forked from MISP/misp-modules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
intel471.py
executable file
·61 lines (49 loc) · 2.08 KB
/
intel471.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
import json
from pyintel471 import PyIntel471
misperrors = {'error': 'Error'}
mispattributes = {'input': ['hostname', 'domain', 'url', 'ip-src', 'ip-dst', 'email-src',
'email-dst', 'target-email', 'whois-registrant-email',
'whois-registrant-name', 'md5', 'sha1', 'sha256'], 'output': ['freetext']}
moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot', 'description': 'Module to access Intel 471',
'module-type': ['hover', 'expansion']}
moduleconfig = ['email', 'authkey']
def cleanup(response):
'''The entries have uids that will be recognised as hashes when they shouldn't'''
j = response.json()
if j['iocTotalCount'] == 0:
return 'Nothing has been found.'
for ioc in j['iocs']:
ioc.pop('uid')
if ioc['links']['actorTotalCount'] > 0:
for actor in ioc['links']['actors']:
actor.pop('uid')
if ioc['links']['reportTotalCount'] > 0:
for report in ioc['links']['reports']:
report.pop('uid')
return json.dumps(j, indent=2)
def handler(q=False):
if q is False:
return False
request = json.loads(q)
for input_type in mispattributes['input']:
if input_type in request:
to_query = request[input_type]
break
else:
misperrors['error'] = "Unsupported attributes type"
return misperrors
if (request.get('config')):
if (request['config'].get('email') is None) or (request['config'].get('authkey') is None):
misperrors['error'] = 'Intel 471 authentication is missing'
return misperrors
intel471 = PyIntel471(email=request['config'].get('email'), authkey=request['config'].get('authkey'))
ioc_filters = intel471.iocs_filters(ioc=to_query)
res = intel471.iocs(filters=ioc_filters)
to_return = cleanup(res)
r = {'results': [{'types': mispattributes['output'], 'values': to_return}]}
return r
def introspection():
return mispattributes
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo