def process(self, task: Task) -> None: # type: ignore config = task.get_payload("config") family = task.headers["family"] dhash = config_dhash(config) # Parse the config using iocextract library iocs = parse(family, config) if not iocs: # Nothing actionable found - skip the config return # Upload structured data to MISP event = MISPEvent() event.uuid = str(uuid5(self.CONFIG_NAMESPACE, dhash)) event.add_tag(f"mwdb:family:{family}") event.info = f"Malware configuration ({family})" if self.mwdb_url is not None: event.add_attribute("link", f"{self.mwdb_url}/config/{dhash}") for o in iocs.to_misp(): event.add_object(o) misp = ExpandedPyMISP(self.misp_url, self.misp_key, self.misp_verifycert) misp.add_event(event)
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname(os.path.abspath(__file__)) + '/config.yml' config = yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {} self.helper = OpenCTIConnectorHelper(config) # Extra config self.misp_url = get_config_variable('MISP_URL', ['misp', 'url'], config) self.misp_key = get_config_variable('MISP_KEY', ['misp', 'key'], config) self.misp_ssl_verify = get_config_variable('MISP_SSL_VERIFY', ['misp', 'ssl_verify'], config) self.misp_create_report = get_config_variable('MISP_CREATE_REPORTS', ['misp', 'create_reports'], config) self.misp_report_class = get_config_variable( 'MISP_REPORT_CLASS', ['misp', 'report_class'], config ) or 'MISP Event' self.misp_import_from_date = get_config_variable('MISP_IMPORT_FROM_DATE', ['misp', 'import_from_date'], config) self.misp_import_tags = get_config_variable('MISP_IMPORT_TAGS', ['misp', 'import_tags'], config) self.misp_interval = get_config_variable('MISP_INTERVAL', ['misp', 'interval'], config, True) self.update_existing_data = get_config_variable( 'CONNECTOR_UPDATE_EXISTING_DATA', ['connector', 'update_existing_data'], config ) # Initialize MISP self.misp = ExpandedPyMISP(url=self.misp_url, key=self.misp_key, ssl=self.misp_ssl_verify, debug=False)
def export_to_misp(user_details, report,indicators): misp_url = user_details.get('misp_url') misp_key = user_details.get('misp_api_key') misp_verifycert = True misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert) event = MISPEvent() event.info = report.title event = misp.add_event(event, pythonify=True) print(event) created = json.loads(event.to_json()) event_id = created.get('id') report_id = report.id for indicator in indicators: indicator_value = indicator[1] if indicator[2] == 'IP': indicator_type = "ip-dst" elif indicator[2] == 'Domain': indicator_type = 'domain' elif indicator[2] == 'Email': indicator_type = 'email-src' elif indicator[2] == 'CVE': indicator_value = indicator[1].replace('_', '-') indicator_type = 'vulnerability' elif indicator[2] == 'MD5 Hash': indicator_type = 'md5' elif indicator[2] == 'SHA256 Hash': indicator_type = 'sha256' elif indicator[2] == 'URL': indicator_type = 'url' try: misp.add_attribute(event_id,{'type':indicator_type,'value':indicator_value},pythonify=True) except: pass
def __init__( self, config_file='C:\\automation-hunting\\misp\\conf\\misp-case-provider.yaml', debug=False): self.misp_url = None self.api_key = None self.verify_cert = False if not self.get_config_data(config_file): raise Exception('Invalid Configuration File') self.misp_api = ExpandedPyMISP(self.misp_url, self.api_key, self.verify_cert, debug=debug) self.add_ioc_functions = [ self.misp_api.add_ipdst, self.misp_api.add_ipsrc, self.misp_api.add_internal_comment, self.misp_api.add_internal_text, self.misp_api.add_email_subject, self.misp_api.add_mutex, self.misp_api.add_filename, self.misp_api.add_hostname, self.misp_api.add_domain, self.misp_api.add_domain_ip, self.misp_api.add_email_src, self.misp_api.add_email_dst, self.misp_api.add_hashes, self.misp_api.add_object, self.misp_api.add_regkey, self.misp_api.add_url, self.misp_api.add_user, self.misp_api.add_useragent, self.misp_api.add_target_user ]
def init(self): if ExpandedPyMISP is None: raise MissingDependencyError('pymisp', '>=2.4.117.3') # Initialize MISP connection self.misp = ExpandedPyMISP(self.misp_url, self.misp_key, self.http_verify_cert)
def __init__(self, misp_url, misp_key, verifycert, config, offline=False, urlsonly=False): self.offline = offline if not self.offline: self.misp = ExpandedPyMISP(misp_url, misp_key, verifycert, debug=config.debug) self.config = config self.urlsonly = urlsonly if not hasattr(self.config, 'enable_dns'): setattr(self.config, 'enable_dns', True) if self.urlsonly is False: setattr(self.config, 'enable_dns', False) self.debug = self.config.debug self.config_from_email_body = {} if not hasattr(self.config, 'ignore_nullsize_attachments'): setattr(self.config, 'ignore_nullsize_attachments', False) self.ignore_nullsize_attachments = self.config.ignore_nullsize_attachments # Init Faup self.f = Faup() self.sightings_to_add = []
class MISP(): def __init__(self): self.misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert) self.tags = self.misp.tags() self.tie = TIE() def get_event(self): try: events = self.misp.search(tags=misp_tag) for event in events: for attributes in event['Event']['Attribute']: if attributes['type'] == 'md5': print('STATUS: Found MD5 {0} in Event {1}. Trying to set external reputation.' .format(str(attributes['value']),str(event['Event']['id']))) self.tie.set_rep(event['Event']['id'], attributes['value']) for objects in event['Event']['Object']: for attributes in objects['Attribute']: if attributes['type'] == 'md5': print('STATUS: Found MD5 {0} in Event {1}. Trying to set external reputation.' .format(str(attributes['value']), str(event['Event']['id']))) self.tie.set_rep(event['Event']['id'], attributes['value']) self.misp.untag(event['Event']['uuid'], misp_tag) except Exception as e: exc_type, exc_obj, exc_tb = sys.exc_info() print('ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}' .format(location=__name__, funct_name=sys._getframe().f_code.co_name, line_no=exc_tb.tb_lineno, error=str(e)))
def __init__(self): self.misp = ExpandedPyMISP(misp_url, misp_key, False) self.headers = { 'Authorization': misp_key, 'Accept': 'application/xml', 'User-Agent': 'PyMISP' }
def submit_tf_update(misp: ExpandedPyMISP, attributes: list) -> MISPEvent: """ create/update abuse.ch MISP-Event and append the new attributes """ eventinfo = event_info_template.format( datetime.now().strftime(info_dateformat)) # logging.debug(eventinfo) events = misp.search(controller='events', eventinfo=eventinfo, org=1, pythonify=True) if events: # current event exists already event = events[0] else: # create a new event event = MISPEvent() event.distribution = event_distribution event.threat_level_id = event_threat_level event.analysis = 2 event.info = eventinfo for tag in tagging: event.add_tag(tag) event = misp.add_event(event, pythonify=True) for att in attributes: event.add_attribute(**att) event.published = autopublish return misp.update_event(event)
def __init__(self): # Instantiate the connector helper from config config_file_path = os.path.dirname( os.path.abspath(__file__)) + '/config.yml' config = yaml.load(open(config_file_path), Loader=yaml.FullLoader ) if os.path.isfile(config_file_path) else {} self.helper = OpenCTIConnectorHelper(config) # Extra config self.misp_url = os.getenv('MISP_URL') or config.get('misp', {}).get('url') self.misp_key = os.getenv('MISP_KEY') or config.get('misp', {}).get('key') self.misp_tag = os.getenv('MISP_TAG') or config.get('misp', {}).get('tag') self.misp_untag_event = os.getenv('MISP_UNTAG_EVENT') or config.get( 'misp', {}).get('untag_event') self.misp_imported_tag = os.getenv('MISP_IMPORTED_TAG') or config.get( 'misp', {}).get('imported_tag') self.misp_filter_on_imported_tag = os.getenv( 'MISP_FILTER_ON_IMPORTED_TAG') or config.get( 'misp', {}).get('filter_on_imported_tag') self.misp_interval = os.getenv('MISP_INTERVAL') or config.get( 'misp', {}).get('interval') # Initialize MISP self.misp = ExpandedPyMISP(url=self.misp_url, key=self.misp_key, ssl=False, debug=False)
def __init__(self, source): """" MISPE exports borked keys to MISP along with the certificates that use these keys, and the TLS session in which they appear. :type source: an attack, or a datastore""" super().__init__() self.name = 'MISP exporter' self.url = self.config['CREDENTIALS']['URL'] self.key = self.config['CREDENTIALS']['KEY'] self.ssl = self.config['CREDENTIALS'].getboolean('SSL') self.misp = ExpandedPyMISP(self.url, self.key, self.ssl) tags = [{ "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#ff00ff", "name": "d4-crypto-feed" }] self.daily = self.config['FEEDGENERATOR'].getboolean('DAILY') self.generator = FeedGenerator(self.config, tags) self.misp.toggle_global_pythonify() # Depending on the type of source self.source = source process = self.switcher(str(type(self.source)).split(".")) process()
def __init__(self, host: str, token: str, protocol: str, verify_tls: bool, sharing_group: str, publish: bool = False): self.host = host self.token = token self.protocol = protocol self.verify_tls = verify_tls self.misp: ExpandedPyMISP self.sharing_group = sharing_group self.publish = publish try: self.misp = ExpandedPyMISP(f'{self.protocol}://{self.host}', self.token, ssl=self.verify_tls, tool='dissector') except PyMISPError: LOGGER.critical( f'Could not connect to MISP instance at "{self.protocol}://{self.host}".' ) self.misp = None
def __init__(self, query): self.misp = ExpandedPyMISP(misp_url, misp_key, ssl=misp_verify, debug=False) self.misp_tag = misp_tag self.tags = self.misp.tags() self.query = query self.mainfile = query['Summary']['Subject']['Name'] self.attributes = []
def _connect(self): self.debug_print('URL: {}'.format(self.misp_param['url'])) self.debug_print('authkey: {}'.format(self.misp_param['authkey'])) self.misp = ExpandedPyMISP(self.misp_param['url'], self.misp_param['authkey'], ssl=False, debug=False) self._registered_tags = self.misp.tags()
def __init__(self): # Get configuration config_file_path = os.path.dirname( os.path.abspath(__file__)) + '/config.yml' self.config = dict() if os.path.isfile(config_file_path): config = yaml.load(open(config_file_path), Loader=yaml.FullLoader) self.config_rabbitmq = config['rabbitmq'] self.config['name'] = config['misp']['name'] self.config['confidence_level'] = config['misp'][ 'confidence_level'] self.config['url'] = config['misp']['url'] self.config['key'] = config['misp']['key'] self.config['tag'] = config['misp']['tag'] if 'tag' in config[ 'misp'] else None self.config['untag_event'] = config['misp'][ 'untag_event'] if 'untag_event' in config['misp'] else None self.config['imported_tag'] = config['misp']['imported_tag'] self.config['filter_on_imported_tag'] = config['misp'][ 'filter_on_imported_tag'] self.config['interval'] = config['misp']['interval'] self.config['log_level'] = config['misp']['log_level'] else: self.config_rabbitmq = dict() self.config_rabbitmq['hostname'] = os.getenv( 'RABBITMQ_HOSTNAME', 'localhost') self.config_rabbitmq['port'] = os.getenv('RABBITMQ_PORT', 5672) self.config_rabbitmq['username'] = os.getenv( 'RABBITMQ_USERNAME', 'guest') self.config_rabbitmq['password'] = os.getenv( 'RABBITMQ_PASSWORD', 'guest') self.config['name'] = os.getenv('MISP_NAME', 'MISP') self.config['confidence_level'] = int( os.getenv('MISP_CONFIDENCE_LEVEL', 3)) self.config['url'] = os.getenv('MISP_URL', 'http://localhost') self.config['key'] = os.getenv('MISP_KEY', 'ChangeMe') self.config['tag'] = os.getenv('MISP_TAG', None) self.config['untag_event'] = os.getenv('MISP_UNTAG_EVENT', None) == "true" self.config['imported_tag'] = os.getenv('MISP_IMPORTED_TAG', 'OpenCTI: Imported') self.config['filter_on_imported_tag'] = os.getenv( 'MISP_FILTER_ON_IMPORTED_TAG', "true") == "true" self.config['interval'] = os.getenv('MISP_INTERVAL', 5) self.config['log_level'] = os.getenv('MISP_LOG_LEVEL', 'info') # Initialize OpenCTI Connector connector_identifier = ''.join(e for e in self.config['name'] if e.isalnum()) self.opencti_connector_helper = OpenCTIConnectorHelper( connector_identifier.lower(), self.config, self.config_rabbitmq, self.config['log_level']) # Initialize MISP self.misp = ExpandedPyMISP(url=self.config['url'], key=self.config['key'], ssl=False, debug=False)
def __init__(self): parser = ConfigParser() parser.read("config/misp_key.ini") misp_url = parser.get("MISP_KEY_INFO", "misp_url") misp_key = parser.get("MISP_KEY_INFO", "misp_key") misp_verifycert = False #connect to MISP self.misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
def run(self, conf, args, plugins): server = ExpandedPyMISP(conf['Misp']['url'], conf['Misp']['key'], not args.no_tls) if args.list: # List events events = server.events(pythonify=True) for event in sorted(events, key=lambda x: x.id): print("%i : %s" % (event.id, event.info)) elif args.event is not None: event = server.get_event(args.event, pythonify=True) if args.attr is None and args.type is None: if args.raw: for a in event.attributes: print(a.value) else: print("Event {} : {}".format(event.id, event.info)) print("Tags : {}".format(", ".join( map(lambda x: str(x.name), event.tags)))) print("{} Attributes including:".format( len(event.attributes))) attrs = Counter(map(lambda x: x.type, event.attributes)) attrs_ids = Counter( map(lambda x: x.type, filter(lambda x: x.to_ids, event.attributes))) for type in attrs: print("- %i %s (%i for detection)" % (attrs[type], type, attrs_ids[type])) else: if args.type is not None: # Display all attributes from this type for attr in event.attributes: if attr.type == args.type: if args.raw: print("%s" % attr.value) else: print("{:20}{:10}{:40}{}{}".format( attr.category, attr.type, attr.value, attr.comment, attr.to_ids)) elif args.attr is not None: # search by attribute value for attr in event.attributes: if args.attr in str(attr.value): print("%s\t%s\t%s\t%s\t%s" % (attr.category, attr.type, attr.value, attr.comment, attr.to_ids)) elif args.attr is not None: res = server.search('attributes', value=args.attr) if len(res['Attribute']) == 0: print("Search %s: no results" % args.attr) else: print("Search %s, result founds" % args.attr) for attr in res['Attribute']: print('{} - {}'.format(attr['Event']['id'], attr['Event']['info'])) else: self.parser.print_help()
def init(self): if sys.version_info < (3, 6): raise ValueError('This bot requires Python >= 3.6.') if ExpandedPyMISP is None: raise MissingDependencyError('pymisp', '>=2.4.117.3') # Initialize MISP connection self.misp = ExpandedPyMISP(self.parameters.misp_url, self.parameters.misp_key, self.parameters.http_verify_cert)
def _get_events(): misp = ExpandedPyMISP(config.misp_domain, config.misp_key, config.misp_verifycert) if len(config.misp_event_filters) == 0: return [event['Event'] for event in misp.search(controller='events', return_format='json')] events_for_each_filter = [ [event['Event'] for event in misp.search(controller='events', return_format='json', **config.misp_event_filters)] ] event_ids_for_each_filter = [set(event['id'] for event in events) for events in events_for_each_filter] event_ids_intersection = reduce((lambda x, y: x & y), event_ids_for_each_filter) return [event for event in events_for_each_filter[0] if event['id'] in event_ids_intersection]
class MISPCollectorBot(CollectorBot): def init(self): if PyMISP is None and import_fail_reason == 'syntax': raise MissingDependencyError( "pymisp", version='>=2.4.36,<=2.4.119.1', additional_text="Python versions below 3.6 are " "only supported by pymisp <= 2.4.119.1.") elif PyMISP is None: raise MissingDependencyError("pymisp") if hasattr(self.parameters, 'misp_verify'): self.parameters.http_verify_cert = self.parameters.misp_verify warnings.warn( "The parameter 'misp_verify' is deprecated in favor of" "'http_verify_cert'.", DeprecationWarning) # Initialize MISP connection self.misp = PyMISP(self.parameters.misp_url, self.parameters.misp_key, self.parameters.http_verify_cert) def process(self): # Grab the events from MISP misp_result = self.misp.search( tags=self.parameters.misp_tag_to_process) # Process the response and events # Compatibility with old pymisp versions before 2019: if 'response' in misp_result: misp_result = misp_result['response'] # Extract the MISP event details for e in misp_result: misp_event = e['Event'] # Send the results to the parser report = self.new_report() report.add('raw', json.dumps(misp_event, sort_keys=True)) report.add('feed.url', self.parameters.misp_url) self.send_message(report) # Finally, update the tags on the MISP events. for e in misp_result: misp_event = e['Event'] if hasattr(self.parameters, 'misp_tag_processed'): # Add a 'processed' tag to the event self.misp.tag(misp_event['uuid'], self.parameters.misp_tag_processed) # Remove the 'to be processed' tag self.misp.untag(misp_event['uuid'], self.parameters.misp_tag_to_process)
def create_sync_user(self, organisation): sync_org = self.site_admin_connector.add_organisation(organisation) short_org_name = sync_org.name.lower().replace(' ', '-') user = MISPUser() user.email = f"sync_user@{short_org_name}.local" user.org_id = sync_org.id user.role_id = 5 # Org admin sync_user = self.site_admin_connector.add_user(user) sync_user_connector = ExpandedPyMISP(self.site_admin_connector.root_url, sync_user.authkey, ssl=False, debug=False) sync_server_config = sync_user_connector.get_sync_config(pythonify=True) self.sync.append((sync_org, sync_user, sync_server_config))
def __init__(self, misp_url, misp_key, misp_verify_cert=False, tag_toProcess='MAC_toProcess', tag_processed='MAC_processed', ): # Initialize MISP connection self.misp = ExpandedPyMISP(misp_url, misp_key, misp_verify_cert) self.tag_toProcess = tag_toProcess self.tag_processed = tag_processed
def save(self): site_id = self.validated_data['id'] site = Site.objects.get(pk=site_id) # Check if there is already an Event if DnsTwisted.objects.filter(domain_name=site.domain_name): dns_twisted = DnsTwisted.objects.get(domain_name=site.domain_name) if site.misp_event_id is None: site.misp_event_id = dns_twisted.misp_event_id # Save the case id in database Site.objects.filter(pk=site.pk).update( misp_event_id=dns_twisted.misp_event_id) # Test MISP instance connection try: requests.get(settings.MISP_URL, verify=settings.MISP_VERIFY_SSL) except requests.exceptions.SSLError as e: print(str(timezone.now()) + " - ", e) raise AuthenticationFailed("SSL Error: " + settings.MISP_URL) except requests.exceptions.RequestException as e: print(str(timezone.now()) + " - ", e) raise NotFound("Not Found: " + settings.MISP_URL) misp_api = ExpandedPyMISP(settings.MISP_URL, settings.MISP_KEY, settings.MISP_VERIFY_SSL) if site.misp_event_id is not None: # If the event already exist, then we update IOCs update_attributes(misp_api, site) else: # If the event does not exist, then we create it # Prepare MISP Event event = MISPEvent() event.distribution = 0 event.threat_level_id = 2 event.analysis = 0 event.info = "Suspicious domain name " + site.domain_name event.tags = create_misp_tags(misp_api) # Create MISP Event print(str(timezone.now()) + " - " + 'Create MISP Event') print('-----------------------------') event = misp_api.add_event(event, pythonify=True) # Store Event Id in database Site.objects.filter(pk=site.pk).update(misp_event_id=event.id) if DnsTwisted.objects.filter(domain_name=site.domain_name): DnsTwisted.objects.filter(domain_name=site.domain_name).update( misp_event_id=event.id) # Create MISP Attributes create_attributes(misp_api, event.id, site)
def init(self): if ExpandedPyMISP is None: raise ValueError('Could not import pymisp. Please install it.') # Initialize MISP connection self.misp = ExpandedPyMISP(self.parameters.misp_url, self.parameters.misp_key, self.parameters.misp_verify) # Handle the InsecureRequestWarning if not self.parameters.misp_verify: urllib3.disable_warnings() self.logger.info ("Connected to MISP")
class MISPCollectorBot(CollectorBot): """Collect events from a MISP server""" misp_key: str = "<insert MISP Authkey>" misp_tag_processed: str = None misp_tag_to_process: str = "<insert MISP tag for events to be processed>" misp_url: str = "<insert url of MISP server (with trailing '/')>" rate_limit: int = 3600 def init(self): if PyMISP is None: raise MissingDependencyError("pymisp") if hasattr(self, 'misp_verify'): self.http_verify_cert = self.misp_verify warnings.warn( "The parameter 'misp_verify' is deprecated in favor of" "'http_verify_cert'.", DeprecationWarning) # Initialize MISP connection self.misp = PyMISP(self.misp_url, self.misp_key, self.http_verify_cert) def process(self): # Grab the events from MISP misp_result = self.misp.search(tags=self.misp_tag_to_process) # Process the response and events # Compatibility with old pymisp versions before 2019: if 'response' in misp_result: misp_result = misp_result['response'] # Extract the MISP event details for e in misp_result: misp_event = e['Event'] # Send the results to the parser report = self.new_report() report.add('raw', json.dumps(misp_event, sort_keys=True)) report.add('feed.url', self.misp_url) self.send_message(report) # Finally, update the tags on the MISP events. for e in misp_result: misp_event = e['Event'] if self.misp_tag_processed is not None: # Add a 'processed' tag to the event self.misp.tag(misp_event['uuid'], self.misp_tag_processed) # Remove the 'to be processed' tag self.misp.untag(misp_event['uuid'], self.misp_tag_to_process)
def __init__(self, misp_key, misp_url, misp_verify_cert, siem_mode=False, debugon=False): self.misp = ExpandedPyMISP(misp_url, misp_key, misp_verify_cert, debugon) self.debugon = debugon if siem_mode: self.siem_mode = True self.separator = "," self.use_headers = True self.use_filename_regex = False
def get_misp_data( refSet_etype): #this function will get misp data for last 1 day) global network_ip, network_domain misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert) result = misp.search(publish_timestamp="5d", pythonify=True) network_ip = [] network_domain = [] s = "" if not result: print('No results for that time period') exit(0) for r in result: s = r.to_json() json_data = json.loads(s) for attribute in json_data["Event"]["Attribute"]: iocs = attribute["value"] if attribute["type"] in ("ip-src", "ip-dst"): network_ip.append(iocs) elif attribute["type"] in ("domain", "url"): network_domain.append(iocs) else: continue if refSet_etype == "IP": ingest_ip_data = json.dumps(network_ip) ioc_ip_count = len(network_ip) print( time.strftime("%H:%M:%S") + " -- " + "Trying to clean the IOCs to IP address, as " + qradar_ref_set + " element type = IP") print( time.strftime("%H:%M:%S") + " -- " + "(Success) Extracted " + str(ioc_ip_count) + " IPs from initial import.") qradar_post_IP(ingest_ip_data, ioc_ip_count) else: ingest_domain_data = json.dumps(network_domain) ioc_domain_count = len(network_domain) print( time.strftime("%H:%M:%S") + " -- " + "Trying to clean the IOCs to Domain, as " + qradar_ref_set + " element type = AlphaNumeric") print( time.strftime("%H:%M:%S") + " -- " + "(Success) Extracted " + str(ioc_domain_count) + " Domains from initial import.") qradar_post_all(ingest_domain_data, ioc_domain_count)
def get_misp_instance(): print('*******get misp instance()********') """ :return: MISP Instance :rtype: PyMISP """ # Proxy settings are taken from the config file and converted to a dict. if PySilo_settings.USE_MISP_PROXY: misp_proxies = { 'http': str(PySilo_settings.proxy_address), 'https': str(PySilo_settings.proxy_address) } else: misp_proxies = {} try: # URL of the MISP instance, API key and SSL certificate validation are taken from the config file. return ExpandedPyMISP(PySilo_settings.misp_url, PySilo_settings.misp_key, PySilo_settings.misp_verifycert, proxies=misp_proxies) #return PyMISP(PySilo_settings.misp_url, PySilo_settings.misp_key, PySilo_settings.misp_verifycert, # proxies=misp_proxies) except Exception: PySilo_settings.logger.debug('Unexpected error in MISP init: %s', sys.exc_info()) return False
class Misp(Threat): def __init__(self): parser = ConfigParser() parser.read("config/misp_key.ini") misp_url = parser.get("MISP_KEY_INFO", "misp_url") misp_key = parser.get("MISP_KEY_INFO", "misp_key") misp_verifycert = False #connect to MISP self.misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert) #set new event to MISP def set_event(self): pass #return list attributes with correct type hash def get_hash_attributes(self, type_hash): try: #search list events is published events = self.misp.search(published=True) #create list to add new threat objects list_hash = [] for event in events: for attribute in event['Event']['Attribute']: #check all attribute has type is equal with type hash if attribute['type'] == type_hash: #display info attribute print('STATUS: Found {0} {1} in Event {2}.'.format( type_hash, str(attribute['value']), str(event['Event']['id']))) #add new threat object to list list_hash.append( Threat(str(attribute['value']), str(event['Event']['id']))) for objects in event['Event']['Object']: for attribute in objects['Attribute']: #check all attribute has type is equal with type hash if attribute['type'] == type_hash: #display info attribute print('STATUS: Found {0} {1} in Event {2}.'.format( type_hash, str(attribute['value']), str(event['Event']['id']))) #add new threat object to list list_hash.append( Threat(str(attribute['value']), str(event['Event']['id']))) return list_hash except Exception as e: exc_tb = sys.exc_info() print( 'ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}' .format(location=__name__, funct_name=sys._getframe().f_code.co_name, line_no=exc_tb.tb_lineno, error=str(e))) return None
class MISPExpertBot(Bot): def init(self): if ExpandedPyMISP is None: raise MissingDependencyError('pymisp', '>=2.4.117.3') # Initialize MISP connection self.misp = ExpandedPyMISP(self.parameters.misp_url, self.parameters.misp_key, self.parameters.http_verify_cert) def process(self): event = self.receive_message() if 'source.ip' in event: # Grab the attributes from MISP # TODO: Run the query in reverse order (new->old) misp_result = self.misp.search('attributes', value=event['source.ip'], page=1, limit=1, pythonify=True) if misp_result: attribute = misp_result[0] # Process the response event.add('misp.attribute_uuid', attribute.uuid) event.add('misp.event_uuid', attribute.Event.uuid) self.send_message(event) self.acknowledge_message()
if not args.fieldnames: has_fieldnames = True else: has_fieldnames = args.skip_fieldnames csv_loader = CSVLoader(template_name=args.object_name, csv_path=args.path, fieldnames=args.fieldnames, has_fieldnames=has_fieldnames) objects = csv_loader.load() if args.dump: for o in objects: print(o.to_json()) else: if offline: print('You are in offline mode, quitting.') else: misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert) if args.new_event: event = MISPEvent() event.info = args.new_event for o in objects: event.add_object(**o) new_event = misp.add_event(event) if isinstance(new_event, str): print(new_event) elif 'id' in new_event: print(f'Created new event {new_event.id}') else: print('Something went wrong:') print(new_event) else: for o in objects:
from pymisp import ExpandedPyMISP from keys import misp_url, misp_key, misp_verifycert if __name__ == '__main__': parser = argparse.ArgumentParser(description='Get MISP stuff as CSV.') parser.add_argument("-e", "--event_id", help="Event ID to fetch. Without it, it will fetch the whole database.") parser.add_argument("-a", "--attribute", nargs='+', help="Attribute column names") parser.add_argument("-o", "--object_attribute", nargs='+', help="Object attribute column names") parser.add_argument("-t", "--misp_types", nargs='+', help="MISP types to fetch (ip-src, hostname, ...)") parser.add_argument("-c", "--context", action='store_true', help="Add event level context (tags...)") parser.add_argument("-f", "--outfile", help="Output file to write the CSV.") args = parser.parse_args() pymisp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert, debug=True) attr = [] if args.attribute: attr += args.attribute if args.object_attribute: attr += args.object_attribute if not attr: attr = None print(args.context) response = pymisp.search(return_format='csv', eventid=args.event_id, requested_attributes=attr, type_attribute=args.misp_types, include_context=args.context) if args.outfile: with open(args.outfile, 'w') as f: f.write(response) else: