)
modified_on = json.get('modified_on', None)
if modified_on:
self.modified_on = strings.stringToDateTime(modified_on)
rel_obs = json.get('related_objects', None)
if rel_obs:
for rel_ob in rel_obs:
obj_instance = RelatedObject()
obj_instance.populate(rel_ob)
self.related_objects.append(obj_instance)
attribtues = json.get('attributes', None)
if attribtues:
for attribtue in attribtues:
attribute = Attribute()
attribute.populate(attribtue)
self.attributes.append(attribute)
class SearchResult(RestBase):
def __init__(self):
RestBase.__init__(self)
self.event = None
self.object = None
self.observable = None
self.attribute = None
self.report = None
self.reference = None
def populate(self, json):
item = json['event']
self.event = Event()
self.event.populate(item)
# Check if not a report
if json.get('report', None) or json.get('reference', None):
item = json.get('report', None)
if item:
self.report = Report()
self.report.populate(item)
item = json.get('reference', None)
if item:
self.reference = Reference()
self.reference.populate(item)
else:
item = json.get('observable', None)
if item:
self.observable = Observable()
self.observable.populate(item)
item = json.get('object', None)
if item:
self.object = Object()
self.object.populate(item)
item = json.get('attribute', None)
if item:
self.attribute = Attribute()
self.attribute.populate(item)
def append_attributes(self, obj, observable, id_, category, type_, value, ioc, share, event, uuid):
if type_ in ['regkey', 'regkey|value']:
if '|' in value:
value = value.replace('/', '\\')
splited = value.split('|')
pos = splited[0].find("\\")
key_name = splited[0][pos + 1:]
splitted = key_name.split(' ')
if len(splitted) > 1:
key = splitted[0]
name = splitted[1]
else:
key = key_name
name = None
hive = splited[0][0:pos]
data = splited[1]
else:
value = value.replace('/', '\\')
pos = value.find("\\")
key = value[pos + 1:]
hive = value[0:pos]
data = None
name = None
if hive == 'HKLM' or 'HKEY_LOCAL_MACHINE' in hive:
hive = 'HKEY_LOCAL_MACHINE'
elif hive in ['HKCU', 'HK_CURRENT_USER', 'HCKU'] or 'HKEY_CURRENT_USER' in hive:
hive = 'HKEY_CURRENT_USER'
elif hive in ['HKEY_CURRENTUSER', 'HKU']:
hive = 'HKEY_CURRENT_USER'
elif hive in ['HKCR', 'HKEY_CLASSES_ROOT']:
hive = 'HKEY_CLASSES_ROOT'
else:
if hive[0:1] == 'H' and hive != 'HKCU_Classes':
message = '"{0}" not defined from {1}'.format(hive, self.__get_event_msg(event))
self.syslogger.error(message)
raise MispMappingException(message)
else:
hive = None
if hive:
self.append_attributes(obj, observable, id_, category, 'WindowsRegistryKey_Hive', hive, ioc, share, event, uuid4())
if name:
self.append_attributes(obj, observable, id_, category, 'WindowsRegistryKey_RegistryValue_Name', name, ioc, share, event, uuid4())
if data:
self.append_attributes(obj, observable, id_, category, 'WindowsRegistryKey_RegistryValue_Data', data, ioc, share, event, uuid4())
self.append_attributes(obj, observable, id_, category, 'WindowsRegistryKey_Key', key, ioc, share, event, uuid)
elif '|' in type_:
# it is a composed attribute
if type_ in ('filename|md5', 'filename|sha1', 'filename|sha256'):
splitted = type_.split('|')
if len(splitted) == 2:
first_type = splitted[0]
second_type = splitted[1]
splitted_values = value.split('|')
first_value = splitted_values[0]
second_value = splitted_values[1]
self.append_attributes(obj, observable, id_, category, first_type, first_value, ioc, share, event, uuid)
self.append_attributes(obj, observable, id_, category, second_type, second_value, ioc, share, event, uuid4())
else:
message = 'Composed attribute {0} splits into more than 2 elements for {1}'.format(type_, self.__get_event_msg(event))
self.syslogger.error(message)
raise MispMappingException(message)
else:
message = 'Composed attribute {0} cannot be mapped for {1}'.format(type_, self.__get_event_msg(event))
self.syslogger.error(message)
raise MispMappingException(message)
elif category in ['artifacts dropped', 'payload delivery', 'payload installation'] and type_ == 'malware-sample':
filename = value
filename_uuid = uuid
splitted = value.split('|')
if len(splitted) == 2:
first_type = 'File_Name'
first_value = splitted[0]
filename = first_value
second_value = splitted[1]
second_type = self.get_hash_type(second_value)
self.append_attributes(obj, observable, id_, category, first_type, first_value, ioc, share, event, uuid)
self.append_attributes(obj, observable, id_, category, second_type, second_value, ioc, share, event, uuid4())
else:
message = 'Composed attribute {0} splits into more than 2 elements for {1}'.format(type_, self.__get_event_msg(event))
self.syslogger.error(message)
raise MispMappingException(message)
# Download the attachment if it exists
data = self.fetch_attachment(id_, filename_uuid, event.identifier, filename)
if data:
message = u'Downloaded file "{0}" id:{1} from {2}'.format(filename, id_, self.__get_event_msg(event))
self.syslogger.info(message)
# build raw_artifact
raw_artifact = Object()
raw_artifact.identifier = uuid4()
self.set_properties(raw_artifact, share)
self.set_extended_logging(raw_artifact, event)
raw_artifact.definition = self.get_object_definition('Artifact', None, None, event)
if raw_artifact.definition:
raw_artifact.definition_id = raw_artifact.definition.identifier
else:
message = 'Could not find object definition Artifact from {0}'.format(self.__get_event_msg(event))
self.syslogger.error(message)
raise MispMappingException(message)
# add raw artifact
attr = Attribute()
attr.identifier = uuid4()
attr.definition = self.get_attibute_definition('', 'raw_artifact', None, raw_artifact, observable, attr, event)
if attr.definition:
attr.definition_id = attr.definition.identifier
else:
message = 'Could not find attribute definition raw_artifact from {0}'.format(self.__get_event_msg(event))
self.syslogger.error(message)
raise MispMappingException(message)
# TODO
attr.value = base64.b64encode(data)
self.set_properties(attr, share)
self.set_extended_logging(attr, event)
raw_artifact.attributes.append(attr)
rel_Object = RelatedObject()
rel_Object.object = raw_artifact
obj.related_objects.append(rel_Object)
else:
message = u'Failed to download file "{0}" id:{1}, add manually form {2}'.format(filename, id_, self.__get_event_msg(event))
self.syslogger.warning(message)
else:
attribute = Attribute()
# workaround for https://github.com/MISP/MISP/issues/452
if uuid not in self.seen_attr_ids:
attribute.identifier = uuid
self.seen_attr_ids.append(uuid)
else:
uuid = '{0}'.format(uuid4())
self.seen_attr_ids.append(uuid)
attribute.identifier = uuid
self.set_properties(attribute, share)
self.set_extended_logging(attribute, event)
attribute.definition = self.get_attibute_definition(category, type_, value, obj, observable, attribute, event)
if attribute.definition:
attribute.definition_id = attribute.definition.identifier
attribute.value = value
if ioc == 1:
attribute.is_ioc = True
else:
attribute.is_ioc = False
attribute.properties.is_shareable = True
obj.attributes.append(attribute)