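def load_stix(stix, distribution=3, threat_level_id=2, analysis=0):
    '''Returns a MISPEvent object from a STIX package

    :param stix: Something stixxy accepted by ``convert.load_stix``
        (a path, a file-like object or the raw text).
    :param distribution: ``distribution`` value set on the built event.
    :param threat_level_id: ``threat_level_id`` value set on the built event.
    :param analysis: ``analysis`` value set on the built event.
    :returns: Whatever ``buildEvent`` returns for the parsed package.
    :raises ImportError: when misp_stix_converter is not importable. It is
        an ``Exception`` subclass, so callers catching ``Exception`` still
        work, but the failure is now a proper dependency error.
    '''
    if not has_misp_stix_converter:
        raise ImportError('You need to install misp_stix_converter: pip install git+https://github.com/MISP/MISP-STIX-Converter.git')
    # Keep the parsed object separate from the caller's input; the original
    # rebound the parameter, which made the two easy to confuse.
    package = convert.load_stix(stix)
    return buildEvent(package, distribution=distribution,
                      threat_level_id=threat_level_id, analysis=analysis)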
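def STIXtoMISP(stix, mispAPI, **kwargs):
    """Function to convert from something stixxy
    ( as we have 3 possible representations )
    to something mispy. Specifically JSON. Because XML is satan.

    The original document is kept: its XML is attached to the event as a
    base64-encoded ``attachment`` attribute named after the input.

    :param stix: Something stixxy: a path, a file-like object or raw text.
    :param mispAPI: Client exposing ``add_event``; when falsy the event is
        built and validated but not pushed.
    :param kwargs: Forwarded to ``buildMISPAttribute.buildEvent``; the
        ``published`` key (default ``True``) is also consumed here and set
        on the pushed event.
    :returns: The API response when pushed, ``True`` when ``mispAPI`` is
        falsy, ``None`` when the event ended up without attributes.
    :raises Exception: when the API response contains ``errors``.
    """

    log.info("Converting a package from STIX to MISP...")

    stixPackage = load_stix(stix)
    # Ok by now we should have a proper STIX object.
    log.debug("Package loaded")

    # We'll try to extract a filename
    filename = "STIX_File.xml"
    if isinstance(stix, str) and "\n" not in stix:
        # It's probably just a filename
        # NOTE(review): the path is used verbatim as the attachment name, so
        # a local path ends up stored in MISP; a basename would do here.
        filename = stix
    elif hasattr(stix, "name"):
        # Steal this one!
        filename = stix.name
    elif hasattr(stixPackage, "stix_header"):
        # Well it has a header, maybe we can steal it
        if stixPackage.stix_header:
            if stixPackage.stix_header.title not in ["", None]:
                filename = stixPackage.stix_header.title + ".xml"

    log.debug("Using filename %s", filename)

    misp_event = buildMISPAttribute.buildEvent(stixPackage, **kwargs)

    log.debug("Encoding to b64...")
    b64Pkg = base64.b64encode(stixPackage.to_xml()).decode("utf-8")
    log.debug("Attaching original document...")

    misp_event.add_attribute(type="attachment", value=filename, data=b64Pkg)

    if not misp_event.attributes:
        log.warning("No attributes found, ignoring.")
        return None

    log.debug("Attributes exist. Pushing...")
    if not mispAPI:
        return True

    # json.dumps() returns a str, which does not support item assignment (the
    # original raised TypeError here); decode into a dict, set the flag, then
    # re-serialise for the API.
    # NOTE(review): if MISPEncode wraps the event under an "Event" key the
    # flag belongs inside that mapping -- confirm against the encoder.
    event = json.loads(json.dumps(misp_event, cls=MISPEncode))
    event["published"] = kwargs.pop('published', True)

    response = mispAPI.add_event(json.dumps(event))
    if response.get('errors'):
        # The full package, attachment included, goes into the message.
        raise Exception("PACKAGE: {}\nERROR: {}".format(
            json.dumps(misp_event, cls=MISPEncode),
            response.get('errors')))

    return response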
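def STIXtoMISP(stix, mispAPI, **kwargs):
    """
        Function to convert from something stixxy ( as we have 3 possible representations )
        to something mispy. Specifically JSON. Because XML is satan.

        :param stix: Something stixxy.
        :param mispAPI: Client exposing ``add_event``; the event is pushed
            as JSON encoded with ``mispevent.EncodeUpdate``.
        :param kwargs: Forwarded to ``buildMISPAttribute.buildEvent``.
        :returns: The API response, or ``None`` when the built event has no
            attributes and nothing is pushed.
    """

    log.info("Converting a package from STIX to MISP...")
    stix = load_stix(stix)
    # Ok by now we should have a proper STIX object.

    misp_event = buildMISPAttribute.buildEvent(stix, **kwargs)
    if not misp_event.attributes:
        log.warning("No attributes found, nothing to push.")
        return None

    response = mispAPI.add_event(
        json.dumps(misp_event, cls=mispevent.EncodeUpdate))
    if response.get('errors'):
        # Deliberately best-effort: the response is returned rather than
        # raised, but the errors are no longer swallowed silently.
        log.warning("MISP reported errors while adding the event: %s",
                    response.get('errors'))

    return response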
def STIXtoMISP(stix, mispAPI, **kwargs):
    """Convert a STIX package into a MISP event and push it.

    Accepts any of the three stixxy representations (path, file-like object
    or raw text), attaches the original XML as a base64 ``attachment``
    attribute and sends the result to MISP as JSON.

    :param stix: Something stixxy.
    :param mispAPI: Client exposing ``add_event``.
    :param kwargs: Forwarded to ``buildMISPAttribute.buildEvent``.
    :returns: The API response, or ``None`` when the event has no attributes.
    :raises Exception: when the API response contains ``errors``.
    """

    log.info("Converting a package from STIX to MISP...")
    package = load_stix(stix)
    # Ok by now we should have a proper STIX object.

    # Best-effort attachment name: the input path, the file object's name,
    # or the package title -- in that order -- else a generic default.
    attachment_name = "STIX_File.xml"
    if isinstance(stix, str) and "\n" not in stix:
        attachment_name = stix
    elif hasattr(stix, "name"):
        attachment_name = stix.name
    elif hasattr(package, "stix_header"):
        header = package.stix_header
        if header and header.title not in ["", None]:
            attachment_name = header.title + ".xml"

    misp_event = buildMISPAttribute.buildEvent(package, **kwargs)
    encoded_xml = base64.b64encode(package.to_xml()).decode("utf-8")
    misp_event.add_attribute(type="attachment", value=attachment_name,
                             data=encoded_xml)

    if not misp_event.attributes:
        return None

    payload = json.dumps(misp_event, cls=mispevent.EncodeUpdate)
    response = mispAPI.add_event(payload)
    if response.get('errors'):
        raise Exception("PACKAGE: {}\nERROR: {}".format(
            payload, response.get('errors')))

    return response
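def post_stix(manager, content_block, collection_ids, service_id):
    '''
        Callback function for when our taxii server gets new data
        Will convert it to a MISPEvent and push to the server

        Three paths exist: a package whose title can be detected either
        creates a new event or updates the existing one with that title;
        an undetectable package falls back to per-attribute de-duplication
        against the whole MISP instance before a single upload.

        :param manager: TAXII service manager handed in by the server (unused).
        :param content_block: Block whose ``.content`` holds the STIX XML
            as bytes or str.
        :param collection_ids: Collections the block was posted to (unused).
        :param service_id: Id of the receiving TAXII service (unused).
        :raises Exception: when MISP reports errors while adding a new event.
    '''

    # Load the package
    log.info("Posting STIX...")
    block = content_block.content
    if isinstance(block, bytes):
        block = block.decode()

    package = convert.load_stix(StringIO(block))
    # Building event obj -- library defaults, edit if you need them different.
    distribution = 3
    threat_level_id = 2
    analysis = 0

    misp_event = buildMISPAttribute.buildEvent(package,
                                               distribution=distribution,
                                               threat_level_id=threat_level_id,
                                               analysis=analysis)
    log.info("STIX loaded succesfully. Let's go!")

    # Title, TLP marking and source are all read from the package itself,
    # i.e. from whatever the TAXII peer sent; they become the attachment
    # name and tags of the MISP event.
    evaluatePackage = detect_title(package)
    tlp = detect_tlp(package)
    source = detect_source(package)

    title = evaluatePackage[0]
    detectable = evaluatePackage[1]

    if detectable == 1:
        # searchEvent() yields 0 when no event carries this title; otherwise
        # the value is used below as the id of the event to update.
        search = searchEvent(title)

        if search == 0:
            # New Event!
            b64Pkg = base64.b64encode(package.to_xml()).decode("utf-8")

            if misp_event.attributes:
                # NOTE(review): title is untrusted package content used as
                # the attachment name; assumes MISP sanitises it -- confirm.
                filename = title + ".xml"
                misp_event.add_attribute(type="attachment",
                                         value=filename,
                                         data=b64Pkg)

                if tlp:
                    misp_event.add_tag("tlp:" + tlp['color'])
                    misp_event.add_tag("Marking_Controlled_Structure:" +
                                       tlp['marking'])

                if source:
                    misp_event.add_tag("source:" + source)

                for attribItems in misp_event.attributes:
                    attribItems.distribution = distribution

                response = MISP.add_event(
                    json.dumps(misp_event, cls=MISPEncode))

                if response.get('errors'):
                    # The full package, attachment included, goes into
                    # the message.
                    raise Exception("PACKAGE: {}\nERROR: {}".format(
                        json.dumps(misp_event, cls=MISPEncode),
                        response.get('errors')))

                else:
                    MISP.fast_publish(response["Event"]["id"])
            else:
                log.info("No attributes detected")
        else:
            myeventid = search

            # Just the library default!
            # Edit if you need
            distribution = 3
            threat_level_id = 2
            analysis = 0
            buildattribute = buildMISPAttribute.buildEvent(
                package,
                distribution=distribution,
                threat_level_id=threat_level_id,
                analysis=analysis)

            # Iterate over a copy: attributes are popped from the original
            # list while looping.
            items = list(buildattribute.attributes)

            for attrib in items:

                # sanitizer() is applied before the value reaches the
                # search API (presumably escaping; see its definition).
                searchatt = MISP.search("attributes",
                                        values=str(sanitizer(attrib.value)),
                                        type_attribute=str(attrib.type),
                                        eventid=myeventid)

                if searchatt["response"] != []:
                    log.info("%s is a duplicate, we'll ignore it.",
                             attrib.value)
                    buildattribute.attributes.pop([
                        x.value for x in buildattribute.attributes
                    ].index(attrib.value))
                else:
                    log.info("%s is unique, we'll keep it", attrib.value)
                    attrib.distribution = distribution

            # NOTE(review): the de-duplicated ``buildattribute`` only decides
            # whether there is anything new; ``misp_event`` (all attributes)
            # is what gets sent -- confirm this is intended.
            if buildattribute.attributes:
                b64Pkg = base64.b64encode(package.to_xml()).decode("utf-8")
                updatetimestamp = mytimestamp()
                filename = title + "_" + updatetimestamp + ".xml"
                misp_event.add_attribute(type="attachment",
                                         value=filename,
                                         data=b64Pkg)

                if tlp:
                    misp_event.add_tag("tlp:" + tlp['color'])
                    misp_event.add_tag("Marking_Controlled_Structure:" +
                                       tlp['marking'])

                if source:
                    misp_event.add_tag("source:" + source)

                MISP.update_event(myeventid,
                                  json.dumps(misp_event, cls=MISPEncode))
                MISP.fast_publish(myeventid)
                # Lazy %-formatting: does not break if the id is not a str.
                log.info("Updating event: %s", myeventid)
            else:
                log.info("Nothing to update for event: %s", myeventid)
    else:
        log.info("Event undetectable. Will be used old style import!")
        values = [x.value for x in misp_event.attributes]
        log.info("Extracted %s", values)

        for attrib in values:
            log.info("Checking for existence of %s", attrib)
            search = MISP.search("attributes", values=str(sanitizer(attrib)))

            if search["response"] != []:
                # This means we have it!
                log.info("%s is a duplicate, we'll ignore it.", attrib)
                misp_event.attributes.pop(
                    [x.value for x in misp_event.attributes].index(attrib))
            else:
                log.info("%s is unique, we'll keep it", attrib)

        # Push the event to MISP once, after every attribute has been checked.
        # Doing this inside the loop (as before) created one event per unique
        # attribute and could upload duplicates that were only popped later.
        # TODO: There's probably a proper method to do this rather than json_full
        # But I don't wanna read docs
        if misp_event.attributes:
            log.info("Uploading event to MISP with attributes %s",
                     [x.value for x in misp_event.attributes])
            MISP.add_event(misp_event)
        else:
            log.info("No attributes, not bothering.")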