def populate(self, json):
    """Load this search hit from its JSON representation.

    ``json['event']`` is mandatory. When a ``'report'`` or ``'reference'``
    entry is present the hit is treated as report material and the
    ``'observable'``/``'object'``/``'attribute'`` entries are not read at
    all; otherwise each of those three is loaded when present and truthy.
    """
    event_data = json['event']
    self.event = Event()
    self.event.populate(event_data)

    report_data = json.get('report', None)
    reference_data = json.get('reference', None)
    if report_data or reference_data:
        if report_data:
            self.report = Report()
            self.report.populate(report_data)
        if reference_data:
            self.reference = Reference()
            self.reference.populate(reference_data)
        return

    # Plain (non-report) hit: the JSON key doubles as the attribute name.
    for key, factory in (('observable', Observable), ('object', Object), ('attribute', Attribute)):
        payload = json.get(key, None)
        if payload:
            instance = factory()
            instance.populate(payload)
            setattr(self, key, instance)
class SearchResult(RestBase):
    """One hit of a REST search: the owning event plus the matched sub-item.

    Exactly which sub-item slots get filled depends on the JSON handed to
    ``populate``; every slot starts out as ``None``.
    """

    def __init__(self):
        RestBase.__init__(self)
        self.event = None
        self.object = None
        self.observable = None
        self.attribute = None
        self.report = None
        self.reference = None

    def populate(self, json):
        """Load the hit from *json*.

        ``json['event']`` is mandatory. If a ``'report'`` or ``'reference'``
        entry is present, only those two are loaded; otherwise the
        ``'observable'``, ``'object'`` and ``'attribute'`` entries are loaded
        when present and truthy.
        """
        event_data = json['event']
        self.event = Event()
        self.event.populate(event_data)

        report_data = json.get('report', None)
        reference_data = json.get('reference', None)
        if report_data or reference_data:
            if report_data:
                self.report = Report()
                self.report.populate(report_data)
            if reference_data:
                self.reference = Reference()
                self.reference.populate(reference_data)
            return

        # Plain (non-report) hit: the JSON key doubles as the attribute name.
        for key, factory in (('observable', Observable), ('object', Object), ('attribute', Attribute)):
            payload = json.get(key, None)
            if payload:
                instance = factory()
                instance.populate(payload)
                setattr(self, key, instance)
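def populate(self, json):
    """Fill this observable from its JSON representation.

    Args:
        json: dict as delivered by the REST API. Only the keys read below
            are used; an absent or falsy key leaves the matching attribute
            untouched (``version`` defaults to ``''``).

    Side effects:
        Appends to ``self.related_observables`` (assumed to be initialised
        as a list by the constructor -- not visible here) and mutates
        ``self.properties`` in place.
    """
    self.identifier = json.get('identifier', None)
    self.title = json.get('title', None)
    self.description = json.get('description', None)
    self.version = json.get('version', '')
    # NOTE(review): the fallback Properties('0') is constructed on every call,
    # and whether Properties.populate accepts a Properties instance rather
    # than a dict is not visible from here -- confirm.
    self.properties.populate(json.get('properties', Properties('0')))

    # Nested payloads. The previous version chained these lookups as
    # ``obj = self.title = json.get(...)``, which overwrote the title set
    # above with the last nested payload (or None); each lookup is now its own.
    obj = json.get('object', None)
    if obj:
        obj_instance = Object()
        obj_instance.populate(obj)
        self.object = obj_instance

    comp = json.get('observable_composition', None)
    if comp:
        comp_instance = ObservableComposition()
        comp_instance.populate(comp)
        self.observable_composition = comp_instance

    rel_obs = json.get('related_observables', None)
    if rel_obs:
        for rel_ob in rel_obs:
            related = RelatedObservable()
            related.populate(rel_ob)
            self.related_observables.append(related)

    modifier_group = json.get('modifier_group', None)
    if modifier_group:
        group = Group()
        group.populate(modifier_group)
        # Attribute is named ``modifier`` (not ``modifier_group``); kept as-is
        # because callers may read it under that name.
        self.modifier = group

    creator_group = json.get('creator_group', None)
    if creator_group:
        group = Group()
        group.populate(creator_group)
        self.creator_group = group

    created_at = json.get('created_at', None)
    if created_at:
        self.created_at = strings.stringToDateTime(created_at)

    modified_on = json.get('modified_on', None)
    if modified_on:
        self.modified_on = strings.stringToDateTime(modified_on)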
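def create_observable(self, id_, uuid, category, type_, value, data, comment, ioc, share, event):
    """Convert one MISP attribute into either a report reference or an Observable.

    Attributes whose category/type pair describes analysis context (links,
    comments, vulnerabilities, attribution, ...) are filed as a ``Reference``
    on ``event.reports[0]`` -- created on first use -- and ``None`` is
    returned. Every other attribute becomes a new ``Observable`` carrying one
    ``Object`` whose attributes are produced by ``append_attributes``.

    Args:
        id_: MISP attribute id.
        uuid: identifier reused for the created reference or attribute.
        category, type_, value: MISP category, type and raw value.
        data: attachment payload, forwarded to ``create_reference``.
        comment: optional free text; for references it is appended to the
            report description, for observables it is passed to
            ``make_observable``.
        ioc: IOC flag forwarded to ``append_attributes``.
        share: shareability flag forwarded to ``set_properties``.
        event: the event being converted (its ``reports`` list is mutated).

    Returns:
        The new ``Observable``, or ``None`` when the attribute was filed as a
        reference or ``create_reference`` produced nothing.
    """
    if self._is_report_material(category, type_):
        value_template = None
    elif category == 'payload installation' and type_ == 'vulnerability':
        # NOTE: the misspelling is deliberately left untouched -- this is a
        # stored value prefix, not a log message, so changing it alters output.
        value_template = u'Vulnerablility: {0}'
    elif category == 'attribution':
        value_template = u'Attribution: {0}'
    else:
        return self._create_plain_observable(id_, uuid, category, type_, value, comment, ioc, share, event)

    reference = self.create_reference(id_, uuid, category, type_, value, data, share, event)
    if reference:
        if value_template:
            reference.value = value_template.format(reference.value)
        self._file_reference(event, reference, comment)
    return None

def _is_report_material(self, category, type_):
    """Return True when the category/type pair belongs in the event report rather than an Observable."""
    analysis_categories = ['external analysis', 'internal reference', 'targeting data', 'antivirus detection']
    analysis_types = ['attachment', 'comment', 'link', 'text', 'url', 'malware-sample',
                      'filename|sha1', 'filename|md5', 'filename|sha256', 'vulnerability']
    return ((category in analysis_categories and type_ in analysis_types)
            or (category == 'internal reference' and type_ in ['text', 'comment'])
            or type_ == 'other'
            or (category == 'attribution' and type_ == 'comment')
            or category == 'other'
            or (category == 'antivirus detection' and type_ == 'link'))

def _file_reference(self, event, reference, comment):
    """Attach *reference* to the event's single report, creating that report on first use.

    *comment*, when given, is appended to the report description
    (separated by ``' - '`` if a description already exists).
    """
    if not event.reports:
        report = Report()
        report.identifier = uuid4()
        # The report is created with True rather than ``share``, as before.
        self.set_properties(report, True)
        self.set_extended_logging(report, event)
        event.reports.append(report)
    report = event.reports[0]
    if comment:
        if report.description:
            report.description = report.description + ' - ' + comment
        else:
            report.description = comment
    report.references.append(reference)

def _create_plain_observable(self, id_, uuid, category, type_, value, comment, ioc, share, event):
    """Build an Observable holding one Object populated via ``append_attributes``."""
    observable = self.make_observable(event, comment, share)
    obj = Object()
    obj.identifier = uuid4()
    self.set_properties(obj, share)
    self.set_extended_logging(obj, event)
    observable.object = obj
    obj.definition = self.get_object_definition(category, type_, value, event)
    if obj.definition:
        obj.definition_id = obj.definition.identifier
    # The attribute(s) for the object come from the (possibly recursive) mapper.
    self.append_attributes(obj, observable, id_, category, type_, value, ioc, share, event, uuid)
    if not observable.description:
        # Normalise an empty description to None.
        observable.description = None
    return observable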
def append_attributes(self, obj, observable, id_, category, type_, value, ioc, share, event, uuid):
    """Translate one MISP attribute into attribute(s) on *obj*.

    Composite MISP types -- registry keys, ``filename|<hash>`` pairs and
    ``malware-sample`` -- are split into their parts and this method recurses
    once per part. Every other type becomes a single ``Attribute`` appended to
    ``obj.attributes``.

    Args:
        obj: Object the new attribute(s) are appended to.
        observable: Observable owning *obj*; passed through to
            ``get_attibute_definition``.
        id_: MISP attribute id, used for attachment download and log lines.
        category, type_, value: MISP category, type and raw value.
        ioc: only the integer ``1`` marks the attribute as an IOC.
        share: shareability flag forwarded to ``set_properties``.
        event: event being converted; used for definitions and log context.
        uuid: identifier for the first created attribute; secondary parts of a
            composite type get a fresh ``uuid4()``.

    Raises:
        MispMappingException: unknown registry hive, unmappable composed type,
            a ``malware-sample`` value that does not split into two parts, or
            a missing Artifact / raw_artifact definition.
    """
    if type_ in ['regkey', 'regkey|value']:
        # Registry values arrive as "hive\key [value-name]|data"; a bare
        # "hive\key" has no pipe. Forward slashes are normalised to backslashes.
        if '|' in value:
            value = value.replace('/', '\\')
            splited = value.split('|')
            pos = splited[0].find("\\")
            key_name = splited[0][pos + 1:]
            # A space after the key separates the value name, if any.
            splitted = key_name.split(' ')
            if len(splitted) > 1:
                key = splitted[0]
                name = splitted[1]
            else:
                key = key_name
                name = None
            hive = splited[0][0:pos]
            data = splited[1]
        else:
            value = value.replace('/', '\\')
            pos = value.find("\\")
            key = value[pos + 1:]
            hive = value[0:pos]
            data = None
            name = None
        # Canonicalise hive spellings. Anything else starting with 'H' (except
        # 'HKCU_Classes') is rejected; other prefixes are treated as "no hive".
        if hive == 'HKLM' or 'HKEY_LOCAL_MACHINE' in hive:
            hive = 'HKEY_LOCAL_MACHINE'
        elif hive in ['HKCU', 'HK_CURRENT_USER', 'HCKU'] or 'HKEY_CURRENT_USER' in hive:
            hive = 'HKEY_CURRENT_USER'
        elif hive in ['HKEY_CURRENTUSER', 'HKU']:
            hive = 'HKEY_CURRENT_USER'
        elif hive in ['HKCR', 'HKEY_CLASSES_ROOT']:
            hive = 'HKEY_CLASSES_ROOT'
        else:
            if hive[0:1] == 'H' and hive != 'HKCU_Classes':
                message = '"{0}" not defined from {1}'.format(hive, self.__get_event_msg(event))
                self.syslogger.error(message)
                raise MispMappingException(message)
            else:
                hive = None
        # One attribute per present component; the key itself keeps the caller's uuid.
        if hive:
            self.append_attributes(obj, observable, id_, category, 'WindowsRegistryKey_Hive', hive, ioc, share, event, uuid4())
        if name:
            self.append_attributes(obj, observable, id_, category, 'WindowsRegistryKey_RegistryValue_Name', name, ioc, share, event, uuid4())
        if data:
            self.append_attributes(obj, observable, id_, category, 'WindowsRegistryKey_RegistryValue_Data', data, ioc, share, event, uuid4())
        self.append_attributes(obj, observable, id_, category, 'WindowsRegistryKey_Key', key, ioc, share, event, uuid)
    elif '|' in type_:
        # it is a composed attribute
        if type_ in ('filename|md5', 'filename|sha1', 'filename|sha256'):
            splitted = type_.split('|')
            if len(splitted) == 2:
                first_type = splitted[0]
                second_type = splitted[1]
                # NOTE(review): a value without '|' raises IndexError here rather
                # than MispMappingException -- confirm whether that is acceptable.
                splitted_values = value.split('|')
                first_value = splitted_values[0]
                second_value = splitted_values[1]
                self.append_attributes(obj, observable, id_, category, first_type, first_value, ioc, share, event, uuid)
                self.append_attributes(obj, observable, id_, category, second_type, second_value, ioc, share, event, uuid4())
            else:
                message = 'Composed attribute {0} splits into more than 2 elements for {1}'.format(type_, self.__get_event_msg(event))
                self.syslogger.error(message)
                raise MispMappingException(message)
        else:
            message = 'Composed attribute {0} cannot be mapped for {1}'.format(type_, self.__get_event_msg(event))
            self.syslogger.error(message)
            raise MispMappingException(message)
    elif category in ['artifacts dropped', 'payload delivery', 'payload installation'] and type_ == 'malware-sample':
        # "filename|hash": the name becomes File_Name, the hash's type is
        # detected from its form; the sample itself is then fetched by uuid.
        filename = value
        filename_uuid = uuid
        splitted = value.split('|')
        if len(splitted) == 2:
            first_type = 'File_Name'
            first_value = splitted[0]
            filename = first_value
            second_value = splitted[1]
            second_type = self.get_hash_type(second_value)
            self.append_attributes(obj, observable, id_, category, first_type, first_value, ioc, share, event, uuid)
            self.append_attributes(obj, observable, id_, category, second_type, second_value, ioc, share, event, uuid4())
        else:
            # Also reached when the value has no '|' at all; the message then reads oddly.
            message = 'Composed attribute {0} splits into more than 2 elements for {1}'.format(type_, self.__get_event_msg(event))
            self.syslogger.error(message)
            raise MispMappingException(message)
        # Download the attachment if it exists
        data = self.fetch_attachment(id_, filename_uuid, event.identifier, filename)
        if data:
            message = u'Downloaded file "{0}" id:{1} from {2}'.format(filename, id_, self.__get_event_msg(event))
            self.syslogger.info(message)
            # build raw_artifact
            raw_artifact = Object()
            raw_artifact.identifier = uuid4()
            self.set_properties(raw_artifact, share)
            self.set_extended_logging(raw_artifact, event)
            raw_artifact.definition = self.get_object_definition('Artifact', None, None, event)
            if raw_artifact.definition:
                raw_artifact.definition_id = raw_artifact.definition.identifier
            else:
                message = 'Could not find object definition Artifact from {0}'.format(self.__get_event_msg(event))
                self.syslogger.error(message)
                raise MispMappingException(message)
            # add raw artifact
            attr = Attribute()
            attr.identifier = uuid4()
            attr.definition = self.get_attibute_definition('', 'raw_artifact', None, raw_artifact, observable, attr, event)
            if attr.definition:
                attr.definition_id = attr.definition.identifier
            else:
                message = 'Could not find attribute definition raw_artifact from {0}'.format(self.__get_event_msg(event))
                self.syslogger.error(message)
                raise MispMappingException(message)
            # NOTE(review): in the collapsed source this line reads as a
            # commented-out assignment, so the raw_artifact attribute may carry
            # no value at all -- confirm against the repository whether
            # ``attr.value = base64.b64encode(data)`` is meant to be live.
            # TODO attr.value = base64.b64encode(data)
            self.set_properties(attr, share)
            self.set_extended_logging(attr, event)
            raw_artifact.attributes.append(attr)
            # The downloaded sample hangs off *obj* as a related object.
            rel_Object = RelatedObject()
            rel_Object.object = raw_artifact
            obj.related_objects.append(rel_Object)
        else:
            message = u'Failed to download file "{0}" id:{1}, add manually form {2}'.format(filename, id_, self.__get_event_msg(event))
            self.syslogger.warning(message)
    else:
        attribute = Attribute()
        # workaround for https://github.com/MISP/MISP/issues/452
        # MISP may hand out the same uuid twice; the second occurrence gets a
        # fresh one. ``seen_attr_ids`` is a list, so this membership test is
        # linear in the number of attributes converted so far.
        if uuid not in self.seen_attr_ids:
            attribute.identifier = uuid
            self.seen_attr_ids.append(uuid)
        else:
            uuid = '{0}'.format(uuid4())
            self.seen_attr_ids.append(uuid)
            attribute.identifier = uuid
        self.set_properties(attribute, share)
        self.set_extended_logging(attribute, event)
        attribute.definition = self.get_attibute_definition(category, type_, value, obj, observable, attribute, event)
        # A missing definition is not an error here: the attribute is appended
        # without a definition_id.
        if attribute.definition:
            attribute.definition_id = attribute.definition.identifier
        attribute.value = value
        # Only the exact integer 1 counts as an IOC marker.
        if ioc == 1:
            attribute.is_ioc = True
        else:
            attribute.is_ioc = False
        # Unconditionally shareable, regardless of *share*.
        attribute.properties.is_shareable = True
        obj.attributes.append(attribute)