def handler(q=False):
# Just in case we have no data
if q is False:
return False
# The return value
r = {'results': []}
# Load up that JSON
q = json.loads(q)
# It's b64 encoded, so decode that stuff
package = base64.b64decode(q.get("data")).decode('utf-8')
# If something really weird happened
if not package:
return json.dumps({"success": 0})
pkg = stix.load_stix(package)
for attrib in pkg.attributes:
r["results"].append({
"values": [attrib.value],
"types": [attrib.type],
"categories": [attrib.category]
})
return r
def upload_misp(self, package_id):
stix_file = StixFiles.objects.get(package_id=package_id)
stix_package = STIXPackage.from_xml(stix_file.content)
misp_event = load_stix(stix_package)
tag = self.get_tlp_tag(stix_package)
if tag is not None:
misp_event.add_tag(tag)
resp = self.py_misp.add_event(misp_event)
if resp.has_key('Event') == True:
return resp
else:
raise Exception(str(resp['errors']))
def upload_misp(self, package_id):
stix_file = StixFiles.objects.get(package_id=package_id)
if stix_file.version.startswith('1.'):
content = stix_file.content
else:
content = io.StringIO(stix_file.get_slide_12())
stix_package = STIXPackage.from_xml(content)
misp_event = load_stix(stix_package)
tag = self.get_tlp_tag(stix_package)
if tag is not None:
misp_event.add_tag(tag)
resp = self.py_misp.add_event(misp_event)
if ('Event' in resp):
return resp
else:
raise Exception(str(resp['errors']))
def handler(q=False):
# Just in case we have no data
if q is False:
return False
# The return value
r = {'results': []}
# Load up that JSON
q = json.loads(q)
# It's b64 encoded, so decode that stuff
package = base64.b64decode(q.get("data")).decode('utf-8')
# If something really weird happened
if not package:
return json.dumps({"success": 0})
pkg = stix.load_stix(package)
for attrib in pkg.attributes:
r["results"].append({ "values" : [attrib.value] , "types": [attrib.type], "categories": [attrib.category]})
return r
def handler(q=False):
# Just in case we have no data
if q is False:
return False
# The return value
r = OrderedDict()
r = {'results': []}
comment = ""
# Load up that JSON
q = json.loads(q)
# Get virustotal api key
key = q["config"]["VTapikey"]
#MISPurl = q["config"]["MISPurl"]
#MISPkey = q["config"]["MISPkey"]
# It's b64 encoded, so decode that stuff
package = base64.b64decode(q.get("data")).decode('utf-8')
# If something really weird happened
if not package:
return json.dumps({"success": 0})
pkg = stix.load_stix(package)
for attrib in pkg.attributes:
#If it's a md5, scan with virustotal API
if "md5" in attrib.type:
md5 = attrib.value
VTAPIresult = vtAPIscan(md5, key)
r["results"].append({
"values": [attrib.value],
"types": [attrib.type],
"categories": [attrib.category],
"comment": VTAPIresult
})
#If it's domain or url, perform webcrawling
elif "url" in attrib.type or "ip-dst" in attrib.type or "domain" in attrib.type:
url = attrib.value
# If the url contains directory or filename, remove them and create a new attribute
if url.find("/", 8) > 0:
pos = url.find("/", 8)
print(pos)
newURL = url[:pos]
comment = scanURL(newURL)
r["results"].append({
"values": [newURL],
"types": [attrib.type],
"categories": [attrib.category],
"comment": comment
})
comment = scanURL(url)
r["results"].append({
"values": [attrib.value],
"types": [attrib.type],
"categories": [attrib.category],
"comment": comment
})
else:
r["results"].append({
"values": [attrib.value],
"types": [attrib.type],
"categories": [attrib.category],
"comment": " "
})
return r
