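class generateEvents():
    """Push paste-derived IOCs into MISP, one event per paste.

    An event is created for every paste whose ``iocs`` list is non-empty.
    (The original comment said "more than 1 parsed IOC", but the code checks
    ``len(iocs) != 0`` -- a single IOC is enough; this docstring follows the
    code.)  Each event gets an "External analysis" link back to the paste,
    the four OSINT/TLP tags below, and one attribute per IOC whose ``kind``
    is recognised.  ``CVE`` IOCs are dropped on purpose: the original's
    ``add_object`` call for them was commented out.

    Reads the module globals ``MISP_URL``, ``MISP_KEY``, ``PUBLISH_EVENTS``
    and ``EMAIL_ALERTS``.  Call ``initMISP()`` before ``addEvents()``.

    NOTE(review): paste titles and IOC values are untrusted text scraped from
    paste sites and are written verbatim into the event ``info`` field and
    its attributes, using PyMISP's default ``to_ids`` for each ``add_*``
    call.  If this instance feeds IDS exports, confirm that is intended.
    """

    # ioc.kind -> PyMISP method taking (event, value).
    _SIMPLE_ADDERS = {
        "IP": "add_ipsrc",
        "uri": "add_url",
        "email": "add_email_src",
        "filename": "add_filename",
    }
    # ioc.kind values that map 1:1 onto an add_hashes() keyword argument.
    _HASH_KINDS = frozenset({"md5", "sha1", "sha256"})

    def __init__(self, paste):
        # Iterable of pastes; each exposes .title, .URI and .iocs, and each
        # IOC exposes .kind and .value (that is all addEvents() reads).
        self.paste = paste
        self.url = MISP_URL
        self.key = MISP_KEY

    def initMISP(self, verify_ssl=False):
        """Open the PyMISP session used by ``addEvents()``.

        ``verify_ssl`` is forwarded as PyMISP's third positional argument
        (its ``ssl`` flag).  The default ``False`` preserves the original
        call, i.e. no TLS certificate verification, which means the API key
        is sent to whatever answers at ``self.url``; pass ``True`` (or a CA
        bundle path) on a production instance.  ``debug=True`` is likewise
        inherited from the original call.
        """
        self.misp = PyMISP(self.url, self.key, verify_ssl, 'json', debug=True)

    def addEvents(self):
        """Create -- and, if ``PUBLISH_EVENTS`` is set, publish -- one event per paste with IOCs."""
        for paste in self.paste:
            iocs = paste.iocs
            if not iocs:
                continue
            logging.debug("Paste: %s, # of IOCs: %s. Creating an event.",
                          paste.title, len(iocs))
            # distribution=2 / analysis=2 are MISP's numeric enums, kept from
            # the original; confirm they match the sharing level you want,
            # given the event is also tagged tlp:white.
            event = self.misp.new_event(distribution=2, analysis=2, info=paste.title)
            self.misp.add_internal_link(event, paste.URI, category="External analysis")
            for tag in ("Type:OSINT", 'osint:source-type="pastie-website"', 'OSINT', 'tlp:white'):
                self.misp.add_tag(event, tag)
            for ioc in iocs:
                self._add_ioc(event, ioc)
            if PUBLISH_EVENTS:
                self.misp.publish(event, alert=EMAIL_ALERTS)

    def _add_ioc(self, event, ioc):
        """Attach one IOC to *event*; unknown kinds (including CVE) are ignored."""
        kind = ioc.kind
        if kind in self._HASH_KINDS:
            self.misp.add_hashes(event, **{kind: ioc.value})
            return
        method = self._SIMPLE_ADDERS.get(kind)
        if method is not None:
            getattr(self.misp, method)(event, ioc.value)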
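# CybOX hash type name (``hash.type_``) -> keyword argument of PyMISP add_hashes().
_HASH_KEYWORDS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SSDEEP": "ssdeep"}


def _file_comment(properties):
    """Build the "[PATH] ... | [SIZE] ... | [FORMAT] ..." attribute comment.

    Only the parts that are present are emitted, joined by " | " in that
    order; ``size`` falls back to ``size_in_bytes`` when it is absent.
    """
    parts = []
    if properties.file_path:
        parts.append("[PATH] " + str(properties.file_path))
    if properties.size:
        parts.append("[SIZE] " + str(properties.size))
    elif properties.size_in_bytes:
        parts.append("[SIZE] " + str(properties.size_in_bytes))
    if properties.file_format:
        parts.append("[FORMAT] " + str(properties.file_format))
    return " | ".join(parts)


def _add_file(misp, properties, event, to_ids):
    """Print a CybOX file observable and add one hash attribute per recognised hash type."""
    print(" file_format: " + str(properties.file_format))
    print(" file_name: " + str(properties.file_name))
    print(" file_path: " + str(properties.file_path))
    print(" md5: " + str(properties.md5))
    print(" sha1: " + str(properties.sha1))
    print(" peak_entropy: " + str(properties.peak_entropy))
    print(" sha_224: " + str(properties.sha224))
    print(" size: " + str(properties.size))
    print(" size_in_bytes: " + str(properties.size_in_bytes))
    # The original normalised a missing name to "" but then passed
    # str(properties.file_name) -- the literal "None" -- to MISP, producing a
    # "None|<hash>" attribute.  Use the normalised value so a nameless file
    # yields a bare hash attribute instead.
    file_name = str(properties.file_name) if properties.file_name else ""
    comment = _file_comment(properties)
    for digest in properties.hashes:
        print(" " + str(digest.type_) + ": " + str(digest))
        keyword = _HASH_KEYWORDS.get(str(digest.type_))
        if keyword is None:
            continue  # unrecognised hash types are printed only, as before
        misp.add_hashes(event, filename=file_name, comment=comment, to_ids=to_ids,
                        **{keyword: str(digest)})


def _add_mutex(misp, properties, event, to_ids):
    """Print and add a mutex observable."""
    print(" name: " + str(properties.name))
    misp.add_mutex(event, str(properties.name), to_ids=to_ids)


def _add_registry_key(misp, properties, event, to_ids):
    """Print and add a registry key, once per value when values are present."""
    print(" key: " + str(properties.key))
    key = str(properties.key)
    if properties.values:
        for value in properties.values:
            print(" value.datatype: " + str(value.datatype))
            print(" value.data: " + str(value.data))
            misp.add_regkey(event, key, rvalue=str(value.data), to_ids=to_ids)
    else:
        misp.add_regkey(event, key, to_ids=to_ids)


def _add_email(misp, properties, event, to_ids):
    """Print an email-message observable and add its addresses, subject and origin IP.

    NOTE(review): ``from_``, ``sender``, ``to`` and ``reply_to`` go through
    ``str()`` exactly as in the original; if CybOX hands back address lists
    here the attribute value will be the list's repr -- confirm against real
    input.
    """
    print(" date: " + str(properties.date))
    print(" from: " + str(properties.from_))
    print(" sender: " + str(properties.sender))
    # From: wins; Sender: is only used when From: is absent.
    if properties.from_:
        misp.add_email_src(event, str(properties.from_), to_ids=to_ids)
    elif properties.sender:
        misp.add_email_src(event, str(properties.sender), to_ids=to_ids)
    print(" to: " + str(properties.to))
    if properties.to:
        misp.add_email_dst(event, str(properties.to), to_ids=to_ids)
    print(" subject: " + str(properties.subject))
    if properties.subject:
        misp.add_email_subject(event, str(properties.subject), to_ids=to_ids)
    print(" reply_to: " + str(properties.reply_to))
    if properties.reply_to:
        misp.add_email_src(event, str(properties.reply_to), comment="Reply-To Address", to_ids=to_ids)
    print(" message_id: " + str(properties.message_id))
    print(" x_originating_ip: " + str(properties.x_originating_ip))
    if properties.x_originating_ip:
        misp.add_ipsrc(event, str(properties.x_originating_ip), comment="MAIL X-Origin-IP", to_ids=to_ids)
    print(" email_server: " + str(properties.email_server))


def mispBuildObject(object_type, properties, event, args):
    """Translate one CybOX observable into MISP attributes on *event*.

    Parameters:
        object_type: the CybOX object type; only ``str(object_type)`` is
            inspected, for the substrings ``FileObjectType``,
            ``MutexObjectType``, ``WindowsRegistryKeyObjectType``,
            ``DomainNameObjectType``, ``URIObjectType``, ``AddressObjectType``,
            ``PortObjectType`` and ``EmailMessageObjectType``.
        properties: the observable's property bag (``properties.file_name``,
            ``properties.hashes``, ``properties.from_`` ...).
        event: passed straight through to the PyMISP ``add_*`` calls.
        args: ``args.ids`` is coerced to ``True`` when falsy and then used as
            the ``to_ids`` flag on every attribute created.

    Returns nothing.  Side effects: field dumps on stdout and attributes
    added via a PyMISP session built from the module globals ``misp_url``,
    ``misp_key`` and ``proxies``.  The original's Python 2 ``print``
    statements are written as single-argument ``print(...)`` calls, which
    produce the same output on Python 2 and 3.
    """
    # NOTE(review): the third positional argument is PyMISP's ``ssl`` flag,
    # so certificate verification is off and ``misp_key`` is sent to whatever
    # answers at ``misp_url`` (possibly via ``proxies``).  Kept as the
    # original had it; confirm that is acceptable for the target instance.
    # A fresh session is also opened on every call, as in the original.
    misp = PyMISP(misp_url, misp_key, False, 'json', proxies=proxies)

    # Kept from the original: a falsy ``args.ids`` (None *or* an explicit
    # False) is overwritten with True, so every attribute -- including
    # addresses and origin IPs -- is created with to_ids=True, and the
    # caller's ``args`` is mutated.  If ``--ids`` is meant to be switchable,
    # test ``args.ids is None`` here instead.
    if not args.ids:
        args.ids = True
    to_ids = args.ids
    type_name = str(object_type)

    # Independent ``if``s, not ``elif``: a type string matching several names
    # is handled by every matching branch, exactly as in the original.
    if "FileObjectType" in type_name:
        _add_file(misp, properties, event, to_ids)
    if "MutexObjectType" in type_name:
        _add_mutex(misp, properties, event, to_ids)
    if "WindowsRegistryKeyObjectType" in type_name:
        _add_registry_key(misp, properties, event, to_ids)
    if "DomainNameObjectType" in type_name:
        print(" domain: " + str(properties.value))
        misp.add_domain(event, str(properties.value), to_ids=to_ids)
    if "URIObjectType" in type_name:
        print(" uri: " + str(properties.value))
        misp.add_url(event, str(properties.value), to_ids=to_ids)
    if "AddressObjectType" in type_name:
        print(" ip: " + str(properties.address_value))
        misp.add_ipsrc(event, str(properties.address_value), to_ids=to_ids)
    if "PortObjectType" in type_name:
        # Ports are only printed; the original never pushed them to MISP.
        print(" port: " + str(properties.port_value))
    if "EmailMessageObjectType" in type_name:
        _add_email(misp, properties, event, to_ids)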
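# CybOX hash type name (``hash.type_``) -> keyword argument of PyMISP add_hashes().
_HASH_KEYWORDS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SSDEEP": "ssdeep"}


def _file_comment(properties):
    """Build the "[PATH] ... | [SIZE] ... | [FORMAT] ..." attribute comment.

    Only the parts that are present are emitted, joined by " | " in that
    order; ``size`` falls back to ``size_in_bytes`` when it is absent.
    """
    parts = []
    if properties.file_path:
        parts.append("[PATH] " + str(properties.file_path))
    if properties.size:
        parts.append("[SIZE] " + str(properties.size))
    elif properties.size_in_bytes:
        parts.append("[SIZE] " + str(properties.size_in_bytes))
    if properties.file_format:
        parts.append("[FORMAT] " + str(properties.file_format))
    return " | ".join(parts)


def _add_file(misp, properties, event, to_ids):
    """Print a CybOX file observable and add one hash attribute per recognised hash type."""
    print(" file_format: " + str(properties.file_format))
    print(" file_name: " + str(properties.file_name))
    print(" file_path: " + str(properties.file_path))
    print(" md5: " + str(properties.md5))
    print(" sha1: " + str(properties.sha1))
    print(" peak_entropy: " + str(properties.peak_entropy))
    print(" sha_224: " + str(properties.sha224))
    print(" size: " + str(properties.size))
    print(" size_in_bytes: " + str(properties.size_in_bytes))
    # The original normalised a missing name to "" but then passed
    # str(properties.file_name) -- the literal "None" -- to MISP, producing a
    # "None|<hash>" attribute.  Use the normalised value so a nameless file
    # yields a bare hash attribute instead.
    file_name = str(properties.file_name) if properties.file_name else ""
    comment = _file_comment(properties)
    for digest in properties.hashes:
        print(" " + str(digest.type_) + ": " + str(digest))
        keyword = _HASH_KEYWORDS.get(str(digest.type_))
        if keyword is None:
            continue  # unrecognised hash types are printed only, as before
        misp.add_hashes(event, filename=file_name, comment=comment, to_ids=to_ids,
                        **{keyword: str(digest)})


def _add_mutex(misp, properties, event, to_ids):
    """Print and add a mutex observable."""
    print(" name: " + str(properties.name))
    misp.add_mutex(event, str(properties.name), to_ids=to_ids)


def _add_registry_key(misp, properties, event, to_ids):
    """Print and add a registry key, once per value when values are present."""
    print(" key: " + str(properties.key))
    key = str(properties.key)
    if properties.values:
        for value in properties.values:
            print(" value.datatype: " + str(value.datatype))
            print(" value.data: " + str(value.data))
            misp.add_regkey(event, key, rvalue=str(value.data), to_ids=to_ids)
    else:
        misp.add_regkey(event, key, to_ids=to_ids)


def _add_email(misp, properties, event, to_ids):
    """Print an email-message observable and add its addresses, subject and origin IP.

    NOTE(review): ``from_``, ``sender``, ``to`` and ``reply_to`` go through
    ``str()`` exactly as in the original; if CybOX hands back address lists
    here the attribute value will be the list's repr -- confirm against real
    input.
    """
    print(" date: " + str(properties.date))
    print(" from: " + str(properties.from_))
    print(" sender: " + str(properties.sender))
    # From: wins; Sender: is only used when From: is absent.
    if properties.from_:
        misp.add_email_src(event, str(properties.from_), to_ids=to_ids)
    elif properties.sender:
        misp.add_email_src(event, str(properties.sender), to_ids=to_ids)
    print(" to: " + str(properties.to))
    if properties.to:
        misp.add_email_dst(event, str(properties.to), to_ids=to_ids)
    print(" subject: " + str(properties.subject))
    if properties.subject:
        misp.add_email_subject(event, str(properties.subject), to_ids=to_ids)
    print(" reply_to: " + str(properties.reply_to))
    if properties.reply_to:
        misp.add_email_src(event, str(properties.reply_to), comment="Reply-To Address", to_ids=to_ids)
    print(" message_id: " + str(properties.message_id))
    print(" x_originating_ip: " + str(properties.x_originating_ip))
    if properties.x_originating_ip:
        misp.add_ipsrc(event, str(properties.x_originating_ip), comment="MAIL X-Origin-IP", to_ids=to_ids)
    print(" email_server: " + str(properties.email_server))


def mispBuildObject(object_type, properties, event, args):
    """Translate one CybOX observable into MISP attributes on *event*.

    Parameters:
        object_type: the CybOX object type; only ``str(object_type)`` is
            inspected, for the substrings ``FileObjectType``,
            ``MutexObjectType``, ``WindowsRegistryKeyObjectType``,
            ``DomainNameObjectType``, ``URIObjectType``, ``AddressObjectType``,
            ``PortObjectType`` and ``EmailMessageObjectType``.
        properties: the observable's property bag (``properties.file_name``,
            ``properties.hashes``, ``properties.from_`` ...).
        event: passed straight through to the PyMISP ``add_*`` calls.
        args: ``args.ids`` is coerced to ``True`` when falsy and then used as
            the ``to_ids`` flag on every attribute created.

    Returns nothing.  Side effects: field dumps on stdout and attributes
    added via a PyMISP session built from the module globals ``misp_url``,
    ``misp_key`` and ``proxies``.  The original's Python 2 ``print``
    statements are written as single-argument ``print(...)`` calls, which
    produce the same output on Python 2 and 3.
    """
    # NOTE(review): the third positional argument is PyMISP's ``ssl`` flag,
    # so certificate verification is off and ``misp_key`` is sent to whatever
    # answers at ``misp_url`` (possibly via ``proxies``).  Kept as the
    # original had it; confirm that is acceptable for the target instance.
    # A fresh session is also opened on every call, as in the original.
    misp = PyMISP(misp_url, misp_key, False, 'json', proxies=proxies)

    # Kept from the original: a falsy ``args.ids`` (None *or* an explicit
    # False) is overwritten with True, so every attribute -- including
    # addresses and origin IPs -- is created with to_ids=True, and the
    # caller's ``args`` is mutated.  If ``--ids`` is meant to be switchable,
    # test ``args.ids is None`` here instead.
    if not args.ids:
        args.ids = True
    to_ids = args.ids
    type_name = str(object_type)

    # Independent ``if``s, not ``elif``: a type string matching several names
    # is handled by every matching branch, exactly as in the original.
    if "FileObjectType" in type_name:
        _add_file(misp, properties, event, to_ids)
    if "MutexObjectType" in type_name:
        _add_mutex(misp, properties, event, to_ids)
    if "WindowsRegistryKeyObjectType" in type_name:
        _add_registry_key(misp, properties, event, to_ids)
    if "DomainNameObjectType" in type_name:
        print(" domain: " + str(properties.value))
        misp.add_domain(event, str(properties.value), to_ids=to_ids)
    if "URIObjectType" in type_name:
        print(" uri: " + str(properties.value))
        misp.add_url(event, str(properties.value), to_ids=to_ids)
    if "AddressObjectType" in type_name:
        print(" ip: " + str(properties.address_value))
        misp.add_ipsrc(event, str(properties.address_value), to_ids=to_ids)
    if "PortObjectType" in type_name:
        # Ports are only printed; the original never pushed them to MISP.
        print(" port: " + str(properties.port_value))
    if "EmailMessageObjectType" in type_name:
        _add_email(misp, properties, event, to_ids)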