def process(self, task: Task) -> None: # type: ignore
config = task.get_payload("config")
family = task.headers["family"]
dhash = config_dhash(config)
# Parse the config using iocextract library
iocs = parse(family, config)
if not iocs:
# Nothing actionable found - skip the config
return
# Upload structured data to MISP
event = MISPEvent()
event.uuid = str(uuid5(self.CONFIG_NAMESPACE, dhash))
event.add_tag(f"mwdb:family:{family}")
event.info = f"Malware configuration ({family})"
if self.mwdb_url is not None:
event.add_attribute("link", f"{self.mwdb_url}/config/{dhash}")
for o in iocs.to_misp():
event.add_object(o)
misp = ExpandedPyMISP(self.misp_url, self.misp_key, self.misp_verifycert)
misp.add_event(event)
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(os.path.abspath(__file__)) + '/config.yml'
config = yaml.load(open(config_file_path), Loader=yaml.FullLoader) if os.path.isfile(config_file_path) else {}
self.helper = OpenCTIConnectorHelper(config)
# Extra config
self.misp_url = get_config_variable('MISP_URL', ['misp', 'url'], config)
self.misp_key = get_config_variable('MISP_KEY', ['misp', 'key'], config)
self.misp_ssl_verify = get_config_variable('MISP_SSL_VERIFY', ['misp', 'ssl_verify'], config)
self.misp_create_report = get_config_variable('MISP_CREATE_REPORTS', ['misp', 'create_reports'], config)
self.misp_report_class = get_config_variable(
'MISP_REPORT_CLASS',
['misp', 'report_class'],
config
) or 'MISP Event'
self.misp_import_from_date = get_config_variable('MISP_IMPORT_FROM_DATE', ['misp', 'import_from_date'], config)
self.misp_import_tags = get_config_variable('MISP_IMPORT_TAGS', ['misp', 'import_tags'], config)
self.misp_interval = get_config_variable('MISP_INTERVAL', ['misp', 'interval'], config, True)
self.update_existing_data = get_config_variable(
'CONNECTOR_UPDATE_EXISTING_DATA',
['connector', 'update_existing_data'],
config
)
# Initialize MISP
self.misp = ExpandedPyMISP(url=self.misp_url, key=self.misp_key, ssl=self.misp_ssl_verify, debug=False)
def export_to_misp(user_details, report,indicators):
misp_url = user_details.get('misp_url')
misp_key = user_details.get('misp_api_key')
misp_verifycert = True
misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
event = MISPEvent()
event.info = report.title
event = misp.add_event(event, pythonify=True)
print(event)
created = json.loads(event.to_json())
event_id = created.get('id')
report_id = report.id
for indicator in indicators:
indicator_value = indicator[1]
if indicator[2] == 'IP':
indicator_type = "ip-dst"
elif indicator[2] == 'Domain':
indicator_type = 'domain'
elif indicator[2] == 'Email':
indicator_type = 'email-src'
elif indicator[2] == 'CVE':
indicator_value = indicator[1].replace('_', '-')
indicator_type = 'vulnerability'
elif indicator[2] == 'MD5 Hash':
indicator_type = 'md5'
elif indicator[2] == 'SHA256 Hash':
indicator_type = 'sha256'
elif indicator[2] == 'URL':
indicator_type = 'url'
try:
misp.add_attribute(event_id,{'type':indicator_type,'value':indicator_value},pythonify=True)
except:
pass
def __init__(
self,
config_file='C:\\automation-hunting\\misp\\conf\\misp-case-provider.yaml',
debug=False):
self.misp_url = None
self.api_key = None
self.verify_cert = False
if not self.get_config_data(config_file):
raise Exception('Invalid Configuration File')
self.misp_api = ExpandedPyMISP(self.misp_url,
self.api_key,
self.verify_cert,
debug=debug)
self.add_ioc_functions = [
self.misp_api.add_ipdst, self.misp_api.add_ipsrc,
self.misp_api.add_internal_comment,
self.misp_api.add_internal_text, self.misp_api.add_email_subject,
self.misp_api.add_mutex, self.misp_api.add_filename,
self.misp_api.add_hostname, self.misp_api.add_domain,
self.misp_api.add_domain_ip, self.misp_api.add_email_src,
self.misp_api.add_email_dst, self.misp_api.add_hashes,
self.misp_api.add_object, self.misp_api.add_regkey,
self.misp_api.add_url, self.misp_api.add_user,
self.misp_api.add_useragent, self.misp_api.add_target_user
]
def init(self):
if ExpandedPyMISP is None:
raise MissingDependencyError('pymisp', '>=2.4.117.3')
# Initialize MISP connection
self.misp = ExpandedPyMISP(self.misp_url, self.misp_key,
self.http_verify_cert)
def __init__(self,
misp_url,
misp_key,
verifycert,
config,
offline=False,
urlsonly=False):
self.offline = offline
if not self.offline:
self.misp = ExpandedPyMISP(misp_url,
misp_key,
verifycert,
debug=config.debug)
self.config = config
self.urlsonly = urlsonly
if not hasattr(self.config, 'enable_dns'):
setattr(self.config, 'enable_dns', True)
if self.urlsonly is False:
setattr(self.config, 'enable_dns', False)
self.debug = self.config.debug
self.config_from_email_body = {}
if not hasattr(self.config, 'ignore_nullsize_attachments'):
setattr(self.config, 'ignore_nullsize_attachments', False)
self.ignore_nullsize_attachments = self.config.ignore_nullsize_attachments
# Init Faup
self.f = Faup()
self.sightings_to_add = []
class MISP():
def __init__(self):
self.misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
self.tags = self.misp.tags()
self.tie = TIE()
def get_event(self):
try:
events = self.misp.search(tags=misp_tag)
for event in events:
for attributes in event['Event']['Attribute']:
if attributes['type'] == 'md5':
print('STATUS: Found MD5 {0} in Event {1}. Trying to set external reputation.'
.format(str(attributes['value']),str(event['Event']['id'])))
self.tie.set_rep(event['Event']['id'], attributes['value'])
for objects in event['Event']['Object']:
for attributes in objects['Attribute']:
if attributes['type'] == 'md5':
print('STATUS: Found MD5 {0} in Event {1}. Trying to set external reputation.'
.format(str(attributes['value']), str(event['Event']['id'])))
self.tie.set_rep(event['Event']['id'], attributes['value'])
self.misp.untag(event['Event']['uuid'], misp_tag)
except Exception as e:
exc_type, exc_obj, exc_tb = sys.exc_info()
print('ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}'
.format(location=__name__, funct_name=sys._getframe().f_code.co_name, line_no=exc_tb.tb_lineno,
error=str(e)))
def __init__(self):
self.misp = ExpandedPyMISP(misp_url, misp_key, False)
self.headers = {
'Authorization': misp_key,
'Accept': 'application/xml',
'User-Agent': 'PyMISP'
}
def submit_tf_update(misp: ExpandedPyMISP, attributes: list) -> MISPEvent:
"""
create/update abuse.ch MISP-Event and append the new attributes
"""
eventinfo = event_info_template.format(
datetime.now().strftime(info_dateformat))
# logging.debug(eventinfo)
events = misp.search(controller='events',
eventinfo=eventinfo,
org=1,
pythonify=True)
if events: # current event exists already
event = events[0]
else: # create a new event
event = MISPEvent()
event.distribution = event_distribution
event.threat_level_id = event_threat_level
event.analysis = 2
event.info = eventinfo
for tag in tagging:
event.add_tag(tag)
event = misp.add_event(event, pythonify=True)
for att in attributes:
event.add_attribute(**att)
event.published = autopublish
return misp.update_event(event)
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + '/config.yml'
config = yaml.load(open(config_file_path), Loader=yaml.FullLoader
) if os.path.isfile(config_file_path) else {}
self.helper = OpenCTIConnectorHelper(config)
# Extra config
self.misp_url = os.getenv('MISP_URL') or config.get('misp',
{}).get('url')
self.misp_key = os.getenv('MISP_KEY') or config.get('misp',
{}).get('key')
self.misp_tag = os.getenv('MISP_TAG') or config.get('misp',
{}).get('tag')
self.misp_untag_event = os.getenv('MISP_UNTAG_EVENT') or config.get(
'misp', {}).get('untag_event')
self.misp_imported_tag = os.getenv('MISP_IMPORTED_TAG') or config.get(
'misp', {}).get('imported_tag')
self.misp_filter_on_imported_tag = os.getenv(
'MISP_FILTER_ON_IMPORTED_TAG') or config.get(
'misp', {}).get('filter_on_imported_tag')
self.misp_interval = os.getenv('MISP_INTERVAL') or config.get(
'misp', {}).get('interval')
# Initialize MISP
self.misp = ExpandedPyMISP(url=self.misp_url,
key=self.misp_key,
ssl=False,
debug=False)
def __init__(self, source):
"""" MISPE exports borked keys to MISP along with
the certificates that use these keys, and the TLS session
in which they appear.
:type source: an attack, or a datastore"""
super().__init__()
self.name = 'MISP exporter'
self.url = self.config['CREDENTIALS']['URL']
self.key = self.config['CREDENTIALS']['KEY']
self.ssl = self.config['CREDENTIALS'].getboolean('SSL')
self.misp = ExpandedPyMISP(self.url, self.key, self.ssl)
tags = [{
"colour": "#ffffff",
"name": "tlp:white"
}, {
"colour": "#ff00ff",
"name": "d4-crypto-feed"
}]
self.daily = self.config['FEEDGENERATOR'].getboolean('DAILY')
self.generator = FeedGenerator(self.config, tags)
self.misp.toggle_global_pythonify()
# Depending on the type of source
self.source = source
process = self.switcher(str(type(self.source)).split("."))
process()
def __init__(self,
host: str,
token: str,
protocol: str,
verify_tls: bool,
sharing_group: str,
publish: bool = False):
self.host = host
self.token = token
self.protocol = protocol
self.verify_tls = verify_tls
self.misp: ExpandedPyMISP
self.sharing_group = sharing_group
self.publish = publish
try:
self.misp = ExpandedPyMISP(f'{self.protocol}://{self.host}',
self.token,
ssl=self.verify_tls,
tool='dissector')
except PyMISPError:
LOGGER.critical(
f'Could not connect to MISP instance at "{self.protocol}://{self.host}".'
)
self.misp = None
def __init__(self, query):
self.misp = ExpandedPyMISP(misp_url, misp_key, ssl=misp_verify, debug=False)
self.misp_tag = misp_tag
self.tags = self.misp.tags()
self.query = query
self.mainfile = query['Summary']['Subject']['Name']
self.attributes = []
def _connect(self):
self.debug_print('URL: {}'.format(self.misp_param['url']))
self.debug_print('authkey: {}'.format(self.misp_param['authkey']))
self.misp = ExpandedPyMISP(self.misp_param['url'],
self.misp_param['authkey'],
ssl=False,
debug=False)
self._registered_tags = self.misp.tags()
def __init__(self):
# Get configuration
config_file_path = os.path.dirname(
os.path.abspath(__file__)) + '/config.yml'
self.config = dict()
if os.path.isfile(config_file_path):
config = yaml.load(open(config_file_path), Loader=yaml.FullLoader)
self.config_rabbitmq = config['rabbitmq']
self.config['name'] = config['misp']['name']
self.config['confidence_level'] = config['misp'][
'confidence_level']
self.config['url'] = config['misp']['url']
self.config['key'] = config['misp']['key']
self.config['tag'] = config['misp']['tag'] if 'tag' in config[
'misp'] else None
self.config['untag_event'] = config['misp'][
'untag_event'] if 'untag_event' in config['misp'] else None
self.config['imported_tag'] = config['misp']['imported_tag']
self.config['filter_on_imported_tag'] = config['misp'][
'filter_on_imported_tag']
self.config['interval'] = config['misp']['interval']
self.config['log_level'] = config['misp']['log_level']
else:
self.config_rabbitmq = dict()
self.config_rabbitmq['hostname'] = os.getenv(
'RABBITMQ_HOSTNAME', 'localhost')
self.config_rabbitmq['port'] = os.getenv('RABBITMQ_PORT', 5672)
self.config_rabbitmq['username'] = os.getenv(
'RABBITMQ_USERNAME', 'guest')
self.config_rabbitmq['password'] = os.getenv(
'RABBITMQ_PASSWORD', 'guest')
self.config['name'] = os.getenv('MISP_NAME', 'MISP')
self.config['confidence_level'] = int(
os.getenv('MISP_CONFIDENCE_LEVEL', 3))
self.config['url'] = os.getenv('MISP_URL', 'http://localhost')
self.config['key'] = os.getenv('MISP_KEY', 'ChangeMe')
self.config['tag'] = os.getenv('MISP_TAG', None)
self.config['untag_event'] = os.getenv('MISP_UNTAG_EVENT',
None) == "true"
self.config['imported_tag'] = os.getenv('MISP_IMPORTED_TAG',
'OpenCTI: Imported')
self.config['filter_on_imported_tag'] = os.getenv(
'MISP_FILTER_ON_IMPORTED_TAG', "true") == "true"
self.config['interval'] = os.getenv('MISP_INTERVAL', 5)
self.config['log_level'] = os.getenv('MISP_LOG_LEVEL', 'info')
# Initialize OpenCTI Connector
connector_identifier = ''.join(e for e in self.config['name']
if e.isalnum())
self.opencti_connector_helper = OpenCTIConnectorHelper(
connector_identifier.lower(), self.config, self.config_rabbitmq,
self.config['log_level'])
# Initialize MISP
self.misp = ExpandedPyMISP(url=self.config['url'],
key=self.config['key'],
ssl=False,
debug=False)
def __init__(self):
parser = ConfigParser()
parser.read("config/misp_key.ini")
misp_url = parser.get("MISP_KEY_INFO", "misp_url")
misp_key = parser.get("MISP_KEY_INFO", "misp_key")
misp_verifycert = False
#connect to MISP
self.misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
def run(self, conf, args, plugins):
server = ExpandedPyMISP(conf['Misp']['url'], conf['Misp']['key'],
not args.no_tls)
if args.list:
# List events
events = server.events(pythonify=True)
for event in sorted(events, key=lambda x: x.id):
print("%i : %s" % (event.id, event.info))
elif args.event is not None:
event = server.get_event(args.event, pythonify=True)
if args.attr is None and args.type is None:
if args.raw:
for a in event.attributes:
print(a.value)
else:
print("Event {} : {}".format(event.id, event.info))
print("Tags : {}".format(", ".join(
map(lambda x: str(x.name), event.tags))))
print("{} Attributes including:".format(
len(event.attributes)))
attrs = Counter(map(lambda x: x.type, event.attributes))
attrs_ids = Counter(
map(lambda x: x.type,
filter(lambda x: x.to_ids, event.attributes)))
for type in attrs:
print("- %i %s (%i for detection)" %
(attrs[type], type, attrs_ids[type]))
else:
if args.type is not None:
# Display all attributes from this type
for attr in event.attributes:
if attr.type == args.type:
if args.raw:
print("%s" % attr.value)
else:
print("{:20}{:10}{:40}{}{}".format(
attr.category, attr.type, attr.value,
attr.comment, attr.to_ids))
elif args.attr is not None:
# search by attribute value
for attr in event.attributes:
if args.attr in str(attr.value):
print("%s\t%s\t%s\t%s\t%s" %
(attr.category, attr.type, attr.value,
attr.comment, attr.to_ids))
elif args.attr is not None:
res = server.search('attributes', value=args.attr)
if len(res['Attribute']) == 0:
print("Search %s: no results" % args.attr)
else:
print("Search %s, result founds" % args.attr)
for attr in res['Attribute']:
print('{} - {}'.format(attr['Event']['id'],
attr['Event']['info']))
else:
self.parser.print_help()
def init(self):
if sys.version_info < (3, 6):
raise ValueError('This bot requires Python >= 3.6.')
if ExpandedPyMISP is None:
raise MissingDependencyError('pymisp', '>=2.4.117.3')
# Initialize MISP connection
self.misp = ExpandedPyMISP(self.parameters.misp_url,
self.parameters.misp_key,
self.parameters.http_verify_cert)
def _get_events():
misp = ExpandedPyMISP(config.misp_domain, config.misp_key, config.misp_verifycert)
if len(config.misp_event_filters) == 0:
return [event['Event'] for event in misp.search(controller='events', return_format='json')]
events_for_each_filter = [
[event['Event'] for event in misp.search(controller='events', return_format='json', **config.misp_event_filters)]
]
event_ids_for_each_filter = [set(event['id'] for event in events) for events in events_for_each_filter]
event_ids_intersection = reduce((lambda x, y: x & y), event_ids_for_each_filter)
return [event for event in events_for_each_filter[0] if event['id'] in event_ids_intersection]
class MISPCollectorBot(CollectorBot):
def init(self):
if PyMISP is None and import_fail_reason == 'syntax':
raise MissingDependencyError(
"pymisp",
version='>=2.4.36,<=2.4.119.1',
additional_text="Python versions below 3.6 are "
"only supported by pymisp <= 2.4.119.1.")
elif PyMISP is None:
raise MissingDependencyError("pymisp")
if hasattr(self.parameters, 'misp_verify'):
self.parameters.http_verify_cert = self.parameters.misp_verify
warnings.warn(
"The parameter 'misp_verify' is deprecated in favor of"
"'http_verify_cert'.", DeprecationWarning)
# Initialize MISP connection
self.misp = PyMISP(self.parameters.misp_url, self.parameters.misp_key,
self.parameters.http_verify_cert)
def process(self):
# Grab the events from MISP
misp_result = self.misp.search(
tags=self.parameters.misp_tag_to_process)
# Process the response and events
# Compatibility with old pymisp versions before 2019:
if 'response' in misp_result:
misp_result = misp_result['response']
# Extract the MISP event details
for e in misp_result:
misp_event = e['Event']
# Send the results to the parser
report = self.new_report()
report.add('raw', json.dumps(misp_event, sort_keys=True))
report.add('feed.url', self.parameters.misp_url)
self.send_message(report)
# Finally, update the tags on the MISP events.
for e in misp_result:
misp_event = e['Event']
if hasattr(self.parameters, 'misp_tag_processed'):
# Add a 'processed' tag to the event
self.misp.tag(misp_event['uuid'],
self.parameters.misp_tag_processed)
# Remove the 'to be processed' tag
self.misp.untag(misp_event['uuid'],
self.parameters.misp_tag_to_process)
def create_sync_user(self, organisation):
sync_org = self.site_admin_connector.add_organisation(organisation)
short_org_name = sync_org.name.lower().replace(' ', '-')
user = MISPUser()
user.email = f"sync_user@{short_org_name}.local"
user.org_id = sync_org.id
user.role_id = 5 # Org admin
sync_user = self.site_admin_connector.add_user(user)
sync_user_connector = ExpandedPyMISP(self.site_admin_connector.root_url, sync_user.authkey, ssl=False, debug=False)
sync_server_config = sync_user_connector.get_sync_config(pythonify=True)
self.sync.append((sync_org, sync_user, sync_server_config))
def __init__(self,
misp_url,
misp_key,
misp_verify_cert=False,
tag_toProcess='MAC_toProcess',
tag_processed='MAC_processed',
):
# Initialize MISP connection
self.misp = ExpandedPyMISP(misp_url, misp_key, misp_verify_cert)
self.tag_toProcess = tag_toProcess
self.tag_processed = tag_processed
def save(self):
site_id = self.validated_data['id']
site = Site.objects.get(pk=site_id)
# Check if there is already an Event
if DnsTwisted.objects.filter(domain_name=site.domain_name):
dns_twisted = DnsTwisted.objects.get(domain_name=site.domain_name)
if site.misp_event_id is None:
site.misp_event_id = dns_twisted.misp_event_id
# Save the case id in database
Site.objects.filter(pk=site.pk).update(
misp_event_id=dns_twisted.misp_event_id)
# Test MISP instance connection
try:
requests.get(settings.MISP_URL, verify=settings.MISP_VERIFY_SSL)
except requests.exceptions.SSLError as e:
print(str(timezone.now()) + " - ", e)
raise AuthenticationFailed("SSL Error: " + settings.MISP_URL)
except requests.exceptions.RequestException as e:
print(str(timezone.now()) + " - ", e)
raise NotFound("Not Found: " + settings.MISP_URL)
misp_api = ExpandedPyMISP(settings.MISP_URL, settings.MISP_KEY,
settings.MISP_VERIFY_SSL)
if site.misp_event_id is not None:
# If the event already exist, then we update IOCs
update_attributes(misp_api, site)
else:
# If the event does not exist, then we create it
# Prepare MISP Event
event = MISPEvent()
event.distribution = 0
event.threat_level_id = 2
event.analysis = 0
event.info = "Suspicious domain name " + site.domain_name
event.tags = create_misp_tags(misp_api)
# Create MISP Event
print(str(timezone.now()) + " - " + 'Create MISP Event')
print('-----------------------------')
event = misp_api.add_event(event, pythonify=True)
# Store Event Id in database
Site.objects.filter(pk=site.pk).update(misp_event_id=event.id)
if DnsTwisted.objects.filter(domain_name=site.domain_name):
DnsTwisted.objects.filter(domain_name=site.domain_name).update(
misp_event_id=event.id)
# Create MISP Attributes
create_attributes(misp_api, event.id, site)
def init(self):
if ExpandedPyMISP is None:
raise ValueError('Could not import pymisp. Please install it.')
# Initialize MISP connection
self.misp = ExpandedPyMISP(self.parameters.misp_url,
self.parameters.misp_key,
self.parameters.misp_verify)
# Handle the InsecureRequestWarning
if not self.parameters.misp_verify: urllib3.disable_warnings()
self.logger.info ("Connected to MISP")
class MISPCollectorBot(CollectorBot):
"""Collect events from a MISP server"""
misp_key: str = "<insert MISP Authkey>"
misp_tag_processed: str = None
misp_tag_to_process: str = "<insert MISP tag for events to be processed>"
misp_url: str = "<insert url of MISP server (with trailing '/')>"
rate_limit: int = 3600
def init(self):
if PyMISP is None:
raise MissingDependencyError("pymisp")
if hasattr(self, 'misp_verify'):
self.http_verify_cert = self.misp_verify
warnings.warn(
"The parameter 'misp_verify' is deprecated in favor of"
"'http_verify_cert'.", DeprecationWarning)
# Initialize MISP connection
self.misp = PyMISP(self.misp_url, self.misp_key, self.http_verify_cert)
def process(self):
# Grab the events from MISP
misp_result = self.misp.search(tags=self.misp_tag_to_process)
# Process the response and events
# Compatibility with old pymisp versions before 2019:
if 'response' in misp_result:
misp_result = misp_result['response']
# Extract the MISP event details
for e in misp_result:
misp_event = e['Event']
# Send the results to the parser
report = self.new_report()
report.add('raw', json.dumps(misp_event, sort_keys=True))
report.add('feed.url', self.misp_url)
self.send_message(report)
# Finally, update the tags on the MISP events.
for e in misp_result:
misp_event = e['Event']
if self.misp_tag_processed is not None:
# Add a 'processed' tag to the event
self.misp.tag(misp_event['uuid'], self.misp_tag_processed)
# Remove the 'to be processed' tag
self.misp.untag(misp_event['uuid'], self.misp_tag_to_process)
def __init__(self,
misp_key,
misp_url,
misp_verify_cert,
siem_mode=False,
debugon=False):
self.misp = ExpandedPyMISP(misp_url, misp_key, misp_verify_cert,
debugon)
self.debugon = debugon
if siem_mode:
self.siem_mode = True
self.separator = ","
self.use_headers = True
self.use_filename_regex = False
def get_misp_data(
refSet_etype): #this function will get misp data for last 1 day)
global network_ip, network_domain
misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
result = misp.search(publish_timestamp="5d", pythonify=True)
network_ip = []
network_domain = []
s = ""
if not result:
print('No results for that time period')
exit(0)
for r in result:
s = r.to_json()
json_data = json.loads(s)
for attribute in json_data["Event"]["Attribute"]:
iocs = attribute["value"]
if attribute["type"] in ("ip-src", "ip-dst"):
network_ip.append(iocs)
elif attribute["type"] in ("domain", "url"):
network_domain.append(iocs)
else:
continue
if refSet_etype == "IP":
ingest_ip_data = json.dumps(network_ip)
ioc_ip_count = len(network_ip)
print(
time.strftime("%H:%M:%S") + " -- " +
"Trying to clean the IOCs to IP address, as " + qradar_ref_set +
" element type = IP")
print(
time.strftime("%H:%M:%S") + " -- " + "(Success) Extracted " +
str(ioc_ip_count) + " IPs from initial import.")
qradar_post_IP(ingest_ip_data, ioc_ip_count)
else:
ingest_domain_data = json.dumps(network_domain)
ioc_domain_count = len(network_domain)
print(
time.strftime("%H:%M:%S") + " -- " +
"Trying to clean the IOCs to Domain, as " + qradar_ref_set +
" element type = AlphaNumeric")
print(
time.strftime("%H:%M:%S") + " -- " + "(Success) Extracted " +
str(ioc_domain_count) + " Domains from initial import.")
qradar_post_all(ingest_domain_data, ioc_domain_count)
def get_misp_instance():
print('*******get misp instance()********')
"""
:return: MISP Instance
:rtype: PyMISP
"""
# Proxy settings are taken from the config file and converted to a dict.
if PySilo_settings.USE_MISP_PROXY:
misp_proxies = {
'http': str(PySilo_settings.proxy_address),
'https': str(PySilo_settings.proxy_address)
}
else:
misp_proxies = {}
try:
# URL of the MISP instance, API key and SSL certificate validation are taken from the config file.
return ExpandedPyMISP(PySilo_settings.misp_url, PySilo_settings.misp_key, PySilo_settings.misp_verifycert,
proxies=misp_proxies)
#return PyMISP(PySilo_settings.misp_url, PySilo_settings.misp_key, PySilo_settings.misp_verifycert,
# proxies=misp_proxies)
except Exception:
PySilo_settings.logger.debug('Unexpected error in MISP init: %s', sys.exc_info())
return False
class Misp(Threat):
def __init__(self):
parser = ConfigParser()
parser.read("config/misp_key.ini")
misp_url = parser.get("MISP_KEY_INFO", "misp_url")
misp_key = parser.get("MISP_KEY_INFO", "misp_key")
misp_verifycert = False
#connect to MISP
self.misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
#set new event to MISP
def set_event(self):
pass
#return list attributes with correct type hash
def get_hash_attributes(self, type_hash):
try:
#search list events is published
events = self.misp.search(published=True)
#create list to add new threat objects
list_hash = []
for event in events:
for attribute in event['Event']['Attribute']:
#check all attribute has type is equal with type hash
if attribute['type'] == type_hash:
#display info attribute
print('STATUS: Found {0} {1} in Event {2}.'.format(
type_hash, str(attribute['value']),
str(event['Event']['id'])))
#add new threat object to list
list_hash.append(
Threat(str(attribute['value']),
str(event['Event']['id'])))
for objects in event['Event']['Object']:
for attribute in objects['Attribute']:
#check all attribute has type is equal with type hash
if attribute['type'] == type_hash:
#display info attribute
print('STATUS: Found {0} {1} in Event {2}.'.format(
type_hash, str(attribute['value']),
str(event['Event']['id'])))
#add new threat object to list
list_hash.append(
Threat(str(attribute['value']),
str(event['Event']['id'])))
return list_hash
except Exception as e:
exc_tb = sys.exc_info()
print(
'ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}'
.format(location=__name__,
funct_name=sys._getframe().f_code.co_name,
line_no=exc_tb.tb_lineno,
error=str(e)))
return None
class MISPExpertBot(Bot):
def init(self):
if ExpandedPyMISP is None:
raise MissingDependencyError('pymisp', '>=2.4.117.3')
# Initialize MISP connection
self.misp = ExpandedPyMISP(self.parameters.misp_url,
self.parameters.misp_key,
self.parameters.http_verify_cert)
def process(self):
event = self.receive_message()
if 'source.ip' in event:
# Grab the attributes from MISP
# TODO: Run the query in reverse order (new->old)
misp_result = self.misp.search('attributes',
value=event['source.ip'],
page=1,
limit=1,
pythonify=True)
if misp_result:
attribute = misp_result[0]
# Process the response
event.add('misp.attribute_uuid', attribute.uuid)
event.add('misp.event_uuid', attribute.Event.uuid)
self.send_message(event)
self.acknowledge_message()
if not args.fieldnames:
has_fieldnames = True
else:
has_fieldnames = args.skip_fieldnames
csv_loader = CSVLoader(template_name=args.object_name, csv_path=args.path,
fieldnames=args.fieldnames, has_fieldnames=has_fieldnames)
objects = csv_loader.load()
if args.dump:
for o in objects:
print(o.to_json())
else:
if offline:
print('You are in offline mode, quitting.')
else:
misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert)
if args.new_event:
event = MISPEvent()
event.info = args.new_event
for o in objects:
event.add_object(**o)
new_event = misp.add_event(event)
if isinstance(new_event, str):
print(new_event)
elif 'id' in new_event:
print(f'Created new event {new_event.id}')
else:
print('Something went wrong:')
print(new_event)
else:
for o in objects:
from pymisp import ExpandedPyMISP
from keys import misp_url, misp_key, misp_verifycert
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Get MISP stuff as CSV.')
parser.add_argument("-e", "--event_id", help="Event ID to fetch. Without it, it will fetch the whole database.")
parser.add_argument("-a", "--attribute", nargs='+', help="Attribute column names")
parser.add_argument("-o", "--object_attribute", nargs='+', help="Object attribute column names")
parser.add_argument("-t", "--misp_types", nargs='+', help="MISP types to fetch (ip-src, hostname, ...)")
parser.add_argument("-c", "--context", action='store_true', help="Add event level context (tags...)")
parser.add_argument("-f", "--outfile", help="Output file to write the CSV.")
args = parser.parse_args()
pymisp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert, debug=True)
attr = []
if args.attribute:
attr += args.attribute
if args.object_attribute:
attr += args.object_attribute
if not attr:
attr = None
print(args.context)
response = pymisp.search(return_format='csv', eventid=args.event_id, requested_attributes=attr,
type_attribute=args.misp_types, include_context=args.context)
if args.outfile:
with open(args.outfile, 'w') as f:
f.write(response)
else:
