chg: [add MISP import] correlation
TODO: create correlation
This commit is contained in:
parent
73f98c0897
commit
6bbcef024b
5 changed files with 109 additions and 123 deletions
|
@ -67,7 +67,7 @@ def unpack_item_obj(map_uuid_global_id, misp_obj):
|
||||||
res = Item.create_item(obj_id, obj_meta, io_content)
|
res = Item.create_item(obj_id, obj_meta, io_content)
|
||||||
print(res)
|
print(res)
|
||||||
|
|
||||||
map_uuid_global_id[misp_obj.uuid] = get_global_id('item', obj_id, io_content)
|
map_uuid_global_id[misp_obj.uuid] = get_global_id('item', obj_id)
|
||||||
|
|
||||||
def get_obj_relationship(misp_obj):
|
def get_obj_relationship(misp_obj):
|
||||||
for item in misp_obj.ObjectReference:
|
for item in misp_obj.ObjectReference:
|
||||||
|
@ -87,29 +87,33 @@ def unpack_obj_pgp(map_uuid_global_id, misp_obj):
|
||||||
elif obj_attr.object_relation == 'user-id-email':
|
elif obj_attr.object_relation == 'user-id-email':
|
||||||
obj_subtype = 'mail'
|
obj_subtype = 'mail'
|
||||||
|
|
||||||
|
if obj_id and obj_subtype:
|
||||||
obj_meta = get_object_metadata(misp_obj)
|
obj_meta = get_object_metadata(misp_obj)
|
||||||
if obj_id and io_content:
|
res = Pgp.pgp.create_correlation(obj_subtype, obj_id, obj_meta)
|
||||||
res = Pgp.pgp.create_item(obj_subtype, obj_id, obj_meta)
|
|
||||||
print(res)
|
print(res)
|
||||||
|
|
||||||
map_uuid_global_id[misp_obj.uuid] = get_global_id('pgp', obj_id, obj_subtype=obj_subtype)
|
map_uuid_global_id[misp_obj.uuid] = get_global_id('pgp', obj_id, obj_subtype=obj_subtype)
|
||||||
|
|
||||||
get_obj_relationship(misp_obj)
|
#get_obj_relationship(misp_obj)
|
||||||
|
|
||||||
def unpack_obj_cryptocurrency(map_uuid_global_id, misp_obj):
|
def unpack_obj_cryptocurrency(map_uuid_global_id, misp_obj):
|
||||||
obj_id = None
|
obj_id = None
|
||||||
crypto_symbol = None
|
obj_subtype = None
|
||||||
for attribute in misp_obj.attributes:
|
for attribute in misp_obj.attributes:
|
||||||
if attribute.object_relation == 'address':
|
if attribute.object_relation == 'address': # # TODO: handle xmr address field
|
||||||
obj_id = attribute.value
|
obj_id = attribute.value
|
||||||
elif attribute.object_relation == 'symbol':
|
elif attribute.object_relation == 'symbol':
|
||||||
pass
|
obj_subtype = Cryptocurrency.get_cryptocurrency_type(attribute.value)
|
||||||
|
|
||||||
|
|
||||||
|
# valid cryptocurrency type
|
||||||
|
if obj_subtype and obj_id:
|
||||||
|
print('crypto')
|
||||||
|
print(obj_id)
|
||||||
|
print(obj_subtype)
|
||||||
|
|
||||||
obj_meta = get_object_metadata(misp_obj)
|
obj_meta = get_object_metadata(misp_obj)
|
||||||
if obj_id and io_content:
|
print(obj_meta)
|
||||||
res = Pgp.pgp.create_item(obj_subtype, obj_id, obj_meta)
|
res = Cryptocurrency.cryptocurrency.create_correlation(obj_subtype, obj_id, obj_meta)
|
||||||
print(res)
|
print(res)
|
||||||
|
|
||||||
map_uuid_global_id[misp_obj.uuid] = get_global_id('pgp', obj_id, obj_subtype=obj_subtype)
|
map_uuid_global_id[misp_obj.uuid] = get_global_id('pgp', obj_id, obj_subtype=obj_subtype)
|
||||||
|
@ -155,4 +159,5 @@ if __name__ == '__main__':
|
||||||
|
|
||||||
# misp = PyMISP('https://127.0.0.1:8443/', 'uXgcN42b7xuL88XqK5hubwD8Q8596VrrBvkHQzB0', False)
|
# misp = PyMISP('https://127.0.0.1:8443/', 'uXgcN42b7xuL88XqK5hubwD8Q8596VrrBvkHQzB0', False)
|
||||||
|
|
||||||
import_objs_from_file('test_import_item.json')
|
#import_objs_from_file('test_import_item.json')
|
||||||
|
import_objs_from_file('test_export.json')
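Review bot: The new `map_uuid_global_id[misp_obj.uuid] = get_global_id('pgp', obj_id, obj_subtype=obj_subtype)` at the end of `unpack_obj_cryptocurrency` registers the cryptocurrency object under the `pgp` type, so any later relationship lookup for that MISP UUID will resolve to a PGP object instead; it should read `get_global_id('cryptocurrency', obj_id, obj_subtype=obj_subtype)` (the function may continue past the end of the hunk). The `symbol` attribute is normalised through `Cryptocurrency.get_cryptocurrency_type`, but the `address` value is taken verbatim from the imported MISP object and passed to `create_correlation` as `obj_id`, where it becomes part of a Redis key; if the project has an address validator for the subtype, applying it here would stop a malformed or hostile import from creating arbitrary keys (I cannot see one from this diff). The four debug `print` calls in that branch (`'crypto'`, `obj_id`, `obj_subtype`, `obj_meta`) look like leftovers and spill every imported address to stdout. Unrelated to this change but in the same file, the commented-out `PyMISP('https://127.0.0.1:8443/', 'uXgc…', False)` line in the `__main__` block carries what looks like an API key; even as a comment it belongs in configuration, and the key should be rotated if it was ever live.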
|
||||||
|
|
|
@ -9,7 +9,6 @@ from hashlib import sha256
|
||||||
|
|
||||||
sys.path.append(os.path.join(os.environ['AIL_BIN'], 'packages'))
|
sys.path.append(os.path.join(os.environ['AIL_BIN'], 'packages'))
|
||||||
import correlation
|
import correlation
|
||||||
import Item
|
|
||||||
|
|
||||||
sys.path.append(os.path.join(os.environ['AIL_BIN'], 'lib/'))
|
sys.path.append(os.path.join(os.environ['AIL_BIN'], 'lib/'))
|
||||||
import ConfigLoader
|
import ConfigLoader
|
||||||
|
@ -56,39 +55,6 @@ def get_cryptocurrency(request_dict, cryptocurrency_type):
|
||||||
|
|
||||||
return cryptocurrency.get_correlation(request_dict, cryptocurrency_type, field_name)
|
return cryptocurrency.get_correlation(request_dict, cryptocurrency_type, field_name)
|
||||||
|
|
||||||
# # TODO: refractor/move me in Correlation
|
|
||||||
def save_cryptocurrency_data(cryptocurrency_name, date, item_path, cryptocurrency_address):
|
|
||||||
# create basic medata
|
|
||||||
if not r_serv_metadata.exists('cryptocurrency_metadata_{}:{}'.format(cryptocurrency_name, cryptocurrency_address)):
|
|
||||||
r_serv_metadata.hset('cryptocurrency_metadata_{}:{}'.format(cryptocurrency_name, cryptocurrency_address), 'first_seen', date)
|
|
||||||
r_serv_metadata.hset('cryptocurrency_metadata_{}:{}'.format(cryptocurrency_name, cryptocurrency_address), 'last_seen', date)
|
|
||||||
else:
|
|
||||||
last_seen = r_serv_metadata.hget('cryptocurrency_metadata_{}:{}'.format(cryptocurrency_name, cryptocurrency_address), 'last_seen')
|
|
||||||
if not last_seen:
|
|
||||||
r_serv_metadata.hset('cryptocurrency_metadata_{}:{}'.format(cryptocurrency_name, cryptocurrency_address), 'last_seen', date)
|
|
||||||
else:
|
|
||||||
if int(last_seen) < int(date):
|
|
||||||
r_serv_metadata.hset('cryptocurrency_metadata_{}:{}'.format(cryptocurrency_name, cryptocurrency_address), 'last_seen', date)
|
|
||||||
|
|
||||||
## global set
|
|
||||||
# item
|
|
||||||
r_serv_metadata.sadd('set_cryptocurrency_{}:{}'.format(cryptocurrency_name, cryptocurrency_address), item_path)
|
|
||||||
|
|
||||||
# daily
|
|
||||||
r_serv_metadata.hincrby('cryptocurrency:{}:{}'.format(cryptocurrency_name, date), cryptocurrency_address, 1)
|
|
||||||
|
|
||||||
# all type
|
|
||||||
r_serv_metadata.zincrby('cryptocurrency_all:{}'.format(cryptocurrency_name), cryptocurrency_address, 1)
|
|
||||||
|
|
||||||
## object_metadata
|
|
||||||
# item
|
|
||||||
r_serv_metadata.sadd('item_cryptocurrency_{}:{}'.format(cryptocurrency_name, item_path), cryptocurrency_address)
|
|
||||||
|
|
||||||
# domain
|
|
||||||
if Item.is_crawled(item_path): # # TODO: use save_domain_correlation
|
|
||||||
domain = Item.get_item_domain(item_path)
|
|
||||||
r_serv_metadata.sadd('domain_cryptocurrency_{}:{}'.format(cryptocurrency_name, domain), cryptocurrency_address)
|
|
||||||
r_serv_metadata.sadd('set_domain_cryptocurrency_{}:{}'.format(cryptocurrency_name, cryptocurrency_address), domain)
|
|
||||||
|
|
||||||
def get_cryptocurrency_symbol(crypto_type):
|
def get_cryptocurrency_symbol(crypto_type):
|
||||||
if crypto_type=='bitcoin':
|
if crypto_type=='bitcoin':
|
||||||
|
|
|
@ -129,15 +129,32 @@ def validate_str_date(str_date, separator=''):
|
||||||
except TypeError:
|
except TypeError:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def sanitise_date_range(date_from, date_to, separator=''):
|
def sanitise_date_range(date_from, date_to, separator='', date_type='str'):
|
||||||
'''
|
'''
|
||||||
Check/Return a correct date_form and date_to
|
Check/Return a correct date_form and date_to
|
||||||
'''
|
'''
|
||||||
|
if not date_from and date_to:
|
||||||
|
date_from = date_to
|
||||||
|
elif not date_to and date_from:
|
||||||
|
date_to = date_from
|
||||||
|
|
||||||
|
if date_type=='str':
|
||||||
if not validate_str_date(date_from, separator=separator):
|
if not validate_str_date(date_from, separator=separator):
|
||||||
date_from = datetime.date.today().strftime("%Y%m%d")
|
date_from = datetime.date.today().strftime("%Y%m%d")
|
||||||
if not validate_str_date(date_to, separator=separator):
|
if not validate_str_date(date_to, separator=separator):
|
||||||
date_to = datetime.date.today().strftime("%Y%m%d")
|
date_to = datetime.date.today().strftime("%Y%m%d")
|
||||||
|
else: # datetime
|
||||||
|
if isinstance(date_from, datetime.datetime):
|
||||||
|
date_from = date_from.strftime("%Y%m%d")
|
||||||
|
else:
|
||||||
|
date_from = datetime.date.today().strftime("%Y%m%d")
|
||||||
|
if isinstance(date_to, datetime.datetime):
|
||||||
|
date_to = date_to.strftime("%Y%m%d")
|
||||||
|
else:
|
||||||
|
date_to = datetime.date.today().strftime("%Y%m%d")
|
||||||
|
|
||||||
if int(date_from) > int(date_to):
|
if int(date_from) > int(date_to):
|
||||||
|
res = date_from
|
||||||
date_from = date_to
|
date_from = date_to
|
||||||
|
date_to = res
|
||||||
return {"date_from": date_from, "date_to": date_to}
|
return {"date_from": date_from, "date_to": date_to}
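Review bot: In the new `datetime` branch of `sanitise_date_range`, `isinstance(date_from, datetime.datetime)` does not match a plain `datetime.date`, so a `date` value is silently replaced by today; since `datetime.datetime` subclasses `datetime.date`, `isinstance(date_from, datetime.date)` (and likewise for `date_to`) accepts both. The branch is also reached for any `date_type` other than `'str'`, not only `'datetime'`, so a typo in the caller's argument silently changes the parsing path; an explicit `elif date_type == 'datetime':` with a `raise ValueError(...)` fallthrough would surface that. The today-fallback means a correlation imported with an unparseable first_seen/last_seen gets today's date recorded as fact rather than being rejected, which is worth at least a log line so the stored range is not misleading. Minor: the temporary `res` swap can be `date_from, date_to = date_to, date_from`, and the docstring's `date_form` is a typo for `date_from`.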
|
||||||
|
|
|
@ -7,7 +7,6 @@ import redis
|
||||||
|
|
||||||
sys.path.append(os.path.join(os.environ['AIL_BIN'], 'packages'))
|
sys.path.append(os.path.join(os.environ['AIL_BIN'], 'packages'))
|
||||||
import correlation
|
import correlation
|
||||||
import Item
|
|
||||||
|
|
||||||
sys.path.append(os.path.join(os.environ['AIL_BIN'], 'lib/'))
|
sys.path.append(os.path.join(os.environ['AIL_BIN'], 'lib/'))
|
||||||
import ConfigLoader
|
import ConfigLoader
|
||||||
|
@ -27,36 +26,3 @@ def get_pgp(request_dict, pgp_type):
|
||||||
field_name = request_dict.get(pgp_type)
|
field_name = request_dict.get(pgp_type)
|
||||||
|
|
||||||
return pgpdump.get_correlation(request_dict, pgp_type, field_name)
|
return pgpdump.get_correlation(request_dict, pgp_type, field_name)
|
||||||
|
|
||||||
def save_pgp_data(type_pgp, date, item_path, data):
|
|
||||||
# create basic medata
|
|
||||||
if not serv_metadata.exists('pgpdump_metadata_{}:{}'.format(type_pgp, data)):
|
|
||||||
serv_metadata.hset('pgpdump_metadata_{}:{}'.format(type_pgp, data), 'first_seen', date)
|
|
||||||
serv_metadata.hset('pgpdump_metadata_{}:{}'.format(type_pgp, data), 'last_seen', date)
|
|
||||||
else:
|
|
||||||
last_seen = serv_metadata.hget('pgpdump_metadata_{}:{}'.format(type_pgp, data), 'last_seen')
|
|
||||||
if not last_seen:
|
|
||||||
serv_metadata.hset('pgpdump_metadata_{}:{}'.format(type_pgp, data), 'last_seen', date)
|
|
||||||
else:
|
|
||||||
if int(last_seen) < int(date):
|
|
||||||
serv_metadata.hset('pgpdump_metadata_{}:{}'.format(type_pgp, data), 'last_seen', date)
|
|
||||||
|
|
||||||
# global set
|
|
||||||
serv_metadata.sadd('set_pgpdump_{}:{}'.format(type_pgp, data), item_path)
|
|
||||||
|
|
||||||
# daily
|
|
||||||
serv_metadata.hincrby('pgpdump:{}:{}'.format(type_pgp, date), data, 1)
|
|
||||||
|
|
||||||
# all type
|
|
||||||
serv_metadata.zincrby('pgpdump_all:{}'.format(type_pgp), data, 1)
|
|
||||||
|
|
||||||
## object_metadata
|
|
||||||
# paste
|
|
||||||
serv_metadata.sadd('item_pgpdump_{}:{}'.format(type_pgp, item_path), data)
|
|
||||||
|
|
||||||
|
|
||||||
# domain object
|
|
||||||
if Item.is_crawled(item_path):
|
|
||||||
domain = Item.get_item_domain(item_path)
|
|
||||||
serv_metadata.sadd('domain_pgpdump_{}:{}'.format(type_pgp, domain), data)
|
|
||||||
serv_metadata.sadd('set_domain_pgpdump_{}:{}'.format(type_pgp, data), domain)
|
|
||||||
|
|
|
@ -10,6 +10,8 @@ import ConfigLoader
|
||||||
|
|
||||||
sys.path.append(os.path.join(os.environ['AIL_BIN'], 'packages/'))
|
sys.path.append(os.path.join(os.environ['AIL_BIN'], 'packages/'))
|
||||||
import Date
|
import Date
|
||||||
|
import Item
|
||||||
|
import Tag
|
||||||
|
|
||||||
config_loader = ConfigLoader.ConfigLoader()
|
config_loader = ConfigLoader.ConfigLoader()
|
||||||
r_serv_metadata = config_loader.get_redis_conn("ARDB_Metadata")
|
r_serv_metadata = config_loader.get_redis_conn("ARDB_Metadata")
|
||||||
|
@ -47,11 +49,31 @@ class Correlation(object):
|
||||||
else:
|
else:
|
||||||
return []
|
return []
|
||||||
|
|
||||||
def _get_metadata(self, correlation_type, field_name):
|
def get_correlation_first_seen(self, subtype, obj_id, r_int=False):
|
||||||
|
res = r_serv_metadata.hget('{}_metadata_{}:{}'.format(self.correlation_name, subtype, obj_id), 'first_seen')
|
||||||
|
if r_int:
|
||||||
|
if res:
|
||||||
|
return int(res)
|
||||||
|
else:
|
||||||
|
return 99999999
|
||||||
|
else:
|
||||||
|
return res
|
||||||
|
|
||||||
|
def get_correlation_last_seen(self, subtype, obj_id, r_int=False):
|
||||||
|
res = r_serv_metadata.hget('{}_metadata_{}:{}'.format(self.correlation_name, subtype, obj_id), 'last_seen')
|
||||||
|
if r_int:
|
||||||
|
if res:
|
||||||
|
return int(res)
|
||||||
|
else:
|
||||||
|
return 0
|
||||||
|
else:
|
||||||
|
return res
|
||||||
|
|
||||||
|
def _get_metadata(self, subtype, obj_id):
|
||||||
meta_dict = {}
|
meta_dict = {}
|
||||||
meta_dict['first_seen'] = r_serv_metadata.hget('{}_metadata_{}:{}'.format(self.correlation_name, correlation_type, field_name), 'first_seen')
|
meta_dict['first_seen'] = self.get_correlation_first_seen(subtype, obj_id)
|
||||||
meta_dict['last_seen'] = r_serv_metadata.hget('{}_metadata_{}:{}'.format(self.correlation_name, correlation_type, field_name), 'last_seen')
|
meta_dict['last_seen'] = self.get_correlation_last_seen(subtype, obj_id)
|
||||||
meta_dict['nb_seen'] = r_serv_metadata.scard('set_{}_{}:{}'.format(self.correlation_name, correlation_type, field_name))
|
meta_dict['nb_seen'] = r_serv_metadata.scard('set_{}_{}:{}'.format(self.correlation_name, subtype, obj_id))
|
||||||
return meta_dict
|
return meta_dict
|
||||||
|
|
||||||
def get_metadata(self, correlation_type, field_name, date_format='str_date'):
|
def get_metadata(self, correlation_type, field_name, date_format='str_date'):
|
||||||
|
@ -276,17 +298,18 @@ class Correlation(object):
|
||||||
correlation_obj[correlation_object] = res
|
correlation_obj[correlation_object] = res
|
||||||
return correlation_obj
|
return correlation_obj
|
||||||
|
|
||||||
def update_correlation_daterange(self, subtype, obj_id, date): # # TODO: update fisrt_seen
|
def update_correlation_daterange(self, subtype, obj_id, date):
|
||||||
|
date = int(date)
|
||||||
# obj_id don't exit
|
# obj_id don't exit
|
||||||
if not r_serv_metadata.exists('{}_metadata_{}:{}'.format(self.correlation_name, subtype, obj_id)):
|
if not r_serv_metadata.exists('{}_metadata_{}:{}'.format(self.correlation_name, subtype, obj_id)):
|
||||||
r_serv_metadata.hset('{}_metadata_{}:{}'.format(self.correlation_name, subtype, obj_id), 'first_seen', date)
|
r_serv_metadata.hset('{}_metadata_{}:{}'.format(self.correlation_name, subtype, obj_id), 'first_seen', date)
|
||||||
r_serv_metadata.hset('{}_metadata_{}:{}'.format(self.correlation_name, subtype, obj_id), 'last_seen', date)
|
r_serv_metadata.hset('{}_metadata_{}:{}'.format(self.correlation_name, subtype, obj_id), 'last_seen', date)
|
||||||
else:
|
else:
|
||||||
last_seen = r_serv_metadata.hget('{}_metadata_{}:{}'.format(self.correlation_name, subtype, obj_id), 'last_seen')
|
first_seen = self.get_correlation_last_seen(subtype, obj_id, r_int=True)
|
||||||
if not last_seen:
|
last_seen = self.get_correlation_first_seen(subtype, obj_id, r_int=True)
|
||||||
r_serv_metadata.hset('{}_metadata_{}:{}'.format(self.correlation_name, subtype, obj_id), 'last_seen', date)
|
if date < first_seen:
|
||||||
else:
|
r_serv_metadata.hset('{}_metadata_{}:{}'.format(self.correlation_name, subtype, obj_id), 'first_seen', date)
|
||||||
if int(last_seen) < int(date):
|
if date > last_seen:
|
||||||
r_serv_metadata.hset('{}_metadata_{}:{}'.format(self.correlation_name, subtype, obj_id), 'last_seen', date)
|
r_serv_metadata.hset('{}_metadata_{}:{}'.format(self.correlation_name, subtype, obj_id), 'last_seen', date)
|
||||||
|
|
||||||
def save_item_correlation(self, subtype, date, obj_id, item_id, item_date):
|
def save_item_correlation(self, subtype, date, obj_id, item_id, item_date):
|
||||||
|
@ -305,28 +328,37 @@ class Correlation(object):
|
||||||
# item
|
# item
|
||||||
r_serv_metadata.sadd('item_{}_{}:{}'.format(self.correlation_name, subtype, item_id), obj_id)
|
r_serv_metadata.sadd('item_{}_{}:{}'.format(self.correlation_name, subtype, item_id), obj_id)
|
||||||
|
|
||||||
def save_domain_correlation(self, domain, correlation_type, correlation_value):
|
# domain
|
||||||
r_serv_metadata.sadd('domain_{}_{}:{}'.format(self.correlation_name, correlation_type, domain), correlation_value)
|
if Item.is_crawled(item_id):
|
||||||
r_serv_metadata.sadd('set_domain_{}_{}:{}'.format(self.correlation_name, correlation_type, correlation_value), domain)
|
domain = Item.get_item_domain(item_id)
|
||||||
|
self.save_domain_correlation(domain, subtype, obj_id)
|
||||||
|
|
||||||
|
def save_domain_correlation(self, domain, subtype, obj_id):
|
||||||
|
r_serv_metadata.sadd('domain_{}_{}:{}'.format(self.correlation_name, subtype, domain), obj_id)
|
||||||
|
r_serv_metadata.sadd('set_domain_{}_{}:{}'.format(self.correlation_name, subtype, obj_id), domain)
|
||||||
|
|
||||||
|
|
||||||
def save_correlation(self, subtype, obj_id): # # TODO: add first_seen/last_seen
|
def save_correlation(self, subtype, obj_id, date_range):
|
||||||
r_serv_metadata.zincrby('{}_all:{}'.format(self.correlation_name, subtype), obj_id, 0)
|
r_serv_metadata.zincrby('{}_all:{}'.format(self.correlation_name, subtype), obj_id, 0)
|
||||||
|
self.update_correlation_daterange(subtype, obj_id, date_range['date_from'])
|
||||||
|
if date_range['date_from'] != date_range['date_to']:
|
||||||
|
self.update_correlation_daterange(subtype, obj_id, date_range['date_to'])
|
||||||
|
return True
|
||||||
|
|
||||||
def create_correlation(self, subtype, obj_id, obj_meta):
|
def create_correlation(self, subtype, obj_id, obj_meta):
|
||||||
res = self.sanythise_correlation_types(correlation_type, r_boolean=True)
|
res = self.sanythise_correlation_types([subtype], r_boolean=True)
|
||||||
if not res:
|
if not res:
|
||||||
print('invalid subtype')
|
print('invalid subtype')
|
||||||
return False
|
return False
|
||||||
|
first_seen = obj_meta.get('first_seen', None)
|
||||||
if not exist_correlation(subtype, obj_id):
|
last_seen = obj_meta.get('last_seen', None)
|
||||||
res = save_correlation(subtype, obj_id)
|
date_range = Date.sanitise_date_range(first_seen, last_seen, separator='', date_type='datetime')
|
||||||
if res:
|
print(date_range)
|
||||||
if 'tags' in obj_metadata:
|
res = self.save_correlation(subtype, obj_id, date_range)
|
||||||
|
if res and 'tags' in obj_meta:
|
||||||
# # TODO: handle mixed tags: taxonomies and Galaxies
|
# # TODO: handle mixed tags: taxonomies and Galaxies
|
||||||
Tag.api_add_obj_tags(tags=obj_metadata['tags'], object_id=obj_id, object_type=self.get_correlation_obj_type())
|
Tag.api_add_obj_tags(tags=obj_meta['tags'], object_id=obj_id, object_type=self.get_correlation_obj_type())
|
||||||
return True
|
return True
|
||||||
return False
|
|
||||||
|
|
||||||
######## API EXPOSED ########
|
######## API EXPOSED ########
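Review bot: In `update_correlation_daterange`, the two getters on the existing-object path are crossed — `first_seen = self.get_correlation_last_seen(...)` and `last_seen = self.get_correlation_first_seen(...)` — so `first_seen` is only lowered when the date is below the stored last_seen and `last_seen` is only raised when above the stored first_seen, and with the getters' missing-field defaults (0 and 99999999) neither update can ever fire on an object whose fields are absent. The fix is to swap the two calls: `first_seen = self.get_correlation_first_seen(subtype, obj_id, r_int=True)` and `last_seen = self.get_correlation_last_seen(subtype, obj_id, r_int=True)`. In `create_correlation`, `subtype` is checked through `sanythise_correlation_types` but `obj_id` is written straight into the `{}_metadata_{}:{}` and `{}_all:{}` keys; on the MISP import path it comes from the imported file, so validating `obj_id` here or at the caller is worth adding unless an upstream check exists that this diff does not show. The `print(date_range)` and `print('invalid subtype')` calls are debug output; a logger call or a returned error would match the method's boolean contract better.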
|
||||||
|
|
||||||
|
|