def map_attribute(self, row):
    """Build an ``ip-dst|port`` MISPAttribute from one feed row.

    Fields are read positionally, each stripped of surrounding whitespace
    and then of double quotes (``row`` looks like a CSV record -- TODO
    confirm against the parser that calls this):

    * ``row[0]`` -- ``%Y-%m-%d %H:%M:%S`` timestamp, used for both
      ``first_seen`` and ``last_seen``.
    * ``row[1]``, ``row[2]`` -- joined with ``|`` into the attribute value.

    Raises ``ValueError`` if ``row[0]`` does not match the timestamp format.
    The ip/port text is copied verbatim; syntax validation is left to MISP.
    """
    def _field(index):
        # Whitespace first, then the enclosing quotes -- same two-step strip
        # the rest of the feed mappers use.
        return row[index].strip().strip('"')

    attribute = MISPAttribute()
    seen = datetime.strptime(_field(0), '%Y-%m-%d %H:%M:%S')
    attribute.first_seen = seen
    attribute.last_seen = seen
    attribute.type = "ip-dst|port"
    attribute.value = "|".join((_field(1), _field(2)))
    return attribute
def map_attribute(self, row):
    """Build an ``x509-fingerprint-sha1`` MISPAttribute from one feed row.

    Fields are read positionally after stripping whitespace and double
    quotes (``row`` looks like a CSV record -- TODO confirm with the caller):

    * ``row[0]`` -- ``%Y-%m-%d %H:%M:%S`` timestamp, used for both
      ``first_seen`` and ``last_seen``.
    * ``row[1]`` -- the fingerprint; stored verbatim as the value and also
      appended to the sslbl.abuse.ch lookup URL placed in ``comment``.

    Raises ``ValueError`` if the timestamp does not parse. The fingerprint
    is not validated here; MISP's type check applies on upload.
    """
    def _field(index):
        return row[index].strip().strip('"')

    attribute = MISPAttribute()
    seen = datetime.strptime(_field(0), '%Y-%m-%d %H:%M:%S')
    attribute.first_seen = seen
    attribute.last_seen = seen
    fingerprint = _field(1)
    attribute.type = "x509-fingerprint-sha1"
    # The feed value is interpolated into the lookup URL unchanged.
    attribute.comment = f'https://sslbl.abuse.ch/ssl-certificates/sha1/{fingerprint}'
    attribute.value = fingerprint
    return attribute
def map_attribute(self, row):
    """Build an ``ip-dst|port`` MISPAttribute from one Feodo Tracker row.

    Fields are read positionally after stripping whitespace and double
    quotes (``row`` looks like a CSV record -- TODO confirm with the caller):

    * ``row[0]`` -- first-seen timestamp, ``%Y-%m-%d %H:%M:%S``.
    * ``row[1]``, ``row[2]`` -- host and port, joined with ``|`` as the
      value; the host alone is also placed in the feodotracker.abuse.ch
      lookup URL used as ``comment``.
    * ``row[3]`` -- optional last-seen date, ``%Y-%m-%d``. ``last_seen``
      becomes the later of this and ``first_seen``; when the field is empty
      or does not parse, ``last_seen`` is left unset (best effort).

    Raises ``ValueError`` only for an unparsable ``row[0]``.
    """
    def _field(index):
        return row[index].strip().strip('"')

    attribute = MISPAttribute()
    first = datetime.strptime(_field(0), '%Y-%m-%d %H:%M:%S')
    attribute.first_seen = first

    last_raw = _field(3)
    if last_raw:
        try:
            last = datetime.strptime(last_raw, '%Y-%m-%d')
        except ValueError:
            # Malformed last-seen dates are tolerated: the attribute is still
            # emitted, just without last_seen.
            pass
        else:
            # Never let last_seen precede first_seen.
            attribute.last_seen = max(first, last)

    host = _field(1)
    attribute.type = "ip-dst|port"
    attribute.comment = 'https://feodotracker.abuse.ch/browse/host/' + host
    attribute.value = host + "|" + _field(2)
    return attribute
def map_attribute(self, row):
    """Build a ``url`` MISPAttribute from one feed row.

    Fields are read positionally after stripping whitespace and double
    quotes (``row`` looks like a CSV record -- TODO confirm with the caller):

    * ``row[1]`` -- ``%Y-%m-%d %H:%M:%S`` timestamp, used for ``first_seen``
      and ``last_seen``.
    * ``row[2]`` -- the URL, stored verbatim as the value.
    * ``row[4]`` -- threat category; ``malware_download`` adds the
      ``kill-chain:Delivery`` tag.
    * ``row[6]`` -- free text placed in ``comment``.

    ``self.get_malware_info(row)`` is consulted for key ``'ft'``, which is
    added as a tag when not ``None``; no other key of it is read here.
    Raises ``ValueError`` if the timestamp does not parse.
    """
    def _field(index):
        return row[index].strip().strip('"')

    info = self.get_malware_info(row)
    attribute = MISPAttribute()
    url = _field(2)
    seen = datetime.strptime(_field(1), '%Y-%m-%d %H:%M:%S')
    attribute.first_seen = seen
    attribute.last_seen = seen
    attribute.type = "url"
    if _field(4) == "malware_download":
        attribute.add_tag('kill-chain:Delivery')
    file_type = info['ft']
    if file_type is not None:
        attribute.add_tag(file_type)
    attribute.value = url
    attribute.comment = _field(6)
    return attribute
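def ip_attribute(category, type, value):
    """Build an IP MISPAttribute from one RST Cloud indicator record.

    Args:
        category: MISP attribute category.
        type: MISP attribute type (shadows the builtin; the parameter name
            is kept for caller compatibility).
        value: one decoded RST Cloud record. Keys read here: ``ip.v4`` /
            ``ip.v6``, ``asn.{num,org,isp,cloud,domains}``,
            ``asn.firstip.netv{4,6}``, ``asn.lastip.netv{4,6}``,
            ``geo.{city,region,country}``, ``src.str``, ``tags.str``,
            ``score.total``, ``fp.{alarm,descr}``, ``fseen``, ``lseen``,
            ``collect``. A missing key raises ``KeyError``.

    Returns:
        The populated MISPAttribute. ``distribution_level`` and
        ``listToString`` come from module scope.

    Feed-supplied values are stringified into ``rstcloud:*`` tags verbatim.
    Change from the previous version: ``rstcloud:score:total`` used to be
    added twice per attribute; it is now added once.
    """
    attribute = MISPAttribute()

    def _tag(name, tag_value):
        # Every feed-derived tag lives under the "rstcloud:" namespace.
        attribute.add_tag("rstcloud:" + name + "=" + str(tag_value))

    attribute.category = category
    attribute.org = "RST Cloud"
    attribute.type = type

    ip_info = value['ip']
    asn = value['asn']
    if ip_info:
        if ip_info['v4']:
            attribute.value = ip_info['v4']
            _tag("asn:firstip", asn['firstip']['netv4'])
            _tag("asn:lastip", asn['lastip']['netv4'])
        elif ip_info['v6']:
            attribute.value = ip_info['v6']
            _tag("asn:firstip", asn['firstip']['netv6'])
            _tag("asn:lastip", asn['lastip']['netv6'])
        # NOTE(review): a record with neither v4 nor v6 set leaves
        # attribute.value unset, as before -- confirm the feed never does that.
    # NOTE(review): the source's indentation was lost; the ASN number tag is
    # placed at function level since it does not depend on the IP version.
    _tag("asn:number", asn['num'])

    attribute.comment = listToString(value['src']['str'])
    attribute.first_seen = value['fseen']
    attribute.last_seen = value['lseen']
    attribute.timestamp = value['collect']
    attribute.distribution = distribution_level

    _tag("score:total", value['score']['total'])
    for rst_tag in value['tags']['str']:
        _tag("tag", rst_tag)
    if asn['cloud']:
        _tag("cloudprovider", asn['cloud'])
    if asn['domains']:
        _tag("number_of_hosted_domains", asn['domains'])
    _tag("org", asn['org'])
    _tag("isp", asn['isp'])
    geo = value['geo']
    _tag("geo.city", geo['city'])
    _tag("geo.region", geo['region'])
    _tag("geo.country", geo['country'])
    _tag("false-positive:alarm", value['fp']['alarm'])
    if value['fp']['descr']:
        _tag("false-positive:description", value['fp']['descr'])
    return attribute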
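def domain_attribute(category, type, value):
    """Build a domain MISPAttribute from one RST Cloud indicator record.

    Args:
        category: MISP attribute category.
        type: MISP attribute type (shadows the builtin; the parameter name
            is kept for caller compatibility).
        value: one decoded RST Cloud record. Keys read here: ``domain``,
            ``src.str``, ``tags.str``, ``score.total``, ``fp.{alarm,descr}``,
            ``fseen``, ``lseen``, ``collect`` and, when present,
            ``resolved.whois.{age,created,updated,expires,registrar,registrant}``.
            A missing key raises ``KeyError``.

    Returns:
        The populated MISPAttribute. ``distribution_level`` and
        ``listToString`` come from module scope.

    Feed-supplied values are stringified into ``rstcloud:*`` tags verbatim.
    Changes from the previous version: the registrant tag was guarded by the
    *registrar* field (copy-paste), so an empty registrant could be tagged as
    ``rstcloud:whois:registrant=None`` and a registrant without a registrar
    was dropped -- it is now guarded by the registrant itself; and
    ``rstcloud:score:total`` is added once instead of twice.
    """
    attribute = MISPAttribute()

    def _tag(name, tag_value):
        # Every feed-derived tag lives under the "rstcloud:" namespace.
        attribute.add_tag("rstcloud:" + name + "=" + str(tag_value))

    attribute.category = category
    attribute.type = type
    attribute.value = value['domain']
    attribute.comment = listToString(value['src']['str'])
    attribute.first_seen = value['fseen']
    attribute.last_seen = value['lseen']
    attribute.timestamp = value['collect']
    attribute.distribution = distribution_level

    _tag("score:total", value['score']['total'])
    for rst_tag in value['tags']['str']:
        _tag("tag", rst_tag)

    resolved = value['resolved']
    if resolved and resolved['whois']:
        whois = resolved['whois']
        # NOTE(review): the source's indentation was lost; all four date
        # tags are assumed to sit under the age guard -- confirm.
        if whois['age'] > 0:
            _tag("whois:created", whois['created'])
            _tag("whois:updated", whois['updated'])
            _tag("whois:expires", whois['expires'])
            _tag("whois:age", whois['age'])
        registrar = whois['registrar']
        if registrar and registrar != 'unknown':
            _tag("whois:registrar", registrar)
        registrant = whois['registrant']
        if registrant and registrant != 'unknown':
            _tag("whois:registrant", registrant)

    _tag("false-positive:alarm", value['fp']['alarm'])
    if value['fp']['descr']:
        _tag("false-positive:description", value['fp']['descr'])
    return attribute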