Merge remote-tracking branch 'base/master'

Author: 8ear

Pipfile

@@ -18,7 +18,7 @@ pypdns = "*"
 pypssl = "*"
 pyeupi = "*"
 uwhois = {editable = true,git = "https://github.com/Rafiot/uwhoisd.git",ref = "testing",subdirectory = "client"}
-pymisp = {editable = true,extras = ["fileobjects,openioc,virustotal,pdfexport"],git = "https://github.com/MISP/PyMISP.git"}
+pymisp = {editable = true,extras = ["fileobjects,openioc,pdfexport"],git = "https://github.com/MISP/PyMISP.git"}
 pyonyphe = {editable = true,git = "https://github.com/sebdraven/pyonyphe"}
 pydnstrails = {editable = true,git = "https://github.com/sebdraven/pydnstrails"}
 pytesseract = "*"
@@ -60,6 +60,7 @@ geoip2 = "*"
 apiosintDS = "*"
 assemblyline_client = "*"
 vt-graph-api = "*"
+trustar = "*"
 
 [requires]
 python_version = "3"

Pipfile.lock

@@ -57,6 +57,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
 * [Lastline query](misp_modules/modules/expansion/lastline_query.py) - Query Lastline with the link to an analysis and parse the report.
 * [macaddress.io](misp_modules/modules/expansion/macaddress_io.py) - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from [MAC address Vendor Lookup](https://macaddress.io). See [integration tutorial here](https://macaddress.io/integrations/MISP-module).
 * [macvendors](misp_modules/modules/expansion/macvendors.py) - a hover module to retrieve mac vendor information.
+* [MALWAREbazaar](misp_modules/modules/expansion/malwarebazaar.py) - an expansion module to query MALWAREbazaar with some payload.
 * [ocr-enrich](misp_modules/modules/expansion/ocr_enrich.py) - an enrichment module to get OCRized data from images into MISP.
 * [ods-enrich](misp_modules/modules/expansion/ods_enrich.py) - an enrichment module to get text out of OpenOffice spreadsheet document into MISP (using free-text parser).
 * [odt-enrich](misp_modules/modules/expansion/odt_enrich.py) - an enrichment module to get text out of OpenOffice document into MISP (using free-text parser).

README.md

@@ -95,6 +95,7 @@ sparqlwrapper==1.8.5
 stix2-patterns==1.3.0
 tabulate==0.8.7
 tornado==6.0.4
+trustar==0.3.28
 url-normalize==1.4.1
 urlarchiver==0.2
 urllib3==1.25.8

REQUIREMENTS

@@ -715,6 +715,22 @@ Module to access Macvendors API.
 
 -----
 
+#### [malwarebazaar](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/malwarebazaar.py)
+
+Query the MALWAREbazaar API to get additional information about the input hash attribute.
+- **features**:
+>The module takes a hash attribute as input and queries MALWAREbazaar's API to fetch additional data about it. The result, if the payload is known on the databases, is at least one file object describing the file the input hash is related to.
+>
+>The module is using the new format of modules able to return object since the result is one or multiple MISP object(s).
+- **input**:
+>A hash attribute (md5, sha1 or sha256).
+- **output**:
+>File object(s) related to the input attribute found on MALWAREbazaar databases.
+- **references**:
+>https://bazaar.abuse.ch/
+
+-----
+
 #### [ocr-enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/ocr-enrich.py)
 
 Module to process some optical character recognition on pictures.
@@ -1168,6 +1184,35 @@ Module to get information from ThreatMiner.
 
 -----
 
+#### [trustar_enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/trustar_enrich.py)
+
+<img src=logos/trustar.png height=60>
+
+Module to get enrich indicators with TruSTAR.
+- **features**:
+>This module enriches MISP attributes with scoring and metadata from TruSTAR.
+>
+>The TruSTAR indicator summary is appended to the attributes along with links to any associated reports.
+- **input**:
+>Any of the following MISP attributes:
+>- btc
+>- domain
+>- email-src
+>- filename
+>- hostname
+>- ip-src
+>- ip-dst
+>- md5
+>- sha1
+>- sha256
+>- url
+- **output**:
+>MISP attributes enriched with indicator summary data from the TruSTAR API. Data includes a severity level score and additional source and scoring info.
+- **references**:
+>https://docs.trustar.co/api/v13/indicators/get_indicator_summaries.html
+
+-----
+
 #### [urlhaus](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/urlhaus.py)
 
 <img src=logos/urlhaus.png height=60>

doc/README.md

@@ -0,0 +1,8 @@
+{
+    "description": "Query the MALWAREbazaar API to get additional information about the input hash attribute.",
+    "requirements": [],
+    "input": "A hash attribute (md5, sha1 or sha256).",
+    "output": "File object(s) related to the input attribute found on MALWAREbazaar databases.",
+    "references": ["https://bazaar.abuse.ch/"],
+    "features": "The module takes a hash attribute as input and queries MALWAREbazaar's API to fetch additional data about it. The result, if the payload is known on the databases, is at least one file object describing the file the input hash is related to.\n\nThe module is using the new format of modules able to return object since the result is one or multiple MISP object(s)."
+}

doc/expansion/malwarebazaar.json

@@ -0,0 +1,8 @@
+{
+    "description": "Module to get enrich indicators with TruSTAR.",
+    "logo": "logos/trustar.png",
+    "input": "Any of the following MISP attributes:\n- btc\n- domain\n- email-src\n- filename\n- hostname\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- url",
+    "output": "MISP attributes enriched with indicator summary data from the TruSTAR API. Data includes a severity level score and additional source and scoring info.",
+    "references": ["https://docs.trustar.co/api/v13/indicators/get_indicator_summaries.html"],
+    "features": "This module enriches MISP attributes with scoring and metadata from TruSTAR.\n\nThe TruSTAR indicator summary is appended to the attributes along with links to any associated reports."
+}

doc/expansion/trustar_enrich.json

@@ -1,6 +1,7 @@
 from . import _vmray  # noqa
 import os
 import sys
+
 sys.path.append('{}/lib'.format('/'.join((os.path.realpath(__file__)).split('/')[:-3])))
 
 __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'circl_passivessl',
@@ -15,5 +16,6 @@
            'qrcode', 'ocr_enrich', 'pdf_enrich', 'docx_enrich', 'xlsx_enrich', 'pptx_enrich',
            'ods_enrich', 'odt_enrich', 'joesandbox_submit', 'joesandbox_query', 'urlhaus',
            'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails', 'apivoid',
-           'assemblyline_submit', 'assemblyline_query', 'ransomcoindb',
-           'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich']
+           'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', 'malwarebazaar',
+           'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich',
+           'trustar_enrich']

doc/logos/trustar.png

@@ -44,6 +44,10 @@ def parse(self):
             self.result = {'error': 'Not found'}
             return
 
+        if 'error' in results:
+            self.result = {'error': results['error']}
+            return
+
         for ip_address, certificates in results.items():
             ip_uuid = self._handle_ip_attribute(ip_address)
             for certificate in certificates['certificates']:

misp_modules/modules/expansion/__init__.py

@@ -0,0 +1,52 @@
+import json
+import requests
+from pymisp import MISPEvent, MISPObject
+
+mispattributes = {'input': ['md5', 'sha1', 'sha256'],
+                  'format': 'misp_standard'}
+moduleinfo = {'version': '0.1', 'author': 'Christian Studer',
+              'description': 'Query Malware Bazaar to get additional information about the input hash.',
+              'module-type': ['expansion', 'hover']}
+moduleconfig = []
+
+
+def parse_response(response):
+    mapping = {'file_name': {'type': 'filename', 'object_relation': 'filename'},
+               'file_size': {'type': 'size-in-bytes', 'object_relation': 'size-in-bytes'},
+               'file_type_mime': {'type': 'mime-type', 'object_relation': 'mimetype'},
+               'md5_hash': {'type': 'md5', 'object_relation': 'md5'},
+               'sha1_hash': {'type': 'sha1', 'object_relation': 'sha1'},
+               'sha256_hash': {'type': 'sha256', 'object_relation': 'sha256'},
+               'ssdeep': {'type': 'ssdeep', 'object_relation': 'ssdeep'}}
+    misp_event = MISPEvent()
+    for data in response:
+        misp_object = MISPObject('file')
+        for feature, attribute in mapping.items():
+            if feature in data:
+                misp_attribute = {'value': data[feature]}
+                misp_attribute.update(attribute)
+                misp_object.add_attribute(**misp_attribute)
+        misp_event.add_object(**misp_object)
+    return {'results': {'Object': [json.loads(misp_object.to_json()) for misp_object in misp_event.objects]}}
+
+
+def handler(q=False):
+    if q is False:
+        return False
+    request = json.loads(q)
+    attribute = request['attribute']
+    url = 'https://mb-api.abuse.ch/api/v1/'
+    response = requests.post(url, data={'query': 'get_info', 'hash': attribute['value']}).json()
+    query_status = response['query_status']
+    if query_status == 'ok':
+        return parse_response(response['data'])
+    return {'error': 'Hash not found on MALWAREbazzar' if query_status == 'hash_not_found' else f'Problem encountered during the query: {query_status}'}
+
+
+def introspection():
+    return mispattributes
+
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo

misp_modules/modules/expansion/circl_passivessl.py

@@ -88,18 +88,18 @@ def handler(q=False):
     else:
         misperrors['error'] = "Unsupported attributes type"
         return misperrors
-    listed = []
-    info = []
+    listeds = []
+    infos = []
     ipRev = '.'.join(ip.split('.')[::-1])
     for rbl in rbls:
         query = '{}.{}'.format(ipRev, rbl)
         try:
             txt = resolver.query(query, 'TXT')
-            listed.append(query)
-            info.append([str(t) for t in txt])
+            listeds.append(query)
+            infos.append([str(t) for t in txt])
         except Exception:
             continue
-    result = "\n".join(["{}: {}".format(l, "  -  ".join(i)) for l, i in zip(listed, info)])
+    result = "\n".join([f"{listed}: {'  -  '.join(info)}" for listed, info in zip(listeds, infos)])
     if not result:
         return {'error': 'No data found by querying known RBLs'}
     return {'results': [{'types': mispattributes.get('output'), 'values': result}]}

misp_modules/modules/expansion/malwarebazaar.py

@@ -12,7 +12,7 @@
 moduleinfo = {'version': '0.1', 'author': 'Christian Studer', 'module-type': ['expansion', 'hover'],
               'description': 'An expansion hover module to display the result of sigma queries.'}
 moduleconfig = []
-sigma_targets = ('es-dsl', 'es-qs', 'graylog', 'kibana', 'xpack-watcher', 'logpoint', 'splunk', 'grep', 'wdatp', 'splunkxml', 'arcsight', 'qualys')
+sigma_targets = ('es-dsl', 'es-qs', 'graylog', 'kibana', 'xpack-watcher', 'logpoint', 'splunk', 'grep', 'mdatp', 'splunkxml', 'arcsight', 'qualys')
 
 
 def handler(q=False):

misp_modules/modules/expansion/rbl.py

@@ -0,0 +1,133 @@
+import json
+import pymisp
+from pymisp import MISPAttribute, MISPEvent, MISPObject
+from trustar import TruStar
+
+misperrors = {'error': "Error"}
+mispattributes = {
+    'input': ["btc", "domain", "email-src", "filename", "hostname", "ip-src", "ip-dst", "malware-type", "md5", "sha1",
+              "sha256", "url"], 'format': 'misp_standard'}
+
+moduleinfo = {'version': "0.1", 'author': "Jesse Hedden",
+              'description': "Enrich data with TruSTAR",
+              'module-type': ["hover", "expansion"]}
+
+moduleconfig = ["user_api_key", "user_api_secret", "enclave_ids"]
+
+MAX_PAGE_SIZE = 100  # Max allowable page size returned from /1.3/indicators/summaries endpoint
+
+
+class TruSTARParser:
+    ENTITY_TYPE_MAPPINGS = {
+        'BITCOIN_ADDRESS': "btc",
+        'CIDR_BLOCK': "ip-src",
+        'CVE': "vulnerability",
+        'URL': "url",
+        'EMAIL_ADDRESS': "email-src",
+        'SOFTWARE': "filename",
+        'IP': "ip-src",
+        'MALWARE': "malware-type",
+        'MD5': "md5",
+        'REGISTRY_KEY': "regkey",
+        'SHA1': "sha1",
+        'SHA256': "sha256"
+    }
+
+    REPORT_BASE_URL = "https://station.trustar.co/constellation/reports/{}"
+
+    CLIENT_METATAG = "MISP-{}".format(pymisp.__version__)
+
+    def __init__(self, attribute, config):
+        config['enclave_ids'] = config.get('enclave_ids', "").strip().split(',')
+        config['client_metatag'] = self.CLIENT_METATAG
+        self.ts_client = TruStar(config=config)
+
+        self.misp_event = MISPEvent()
+        self.misp_attribute = MISPAttribute()
+        self.misp_attribute.from_dict(**attribute)
+        self.misp_event.add_attribute(**self.misp_attribute)
+
+    def get_results(self):
+        """
+        Returns the MISP Event enriched with TruSTAR indicator summary data.
+        """
+        event = json.loads(self.misp_event.to_json())
+        results = {key: event[key] for key in ('Attribute', 'Object') if (key in event and event[key])}
+        return {'results': results}
+
+    def generate_trustar_links(self, entity_value):
+        """
+        Generates links to TruSTAR reports if they exist.
+
+        :param entity_value: <str> Value of entity.
+        """
+        report_links = list()
+        trustar_reports = self.ts_client.search_reports(entity_value)
+        for report in trustar_reports:
+            report_links.append(self.REPORT_BASE_URL.format(report.id))
+
+        return report_links
+
+    def parse_indicator_summary(self, summaries):
+        """
+        Converts a response from the TruSTAR /1.3/indicators/summaries endpoint
+        a MISP trustar_report object and adds the summary data and links as attributes.
+
+        :param summaries: <generator> A TruSTAR Python SDK Page.generator object for generating
+                          indicator summaries pages.
+        """
+
+        for summary in summaries:
+            trustar_obj = MISPObject('trustar_report')
+            indicator_type = summary.indicator_type
+            indicator_value = summary.value
+            if indicator_type in self.ENTITY_TYPE_MAPPINGS:
+                trustar_obj.add_attribute(indicator_type, attribute_type=self.ENTITY_TYPE_MAPPINGS[indicator_type],
+                                          value=indicator_value)
+                trustar_obj.add_attribute("INDICATOR_SUMMARY", attribute_type="text",
+                                          value=json.dumps(summary.to_dict(), sort_keys=True, indent=4))
+                report_links = self.generate_trustar_links(indicator_value)
+                for link in report_links:
+                    trustar_obj.add_attribute("REPORT_LINK", attribute_type="link", value=link)
+                self.misp_event.add_object(**trustar_obj)
+
+
+def handler(q=False):
+    """
+    MISP handler function. A user's API key and secret will be retrieved from the MISP
+    request and used to create a TruSTAR API client. If enclave IDs are provided, only
+    those enclaves will be queried for data. Otherwise, all of the enclaves a user has
+    access to will be queried.
+    """
+
+    if q is False:
+        return False
+
+    request = json.loads(q)
+
+    config = request.get('config', {})
+    if not config.get('user_api_key') or not config.get('user_api_secret'):
+        misperrors['error'] = "Your TruSTAR API key and secret are required for indicator enrichment."
+        return misperrors
+
+    attribute = request['attribute']
+    trustar_parser = TruSTARParser(attribute, config)
+
+    try:
+        summaries = list(
+            trustar_parser.ts_client.get_indicator_summaries([attribute['value']], page_size=MAX_PAGE_SIZE))
+    except Exception as e:
+        misperrors['error'] = "Unable to retrieve TruSTAR summary data: {}".format(e)
+        return misperrors
+
+    trustar_parser.parse_indicator_summary(summaries)
+    return trustar_parser.get_results()
+
+
+def introspection():
+    return mispattributes
+
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo

misp_modules/modules/expansion/sigma_queries.py

@@ -244,11 +244,11 @@ def __any_mandatory_misp_field(header):
 
 
 def __special_parsing(data, delimiter):
-    return list(tuple(l.strip() for l in line[0].split(delimiter)) for line in csv.reader(io.TextIOWrapper(io.BytesIO(data.encode()), encoding='utf-8')) if line and not line[0].startswith('#'))
+    return list(tuple(part.strip() for part in line[0].split(delimiter)) for line in csv.reader(io.TextIOWrapper(io.BytesIO(data.encode()), encoding='utf-8')) if line and not line[0].startswith('#'))
 
 
 def __standard_parsing(data):
-    return list(tuple(l.strip() for l in line) for line in csv.reader(io.TextIOWrapper(io.BytesIO(data.encode()), encoding='utf-8')) if line and not line[0].startswith('#'))
+    return list(tuple(part.strip() for part in line) for line in csv.reader(io.TextIOWrapper(io.BytesIO(data.encode()), encoding='utf-8')) if line and not line[0].startswith('#'))
 
 
 def handler(q=False):

misp_modules/modules/expansion/trustar_enrich.py

@@ -99,7 +99,7 @@ def handler(q=False):
             results = process_analysis_json(json.loads(data.decode('utf-8')))
         except ValueError:
             log.warning('MISP modules {0} failed: uploaded file is not a zip or json file.'.format(request['module']))
-            return {'error': 'Uploaded file is not a zip or json file.'.format(request['module'])}
+            return {'error': 'Uploaded file is not a zip or json file.'}
             pass
     # keep only unique entries based on the value field
     results = list({v['values']: v for v in results}.values())