def create_new_event(self, entry): attribute = MISPAttribute() attribute.type = "malware-sample" attribute.value = entry["shasum"] attribute.data = Path(entry["outfile"]) attribute.comment = "File uploaded to Cowrie ({})".format(entry["sensor"]) attribute.expand = "binary" if "url" in entry: attributeURL = MISPAttribute() attributeURL.type = "url" attributeURL.value = entry["url"] attributeURL.to_ids = True else: attributeURL = MISPAttribute() attributeURL.type = "text" attributeURL.value = "External upload" attributeIP = MISPAttribute() attributeIP.type = "ip-src" attributeIP.value = entry["src_ip"] attributeDT = MISPAttribute() attributeDT.type = "datetime" attributeDT.value = entry["timestamp"] event = MISPEvent() event.info = "File uploaded to Cowrie ({})".format(entry["sensor"]) event.add_tag("tlp:white") event.attributes = [attribute, attributeURL, attributeIP, attributeDT] event.run_expansions() if self.publish: event.publish() result = self.misp_api.add_event(event) if self.debug: log.msg(f"Event creation result: \n{result}")
def addHash(hashValue): eid = checkAge() hashValue = hashValue.strip() md5 = re.compile(r'[0-9a-f]{32}$', flags=re.IGNORECASE) sha1 = re.compile(r'[0-9a-f]{40}$', flags=re.IGNORECASE) sha256 = re.compile(r'[0-9a-f]{64}$', flags=re.IGNORECASE) if re.match(sha256, hashValue): hashType = "sha256" mispAttribute = MISPAttribute() mispAttribute.type = 'sha256' mispAttribute.value = hashValue misp.add_attribute(eid, mispAttribute) elif re.match(sha1, hashValue): hashType = "sha1" mispAttribute = MISPAttribute() mispAttribute.type = 'sha1' mispAttribute.value = hashValue misp.add_attribute(eid, mispAttribute) elif re.match(md5, hashValue): hashType = "md5" mispAttribute = MISPAttribute() mispAttribute.type = 'md5' mispAttribute.value = hashValue misp.add_attribute(eid, mispAttribute) else: returnFailure("hash", hashValue, "length of %s" % len(hashValue)) returnSuccess("%s hash" % hashType, hashValue, eid)
def create_attr(self, raw_attr: dict) -> MISPAttribute: # Create attribute and assign simple values attr = MISPAttribute() attr.type = 'url' attr.value = raw_attr['url'] attr.disable_correlation = False attr.__setattr__('first_seen', datetime.strptime(raw_attr['dateadded'], '%Y-%m-%d %H:%M:%S')) # Add URLhaus tag self.add_tag_to_attribute(attr, 'URLhaus') # Add other tags if raw_attr['tags']: for tag in raw_attr['tags'].split(','): self.add_tag_to_attribute(attr, tag.strip()) # Add online/offline tag if not pandas.isna(raw_attr['url_status']): if raw_attr['url_status'] == 'online': attr.to_ids = True else: attr.to_ids = False self.add_tag_to_attribute(attr, raw_attr['url_status']) # Add reporter tag if not pandas.isna(raw_attr['reporter']): self.add_tag_to_attribute(attr, raw_attr['reporter']) attr.comment = raw_attr['urlhaus_link'] return attr
def create_new_event(self, entry): if self.is_python2: self.misp_api.upload_sample( entry["shasum"], entry["outfile"], None, distribution=1, info="File uploaded to Cowrie ({})".format(entry["sensor"]), analysis=0, threat_level_id=2 ) else: attribute = MISPAttribute() attribute.type = "malware-sample" attribute.value = entry["shasum"] attribute.data = Path(entry["outfile"]) attribute.comment = "File uploaded to Cowrie ({})".format(entry["sensor"]) attribute.expand = "binary" event = MISPEvent() event.info = "File uploaded to Cowrie ({})".format(entry["sensor"]) event.attributes = [attribute] event.run_expansions() if self.publish: event.publish() result = self.misp_api.add_event(event) if self.debug: log.msg("Event creation result: \n%s" % result)
def misp_add_attribute(self, event, a_type, a_value): # Create Attribute object in MISP misp_attribute = MISPAttribute() if a_type: misp_attribute.type = a_type if a_value: misp_attribute.value = a_value event.add_attribute(misp_attribute.type, misp_attribute.value)
def addDomain(domainValue): eid = checkAge() mispAttribute = MISPAttribute() mispAttribute.type = 'domain' mispAttribute.value = domainValue misp.add_attribute(eid, mispAttribute) returnSuccess("domain", domainValue, eid)
def addIP(ipValue): eid = checkAge() mispAttribute = MISPAttribute() mispAttribute.type = 'ip-dst' mispAttribute.value = ipValue misp.add_attribute(eid, mispAttribute) returnSuccess("IP address", ipValue, eid)
def addEmail(emailValue): eid = checkAge() mispAttribute = MISPAttribute() mispAttribute.type = 'email' mispAttribute.value = emailValue misp.add_attribute(eid, mispAttribute) returnSuccess("email", emailValue, eid)
def addBIC(bicValue): eid = checkAge() mispAttribute = MISPAttribute() mispAttribute.type = 'bic' mispAttribute.value = bicValue misp.add_attribute(eid, mispAttribute) returnSuccess("Bank Account", bicValue, eid)
def generate_MISP_Event(deduplicated_observations, conf, tags, attr_tags): dt = datetime.now() event = MISPEvent() event.info = dt.strftime("%Y%m%d ") + 'TIE' event.publish_timestamp = dt.strftime("%s") event.timestamp = dt.strftime("%s") event['timestamp'] = dt.strftime("%s") event.analysis = 2 event.published = conf.event_published orgc = MISPOrganisation() orgc.from_json(json.dumps({'name': conf.org_name, 'uuid': conf.org_uuid})) event.orgc = orgc event.threat_level_id = conf.event_base_thread_level event.date = dt event['uuid'] = str(uuid.uuid1()) if len(tags) > 0: event['Tag'] = tags attr_hashes = [] for key, attr in deduplicated_observations.items(): misp_attr = MISPAttribute() misp_attr.timestamp = dt.strftime("%s") misp_attr['timestamp'] = dt.strftime("%s") misp_attr.type = get_Attribute_Type(attr) misp_attr.value = get_MISP_Fitted_Value(attr["value"], misp_attr.type) if 'c2-server' in attr['categories'] and attr_tags.c2tags: misp_attr['Tag'] = attr_tags.c2tags if 'malware' in attr['categories'] and attr_tags.malwaretags: misp_attr['Tag'] = attr_tags.malwaretags if 'espionage' in attr['categories'] and attr_tags.espionagetags: misp_attr['Tag'] = attr_tags.espionagetags if 'bot' in attr['categories'] and attr_tags.bottags: misp_attr['Tag'] = attr_tags.bottags if 'whitelist' in attr['categories'] and attr_tags.whitelisttags: misp_attr['Tag'] = attr_tags.whitelisttags if 'cybercrime' in attr['categories'] and attr_tags.cybercrimetags: misp_attr['Tag'] = attr_tags.cybercrimetags if 'phishing' in attr['categories'] and attr_tags.phishingtags: misp_attr['Tag'] = attr_tags.phishingtags misp_attr.category = get_Attribute_Category(attr) if conf.attr_to_ids and attr[ 'min_confidence'] >= conf.attr_to_ids_threshold: misp_attr.to_ids = True else: misp_attr.to_ids = False misp_attr['comment'] = 'categories: ' + str(attr['categories']) + ' actors: ' + str(attr['actors']) + \ ' families: ' + str(attr['families']) + ' sources: ' + str(attr['sources']) + \ ' severity: ' + str(attr['max_severity']) + \ ' confidence: ' + str(attr['max_confidence']) misp_attr.edited = False event.add_attribute(**(misp_attr.to_dict())) attr_hashes.append([ hashlib.md5(attr['value'].encode("utf-8")).hexdigest(), event['uuid'] ]) event.edited = False return event, attr_hashes
def addFullName(fullnameValue): eid = checkAge() mispAttribute = MISPAttribute() mispAttribute.type = 'first-name' mispAttribute.value = fullnameValue misp.add_attribute(eid, mispAttribute) returnSuccess("Full Name", fullnameValue, eid)
def ip_attribute(category, type, value): attribute = MISPAttribute() attribute.category = category attribute.org = "RST Cloud" attribute.type = type if value['ip']: if value['ip']['v4']: attribute.value = value['ip']['v4'] attribute.add_tag("rstcloud:asn:firstip=" + str(value['asn']['firstip']['netv4'])) attribute.add_tag("rstcloud:asn:lastip=" + str(value['asn']['lastip']['netv4'])) else: if value['ip']['v6']: attribute.value = value['ip']['v6'] attribute.add_tag("rstcloud:asn:firstip=" + str(value['asn']['firstip']['netv6'])) attribute.add_tag("rstcloud:asn:lastip=" + str(value['asn']['lastip']['netv6'])) attribute.add_tag("rstcloud:asn:number=" + str(value['asn']['num'])) attribute.comment = listToString(value['src']['str']) attribute.first_seen = value['fseen'] attribute.last_seen = value['lseen'] attribute.timestamp = value['collect'] attribute.distribution = distribution_level attribute.add_tag("rstcloud:score:total=" + str(value['score']['total'])) for rsttag in value['tags']['str']: attribute.add_tag("rstcloud:tag=" + str(rsttag)) if value['asn']['cloud']: attribute.add_tag("rstcloud:cloudprovider=" + str(value['asn']['cloud'])) if value['asn']['domains']: attribute.add_tag("rstcloud:number_of_hosted_domains=" + str(value['asn']['domains'])) attribute.add_tag("rstcloud:org=" + str(value['asn']['org'])) attribute.add_tag("rstcloud:isp=" + str(value['asn']['isp'])) attribute.add_tag("rstcloud:geo.city=" + str(value['geo']['city'])) attribute.add_tag("rstcloud:geo.region=" + str(value['geo']['region'])) attribute.add_tag("rstcloud:geo.country=" + str(value['geo']['country'])) attribute.add_tag("rstcloud:score:total=" + str(value['score']['total'])) attribute.add_tag("rstcloud:false-positive:alarm=" + str(value['fp']['alarm'])) if value['fp']['descr']: attribute.add_tag("rstcloud:false-positive:description=" + str(value['fp']['descr'])) return attribute
def __misp_add_urlscan_to_event(self, capture_uuid: str, visibility: str) -> Optional[MISPAttribute]: response = self.urlscan.url_submit(self.get_info(capture_uuid), visibility) if 'result' in response: attribute = MISPAttribute() attribute.value = response['result'] attribute.type = 'link' return attribute return None
def create_misp_attribute(misp_client, misp_event_id, misp_attribute_type, misp_attribute_value): misp_event = MISPEvent() misp_event.id = int(misp_event_id) misp_event.uuid = get_event_uuid(misp_client, misp_event_id) misp_attribute = MISPAttribute() misp_attribute.type = misp_attribute_type misp_attribute.value = misp_attribute_value attribute_response = misp_client.add_attribute(misp_event, misp_attribute) return attribute_response
def map_attribute(self, row): misp_attribute = MISPAttribute() fs = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S') misp_attribute.first_seen = fs misp_attribute.last_seen = fs value = row[1].strip().strip('"') + "|" + row[2].strip().strip('"') misp_attribute.type = "ip-dst|port" misp_attribute.value = value return misp_attribute
def map_attribute(self, row): misp_attribute = MISPAttribute() fs = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S') misp_attribute.first_seen = fs misp_attribute.last_seen = fs value = row[1].strip().strip('"') misp_attribute.type = "x509-fingerprint-sha1" misp_attribute.comment = 'https://sslbl.abuse.ch/ssl-certificates/sha1/' + value misp_attribute.value = value return misp_attribute
def map_attribute(self, row): malware_info = self.get_malware_info(row) misp_attribute = MISPAttribute() value = row[2].strip().strip('"') fs = datetime.strptime(row[1].strip().strip('"'), '%Y-%m-%d %H:%M:%S') misp_attribute.first_seen = fs misp_attribute.last_seen = fs misp_attribute.type = "url" if row[4].strip().strip('"') == "malware_download": misp_attribute.add_tag('kill-chain:Delivery') if malware_info['ft'] is not None: misp_attribute.add_tag(malware_info['ft']) misp_attribute.value = value misp_attribute.comment = row[6].strip().strip('"') return misp_attribute
def create_new_event(self, entry): attribute = MISPAttribute() attribute.type = "malware-sample" attribute.value = entry["shasum"] attribute.data = Path(entry["outfile"]) attribute.comment = "File uploaded to Cowrie ({})".format(entry["sensor"]) attribute.expand = "binary" event = MISPEvent() event.info = "File uploaded to Cowrie ({})".format(entry["sensor"]) event.attributes = [attribute] event.run_expansions() if self.publish: event.publish() result = self.misp_api.add_event(event) if self.debug: log.msg(f"Event creation result: \n{result}")
def propose(type, value, category): attr_type = type value = value category = category to_ids = False # Attribute data already defined attribute = MISPAttribute() attribute.type = attr_type attribute.value = value attribute.category = category attribute.to_ids = to_ids event_id = EVENTid proposal = misp.add_attribute_proposal(event_id, attribute) print('Proposed!')
def form_attr_obj(self, type, value, file=None): try: attr = MISPAttribute() attr.type = type attr.value = value if file is not None: path = Path(file) attr.data = path self.attributes.append(attr) except Exception as e: exc_type, exc_obj, exc_tb = sys.exc_info() print("ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}" .format(location=__name__, funct_name=sys._getframe().f_code.co_name, line_no=exc_tb.tb_lineno, error=str(e)))
def create_attr_azorult(self, raw_attr: dict) -> MISPAttribute: attr_list = [] for type in [{'json': 'domain', 'misp': 'domain'}, {'json': 'ip', 'misp': 'ip-dst'}, {'json': 'panel_index', 'misp': 'url'}]: if type['json'] in raw_attr: attr = MISPAttribute() self.add_tag_to_attribute(attr, 'AzorultTracker') self.add_tag_to_attribute(attr, raw_attr['panel_version']) self.add_tag_to_attribute(attr, raw_attr['feeder']) self.add_tag_to_attribute(attr, raw_attr['status']) attr.comment = f'Azorult panel {type["misp"]}' attr.__setattr__('first_seen', datetime.fromtimestamp(raw_attr['first_seen'])) attr.to_ids = False attr.disable_correlation = False attr.type = type['misp'] attr.value = f"{raw_attr[type['json']]}" attr_list.append(attr) return attr_list
def create_attr_feodo(self, raw_attr: dict) -> MISPAttribute: attr = MISPAttribute() attr.type = 'ip-dst|port' attr.value = f"{raw_attr['DstIP']}|{raw_attr['DstPort']}" self.add_tag_to_attribute(attr, 'FeodoTracker') self.add_tag_to_attribute(attr, raw_attr['Malware']) attr.comment = 'Feodo tracker DST IP/port' attr.__setattr__('first_seen', datetime.strptime(raw_attr['Firstseen'], '%Y-%m-%d %H:%M:%S')) if not pandas.isna(raw_attr['LastOnline']): last_seen_time = datetime.strptime(str(raw_attr['LastOnline']), '%Y-%m-%d').replace(tzinfo=pytz.utc) first_seen_time = datetime.strptime(str(raw_attr["Firstseen"]), '%Y-%m-%d %H:%M:%S').replace(tzinfo=pytz.utc) if first_seen_time > last_seen_time: last_seen_time = first_seen_time + timedelta(seconds=1) attr.__setattr__('last_seen', last_seen_time) else: last_seen_time = datetime.strptime(str(raw_attr['Firstseen']), '%Y-%m-%d %H:%M:%S').replace(tzinfo=pytz.utc) attr.__setattr__('last_seen', last_seen_time) attr.to_ids = False attr.disable_correlation = False return attr
def map_attribute(self, row): misp_attribute = MISPAttribute() fs = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S') misp_attribute.first_seen = fs try: ls_string = row[3].strip().strip('"') if ls_string != '': ls = datetime.strptime(ls_string, '%Y-%m-%d') if ls > fs: misp_attribute.last_seen = ls else: misp_attribute.last_seen = fs except ValueError: pass value = row[1].strip().strip('"') + "|" + row[2].strip().strip('"') misp_attribute.type = "ip-dst|port" misp_attribute.comment = 'https://feodotracker.abuse.ch/browse/host/' + row[1].strip().strip('"') misp_attribute.value = value return misp_attribute
def domain_attribute(category, type, value): attribute = MISPAttribute() attribute.category = category attribute.type = type attribute.value = value['domain'] attribute.comment = listToString(value['src']['str']) attribute.first_seen = value['fseen'] attribute.last_seen = value['lseen'] attribute.timestamp = value['collect'] attribute.distribution = distribution_level attribute.add_tag("rstcloud:score:total=" + str(value['score']['total'])) for rsttag in value['tags']['str']: attribute.add_tag("rstcloud:tag=" + str(rsttag)) if value['resolved'] and value['resolved']['whois']: if value['resolved']['whois']['age'] > 0: attribute.add_tag("rstcloud:whois:created=" + str(value['resolved']['whois']['created'])) attribute.add_tag("rstcloud:whois:updated=" + str(value['resolved']['whois']['updated'])) attribute.add_tag("rstcloud:whois:expires=" + str(value['resolved']['whois']['expires'])) attribute.add_tag("rstcloud:whois:age=" + str(value['resolved']['whois']['age'])) if value['resolved']['whois']['registrar'] and value['resolved'][ 'whois']['registrar'] != 'unknown': attribute.add_tag("rstcloud:whois:registrar=" + str(value['resolved']['whois']['registrar'])) if value['resolved']['whois']['registrar'] and value['resolved'][ 'whois']['registrant'] != 'unknown': attribute.add_tag("rstcloud:whois:registrant=" + str(value['resolved']['whois']['registrant'])) attribute.add_tag("rstcloud:score:total=" + str(value['score']['total'])) attribute.add_tag("rstcloud:false-positive:alarm=" + str(value['fp']['alarm'])) if value['fp']['descr']: attribute.add_tag("rstcloud:false-positive:description=" + str(value['fp']['descr'])) return attribute
# dictionary while iterating through it; this allows for # one level of sample crawling. i.e. all samples refered # to by sampled tagged COVID-19 will be included in the Event for hash, sample in samples.copy().items(): # get a detailed report of the sample details = getSampleDetail(hash) if (details is not None): # if it exists, add the comment if ('comment' in details): comment = details['comment'] if (comment is not None): newattr = MISPAttribute() newattr.category = commattr['category'] newattr.type = commattr['type'] newattr.value = commattr['value'] newattr.to_ids = commattr['to_ids'] sample.add_reference(referenced_uuid=newattr.uuid, relationship_type='related-to') attributes.update({newattr.value: newattr}) # find and add x-references if ('file_information' in details): info = details['file_information'] if (info is not None): for context_set in info: context = context_set['context'] value = context_set['value'] print("context: {}, value: {}".format(context, value))
def poll_taxii(): global f_hashes, f_manifest, f_events results_dict = {} client = create_client( CYBERSAIYAN_FEED_URL, use_https=TAXII_USE_TLS, discovery_path=TAXII_DISCOVERY_PATH ) blocks = client.poll(collection_name=CYBERSAIYAN_COLLECTION_NAME) for block in blocks: content = block.content if content: if type(content) == str: continue elif type(content) == bytes: content = content.decode('utf-8') pkg = STIXPackage.from_xml(StringIO(content)) title = pkg.stix_header.title information_source = pkg.stix_header.information_source.identity.name cs_event = (title, information_source) cs_event_hash = hash(cs_event) db_cursor.execute("SELECT uuid FROM hashes WHERE hash = '%s'" % cs_event_hash) element = db_cursor.fetchone() if element: e_uuid = element[0] else: e_uuid = str(uuid.uuid4()) db_cursor.execute("INSERT INTO hashes VALUES (?,?)", (cs_event_hash,e_uuid,)) if cs_event_hash not in results_dict: results_dict[cs_event_hash] = MISPEvent() m_ev = results_dict[cs_event_hash] m_ev.info = str(pkg.stix_header.description) m_ev.analysis = 0 m_ev.uuid = e_uuid #m_ev.org = "CyberSaiyan" csorg = MISPOrganisation() csorg.name = "CyberSaiyan" csorg.uuid = "8aaa81ed-72ef-4fb1-8e96-fa1bc200faeb" m_ev.orgc = csorg marking = pkg.stix_header.handling.marking tlp = 0 found_tlp = False for m in marking: for struct in m.marking_structures: if struct._XSI_TYPE == "tlpMarking:TLPMarkingStructureType": found_tlp = True tlp = max(TLP[struct.color.lower()], tlp) if tlp == 0 and not found_tlp: tlp = TLP["amber"] m_ev.add_tag("tlp:"+TLP[tlp]) m_ev.add_tag("CyberSaiyan") indicators = pkg.indicators last_ts = utc.localize(datetime.datetime(1970,1,1)) for indicator in indicators: cur_ts = indicator.timestamp if cur_ts > last_ts: last_ts = cur_ts obj = indicator.observable.object_ obj_d = obj.properties.to_dict() attr_type = obj_d["xsi:type"] if attr_type == "AddressObjectType": attr = MISPAttribute() attr.category = "Network activity" attr.type = "ip-dst" attr.value = obj_d["address_value"] attr.disable_correlation = False attr.to_ids = True elif attr_type == "DomainNameObjectType": attr = MISPAttribute() attr.category = "Network activity" attr.type = "domain" attr.value = obj_d["value"] attr.disable_correlation = False attr.to_ids = True elif attr_type == "URIObjectType": attr = MISPAttribute() attr.category = "Network activity" attr.type = "url" attr.value = obj_d["value"] attr.disable_correlation = False attr.to_ids = True elif attr_type == "FileObjectType": hash_type = obj_d["hashes"][0]["type"]["value"].lower() hash_value = obj_d["hashes"][0]["simple_hash_value"] attr = MISPAttribute() attr.category = "Payload delivery" assert hash_type in ('md5', "sha1", "sha224", "sha256", "sha384", "sha512", "ssdeep") attr.type = hash_type attr.value = hash_value attr.disable_correlation = False attr.to_ids = True m_ev.date = last_ts.strftime("%Y-%m-%d") m_ev.attributes.append(attr) db_conn.commit() c_hashes, c_manifest, c_events = list(), dict(), dict() for event in results_dict.values(): e_feed = event.to_feed(with_meta=True).get("Event") c_hashes += [[h, event.uuid] for h in e_feed.pop("_hashes")] c_manifest.update(e_feed.pop('_manifest')) c_events[event.uuid] = e_feed f_hashes, f_manifest, f_events = c_hashes, c_manifest, c_events
def create_attributes(misp_api, event_id, site): """ Create MISP IOCs attributes. :param misp_api: MISP Object API. :param event_id: MISP Event ID. :param site: Site Object. :return: """ print( str(timezone.now()) + " - " + 'Create MISP IOCs attributes for: ', event_id) print('-----------------------------') tag = None tags = misp_api.tags(pythonify=True) for t in tags: if t.name == 'Watcher': tag = t attribute = MISPAttribute() attribute.category = "Network activity" attribute.type = "domain" attribute.distribution = 5 attribute.comment = "Domain name monitored" attribute.tags = [tag] attribute.value = site.domain_name misp_api.add_attribute(event=event_id, attribute=attribute) if settings.MISP_TICKETING_URL != '': attribute = MISPAttribute() attribute.category = "Internal reference" attribute.type = "link" attribute.distribution = 0 attribute.comment = "Ticketing link" attribute.tags = [tag] attribute.value = settings.MISP_TICKETING_URL + "?id=" + str(site.rtir) misp_api.add_attribute(event=event_id, attribute=attribute) if site.ip: attribute = MISPAttribute() attribute.category = "Network activity" attribute.type = "ip-dst" attribute.distribution = 5 attribute.comment = "First IP" attribute.tags = [tag] attribute.value = site.ip misp_api.add_attribute(event=event_id, attribute=attribute) if site.ip_second: attribute = MISPAttribute() attribute.category = "Network activity" attribute.type = "ip-dst" attribute.distribution = 5 attribute.comment = "Second IP" attribute.tags = [tag] attribute.value = site.ip_second misp_api.add_attribute(event=event_id, attribute=attribute) if site.mail_A_record_ip and site.ip != site.mail_A_record_ip and site.ip_second != site.mail_A_record_ip: attribute = MISPAttribute() attribute.category = "Network activity" attribute.type = "ip-dst" attribute.distribution = 5 attribute.comment = 'Mail Server A record IP: mail.' + site.domain_name attribute.tags = [tag] attribute.value = site.mail_A_record_ip misp_api.add_attribute(event=event_id, attribute=attribute) if site.MX_records: for mx in site.MX_records: attribute = MISPAttribute() attribute.category = "Network activity" attribute.type = "domain" attribute.distribution = 5 attribute.comment = "MX record" attribute.tags = [tag] attribute.value = str(mx).split()[1][:-1] misp_api.add_attribute(event=event_id, attribute=attribute)
def update_attributes(misp_api, site): """ Update MISP IOCs attributes. :param misp_api: MISP Object API. :param site: Site Object. :return: """ print( str(timezone.now()) + " - " + 'Update MISP IOCs attributes for: ', site.misp_event_id) print('-----------------------------') tag = None tags = misp_api.tags(pythonify=True) for t in tags: if t.name == 'Watcher': tag = t if site.ip and not search_attributes(misp_api, site.misp_event_id, site.ip, site.pk): attribute = MISPAttribute() attribute.category = "Network activity" attribute.type = "ip-dst" attribute.distribution = 5 attribute.comment = "First IP" attribute.tags = [tag] attribute.value = site.ip misp_api.add_attribute(event=site.misp_event_id, attribute=attribute) if site.ip_second and not search_attributes(misp_api, site.misp_event_id, site.ip_second, site.pk): attribute = MISPAttribute() attribute.category = "Network activity" attribute.type = "ip-dst" attribute.distribution = 5 attribute.comment = "Second IP" attribute.tags = [tag] attribute.value = site.ip_second misp_api.add_attribute(event=site.misp_event_id, attribute=attribute) if site.mail_A_record_ip and not search_attributes( misp_api, site.misp_event_id, site.mail_A_record_ip, site.pk): attribute = MISPAttribute() attribute.category = "Network activity" attribute.type = "ip-dst" attribute.distribution = 5 attribute.comment = 'Mail Server A record IP: mail.' + site.domain_name attribute.tags = [tag] attribute.value = site.mail_A_record_ip misp_api.add_attribute(event=site.misp_event_id, attribute=attribute) if site.MX_records: for mx in site.MX_records: if not search_attributes(misp_api, site.misp_event_id, str(mx).split()[1][:-1], site.pk): attribute = MISPAttribute() attribute.category = "Network activity" attribute.type = "domain" attribute.distribution = 5 attribute.comment = "MX record" attribute.tags = [tag] attribute.value = str(mx).split()[1][:-1] misp_api.add_attribute(event=site.misp_event_id, attribute=attribute)
def search_vmray_incomplete( m, url, wait_period, module_import_url, module_import_port, vmray_url, vmray_api, vmray_attribute_category, vmray_include_analysisid, vmray_include_imphash_ssdeep, vmray_include_extracted_files, vmray_include_analysisdetails, vmray_include_vtidetails, custom_tags_incomplete, custom_tags_complete): controller = 'attributes' vmray_value = 'VMRay Sample ID:' # How sample IDs are stored in MISP req = None # Search for the events try: result = m.search(controller, tags=custom_tags_incomplete) attribute = result['Attribute'] if len(attribute) == 0: sys.exit("No VMRay attributes found that match %s" % custom_tags_incomplete) timestamp = int(attribute[0]["timestamp"]) # Not enough time has gone by to lookup the analysis jobs if int((time.time() - timestamp) / 60) < int(wait_period): if module_DEBUG: r_timestamp = datetime.datetime.fromtimestamp( timestamp).strftime('%Y-%m-%d %H:%M:%S') print( "Attribute to recent for wait_period (%s minutes) - timestamp attribute: %s (%s minutes old)" % (wait_period, r_timestamp, round((int(time.time() - timestamp) / 60), 2))) return False if module_DEBUG: print("All attributes older than %s" % int(wait_period)) for att in attribute: value = att['value'] if vmray_value in value: # We found a sample ID att_id = att['id'] att_uuid = att['uuid'] # VMRay Sample IDs are stored as VMRay Sample ID: 2796577 vmray_sample_id = value.split(vmray_value)[1].strip() if vmray_sample_id.isdigit(): event_id = att['event_id'] if module_DEBUG: print( "Found event %s with matching tags %s for sample id %s " % (event_id, custom_tags_incomplete, vmray_sample_id)) # Prepare request to send to vmray_import via misp modules misp_modules_url = module_import_url + ':' + module_import_port + '/query' misp_modules_headers = {'Content-Type': 'application/json'} misp_modules_body = '{ "sample_id":"' + vmray_sample_id + '","module":"vmray_import","event_id":"' + event_id + '","config":{"apikey":"' + vmray_api + '","url":"' + vmray_url + '","include_analysisid":"' + vmray_include_analysisid + '","include_analysisdetails":"' + vmray_include_analysisdetails + '","include_extracted_files":"' + vmray_include_extracted_files + '","include_imphash_ssdeep":"' + vmray_include_imphash_ssdeep + '","include_vtidetails":"' + vmray_include_vtidetails + '","sample_id":"' + vmray_sample_id + '"},"data":""}' req = requests.post(misp_modules_url, data=misp_modules_body, headers=misp_modules_headers) if module_DEBUG and req is not None: print( "Response code from submitting to MISP modules %s" % (req.status_code)) # Succesful response from the misp modules? if req.status_code == 200: req_json = req.json() if "error" in req_json: print("Error code in reply %s " % req_json["error"]) continue else: results = req_json["results"] # Walk through all results in the misp-module reply for el in results: to_ids = True values = el['values'] types = el['types'] if "to_ids" in el: to_ids = el['to_ids'] if "text" in types: to_ids = False comment = el['comment'] if len(comment) < 1: comment = "Enriched via the vmray_import module" # Attribute can belong in different types for attr_type in types: try: new_attribute = MISPAttribute() new_attribute.type = attr_type new_attribute.category = vmray_attribute_category new_attribute.value = values new_attribute.to_ids = to_ids new_attribute.comment = comment r = m.add_attribute( event_id, new_attribute) if module_DEBUG: print( "Add event %s: %s as %s (%s) (toids: %s)" % (event_id, values, attr_type, comment, to_ids)) except Exception as e: if module_DEBUG: print( "Unable to add attribute %s as type %s for event %s" % (values, attr_type, event_id)) continue # Remove 'incomplete' state tags m.untag(att_uuid, custom_tags_incomplete) # Update tags to 'complete' state m.tag(att_uuid, custom_tags_complete) if module_DEBUG: print("Updated event %s" % event_id) else: sys.exit( 'MISP modules did not return HTTP 200 code (event %s ; sampleid %s)' % (event_id, vmray_sample_id)) except Exception as e: sys.exit("Invalid response received from MISP : %s", e)
def _attribute(category, type, value): attribute = MISPAttribute() attribute.category = category attribute.type = type attribute.value = value return attribute