def addHash(hashValue):
eid = checkAge()
hashValue = hashValue.strip()
md5 = re.compile(r'[0-9a-f]{32}$', flags=re.IGNORECASE)
sha1 = re.compile(r'[0-9a-f]{40}$', flags=re.IGNORECASE)
sha256 = re.compile(r'[0-9a-f]{64}$', flags=re.IGNORECASE)
if re.match(sha256, hashValue):
hashType = "sha256"
mispAttribute = MISPAttribute()
mispAttribute.type = 'sha256'
mispAttribute.value = hashValue
misp.add_attribute(eid, mispAttribute)
elif re.match(sha1, hashValue):
hashType = "sha1"
mispAttribute = MISPAttribute()
mispAttribute.type = 'sha1'
mispAttribute.value = hashValue
misp.add_attribute(eid, mispAttribute)
elif re.match(md5, hashValue):
hashType = "md5"
mispAttribute = MISPAttribute()
mispAttribute.type = 'md5'
mispAttribute.value = hashValue
misp.add_attribute(eid, mispAttribute)
else:
returnFailure("hash", hashValue, "length of %s" % len(hashValue))
returnSuccess("%s hash" % hashType, hashValue, eid)
def create_new_event(self, entry):
attribute = MISPAttribute()
attribute.type = "malware-sample"
attribute.value = entry["shasum"]
attribute.data = Path(entry["outfile"])
attribute.comment = "File uploaded to Cowrie ({})".format(entry["sensor"])
attribute.expand = "binary"
if "url" in entry:
attributeURL = MISPAttribute()
attributeURL.type = "url"
attributeURL.value = entry["url"]
attributeURL.to_ids = True
else:
attributeURL = MISPAttribute()
attributeURL.type = "text"
attributeURL.value = "External upload"
attributeIP = MISPAttribute()
attributeIP.type = "ip-src"
attributeIP.value = entry["src_ip"]
attributeDT = MISPAttribute()
attributeDT.type = "datetime"
attributeDT.value = entry["timestamp"]
event = MISPEvent()
event.info = "File uploaded to Cowrie ({})".format(entry["sensor"])
event.add_tag("tlp:white")
event.attributes = [attribute, attributeURL, attributeIP, attributeDT]
event.run_expansions()
if self.publish:
event.publish()
result = self.misp_api.add_event(event)
if self.debug:
log.msg(f"Event creation result: \n{result}")
def addFullName(fullnameValue):
eid = checkAge()
mispAttribute = MISPAttribute()
mispAttribute.type = 'first-name'
mispAttribute.value = fullnameValue
misp.add_attribute(eid, mispAttribute)
returnSuccess("Full Name", fullnameValue, eid)
def addBIC(bicValue):
eid = checkAge()
mispAttribute = MISPAttribute()
mispAttribute.type = 'bic'
mispAttribute.value = bicValue
misp.add_attribute(eid, mispAttribute)
returnSuccess("Bank Account", bicValue, eid)
def addEmail(emailValue):
eid = checkAge()
mispAttribute = MISPAttribute()
mispAttribute.type = 'email'
mispAttribute.value = emailValue
misp.add_attribute(eid, mispAttribute)
returnSuccess("email", emailValue, eid)
def addIP(ipValue):
eid = checkAge()
mispAttribute = MISPAttribute()
mispAttribute.type = 'ip-dst'
mispAttribute.value = ipValue
misp.add_attribute(eid, mispAttribute)
returnSuccess("IP address", ipValue, eid)
def create_new_event(self, entry):
if self.is_python2:
self.misp_api.upload_sample(
entry["shasum"],
entry["outfile"],
None,
distribution=1,
info="File uploaded to Cowrie ({})".format(entry["sensor"]),
analysis=0,
threat_level_id=2
)
else:
attribute = MISPAttribute()
attribute.type = "malware-sample"
attribute.value = entry["shasum"]
attribute.data = Path(entry["outfile"])
attribute.comment = "File uploaded to Cowrie ({})".format(entry["sensor"])
attribute.expand = "binary"
event = MISPEvent()
event.info = "File uploaded to Cowrie ({})".format(entry["sensor"])
event.attributes = [attribute]
event.run_expansions()
if self.publish:
event.publish()
result = self.misp_api.add_event(event)
if self.debug:
log.msg("Event creation result: \n%s" % result)
def generate_MISP_Event(deduplicated_observations, conf, tags, attr_tags):
dt = datetime.now()
event = MISPEvent()
event.info = dt.strftime("%Y%m%d ") + 'TIE'
event.publish_timestamp = dt.strftime("%s")
event.timestamp = dt.strftime("%s")
event['timestamp'] = dt.strftime("%s")
event.analysis = 2
event.published = conf.event_published
orgc = MISPOrganisation()
orgc.from_json(json.dumps({'name': conf.org_name, 'uuid': conf.org_uuid}))
event.orgc = orgc
event.threat_level_id = conf.event_base_thread_level
event.date = dt
event['uuid'] = str(uuid.uuid1())
if len(tags) > 0:
event['Tag'] = tags
attr_hashes = []
for key, attr in deduplicated_observations.items():
misp_attr = MISPAttribute()
misp_attr.timestamp = dt.strftime("%s")
misp_attr['timestamp'] = dt.strftime("%s")
misp_attr.type = get_Attribute_Type(attr)
misp_attr.value = get_MISP_Fitted_Value(attr["value"], misp_attr.type)
if 'c2-server' in attr['categories'] and attr_tags.c2tags:
misp_attr['Tag'] = attr_tags.c2tags
if 'malware' in attr['categories'] and attr_tags.malwaretags:
misp_attr['Tag'] = attr_tags.malwaretags
if 'espionage' in attr['categories'] and attr_tags.espionagetags:
misp_attr['Tag'] = attr_tags.espionagetags
if 'bot' in attr['categories'] and attr_tags.bottags:
misp_attr['Tag'] = attr_tags.bottags
if 'whitelist' in attr['categories'] and attr_tags.whitelisttags:
misp_attr['Tag'] = attr_tags.whitelisttags
if 'cybercrime' in attr['categories'] and attr_tags.cybercrimetags:
misp_attr['Tag'] = attr_tags.cybercrimetags
if 'phishing' in attr['categories'] and attr_tags.phishingtags:
misp_attr['Tag'] = attr_tags.phishingtags
misp_attr.category = get_Attribute_Category(attr)
if conf.attr_to_ids and attr[
'min_confidence'] >= conf.attr_to_ids_threshold:
misp_attr.to_ids = True
else:
misp_attr.to_ids = False
misp_attr['comment'] = 'categories: ' + str(attr['categories']) + ' actors: ' + str(attr['actors']) + \
' families: ' + str(attr['families']) + ' sources: ' + str(attr['sources']) + \
' severity: ' + str(attr['max_severity']) + \
' confidence: ' + str(attr['max_confidence'])
misp_attr.edited = False
event.add_attribute(**(misp_attr.to_dict()))
attr_hashes.append([
hashlib.md5(attr['value'].encode("utf-8")).hexdigest(),
event['uuid']
])
event.edited = False
return event, attr_hashes
def misp_add_attribute(self, event, a_type, a_value):
# Create Attribute object in MISP
misp_attribute = MISPAttribute()
if a_type: misp_attribute.type = a_type
if a_value: misp_attribute.value = a_value
event.add_attribute(misp_attribute.type, misp_attribute.value)
def create_attr(self, raw_attr: dict) -> MISPAttribute:
# Create attribute and assign simple values
attr = MISPAttribute()
attr.type = 'url'
attr.value = raw_attr['url']
attr.disable_correlation = False
attr.__setattr__('first_seen', datetime.strptime(raw_attr['dateadded'], '%Y-%m-%d %H:%M:%S'))
# Add URLhaus tag
self.add_tag_to_attribute(attr, 'URLhaus')
# Add other tags
if raw_attr['tags']:
for tag in raw_attr['tags'].split(','):
self.add_tag_to_attribute(attr, tag.strip())
# Add online/offline tag
if not pandas.isna(raw_attr['url_status']):
if raw_attr['url_status'] == 'online':
attr.to_ids = True
else:
attr.to_ids = False
self.add_tag_to_attribute(attr, raw_attr['url_status'])
# Add reporter tag
if not pandas.isna(raw_attr['reporter']):
self.add_tag_to_attribute(attr, raw_attr['reporter'])
attr.comment = raw_attr['urlhaus_link']
return attr
def addDomain(domainValue):
eid = checkAge()
mispAttribute = MISPAttribute()
mispAttribute.type = 'domain'
mispAttribute.value = domainValue
misp.add_attribute(eid, mispAttribute)
returnSuccess("domain", domainValue, eid)
def __misp_add_urlscan_to_event(self, capture_uuid: str, visibility: str) -> Optional[MISPAttribute]:
response = self.urlscan.url_submit(self.get_info(capture_uuid), visibility)
if 'result' in response:
attribute = MISPAttribute()
attribute.value = response['result']
attribute.type = 'link'
return attribute
return None
def map_attribute(self, row):
misp_attribute = MISPAttribute()
fs = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S')
misp_attribute.first_seen = fs
misp_attribute.last_seen = fs
value = row[1].strip().strip('"') + "|" + row[2].strip().strip('"')
misp_attribute.type = "ip-dst|port"
misp_attribute.value = value
return misp_attribute
def create_misp_attribute(misp_client, misp_event_id, misp_attribute_type,
misp_attribute_value):
misp_event = MISPEvent()
misp_event.id = int(misp_event_id)
misp_event.uuid = get_event_uuid(misp_client, misp_event_id)
misp_attribute = MISPAttribute()
misp_attribute.type = misp_attribute_type
misp_attribute.value = misp_attribute_value
attribute_response = misp_client.add_attribute(misp_event, misp_attribute)
return attribute_response
def map_attribute(self, row):
misp_attribute = MISPAttribute()
fs = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S')
misp_attribute.first_seen = fs
misp_attribute.last_seen = fs
value = row[1].strip().strip('"')
misp_attribute.type = "x509-fingerprint-sha1"
misp_attribute.comment = 'https://sslbl.abuse.ch/ssl-certificates/sha1/' + value
misp_attribute.value = value
return misp_attribute
def propose(type, value, category):
attr_type = type
value = value
category = category
to_ids = False
# Attribute data already defined
attribute = MISPAttribute()
attribute.type = attr_type
attribute.value = value
attribute.category = category
attribute.to_ids = to_ids
event_id = EVENTid
proposal = misp.add_attribute_proposal(event_id, attribute)
print('Proposed!')
def map_attribute(self, row):
malware_info = self.get_malware_info(row)
misp_attribute = MISPAttribute()
value = row[2].strip().strip('"')
fs = datetime.strptime(row[1].strip().strip('"'), '%Y-%m-%d %H:%M:%S')
misp_attribute.first_seen = fs
misp_attribute.last_seen = fs
misp_attribute.type = "url"
if row[4].strip().strip('"') == "malware_download":
misp_attribute.add_tag('kill-chain:Delivery')
if malware_info['ft'] is not None:
misp_attribute.add_tag(malware_info['ft'])
misp_attribute.value = value
misp_attribute.comment = row[6].strip().strip('"')
return misp_attribute
def create_new_event(self, entry):
attribute = MISPAttribute()
attribute.type = "malware-sample"
attribute.value = entry["shasum"]
attribute.data = Path(entry["outfile"])
attribute.comment = "File uploaded to Cowrie ({})".format(entry["sensor"])
attribute.expand = "binary"
event = MISPEvent()
event.info = "File uploaded to Cowrie ({})".format(entry["sensor"])
event.attributes = [attribute]
event.run_expansions()
if self.publish:
event.publish()
result = self.misp_api.add_event(event)
if self.debug:
log.msg(f"Event creation result: \n{result}")
def ip_attribute(category, type, value):
attribute = MISPAttribute()
attribute.category = category
attribute.org = "RST Cloud"
attribute.type = type
if value['ip']:
if value['ip']['v4']:
attribute.value = value['ip']['v4']
attribute.add_tag("rstcloud:asn:firstip=" +
str(value['asn']['firstip']['netv4']))
attribute.add_tag("rstcloud:asn:lastip=" +
str(value['asn']['lastip']['netv4']))
else:
if value['ip']['v6']:
attribute.value = value['ip']['v6']
attribute.add_tag("rstcloud:asn:firstip=" +
str(value['asn']['firstip']['netv6']))
attribute.add_tag("rstcloud:asn:lastip=" +
str(value['asn']['lastip']['netv6']))
attribute.add_tag("rstcloud:asn:number=" + str(value['asn']['num']))
attribute.comment = listToString(value['src']['str'])
attribute.first_seen = value['fseen']
attribute.last_seen = value['lseen']
attribute.timestamp = value['collect']
attribute.distribution = distribution_level
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
for rsttag in value['tags']['str']:
attribute.add_tag("rstcloud:tag=" + str(rsttag))
if value['asn']['cloud']:
attribute.add_tag("rstcloud:cloudprovider=" +
str(value['asn']['cloud']))
if value['asn']['domains']:
attribute.add_tag("rstcloud:number_of_hosted_domains=" +
str(value['asn']['domains']))
attribute.add_tag("rstcloud:org=" + str(value['asn']['org']))
attribute.add_tag("rstcloud:isp=" + str(value['asn']['isp']))
attribute.add_tag("rstcloud:geo.city=" + str(value['geo']['city']))
attribute.add_tag("rstcloud:geo.region=" + str(value['geo']['region']))
attribute.add_tag("rstcloud:geo.country=" + str(value['geo']['country']))
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
attribute.add_tag("rstcloud:false-positive:alarm=" +
str(value['fp']['alarm']))
if value['fp']['descr']:
attribute.add_tag("rstcloud:false-positive:description=" +
str(value['fp']['descr']))
return attribute
def fill_misp_object(self, item, name, to_ids=False):
try:
misp_object = MISPObject(name)
if to_ids:
observables = item.observable.observable_composition.observables
misp_object.timestamp = self.getTimestampfromDate(item.timestamp)
else:
observables = item.observable_composition.observables
for observable in observables:
properties = observable.object_.properties
misp_attribute = MISPAttribute()
misp_attribute.type, misp_attribute.value, misp_attribute.object_relation = self.handle_attribute_type(properties, is_object=True, observable_id=observable.id_)
misp_object.add_attribute(**misp_attribute)
self.misp_event.add_object(**misp_object)
except AttributeError:
properties = item.observable.object_.properties if to_ids else item.object_.properties
self.parse_observable(properties, to_ids)
def form_attr_obj(self, type, value, file=None):
try:
attr = MISPAttribute()
attr.type = type
attr.value = value
if file is not None:
path = Path(file)
attr.data = path
self.attributes.append(attr)
except Exception as e:
exc_type, exc_obj, exc_tb = sys.exc_info()
print("ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}"
.format(location=__name__, funct_name=sys._getframe().f_code.co_name, line_no=exc_tb.tb_lineno,
error=str(e)))
def parse_coa(self, courses_of_action):
for coa in courses_of_action:
misp_object = MISPObject('course-of-action')
if coa.title:
attribute = {'type': 'text', 'object_relation': 'name',
'value': coa.title}
misp_object.add_attribute(**attribute)
if coa.type_:
attribute = {'type': 'text', 'object_relation': 'type',
'value': coa.type_.value}
misp_object.add_attribute(**attribute)
if coa.stage:
attribute = {'type': 'text', 'object_relation': 'stage',
'value': coa.stage.value}
misp_object.add_attribute(**attribute)
if coa.description:
attribute = {'type': 'text', 'object_relation': 'description',
'value': coa.description.value} # POSSIBLE ISSUE HERE, need example to test
misp_object.add_attribute(**attribute)
if coa.objective:
attribute = {'type': 'text', 'object_relation': 'objective',
'value': coa.objective.description.value}
misp_object.add_attribute(**attribute)
if coa.cost:
attribute = {'type': 'text', 'object_relation': 'cost',
'value': coa.cost.value.value}
misp_object.add_attribute(**attribute)
if coa.efficacy:
attribute = {'type': 'text', 'object_relation': 'efficacy',
'value': coa.efficacy.value.value}
misp_object.add_attribute(**attribute)
if coa.impact:
attribute = {'type': 'text', 'object_relation': 'impact',
'value': coa.impact.value.value}
misp_object.add_attribute(**attribute)
if coa.parameter_observables:
for observable in coa.parameter_observables.observables:
properties = observable.object_.properties
attribute = MISPAttribute()
attribute.type, attribute.value, _ = self.handle_attribute_type(properties)
referenced_uuid = str(uuid.uuid4())
attribute.uuid = referenced_uuid
self.misp_event.add_attribute(**attribute)
misp_object.add_reference(referenced_uuid, 'observable', None, **attribute)
self.misp_event.add_object(**misp_object)
def create_attr_azorult(self, raw_attr: dict) -> MISPAttribute:
attr_list = []
for type in [{'json': 'domain', 'misp': 'domain'},
{'json': 'ip', 'misp': 'ip-dst'},
{'json': 'panel_index', 'misp': 'url'}]:
if type['json'] in raw_attr:
attr = MISPAttribute()
self.add_tag_to_attribute(attr, 'AzorultTracker')
self.add_tag_to_attribute(attr, raw_attr['panel_version'])
self.add_tag_to_attribute(attr, raw_attr['feeder'])
self.add_tag_to_attribute(attr, raw_attr['status'])
attr.comment = f'Azorult panel {type["misp"]}'
attr.__setattr__('first_seen', datetime.fromtimestamp(raw_attr['first_seen']))
attr.to_ids = False
attr.disable_correlation = False
attr.type = type['misp']
attr.value = f"{raw_attr[type['json']]}"
attr_list.append(attr)
return attr_list
def create_attr_feodo(self, raw_attr: dict) -> MISPAttribute:
attr = MISPAttribute()
attr.type = 'ip-dst|port'
attr.value = f"{raw_attr['DstIP']}|{raw_attr['DstPort']}"
self.add_tag_to_attribute(attr, 'FeodoTracker')
self.add_tag_to_attribute(attr, raw_attr['Malware'])
attr.comment = 'Feodo tracker DST IP/port'
attr.__setattr__('first_seen', datetime.strptime(raw_attr['Firstseen'], '%Y-%m-%d %H:%M:%S'))
if not pandas.isna(raw_attr['LastOnline']):
last_seen_time = datetime.strptime(str(raw_attr['LastOnline']), '%Y-%m-%d').replace(tzinfo=pytz.utc)
first_seen_time = datetime.strptime(str(raw_attr["Firstseen"]), '%Y-%m-%d %H:%M:%S').replace(tzinfo=pytz.utc)
if first_seen_time > last_seen_time:
last_seen_time = first_seen_time + timedelta(seconds=1)
attr.__setattr__('last_seen', last_seen_time)
else:
last_seen_time = datetime.strptime(str(raw_attr['Firstseen']), '%Y-%m-%d %H:%M:%S').replace(tzinfo=pytz.utc)
attr.__setattr__('last_seen', last_seen_time)
attr.to_ids = False
attr.disable_correlation = False
return attr
def map_attribute(self, row):
misp_attribute = MISPAttribute()
fs = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S')
misp_attribute.first_seen = fs
try:
ls_string = row[3].strip().strip('"')
if ls_string != '':
ls = datetime.strptime(ls_string, '%Y-%m-%d')
if ls > fs:
misp_attribute.last_seen = ls
else:
misp_attribute.last_seen = fs
except ValueError:
pass
value = row[1].strip().strip('"') + "|" + row[2].strip().strip('"')
misp_attribute.type = "ip-dst|port"
misp_attribute.comment = 'https://feodotracker.abuse.ch/browse/host/' + row[1].strip().strip('"')
misp_attribute.value = value
return misp_attribute
def domain_attribute(category, type, value):
attribute = MISPAttribute()
attribute.category = category
attribute.type = type
attribute.value = value['domain']
attribute.comment = listToString(value['src']['str'])
attribute.first_seen = value['fseen']
attribute.last_seen = value['lseen']
attribute.timestamp = value['collect']
attribute.distribution = distribution_level
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
for rsttag in value['tags']['str']:
attribute.add_tag("rstcloud:tag=" + str(rsttag))
if value['resolved'] and value['resolved']['whois']:
if value['resolved']['whois']['age'] > 0:
attribute.add_tag("rstcloud:whois:created=" +
str(value['resolved']['whois']['created']))
attribute.add_tag("rstcloud:whois:updated=" +
str(value['resolved']['whois']['updated']))
attribute.add_tag("rstcloud:whois:expires=" +
str(value['resolved']['whois']['expires']))
attribute.add_tag("rstcloud:whois:age=" +
str(value['resolved']['whois']['age']))
if value['resolved']['whois']['registrar'] and value['resolved'][
'whois']['registrar'] != 'unknown':
attribute.add_tag("rstcloud:whois:registrar=" +
str(value['resolved']['whois']['registrar']))
if value['resolved']['whois']['registrar'] and value['resolved'][
'whois']['registrant'] != 'unknown':
attribute.add_tag("rstcloud:whois:registrant=" +
str(value['resolved']['whois']['registrant']))
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
attribute.add_tag("rstcloud:false-positive:alarm=" +
str(value['fp']['alarm']))
if value['fp']['descr']:
attribute.add_tag("rstcloud:false-positive:description=" +
str(value['fp']['descr']))
return attribute
def search_vmray_incomplete(
m, url, wait_period, module_import_url, module_import_port, vmray_url,
vmray_api, vmray_attribute_category, vmray_include_analysisid,
vmray_include_imphash_ssdeep, vmray_include_extracted_files,
vmray_include_analysisdetails, vmray_include_vtidetails,
custom_tags_incomplete, custom_tags_complete):
controller = 'attributes'
vmray_value = 'VMRay Sample ID:' # How sample IDs are stored in MISP
req = None
# Search for the events
try:
result = m.search(controller, tags=custom_tags_incomplete)
attribute = result['Attribute']
if len(attribute) == 0:
sys.exit("No VMRay attributes found that match %s" %
custom_tags_incomplete)
timestamp = int(attribute[0]["timestamp"])
# Not enough time has gone by to lookup the analysis jobs
if int((time.time() - timestamp) / 60) < int(wait_period):
if module_DEBUG:
r_timestamp = datetime.datetime.fromtimestamp(
timestamp).strftime('%Y-%m-%d %H:%M:%S')
print(
"Attribute to recent for wait_period (%s minutes) - timestamp attribute: %s (%s minutes old)"
% (wait_period, r_timestamp,
round((int(time.time() - timestamp) / 60), 2)))
return False
if module_DEBUG:
print("All attributes older than %s" % int(wait_period))
for att in attribute:
value = att['value']
if vmray_value in value: # We found a sample ID
att_id = att['id']
att_uuid = att['uuid']
# VMRay Sample IDs are stored as VMRay Sample ID: 2796577
vmray_sample_id = value.split(vmray_value)[1].strip()
if vmray_sample_id.isdigit():
event_id = att['event_id']
if module_DEBUG:
print(
"Found event %s with matching tags %s for sample id %s "
% (event_id, custom_tags_incomplete,
vmray_sample_id))
# Prepare request to send to vmray_import via misp modules
misp_modules_url = module_import_url + ':' + module_import_port + '/query'
misp_modules_headers = {'Content-Type': 'application/json'}
misp_modules_body = '{ "sample_id":"' + vmray_sample_id + '","module":"vmray_import","event_id":"' + event_id + '","config":{"apikey":"' + vmray_api + '","url":"' + vmray_url + '","include_analysisid":"' + vmray_include_analysisid + '","include_analysisdetails":"' + vmray_include_analysisdetails + '","include_extracted_files":"' + vmray_include_extracted_files + '","include_imphash_ssdeep":"' + vmray_include_imphash_ssdeep + '","include_vtidetails":"' + vmray_include_vtidetails + '","sample_id":"' + vmray_sample_id + '"},"data":""}'
req = requests.post(misp_modules_url,
data=misp_modules_body,
headers=misp_modules_headers)
if module_DEBUG and req is not None:
print(
"Response code from submitting to MISP modules %s"
% (req.status_code))
# Succesful response from the misp modules?
if req.status_code == 200:
req_json = req.json()
if "error" in req_json:
print("Error code in reply %s " %
req_json["error"])
continue
else:
results = req_json["results"]
# Walk through all results in the misp-module reply
for el in results:
to_ids = True
values = el['values']
types = el['types']
if "to_ids" in el:
to_ids = el['to_ids']
if "text" in types:
to_ids = False
comment = el['comment']
if len(comment) < 1:
comment = "Enriched via the vmray_import module"
# Attribute can belong in different types
for attr_type in types:
try:
new_attribute = MISPAttribute()
new_attribute.type = attr_type
new_attribute.category = vmray_attribute_category
new_attribute.value = values
new_attribute.to_ids = to_ids
new_attribute.comment = comment
r = m.add_attribute(
event_id, new_attribute)
if module_DEBUG:
print(
"Add event %s: %s as %s (%s) (toids: %s)"
% (event_id, values, attr_type,
comment, to_ids))
except Exception as e:
if module_DEBUG:
print(
"Unable to add attribute %s as type %s for event %s"
%
(values, attr_type, event_id))
continue
# Remove 'incomplete' state tags
m.untag(att_uuid, custom_tags_incomplete)
# Update tags to 'complete' state
m.tag(att_uuid, custom_tags_complete)
if module_DEBUG:
print("Updated event %s" % event_id)
else:
sys.exit(
'MISP modules did not return HTTP 200 code (event %s ; sampleid %s)'
% (event_id, vmray_sample_id))
except Exception as e:
sys.exit("Invalid response received from MISP : %s", e)
def create_attributes(misp_api, event_id, site):
"""
Create MISP IOCs attributes.
:param misp_api: MISP Object API.
:param event_id: MISP Event ID.
:param site: Site Object.
:return:
"""
print(
str(timezone.now()) + " - " + 'Create MISP IOCs attributes for: ',
event_id)
print('-----------------------------')
tag = None
tags = misp_api.tags(pythonify=True)
for t in tags:
if t.name == 'Watcher':
tag = t
attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "domain"
attribute.distribution = 5
attribute.comment = "Domain name monitored"
attribute.tags = [tag]
attribute.value = site.domain_name
misp_api.add_attribute(event=event_id, attribute=attribute)
if settings.MISP_TICKETING_URL != '':
attribute = MISPAttribute()
attribute.category = "Internal reference"
attribute.type = "link"
attribute.distribution = 0
attribute.comment = "Ticketing link"
attribute.tags = [tag]
attribute.value = settings.MISP_TICKETING_URL + "?id=" + str(site.rtir)
misp_api.add_attribute(event=event_id, attribute=attribute)
if site.ip:
attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "ip-dst"
attribute.distribution = 5
attribute.comment = "First IP"
attribute.tags = [tag]
attribute.value = site.ip
misp_api.add_attribute(event=event_id, attribute=attribute)
if site.ip_second:
attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "ip-dst"
attribute.distribution = 5
attribute.comment = "Second IP"
attribute.tags = [tag]
attribute.value = site.ip_second
misp_api.add_attribute(event=event_id, attribute=attribute)
if site.mail_A_record_ip and site.ip != site.mail_A_record_ip and site.ip_second != site.mail_A_record_ip:
attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "ip-dst"
attribute.distribution = 5
attribute.comment = 'Mail Server A record IP: mail.' + site.domain_name
attribute.tags = [tag]
attribute.value = site.mail_A_record_ip
misp_api.add_attribute(event=event_id, attribute=attribute)
if site.MX_records:
for mx in site.MX_records:
attribute = MISPAttribute()
attribute.category = "Network activity"
attribute.type = "domain"
attribute.distribution = 5
attribute.comment = "MX record"
attribute.tags = [tag]
attribute.value = str(mx).split()[1][:-1]
misp_api.add_attribute(event=event_id, attribute=attribute)
def parse_observable(self, properties, misp_object):
misp_attribute = MISPAttribute()
misp_attribute.type, misp_attribute.value, misp_attribute.object_relation = self.handle_attribute_type(
properties, is_object=True)
misp_object.add_attribute(**misp_attribute)
def poll_taxii():
global f_hashes, f_manifest, f_events
results_dict = {}
client = create_client(
CYBERSAIYAN_FEED_URL,
use_https=TAXII_USE_TLS,
discovery_path=TAXII_DISCOVERY_PATH
)
blocks = client.poll(collection_name=CYBERSAIYAN_COLLECTION_NAME)
for block in blocks:
content = block.content
if content:
if type(content) == str:
continue
elif type(content) == bytes:
content = content.decode('utf-8')
pkg = STIXPackage.from_xml(StringIO(content))
title = pkg.stix_header.title
information_source = pkg.stix_header.information_source.identity.name
cs_event = (title, information_source)
cs_event_hash = hash(cs_event)
db_cursor.execute("SELECT uuid FROM hashes WHERE hash = '%s'" % cs_event_hash)
element = db_cursor.fetchone()
if element:
e_uuid = element[0]
else:
e_uuid = str(uuid.uuid4())
db_cursor.execute("INSERT INTO hashes VALUES (?,?)", (cs_event_hash,e_uuid,))
if cs_event_hash not in results_dict:
results_dict[cs_event_hash] = MISPEvent()
m_ev = results_dict[cs_event_hash]
m_ev.info = str(pkg.stix_header.description)
m_ev.analysis = 0
m_ev.uuid = e_uuid
#m_ev.org = "CyberSaiyan"
csorg = MISPOrganisation()
csorg.name = "CyberSaiyan"
csorg.uuid = "8aaa81ed-72ef-4fb1-8e96-fa1bc200faeb"
m_ev.orgc = csorg
marking = pkg.stix_header.handling.marking
tlp = 0
found_tlp = False
for m in marking:
for struct in m.marking_structures:
if struct._XSI_TYPE == "tlpMarking:TLPMarkingStructureType":
found_tlp = True
tlp = max(TLP[struct.color.lower()], tlp)
if tlp == 0 and not found_tlp:
tlp = TLP["amber"]
m_ev.add_tag("tlp:"+TLP[tlp])
m_ev.add_tag("CyberSaiyan")
indicators = pkg.indicators
last_ts = utc.localize(datetime.datetime(1970,1,1))
for indicator in indicators:
cur_ts = indicator.timestamp
if cur_ts > last_ts:
last_ts = cur_ts
obj = indicator.observable.object_
obj_d = obj.properties.to_dict()
attr_type = obj_d["xsi:type"]
if attr_type == "AddressObjectType":
attr = MISPAttribute()
attr.category = "Network activity"
attr.type = "ip-dst"
attr.value = obj_d["address_value"]
attr.disable_correlation = False
attr.to_ids = True
elif attr_type == "DomainNameObjectType":
attr = MISPAttribute()
attr.category = "Network activity"
attr.type = "domain"
attr.value = obj_d["value"]
attr.disable_correlation = False
attr.to_ids = True
elif attr_type == "URIObjectType":
attr = MISPAttribute()
attr.category = "Network activity"
attr.type = "url"
attr.value = obj_d["value"]
attr.disable_correlation = False
attr.to_ids = True
elif attr_type == "FileObjectType":
hash_type = obj_d["hashes"][0]["type"]["value"].lower()
hash_value = obj_d["hashes"][0]["simple_hash_value"]
attr = MISPAttribute()
attr.category = "Payload delivery"
assert hash_type in ('md5', "sha1", "sha224",
"sha256", "sha384", "sha512", "ssdeep")
attr.type = hash_type
attr.value = hash_value
attr.disable_correlation = False
attr.to_ids = True
m_ev.date = last_ts.strftime("%Y-%m-%d")
m_ev.attributes.append(attr)
db_conn.commit()
c_hashes, c_manifest, c_events = list(), dict(), dict()
for event in results_dict.values():
e_feed = event.to_feed(with_meta=True).get("Event")
c_hashes += [[h, event.uuid] for h in e_feed.pop("_hashes")]
c_manifest.update(e_feed.pop('_manifest'))
c_events[event.uuid] = e_feed
f_hashes, f_manifest, f_events = c_hashes, c_manifest, c_events
