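def buildEvent(pkg, **kwargs):
    """Build a MISPEvent from a STIX package.

    The event title is taken from ``pkg.stix_header.title`` and falls back
    to ``"STIX Import"`` when the header or its title is missing.

    Args:
        pkg: STIX package to convert (read for ``stix_header`` and walked
            with ``lintRoll``).
        **kwargs: Optional event fields ``distribution`` (default 0),
            ``threat_level_id`` (default 3) and ``analysis`` (default 0).

    Returns:
        The ``MISPEvent`` returned by the last ``buildAttribute`` call, or the
        freshly created event when the package holds no observables.
    """
    log.info("Building Event...")

    header = pkg.stix_header
    # The title comes from an external document: it is untrusted text, so it
    # is passed as a logging *argument*, never as the format string itself
    # (a stray "%s" in the title would otherwise break the log call).
    title = header.title if header and header.title else "STIX Import"
    log.info("%s", title)

    event = mispevent.MISPEvent()
    event.distribution = kwargs.get("distribution", 0)
    event.threat_level_id = kwargs.get("threat_level_id", 3)
    event.analysis = kwargs.get("analysis", 0)
    event.info = title

    # Collect each Observable once, keyed on its id_; lintRoll presumably
    # walks every object in the package (see comment below), so duplicates
    # are expected and are dropped here.
    seen_ids = set()
    to_process = []
    for obj in lintRoll(pkg):
        if not isinstance(obj, cybox.core.observable.Observable):
            continue
        if obj.id_ in seen_ids:
            continue
        seen_ids.add(obj.id_)
        to_process.append(obj)

    for obj in to_process:
        # This will find literally every object ever.
        event = buildAttribute(obj, event)
    return event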
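def buildEvent(pkg, **kwargs):
    """Build a MISPEvent from a STIX package.

    The event title is ``pkg.stix_header.title`` when present, otherwise
    ``"STIX Import"``. If the package carries a ``description`` it is added
    as a ``comment`` attribute. Every Observable (once per ``id_``) and every
    Incident found by ``lintRoll`` is handed to ``buildAttribute``; a
    failure on one object is logged and the remaining objects are still
    processed. Finally attributes with a duplicate ``value`` are dropped,
    keeping the first occurrence.

    Args:
        pkg: STIX package to convert.
        **kwargs: Optional event fields ``distribution`` (default 0),
            ``threat_level_id`` (default 3) and ``analysis`` (default 0).

    Returns:
        The populated ``MISPEvent``.
    """
    log.info("Building Event...")

    header = pkg.stix_header
    # Untrusted document text is always passed as a logging argument,
    # never used as the format string.
    title = header.title if header and header.title else "STIX Import"
    log.info("Using title %s", title)

    log.debug("Seting up MISPEvent...")
    event = mispevent.MISPEvent()
    event.distribution = kwargs.get("distribution", 0)
    event.threat_level_id = kwargs.get("threat_level_id", 3)
    event.analysis = kwargs.get("analysis", 0)
    event.info = title

    # Only add a comment when the description actually carries text; a bare
    # hasattr() check would also add a None/empty comment.
    description = getattr(pkg, "description", None)
    if description:
        log.debug("Found description %s", description)
        event.add_attribute("comment", description)

    log.debug("Beginning to Lint_roll...")
    seen_ids = set()
    to_process = []
    for obj in lintRoll(pkg):
        if isinstance(obj, stix.core.Incident):
            to_process.append(obj)
        elif isinstance(obj, cybox.core.observable.Observable):
            # Observables are deduplicated on id_; Incidents are not.
            if obj.id_ not in seen_ids:
                seen_ids.add(obj.id_)
                to_process.append(obj)

    log.debug("Processing %s object...", len(to_process))
    for obj in to_process:
        log.debug("Working on %s...", obj)
        # This will find literally every object ever.
        try:
            event = buildAttribute(obj, event)
        except Exception as ex:
            # Best effort: one bad object must not abort the whole import.
            log.exception(ex)

    # Now make sure we only have unique items. The original popped from the
    # list while enumerating it, which skips the element that follows every
    # removed one; build the filtered list instead and write it back in place.
    log.debug("Making sure we only have Unique attributes...")
    unique_values = []  # list, not set: attribute values need not be hashable
    kept = []
    for attrib in event.attributes:
        if attrib.value in unique_values:
            log.debug("Removed duplicated attribute in package: %s", attrib.value)
            continue
        unique_values.append(attrib.value)
        kept.append(attrib)
    event.attributes[:] = kept

    log.debug("Finished parsing attributes.")
    return event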
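def buildEvent(pkg, **kwargs):
    """Build a MISPEvent from a STIX package.

    Uses ``pkg.stix_header.title`` as the event title, falling back to
    ``"STIX Import"`` when the header or the title is absent, then feeds
    every object yielded by ``lintRoll`` to ``buildAttribute``.

    Args:
        pkg: STIX package to convert.
        **kwargs: Optional event fields ``distribution`` (default 0),
            ``threat_level_id`` (default 3) and ``analysis`` (default 0).

    Returns:
        The ``MISPEvent`` returned by the last ``buildAttribute`` call (the
        fresh event if ``lintRoll`` yields nothing).
    """
    log.info("Building Event...")

    header = pkg.stix_header
    # The title is attacker-controlled input from the STIX document; log it
    # as an argument so "%"-sequences in it cannot break the log call.
    title = header.title if header and header.title else "STIX Import"
    log.info("%s", title)

    event = mispevent.MISPEvent()
    event.distribution = kwargs.get("distribution", 0)
    event.threat_level_id = kwargs.get("threat_level_id", 3)
    event.analysis = kwargs.get("analysis", 0)
    event.info = title

    for obj in lintRoll(pkg):
        # This will find literally every object ever.
        event = buildAttribute(obj, event)
    return event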
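def write_pkg(pkg, outfile):
    """Serialise a STIX package to a file or to stdout.

    Reads the module-level ``args``: ``args.stix_version`` selects the
    version stamped on every versioned object ("1.1.1"; "1.2" is the
    default and leaves the package untouched; anything else aborts) and
    ``args.format`` selects JSON (``"json"``) or XML (anything else).

    Args:
        pkg: STIX package exposing ``to_json()`` and ``to_xml()``.
        outfile: Path to write to, or the literal string ``"stdout"``.

    Raises:
        SystemExit: with status 1 on an unsupported ``args.stix_version``.
    """
    log.debug("Writing to %s", outfile)
    log.debug("As stix v%s", args.stix_version)

    if args.stix_version:
        if args.stix_version == "1.1.1":
            # Walk every object and stamp the requested version on those
            # that carry one.
            for obj in lint_roller.lintRoll(pkg):
                if hasattr(obj, "version"):
                    obj.version = args.stix_version
        elif args.stix_version == "1.2":
            pass  # Is default
        else:
            # Report on stderr and exit non-zero: the original printed the
            # error to stdout (where callers expect the package) and exited 0.
            print("INVALID STIX VERSION {}".format(args.stix_version), file=sys.stderr)
            sys.exit(1)

    if args.format == "json":
        log.debug("In JSON format")
        if outfile == "stdout":
            print(pkg.to_json())
        else:
            with open(outfile, "w", encoding="utf-8") as f:
                f.write(pkg.to_json())
    else:
        log.debug("In XML format")
        # to_xml() yields bytes (the file branch opens "wb"), so decode it
        # before printing instead of emitting the b'...' repr.
        if outfile == "stdout":
            print(pkg.to_xml().decode("utf-8"))
        else:
            with open(outfile, "wb") as f:
                f.write(pkg.to_xml())

    log.debug("Written!")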
log.debug(msg) # Load it as a misp object for easy conversion to STIX ev = pymisp.mispevent.MISPEvent() ev.load(msg) # Convert to STIX pkg = pymisp.tools.stix.make_stix_package(ev) log.debug("Loaded successfully!") # Push the package to TAXII for version in config.get("stix_versions", ["1.1.1"]): # Convert to that version objs = lint_roller.lintRoll(pkg) for i in objs: # Set the object's version if hasattr(i, "version"): i.version = version # Set the top-level pkg.version = version try: log.info("Using binding %s", "urn:stix.mitre.org:xml:{}".format(version)) cli.push(content=pkg.to_xml().decode("utf-8"), content_binding="urn:stix.mitre.org:xml:{}".format(version), uri="{}://{}/services/inbox".format(config.get("protocol", "http"), config["domain"]), collection_names=config["taxii"].get("collections", ["collection"]))
package = convert.MISPtoSTIX(jsondata) except FileNotFoundError: print("Could not open {}".format(args.file)) sys.exit() else: # This requires a connection to MISP # As we need to pull an event # Connect to MISP MISP = misp.MISP(CONFIG["MISP"]["URL"], CONFIG["MISP"]["KEY"]) package = MISP.pull(args.eid)[0] # Set the version if args.stix_version: if args.stix_version == "1.1.1": objs = lint_roller.lintRoll(package) for i in objs: # Set the object's version if hasattr(i, "version"): i.version = args.stix_version elif args.stix_version == "1.2": pass # Is default else: print("INVALID STIX VERSION {}".format(args.stix_version)) sys.exit() if args.format == "json": # Output to JSON if not args.outfile: # Output to stdout