From b175d7297b8007e5534267ffcf41d66ebc7669e1 Mon Sep 17 00:00:00 2001
From: Cristina Ascari
Date: Wed, 23 Oct 2024 11:56:02 +0200
Subject: [PATCH] fixes analyzer mappings

---
 .../migrations/0124_data_mapping.py | 44 +++++++++++++++----
 .../observable_analyzers/crowdsec.py | 13 +-----
 .../observable_analyzers/greynoiseintel.py | 42 +++++++++++++++++-
 3 files changed, 76 insertions(+), 23 deletions(-)

diff --git a/api_app/analyzers_manager/migrations/0124_data_mapping.py b/api_app/analyzers_manager/migrations/0124_data_mapping.py
index 7f04cc5b6..384b3a8fd 100644
--- a/api_app/analyzers_manager/migrations/0124_data_mapping.py
+++ b/api_app/analyzers_manager/migrations/0124_data_mapping.py
@@ -22,10 +22,10 @@ def migrate_maxmind(apps, schema_editor):
 if not ac:
 return
 ac.mapping_data_model = {
- "country_code": "country.iso_code",
- "registered_country_code": "registered_country_code.iso_code",
- "asn": "autonomous_system_number",
- "isp": "autonomous_system_organization",
+ "country.iso_code": "country_code",
+ "registered_country_code.iso_code": "registered_country_code",
+ "autonomous_system_number": "asn",
+ "autonomous_system_organization": "isp",
 }
 ac.save()
 
@@ -36,11 +36,11 @@ def migrate_abuse_ipdb(apps, schema_editor):
 if not ac:
 return
 ac.mapping_data_model = {
- "country_code": "data.countryCode",
- "external_references": "permalink",
- "resolutions": "data.hostnames",
- "isp": "data.isp",
- "tags": "categories_found",
+ "data.countryCode": "country_code",
+ "permalink": "external_references",
+ "data.hostnames": "resolutions",
+ "data.isp": "isp",
+ "categories_found": "tags",
 }
 ac.save()
 
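Review bot: The new source path `registered_country_code.iso_code` in `migrate_maxmind` looks unresolvable: if the stored report mirrors MaxMind's GeoIP2 JSON, the registered-country object is keyed `registered_country`, so the dotted lookup would never find an `iso_code` and the data-model field stays empty. The old mapping carried the same string, so this is an inherited typo the inversion does not fix; confirm against an actual MaxMind report and, if so, change the key to `"registered_country.iso_code": "registered_country_code",`. Note also that the reverse migration is `RunPython.noop`, so rolling this migration back will not restore the previous key/value direction; a one-line comment on the function stating that the reverse is intentionally a no-op would save the next reader a guess.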
@@ -68,6 +68,30 @@ def migrate_circl_passive_ssl(apps, schema_editor):
 ac.save()
 
 
+def migrate_crowdsec(apps, schema_editor):
+ AnalyzerConfig = apps.get_model("analyzers_manager", "AnalyzerConfig")
+ ac = AnalyzerConfig.objects.filter(name="Crowdsec").first()
+ if not ac:
+ return
+ ac.mapping_data_model = {
+ "references.references": "external_references",
+ "link": "external_references",
+ }
+ ac.save()
+
+
+def migrate_greynoise_community(apps, schema_editor):
+ AnalyzerConfig = apps.get_model("analyzers_manager", "AnalyzerConfig")
+ ac = AnalyzerConfig.objects.filter(name="GreyNoiseCommunity").first()
+ if not ac:
+ return
+ ac.mapping_data_model = {
+ "name": "org_name",
+ "link": "external_references",
+ }
+ ac.save()
+
+
 class Migration(migrations.Migration):
 
 dependencies = [
@@ -80,4 +104,6 @@ class Migration(migrations.Migration):
 migrations.RunPython(migrate_urlhaus, migrations.RunPython.noop),
 migrations.RunPython(migrate_bgp_ranking, migrations.RunPython.noop),
 migrations.RunPython(migrate_circl_passive_ssl, migrations.RunPython.noop),
+ migrations.RunPython(migrate_crowdsec, migrations.RunPython.noop),
+ migrations.RunPython(migrate_greynoise_community, migrations.RunPython.noop),
 ]
diff --git a/api_app/analyzers_manager/observable_analyzers/crowdsec.py b/api_app/analyzers_manager/observable_analyzers/crowdsec.py
index 92b01ddb5..9dbf3ac08 100644
--- a/api_app/analyzers_manager/observable_analyzers/crowdsec.py
+++ b/api_app/analyzers_manager/observable_analyzers/crowdsec.py
@@ -33,7 +33,7 @@ def run(self):
 
 def _do_create_data_model(self):
 return super()._do_create_data_model() and not self.report.report.get(
- "not_fount", False
+ "not_found", False
 )
 
 def _update_data_model(self, data_model):
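Review bot: In `migrate_crowdsec` two source paths, `references.references` and `link`, both target `external_references`; unless the generic mapper accumulates values for a repeated target rather than assigning them, whichever key is applied last silently overwrites the other, and the hand-written code this replaces (deleted in crowdsec.py) explicitly merged both into one list. The same deleted code shows `references` is a list of dicts, so `references.references` only resolves if the mapping resolver walks lists, which is not visible here; please confirm against the resolver and add a test asserting that a report with both `link` and `references[].references` yields every URL in `external_references`. If the resolver cannot merge, keeping the list-building logic in the analyzer and mapping only `"link": "external_references"` is the safer option. Both new `RunPython` entries use `RunPython.noop` as the reverse, so a rollback leaves the new mapping in place; a short comment such as `# reverse is a no-op: the previous mapping is not restored` above the operations list would make that intent explicit.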
@@ -41,17 +41,6 @@ def _update_data_model(self, data_model):
 self.report: AnalyzerReport
 super()._update_data_model(data_model)
 
- external_refs = []
- link = self.report.report.get("link", None)
- if link:
- external_refs.append(link)
- references = self.report.report.get("references", [])
- for reference in references:
- refs = reference.get("references", [])
- external_refs.extend(refs)
- external_references = getattr(data_model, "external_references")
- external_references.set(external_refs)
-
 highest_total_score = max(
 [
 values["total"]
diff --git a/api_app/analyzers_manager/observable_analyzers/greynoiseintel.py b/api_app/analyzers_manager/observable_analyzers/greynoiseintel.py
index afae194a4..1a30ca6d9 100644
--- a/api_app/analyzers_manager/observable_analyzers/greynoiseintel.py
+++ b/api_app/analyzers_manager/observable_analyzers/greynoiseintel.py
@@ -70,10 +70,48 @@ def run(self):
 return response
 
 def _do_create_data_model(self):
- return super()._do_create_data_model() and not self.report.report.get(
- "not_fount", False
+ return super()._do_create_data_model() and (
+ self.report.report.get("riot", False)
+ or self.report.report.get("noise", False)
 )
 
+ def _update_data_model(self, data_model):
+ from api_app.analyzers_manager.models import AnalyzerReport
+
+ super()._update_data_model(data_model)
+ classification = self.report.report.get("classification", None)
+ riot = self.report.report.get("riot", None)
+ noise = self.report.report.get("noise", None)
+ if classification:
+ classification.lower()
+ self.report: AnalyzerReport
+ if (
+ classification
+ == self.report.data_model_class.EVALUATIONS.MALICIOUS.value
+ ):
+ if not noise:
+ logger.error("malicious IP is not a noise!?! How is this possible")
+ data_model.evaluation = (
+ self.report.data_model_class.EVALUATIONS.MALICIOUS.value
+ )
+ elif classification == "unknown":
+ if riot:
+ data_model.evaluation = (
+ self.report.data_model_class.EVALUATIONS.INFO.value
+ )
+ elif noise:
+ data_model.evaluation = (
+ self.report.data_model_class.EVALUATIONS.MALICIOUS.value
+ )
+ elif classification == "benign":
+ data_model.evaluation = (
+ self.report.data_model_class.EVALUATIONS.FALSE_POSITIVE.value
+ )
+ else:
+ logger.error(
+ f"there should not be other types of classification. Classification found: {classification}"
+ )
+
 @classmethod
 def _monkeypatch(cls):
 patches = [
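Review bot: In the new `_update_data_model`, `classification.lower()` discards its result, so `classification` is never normalised and every comparison below (`== MALICIOUS.value`, `== "unknown"`, `== "benign"`) is case-sensitive; a report with `"Malicious"` would fall through to the final `else` and log an error instead of setting `data_model.evaluation`. The fix is `classification = classification.lower()`; if GreyNoise already returns lowercase values the line is harmless today but still misleading, so either assign it or drop it. The `if classification:` guard also means a missing `classification` key sets no evaluation at all even when `riot` or `noise` is true, which is the exact case `_do_create_data_model` now lets through; consider handling `None` explicitly, e.g. logging it, rather than silently leaving the default. Minor: the function-local import of `AnalyzerReport` exists only to feed the bare annotation `self.report: AnalyzerReport`, which is a statement with no runtime effect; a `# type:` comment or a module-level `TYPE_CHECKING` import would convey the same intent without the import cost per call, and `logger.error` should take `%s` arguments rather than an f-string.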