MISP/SkillAegis
MISP/SkillAegis
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

new: [backend:exercies] Added equals_any comparison operator and improved scamcall

Browse source
This commit is contained in:
Sami Mokaddem 2024-07-02 12:13:41 +02:00
parent bbfba0d6e4
commit 618b417715
3 changed files with 7 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
exercise.py
View file

@ -217,7 +217,7 @@ def get_model_action(data: dict):
def is_accepted_query(data: dict) -> bool: def is_accepted_query(data: dict) -> bool:
model, action = get_model_action(data) model, action = get_model_action(data)
if model in ['Event', 'Attribute', 'Object', 'Tag',]: if model in ['Event', 'Attribute', 'Object', 'Tag',]:
if action in ['add', 'edit', 'delete', 'publish']: if action in ['add', 'edit', 'delete', 'publish', 'tag']:
# # improved condition below. It blocks some queries # # improved condition below. It blocks some queries
# if data['Log']['change'].startswith('attribute_count'): # if data['Log']['change'].startswith('attribute_count'):
# return False # return False

8
exercises/scam-call-encoding.json
View file

@ -169,7 +169,7 @@
"inject_uuid": "4c242d49-fcf7-4c76-974b-6d5983c0eff9", "inject_uuid": "4c242d49-fcf7-4c76-974b-6d5983c0eff9",
"reporting_callback": [], "reporting_callback": [],
"requirements": { "requirements": {
"inject_uuid": "" "inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
}, },
"sequence": { "sequence": {
"completion_trigger": [ "completion_trigger": [
@ -340,7 +340,7 @@
} }
}, },
{ {
".Event.Object[].Attribute[] | select((.type == \"domain\")).value": { ".Event.Object[].Attribute[] | select((.type == \"domain\") or (.type == \"hostname\")).value": {
"extract_type": "all", "extract_type": "all",
"comparison": "equals", "comparison": "equals",
"values": [ "values": [
@ -454,8 +454,8 @@
} }
}, },
{ {
".Event.Object[] | select((.name == \"domain-ip\")).distribution": { ".Event.Object[] | select((.name == \"person\")).distribution": {
"comparison": "contains", "comparison": "equals_any",
"values": [ "values": [
"0", "0",
"1", "1",

2
inject_evaluator.py
View file

@ -46,6 +46,8 @@ def eval_condition_str(evaluation_config: dict, data_to_validate: str) -> bool:
return len(intersection) == len(values_set) return len(intersection) == len(values_set)
elif comparison_type == 'equals': elif comparison_type == 'equals':
return data_to_validate == values[0] return data_to_validate == values[0]
elif comparison_type == 'equals_any':
return data_to_validate in values
elif comparison_type == 'regex': elif comparison_type == 'regex':
return re.fullmatch(values[0], data_to_validate) return re.fullmatch(values[0], data_to_validate)
elif comparison_type == 'count': elif comparison_type == 'count':