NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commit35587fa

committed

IOC`s fix mapping and hash types

1 parentc6cbbe7 commit35587faCopy full SHA for 35587fa

File tree

6 files changed

+46

-58

lines changed

siem-converter/app/converter
- backends
  - graylog/mappings
    - graylog_cti.py
  - microsoft/mappings
    - microsoft_sentinel_cti.py
- core
  - parser_cti.py
  - render_cti.py
- cti_converter.py
- tools
  - const.py

6 files changed

+46

-58

lines changed

`‎siem-converter/app/converter/backends/graylog/mappings/graylog_cti.py‎`

Lines changed: 8 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,12 +1,12 @@`
`1`	`1`	`DEFAULT_GRAYLOG_MAPPING= {`
`2`		`-"SourceIP":"sourceAddress",`
`3`		`-"DestinationIP":"destinationAddress",`
`4`		`-"Domain":"destinationDnsDomain",`
`5`		`-"URL":"requestUrl",`
`6`		`-"HashMd5":"fileHash",`
`7`		`-"HashSha1":"fileHash",`
`8`		`-"HashSha256":"fileHash",`
`9`		`-"HashSha512":"fileHash",`
	`2`	`+"SourceIP":"source.ip",`
	`3`	`+"DestinationIP":"destination.ip",`
	`4`	`+"Domain":"destination.domain",`
	`5`	`+"URL":"url.original",`
	`6`	`+"HashMd5":"file.hash.md5",`
	`7`	`+"HashSha1":"file.hash.sha1",`
	`8`	`+"HashSha256":"file.hash.sha256",`
	`9`	`+"HashSha512":"file.hash.sha512",`
`10`	`10`	`"Emails":"emails",`
`11`	`11`	`"Files":"filePath"`
`12`	`12`	`}`

`‎siem-converter/app/converter/backends/microsoft/mappings/microsoft_sentinel_cti.py‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,12 +1,12 @@`
`1`	`1`	`DEFAULT_MICROSOFT_SENTINEL_MAPPING= {`
`2`		`-"DestinationIP":"DestinationIP",`
	`2`	`+"DestinationIP":"DestinationIp",`
`3`	`3`	`"SourceIP":"SourceIp",`
`4`	`4`	`"HashSha512":"FileHashSha512",`
`5`	`5`	`"HashSha256":"FileHashSha256",`
`6`	`6`	`"HashMd5":"FileHashMd5",`
`7`	`7`	`"Emails":"SenderFromAddress",`
`8`	`8`	`"Domain":"DestinationHostname",`
`9`	`9`	`"HashSha1":"FileHashSha1",`
`10`		`-"Files":"FileName",`
	`10`	`+"Files":"TargetFileName",`
`11`	`11`	`"URL":"URL"`
`12`	`12`	`}`

`‎siem-converter/app/converter/core/parser_cti.py‎`

Lines changed: 17 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -5,23 +5,29 @@`
`5`	`5`	`frompydanticimportBaseModel`
`6`	`6`
`7`	`7`	`fromapp.converter.core.exceptions.iocsimportIocsLimitExceededException,EmptyIOCSException`
`8`		`-fromapp.converter.tools.constimportIP_IOC_REGEXP_PATTERN,DOMAIN_IOC_REGEXP_PATTERN,URL_IOC_REGEXP_PATTERN,\`
`9`		`-hash_regexes,IOCType,HashType,IocParsingRule`
	`8`	`+fromapp.converter.tools.constimportIP_IOC_REGEXP_PATTERN,DOMAIN_IOC_REGEXP_PATTERN,URL_IOC_REGEXP_PATTERN,\`
	`9`	`+hash_regexes,IOCType,HashType,IocParsingRule,HASH_MAP`
`10`	`10`
`11`	`11`
`12`	`12`	`classIocs(BaseModel):`
`13`	`13`	`ip:list[str]= []`
`14`	`14`	`url:list[str]= []`
`15`	`15`	`domain:list[str]= []`
`16`		`-hash:list[str]=[]`
	`16`	`+hash_dict:dict={}`
`17`	`17`
`18`	`18`	`defget_total_count(self)->int:`
`19`		`-returnlen(self.ip)+len(self.url)+len(self.domain)+len(self.hash)`
	`19`	`+hash_len=0`
	`20`	`+forvalueinself.hash_dict.values():`
	`21`	`+hash_len+=len(value)`
	`22`	`+returnlen(self.ip)+len(self.url)+len(self.domain)+hash_len`
`20`	`23`
`21`	`24`	`defreturn_iocs(self)->dict:`
`22`		`-ifall(notvalueforvaluein [self.ip,self.url,self.domain,self.hash]):`
	`25`	`+ifall(notvalueforvaluein [self.ip,self.url,self.domain,self.hash_dict]):`
`23`	`26`	`raiseEmptyIOCSException()`
`24`		`-return {"ip":self.ip,"url":self.url,"domain":self.domain,"hash":self.hash}`
	`27`	`+result= {"DestinationIP":self.ip,"URL":self.url,"Domain":self.domain}`
	`28`	`+forkey,valueinself.hash_dict.items():`
	`29`	`+result[HASH_MAP[key]]=value`
	`30`	`+returnresult`
`25`	`31`
`26`	`32`
`27`	`33`	`classCTIParser:`
`@@ -47,7 +53,7 @@ def get_iocs_from_string(`
`47`	`53`	`ifnotinclude_hash_types:`
`48`	`54`	`include_hash_types=list(hash_regexes.keys())`
`49`	`55`	`forhash_typeininclude_hash_types:`
`50`		`-iocs.hash.extend(self._find_all_str_by_regex(string,hash_regexes[hash_type]))`
	`56`	`+iocs.hash_dict[hash_type]=self._find_all_str_by_regex(string,hash_regexes[hash_type])`
`51`	`57`	`iocs=self.remove_duplicates(iocs)`
`52`	`58`	`iocs=self.remove_exceptions(iocs,exceptions)`
`53`	`59`	`ifioc_parsing_rulesisNoneor"remove_private_and_reserved_ips"inioc_parsing_rules:`
`@@ -69,14 +75,16 @@ def remove_duplicates(self, iocs):`
`69`	`75`	`iocs.ip=self._remove_duplicates_from_list(iocs.ip)`
`70`	`76`	`iocs.domain=self._remove_duplicates_from_list(iocs.domain)`
`71`	`77`	`iocs.url=self._remove_duplicates_from_list(iocs.url)`
`72`		`-iocs.hash=self._remove_duplicates_from_list(iocs.hash)`
	`78`	`+forkey,valueiniocs.hash_dict.items():`
	`79`	`+iocs.hash_dict[key]=self._remove_duplicates_from_list(value)`
`73`	`80`	`returniocs`
`74`	`81`
`75`	`82`	`defremove_exceptions(self,iocs,exceptions=None):`
`76`	`83`	`iocs.ip=self._remove_exceptions(iocs.ip,exceptions)`
`77`	`84`	`iocs.domain=self._remove_exceptions(iocs.domain,exceptions)`
`78`	`85`	`iocs.url=self._remove_exceptions(iocs.url,exceptions)`
`79`		`-iocs.hash=self._remove_exceptions(iocs.hash,exceptions)`
	`86`	`+forkey,valueiniocs.hash_dict.items():`
	`87`	`+iocs.hash_dict[key]=self._remove_exceptions(value,exceptions)`
`80`	`88`	`returniocs`
`81`	`89`
`82`	`90`	`@staticmethod`

`‎siem-converter/app/converter/core/render_cti.py‎`

Lines changed: 4 additions & 25 deletions

Original file line number	Diff line number	Diff line change
`@@ -34,9 +34,6 @@ class RenderCTI:`
`34`	`34`	`final_result_for_one:str="union * \| where {result}\n"`
`35`	`35`	`default_mapping=None`
`36`	`36`
`37`		`-defget_default_mapping(self,include_source_ip=False):`
`38`		`-returnself.prepare_mapping(self.default_mapping,include_source_ip)`
`39`		`-`
`40`	`37`	`defcreate_field_value(self,field:str,value:str,generic_field:str):`
`41`	`38`	`returnself.data_map.format(key=field,value=value)`
`42`	`39`
`@@ -53,35 +50,17 @@ def render(self, data: List[List[IocsChunkValue]]) -> list[str]:`
`53`	`50`	`defcollect_data_values(self,chunk):`
`54`	`51`	`data_values= []`
`55`	`52`	`key_chunk= []`
`56`		`-processing_key=chunk[0].generic_field`
	`53`	`+processing_key=chunk[0].platform_field`
`57`	`54`	`forvalueinchunk:`
`58`		`-ifprocessing_key!=value.generic_field:`
	`55`	`+ifprocessing_key!=value.platform_field:`
`59`	`56`	`data_values.append(self.or_group.format(or_group=self.or_operator.join(key_chunk),`
`60`	`57`	`processing_key=processing_key))`
`61`	`58`	`key_chunk= []`
`62`		`-processing_key=value.generic_field`
`63`		`-key_chunk.append(self.create_field_value(field=value.generic_field,`
	`59`	`+processing_key=value.platform_field`
	`60`	`+key_chunk.append(self.create_field_value(field=value.platform_field,`
`64`	`61`	`value=value.value,`
`65`	`62`	`generic_field=value.generic_field))`
`66`	`63`	`ifkey_chunk:`
`67`	`64`	`data_values.append(`
`68`	`65`	`self.or_group.format(or_group=self.or_operator.join(key_chunk),processing_key=processing_key))`
`69`	`66`	`returndata_values`
`70`		`-`
`71`		`-defprepare_mapping(self,mapping:dict,include_source_ip:bool=False)->dict:`
`72`		`-m= {`
`73`		`-"DestinationIP":"ip",`
`74`		`-"Domain":"domain",`
`75`		`-"URL":"url",`
`76`		`-"HashMd5":"hash",`
`77`		`-"HashSha1":"hash",`
`78`		`-"HashSha256":"hash",`
`79`		`-"HashSha512":"hash",`
`80`		`- }`
`81`		`-ifinclude_source_ip:`
`82`		`-m["SourceIP"]="ip"`
`83`		`-res= {}`
`84`		`-forkey,new_field_nameinmapping.items():`
`85`		`-ifkeyinm:`
`86`		`-res[new_field_name]=m[key]`
`87`		`-returnres`

`‎siem-converter/app/converter/cti_converter.py‎`

Lines changed: 8 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -17,14 +17,8 @@ def __init__(self):`
`17`	`17`	`self.logger=logging.getLogger("cti_converter")`
`18`	`18`	`self.parser=CTIParser()`
`19`	`19`
`20`		`-def_reverse_mapping(self,platform:CTIPlatform,data:Dict[str,List[str]],`
`21`		`-include_source_ip:bool=False)->Dict[str,str]:`
`22`		`-mapping:Dict=self.renders.get(platform.name).get_default_mapping(include_source_ip)`
`23`		`-reverse_mapping= {}`
`24`		`-forplatform_field,generic_fieldinmapping.items():`
`25`		`-ifdata.get(generic_field):`
`26`		`-reverse_mapping.update({generic_field:platform_field})`
`27`		`-returnreverse_mapping`
	`20`	`+def_get_render_mapping(self,platform:CTIPlatform,include_source_ip:bool=False)->Dict[str,str]:`
	`21`	`+returnself.renders.get(platform.name).default_mapping`
`28`	`22`
`29`	`23`	`@handle_translation_exceptions`
`30`	`24`	`def__parse_iocs_from_string(self,text:str,include_ioc_types:list=None,include_hash_types:list=None,`
`@@ -39,11 +33,10 @@ def __parse_iocs_from_string(self, text: str, include_ioc_types: list = None, in`
`39`	`33`	`@handle_translation_exceptions`
`40`	`34`	`def__render_translation(self,parsed_data:dict,platform_data:CTIPlatform,iocs_per_query:int,`
`41`	`35`	`include_source_ip:bool=False)->List[str]:`
`42`		`-reverse_mapping=self._reverse_mapping(data=parsed_data,`
`43`		`-include_source_ip=include_source_ip,platform=platform_data)`
	`36`	`+mapping=self._get_render_mapping(platform=platform_data,include_source_ip=include_source_ip)`
`44`	`37`	`platform=self.renders.get(platform_data.name)`
`45`	`38`	`platform_generation=self.generate(data=parsed_data,platform=platform,iocs_per_query=iocs_per_query,`
`46`		`-mapping=reverse_mapping)`
	`39`	`+mapping=mapping)`
`47`	`40`	`returnplatform_generation`
`48`	`41`
`49`	`42`	`defconvert(self,text:str,`
`@@ -73,9 +66,10 @@ def _get_iocs_chunk(chunks_size: int, data: Dict[str, List[str]],`
`73`	`66`	`result= []`
`74`	`67`	`forgeneric_field,iocs_listindata.items():`
`75`	`68`	`foriociniocs_list:`
`76`		`-result.append(IocsChunkValue(generic_field=generic_field,`
`77`		`-platform_field=mapping.get(generic_field,generic_field),`
`78`		`-value=ioc))`
	`69`	`+ifmapping.get(generic_field):`
	`70`	`+result.append(IocsChunkValue(generic_field=generic_field,`
	`71`	`+platform_field=mapping[generic_field],`
	`72`	`+value=ioc))`
`79`	`73`	`return [result[i:i+chunks_size]foriinrange(0,len(result),chunks_size)]`
`80`	`74`
`81`	`75`	`defgenerate(self,platform:RenderCTI,iocs_per_query,data:Dict[str,List[str]],`

`‎siem-converter/app/converter/tools/const.py‎`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,13 @@`
`10`	`10`	`"replace_dots","remove_private_and_reserved_ips","replace_hxxp"`
`11`	`11`	`]`
`12`	`12`
	`13`	`+HASH_MAP= {`
	`14`	`+"md5":"HashMd5",`
	`15`	`+"sha1":"HashSha1",`
	`16`	`+"sha256":"HashSha256",`
	`17`	`+"sha512":"HashSha512"`
	`18`	`+}`
	`19`	`+`
`13`	`20`	`hash_regexes= {`
`14`	`21`	`"md5":r"(?:^\|[\s\/\[(\"',;{>\|])([A-Fa-f0-9]{32})(?=[\s)\]\"',;\n<\|]\|$)",`
`15`	`22`	`"sha1":r"(?:^\|[\s\/\[(\"',;{>\|])([A-Fa-f0-9]{40})(?=[\s)\]\"',;\n<\|]\|$)",`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit35587fa

File tree

6 files changed

6 files changed

`‎siem-converter/app/converter/backends/graylog/mappings/graylog_cti.py‎`

`‎siem-converter/app/converter/backends/microsoft/mappings/microsoft_sentinel_cti.py‎`

`‎siem-converter/app/converter/core/parser_cti.py‎`

`‎siem-converter/app/converter/core/render_cti.py‎`

`‎siem-converter/app/converter/cti_converter.py‎`

`‎siem-converter/app/converter/tools/const.py‎`

0 commit comments