From 73ee7a280bb43d15e5541dd95e2f0a9f45b149ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix=20Aime?= Date: Tue, 8 Jun 2021 20:11:51 +0200 Subject: [PATCH] Some modifications, still need tests and debug --- assets/scheme.sql | 3 +- server/backend/app/blueprints/misp.py | 19 ++++--- server/backend/app/classes/misp.py | 75 ++++++++++++--------------- server/backend/app/db/models.py | 4 +- 4 files changed, 45 insertions(+), 56 deletions(-) diff --git a/assets/scheme.sql b/assets/scheme.sql index ec8e9d9..d51bdd9 100644 --- a/assets/scheme.sql +++ b/assets/scheme.sql @@ -18,13 +18,12 @@ CREATE TABLE "whitelist" ( PRIMARY KEY("id" AUTOINCREMENT) ); -CREATE TABLE "mispinstance" ( +CREATE TABLE "misp" ( "id" INTEGER UNIQUE, "name" TEXT, "url" TEXT NOT NULL, "apikey" TEXT NOT NULL, "verifycert" INTEGER NOT NULL DEFAULT 0, - "source" TEXT NOT NULL, "added_on" NUMERIC NOT NULL, PRIMARY KEY("id" AUTOINCREMENT) ); diff --git a/server/backend/app/blueprints/misp.py b/server/backend/app/blueprints/misp.py index 2f627fc..8686bb5 100644 --- a/server/backend/app/blueprints/misp.py +++ b/server/backend/app/blueprints/misp.py @@ -13,7 +13,7 @@ misp = MISP() @misp_bp.route('/add', methods=['POST']) @require_header_token -def add(): +def add_instance(): """ Parse and add a MISP instance to the database. :return: status of the operation in JSON 
@@ -21,31 +21,30 @@ def add(): data = json.loads(request.data) instance = data["data"]["instance"] - source = "backend" - res = MISP.add(instance["name"], instance["url"], - instance["key"], instance["ssl"], source) + res = MISP.add_instance(instance["name"], instance["url"], + instance["key"], instance["ssl"]) return jsonify(res) @misp_bp.route('/delete/', methods=['GET']) @require_header_token -def delete(misp_id): +def delete_instance(misp_id): """ Delete a MISP instance by its id to the database. :return: status of the operation in JSON """ - res = MISP.delete(misp_id) + res = MISP.delete_instance(misp_id) return jsonify(res) @misp_bp.route('/get_all', methods=['GET']) -@require_header_token +# @require_header_token def get_all(): """ Retreive a list of all MISP instances. :return: list of MISP instances in JSON. """ - res = MISP.get_all() + res = MISP.get_instances() return jsonify({"results": [i for i in res]}) @@ -68,14 +67,14 @@ def get_iocs(): @misp_bp.route('/edit', methods=['POST']) @require_header_token -def edit(): +def edit_instance(): """ Parse and edit the desired MISP instance. :return: status of the operation in JSON """ data = json.loads(request.data) instance = data["data"]["instance"] - res = MISP.edit(instance["id"], + res = MISP.edit_instance(instance["id"], instance["name"], instance["url"], instance["apikey"], diff --git a/server/backend/app/classes/misp.py b/server/backend/app/classes/misp.py index 4cf3cce..7634514 100644 --- a/server/backend/app/classes/misp.py +++ b/server/backend/app/classes/misp.py @@ -18,7 +18,7 @@ class MISP(object): return None @staticmethod - def add(misp_name, misp_url, misp_key, misp_verifycert): + def add_instance(misp_name, misp_url, misp_key, misp_verifycert): """ Parse and add a MISP instance to the database. :return: status of the operation in JSON 
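Review bot: Commenting out `@require_header_token` on `/get_all` leaves the instance listing reachable without the header token, and `get_instances()` presumably returns the stored `MISPInst` rows, which per models.py carry `apikey`, so the API keys of every configured MISP instance would be readable by anyone who can reach the backend. If the decorator was disabled for local testing, restore `@require_header_token` before merging, or at least have the route drop `apikey` from each result before `jsonify`. The `/delete/` route also reads as missing its `<misp_id>` path segment here, though that may be an artifact of how this patch was rendered rather than the code itself.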
@@ -57,7 +57,7 @@ class MISP(object): "message": "The MISP instance name can't be empty"} @staticmethod - def edit(misp_id, misp_name, misp_url, misp_key, misp_verifycert): + def edit_instance(misp_id, misp_name, misp_url, misp_key, misp_verifycert): """ Parse and edit the desired MISP instance. :return: status of the operation in JSON 
@@ -134,48 +134,39 @@ class MISP(object): misp = MISPInst.query.get(int(misp_id)) if misp is not None: if misp.url and misp.apikey: - try: - # Connect to MISP instance and get network activity attributes. - m = PyMISP(misp.url, misp.apikey, misp.verifycert) - r = m.search("attributes", category="Network activity") + # Connect to MISP instance and get network activity attributes. + m = PyMISP(misp.url, misp.apikey, misp.verifycert) + r = m.search("attributes", category="Network activity") - for attr in r["Attribute"]: - if attr["type"] in ["ip_dst", "domain", "snort", "x509-fingerprint-sha1"]: + for attr in r["Attribute"]: + if attr["type"] in ["ip-dst", "domain", "snort", "x509-fingerprint-sha1"]: - ioc = {"value": attr["value"], - "type": None, - "tag": "suspect", - "tlp": "white"} + ioc = {"value": attr["value"], + "type": None, + "tag": "suspect", + "tlp": "white"} - # Deduce the IOC type. - if re.match(defs["iocs_types"][0]["regex"], attr["value"]): - ioc["type"] = "ipv4addr" - elif re.match(defs["iocs_types"][1]["regex"], attr["value"]): - ioc["type"] = "ipv6addr" - elif re.match(defs["iocs_types"][3]["regex"], attr["value"]): - ioc["type"] = "domain" - elif re.match(defs["iocs_types"][4]["regex"], attr["value"]): - ioc["type"] = "sha1cert" - elif "alert " in attr["value"][0:5]: - ioc["type"] = "snort" + # Deduce the IOC type. + if re.match(defs["iocs_types"][0]["regex"], attr["value"]): + ioc["type"] = "ipv4addr" + elif re.match(defs["iocs_types"][1]["regex"], attr["value"]): + ioc["type"] = "ipv6addr" + elif re.match(defs["iocs_types"][3]["regex"], attr["value"]): + ioc["type"] = "domain" + elif re.match(defs["iocs_types"][4]["regex"], attr["value"]): + ioc["type"] = "sha1cert" + elif "alert " in attr["value"][0:6]: + ioc["type"] = "snort" + else: + continue - if "Tag" in attr: - for tag in attribute['Tag']: - # Add the TLP of the IOC. 
- tlp = re.search(r"^(?:tlp:)(red|green|amber|white)", tag['name']) - if tlp: ioc["tlp"] = tlp.group(1) + if "Tag" in attr: + for tag in attr["Tag"]: + # Add the TLP of the IOC. + tlp = re.search(r"^(?:tlp:)(red|green|amber|white)", tag['name'].lower()) + if tlp: ioc["tlp"] = tlp.group(1) - # Add possible tag. - if lower(tag["name"]) in [t["tag"] for t in defs["iocs_tags"]]: - ioc["tag"] = lower(tag["name"]) - yield ioc - except: - return {"status": False, - "message": "An exception has been raised: ", sys.exc_info()[0])} - pass - else: - return {"status": False, - "message": "The URL or API key is empty."} - else: - return {"status": False, - "message": "Unknown MISP instance."} + # Add possible tag. + if tag["name"].lower() in [t["tag"] for t in defs["iocs_tags"]]: + ioc["tag"] = tag["name"].lower() + yield ioc diff --git a/server/backend/app/db/models.py b/server/backend/app/db/models.py index c429da8..cfa33ae 100644 --- a/server/backend/app/db/models.py +++ b/server/backend/app/db/models.py @@ -23,11 +23,11 @@ class MISPInst(db.Model): def __init__(self, name, url, key, ssl, added_on): self.name = name self.url = url - self.authkey = key + self.apikey = key self.verifycert = ssl self.added_on = added_on db.mapper(Whitelist, db.Table('whitelist', db.metadata, autoload=True)) db.mapper(Ioc, db.Table('iocs', db.metadata, autoload=True)) -db.mapper(MISP, db.Table('misp', db.metadata, autoload=True)) +db.mapper(MISPInst, db.Table('misp', db.metadata, autoload=True))
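Review bot: Dropping the `try`/`except` and the two `else` branches changes how failures surface from this generator: a missing instance or an empty URL/API key now silently yields nothing, while a PyMISP connection error (or a response without an `Attribute` key) propagates as an exception from the first `next()`, i.e. inside the caller's iteration rather than at the call site. The old `return {...}` inside a generator never reached the caller either, so the removal is not a regression in itself, but the consumer (`get_iocs` in the blueprint, outside this hunk) must now catch the PyMISP exceptions and report `{"status": False, ...}` the way `add_instance`/`edit_instance` do; a comment such as `# Generator: PyMISP connection/API errors propagate to the consumer; the HTTP layer must handle them` would make that contract explicit. Two smaller points: `"alert " in attr["value"][0:6]` is clearer as `attr["value"].startswith("alert ")`, and `[t["tag"] for t in defs["iocs_tags"]]` is rebuilt for every tag of every attribute, so hoist it once before the loop as `known_tags = {t["tag"] for t in defs["iocs_tags"]}` and test `tag["name"].lower() in known_tags`. The enclosing function's signature starts above this hunk.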