def handler(q=False): if q: request = json.loads(q) if not request.get('config') and not (request['config'].get('apikey')): misperrors['error'] = 'Onyphe authentication is missing' return misperrors api = Onyphe(request['config'].get('apikey')) if not api: misperrors['error'] = 'Onyphe Error instance api' ip = '' if request.get('ip-src'): ip = request['ip-src'] elif request.get('ip-dst'): ip = request['ip-dst'] else: misperrors['error'] = "Unsupported attributes type" return misperrors return handle_expansion(api, ip, misperrors) else: return False
def handler(q=False): if q: request = json.loads(q) if not request.get('config') and not (request['config'].get('apikey')): misperrors['error'] = 'Onyphe authentication is missing' return misperrors api = Onyphe(request['config'].get('apikey')) if not api: misperrors['error'] = 'Onyphe Error instance api' ip = '' if request.get('ip-src'): ip = request['ip-src'] return handle_ip(api ,ip, misperrors) elif request.get('ip-dst'): ip = request['ip-dst'] return handle_ip(api,ip,misperrors) elif request.get('domain'): domain = request['domain'] return handle_domain(api, domain, misperrors) elif request.get('hostname'): hostname = request['hostname'] return handle_domain(api, hostname, misperrors) else: misperrors['error'] = "Unsupported attributes type" return misperrors else: return False
def __init__(self, api_key, attribute): self.onyphe_client = Onyphe(api_key=api_key) self.attribute = attribute self.misp_event = MISPEvent() self.misp_event.add_attribute(**attribute)
class OnypheClient: def __init__(self, api_key, attribute): self.onyphe_client = Onyphe(api_key=api_key) self.attribute = attribute self.misp_event = MISPEvent() self.misp_event.add_attribute(**attribute) def get_results(self): event = json.loads(self.misp_event.to_json()) results = { key: event[key] for key in ('Attribute', 'Object') if key in event } return results def get_query_onyphe(self): if self.attribute['type'] == 'ip-src' or self.attribute[ 'type'] == 'ip-dst': self.__summary_ip() if self.attribute['type'] == 'domain': self.__summary_domain() if self.attribute['type'] == 'hostname': self.__summary_hostname() def __summary_ip(self): results = self.onyphe_client.summary_ip(self.attribute['value']) if 'results' in results: for r in results['results']: if 'domain' in r: domain = r['domain'] if type(domain) == list: for d in domain: self.__get_object_domain_ip(d, 'domain') elif type(domain) == str: self.__get_object_domain_ip(domain, 'domain') if 'hostname' in r: hostname = r['hostname'] if type(hostname) == list: for d in hostname: self.__get_object_domain_ip(d, 'domain') elif type(hostname) == str: self.__get_object_domain_ip(hostname, 'domain') if 'issuer' in r: self.__get_object_certificate(r) def __summary_domain(self): results = self.onyphe_client.summary_domain(self.attribute['value']) if 'results' in results: for r in results['results']: for domain in r.get('domain'): self.misp_event.add_attribute('domain', domain) for hostname in r.get('hostname'): self.misp_event.add_attribute('hostname', hostname) if 'ip' in r: if type(r['ip']) is str: self.__get_object_domain_ip(r['ip'], 'ip') if type(r['ip']) is list: for ip in r['ip']: self.__get_object_domain_ip(ip, 'ip') if 'issuer' in r: self.__get_object_certificate(r) def __summary_hostname(self): results = self.onyphe_client.summary_hostname(self.attribute['value']) if 'results' in results: for r in results['results']: if 'domain' in r: if type(r['domain']) is str: self.misp_event.add_attribute('domain', r['domain']) if type(r['domain']) is list: for domain in r['domain']: self.misp_event.add_attribute('domain', domain) if 'hostname' in r: if type(r['hostname']) is str: self.misp_event.add_attribute('hostname', r['hostname']) if type(r['hostname']) is list: for hostname in r['hostname']: self.misp_event.add_attribute('hostname', hostname) if 'ip' in r: if type(r['ip']) is str: self.__get_object_domain_ip(r['ip'], 'ip') if type(r['ip']) is list: for ip in r['ip']: self.__get_object_domain_ip(ip, 'ip') if 'issuer' in r: self.__get_object_certificate(r) if 'cve' in r: if type(r['cve']) is list: for cve in r['cve']: self.__get_object_cve(r, cve) def __get_object_certificate(self, r): object_certificate = MISPObject('x509') object_certificate.add_attribute('ip', self.attribute['value']) object_certificate.add_attribute('serial-number', r['serial']) object_certificate.add_attribute('x509-fingerprint-sha256', r['fingerprint']['sha256']) object_certificate.add_attribute('x509-fingerprint-sha1', r['fingerprint']['sha1']) object_certificate.add_attribute('x509-fingerprint-md5', r['fingerprint']['md5']) signature = r['signature']['algorithm'] value = '' if 'sha256' in signature and 'RSA' in signature: value = 'SHA256_WITH_RSA_ENCRYPTION' elif 'sha1' in signature and 'RSA' in signature: value = 'SHA1_WITH_RSA_ENCRYPTION' if value: object_certificate.add_attribute('signature_algorithm', value) object_certificate.add_attribute('pubkey-info-algorithm', r['publickey']['algorithm']) if 'exponent' in r['publickey']: object_certificate.add_attribute('pubkey-info-exponent', r['publickey']['exponent']) if 'length' in r['publickey']: object_certificate.add_attribute('pubkey-info-size', r['publickey']['length']) object_certificate.add_attribute('issuer', r['issuer']['commonname']) object_certificate.add_attribute('validity-not-before', r['validity']['notbefore']) object_certificate.add_attribute('validity-not-after', r['validity']['notbefore']) object_certificate.add_reference(self.attribute['uuid'], 'related-to') self.misp_event.add_object(object_certificate) def __get_object_domain_ip(self, obs, relation): objet_domain_ip = MISPObject('domain-ip') objet_domain_ip.add_attribute(relation, obs) relation_attr = self.__get_relation_attribute() if relation_attr: objet_domain_ip.add_attribute(relation_attr, self.attribute['value']) objet_domain_ip.add_reference(self.attribute['uuid'], 'related-to') self.misp_event.add_object(objet_domain_ip) def __get_relation_attribute(self): if self.attribute['type'] == 'ip-src': return 'ip' elif self.attribute['type'] == 'ip-dst': return 'ip' elif self.attribute['type'] == 'domain': return 'domain' elif self.attribute['type'] == 'hostname': return 'domain' def __get_object_cve(self, item, cve): attributes = [] object_cve = MISPObject('vulnerability') object_cve.add_attribute('id', cve) object_cve.add_attribute('state', 'Published') if type(item['ip']) is list: for ip in item['ip']: attributes.extend( list( filter(lambda x: x['value'] == ip, self.misp_event['Attribute']))) for obj in self.misp_event['Object']: attributes.extend( list( filter(lambda x: x['value'] == ip, obj['Attribute']))) if type(item['ip']) is str: for obj in self.misp_event['Object']: for att in obj['Attribute']: if att['value'] == item['ip']: object_cve.add_reference(obj['uuid'], 'cve') self.misp_event.add_object(object_cve)