def create_attr(self, raw_attr: dict) -> MISPAttribute: # Create attribute and assign simple values attr = MISPAttribute() attr.type = 'url' attr.value = raw_attr['url'] attr.disable_correlation = False attr.__setattr__('first_seen', datetime.strptime(raw_attr['dateadded'], '%Y-%m-%d %H:%M:%S')) # Add URLhaus tag self.add_tag_to_attribute(attr, 'URLhaus') # Add other tags if raw_attr['tags']: for tag in raw_attr['tags'].split(','): self.add_tag_to_attribute(attr, tag.strip()) # Add online/offline tag if not pandas.isna(raw_attr['url_status']): if raw_attr['url_status'] == 'online': attr.to_ids = True else: attr.to_ids = False self.add_tag_to_attribute(attr, raw_attr['url_status']) # Add reporter tag if not pandas.isna(raw_attr['reporter']): self.add_tag_to_attribute(attr, raw_attr['reporter']) attr.comment = raw_attr['urlhaus_link'] return attr
def create_attr_azorult(self, raw_attr: dict) -> MISPAttribute: attr_list = [] for type in [{'json': 'domain', 'misp': 'domain'}, {'json': 'ip', 'misp': 'ip-dst'}, {'json': 'panel_index', 'misp': 'url'}]: if type['json'] in raw_attr: attr = MISPAttribute() self.add_tag_to_attribute(attr, 'AzorultTracker') self.add_tag_to_attribute(attr, raw_attr['panel_version']) self.add_tag_to_attribute(attr, raw_attr['feeder']) self.add_tag_to_attribute(attr, raw_attr['status']) attr.comment = f'Azorult panel {type["misp"]}' attr.__setattr__('first_seen', datetime.fromtimestamp(raw_attr['first_seen'])) attr.to_ids = False attr.disable_correlation = False attr.type = type['misp'] attr.value = f"{raw_attr[type['json']]}" attr_list.append(attr) return attr_list
def create_attr_feodo(self, raw_attr: dict) -> MISPAttribute: attr = MISPAttribute() attr.type = 'ip-dst|port' attr.value = f"{raw_attr['DstIP']}|{raw_attr['DstPort']}" self.add_tag_to_attribute(attr, 'FeodoTracker') self.add_tag_to_attribute(attr, raw_attr['Malware']) attr.comment = 'Feodo tracker DST IP/port' attr.__setattr__('first_seen', datetime.strptime(raw_attr['Firstseen'], '%Y-%m-%d %H:%M:%S')) if not pandas.isna(raw_attr['LastOnline']): last_seen_time = datetime.strptime(str(raw_attr['LastOnline']), '%Y-%m-%d').replace(tzinfo=pytz.utc) first_seen_time = datetime.strptime(str(raw_attr["Firstseen"]), '%Y-%m-%d %H:%M:%S').replace(tzinfo=pytz.utc) if first_seen_time > last_seen_time: last_seen_time = first_seen_time + timedelta(seconds=1) attr.__setattr__('last_seen', last_seen_time) else: last_seen_time = datetime.strptime(str(raw_attr['Firstseen']), '%Y-%m-%d %H:%M:%S').replace(tzinfo=pytz.utc) attr.__setattr__('last_seen', last_seen_time) attr.to_ids = False attr.disable_correlation = False return attr
def poll_taxii(): global f_hashes, f_manifest, f_events results_dict = {} client = create_client( CYBERSAIYAN_FEED_URL, use_https=TAXII_USE_TLS, discovery_path=TAXII_DISCOVERY_PATH ) blocks = client.poll(collection_name=CYBERSAIYAN_COLLECTION_NAME) for block in blocks: content = block.content if content: if type(content) == str: continue elif type(content) == bytes: content = content.decode('utf-8') pkg = STIXPackage.from_xml(StringIO(content)) title = pkg.stix_header.title information_source = pkg.stix_header.information_source.identity.name cs_event = (title, information_source) cs_event_hash = hash(cs_event) db_cursor.execute("SELECT uuid FROM hashes WHERE hash = '%s'" % cs_event_hash) element = db_cursor.fetchone() if element: e_uuid = element[0] else: e_uuid = str(uuid.uuid4()) db_cursor.execute("INSERT INTO hashes VALUES (?,?)", (cs_event_hash,e_uuid,)) if cs_event_hash not in results_dict: results_dict[cs_event_hash] = MISPEvent() m_ev = results_dict[cs_event_hash] m_ev.info = str(pkg.stix_header.description) m_ev.analysis = 0 m_ev.uuid = e_uuid #m_ev.org = "CyberSaiyan" csorg = MISPOrganisation() csorg.name = "CyberSaiyan" csorg.uuid = "8aaa81ed-72ef-4fb1-8e96-fa1bc200faeb" m_ev.orgc = csorg marking = pkg.stix_header.handling.marking tlp = 0 found_tlp = False for m in marking: for struct in m.marking_structures: if struct._XSI_TYPE == "tlpMarking:TLPMarkingStructureType": found_tlp = True tlp = max(TLP[struct.color.lower()], tlp) if tlp == 0 and not found_tlp: tlp = TLP["amber"] m_ev.add_tag("tlp:"+TLP[tlp]) m_ev.add_tag("CyberSaiyan") indicators = pkg.indicators last_ts = utc.localize(datetime.datetime(1970,1,1)) for indicator in indicators: cur_ts = indicator.timestamp if cur_ts > last_ts: last_ts = cur_ts obj = indicator.observable.object_ obj_d = obj.properties.to_dict() attr_type = obj_d["xsi:type"] if attr_type == "AddressObjectType": attr = MISPAttribute() attr.category = "Network activity" attr.type = "ip-dst" attr.value = obj_d["address_value"] attr.disable_correlation = False attr.to_ids = True elif attr_type == "DomainNameObjectType": attr = MISPAttribute() attr.category = "Network activity" attr.type = "domain" attr.value = obj_d["value"] attr.disable_correlation = False attr.to_ids = True elif attr_type == "URIObjectType": attr = MISPAttribute() attr.category = "Network activity" attr.type = "url" attr.value = obj_d["value"] attr.disable_correlation = False attr.to_ids = True elif attr_type == "FileObjectType": hash_type = obj_d["hashes"][0]["type"]["value"].lower() hash_value = obj_d["hashes"][0]["simple_hash_value"] attr = MISPAttribute() attr.category = "Payload delivery" assert hash_type in ('md5', "sha1", "sha224", "sha256", "sha384", "sha512", "ssdeep") attr.type = hash_type attr.value = hash_value attr.disable_correlation = False attr.to_ids = True m_ev.date = last_ts.strftime("%Y-%m-%d") m_ev.attributes.append(attr) db_conn.commit() c_hashes, c_manifest, c_events = list(), dict(), dict() for event in results_dict.values(): e_feed = event.to_feed(with_meta=True).get("Event") c_hashes += [[h, event.uuid] for h in e_feed.pop("_hashes")] c_manifest.update(e_feed.pop('_manifest')) c_events[event.uuid] = e_feed f_hashes, f_manifest, f_events = c_hashes, c_manifest, c_events
if (context == "dropped_by_sha256"): sample.add_reference( referenced_uuid=ref_uuid, relationship_type='dropped-by') else: sample.add_reference(referenced_uuid=ref_uuid, relationship_type='drops') elif (context.casefold() in API_LINK_CONTEXTS): url_ref = value.replace('\\', '') attribute = MISPAttribute() if (url_ref not in attributes): attribute.category = "External analysis" attribute.type = "url" attribute.value = url_ref attribute.to_ids = False attribute.disable_correlation = True attributes.update({attribute.value: attribute}) else: attribute = attributes[url_ref] sample.add_reference(referenced_uuid=attribute.uuid, relationship_type='related-to') else: print("Lost context: {}".format(context)) attribute = MISPAttribute() attribute.category = "External analysis" attribute.type = "url" attribute.value = "https://bazaar.abuse.ch/sample/{}/".format(hash) attribute.to_ids = False attribute.disable_correlation = True