Some modifications, still need tests and debug

This commit is contained in:
Félix Aime 2021-06-08 20:11:51 +02:00
parent e0c79fa5d6
commit 73ee7a280b
4 changed files with 45 additions and 56 deletions


@ -18,13 +18,12 @@ CREATE TABLE "whitelist" (
PRIMARY KEY("id" AUTOINCREMENT) PRIMARY KEY("id" AUTOINCREMENT)
); );
CREATE TABLE "mispinstance" ( CREATE TABLE "misp" (
"id" INTEGER UNIQUE, "id" INTEGER UNIQUE,
"name" TEXT, "name" TEXT,
"url" TEXT NOT NULL, "url" TEXT NOT NULL,
"apikey" TEXT NOT NULL, "apikey" TEXT NOT NULL,
"verifycert" INTEGER NOT NULL DEFAULT 0, "verifycert" INTEGER NOT NULL DEFAULT 0,
"source" TEXT NOT NULL,
"added_on" NUMERIC NOT NULL, "added_on" NUMERIC NOT NULL,
PRIMARY KEY("id" AUTOINCREMENT) PRIMARY KEY("id" AUTOINCREMENT)
); );
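Review bot: The renamed `misp` table keeps `"verifycert" INTEGER NOT NULL DEFAULT 0`, so any row inserted without that column is stored as "do not verify the server certificate"; the MISP class passes this column straight into `PyMISP(misp.url, misp.apikey, misp.verifycert)` in the third file of this commit, where 0 presumably disables TLS verification for the connection that carries `apikey`. A safer schema default is `"verifycert" INTEGER NOT NULL DEFAULT 1`, with the UI or API still able to opt out explicitly. The `apikey` column is stored in clear text as before; the commit does not change that, but a comment on the table stating that the file holds live MISP credentials would help whoever decides its on-disk permissions.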


@ -13,7 +13,7 @@ misp = MISP()
@misp_bp.route('/add', methods=['POST']) @misp_bp.route('/add', methods=['POST'])
@require_header_token @require_header_token
def add(): def add_instance():
""" """
Parse and add a MISP instance to the database. Parse and add a MISP instance to the database.
:return: status of the operation in JSON :return: status of the operation in JSON
@ -21,31 +21,30 @@ def add():
data = json.loads(request.data) data = json.loads(request.data)
instance = data["data"]["instance"] instance = data["data"]["instance"]
source = "backend" res = MISP.add_instance(instance["name"], instance["url"],
res = MISP.add(instance["name"], instance["url"], instance["key"], instance["ssl"])
instance["key"], instance["ssl"], source)
return jsonify(res) return jsonify(res)
@misp_bp.route('/delete/<misp_id>', methods=['GET']) @misp_bp.route('/delete/<misp_id>', methods=['GET'])
@require_header_token @require_header_token
def delete(misp_id): def delete_instance(misp_id):
""" """
Delete a MISP instance by its id to the database. Delete a MISP instance by its id to the database.
:return: status of the operation in JSON :return: status of the operation in JSON
""" """
res = MISP.delete(misp_id) res = MISP.delete_instance(misp_id)
return jsonify(res) return jsonify(res)
@misp_bp.route('/get_all', methods=['GET']) @misp_bp.route('/get_all', methods=['GET'])
@require_header_token # @require_header_token
def get_all(): def get_all():
""" """
Retreive a list of all MISP instances. Retreive a list of all MISP instances.
:return: list of MISP instances in JSON. :return: list of MISP instances in JSON.
""" """
res = MISP.get_all() res = MISP.get_instances()
return jsonify({"results": [i for i in res]}) return jsonify({"results": [i for i in res]})
@ -68,14 +67,14 @@ def get_iocs():
@misp_bp.route('/edit', methods=['POST']) @misp_bp.route('/edit', methods=['POST'])
@require_header_token @require_header_token
def edit(): def edit_instance():
""" """
Parse and edit the desired MISP instance. Parse and edit the desired MISP instance.
:return: status of the operation in JSON :return: status of the operation in JSON
""" """
data = json.loads(request.data) data = json.loads(request.data)
instance = data["data"]["instance"] instance = data["data"]["instance"]
res = MISP.edit(instance["id"], res = MISP.edit_instance(instance["id"],
instance["name"], instance["name"],
instance["url"], instance["url"],
instance["apikey"], instance["apikey"],
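Review bot: The new side of the second hunk comments out the token check on `/get_all` (`# @require_header_token`) while `add_instance`, `delete_instance` and `edit_instance` keep it, so the list of configured MISP instances becomes readable without authentication. Whether `MISP.get_instances()` serialises the `apikey` and `url` columns is not visible here, but the schema in this commit stores both on the same table, so the endpoint should stay behind the decorator: restore `@require_header_token` on the line above `def get_all():`. Given the commit message ("still need tests and debug") this looks like a temporary debugging edit; if it must land, a `# TODO(auth): re-enable before release` next to it would at least make the gap visible. The `edit_instance` body continues past the end of the hunk.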


@ -18,7 +18,7 @@ class MISP(object):
return None return None
@staticmethod @staticmethod
def add(misp_name, misp_url, misp_key, misp_verifycert): def add_instance(misp_name, misp_url, misp_key, misp_verifycert):
""" """
Parse and add a MISP instance to the database. Parse and add a MISP instance to the database.
:return: status of the operation in JSON :return: status of the operation in JSON
@ -57,7 +57,7 @@ class MISP(object):
"message": "The MISP instance name can't be empty"} "message": "The MISP instance name can't be empty"}
@staticmethod @staticmethod
def edit(misp_id, misp_name, misp_url, misp_key, misp_verifycert): def edit_instance(misp_id, misp_name, misp_url, misp_key, misp_verifycert):
""" """
Parse and edit the desired MISP instance. Parse and edit the desired MISP instance.
:return: status of the operation in JSON :return: status of the operation in JSON
@ -134,48 +134,39 @@ class MISP(object):
misp = MISPInst.query.get(int(misp_id)) misp = MISPInst.query.get(int(misp_id))
if misp is not None: if misp is not None:
if misp.url and misp.apikey: if misp.url and misp.apikey:
try: # Connect to MISP instance and get network activity attributes.
# Connect to MISP instance and get network activity attributes. m = PyMISP(misp.url, misp.apikey, misp.verifycert)
m = PyMISP(misp.url, misp.apikey, misp.verifycert) r = m.search("attributes", category="Network activity")
r = m.search("attributes", category="Network activity")
for attr in r["Attribute"]: for attr in r["Attribute"]:
if attr["type"] in ["ip_dst", "domain", "snort", "x509-fingerprint-sha1"]: if attr["type"] in ["ip-dst", "domain", "snort", "x509-fingerprint-sha1"]:
ioc = {"value": attr["value"], ioc = {"value": attr["value"],
"type": None, "type": None,
"tag": "suspect", "tag": "suspect",
"tlp": "white"} "tlp": "white"}
# Deduce the IOC type. # Deduce the IOC type.
if re.match(defs["iocs_types"][0]["regex"], attr["value"]): if re.match(defs["iocs_types"][0]["regex"], attr["value"]):
ioc["type"] = "ipv4addr" ioc["type"] = "ipv4addr"
elif re.match(defs["iocs_types"][1]["regex"], attr["value"]): elif re.match(defs["iocs_types"][1]["regex"], attr["value"]):
ioc["type"] = "ipv6addr" ioc["type"] = "ipv6addr"
elif re.match(defs["iocs_types"][3]["regex"], attr["value"]): elif re.match(defs["iocs_types"][3]["regex"], attr["value"]):
ioc["type"] = "domain" ioc["type"] = "domain"
elif re.match(defs["iocs_types"][4]["regex"], attr["value"]): elif re.match(defs["iocs_types"][4]["regex"], attr["value"]):
ioc["type"] = "sha1cert" ioc["type"] = "sha1cert"
elif "alert " in attr["value"][0:5]: elif "alert " in attr["value"][0:6]:
ioc["type"] = "snort" ioc["type"] = "snort"
else:
continue
if "Tag" in attr: if "Tag" in attr:
for tag in attribute['Tag']: for tag in attr["Tag"]:
# Add the TLP of the IOC. # Add the TLP of the IOC.
tlp = re.search(r"^(?:tlp:)(red|green|amber|white)", tag['name']) tlp = re.search(r"^(?:tlp:)(red|green|amber|white)", tag['name'].lower())
if tlp: ioc["tlp"] = tlp.group(1) if tlp: ioc["tlp"] = tlp.group(1)
# Add possible tag. # Add possible tag.
if lower(tag["name"]) in [t["tag"] for t in defs["iocs_tags"]]: if tag["name"].lower() in [t["tag"] for t in defs["iocs_tags"]]:
ioc["tag"] = lower(tag["name"]) ioc["tag"] = tag["name"].lower()
yield ioc yield ioc
except:
return {"status": False,
"message": "An exception has been raised: ", sys.exc_info()[0])}
pass
else:
return {"status": False,
"message": "The URL or API key is empty."}
else:
return {"status": False,
"message": "Unknown MISP instance."}
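Review bot: With the `try`/`except` removed in the third hunk, a failing `PyMISP(...)` construction or `m.search(...)` (unreachable host, bad key, TLS failure) now propagates out of the generator while the caller is iterating it, so the `/get_iocs` route presumably answers with a 500 instead of an empty result. Dropping the old handler was right on its own terms — the old `except:` was bare, its return dict contained a syntax error on the `sys.exc_info()` line, and a `return value` inside a generator is swallowed by `StopIteration` anyway — but the commit leaves nothing in its place; the same reasoning applies to the removed "URL or API key is empty" and "Unknown MISP instance" branches, which should simply end the generator. I would wrap only the two PyMISP calls, log the failure, and `return` so the generator yields nothing for that instance. The `get_iocs` definition starts above the hunk, so the exact indentation below is assumed.
```python
            # Connect to MISP instance and get network activity attributes.
            try:
                m = PyMISP(misp.url, misp.apikey, misp.verifycert)
                r = m.search("attributes", category="Network activity")
            except Exception as err:
                # PyMISP raises its own exception types; narrow this once the
                # dependency version is pinned. Log with the module's logger
                # (not visible in the hunk) — do not echo misp.apikey.
                return
            # … unchanged: attribute loop, type deduction, tag/TLP handling …
```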


@ -23,11 +23,11 @@ class MISPInst(db.Model):
def __init__(self, name, url, key, ssl, added_on): def __init__(self, name, url, key, ssl, added_on):
self.name = name self.name = name
self.url = url self.url = url
self.authkey = key self.apikey = key
self.verifycert = ssl self.verifycert = ssl
self.added_on = added_on self.added_on = added_on
db.mapper(Whitelist, db.Table('whitelist', db.metadata, autoload=True)) db.mapper(Whitelist, db.Table('whitelist', db.metadata, autoload=True))
db.mapper(Ioc, db.Table('iocs', db.metadata, autoload=True)) db.mapper(Ioc, db.Table('iocs', db.metadata, autoload=True))
db.mapper(MISP, db.Table('misp', db.metadata, autoload=True)) db.mapper(MISPInst, db.Table('misp', db.metadata, autoload=True))