def export_domain(domain):
    """Build a MISP ``domain-ip`` object for *domain* from its stored metadata.

    The object carries the first/last seen timestamps, the domain name, one
    ``port`` attribute per entry of a fixed port list, and — when the domain
    has tags — those tags propagated onto every attribute through
    ``tag_misp_object_attributes``.

    :param domain: domain name as known to the Domain backend
    :returns: a standalone ``MISPObject`` of type ``domain-ip``
    """
    meta = Domain.Domain(domain).get_domain_metadata(tags=True)
    # NOTE(review): the port list is hard-coded rather than read from the
    # metadata; it looks like a placeholder — confirm with the caller.
    meta['ports'] = ['80', '223', '443']

    misp_obj = MISPObject('domain-ip', standalone=True)
    misp_obj.first_seen = meta['first_seen']
    misp_obj.last_seen = meta['last_check']

    attributes = [
        misp_obj.add_attribute('first-seen', value=meta['first_seen']),
        misp_obj.add_attribute('last-seen', value=meta['last_check']),
        misp_obj.add_attribute('domain', value=domain),
    ]
    attributes.extend(
        misp_obj.add_attribute('port', value=port) for port in meta['ports']
    )

    if meta['tags']:
        tag_misp_object_attributes(attributes, meta['tags'])
    return misp_obj
def export_domain(domain):
    """Build a MISP ``domain-crawled`` object for *domain*.

    The object holds the domain name plus one ``url`` attribute per crawled
    URL known for the domain, each stamped with that URL's own first/last
    seen times; tags stored on the domain are applied to every attribute.

    :param domain: domain name as known to the Domain backend
    :returns: a standalone ``MISPObject`` of type ``domain-crawled``
    """
    domain_obj = Domain.Domain(domain)
    meta = domain_obj.get_domain_metadata(tags=True)

    misp_obj = MISPObject('domain-crawled', standalone=True)
    misp_obj.first_seen = meta['first_seen']
    misp_obj.last_seen = meta['last_check']
    attributes = [misp_obj.add_attribute('domain', value=domain)]

    crawled = Domain.get_domain_all_url(domain, domain_obj.get_domain_type())
    for url in crawled:
        seen = crawled[url]
        url_attr = misp_obj.add_attribute('url', value=url)
        # Per-URL timestamps are stringified before being stored on the attribute.
        url_attr.first_seen = str(seen['first_seen'])
        url_attr.last_seen = str(seen['last_seen'])
        attributes.append(url_attr)

    if meta['tags']:
        tag_misp_object_attributes(attributes, meta['tags'])
    return misp_obj
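def export_cryptocurrency(crypto_type, crypto_address):
    """Build a MISP ``coin-address`` object for one cryptocurrency address.

    :param crypto_type: cryptocurrency type key understood by the
        Cryptocurrency backend; also used to look up the ticker symbol
    :param crypto_address: the address value
    :returns: a ``MISPObject`` of type ``coin-address`` with an ``address``
        attribute and, when a symbol is known for the type, a ``symbol``
        attribute. Unlike the other exporters in this file, no tags are
        applied, so no attribute list needs to be kept.
    """
    meta = Cryptocurrency.cryptocurrency.get_metadata(crypto_type, crypto_address)
    obj = MISPObject('coin-address')
    obj.first_seen = meta['first_seen']
    obj.last_seen = meta['last_seen']

    obj.add_attribute('address', value=crypto_address)
    # The symbol is optional: only add it when the backend knows one.
    symbol = Cryptocurrency.get_cryptocurrency_symbol(crypto_type)
    if symbol:
        obj.add_attribute('symbol', value=symbol)
    return obj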
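def export_pgp(pgp_type, pgp_value):
    """Build a MISP ``pgp-meta`` object for one PGP item.

    :param pgp_type: ``'key'``, ``'name'`` or anything else, which is treated
        as a mail address
    :param pgp_value: the key id, user name or mail address
    :returns: a ``MISPObject`` of type ``pgp-meta`` with exactly one of
        ``key-id``, ``user-id-name`` or ``user-id-email`` set. No tags are
        applied, so no attribute list needs to be kept.
    """
    meta = Pgp.pgp.get_metadata(pgp_type, pgp_value)
    obj = MISPObject('pgp-meta')
    obj.first_seen = meta['first_seen']
    obj.last_seen = meta['last_seen']

    # Map the item type onto the matching pgp-meta attribute; every type that
    # is neither 'key' nor 'name' falls back to the mail attribute.
    if pgp_type == 'key':
        attribute_name = 'key-id'
    elif pgp_type == 'name':
        attribute_name = 'user-id-name'
    else:
        attribute_name = 'user-id-email'
    obj.add_attribute(attribute_name, value=pgp_value)
    return obj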
def export_decoded(sha1_string):
    """Build a MISP ``file`` object for the decoded item identified by *sha1_string*.

    Attributes: the SHA-1, the stored mimetype and a ``malware-sample``
    carrying the decoded file content; tags stored on the item are applied to
    all three attributes.

    :param sha1_string: SHA-1 hex digest identifying the decoded item
    :returns: a ``MISPObject`` of type ``file``
    """
    meta = Decoded.get_decoded_metadata(sha1_string, tag=True)
    file_obj = MISPObject('file')
    file_obj.first_seen = meta['first_seen']
    file_obj.last_seen = meta['last_seen']

    attributes = [file_obj.add_attribute('sha1', value=sha1_string)]
    attributes.append(
        file_obj.add_attribute('mimetype',
                               value=Decoded.get_decoded_item_type(sha1_string)))
    # The sample content is attached as binary data alongside the SHA-1 value.
    attributes.append(
        file_obj.add_attribute('malware-sample',
                               value=sha1_string,
                               data=Decoded.get_decoded_file_content(sha1_string)))

    if meta['tags']:
        tag_misp_object_attributes(attributes, meta['tags'])
    return file_obj
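def parse_passivedns_results(self, query_response):
    """Turn a passive-DNS query response into ``passive-dns`` MISP objects.

    One object is created per result; each gets a ``related-to`` reference
    to the queried attribute and is added to ``self.misp_event``. The input
    mapping is read only and left intact for the caller (the previous version
    popped ``rdata`` out of each result dict).

    :param query_response: mapping of query type -> list of result dicts
    """
    for query_type, results in query_response.items():
        comment = self.comment % (query_type,
                                  TYPE_TO_FEATURE[self.attribute['type']],
                                  self.attribute['value'])
        for result in results:
            pdns_obj = MISPObject('passive-dns')
            rdata = result.get('rdata')
            # A non-empty rdata list is expanded into one attribute per entry;
            # any other rdata value goes through the generic path below.
            expand_rdata = bool(rdata) and isinstance(rdata, list)
            if expand_rdata:
                for value in rdata:
                    pdns_obj.add_attribute(
                        **self._parse_attribute(comment, 'rdata', value))
            for feature, value in result.items():
                if expand_rdata and feature == 'rdata':
                    continue  # already expanded above
                pdns_obj.add_attribute(
                    **self._parse_attribute(comment, feature, value))
            if result.get('time_first'):
                pdns_obj.first_seen = result['time_first']
            if result.get('time_last'):
                pdns_obj.last_seen = result['time_last']
            pdns_obj.add_reference(self.attribute['uuid'], 'related-to')
            self.misp_event.add_object(pdns_obj)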
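def _cof_entry_to_object(entry: dict) -> MISPObject:
    """Build one ``passive-dns`` MISPObject from a single validated COF entry.

    Assumes *entry* already passed ``validate_cof()``: ``rrname``, ``rrtype``,
    ``rdata``, ``time_first`` and ``time_last`` are read unconditionally.
    The module-level flag ``create_specific_attributes`` controls whether the
    typed ``rrname_domain`` / ``rdata_ip`` / ``rdata_domain`` attributes are
    added in addition to the generic ones.
    """
    rrtype = entry['rrtype'].upper()
    rrname = entry['rrname'].rstrip('.')
    # NOTE(review): assumes entry['rdata'] is a list of strings; a bare string
    # would be iterated character by character — confirm validate_cof enforces this.
    rdata = [x.rstrip('.') for x in entry['rdata']]

    o = MISPObject(name='passive-dns', standalone=False, comment='created by cof2misp')
    # o.add_tag('tlp:amber')  # FIXME: we'll want to add a tlp: tag to the object
    if 'bailiwick' in entry:
        o.add_attribute('bailiwick', value=entry['bailiwick'].rstrip('.'), distribution=0)

    # Typed attributes depend on what rrtype implies for the left/right side.
    if create_specific_attributes:
        if rrtype in ('A', 'AAAA', 'A6'):
            # left side is a domain, right side is an address
            o.add_attribute('rrname_domain', value=rrname, distribution=0)
            for r in rdata:
                o.add_attribute('rdata_ip', value=r, distribution=0)
        elif rrtype in ('CNAME', 'DNAME', 'NS'):
            # both sides are domains
            o.add_attribute('rrname_domain', value=rrname, distribution=0)
            for r in rdata:
                o.add_attribute('rdata_domain', value=r, distribution=0)
        elif rrtype == 'SOA':
            # left side is a domain, right side is text
            o.add_attribute('rrname_domain', value=rrname, distribution=0)

    # Generic attributes, present for every rrtype.
    o.add_attribute('rrname', value=rrname, distribution=0)
    o.add_attribute('rrtype', value=rrtype, distribution=0)
    for r in rdata:
        o.add_attribute('rdata', value=r, distribution=0)
    # FIXME: do we need to hex encode it?
    o.add_attribute('raw_rdata', value=json.dumps(rdata), distribution=0)
    o.add_attribute('time_first', value=entry['time_first'], distribution=0)
    o.add_attribute('time_last', value=entry['time_last'], distribution=0)
    o.first_seen = entry['time_first']  # is this redundant with the attribute?
    o.last_seen = entry['time_last']

    # Optional COF fields are copied through unchanged when present and truthy.
    for k in ('count', 'sensor_id', 'origin', 'text', 'time_first_ms',
              'time_last_ms', 'zone_time_first', 'zone_time_last'):
        if entry.get(k):
            o.add_attribute(k, value=entry[k], distribution=0)
    return o


def parse_and_insert_cof(data: str) -> dict:
    """Parse and validate COF (ndjson) data into ``passive-dns`` MISP objects.

    Parameters
    ----------
    data : str
        The COF input, one JSON document per line.

    Returns
    -------
    dict
        On success ``{'results': {'Object': [...]}}`` with one passive-dns
        object (as a plain dict) per input line; on failure a dict carrying
        an ``error`` message, ready to be returned to the caller of handler().

    Raises
    ------
    Nothing. Every exception is caught here and turned into the shared
    ``misperrors`` response; note that the exception text is echoed back to
    the caller verbatim.
    """
    objects = []
    try:
        for entry in ndjson.loads(data):
            # Simple validation (or full JSON Schema validation) per line.
            if not validate_cof(entry):
                return {"error": "Could not validate the COF input '%s'" % entry}
            objects.append(_cof_entry_to_object(entry).to_json())
        # Round-trip through JSON so the result holds plain dicts.
        return {'results': {'Object': [json.loads(obj) for obj in objects]}}
    except Exception as ex:
        # Shared module-level error dict, as the other handlers use it.
        misperrors["error"] = "An error occured during parsing of input: '%s'" % (str(ex),)
        return misperrors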