#!/usr/bin/env python
import io
import json
import requests
from cortexutils.analyzer import Analyzer
from cortexutils.extractor import Extractor
from glob import glob
from os.path import exists
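class MISPWarninglistsAnalyzer(Analyzer):
    """
    This analyzer compares given data to the MISP warning lists obtainable via
    https://github.com/MISP/misp-warninglists.

    Configuration options are:
    ```
    MISPWarningLists {
    path = "/path/to/misp-warninglists/repository" # Default: "misp-warninglists"
    }
    ```

    Notes for operators:

    - ``path`` comes from the analyzer configuration, i.e. it is trusted
      operator input; every ``lists/*/*.json`` file below it is parsed at
      start-up.
    - Every run performs one outbound HTTPS request to api.github.com to tell
      whether the local checkout is current. Unauthenticated GitHub API calls
      are rate-limited per source IP, and an egress-restricted deployment
      cannot reach the API at all; in either case the lists are merely flagged
      "Outdated" (``is_uptodate`` is False) -- the match results themselves do
      not depend on the remote call.
    """

    def __init__(self):
        Analyzer.__init__(self)
        self.data = self.get_data()
        self.path = self.get_param('config.path', 'misp-warninglists')
        if not exists(self.path):
            # self.error() is cortexutils' failure path; presumably it emits the
            # error report and terminates the analyzer -- TODO confirm it does
            # not return (if it did, the glob below would simply yield nothing).
            self.error('Path to misp-warninglists does not exist.')
        self.warninglists = self.readwarninglists()

    def readwarninglists(self):
        """Load every warning list found under ``<path>/lists/*/*.json``.

        Returns a list of dicts, one per file, each holding the list ``name``,
        its ``values`` and the data type the Extractor assigned to each value
        (``dataTypes`` is index-aligned with ``values``).

        The list files are UTF-8 JSON, so the encoding is pinned rather than
        left to the process locale. A file that is not valid JSON is reported
        through ``self.error`` together with its path instead of escaping
        ``__init__`` as an anonymous traceback.
        """
        listcontent = []
        for filename in glob('{}/lists/*/*.json'.format(self.path)):
            with io.open(filename, 'r', encoding='utf-8') as fh:
                try:
                    content = json.load(fh)
                except ValueError as e:
                    self.error('Could not parse warninglist {}: {}'.format(filename, e))
                    continue
            values = Extractor().check_iterable(content.get('list', []))
            listcontent.append({
                "name": content.get('name', 'Unknown'),
                "values": [value['value'] for value in values],
                "dataTypes": [value['type'] for value in values]
            })
        return listcontent

    def lastlocalcommit(self):
        """Return the commit hash ``master`` points at in the local checkout.

        The loose ref file ``.git/refs/heads/master`` is read first; after
        ``git gc`` git may have packed the refs and the loose file is gone,
        so ``.git/packed-refs`` (lines of ``<sha> <refname>``) is consulted as
        a fallback. Any failure yields an ``'Error: ...'`` string rather than
        an exception, because the caller only compares the result for
        equality with the remote hash.
        """
        ref = 'refs/heads/master'
        loose_ref = '{}/.git/{}'.format(self.path, ref)
        try:
            if exists(loose_ref):
                with io.open(loose_ref, 'r') as fh:
                    return fh.read().strip()
            with io.open('{}/.git/packed-refs'.format(self.path), 'r') as fh:
                for line in fh:
                    # Skip the "# pack-refs with: ..." header and "^<sha>"
                    # peeled-tag lines: only "<sha> <refname>" pairs qualify.
                    parts = line.split()
                    if len(parts) == 2 and parts[1] == ref:
                        return parts[0]
            raise IOError('{} not found in loose or packed refs'.format(ref))
        except Exception as e:
            return 'Error: could not get local commit hash ({}).'.format(e)

    @staticmethod
    def lastremotecommit():
        """Return the head commit hash of ``master`` on GitHub.

        A bounded timeout keeps a stalled connection from hanging the
        analyzer indefinitely, and ``raise_for_status`` turns rate-limit or
        other HTTP failures into a descriptive error string (previously a
        403 body without a ``commit`` key surfaced only as a KeyError). Any
        failure is returned as an ``'Error: ...'`` string, never raised.
        """
        url = 'https://api.github.com/repos/misp/misp-warninglists/branches/master'
        try:
            response = requests.get(url, timeout=10)
            response.raise_for_status()
            return response.json()['commit']['sha']
        except Exception as e:
            return 'Error: could not get remote commit hash ({}).'.format(e)

    def run(self):
        """Match the observable against every list accepting its data type.

        A list is consulted only if the observable's ``data_type`` is among
        the types the Extractor assigned to that list's values; a hit records
        the list name. The report also carries ``is_uptodate``, the equality
        of the local and remote ``master`` commit hashes.
        """
        results = []
        for warninglist in self.warninglists:
            if self.data_type not in warninglist.get('dataTypes', []):
                continue
            if self.data in warninglist.get('values', []):
                results.append({
                    "name": warninglist.get('name')
                })
        self.report({
            "results": results,
            "is_uptodate": self.lastlocalcommit() == self.lastremotecommit()
        })

    def summary(self, raw):
        """Build the short taxonomy shown in the job summary from ``raw``.

        One entry states whether any list matched ('Potential fp' vs
        'No hits'); a second 'Outdated' entry is added whenever the report
        did not establish that the local lists match the remote head.
        """
        if raw.get('results'):
            taxonomies = [self.build_taxonomy('suspicious', 'MISP', 'Warninglists', 'Potential fp')]
        else:
            taxonomies = [self.build_taxonomy('info', 'MISP', 'Warninglists', 'No hits')]
        if not raw.get('is_uptodate', False):
            taxonomies.append(self.build_taxonomy('info', 'MISP', 'Warninglists', 'Outdated'))
        return {
            "taxonomies": taxonomies
        }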
if __name__ == '__main__':
    # Cortex invokes the script directly; construct the analyzer and run it.
    analyzer = MISPWarninglistsAnalyzer()
    analyzer.run()