Add initial mako support #38
Conversation
|
src/model.py
Outdated
| for key in self.rsa_keys: | ||
| obj = model.ExtractorModel.Encryption( | ||
| algorithm="rsa", | ||
| public_key=str((key.n, key.e)), |
There was a problem hiding this comment.
What is the recommended way to serialize a RSA public key? As far as I can see, I can only pass str
src/model.py
Outdated
| public_key=str((key.n, key.e)), | ||
| ) | ||
| if key.d: | ||
| obj.key = str((key.n, key.d)) |
There was a problem hiding this comment.
same question goes here
| output.encryption.append( | ||
| model.ExtractorModel.Encryption( | ||
| algorithm=curve.t, # for example, "ecdsa_pub_p384" | ||
| public_key=str((curve.x, curve.y)), |
| for curve in self.ecdsa_curves: | ||
| output.encryption.append( | ||
| model.ExtractorModel.Encryption( | ||
| algorithm=curve.t, # for example, "ecdsa_pub_p384" |
There was a problem hiding this comment.
Is there a convention for naming this types (we don't have an enum ourselves, though we map ecdsa_pub_p384 to something that MISP wants)
There was a problem hiding this comment.
So far I don't believe we have a naming convention for the algorithm field
| output.encryption.append( | ||
| model.ExtractorModel.Encryption( | ||
| algorithm=key[0], | ||
| key=key[1], |
| return "c2" | ||
| elif location_type == LocationType.DOWNLOAD_URL: | ||
| return "download" | ||
| elif location_type in [LocationType.OTHER, LocationType.PEER]: |
There was a problem hiding this comment.
No way to add a peer I think (it's not useful nowadays anyway)
| ) | ||
| ) | ||
| else: | ||
| output.tcp.append( |
There was a problem hiding this comment.
We don't keep track of connection type for non-http connections, sadly. But I can't think of a situation where this was not TCP
| output.paths.append(filename) | ||
|
|
||
| # Not supported by Maco | ||
| # for email in self.emails_to + self.emails_from: |
There was a problem hiding this comment.
For example, for credentials stealing
| # output.emails.append(email) | ||
|
|
||
| # Not supported by Maco | ||
| # for message in self.ransom_messages: |
There was a problem hiding this comment.
Perhaps this could be something added to decoded_strings field or perhaps we should introduce a body field to the SMTP model to maintain the context of the string as being a ransomware-related to an email?
| output.mutex.append(mutex) | ||
|
|
||
| for filename in self.dropped_filenames: | ||
| output.paths.append(filename) |
There was a problem hiding this comment.
I think i'm not adhering to the spirit of this field - we only store filenames, not complete paths.
| mwdblib>=3.3.0 | ||
| maco |
There was a problem hiding this comment.
| maco | |
| maco-model |
Might be better to use the maco-model package since it only contains the Pydantic models which is the only part in use in this feature.
Module structure is the same as the full package so you won't have to update the imports 😁
| # Not supported by Maco | ||
| # for email in self.emails_to + self.emails_from: | ||
| # output.emails.append(email) |
There was a problem hiding this comment.
Would this be covered under the smtp field for emails?
No description provided.