def map_attribute(self, row):
misp_attribute = MISPAttribute()
fs = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S')
misp_attribute.first_seen = fs
misp_attribute.last_seen = fs
value = row[1].strip().strip('"') + "|" + row[2].strip().strip('"')
misp_attribute.type = "ip-dst|port"
misp_attribute.value = value
return misp_attribute
def map_attribute(self, row):
misp_attribute = MISPAttribute()
fs = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S')
misp_attribute.first_seen = fs
misp_attribute.last_seen = fs
value = row[1].strip().strip('"')
misp_attribute.type = "x509-fingerprint-sha1"
misp_attribute.comment = 'https://sslbl.abuse.ch/ssl-certificates/sha1/' + value
misp_attribute.value = value
return misp_attribute
def map_attribute(self, row):
malware_info = self.get_malware_info(row)
misp_attribute = MISPAttribute()
value = row[2].strip().strip('"')
fs = datetime.strptime(row[1].strip().strip('"'), '%Y-%m-%d %H:%M:%S')
misp_attribute.first_seen = fs
misp_attribute.last_seen = fs
misp_attribute.type = "url"
if row[4].strip().strip('"') == "malware_download":
misp_attribute.add_tag('kill-chain:Delivery')
if malware_info['ft'] is not None:
misp_attribute.add_tag(malware_info['ft'])
misp_attribute.value = value
misp_attribute.comment = row[6].strip().strip('"')
return misp_attribute
def ip_attribute(category, type, value):
attribute = MISPAttribute()
attribute.category = category
attribute.org = "RST Cloud"
attribute.type = type
if value['ip']:
if value['ip']['v4']:
attribute.value = value['ip']['v4']
attribute.add_tag("rstcloud:asn:firstip=" +
str(value['asn']['firstip']['netv4']))
attribute.add_tag("rstcloud:asn:lastip=" +
str(value['asn']['lastip']['netv4']))
else:
if value['ip']['v6']:
attribute.value = value['ip']['v6']
attribute.add_tag("rstcloud:asn:firstip=" +
str(value['asn']['firstip']['netv6']))
attribute.add_tag("rstcloud:asn:lastip=" +
str(value['asn']['lastip']['netv6']))
attribute.add_tag("rstcloud:asn:number=" + str(value['asn']['num']))
attribute.comment = listToString(value['src']['str'])
attribute.first_seen = value['fseen']
attribute.last_seen = value['lseen']
attribute.timestamp = value['collect']
attribute.distribution = distribution_level
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
for rsttag in value['tags']['str']:
attribute.add_tag("rstcloud:tag=" + str(rsttag))
if value['asn']['cloud']:
attribute.add_tag("rstcloud:cloudprovider=" +
str(value['asn']['cloud']))
if value['asn']['domains']:
attribute.add_tag("rstcloud:number_of_hosted_domains=" +
str(value['asn']['domains']))
attribute.add_tag("rstcloud:org=" + str(value['asn']['org']))
attribute.add_tag("rstcloud:isp=" + str(value['asn']['isp']))
attribute.add_tag("rstcloud:geo.city=" + str(value['geo']['city']))
attribute.add_tag("rstcloud:geo.region=" + str(value['geo']['region']))
attribute.add_tag("rstcloud:geo.country=" + str(value['geo']['country']))
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
attribute.add_tag("rstcloud:false-positive:alarm=" +
str(value['fp']['alarm']))
if value['fp']['descr']:
attribute.add_tag("rstcloud:false-positive:description=" +
str(value['fp']['descr']))
return attribute
def map_attribute(self, row):
misp_attribute = MISPAttribute()
fs = datetime.strptime(row[0].strip().strip('"'), '%Y-%m-%d %H:%M:%S')
misp_attribute.first_seen = fs
try:
ls_string = row[3].strip().strip('"')
if ls_string != '':
ls = datetime.strptime(ls_string, '%Y-%m-%d')
if ls > fs:
misp_attribute.last_seen = ls
else:
misp_attribute.last_seen = fs
except ValueError:
pass
value = row[1].strip().strip('"') + "|" + row[2].strip().strip('"')
misp_attribute.type = "ip-dst|port"
misp_attribute.comment = 'https://feodotracker.abuse.ch/browse/host/' + row[1].strip().strip('"')
misp_attribute.value = value
return misp_attribute
def domain_attribute(category, type, value):
attribute = MISPAttribute()
attribute.category = category
attribute.type = type
attribute.value = value['domain']
attribute.comment = listToString(value['src']['str'])
attribute.first_seen = value['fseen']
attribute.last_seen = value['lseen']
attribute.timestamp = value['collect']
attribute.distribution = distribution_level
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
for rsttag in value['tags']['str']:
attribute.add_tag("rstcloud:tag=" + str(rsttag))
if value['resolved'] and value['resolved']['whois']:
if value['resolved']['whois']['age'] > 0:
attribute.add_tag("rstcloud:whois:created=" +
str(value['resolved']['whois']['created']))
attribute.add_tag("rstcloud:whois:updated=" +
str(value['resolved']['whois']['updated']))
attribute.add_tag("rstcloud:whois:expires=" +
str(value['resolved']['whois']['expires']))
attribute.add_tag("rstcloud:whois:age=" +
str(value['resolved']['whois']['age']))
if value['resolved']['whois']['registrar'] and value['resolved'][
'whois']['registrar'] != 'unknown':
attribute.add_tag("rstcloud:whois:registrar=" +
str(value['resolved']['whois']['registrar']))
if value['resolved']['whois']['registrar'] and value['resolved'][
'whois']['registrant'] != 'unknown':
attribute.add_tag("rstcloud:whois:registrant=" +
str(value['resolved']['whois']['registrant']))
attribute.add_tag("rstcloud:score:total=" + str(value['score']['total']))
attribute.add_tag("rstcloud:false-positive:alarm=" +
str(value['fp']['alarm']))
if value['fp']['descr']:
attribute.add_tag("rstcloud:false-positive:description=" +
str(value['fp']['descr']))
return attribute
