def submit_to_misp(self, misp: PyMISP, misp_event: MISPEvent, misp_objects: list): ''' Submit a list of MISP objects to a MISP event :misp: PyMISP API object for interfacing with MISP :misp_event: MISPEvent object :misp_objects: List of MISPObject objects. Must be a list ''' # go through round one and only add MISP objects misp_objects = [] for misp_object in misp_objects: self.misp_logger.debug(misp_object) if len(misp_object.attributes) > 0: if misp_object.name == 'network-connection': template_id = 'af16764b-f8e5-4603-9de1-de34d272f80b' else: # self.misp_logger.debug(dir(pymisp.api)) # self.misp_logger.debug(dir(self.misp)) # exit() self.misp_logger.debug(misp_object.template_uuid) object_template = self.misp.get_object_template( misp_object.template_uuid) template_id = object_template['ObjectTemplate']['id'] self.misp_logger.debug(template_id) self.misp_logger.debug(dir(misp_event)) self.misp_logger.debug(misp_event) # add the object and get the result result = misp.add_object(event=misp_event, misp_object=misp_object) self.misp_logger.debug(result) misp_objects.append(result) # go through round two and add all the object references for each object misp_object_references = [] for misp_object in misp_objects: for reference in misp_object.ObjectReference: # add the reference and get the result result = misp.add_object_reference(reference) misp_object_references.append(result) return misp_objects, misp_object_references
class MISPIntegrator(object): def __init__(self, logger, db): """ Declares some object attributes. :param logger: A logger object. :param db: A MongoDBConnection object. """ self.parser = get_main_config_parser() self.misp_parser = get_misp_config_parser() self.misp = PyMISP(self.parser.get('misp', 'url'), self.parser.get('misp', 'key'), ssl=bool(self.parser.get('misp', 'ssl')), out_type=self.parser.get('misp', 'out_type'), debug=bool(self.parser.get('misp', 'debug'))) self.distribution = self.parser.get('misp', 'distribution') self.local_git = self.parser.get('git', 'local_git') self.remote_git = self.parser.get('git', 'remote_git').rsplit('.', 1)[0] self.attributes = dict(self.misp_parser.values()[1].items()) self.logger = logger self.db = db tag_name, tag_colour = self.parser.get('misp', 'tag').split(',') all_tags = self._set_tag_id(tag_name, tag_colour) taxonomies = self.parser.get('misp', 'taxonomies').split(',') self._set_taxonomy_tag_ids(taxonomies, all_tags) def _set_tag_id(self, tag_name, tag_colour): """ Determines the ID to a given tag. If the tag is not present in MISP it will be created otherwise. :param tag_name (str): Name of the tag to create if necessary. :param tag_colour (str): A HTML colour code for the tag to create. :return: List of all tags in MISP. """ all_tags = self.misp.get_tags_list() exploit_tag = [tag for tag in all_tags if tag['name'] == tag_name] if exploit_tag: self.tag_ids = [exploit_tag[0]['id']] else: new_tag = self.misp.new_tag(name=tag_name, colour=tag_colour) self.tag_ids = [new_tag['Tag']['id']] return all_tags def _set_taxonomy_tag_ids(self, taxonomies, all_tags): """ If the given taxonomies are not enabled yet, it will be enabled as well as the specific tag. The IDs of the taxonomy tags are added to a list. If a tag or taxonomy is not found, it will be logged. :param taxonomies (list): A list of taxonomies as strings. :param all_tags (list): List of all tags in MISP as strings. """ # TODO: it seems that get_taxonomies_list() does not fetch # all existing taxonomies: # https://github.com/MISP/PyMISP/issues/342 all_taxonomies = self.misp.get_taxonomies_list()['response'] for taxonomy in taxonomies: namespace, _ = taxonomy.split(':') tax = [ tax for tax in all_taxonomies if namespace == tax['Taxonomy']['namespace'] ] if tax: tax = tax[0]['Taxonomy'] if not tax['enabled']: # TODO: it seems that it is not possible to enable a # specific tag of a taxonomy, if it is not yet enabled: # https://github.com/MISP/PyMISP/issues/343 # until this is not fixed, all tags of the taxonomy must # be enabled. if it is fixed, remove the line with # enable_taxonomy_tags() and uncomment the line with # enable_tag() below self.misp.enable_taxonomy(tax['id']) self.misp.enable_taxonomy_tags(tax['id']) tag = [tag for tag in all_tags if tag['name'] == taxonomy] if tag: tag_id = tag[0]['id'] # self.misp.enable_tag(tag_id) self.tag_ids.append(tag_id) else: self.logger.warn( 'Could not find tag: {}.'.format(taxonomy)) else: self.logger.warn( 'Could not find taxonomy: {}.'.format(taxonomy)) def _create_event(self, date, description): """ Creates a new event and tag it with the tag id of the config file. "Threat Level" has not to be defined (:= no risk), because it is only a POC analysis. :param date (str): The date when the exploit was created. :param description (str): Description of the new event. :return: UUID of created event as string. """ uuid = self.misp.new_event( date=date, info=description, distribution=self.distribution)['Event']['uuid'] for tag_id in self.tag_ids: response = self.misp.tag(uuid, tag_id) if 'successfully attached to' not in response['message']: self.logger.warn('Could not tag event {}: {}'.format( uuid, response)) return uuid def _add_attributes_to_event(self, uuid, misp_type, values, category, new_event=True): """ Adds attributes to an event if it is new, otherwise it searches for an attribute which has a given value. If not so, a new attribute will be created for that event. :param uuid (str): The uuid of the event. :param misp_type (str): Type of an attribute. :param values (list): List of values of the attribute as string. :param category (str): Category of an attribute. :param new_event (boolean): If the event was added before; default is True. """ for val in values: if new_event: self.misp.add_named_attribute(uuid, misp_type, val, category=category) else: # if we search for all values in the list, we do not know # which attribute we need to add. response = self.misp.search( uuid=uuid, type_attribute=misp_type, category=category, values=[val], controller='attributes')['response'] if not response['Attribute']: self.misp.add_named_attribute(uuid, misp_type, val, category=category) def _add_exploit_poc_template(self, uuid, exploit): """ Adds a new exploit-poc object template to a given event. :param uuid (str): The uuid of the event. :param exploit (dict): Dictionary of an exploit. It needs the following keys: 'file', 'author' and 'description'. """ gen_obj = GenericObjectGenerator('exploit-poc') attributes = [] exploit_file = exploit['file'] with open(os.path.join(self.local_git, exploit_file)) as f: poc = f.read() attributes.append({ 'poc': poc, 'references': '{}/tree/master/{}'.format(self.remote_git, exploit_file), 'author': exploit['author'], 'description': exploit['description'] }) gen_obj.generate_attributes(attributes) self.misp.add_object(uuid, gen_obj.template_uuid, gen_obj) def integrate(self, exploits): """ It integrates the exploits as new events to MISP. If an unexcepted exception occurs it will be logged. :param exploits (list): List of exploit dictionaries. """ for exploit in exploits: try: # if this exploit alreadey exist, we do not need to add it # again if 'misp-uuid' not in exploit: # encode uuid, otherwise the event is not found uuid = self._create_event( exploit['date'], exploit['description']).encode('utf-8') self.db.insert_or_update_exploits_by_id([{ 'id': exploit['id'], 'misp-uuid': uuid }]) event = None else: uuid = exploit['misp-uuid'] event = self.misp.get_event(uuid) for tag, value in exploit.items(): category, misp_type = self.attributes.get(tag, ',').split(',') if not value or tag not in exploit \ or (not category and not misp_type): continue # put value to a list, so that we do not need to differ if # it is a list or not. if not isinstance(value, list): value = [value] if event is None: self._add_attributes_to_event(uuid, misp_type, value, category) else: self._add_attributes_to_event(uuid, misp_type, value, category, new_event=False) # only add poc if event is new if event is None: self._add_exploit_poc_template(uuid, exploit) except Exception: self.logger.warn( 'Unexpected exception while MISP integration occurred ' 'for file: {}'.format(exploit['file']), exc_info=True)
if args.disable_new: event_id = response['response'][0]['id'] else: last_event_date = parse(response['response'][0]['date']).date() nb_attr = response['response'][0]['attribute_count'] if last_event_date < date.today() or int(nb_attr) > 1000: me = create_new_event() else: event_id = response['response'][0]['id'] else: me = create_new_event() parameters = {'banned-ip': args.banned_ip, 'attack-type': args.attack_type} if args.processing_timestamp: parameters['processing-timestamp'] = args.processing_timestamp if args.failures: parameters['failures'] = args.failures if args.sensor: parameters['sensor'] = args.sensor if args.victim: parameters['victim'] = args.victim if args.logline: parameters['logline'] = b64decode(args.logline).decode() f2b = Fail2BanObject(parameters=parameters, standalone=False) if me: me.add_object(f2b) pymisp.add_event(me) elif event_id: template_id = pymisp.get_object_template_id(f2b.template_uuid) a = pymisp.add_object(event_id, template_id, f2b)
import json from pymisp import PyMISP from keys import misp_url, misp_key, misp_verifycert from pymisp.tools import SBSignatureObject pymisp = PyMISP(misp_url, misp_key, misp_verifycert) a = json.loads( '{"signatures":[{"new_data":[],"confidence":100,"families":[],"severity":1,"weight":0,"description":"AttemptstoconnecttoadeadIP:Port(2uniquetimes)","alert":false,"references":[],"data":[{"IP":"95.101.39.58:80(Europe)"},{"IP":"192.35.177.64:80(UnitedStates)"}],"name":"dead_connect"},{"new_data":[],"confidence":30,"families":[],"severity":2,"weight":1,"description":"PerformssomeHTTPrequests","alert":false,"references":[],"data":[{"url":"http://cert.int-x3.letsencrypt.org/"},{"url":"http://apps.identrust.com/roots/dstrootcax3.p7c"}],"name":"network_http"},{"new_data":[],"confidence":100,"families":[],"severity":2,"weight":1,"description":"Theofficefilehasaunconventionalcodepage:ANSICyrillic;Cyrillic(Windows)","alert":false,"references":[],"data":[],"name":"office_code_page"}]}' ) a = [(x['name'], x['description']) for x in a["signatures"]] b = SBSignatureObject(a) template_id = [ x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list() if x['ObjectTemplate']['name'] == 'sb-signature' ][0] pymisp.add_object(234111, template_id, b)
from keys import misp_url, misp_key, misp_verifycert import argparse class GenericObject(AbstractMISPObjectGenerator): def __init__(self, type, data_dict): super(GenericObject, self).__init__(type) self.__data = data_dict self.generate_attributes() def generate_attributes(self): for key, value in self.__data.items(): self.add_attribute(key, value=value) if __name__ == '__main__': parser = argparse.ArgumentParser(description='Create a MISP Object selectable by type starting from a dictionary') parser.add_argument("-e", "--event", required=True, help="Event ID to update") parser.add_argument("-t", "--type", required=True, help="Type of the generic object") parser.add_argument("-d", "--dict", required=True, help="Dict ") args = parser.parse_args() pymisp = PyMISP(misp_url, misp_key, misp_verifycert) try: template_id = [x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list() if x['ObjectTemplate']['name'] == args.type][0] except IndexError: valid_types = ", ".join([x['ObjectTemplate']['name'] for x in pymisp.get_object_templates_list()]) print ("Template for type %s not found! Valid types are: %s" % (args.type, valid_types)) exit() misp_object = GenericObject(args.type.replace("|", "-"), json.loads(args.dict)) r = pymisp.add_object(args.event, template_id, misp_object)
misp_object = MISPObject(name="github-user") github_user = r.json() rfollowers = requests.get(github_user['followers_url']) followers = rfollowers.json() rfollowing = requests.get( "https://api.github.com/users/{}/following".format(args.username)) followings = rfollowing.json() rkeys = requests.get("https://api.github.com/users/{}/keys".format( args.username)) keys = rkeys.json() misp_object.add_attributes("follower", *[follower['login'] for follower in followers]) misp_object.add_attributes( "following", *[following['login'] for following in followings]) misp_object.add_attributes("ssh-public-key", *[sshkey['key'] for sshkey in keys]) misp_object.add_attribute('bio', github_user['bio']) misp_object.add_attribute('link', github_user['html_url']) misp_object.add_attribute('user-fullname', github_user['name']) misp_object.add_attribute('username', github_user['login']) misp_object.add_attribute('twitter_username', github_user['twitter_username']) misp_object.add_attribute('location', github_user['location']) misp_object.add_attribute('company', github_user['company']) misp_object.add_attribute('public_gists', github_user['public_gists']) misp_object.add_attribute('public_repos', github_user['public_repos']) misp_object.add_attribute('blog', github_user['blog']) misp_object.add_attribute('node_id', github_user['node_id']) retcode = pymisp.add_object(args.event, misp_object)
if __name__ == '__main__': parser = argparse.ArgumentParser(description='Extract indicators out of binaries and add MISP objects to a MISP instance.') parser.add_argument("-e", "--event", required=True, help="Event ID to update.") parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).") args = parser.parse_args() pymisp = PyMISP(misp_url, misp_key, misp_verifycert) for f in glob.glob(args.path): try: fo, peo, seos = make_binary_objects(f) except Exception as e: traceback.print_exc() if seos: for s in seos: template_id = pymisp.get_object_template_id(s.template_uuid) r = pymisp.add_object(args.event, template_id, s) if peo: template_id = pymisp.get_object_template_id(peo.template_uuid) r = pymisp.add_object(args.event, template_id, peo) for ref in peo.ObjectReference: r = pymisp.add_object_reference(ref) if fo: template_id = pymisp.get_object_template_id(fo.template_uuid) response = pymisp.add_object(args.event, template_id, fo) for ref in fo.ObjectReference: r = pymisp.add_object_reference(ref)
# -*- coding: utf-8 -*- from pymisp import PyMISP from pymisp.tools import EMailObject import traceback from keys import misp_url, misp_key, misp_verifycert import glob import argparse if __name__ == '__main__': parser = argparse.ArgumentParser(description='Extract indicators out of binaries and add MISP objects to a MISP instance.') parser.add_argument("-e", "--event", required=True, help="Event ID to update.") parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).") args = parser.parse_args() pymisp = PyMISP(misp_url, misp_key, misp_verifycert, debug=True) for f in glob.glob(args.path): try: eo = EMailObject(f) except Exception as e: traceback.print_exc() continue if eo: template_id = pymisp.get_object_template_id(eo.template_uuid) response = pymisp.add_object(args.event, template_id, eo) for ref in eo.ObjectReference: r = pymisp.add_object_reference(ref)
#!/usr/bin/env python3 # -*- coding: utf-8 -*- from pymisp import PyMISP from pymisp.tools import SSHAuthorizedKeysObject import traceback from keys import misp_url, misp_key, misp_verifycert import glob import argparse if __name__ == '__main__': parser = argparse.ArgumentParser(description='Extract indicators out of authorized_keys file.') parser.add_argument("-e", "--event", required=True, help="Event ID to update.") parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).") args = parser.parse_args() pymisp = PyMISP(misp_url, misp_key, misp_verifycert, debug=True) for f in glob.glob(args.path): try: auth_keys = SSHAuthorizedKeysObject(f) except Exception: traceback.print_exc() continue template_id = pymisp.get_object_template_id(auth_keys.template_uuid) response = pymisp.add_object(args.event, template_id, auth_keys) for ref in auth_keys.ObjectReference: r = pymisp.add_object_reference(ref)
required=True, help="Path to process (expanded using glob).") args = parser.parse_args() pymisp = PyMISP(misp_url, misp_key, misp_verifycert) for f in glob.glob(args.path): try: fo, peo, seos = make_binary_objects(f) except Exception: traceback.print_exc() continue if seos: for s in seos: r = pymisp.add_object(args.event, s) if peo: if hasattr(peo, 'certificates') and hasattr(peo, 'signers'): # special authenticode case for PE objects for c in peo.certificates: pymisp.add_object(args.event, c, pythonify=True) for s in peo.signers: pymisp.add_object(args.event, s, pythonify=True) del peo.certificates del peo.signers del peo.sections r = pymisp.add_object(args.event, peo, pythonify=True) for ref in peo.ObjectReference: r = pymisp.add_object_reference(ref)
nb_attr = response['response'][0]['attribute_count'] if last_event_date < date.today() or int(nb_attr) > 1000: me = create_new_event() else: event_id = response['response'][0]['id'] else: me = create_new_event() parameters = {'banned-ip': args.banned_ip, 'attack-type': args.attack_type} if args.processing_timestamp: parameters['processing-timestamp'] = args.processing_timestamp if args.failures: parameters['failures'] = args.failures if args.sensor: parameters['sensor'] = args.sensor if args.victim: parameters['victim'] = args.victim if args.logline: parameters['logline'] = b64decode(args.logline).decode() if args.logfile: with open(args.logfile, 'rb') as f: parameters['logfile'] = {'value': os.path.basename(args.logfile), 'data': BytesIO(f.read())} f2b = Fail2BanObject(parameters=parameters, standalone=False) if me: me.add_object(f2b) pymisp.add_event(me) elif event_id: template_id = pymisp.get_object_template_id(f2b.template_uuid) a = pymisp.add_object(event_id, template_id, f2b)
class MispImport: def __init__(self, logger): self.api = PyMISP(misp_url, misp_key, misp_verifycert, 'json', debug=False) self.response = None self.logger = logger self.caching = Caching() def import_data(self, data_to_push): all_events = [] for k, data in data_to_push.items(): if not self.is_already_present(data['url_tweet']): if data['retweet']: self.logger.info('RT %s %s ' % (data['retweet_id'], data['url_tweet'])) eid = self.caching.translate(data['retweet_id']) self.logger.info('translate found %s %s' % (eid, data['retweet_id'])) if eid: event = self.api.get(int(eid)) else: res = self.api.search(values=data['retweet_id'], type_attribute='twitter-id') if res['response']: event = res['response'][0] else: self.logger.error('Event not found tweet %s ' % data['retweet_id']) continue if 'Event' in event: self.logger.info('Event has found %s' % event['Event']['id']) self.caching.caching(data['retweet_id'], event['Event']['id']) self.api.add_named_attribute( event=event, type_value='url', category='External analysis', value=data['url_tweet']) self.api.add_named_attribute(event=event, type_value="twitter-id", category="Social network", value=k) all_tags = [t['name'] for t in event['Event']['Tag']] if not 'toqualify' in all_tags and not 'toenrich' in all_tags: self.api.tag(event['Event']['uuid'], 'topublish') else: self.logger.error( 'Event not found tweet %s error decode %s' % (data['retweet_id'], event)) continue elif data['quoted_tweet']: self.logger.info('Tweet quoted %s' % data['quoted_tweet']) eid = self.caching.translate(data['quoted_status_id']) if eid: event = self.api.get(int(eid)) else: res = self.api.search(values=data['quoted_status_id'], type_attribute='twitter-id') if res['response']: event = res['response'][0] if 'Event' in event: self.caching.caching(data['quoted_status_id'], event['Event']['id']) else: self.logger.error('Event not found tweet %s ' % data['quoted_status_id']) continue else: self.logger.error('Quoted Tweet not found %s' % data['url_tweet']) continue else: event = self.api.new_event(distribution=0, info=data['url_tweet'], analysis=0, threat_level_id=1) self.caching.caching(k, event['Event']['id']) self.logger.info('Event create %s' % event['Event']['id']) if event: self.add_tags(event, data['tags']) self.api.add_named_attribute(event=event, type_value='url', category='External analysis', value=data['url_tweet']) self.logger.info('add url tweet %s at %s' % (data['url_tweet'], event['Event']['id'])) self.api.add_named_attribute(event=event, type_value='text', category='External analysis', value=data['tweet_text']) self.api.add_named_attribute(event=event, type_value="twitter-id", category="Social network", value=k) for url in data['urls']: self.api.add_named_attribute( event=event, type_value='url', category="External analysis", value=url) self.logger.info('add externals url %s to %s' % (url, event['Event']['id'])) self.api.freetext(event_id=event['Event']['id'], string=data['tweet_text'], adhereToWarninglists=True) self.logger.debug( 'add text %s to %s' % (data['tweet_text'], event['Event']['id'])) for d in data['data']: if 'magic' in d.state_machine and d.state_machine[ 'magic']['pe']: hash_algo = sha256() hash_algo.update(d.content_decoded) self.api.add_named_attribute( event=event, type_value='sha256', category='Payload delivery', value=hash_algo.hexdigest()) self.add_object(event, d.content_decoded, hash_algo.hexdigest()) self.add_tags(event, ['Malware']) self.logger.info('add malware') elif 'magic' in d.state_machine and d.state_machine[ 'magic']['elf']: self.api.add_object(event['Event']['id'], 13, d.content_decoded) else: try: self.api.freetext( event_id=event['Event']['id'], string=d.content_decoded.decode(), adhereToWarninglists=True) self.api.add_named_attribute( event=event, type_value='text', category='External analysis', value=d.content_decoded.decode()) except UnicodeDecodeError: self.logger.Error('Error decoding') pass self.__remove_shortcut(event) all_events.append(event['Event']['id']) return all_events def is_already_present(self, url_tweet): try: response = self.api.search(values=[url_tweet], type_value='url', category='External analysis') self.response = response return bool(response['response']) except: self.logger.error('Error search %s ' % url_tweet) return True def add_object(self, event, data, filename): obj = make_binary_objects(pseudofile=BytesIO(data), filename=filename) if obj[1]: self.api.add_object(event['Event']['id'], 28, obj[1]) def add_tags(self, event, tags): #self.api.add_tag(event,'OSINT') for t in tags: self.api.tag(event['Event']['uuid'], t) self.api.tag(event['Event']['uuid'], 'OSINT') self.api.tag(event['Event']['uuid'], 'tlp:white') self.api.tag(event['Event']['uuid'], 'toenrich') def __remove_shortcut(self, event): self.logger.debug('delete attr function') event = self.api.get_event(event['Event']['id']) attrs = [ attr for attr in event['Event']['Attribute'] if attr['category'] == 'Network activity' and 'https://t.co' in attr['value'] ] for attr in attrs: self.logger.debug('try to connect to %s' % attr['value']) r = requests.get(attr['value'].replace("'", "")) if r.status_code == 200: self.api.add_named_attribute(event=event, type_value='url', category='External analysis', value=r.url) self.api.delete_attribute(attr['id']) self.logger.info('delete attr %s' % attr['id'])
from keys import misp_url, misp_key, misp_verifycert import glob import argparse if __name__ == '__main__': parser = argparse.ArgumentParser( description='Extract indicators out of authorized_keys file.') parser.add_argument("-e", "--event", required=True, help="Event ID to update.") parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).") args = parser.parse_args() pymisp = PyMISP(misp_url, misp_key, misp_verifycert, debug=True) for f in glob.glob(args.path): try: auth_keys = SSHAuthorizedKeysObject(f) except Exception: traceback.print_exc() continue template_id = pymisp.get_object_template_id(auth_keys.template_uuid) response = pymisp.add_object(args.event, template_id, auth_keys) for ref in auth_keys.ObjectReference: r = pymisp.add_object_reference(ref)
parser.add_argument("-e", "--event", required=True, help="Event ID to update") parser.add_argument("-t", "--type", required=True, help="Type of the generic object") parser.add_argument("-d", "--dict", required=True, help="Dict ") args = parser.parse_args() pymisp = PyMISP(misp_url, misp_key, misp_verifycert) try: template_id = [ x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list() if x['ObjectTemplate']['name'] == args.type ][0] except IndexError: valid_types = ", ".join([ x['ObjectTemplate']['name'] for x in pymisp.get_object_templates_list() ]) print("Template for type %s not found! Valid types are: %s" % (args.type, valid_types)) exit() misp_object = GenericObject(args.type.replace("|", "-"), json.loads(args.dict)) r = pymisp.add_object(args.event, template_id, misp_object)
import json from pymisp import PyMISP from keys import misp_url, misp_key, misp_verifycert from pymisp.tools import SBSignatureObject pymisp = PyMISP(misp_url, misp_key, misp_verifycert) a = json.loads('{"signatures":[{"new_data":[],"confidence":100,"families":[],"severity":1,"weight":0,"description":"AttemptstoconnecttoadeadIP:Port(2uniquetimes)","alert":false,"references":[],"data":[{"IP":"95.101.39.58:80(Europe)"},{"IP":"192.35.177.64:80(UnitedStates)"}],"name":"dead_connect"},{"new_data":[],"confidence":30,"families":[],"severity":2,"weight":1,"description":"PerformssomeHTTPrequests","alert":false,"references":[],"data":[{"url":"http://cert.int-x3.letsencrypt.org/"},{"url":"http://apps.identrust.com/roots/dstrootcax3.p7c"}],"name":"network_http"},{"new_data":[],"confidence":100,"families":[],"severity":2,"weight":1,"description":"Theofficefilehasaunconventionalcodepage:ANSICyrillic;Cyrillic(Windows)","alert":false,"references":[],"data":[],"name":"office_code_page"}]}') a = [(x['name'], x['description']) for x in a["signatures"]] b = SBSignatureObject(a) template_id = [x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list() if x['ObjectTemplate']['name'] == 'sb-signature'][0] pymisp.add_object(234111, template_id, b)
parser = argparse.ArgumentParser(description='Extract indicators out of binaries and add MISP objects to a MISP instance.') parser.add_argument("-e", "--event", required=True, help="Event ID to update.") parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).") args = parser.parse_args() pymisp = PyMISP(misp_url, misp_key, misp_verifycert) for f in glob.glob(args.path): try: fo, peo, seos = make_binary_objects(f) except Exception as e: traceback.print_exc() continue if seos: for s in seos: template_id = pymisp.get_object_template_id(s.template_uuid) r = pymisp.add_object(args.event, template_id, s) if peo: template_id = pymisp.get_object_template_id(peo.template_uuid) r = pymisp.add_object(args.event, template_id, peo) for ref in peo.ObjectReference: r = pymisp.add_object_reference(ref) if fo: template_id = pymisp.get_object_template_id(fo.template_uuid) response = pymisp.add_object(args.event, template_id, fo) for ref in fo.ObjectReference: r = pymisp.add_object_reference(ref)