c_meyer/KasperskyLab-TinyCheck
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Some modifications, still need tests and debug

Browse Source
This commit is contained in:
Félix Aime 2021-06-08 20:11:51 +02:00
parent e0c79fa5d6
commit 73ee7a280b
4 changed files with 45 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
assets/scheme.sql
View File

@ -18,13 +18,12 @@ CREATE TABLE "whitelist" (
PRIMARY KEY("id" AUTOINCREMENT)
);
CREATE TABLE "mispinstance" (
CREATE TABLE "misp" (
"id" INTEGER UNIQUE,
"name" TEXT,
"url" TEXT NOT NULL,
"apikey" TEXT NOT NULL,
"verifycert" INTEGER NOT NULL DEFAULT 0,
"source" TEXT NOT NULL,
"added_on" NUMERIC NOT NULL,
PRIMARY KEY("id" AUTOINCREMENT)
);

19
server/backend/app/blueprints/misp.py
View File

@ -13,7 +13,7 @@ misp = MISP()
@misp_bp.route('/add', methods=['POST'])
@require_header_token
def add():
def add_instance():
"""
Parse and add a MISP instance to the database.
:return: status of the operation in JSON
@ -21,31 +21,30 @@ def add():
data = json.loads(request.data)
instance = data["data"]["instance"]
source = "backend"
res = MISP.add(instance["name"], instance["url"],
instance["key"], instance["ssl"], source)
res = MISP.add_instance(instance["name"], instance["url"],
instance["key"], instance["ssl"])
return jsonify(res)
@misp_bp.route('/delete/<misp_id>', methods=['GET'])
@require_header_token
def delete(misp_id):
def delete_instance(misp_id):
"""
Delete a MISP instance by its id to the database.
:return: status of the operation in JSON
"""
res = MISP.delete(misp_id)
res = MISP.delete_instance(misp_id)
return jsonify(res)
@misp_bp.route('/get_all', methods=['GET'])
@require_header_token
# @require_header_token
def get_all():
"""
Retreive a list of all MISP instances.
:return: list of MISP instances in JSON.
"""
res = MISP.get_all()
res = MISP.get_instances()
return jsonify({"results": [i for i in res]})
@ -68,14 +67,14 @@ def get_iocs():
@misp_bp.route('/edit', methods=['POST'])
@require_header_token
def edit():
def edit_instance():
"""
Parse and edit the desired MISP instance.
:return: status of the operation in JSON
"""
data = json.loads(request.data)
instance = data["data"]["instance"]
res = MISP.edit(instance["id"],
res = MISP.edit_instance(instance["id"],
instance["name"],
instance["url"],
instance["apikey"],

75
server/backend/app/classes/misp.py
View File

@ -18,7 +18,7 @@ class MISP(object):
return None
@staticmethod
def add(misp_name, misp_url, misp_key, misp_verifycert):
def add_instance(misp_name, misp_url, misp_key, misp_verifycert):
"""
Parse and add a MISP instance to the database.
:return: status of the operation in JSON
@ -57,7 +57,7 @@ class MISP(object):
"message": "The MISP instance name can't be empty"}
@staticmethod
def edit(misp_id, misp_name, misp_url, misp_key, misp_verifycert):
def edit_instance(misp_id, misp_name, misp_url, misp_key, misp_verifycert):
"""
Parse and edit the desired MISP instance.
:return: status of the operation in JSON
@ -134,48 +134,39 @@ class MISP(object):
misp = MISPInst.query.get(int(misp_id))
if misp is not None:
if misp.url and misp.apikey:
try:
# Connect to MISP instance and get network activity attributes.
m = PyMISP(misp.url, misp.apikey, misp.verifycert)
r = m.search("attributes", category="Network activity")
# Connect to MISP instance and get network activity attributes.
m = PyMISP(misp.url, misp.apikey, misp.verifycert)
r = m.search("attributes", category="Network activity")
for attr in r["Attribute"]:
if attr["type"] in ["ip_dst", "domain", "snort", "x509-fingerprint-sha1"]:
for attr in r["Attribute"]:
if attr["type"] in ["ip-dst", "domain", "snort", "x509-fingerprint-sha1"]:
ioc = {"value": attr["value"],
"type": None,
"tag": "suspect",
"tlp": "white"}
ioc = {"value": attr["value"],
"type": None,
"tag": "suspect",
"tlp": "white"}
# Deduce the IOC type.
if re.match(defs["iocs_types"][0]["regex"], attr["value"]):
ioc["type"] = "ipv4addr"
elif re.match(defs["iocs_types"][1]["regex"], attr["value"]):
ioc["type"] = "ipv6addr"
elif re.match(defs["iocs_types"][3]["regex"], attr["value"]):
ioc["type"] = "domain"
elif re.match(defs["iocs_types"][4]["regex"], attr["value"]):
ioc["type"] = "sha1cert"
elif "alert " in attr["value"][0:5]:
ioc["type"] = "snort"
# Deduce the IOC type.
if re.match(defs["iocs_types"][0]["regex"], attr["value"]):
ioc["type"] = "ipv4addr"
elif re.match(defs["iocs_types"][1]["regex"], attr["value"]):
ioc["type"] = "ipv6addr"
elif re.match(defs["iocs_types"][3]["regex"], attr["value"]):
ioc["type"] = "domain"
elif re.match(defs["iocs_types"][4]["regex"], attr["value"]):
ioc["type"] = "sha1cert"
elif "alert " in attr["value"][0:6]:
ioc["type"] = "snort"
else:
continue
if "Tag" in attr:
for tag in attribute['Tag']:
# Add the TLP of the IOC.
tlp = re.search(r"^(?:tlp:)(red|green|amber|white)", tag['name'])
if tlp: ioc["tlp"] = tlp.group(1)
if "Tag" in attr:
for tag in attr["Tag"]:
# Add the TLP of the IOC.
tlp = re.search(r"^(?:tlp:)(red|green|amber|white)", tag['name'].lower())
if tlp: ioc["tlp"] = tlp.group(1)
# Add possible tag.
if lower(tag["name"]) in [t["tag"] for t in defs["iocs_tags"]]:
ioc["tag"] = lower(tag["name"])
yield ioc
except:
return {"status": False,
"message": "An exception has been raised: ", sys.exc_info()[0])}
pass
else:
return {"status": False,
"message": "The URL or API key is empty."}
else:
return {"status": False,
"message": "Unknown MISP instance."}
# Add possible tag.
if tag["name"].lower() in [t["tag"] for t in defs["iocs_tags"]]:
ioc["tag"] = tag["name"].lower()
yield ioc

4
server/backend/app/db/models.py
View File

@ -23,11 +23,11 @@ class MISPInst(db.Model):
def __init__(self, name, url, key, ssl, added_on):
self.name = name
self.url = url
self.authkey = key
self.apikey = key
self.verifycert = ssl
self.added_on = added_on
db.mapper(Whitelist, db.Table('whitelist', db.metadata, autoload=True))
db.mapper(Ioc, db.Table('iocs', db.metadata, autoload=True))
db.mapper(MISP, db.Table('misp', db.metadata, autoload=True))
db.mapper(MISPInst, db.Table('misp', db.metadata, autoload=True))