示例#1
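    def create_attr(self, raw_attr: dict) -> MISPAttribute:
        """Build a MISP ``url`` attribute from one URLhaus feed record.

        Args:
            raw_attr: One feed row. Reads the keys ``url``, ``dateadded``,
                ``tags``, ``url_status``, ``reporter`` and ``urlhaus_link``.

        Returns:
            The populated attribute, tagged ``URLhaus`` plus any feed tags,
            the URL status and the reporter.

        Raises:
            KeyError: If a key read here is missing from ``raw_attr``.
            ValueError: If ``dateadded`` is not ``%Y-%m-%d %H:%M:%S``.
        """
        # Create attribute and assign simple values
        attr = MISPAttribute()
        attr.type = 'url'
        attr.value = raw_attr['url']
        attr.disable_correlation = False
        # NOTE(review): the parsed timestamp is naive (no tzinfo). If the feed
        # publishes UTC, attach the timezone explicitly - confirm against the feed.
        attr.first_seen = datetime.strptime(raw_attr['dateadded'], '%Y-%m-%d %H:%M:%S')

        # Add URLhaus tag
        self.add_tag_to_attribute(attr, 'URLhaus')

        # Add other tags. The column can be NaN like the other optional
        # columns below; NaN is truthy, so a plain truthiness test would fall
        # through to .split() on a float.
        # NOTE(review): tag and reporter strings come straight from the
        # external feed; whether add_tag_to_attribute validates them is not
        # visible here - confirm before trusting them as tag names.
        feed_tags = raw_attr['tags']
        if not pandas.isna(feed_tags) and feed_tags:
            for tag in feed_tags.split(','):
                tag = tag.strip()
                if tag:  # skip empty fragments such as "a,,b"
                    self.add_tag_to_attribute(attr, tag)

        # Add online/offline tag
        url_status = raw_attr['url_status']
        if not pandas.isna(url_status):
            # to_ids marks the attribute for automated detection export, so
            # only URLs the feed reports as live are flagged. When the status
            # is missing, to_ids is left at whatever MISPAttribute defaults to.
            attr.to_ids = url_status == 'online'
            self.add_tag_to_attribute(attr, url_status)

        # Add reporter tag
        if not pandas.isna(raw_attr['reporter']):
            self.add_tag_to_attribute(attr, raw_attr['reporter'])

        attr.comment = raw_attr['urlhaus_link']
        return attr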
示例#2
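 def create_attr_azorult(self, raw_attr: dict) -> list:
     """Build MISP attributes from one Azorult tracker record.

     One attribute is produced for each of ``domain``, ``ip`` and
     ``panel_index`` that is present in the record; they map to the MISP
     types ``domain``, ``ip-dst`` and ``url`` respectively.

     Args:
         raw_attr: One tracker record. ``panel_version``, ``feeder``,
             ``status`` and ``first_seen`` are read whenever at least one
             of the indicator keys is present.

     Returns:
         A list of MISPAttribute objects (possibly empty). The original
         annotation named a single MISPAttribute, but a list has always
         been returned.

     Raises:
         KeyError: If an indicator key is present but one of the
             metadata keys above is missing.
     """
     # (record key, MISP attribute type); order fixes the output order.
     field_map = (
         ('domain', 'domain'),
         ('ip', 'ip-dst'),
         ('panel_index', 'url'),
     )
     attr_list = []
     for json_key, misp_type in field_map:
         if json_key not in raw_attr:
             continue
         attr = MISPAttribute()
         self.add_tag_to_attribute(attr, 'AzorultTracker')
         # NOTE(review): these three tag values are feed-supplied strings;
         # whether add_tag_to_attribute validates them is not visible here.
         self.add_tag_to_attribute(attr, raw_attr['panel_version'])
         self.add_tag_to_attribute(attr, raw_attr['feeder'])
         self.add_tag_to_attribute(attr, raw_attr['status'])
         attr.comment = f'Azorult panel {misp_type}'
         # fromtimestamp() without a tz argument yields naive local time.
         attr.first_seen = datetime.fromtimestamp(raw_attr['first_seen'])
         # Panel indicators are recorded but not flagged for detection export.
         attr.to_ids = False
         attr.disable_correlation = False
         attr.type = misp_type
         attr.value = f"{raw_attr[json_key]}"
         attr_list.append(attr)
     return attr_list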
示例#3
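 def create_attr_feodo(self, raw_attr: dict) -> MISPAttribute:
     """Build a MISP ``ip-dst|port`` attribute from one Feodo tracker record.

     Args:
         raw_attr: One feed row. Reads the keys ``DstIP``, ``DstPort``,
             ``Malware``, ``Firstseen`` and ``LastOnline``.

     Returns:
         The populated attribute, tagged ``FeodoTracker`` and with the
         malware family, with ``first_seen`` and ``last_seen`` both set
         as UTC-aware datetimes.

     Raises:
         KeyError: If a key read here is missing from ``raw_attr``.
         ValueError: If a timestamp does not match its expected format.
     """
     attr = MISPAttribute()
     attr.type = 'ip-dst|port'
     attr.value = f"{raw_attr['DstIP']}|{raw_attr['DstPort']}"
     self.add_tag_to_attribute(attr, 'FeodoTracker')
     # NOTE(review): the malware family name is a feed-supplied string;
     # whether add_tag_to_attribute validates it is not visible here.
     self.add_tag_to_attribute(attr, raw_attr['Malware'])
     attr.comment = 'Feodo tracker DST IP/port'

     # Parse Firstseen once, as UTC, and use that same value for first_seen
     # and for the last_seen ordering check. Previously first_seen was stored
     # naive while last_seen was UTC-aware, so the two could disagree
     # depending on how MISPAttribute resolves naive datetimes
     # (presumably as host-local time - confirm against pymisp).
     first_seen_time = datetime.strptime(
         str(raw_attr['Firstseen']), '%Y-%m-%d %H:%M:%S'
     ).replace(tzinfo=pytz.utc)
     attr.first_seen = first_seen_time

     # Without a LastOnline value, last_seen falls back to first_seen.
     last_seen_time = first_seen_time
     if not pandas.isna(raw_attr['LastOnline']):
         last_online = datetime.strptime(
             str(raw_attr['LastOnline']), '%Y-%m-%d'
         ).replace(tzinfo=pytz.utc)
         if first_seen_time > last_online:
             # LastOnline is date-only (midnight), so a same-day sighting
             # sorts before Firstseen; keep last_seen strictly after it.
             last_seen_time = first_seen_time + timedelta(seconds=1)
         else:
             last_seen_time = last_online
     attr.last_seen = last_seen_time

     # Recorded for context only: not flagged for detection export.
     attr.to_ids = False
     attr.disable_correlation = False
     return attr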