def misp(self, option, verbose=False, submit=False):
if option == 'download_all':
for event in self._get_local_events(os.path.join(self.cur_path, 'misp_events')):
self._download_hashes(MispEvent(event), False)
return
if not __sessions__.is_attached_misp():
return
if option == 'hashes':
ehashes, shashes = __sessions__.current.misp_event.get_all_hashes()
to_scan = sorted(ehashes + shashes, key=len)
while to_scan:
h = to_scan.pop()
response = self.scan(h, verbose)
if response and not isinstance(response, bool):
to_scan = [eh for eh in to_scan if eh not in response]
elif option == 'download':
self._download_hashes(__sessions__.current.misp_event, verbose)
elif option == "ips":
ips = __sessions__.current.misp_event.get_all_ips()
for ip in ips:
self.pdns_ip(ip, verbose)
elif option == "domains":
domains = __sessions__.current.misp_event.get_all_domains()
for d in domains:
self.pdns_domain(d, verbose)
elif option == "urls":
urls = __sessions__.current.misp_event.get_all_urls()
for u in urls:
self.url(u, verbose, submit)
def add_file(obj, tags=None):
if get_sample_path(obj.sha256):
self.log('warning', "Skip, file \"{0}\" appears to be already stored".format(obj.name))
return False
if __sessions__.is_attached_misp(quiet=True):
if tags is not None:
tags += ',misp:{}'.format(__sessions__.current.misp_event.event.id)
else:
tags = 'misp:{}'.format(__sessions__.current.misp_event.event.id)
# Try to store file object into database.
status = db.add(obj=obj, tags=tags)
if status:
# If succeeds, store also in the local repository.
# If something fails in the database (for example unicode strings)
# we don't want to have the binary lying in the repository with no
# associated database record.
new_path = store_sample(obj)
self.log("success", "Stored file \"{0}\" to {1}".format(obj.name, new_path))
else:
return False
# Delete the file if requested to do so.
if args.delete:
try:
os.unlink(obj.path)
except Exception as e:
self.log('warning', "Failed deleting file: {0}".format(e))
return True
def store(self):
try:
event_path = os.path.join(self.cur_path, 'misp_events')
if not os.path.exists(event_path):
os.mkdir(event_path)
if self.args.list:
header = ['Event ID', 'Title']
rows = []
for eid, path, title in self._get_local_events(event_path):
rows.append((eid, title))
self.log('table', dict(header=header, rows=sorted(rows, key=lambda i: (int(i[0])))))
elif self.args.update:
for eid, path, title in self._get_local_events(event_path):
event = self.misp.get(eid)
with open(path, 'w') as f:
f.write(json.dumps(event))
self.log('success', '{} updated successfully.'.format(eid))
elif self.args.delete:
path = os.path.join(event_path, '{}.json'.format(self.args.delete))
if os.path.exists(path):
os.remove(path)
self.log('success', '{} removed successfully.'.format(self.args.delete))
else:
self.log('error', '{} does not exists.'.format(self.args.delete))
elif self.args.open:
path = os.path.join(event_path, '{}.json'.format(self.args.open))
if os.path.exists(path):
e_json = json.loads(open(path, 'r').read())
__sessions__.new(misp_event=MispEvent(e_json))
else:
self.log('error', '{} does not exists.'.format(self.args.open))
elif __sessions__.is_attached_misp():
self._dump(__sessions__.current.misp_event.event)
except IOError as e:
self.log('error', e.strerror)
def _dump(self, event=None):
event_path = os.path.join(self.cur_path, 'misp_events')
if not os.path.exists(event_path):
os.makedirs(event_path)
if not event:
to_dump = __sessions__.current.misp_event.event
elif isinstance(event, MISPEvent):
to_dump = event
else:
to_dump = MISPEvent()
to_dump.load(event)
if to_dump.id:
filename = str(to_dump.id)
elif (__sessions__.is_attached_misp(True) and
__sessions__.current.misp_event.current_dump_file):
filename = __sessions__.current.misp_event.current_dump_file
else:
i = 1
while True:
filename = 'new_event_{}.json'.format(i)
if not os.path.exists(os.path.join(event_path, filename)):
break
i += 1
path = os.path.join(event_path, filename)
with open(path, 'w') as f:
f.write(to_dump.to_json())
self.log('success', '{} stored successfully.'.format(filename.rstrip('.json')))
return filename
def _get_eventid(self, quiet=False):
if vars(self.args).get('event'):
return self.args.event
else:
# Get current event ID if possible
if not __sessions__.is_attached_misp(quiet):
return None
return __sessions__.current.misp_event.event.id
def misp(self, option):
if not __sessions__.is_attached_misp():
return
if option == 'ips':
ips = __sessions__.current.misp_event.get_all_ips()
for ip in ips:
self.query_ip(ip)
def misp(self, option, verbose=False):
if not __sessions__.is_attached_misp():
return
if option == 'ips':
ips = __sessions__.current.misp_event.get_all_ips()
for ip in ips:
self.query(ip, verbose)
elif option == 'domains':
domains = __sessions__.current.misp_event.get_all_domains()
for d in domains:
self.query(d, verbose)
def _display_tmp_files(self):
cureid = None
if __sessions__.is_attached_misp(True):
cureid = __sessions__.current.misp_event.event.id
header = ['Sample ID', 'Current', 'Event ID', 'Filename']
rows = []
i = 0
tmp_samples = self._load_tmp_samples()
if len(tmp_samples) == 0:
self.log('warning', 'No temporary samples available.')
return
for eid, path, name in tmp_samples:
if eid == cureid:
rows.append((i, '*', eid, name))
else:
rows.append((i, '', eid, name))
i += 1
self.log('table', dict(header=header, rows=rows))
def _display_tmp_files(self):
cureid = None
if __sessions__.is_attached_misp(True):
cureid = self._get_eventid()
header = ["Sample ID", "Current", "Event ID", "Filename"]
rows = []
i = 0
tmp_samples = self._load_tmp_samples()
if len(tmp_samples) == 0:
self.log("warning", "No temporary samples available.")
return
for eid, path, name in tmp_samples:
if eid == cureid:
rows.append((i, "*", eid, name))
else:
rows.append((i, "", eid, name))
i += 1
self.log("table", dict(header=header, rows=rows))
def download(self, filehash, open_session=True, force_eid=None, verbose=True):
# FIXME: private and intel API are inconsistent to save a file.
samples_path = os.path.join(self.cur_path, 'vt_samples')
if __sessions__.is_attached_misp(True):
samples_path = os.path.join(samples_path, __sessions__.current.misp_event.event.id)
elif force_eid:
samples_path = os.path.join(samples_path, force_eid)
if not os.path.exists(samples_path):
os.makedirs(samples_path)
filename = os.path.join(samples_path, filehash)
if os.path.exists(filename):
self.log('info', '{} has already been downloaded.'.format(filehash))
return
if cfg.virustotal.virustotal_has_private_key:
response = self.vt.get_file(filehash)
if not self._has_fail(response):
with open(filename, 'w') as f:
f.write(response)
else:
return
elif cfg.virustotal.virustotal_has_intel_key:
response = self.vt_intel.get_file(filehash, samples_path)
if self._has_fail(response):
return
else:
self.log('error', 'This command requires virustotal private ot intelligence API key')
return
if open_session:
return __sessions__.new(filename)
self.log('success', 'Successfully downloaded {}'.format(filehash))
if verbose:
self._display_tmp_files()
def run(self):
super(VirusTotal, self).run()
if self.args is None:
return
if not HAVE_VT:
self.log('error', "Missing dependency, install virustotal-api (`pip install virustotal-api`)")
return
to_search = None
path_to_submit = None
if self.args.misp:
self.misp(self.args.misp, self.args.verbose, self.args.submit)
elif self.args.ip:
self.pdns_ip(self.args.ip, self.args.verbose)
elif self.args.domain:
self.pdns_domain(self.args.domain, self.args.verbose)
elif self.args.url:
self.url(self.args.url, self.args.verbose, self.args.submit)
elif self.args.download_list:
self._display_tmp_files()
elif self.args.download_open is not None:
tmp_samples = self._load_tmp_samples()
try:
eid, path, name = tmp_samples[self.args.download_open]
if eid:
if __sessions__.is_attached_misp(quiet=True):
if __sessions__.current.misp_event.event.id != int(eid):
self.log('warning', 'You opened a sample related to a MISP event different than the one you are currently connected to: {}.'.format(eid))
else:
self.log('success', 'You opened a sample related to the current MISP event.')
else:
self.log('warning', 'This samples is linked to the MISP event {eid}. You may want to run misp pull {eid}'.format(eid=eid))
return __sessions__.new(path)
except IndexError:
self.log('error', 'Invalid id, please use virustotal -dl.')
elif self.args.download_open_name is not None:
tmp_samples = self._load_tmp_samples()
try:
for tmp_sample in tmp_samples:
eid, path, name = tmp_sample
if name == self.args.download_open_name:
if eid:
if __sessions__.is_attached_misp(quiet=True):
if __sessions__.current.misp_event.event.id != int(eid):
self.log('warning', 'You opened a sample related to a MISP event different than the one you are currently connected to: {}.'.format(eid))
else:
self.log('success', 'You opened a sample related to the current MISP event.')
else:
self.log('warning', 'This samples is linked to the MISP event {eid}. You may want to run misp pull {eid}'.format(eid=eid))
return __sessions__.new(path)
except IndexError:
self.log('error', 'Invalid id, please use virustotal -dl.')
elif self.args.download_delete is not None:
if self.args.download_delete == 'all':
samples_path = os.path.join(self.cur_path, 'vt_samples')
if os.path.exists(samples_path):
shutil.rmtree(samples_path)
self.log('success', 'Successfully removed {}'.format(samples_path))
else:
self.log('error', '{} does not exists'.format(samples_path))
else:
tmp_samples = self._load_tmp_samples()
try:
eid, path, name = tmp_samples[int(self.args.download_delete)]
os.remove(path)
self.log('success', 'Successfully removed {}'.format(path))
except:
self.log('error', 'Invalid id, please use virustotal -dl.')
elif self.args.search:
to_search = self.args.search
elif __sessions__.is_attached_file():
to_search = __sessions__.current.file.md5
if self.args.submit and __sessions__.is_attached_file():
path_to_submit = __sessions__.current.file.path
if to_search:
self.scan(to_search, self.args.verbose, self.args.submit, path_to_submit)
if self.args.download:
self.download(to_search, self.args.verbose)
if self.args.comment:
response = self.vt.put_comments(to_search, ' '.join(self.args.comment))
if not self._has_fail(response):
self.log('info', ("{}: {}".format(bold("VirusTotal message"), response['results']['verbose_msg'])))
def run(self):
super(VirusTotal, self).run()
if self.args is None:
return
if not HAVE_VT:
self.log('error', "Missing dependency, install virustotal-api (`pip install virustotal-api`)")
return
to_search = None
path_to_submit = None
if self.args.misp:
self.misp(self.args.misp, self.args.verbose, self.args.submit)
elif self.args.ip:
self.pdns_ip(self.args.ip, self.args.verbose)
elif self.args.domain:
self.pdns_domain(self.args.domain, self.args.verbose)
elif self.args.url:
self.url(self.args.url, self.args.verbose, self.args.submit)
elif self.args.download_list:
self._display_tmp_files()
elif self.args.download_open is not None:
tmp_samples = self._load_tmp_samples()
try:
eid, path, name = tmp_samples[self.args.download_open]
if eid:
if __sessions__.is_attached_misp(quiet=True):
if __sessions__.current.misp_event.event.id != int(eid):
self.log('warning', 'You opened a sample related to a MISP event different than the one you are currently connected to: {}.'.format(eid)) # noqa
else:
self.log('success', 'You opened a sample related to the current MISP event.')
else:
self.log('warning', 'This samples is linked to the MISP event {eid}. You may want to run misp pull {eid}'.format(eid=eid)) # noqa
return __sessions__.new(path)
except IndexError:
self.log('error', 'Invalid id, please use virustotal -dl.')
elif self.args.download_open_name is not None:
tmp_samples = self._load_tmp_samples()
try:
for tmp_sample in tmp_samples:
eid, path, name = tmp_sample
if name == self.args.download_open_name:
if eid:
if __sessions__.is_attached_misp(quiet=True):
if __sessions__.current.misp_event.event.id != int(eid):
self.log('warning', 'You opened a sample related to a MISP event different than the one you are currently connected to: {}.'.format(eid)) # noqa
else:
self.log('success', 'You opened a sample related to the current MISP event.')
else:
self.log('warning', 'This samples is linked to the MISP event {eid}. You may want to run misp pull {eid}'.format(eid=eid)) # noqa
return __sessions__.new(path)
except IndexError:
self.log('error', 'Invalid id, please use virustotal -dl.')
elif self.args.download_delete is not None:
if self.args.download_delete == 'all':
samples_path = os.path.join(self.cur_path, 'vt_samples')
if os.path.exists(samples_path):
shutil.rmtree(samples_path)
self.log('success', 'Successfully removed {}'.format(samples_path))
else:
self.log('error', '{} does not exists'.format(samples_path))
else:
tmp_samples = self._load_tmp_samples()
try:
eid, path, name = tmp_samples[int(self.args.download_delete)]
os.remove(path)
self.log('success', 'Successfully removed {}'.format(path))
except:
self.log('error', 'Invalid id, please use virustotal -dl.')
elif self.args.search:
to_search = self.args.search
elif __sessions__.is_attached_file():
to_search = __sessions__.current.file.md5
if self.args.submit and __sessions__.is_attached_file():
path_to_submit = __sessions__.current.file.path
if to_search:
self.scan(to_search, self.args.verbose, self.args.submit, path_to_submit)
if self.args.download:
self.download(to_search, self.args.verbose)
if self.args.comment:
response = self.vt.put_comments(to_search, ' '.join(self.args.comment))
if not self._has_fail(response):
self.log('info', ("{}: {}".format(bold("VirusTotal message"), response['results']['verbose_msg'])))
def run(self):
super(MISP, self).run()
if self.args is None:
return
if not HAVE_PYMISP:
self.log('error', "Missing dependency, install pymisp (`pip install pymisp`)")
return
if self.args.url is None:
self.url = cfg.misp.misp_url
else:
self.url = self.args.url
if self.args.key is None:
self.key = cfg.misp.misp_key
else:
self.key = self.args.key
if self.url is None:
self.log('error', "This command requires the URL of the MISP instance you want to query.")
return
if self.key is None:
self.log('error', "This command requires a MISP private API key.")
return
if not self.args.verify:
verify = False
else:
verify = cfg.misp.misp_verify
try:
self.misp = PyMISP(self.url, self.key, verify, 'json')
except PyMISPError as e:
self.log('error', e.message)
return
# Require an open MISP session
if self.args.subname in ['add', 'show', 'publish'] and not __sessions__.is_attached_misp():
return
# Require an open file session
if self.args.subname in ['upload'] and not __sessions__.is_attached_file():
return
try:
if self.args.subname == 'upload':
self.upload()
elif self.args.subname == 'search':
self.searchall()
elif self.args.subname == 'download':
self.download()
elif self.args.subname == 'check_hashes':
self.check_hashes()
elif self.args.subname == 'yara':
self.yara()
elif self.args.subname == 'pull':
self.pull()
elif self.args.subname == 'create_event':
self.create_event()
elif self.args.subname == 'add':
self.add()
elif self.args.subname == 'show':
self.show()
elif self.args.subname == 'open':
self.open()
elif self.args.subname == 'publish':
self.publish()
elif self.args.subname == 'version':
self.version()
elif self.args.subname == 'store':
self.store()
else:
self.log('error', "No calls defined for this command.")
except requests.exceptions.HTTPError as e:
self.log('error', e)
def tag(self):
if not HAVE_PYTAX:
self.log('error', "Missing dependency, install PyTaxonomies (`pip install git+https://github.com/MISP/PyTaxonomies.git`)")
return
try:
taxonomies = Taxonomies(manifest_path=os.path.join(self.local_dir_taxonomies, 'MANIFEST.json'))
except Exception as e:
self.log('error', 'Unable to open the taxonomies, please fix the config file ([misp] - misp_taxonomies_directory): {}'.format(e))
return
if self.args.list:
self.log('table', dict(header=['Name', 'Description'], rows=[(title, tax.description)
for title, tax in taxonomies.items()]))
elif self.args.search:
matches = taxonomies.search(self.args.search)
if not matches:
self.log('error', 'No tags matching "{}".'.format(self.args.search))
return
self.log('success', 'Tags matching "{}":'.format(self.args.search))
for t in taxonomies.search(self.args.search):
self.log('item', t)
elif self.args.details:
taxonomy = taxonomies.get(self.args.details)
if not taxonomy:
self.log('error', 'No taxonomy called "{}".'.format(self.args.details))
return
if taxonomy.description:
self.log('info', taxonomy.description)
elif taxonomy.expanded:
self.log('info', taxonomy.expanded)
if taxonomy.refs:
self.log('info', 'References:')
for r in taxonomy.refs:
self.log('item', r)
if not taxonomy.has_entries():
header = ['Description', 'Predicate', 'Machinetag']
rows = []
for p in taxonomy.predicates.values():
rows.append([p.description, p.predicate, taxonomy.make_machinetag(p)])
self.log('table', dict(header=header, rows=rows))
else:
for p in taxonomy.predicates.values():
if p.description:
self.log('info', p.description)
elif p.expanded:
self.log('info', p.expanded)
else:
self.log('info', p.predicate)
if not p.entries:
self.log('item', taxonomy.make_machinetag(p))
else:
header = ['Description', 'Predicate', 'Machinetag']
rows = []
for e in p.entries.values():
if e.description:
descr = e.description
else:
descr = e.expanded
rows.append([descr, e.value, taxonomy.make_machinetag(p, e)])
self.log('table', dict(header=header, rows=rows))
elif self.args.event:
if not __sessions__.is_attached_misp():
return
try:
taxonomies.revert_machinetag(self.args.event)
except:
self.log('error', 'Not a valid machine tag available in misp-taxonomies: "{}".'.format(self.args.event))
return
__sessions__.current.misp_event.event.add_tag(self.args.event)
self._change_event()
elif self.args.attribute:
if not __sessions__.is_attached_misp():
return
identifier, tag = self.args.attribute
try:
taxonomies.revert_machinetag(tag)
except:
self.log('error', 'Not a valid machine tag available in misp-taxonomies: "{}".'.format(tag))
return
__sessions__.current.misp_event.event.add_attribute_tag(tag, identifier)
self._change_event()
def store(self):
try:
event_path = os.path.join(self.cur_path, 'misp_events')
if not os.path.exists(event_path):
os.mkdir(event_path)
if self.args.list:
header = ['Event ID', 'Title']
rows = []
for eid, path, title in self._get_local_events(event_path):
rows.append((eid, title))
self.log('table', dict(header=header, rows=sorted(rows, key=lambda i: (int(i[0].split('_')[-1])))))
elif self.args.update:
if self.offline_mode:
self.log('error', 'Offline mode, cannot update locally stored events.')
return
for eid, path, title in self._get_local_events(event_path):
event = self.misp.get(eid)
with open(path, 'w') as f:
f.write(json.dumps(event))
self.log('success', '{} updated successfully.'.format(eid))
elif self.args.sync:
if self.offline_mode:
self.log('error', 'Offline mode, cannot synchronize locally stored events.')
return
for eid, path, title in self._get_local_events(event_path):
__sessions__.close()
event = MISPEvent()
event.load(path)
if 'new_event_' in path:
event = self.misp.add_event(json.dumps(event, cls=EncodeUpdate))
try:
self._dump(event)
os.remove(path)
except Exception as e:
self.log('error', 'Unable to create new event: {}.'.format(e))
else:
eid = event.id
try:
event = self.misp.update(event._json())
except Exception as e:
self.log('error', 'Unable to update event {}: {}.'.format(eid, e))
if self._has_error_message(event):
return
elif self.args.delete:
path = os.path.join(event_path, '{}.json'.format(self.args.delete))
if os.path.exists(path):
os.remove(path)
self.log('success', '{} removed successfully.'.format(self.args.delete))
else:
self.log('error', '{} does not exists.'.format(self.args.delete))
elif self.args.open:
filename = '{}.json'.format(self.args.open)
path = os.path.join(event_path, filename)
if os.path.exists(path):
try:
with open(path, 'r') as f:
e_json = json.load(f)
__sessions__.new(misp_event=MispEvent(e_json, self.offline_mode))
__sessions__.current.misp_event.current_dump_file = filename
except Exception as e:
self.log('error', 'Unable to open {}: {}'.format(path, e))
else:
self.log('error', '{} does not exists.'.format(self.args.open))
elif __sessions__.is_attached_misp():
self._dump()
except IOError as e:
self.log('error', e.strerror)
def run(self):
super(MISP, self).run()
if self.args is None:
return
if not HAVE_PYMISP:
self.log("error", "Missing dependency, install pymisp (`pip install pymisp`)")
return
if self.args.url is None:
self.url = cfg.misp.misp_url
else:
self.url = self.args.url
if self.args.key is None:
self.key = cfg.misp.misp_key
else:
self.key = self.args.key
if self.url is None:
self.log("error", "This command requires the URL of the MISP instance you want to query.")
return
if self.key is None:
self.log("error", "This command requires a MISP private API key.")
return
if not self.args.verify:
verify = False
else:
verify = cfg.misp.misp_verify
try:
self.misp = PyMISP(self.url, self.key, verify, "json")
except PyMISPError as e:
self.log("error", e.message)
return
# Require an open MISP session
if self.args.subname in ["add", "show", "publish"] and not __sessions__.is_attached_misp():
return
# Require an open file session
if self.args.subname in ["upload"] and not __sessions__.is_attached_file():
return
try:
if self.args.subname == "upload":
self.upload()
elif self.args.subname == "search":
self.searchall()
elif self.args.subname == "download":
self.download()
elif self.args.subname == "check_hashes":
self.check_hashes()
elif self.args.subname == "yara":
self.yara()
elif self.args.subname == "pull":
self.pull()
elif self.args.subname == "create_event":
self.create_event()
elif self.args.subname == "add":
self.add()
elif self.args.subname == "show":
self.show()
elif self.args.subname == "open":
self.open()
elif self.args.subname == "publish":
self.publish()
elif self.args.subname == "version":
self.version()
elif self.args.subname == "store":
self.store()
else:
self.log("error", "No calls defined for this command.")
except requests.exceptions.HTTPError as e:
self.log("error", e)
def run(self):
super(MISP, self).run()
if self.args is None:
return
if not HAVE_PYMISP:
self.log('error', "Missing dependency, install pymisp (`pip install pymisp`)")
return
self.offline_mode = False
if self.args.on:
self.offline_mode = False
if __sessions__.is_attached_misp(True):
__sessions__.current.misp_event.off = False
elif self.args.off or (__sessions__.is_attached_misp(True) and
__sessions__.current.misp_event.off):
self.offline_mode = True
if __sessions__.is_attached_misp(True):
__sessions__.current.misp_event.off = True
self.url = self.args.url
if self.url is None:
self.url = cfg.misp.misp_url
if self.url is None:
self.log('error', "This command requires the URL of the MISP instance you want to query.")
return
self.key = self.args.key
if self.key is None:
self.key = cfg.misp.misp_key
if self.key is None:
self.log('error', "This command requires a MISP private API key.")
return
if not self.args.verify:
verify = False
else:
verify = cfg.misp.tls_verify
# Capture default distribution and sharing group settings. Backwards compatability and empty string check
self.distribution = cfg.misp.get("misp_distribution", None)
self.distribution = None if self.distribution == "" else self.distribution
if type(self.distribution) not in (type(None), int):
self.distribution = None
self.log('info', "The distribution stored in viper config is not an integer, setting to None")
self.sharinggroup = cfg.misp.get("misp_sharinggroup", None)
self.sharinggroup = None if self.sharinggroup == "" else self.sharinggroup
if type(self.sharinggroup) not in (type(None), int):
self.sharinggroup = None
self.log('info', "The sharing group stored in viper config is not an integer, setting to None")
if not self.offline_mode:
try:
self.misp = PyMISP(self.url, self.key, ssl=verify, proxies=cfg.misp.proxies, cert=cfg.misp.cert)
except PyMISPError as e:
self.log('error', e.message)
return
# Require an open MISP session
if self.args.subname in ['add_hashes', 'add', 'show', 'publish'] and not __sessions__.is_attached_misp():
return
# Require an open file session
if self.args.subname in ['upload'] and not __sessions__.is_attached_file():
return
try:
if self.args.subname == 'upload':
self.upload()
elif self.args.subname == 'search':
self.searchall()
elif self.args.subname == 'download':
self.download()
elif self.args.subname == 'check_hashes':
self.check_hashes()
elif self.args.subname == 'yara':
self.yara()
elif self.args.subname == 'pull':
self.pull()
elif self.args.subname == 'create_event':
self.create_event()
elif self.args.subname == 'add':
self.add()
elif self.args.subname == 'add_hashes':
self.add_hashes()
elif self.args.subname == 'show':
self.show()
elif self.args.subname == 'open':
self.open_samples()
elif self.args.subname == 'publish':
self.publish()
elif self.args.subname == 'version':
self.version()
elif self.args.subname == 'store':
self.store()
elif self.args.subname == 'tag':
self.tag()
elif self.args.subname == 'galaxies':
self.galaxies()
elif self.args.subname == 'admin':
self.admin()
else:
self.log('error', "No calls defined for this command.")
except requests.exceptions.HTTPError as e:
self.log('error', e)
def run(self):
super(MISP, self).run()
if self.args is None:
return
if not HAVE_PYMISP:
self.log('error', "Missing dependency, install pymisp (`pip install pymisp`)")
return
self.offline_mode = False
if self.args.on:
self.offline_mode = False
if __sessions__.is_attached_misp(True):
__sessions__.current.misp_event.off = False
elif self.args.off or (__sessions__.is_attached_misp(True) and __sessions__.current.misp_event.off):
self.offline_mode = True
if __sessions__.is_attached_misp(True):
__sessions__.current.misp_event.off = True
self.url = self.args.url
if self.url is None:
self.url = cfg.misp.misp_url
if self.url is None:
self.log('error', "This command requires the URL of the MISP instance you want to query.")
return
self.key = self.args.key
if self.key is None:
self.key = cfg.misp.misp_key
if self.key is None:
self.log('error', "This command requires a MISP private API key.")
return
if not self.args.verify:
verify = False
else:
verify = cfg.misp.tls_verify
# Capture default distribution and sharing group settings. Backwards compatability and empty string check
self.distribution = cfg.misp.get("misp_distribution", None)
self.distribution = None if self.distribution == "" else self.distribution
if type(self.distribution) not in (type(None), int):
self.distribution = None
self.log('info', "The distribution stored in viper config is not an integer, setting to None")
self.sharinggroup = cfg.misp.get("misp_sharinggroup", None)
self.sharinggroup = None if self.sharinggroup == "" else self.sharinggroup
if type(self.sharinggroup) not in (type(None), int):
self.sharinggroup = None
self.log('info', "The sharing group stored in viper config is not an integer, setting to None")
if not self.offline_mode:
try:
self.misp = ExpandedPyMISP(self.url, self.key, ssl=verify, proxies=cfg.misp.proxies, cert=cfg.misp.cert)
except PyMISPError as e:
self.log('error', e.message)
return
# Require an open MISP session
if self.args.subname in ['add_hashes', 'add', 'show', 'publish'] and not __sessions__.is_attached_misp():
return
# Require an open file session
if self.args.subname in ['upload'] and not __sessions__.is_attached_file():
return
try:
if self.args.subname == 'upload':
self.upload()
elif self.args.subname == 'search':
self.searchall()
elif self.args.subname == 'download':
self.download()
elif self.args.subname == 'check_hashes':
self.check_hashes()
elif self.args.subname == 'yara':
self.yara()
elif self.args.subname == 'pull':
self.pull()
elif self.args.subname == 'create_event':
self.create_event()
elif self.args.subname == 'add':
self.add()
elif self.args.subname == 'add_hashes':
self.add_hashes()
elif self.args.subname == 'show':
self.show()
elif self.args.subname == 'open':
self.open_samples()
elif self.args.subname == 'publish':
self.publish()
elif self.args.subname == 'version':
self.version()
elif self.args.subname == 'store':
self.store()
elif self.args.subname == 'tag':
self.tag()
elif self.args.subname == 'galaxies':
self.galaxies()
elif self.args.subname == 'admin':
self.admin()
else:
self.log('error', "No calls defined for this command.")
except requests.exceptions.HTTPError as e:
self.log('error', e)
