forked from MISP/misp-modules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
threatfox.py
63 lines (48 loc) · 2.1 KB
/
threatfox.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# -*- coding: utf-8 -*-
import requests
import json
misperrors = {'error': 'Error'}
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'domain', 'url', 'email-src', 'ip-dst|port', 'ip-src|port'], 'output': ['text']}
moduleinfo = {'version': '0.1', 'author': 'Corsin Camichel', 'description': 'Module to search for an IOC on ThreatFox by abuse.ch.', 'module-type': ['hover', 'expansion']}
moduleconfig = []
API_URL = "https://threatfox-api.abuse.ch/api/v1/"
# copied from
# https://github.com/marjatech/threatfox2misp/blob/main/threatfox2misp.py
def confidence_level_to_tag(level: int) -> str:
confidence_tagging = {
0: 'misp:confidence-level="unconfident"',
10: 'misp:confidence-level="rarely-confident"',
37: 'misp:confidence-level="fairly-confident"',
63: 'misp:confidence-level="usually-confident"',
90: 'misp:confidence-level="completely-confident"',
}
confidence_tag = ""
for tag_minvalue, tag in confidence_tagging.items():
if level >= tag_minvalue:
confidence_tag = tag
return confidence_tag
def handler(q=False):
if q is False:
return False
request = json.loads(q)
ret_val = ""
for input_type in mispattributes['input']:
if input_type in request:
to_query = request[input_type]
break
else:
misperrors['error'] = "Unsupported attributes type:"
return misperrors
data = {"query": "search_ioc", "search_term": f"{to_query}"}
response = requests.post(API_URL, data=json.dumps(data))
if response.status_code == 200:
result = json.loads(response.text)
if(result["query_status"] == "ok"):
confidence_tag = confidence_level_to_tag(result["data"][0]["confidence_level"])
ret_val = {'results': [{'types': mispattributes['output'], 'values': [result["data"][0]["threat_type_desc"]], 'tags': [result["data"][0]["malware"], result["data"][0]["malware_printable"], confidence_tag]}]}
return ret_val
def introspection():
return mispattributes
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo