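def create_attr(self, raw_attr: dict) -> MISPAttribute:
    """Build a MISP ``url`` attribute from one URLhaus feed record.

    Every string copied into the attribute (value, tags, comment) comes
    straight from the feed record and is not validated here.

    Args:
        raw_attr: Mapping for a single feed row. The keys read are ``url``,
            ``dateadded``, ``tags``, ``url_status``, ``reporter`` and
            ``urlhaus_link``.

    Returns:
        The populated attribute. ``to_ids`` is True only when ``url_status``
        equals ``'online'`` and False for any other present status; when the
        status is missing, ``to_ids`` is not assigned here and keeps whatever
        default MISPAttribute gives it.

    Raises:
        KeyError: If one of the keys listed above is absent.
        ValueError: If ``dateadded`` is not ``YYYY-MM-DD HH:MM:SS``.
    """
    attr = MISPAttribute()
    attr.type = 'url'
    attr.value = raw_attr['url']
    attr.disable_correlation = False
    # NOTE(review): parsed as a naive datetime; confirm which timezone the
    # feed publishes so first_seen is not shifted by the host's local zone.
    attr.first_seen = datetime.strptime(raw_attr['dateadded'], '%Y-%m-%d %H:%M:%S')

    # Source tag first, so every attribute from this feed can be filtered.
    self.add_tag_to_attribute(attr, 'URLhaus')

    # Feed-supplied tags. The other optional fields below are checked with
    # pandas.isna, so a missing value is presumably NaN; NaN is truthy and has
    # no .split(), hence the explicit str check. Empty fragments ("a,,b" or a
    # trailing comma) are dropped rather than turned into empty tags.
    raw_tags = raw_attr['tags']
    if isinstance(raw_tags, str):
        for tag in raw_tags.split(','):
            tag = tag.strip()
            if tag:
                self.add_tag_to_attribute(attr, tag)

    # Only URLs the feed currently reports as online are flagged for IDS
    # export; every other status is recorded as a tag but not actioned.
    url_status = raw_attr['url_status']
    if not pandas.isna(url_status):
        attr.to_ids = bool(url_status == 'online')
        self.add_tag_to_attribute(attr, url_status)

    reporter = raw_attr['reporter']
    if not pandas.isna(reporter):
        self.add_tag_to_attribute(attr, reporter)

    # Link back to the feed entry so an analyst can verify the indicator.
    attr.comment = raw_attr['urlhaus_link']
    return attr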
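def create_attr_azorult(self, raw_attr: dict) -> 'list[MISPAttribute]':
    """Build MISP attributes from one Azorult tracker record.

    One attribute is produced for each of the record's ``domain``, ``ip``
    and ``panel_index`` keys that is present, mapped to the MISP types
    ``domain``, ``ip-dst`` and ``url`` respectively. All of them carry the
    same tags and ``first_seen`` and are created with ``to_ids = False``.

    Args:
        raw_attr: Mapping for a single tracker entry. ``panel_version``,
            ``feeder``, ``status`` and ``first_seen`` are read whenever at
            least one indicator key is present; ``first_seen`` is passed to
            ``datetime.fromtimestamp``.

    Returns:
        A list of attributes, empty when none of the indicator keys is
        present. (The previous annotation named a single MISPAttribute; the
        return value has always been a list. The annotation is quoted so it
        is never evaluated at definition time.)

    Raises:
        KeyError: If an indicator key is present but ``panel_version``,
            ``feeder``, ``status`` or ``first_seen`` is missing.
    """
    # (key in the feed record, MISP attribute type)
    field_map = (
        ('domain', 'domain'),
        ('ip', 'ip-dst'),
        ('panel_index', 'url'),
    )

    attr_list = []
    for json_key, misp_type in field_map:
        if json_key not in raw_attr:
            continue

        attr = MISPAttribute()
        # Source tag plus feed-supplied context; the values are copied from
        # the record as they are.
        self.add_tag_to_attribute(attr, 'AzorultTracker')
        self.add_tag_to_attribute(attr, raw_attr['panel_version'])
        self.add_tag_to_attribute(attr, raw_attr['feeder'])
        self.add_tag_to_attribute(attr, raw_attr['status'])

        attr.comment = f'Azorult panel {misp_type}'
        # fromtimestamp() yields a naive datetime in the host's local zone.
        attr.first_seen = datetime.fromtimestamp(raw_attr['first_seen'])
        # Imported as context only: never flagged for IDS export.
        attr.to_ids = False
        attr.disable_correlation = False
        attr.type = misp_type
        attr.value = f"{raw_attr[json_key]}"
        attr_list.append(attr)
    return attr_list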
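def create_attr_feodo(self, raw_attr: dict) -> MISPAttribute:
    """Build an ``ip-dst|port`` attribute from one Feodo Tracker record.

    Args:
        raw_attr: Mapping for a single feed row. The keys read are ``DstIP``,
            ``DstPort``, ``Malware``, ``Firstseen`` (``YYYY-MM-DD HH:MM:SS``)
            and ``LastOnline`` (``YYYY-MM-DD``, may be missing/NaN).

    Returns:
        The populated attribute, created with ``to_ids = False``.
        ``first_seen`` and ``last_seen`` are both UTC-aware, and
        ``last_seen`` is never earlier than ``first_seen``.

    Raises:
        KeyError: If one of the keys listed above is absent.
        ValueError: If a timestamp does not match its expected format.
    """
    attr = MISPAttribute()
    attr.type = 'ip-dst|port'
    attr.value = f"{raw_attr['DstIP']}|{raw_attr['DstPort']}"
    self.add_tag_to_attribute(attr, 'FeodoTracker')
    self.add_tag_to_attribute(attr, raw_attr['Malware'])
    attr.comment = 'Feodo tracker DST IP/port'

    # Parse Firstseen once and pin it to UTC. Previously first_seen was stored
    # as a naive datetime while last_seen was derived from a UTC-pinned copy of
    # the same string, so on a host outside UTC the stored pair could disagree
    # (and last_seen could end up before first_seen).
    first_seen = datetime.strptime(
        str(raw_attr['Firstseen']), '%Y-%m-%d %H:%M:%S'
    ).replace(tzinfo=pytz.utc)
    attr.first_seen = first_seen

    # Without a LastOnline value, last_seen falls back to first_seen.
    last_seen = first_seen
    if not pandas.isna(raw_attr['LastOnline']):
        # LastOnline is a date only, i.e. midnight; a same-day Firstseen would
        # then be later than it, so nudge last_seen just past first_seen.
        last_online = datetime.strptime(
            str(raw_attr['LastOnline']), '%Y-%m-%d'
        ).replace(tzinfo=pytz.utc)
        if first_seen > last_online:
            last_seen = first_seen + timedelta(seconds=1)
        else:
            last_seen = last_online
    attr.last_seen = last_seen

    # Imported as context only: never flagged for IDS export.
    attr.to_ids = False
    attr.disable_correlation = False
    return attr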