def add_hashes(self):
    """Attach hashes to the open MISP event, then refresh it via ``_change_event``.

    Two modes, chosen by whether any of ``--filename``/``--md5``/``--sha1``/
    ``--sha256`` was given:

    * none given: the attached sample is turned into MISP objects by
      ``make_binary_objects`` (file object, optional binary object, one object
      per section) and those are added to the event;
    * otherwise: each supplied hash becomes an attribute, as ``filename|<hash>``
      when a filename was given, as a bare ``md5``/``sha1``/``sha256`` otherwise.

    Returns:
        ``False`` when no value was given and no file is attached; ``None``
        otherwise.
    """
    args = self.args
    event = __sessions__.current.misp_event.event

    # (bare attribute type, filename-paired attribute type, supplied value)
    digests = (
        ('md5', 'filename|md5', args.md5),
        ('sha1', 'filename|sha1', args.sha1),
        ('sha256', 'filename|sha256', args.sha256),
    )
    nothing_supplied = args.filename is None and all(value is None for _, _, value in digests)

    if nothing_supplied:
        if not __sessions__.is_attached_file(True):
            self.log('error', "Not attached to a file, please set the hashes manually.")
            return False
        file_obj, bin_obj, sections = make_binary_objects(
            filepath=__sessions__.current.file.path, standalone=False)
        event.add_object(file_obj)
        if bin_obj:
            event.add_object(bin_obj)
        for section in sections:
            event.add_object(section)
    else:
        # NOTE(review): the hash strings come straight from the command line and
        # are not checked for length/hex format here; the MISP server is relied
        # on to validate them.
        for bare_type, paired_type, value in digests:
            if not value:
                continue
            if args.filename:
                event.add_attribute(paired_type, '{}|{}'.format(args.filename, value))
            else:
                event.add_attribute(bare_type, value)

    self._change_event()
def add_hashes(self):
    """Attach hashes to the open MISP event, then refresh it via ``_change_event``.

    With none of ``--filename``/``--md5``/``--sha1``/``--sha256`` given, a
    ``MISPObject('file')`` is built from the attached sample (filename, md5,
    sha1, sha256, each commented with the file's tags) and added to the event.
    Otherwise every supplied hash is added as an attribute: ``filename|<hash>``
    when a filename was given, a bare ``md5``/``sha1``/``sha256`` otherwise.

    Returns:
        ``False`` when no value was given and no file is attached; ``None``
        otherwise.
    """
    args = self.args
    event = __sessions__.current.misp_event.event

    digests = (
        ('md5', 'filename|md5', args.md5),
        ('sha1', 'filename|sha1', args.sha1),
        ('sha256', 'filename|sha256', args.sha256),
    )
    nothing_supplied = args.filename is None and all(value is None for _, _, value in digests)

    if nothing_supplied:
        if not __sessions__.is_attached_file(True):
            self.log('error', "Not attached to a file, please set the hashes manually.")
            return False
        current = __sessions__.current.file
        file_object = MISPObject('file')
        for attr_type, value in (('filename', current.name),
                                 ('md5', current.md5),
                                 ('sha1', current.sha1),
                                 ('sha256', current.sha256)):
            file_object.add_attribute(attr_type, value=value, comment=current.tags)
        event.add_object(file_object)
    else:
        # NOTE(review): CLI-supplied hashes are forwarded without a local
        # format check; validation happens server-side.
        for bare_type, paired_type, value in digests:
            if not value:
                continue
            if args.filename:
                event.add_attribute(paired_type, '{}|{}'.format(args.filename, value))
            else:
                event.add_attribute(bare_type, value)

    self._change_event()
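def add(self):
    """Add one indicator to a copy of the current MISP event and hand it to ``_check_add``.

    ``self.args.add`` names what to add; each kind is delegated to the matching
    ``self.misp.add_*`` helper, which returns the updated event.  For ``hashes``
    without explicit values the attached file's name, hashes and tags are used.
    The event is deep-copied first so a failed update leaves the session's
    event untouched.

    Fix: an unrecognised ``self.args.add`` value used to fall through every
    branch and then raise ``UnboundLocalError`` on ``event``; it is now
    reported with ``self.log('error', ...)``.

    Returns:
        ``False`` when hashes were requested but no file is attached and none
        were supplied; ``None`` otherwise (also after an error message).
    """
    args = self.args
    current_event = copy.deepcopy(__sessions__.current.misp_event.event)
    kind = args.add

    if kind == "hashes":
        nothing_supplied = (args.filename is None and args.md5 is None
                            and args.sha1 is None and args.sha256 is None)
        if nothing_supplied:
            if not __sessions__.is_attached_file(True):
                self.log("error", "Not attached to a file, please set the hashes manually.")
                return False
            current = __sessions__.current.file
            event = self.misp.add_hashes(
                current_event,
                filename=current.name,
                md5=current.md5,
                sha1=current.sha1,
                sha256=current.sha256,
                comment=current.tags,
            )
        else:
            # NOTE(review): user-supplied hashes are forwarded unvalidated;
            # the MISP server is relied on to reject malformed values.
            event = self.misp.add_hashes(
                current_event,
                filename=args.filename,
                md5=args.md5,
                sha1=args.sha1,
                sha256=args.sha256,
            )
    elif kind == "regkey":
        # ``--regkey`` takes "key" or "key value"; only the first two items are used.
        if len(args.regkey) == 2:
            reg, val = args.regkey
        else:
            reg = args.regkey[0]
            val = None
        event = self.misp.add_regkey(current_event, reg, val)
    else:
        # Remaining kinds take a single value; keep the table local so the
        # lambdas see ``current_event``.
        handlers = {
            "pipe": lambda: self.misp.add_pipe(current_event, args.pipe),
            "mutex": lambda: self.misp.add_mutex(current_event, args.mutex),
            "ipdst": lambda: self.misp.add_ipdst(current_event, args.ipdst),
            "hostname": lambda: self.misp.add_hostname(current_event, args.hostname),
            "domain": lambda: self.misp.add_domain(current_event, args.domain),
            "url": lambda: self.misp.add_url(current_event, args.full_url),
            "ua": lambda: self.misp.add_useragent(current_event, args.ua),
            # add_pattern(event, value, in_file, in_memory)
            "pattern_file": lambda: self.misp.add_pattern(current_event, args.pfile, True, False),
            "pattern_mem": lambda: self.misp.add_pattern(current_event, args.pmem, False, True),
            "pattern_traffic": lambda: self.misp.add_traffic_pattern(current_event, args.ptraffic),
        }
        handler = handlers.get(kind)
        if handler is None:
            self.log("error", "Nothing to add for '{}'.".format(kind))
            return
        event = handler()

    if self._has_error_message(event):
        return
    self._check_add(event)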
def add(self):
    """Add one indicator to a copy of the current MISP event and hand it to ``_check_add``.

    ``self.args.add`` selects the kind; each kind is delegated to the matching
    ``self.misp.add_*`` helper, which returns the updated event.  For
    ``hashes`` without explicit values the attached file's name, hashes and
    tags are used.  The event is deep-copied first so a failed update does not
    touch the session's event.

    Returns:
        ``False`` when hashes were requested but no file is attached and none
        were supplied; ``None`` otherwise (also after an error message).
    """
    args = self.args
    misp = self.misp
    current_event = copy.deepcopy(__sessions__.current.misp_event.event)
    kind = args.add

    def hashes_event():
        """Build the event for the ``hashes`` kind; ``False`` means 'nothing to use'."""
        supplied = (args.filename, args.md5, args.sha1, args.sha256)
        if any(value is not None for value in supplied):
            return misp.add_hashes(current_event,
                                   filename=args.filename,
                                   md5=args.md5,
                                   sha1=args.sha1,
                                   sha256=args.sha256)
        if not __sessions__.is_attached_file(True):
            self.log('error', "Not attached to a file, please set the hashes manually.")
            return False
        current = __sessions__.current.file
        return misp.add_hashes(current_event,
                               filename=current.name,
                               md5=current.md5,
                               sha1=current.sha1,
                               sha256=current.sha256,
                               comment=current.tags)

    if kind == 'hashes':
        event = hashes_event()
        if event is False:
            return False
    elif kind == 'regkey':
        # "key" alone or "key value"; anything beyond two items is ignored.
        reg = args.regkey[0]
        val = args.regkey[1] if len(args.regkey) == 2 else None
        event = misp.add_regkey(current_event, reg, val)
    elif kind == 'pipe':
        event = misp.add_pipe(current_event, args.pipe)
    elif kind == 'mutex':
        event = misp.add_mutex(current_event, args.mutex)
    elif kind == 'ipdst':
        event = misp.add_ipdst(current_event, args.ipdst)
    elif kind == 'hostname':
        event = misp.add_hostname(current_event, args.hostname)
    elif kind == 'domain':
        event = misp.add_domain(current_event, args.domain)
    elif kind == 'url':
        event = misp.add_url(current_event, args.full_url)
    elif kind == 'ua':
        event = misp.add_useragent(current_event, args.ua)
    elif kind == 'pattern_file':
        # add_pattern(event, value, in_file, in_memory)
        event = misp.add_pattern(current_event, args.pfile, True, False)
    elif kind == 'pattern_mem':
        event = misp.add_pattern(current_event, args.pmem, False, True)
    elif kind == 'pattern_traffic':
        event = misp.add_traffic_pattern(current_event, args.ptraffic)
    # NOTE(review): no final else -- an unknown kind leaves ``event`` unbound,
    # as in the original; the argument parser is assumed to restrict the choices.

    if self._has_error_message(event):
        return
    self._check_add(event)
def searchall(self):
    """Search MISP for the CLI query, or for the attached file's md5, sha1 and sha256.

    Returns:
        ``False`` when no query was given and no file is attached; ``None``
        otherwise.
    """
    if self.args.query:
        self._search(' '.join(self.args.query))
        return
    if not __sessions__.is_attached_file(True):
        self.log('error', "Not attached to a file, nothing to search for.")
        return False
    current = __sessions__.current.file
    for digest in (current.md5, current.sha1, current.sha256):
        self._search(digest)
def add_hashes(self):
    """Attach hashes to the open MISP event as attributes, then call ``_change_event``.

    With none of ``--filename``/``--md5``/``--sha1``/``--sha256`` given, the
    attached sample's name is paired with each of its hashes as
    ``filename|md5``, ``filename|sha1`` and ``filename|sha256`` attributes,
    commented with the file's tags.  Otherwise every supplied hash is added:
    paired with the filename when one was given, bare otherwise.

    Returns:
        ``False`` when no value was given and no file is attached; ``None``
        otherwise.
    """
    args = self.args
    event = __sessions__.current.misp_event.event

    def put(attr_type, value, **extra):
        event.add_attribute(attr_type, value, **extra)

    nothing_supplied = (args.filename is None and args.md5 is None
                        and args.sha1 is None and args.sha256 is None)
    if nothing_supplied:
        if not __sessions__.is_attached_file(True):
            self.log('error', "Not attached to a file, please set the hashes manually.")
            return False
        current = __sessions__.current.file
        for attr_type, digest in (('filename|md5', current.md5),
                                  ('filename|sha1', current.sha1),
                                  ('filename|sha256', current.sha256)):
            put(attr_type, '{}|{}'.format(current.name, digest), comment=current.tags)
    elif args.filename:
        # NOTE(review): CLI hashes are forwarded without a local format check.
        if args.md5:
            put('filename|md5', '{}|{}'.format(args.filename, args.md5))
        if args.sha1:
            put('filename|sha1', '{}|{}'.format(args.filename, args.sha1))
        if args.sha256:
            put('filename|sha256', '{}|{}'.format(args.filename, args.sha256))
    else:
        if args.md5:
            put('md5', args.md5)
        if args.sha1:
            put('sha1', args.sha1)
        if args.sha256:
            put('sha256', args.sha256)

    self._change_event()
def add_hashes(self):
    """Attach hashes to the open MISP event, then call ``_change_event``.

    With none of ``--filename``/``--md5``/``--sha1``/``--sha256`` given, the
    attached sample is described by the objects ``make_binary_objects``
    returns (file object, optional binary object, per-section objects), all
    added to the event.  Otherwise every supplied hash becomes an attribute:
    ``filename|<hash>`` when a filename was given, bare otherwise.

    Returns:
        ``False`` when no value was given and no file is attached; ``None``
        otherwise.
    """
    args = self.args
    event = __sessions__.current.misp_event.event

    def from_attached_file():
        """Add the objects built from the sample on disk; False if none is attached."""
        if not __sessions__.is_attached_file(True):
            self.log('error', "Not attached to a file, please set the hashes manually.")
            return False
        file_obj, bin_obj, sections = make_binary_objects(
            filepath=__sessions__.current.file.path, standalone=False)
        event.add_object(file_obj)
        if bin_obj:
            event.add_object(bin_obj)
        for section in sections:
            event.add_object(section)
        return True

    def from_arguments():
        """Add the CLI-supplied hashes; values are not format-checked locally."""
        if args.filename:
            if args.md5:
                event.add_attribute('filename|md5', '{}|{}'.format(args.filename, args.md5))
            if args.sha1:
                event.add_attribute('filename|sha1', '{}|{}'.format(args.filename, args.sha1))
            if args.sha256:
                event.add_attribute('filename|sha256', '{}|{}'.format(args.filename, args.sha256))
            return
        if args.md5:
            event.add_attribute('md5', args.md5)
        if args.sha1:
            event.add_attribute('sha1', args.sha1)
        if args.sha256:
            event.add_attribute('sha256', args.sha256)

    nothing_supplied = (args.filename is None and args.md5 is None
                        and args.sha1 is None and args.sha256 is None)
    if nothing_supplied:
        if from_attached_file() is False:
            return False
    else:
        from_arguments()

    self._change_event()
def run(self):
    """Entry point of the ``misp`` command.

    Resolves the connection settings and then runs the subcommand named by
    ``self.args.subname``.  In order:

    1. stop if argument parsing failed or pymisp is not installed;
    2. derive ``self.offline_mode`` from ``--on``/``--off`` and from the
       ``off`` flag of an attached MISP session (writing it back);
    3. take URL and API key from the CLI, falling back to ``cfg.misp``;
    4. read the default distribution and sharing group from the config,
       keeping them only when they are plain integers;
    5. build the ``PyMISP`` client unless offline;
    6. refuse subcommands that need a MISP or file session when none is
       attached, then dispatch.

    HTTP errors raised by a subcommand are logged rather than propagated.
    """
    super(MISP, self).run()
    if self.args is None:
        return
    if not HAVE_PYMISP:
        self.log('error', "Missing dependency, install pymisp (`pip install pymisp`)")
        return

    args = self.args

    # --- offline mode ---------------------------------------------------
    self.offline_mode = False
    if args.on:
        if __sessions__.is_attached_misp(True):
            __sessions__.current.misp_event.off = False
    elif args.off or (__sessions__.is_attached_misp(True)
                      and __sessions__.current.misp_event.off):
        self.offline_mode = True
        if __sessions__.is_attached_misp(True):
            __sessions__.current.misp_event.off = True

    # --- connection settings (CLI wins, config is the fallback) ----------
    # NOTE(review): a key given on the command line is visible to other local
    # users through the process list and shell history; the config file is the
    # safer place for it.
    self.url = args.url if args.url is not None else cfg.misp.misp_url
    if self.url is None:
        self.log('error', "This command requires the URL of the MISP instance you want to query.")
        return
    self.key = args.key if args.key is not None else cfg.misp.misp_key
    if self.key is None:
        self.log('error', "This command requires a MISP private API key.")
        return
    # NOTE(review): certificate verification is only on when --verify is given
    # (and cfg.misp.tls_verify agrees); if the flag's parser default is False
    # the client talks to MISP unverified by default -- confirm in the parser.
    verify = cfg.misp.tls_verify if args.verify else False

    # --- default distribution / sharing group from config ---------------
    def config_int(key, warning):
        """Optional integer from cfg.misp; '' and non-int values become None."""
        value = cfg.misp.get(key, None)
        if value == "":
            value = None
        # exact type check on purpose (as before): a bool is rejected as well
        if value is not None and type(value) is not int:
            self.log('info', warning)
            return None
        return value

    self.distribution = config_int(
        "misp_distribution",
        "The distribution stored in viper config is not an integer, setting to None")
    self.sharinggroup = config_int(
        "misp_sharinggroup",
        "The sharing group stored in viper config is not an integer, setting to None")

    # --- client ---------------------------------------------------------
    if not self.offline_mode:
        try:
            self.misp = PyMISP(self.url, self.key, ssl=verify,
                               proxies=cfg.misp.proxies, cert=cfg.misp.cert)
        except PyMISPError as e:
            # NOTE(review): `e.message` is not a standard attribute of Python 3
            # exceptions; this relies on PyMISPError providing it.
            self.log('error', e.message)
            return

    # --- dispatch -------------------------------------------------------
    subname = args.subname
    if subname in ['add_hashes', 'add', 'show', 'publish'] and not __sessions__.is_attached_misp():
        return
    if subname in ['upload'] and not __sessions__.is_attached_file():
        return

    # subcommand -> method name; a fixed allowlist, never getattr on raw input
    handlers = {
        'upload': 'upload',
        'search': 'searchall',
        'download': 'download',
        'check_hashes': 'check_hashes',
        'yara': 'yara',
        'pull': 'pull',
        'create_event': 'create_event',
        'add': 'add',
        'add_hashes': 'add_hashes',
        'show': 'show',
        'open': 'open_samples',
        'publish': 'publish',
        'version': 'version',
        'store': 'store',
        'tag': 'tag',
        'galaxies': 'galaxies',
        'admin': 'admin',
    }
    try:
        method_name = handlers.get(subname)
        if method_name is None:
            self.log('error', "No calls defined for this command.")
        else:
            getattr(self, method_name)()
    except requests.exceptions.HTTPError as e:
        self.log('error', e)
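def run(self):
    """Entry point of the ``virustotal`` command.

    After the dependency check exactly one sub-action runs, in this priority:
    ``--misp``, ``--ip``, ``--domain``, ``--url``, ``--download-list``,
    ``--download-open``, ``--download-open-name``, ``--download-delete``.
    Otherwise the search term is ``--search`` or, with a file attached, its
    md5; that term is scanned and optionally downloaded and commented on.

    Fixes:
    * the ``--download-delete <id>`` branch used a bare ``except:``, which also
      swallowed ``KeyboardInterrupt``/``SystemExit``; it now catches only the
      errors the message describes (bad index, non-numeric id, failed remove);
    * ``--download-open-name`` with an unknown name ended silently (its
      ``except IndexError`` could never fire); it now reports the miss.
    """
    super(VirusTotal, self).run()
    if self.args is None:
        return
    if not HAVE_VT:
        self.log('error', "Missing dependency, install virustotal-api (`pip install virustotal-api`)")
        return

    args = self.args
    to_search = None
    path_to_submit = None

    def open_cached(eid, path):
        """Tell the user which MISP event a cached sample belongs to, then open it."""
        if eid:
            if __sessions__.is_attached_misp(quiet=True):
                if __sessions__.current.misp_event.event.id != int(eid):
                    self.log('warning', 'You opened a sample related to a MISP event different than the one you are currently connected to: {}.'.format(eid))
                else:
                    self.log('success', 'You opened a sample related to the current MISP event.')
            else:
                self.log('warning', 'This samples is linked to the MISP event {eid}. You may want to run misp pull {eid}'.format(eid=eid))
        return __sessions__.new(path)

    if args.misp:
        self.misp(args.misp, args.verbose, args.submit)
    elif args.ip:
        self.pdns_ip(args.ip, args.verbose)
    elif args.domain:
        self.pdns_domain(args.domain, args.verbose)
    elif args.url:
        self.url(args.url, args.verbose, args.submit)
    elif args.download_list:
        self._display_tmp_files()
    elif args.download_open is not None:
        tmp_samples = self._load_tmp_samples()
        try:
            eid, path, _name = tmp_samples[args.download_open]
        except IndexError:
            self.log('error', 'Invalid id, please use virustotal -dl.')
        else:
            return open_cached(eid, path)
    elif args.download_open_name is not None:
        for eid, path, name in self._load_tmp_samples():
            if name == args.download_open_name:
                return open_cached(eid, path)
        self.log('error', 'No downloaded sample named {}, please use virustotal -dl.'.format(args.download_open_name))
    elif args.download_delete is not None:
        if args.download_delete == 'all':
            samples_path = os.path.join(self.cur_path, 'vt_samples')
            if os.path.exists(samples_path):
                shutil.rmtree(samples_path)
                self.log('success', 'Successfully removed {}'.format(samples_path))
            else:
                self.log('error', '{} does not exists'.format(samples_path))
        else:
            tmp_samples = self._load_tmp_samples()
            try:
                # ValueError: non-numeric id; IndexError: out of range;
                # OSError: the cached path no longer exists / cannot be removed.
                _eid, path, _name = tmp_samples[int(args.download_delete)]
                os.remove(path)
            except (ValueError, IndexError, OSError):
                self.log('error', 'Invalid id, please use virustotal -dl.')
            else:
                self.log('success', 'Successfully removed {}'.format(path))
    elif args.search:
        to_search = args.search
    elif __sessions__.is_attached_file():
        to_search = __sessions__.current.file.md5

    if args.submit and __sessions__.is_attached_file():
        path_to_submit = __sessions__.current.file.path

    if to_search:
        self.scan(to_search, args.verbose, args.submit, path_to_submit)
        if args.download:
            self.download(to_search, args.verbose)
        if args.comment:
            response = self.vt.put_comments(to_search, ' '.join(args.comment))
            if not self._has_fail(response):
                self.log('info', ("{}: {}".format(bold("VirusTotal message"), response['results']['verbose_msg'])))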
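def run(self):
    """Entry point of the ``virustotal`` command.

    After the dependency check exactly one sub-action runs, in this priority:
    ``--misp``, ``--ip``, ``--domain``, ``--url``, ``--download-list``,
    ``--download-open``, ``--download-delete``.  Otherwise the search term is
    ``--search`` or, with a file attached, its md5; that term is scanned and
    optionally downloaded and commented on.

    Fix: the ``--download-delete <id>`` branch used a bare ``except:``, which
    also swallowed ``KeyboardInterrupt``/``SystemExit``; it now catches only
    the errors the message describes (bad index, non-numeric id, failed
    remove).
    """
    super(VirusTotal, self).run()
    if self.args is None:
        return
    if not HAVE_VT:
        self.log(
            'error',
            "Missing dependency, install virustotal-api (`pip install virustotal-api`)"
        )
        return

    args = self.args
    to_search = None
    path_to_submit = None

    if args.misp:
        self.misp(args.misp, args.verbose, args.submit)
    elif args.ip:
        self.pdns_ip(args.ip, args.verbose)
    elif args.domain:
        self.pdns_domain(args.domain, args.verbose)
    elif args.url:
        self.url(args.url, args.verbose, args.submit)
    elif args.download_list:
        self._display_tmp_files()
    elif args.download_open is not None:
        tmp_samples = self._load_tmp_samples()
        try:
            eid, path, _name = tmp_samples[args.download_open]
        except IndexError:
            self.log('error', 'Invalid id, please use virustotal -dl.')
        else:
            if eid:
                if __sessions__.is_attached_misp(quiet=True):
                    # NOTE(review): compared without conversion; if the cached
                    # list stores eid as a string while event_id is an int this
                    # is never equal -- confirm against _load_tmp_samples.
                    if __sessions__.current.misp_event.event_id != eid:
                        self.log(
                            'warning',
                            'You opened a sample related to a MISP event different than the one you are currently connected to: {}.'
                            .format(eid))
                    else:
                        self.log(
                            'success',
                            'You opened a sample related to the current MISP event.'
                        )
                else:
                    self.log(
                        'warning',
                        'This samples is linked to the MISP event {eid}. You may want to run misp pull {eid}'
                        .format(eid=eid))
            return __sessions__.new(path)
    elif args.download_delete is not None:
        if args.download_delete == 'all':
            samples_path = os.path.join(self.cur_path, 'vt_samples')
            if os.path.exists(samples_path):
                shutil.rmtree(samples_path)
                self.log('success', 'Successfully removed {}'.format(samples_path))
            else:
                self.log('error', '{} does not exists'.format(samples_path))
        else:
            tmp_samples = self._load_tmp_samples()
            try:
                # ValueError: non-numeric id; IndexError: out of range;
                # OSError: cached path missing or not removable.
                _eid, path, _name = tmp_samples[int(args.download_delete)]
                os.remove(path)
            except (ValueError, IndexError, OSError):
                self.log('error', 'Invalid id, please use virustotal -dl.')
            else:
                self.log('success', 'Successfully removed {}'.format(path))
    elif args.search:
        to_search = args.search
    elif __sessions__.is_attached_file():
        to_search = __sessions__.current.file.md5

    if args.submit and __sessions__.is_attached_file():
        path_to_submit = __sessions__.current.file.path

    if to_search:
        self.scan(to_search, args.verbose, args.submit, path_to_submit)
        if args.download:
            self.download(to_search, args.verbose)
        if args.comment:
            response = self.vt.put_comments(to_search, ' '.join(args.comment))
            if not self._has_fail(response):
                self.log(
                    'info',
                    ("{}: {}".format(bold("VirusTotal message"),
                                     response['results']['verbose_msg'])))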
def run(self):
    """Entry point of the ``misp`` command: build the client, then dispatch on subcommand.

    URL and API key come from ``--url``/``--key`` with ``cfg.misp`` as the
    fallback and are both required.  TLS verification follows ``--verify`` and
    ``cfg.misp.misp_verify``.  Subcommands that need an attached MISP event or
    file session are refused without one.  HTTP errors raised by a subcommand
    are logged, not propagated.
    """
    super(MISP, self).run()
    if self.args is None:
        return
    if not HAVE_PYMISP:
        self.log('error', "Missing dependency, install pymisp (`pip install pymisp`)")
        return

    args = self.args

    # CLI value wins; config is the fallback.
    # NOTE(review): a key passed on the command line shows up in the process
    # list and shell history; the config file is the safer place for it.
    self.url = cfg.misp.misp_url if args.url is None else args.url
    self.key = cfg.misp.misp_key if args.key is None else args.key
    if self.url is None:
        self.log('error', "This command requires the URL of the MISP instance you want to query.")
        return
    if self.key is None:
        self.log('error', "This command requires a MISP private API key.")
        return

    # NOTE(review): verification is disabled whenever --verify is absent;
    # check the flag's parser default before relying on a verified connection.
    verify = cfg.misp.misp_verify if args.verify else False
    try:
        self.misp = PyMISP(self.url, self.key, verify, 'json')
    except PyMISPError as e:
        # NOTE(review): relies on PyMISPError defining `.message`.
        self.log('error', e.message)
        return

    subname = args.subname
    # Session requirements of some subcommands (the checks log on failure).
    if subname in ['add', 'show', 'publish'] and not __sessions__.is_attached_misp():
        return
    if subname in ['upload'] and not __sessions__.is_attached_file():
        return

    # subcommand -> method name; a fixed allowlist, never getattr on raw input
    commands = {
        'upload': 'upload',
        'search': 'searchall',
        'download': 'download',
        'check_hashes': 'check_hashes',
        'yara': 'yara',
        'pull': 'pull',
        'create_event': 'create_event',
        'add': 'add',
        'show': 'show',
        'open': 'open',
        'publish': 'publish',
        'version': 'version',
        'store': 'store',
    }
    try:
        if subname in commands:
            getattr(self, commands[subname])()
        else:
            self.log('error', "No calls defined for this command.")
    except requests.exceptions.HTTPError as e:
        self.log('error', e)
def run(self):
    """Entry point of the ``misp`` command: build the client, then dispatch on subcommand.

    ``--url``/``--key`` override ``cfg.misp.misp_url``/``cfg.misp.misp_key``;
    both must resolve to a value.  TLS verification follows ``--verify`` and
    ``cfg.misp.misp_verify``.  Subcommands that need an attached MISP event or
    file session are refused without one.  HTTP errors raised by a subcommand
    are logged, not propagated.
    """
    super(MISP, self).run()
    if self.args is None:
        return
    if not HAVE_PYMISP:
        self.log("error", "Missing dependency, install pymisp (`pip install pymisp`)")
        return

    args = self.args

    def pick(cli_value, config_value):
        """CLI value unless it is None, then the config value."""
        return config_value if cli_value is None else cli_value

    # NOTE(review): a key on the command line is visible to other local users
    # (process list, shell history); prefer the config file for it.
    self.url = pick(args.url, cfg.misp.misp_url)
    self.key = pick(args.key, cfg.misp.misp_key)
    if self.url is None:
        self.log("error", "This command requires the URL of the MISP instance you want to query.")
        return
    if self.key is None:
        self.log("error", "This command requires a MISP private API key.")
        return

    # NOTE(review): without --verify the TLS certificate is not checked at all;
    # confirm the flag's parser default matches the intended posture.
    verify = False
    if args.verify:
        verify = cfg.misp.misp_verify
    try:
        self.misp = PyMISP(self.url, self.key, verify, "json")
    except PyMISPError as e:
        # NOTE(review): relies on PyMISPError defining `.message`.
        self.log("error", e.message)
        return

    subname = args.subname
    needs_misp = ["add", "show", "publish"]
    needs_file = ["upload"]
    if subname in needs_misp and not __sessions__.is_attached_misp():
        return
    if subname in needs_file and not __sessions__.is_attached_file():
        return

    # (subcommand, method name) pairs; fixed allowlist, never getattr on raw input
    dispatch = (
        ("upload", "upload"),
        ("search", "searchall"),
        ("download", "download"),
        ("check_hashes", "check_hashes"),
        ("yara", "yara"),
        ("pull", "pull"),
        ("create_event", "create_event"),
        ("add", "add"),
        ("show", "show"),
        ("open", "open"),
        ("publish", "publish"),
        ("version", "version"),
        ("store", "store"),
    )
    try:
        for name, method_name in dispatch:
            if subname == name:
                getattr(self, method_name)()
                break
        else:
            self.log("error", "No calls defined for this command.")
    except requests.exceptions.HTTPError as e:
        self.log("error", e)