def submit_to_misp(self, misp: PyMISP, misp_event: MISPEvent,
misp_objects: list):
'''
Submit a list of MISP objects to a MISP event
:misp: PyMISP API object for interfacing with MISP
:misp_event: MISPEvent object
:misp_objects: List of MISPObject objects. Must be a list
'''
# go through round one and only add MISP objects
misp_objects = []
for misp_object in misp_objects:
self.misp_logger.debug(misp_object)
if len(misp_object.attributes) > 0:
if misp_object.name == 'network-connection':
template_id = 'af16764b-f8e5-4603-9de1-de34d272f80b'
else:
# self.misp_logger.debug(dir(pymisp.api))
# self.misp_logger.debug(dir(self.misp))
# exit()
self.misp_logger.debug(misp_object.template_uuid)
object_template = self.misp.get_object_template(
misp_object.template_uuid)
template_id = object_template['ObjectTemplate']['id']
self.misp_logger.debug(template_id)
self.misp_logger.debug(dir(misp_event))
self.misp_logger.debug(misp_event)
# add the object and get the result
result = misp.add_object(event=misp_event,
misp_object=misp_object)
self.misp_logger.debug(result)
misp_objects.append(result)
# go through round two and add all the object references for each object
misp_object_references = []
for misp_object in misp_objects:
for reference in misp_object.ObjectReference:
# add the reference and get the result
result = misp.add_object_reference(reference)
misp_object_references.append(result)
return misp_objects, misp_object_references
class MISPIntegrator(object):
def __init__(self, logger, db):
"""
Declares some object attributes.
:param logger: A logger object.
:param db: A MongoDBConnection object.
"""
self.parser = get_main_config_parser()
self.misp_parser = get_misp_config_parser()
self.misp = PyMISP(self.parser.get('misp', 'url'),
self.parser.get('misp', 'key'),
ssl=bool(self.parser.get('misp', 'ssl')),
out_type=self.parser.get('misp', 'out_type'),
debug=bool(self.parser.get('misp', 'debug')))
self.distribution = self.parser.get('misp', 'distribution')
self.local_git = self.parser.get('git', 'local_git')
self.remote_git = self.parser.get('git', 'remote_git').rsplit('.',
1)[0]
self.attributes = dict(self.misp_parser.values()[1].items())
self.logger = logger
self.db = db
tag_name, tag_colour = self.parser.get('misp', 'tag').split(',')
all_tags = self._set_tag_id(tag_name, tag_colour)
taxonomies = self.parser.get('misp', 'taxonomies').split(',')
self._set_taxonomy_tag_ids(taxonomies, all_tags)
def _set_tag_id(self, tag_name, tag_colour):
"""
Determines the ID to a given tag. If the tag is not present in MISP
it will be created otherwise.
:param tag_name (str): Name of the tag to create if necessary.
:param tag_colour (str): A HTML colour code for the tag to create.
:return: List of all tags in MISP.
"""
all_tags = self.misp.get_tags_list()
exploit_tag = [tag for tag in all_tags if tag['name'] == tag_name]
if exploit_tag:
self.tag_ids = [exploit_tag[0]['id']]
else:
new_tag = self.misp.new_tag(name=tag_name, colour=tag_colour)
self.tag_ids = [new_tag['Tag']['id']]
return all_tags
def _set_taxonomy_tag_ids(self, taxonomies, all_tags):
"""
If the given taxonomies are not enabled yet, it will be enabled as well
as the specific tag. The IDs of the taxonomy tags are added to a list.
If a tag or taxonomy is not found, it will be logged.
:param taxonomies (list): A list of taxonomies as strings.
:param all_tags (list): List of all tags in MISP as strings.
"""
# TODO: it seems that get_taxonomies_list() does not fetch
# all existing taxonomies:
# https://github.com/MISP/PyMISP/issues/342
all_taxonomies = self.misp.get_taxonomies_list()['response']
for taxonomy in taxonomies:
namespace, _ = taxonomy.split(':')
tax = [
tax for tax in all_taxonomies
if namespace == tax['Taxonomy']['namespace']
]
if tax:
tax = tax[0]['Taxonomy']
if not tax['enabled']:
# TODO: it seems that it is not possible to enable a
# specific tag of a taxonomy, if it is not yet enabled:
# https://github.com/MISP/PyMISP/issues/343
# until this is not fixed, all tags of the taxonomy must
# be enabled. if it is fixed, remove the line with
# enable_taxonomy_tags() and uncomment the line with
# enable_tag() below
self.misp.enable_taxonomy(tax['id'])
self.misp.enable_taxonomy_tags(tax['id'])
tag = [tag for tag in all_tags if tag['name'] == taxonomy]
if tag:
tag_id = tag[0]['id']
# self.misp.enable_tag(tag_id)
self.tag_ids.append(tag_id)
else:
self.logger.warn(
'Could not find tag: {}.'.format(taxonomy))
else:
self.logger.warn(
'Could not find taxonomy: {}.'.format(taxonomy))
def _create_event(self, date, description):
"""
Creates a new event and tag it with the tag id of the config file.
"Threat Level" has not to be defined (:= no risk), because it is only
a POC analysis.
:param date (str): The date when the exploit was created.
:param description (str): Description of the new event.
:return: UUID of created event as string.
"""
uuid = self.misp.new_event(
date=date, info=description,
distribution=self.distribution)['Event']['uuid']
for tag_id in self.tag_ids:
response = self.misp.tag(uuid, tag_id)
if 'successfully attached to' not in response['message']:
self.logger.warn('Could not tag event {}: {}'.format(
uuid, response))
return uuid
def _add_attributes_to_event(self,
uuid,
misp_type,
values,
category,
new_event=True):
"""
Adds attributes to an event if it is new, otherwise it searches for
an attribute which has a given value. If not so, a new attribute will
be created for that event.
:param uuid (str): The uuid of the event.
:param misp_type (str): Type of an attribute.
:param values (list): List of values of the attribute as string.
:param category (str): Category of an attribute.
:param new_event (boolean): If the event was added before; default is
True.
"""
for val in values:
if new_event:
self.misp.add_named_attribute(uuid,
misp_type,
val,
category=category)
else:
# if we search for all values in the list, we do not know
# which attribute we need to add.
response = self.misp.search(
uuid=uuid,
type_attribute=misp_type,
category=category,
values=[val],
controller='attributes')['response']
if not response['Attribute']:
self.misp.add_named_attribute(uuid,
misp_type,
val,
category=category)
def _add_exploit_poc_template(self, uuid, exploit):
"""
Adds a new exploit-poc object template to a given event.
:param uuid (str): The uuid of the event.
:param exploit (dict): Dictionary of an exploit. It needs the following
keys: 'file', 'author' and 'description'.
"""
gen_obj = GenericObjectGenerator('exploit-poc')
attributes = []
exploit_file = exploit['file']
with open(os.path.join(self.local_git, exploit_file)) as f:
poc = f.read()
attributes.append({
'poc':
poc,
'references':
'{}/tree/master/{}'.format(self.remote_git, exploit_file),
'author':
exploit['author'],
'description':
exploit['description']
})
gen_obj.generate_attributes(attributes)
self.misp.add_object(uuid, gen_obj.template_uuid, gen_obj)
def integrate(self, exploits):
"""
It integrates the exploits as new events to MISP. If an unexcepted
exception occurs it will be logged.
:param exploits (list): List of exploit dictionaries.
"""
for exploit in exploits:
try:
# if this exploit alreadey exist, we do not need to add it
# again
if 'misp-uuid' not in exploit:
# encode uuid, otherwise the event is not found
uuid = self._create_event(
exploit['date'],
exploit['description']).encode('utf-8')
self.db.insert_or_update_exploits_by_id([{
'id':
exploit['id'],
'misp-uuid':
uuid
}])
event = None
else:
uuid = exploit['misp-uuid']
event = self.misp.get_event(uuid)
for tag, value in exploit.items():
category, misp_type = self.attributes.get(tag,
',').split(',')
if not value or tag not in exploit \
or (not category and not misp_type):
continue
# put value to a list, so that we do not need to differ if
# it is a list or not.
if not isinstance(value, list):
value = [value]
if event is None:
self._add_attributes_to_event(uuid, misp_type, value,
category)
else:
self._add_attributes_to_event(uuid,
misp_type,
value,
category,
new_event=False)
# only add poc if event is new
if event is None:
self._add_exploit_poc_template(uuid, exploit)
except Exception:
self.logger.warn(
'Unexpected exception while MISP integration occurred '
'for file: {}'.format(exploit['file']),
exc_info=True)
if args.disable_new:
event_id = response['response'][0]['id']
else:
last_event_date = parse(response['response'][0]['date']).date()
nb_attr = response['response'][0]['attribute_count']
if last_event_date < date.today() or int(nb_attr) > 1000:
me = create_new_event()
else:
event_id = response['response'][0]['id']
else:
me = create_new_event()
parameters = {'banned-ip': args.banned_ip, 'attack-type': args.attack_type}
if args.processing_timestamp:
parameters['processing-timestamp'] = args.processing_timestamp
if args.failures:
parameters['failures'] = args.failures
if args.sensor:
parameters['sensor'] = args.sensor
if args.victim:
parameters['victim'] = args.victim
if args.logline:
parameters['logline'] = b64decode(args.logline).decode()
f2b = Fail2BanObject(parameters=parameters, standalone=False)
if me:
me.add_object(f2b)
pymisp.add_event(me)
elif event_id:
template_id = pymisp.get_object_template_id(f2b.template_uuid)
a = pymisp.add_object(event_id, template_id, f2b)
import json
from pymisp import PyMISP
from keys import misp_url, misp_key, misp_verifycert
from pymisp.tools import SBSignatureObject
pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
a = json.loads(
'{"signatures":[{"new_data":[],"confidence":100,"families":[],"severity":1,"weight":0,"description":"AttemptstoconnecttoadeadIP:Port(2uniquetimes)","alert":false,"references":[],"data":[{"IP":"95.101.39.58:80(Europe)"},{"IP":"192.35.177.64:80(UnitedStates)"}],"name":"dead_connect"},{"new_data":[],"confidence":30,"families":[],"severity":2,"weight":1,"description":"PerformssomeHTTPrequests","alert":false,"references":[],"data":[{"url":"http://cert.int-x3.letsencrypt.org/"},{"url":"http://apps.identrust.com/roots/dstrootcax3.p7c"}],"name":"network_http"},{"new_data":[],"confidence":100,"families":[],"severity":2,"weight":1,"description":"Theofficefilehasaunconventionalcodepage:ANSICyrillic;Cyrillic(Windows)","alert":false,"references":[],"data":[],"name":"office_code_page"}]}'
)
a = [(x['name'], x['description']) for x in a["signatures"]]
b = SBSignatureObject(a)
template_id = [
x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list()
if x['ObjectTemplate']['name'] == 'sb-signature'
][0]
pymisp.add_object(234111, template_id, b)
from keys import misp_url, misp_key, misp_verifycert
import argparse
class GenericObject(AbstractMISPObjectGenerator):
def __init__(self, type, data_dict):
super(GenericObject, self).__init__(type)
self.__data = data_dict
self.generate_attributes()
def generate_attributes(self):
for key, value in self.__data.items():
self.add_attribute(key, value=value)
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Create a MISP Object selectable by type starting from a dictionary')
parser.add_argument("-e", "--event", required=True, help="Event ID to update")
parser.add_argument("-t", "--type", required=True, help="Type of the generic object")
parser.add_argument("-d", "--dict", required=True, help="Dict ")
args = parser.parse_args()
pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
try:
template_id = [x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list() if x['ObjectTemplate']['name'] == args.type][0]
except IndexError:
valid_types = ", ".join([x['ObjectTemplate']['name'] for x in pymisp.get_object_templates_list()])
print ("Template for type %s not found! Valid types are: %s" % (args.type, valid_types))
exit()
misp_object = GenericObject(args.type.replace("|", "-"), json.loads(args.dict))
r = pymisp.add_object(args.event, template_id, misp_object)
misp_object = MISPObject(name="github-user")
github_user = r.json()
rfollowers = requests.get(github_user['followers_url'])
followers = rfollowers.json()
rfollowing = requests.get(
"https://api.github.com/users/{}/following".format(args.username))
followings = rfollowing.json()
rkeys = requests.get("https://api.github.com/users/{}/keys".format(
args.username))
keys = rkeys.json()
misp_object.add_attributes("follower",
*[follower['login'] for follower in followers])
misp_object.add_attributes(
"following", *[following['login'] for following in followings])
misp_object.add_attributes("ssh-public-key",
*[sshkey['key'] for sshkey in keys])
misp_object.add_attribute('bio', github_user['bio'])
misp_object.add_attribute('link', github_user['html_url'])
misp_object.add_attribute('user-fullname', github_user['name'])
misp_object.add_attribute('username', github_user['login'])
misp_object.add_attribute('twitter_username',
github_user['twitter_username'])
misp_object.add_attribute('location', github_user['location'])
misp_object.add_attribute('company', github_user['company'])
misp_object.add_attribute('public_gists', github_user['public_gists'])
misp_object.add_attribute('public_repos', github_user['public_repos'])
misp_object.add_attribute('blog', github_user['blog'])
misp_object.add_attribute('node_id', github_user['node_id'])
retcode = pymisp.add_object(args.event, misp_object)
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Extract indicators out of binaries and add MISP objects to a MISP instance.')
parser.add_argument("-e", "--event", required=True, help="Event ID to update.")
parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).")
args = parser.parse_args()
pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
for f in glob.glob(args.path):
try:
fo, peo, seos = make_binary_objects(f)
except Exception as e:
traceback.print_exc()
if seos:
for s in seos:
template_id = pymisp.get_object_template_id(s.template_uuid)
r = pymisp.add_object(args.event, template_id, s)
if peo:
template_id = pymisp.get_object_template_id(peo.template_uuid)
r = pymisp.add_object(args.event, template_id, peo)
for ref in peo.ObjectReference:
r = pymisp.add_object_reference(ref)
if fo:
template_id = pymisp.get_object_template_id(fo.template_uuid)
response = pymisp.add_object(args.event, template_id, fo)
for ref in fo.ObjectReference:
r = pymisp.add_object_reference(ref)
# -*- coding: utf-8 -*-
from pymisp import PyMISP
from pymisp.tools import EMailObject
import traceback
from keys import misp_url, misp_key, misp_verifycert
import glob
import argparse
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Extract indicators out of binaries and add MISP objects to a MISP instance.')
parser.add_argument("-e", "--event", required=True, help="Event ID to update.")
parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).")
args = parser.parse_args()
pymisp = PyMISP(misp_url, misp_key, misp_verifycert, debug=True)
for f in glob.glob(args.path):
try:
eo = EMailObject(f)
except Exception as e:
traceback.print_exc()
continue
if eo:
template_id = pymisp.get_object_template_id(eo.template_uuid)
response = pymisp.add_object(args.event, template_id, eo)
for ref in eo.ObjectReference:
r = pymisp.add_object_reference(ref)
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pymisp import PyMISP
from pymisp.tools import SSHAuthorizedKeysObject
import traceback
from keys import misp_url, misp_key, misp_verifycert
import glob
import argparse
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Extract indicators out of authorized_keys file.')
parser.add_argument("-e", "--event", required=True, help="Event ID to update.")
parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).")
args = parser.parse_args()
pymisp = PyMISP(misp_url, misp_key, misp_verifycert, debug=True)
for f in glob.glob(args.path):
try:
auth_keys = SSHAuthorizedKeysObject(f)
except Exception:
traceback.print_exc()
continue
template_id = pymisp.get_object_template_id(auth_keys.template_uuid)
response = pymisp.add_object(args.event, template_id, auth_keys)
for ref in auth_keys.ObjectReference:
r = pymisp.add_object_reference(ref)
required=True,
help="Path to process (expanded using glob).")
args = parser.parse_args()
pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
for f in glob.glob(args.path):
try:
fo, peo, seos = make_binary_objects(f)
except Exception:
traceback.print_exc()
continue
if seos:
for s in seos:
r = pymisp.add_object(args.event, s)
if peo:
if hasattr(peo, 'certificates') and hasattr(peo, 'signers'):
# special authenticode case for PE objects
for c in peo.certificates:
pymisp.add_object(args.event, c, pythonify=True)
for s in peo.signers:
pymisp.add_object(args.event, s, pythonify=True)
del peo.certificates
del peo.signers
del peo.sections
r = pymisp.add_object(args.event, peo, pythonify=True)
for ref in peo.ObjectReference:
r = pymisp.add_object_reference(ref)
nb_attr = response['response'][0]['attribute_count']
if last_event_date < date.today() or int(nb_attr) > 1000:
me = create_new_event()
else:
event_id = response['response'][0]['id']
else:
me = create_new_event()
parameters = {'banned-ip': args.banned_ip, 'attack-type': args.attack_type}
if args.processing_timestamp:
parameters['processing-timestamp'] = args.processing_timestamp
if args.failures:
parameters['failures'] = args.failures
if args.sensor:
parameters['sensor'] = args.sensor
if args.victim:
parameters['victim'] = args.victim
if args.logline:
parameters['logline'] = b64decode(args.logline).decode()
if args.logfile:
with open(args.logfile, 'rb') as f:
parameters['logfile'] = {'value': os.path.basename(args.logfile),
'data': BytesIO(f.read())}
f2b = Fail2BanObject(parameters=parameters, standalone=False)
if me:
me.add_object(f2b)
pymisp.add_event(me)
elif event_id:
template_id = pymisp.get_object_template_id(f2b.template_uuid)
a = pymisp.add_object(event_id, template_id, f2b)
class MispImport:
def __init__(self, logger):
self.api = PyMISP(misp_url,
misp_key,
misp_verifycert,
'json',
debug=False)
self.response = None
self.logger = logger
self.caching = Caching()
def import_data(self, data_to_push):
all_events = []
for k, data in data_to_push.items():
if not self.is_already_present(data['url_tweet']):
if data['retweet']:
self.logger.info('RT %s %s ' %
(data['retweet_id'], data['url_tweet']))
eid = self.caching.translate(data['retweet_id'])
self.logger.info('translate found %s %s' %
(eid, data['retweet_id']))
if eid:
event = self.api.get(int(eid))
else:
res = self.api.search(values=data['retweet_id'],
type_attribute='twitter-id')
if res['response']:
event = res['response'][0]
else:
self.logger.error('Event not found tweet %s ' %
data['retweet_id'])
continue
if 'Event' in event:
self.logger.info('Event has found %s' %
event['Event']['id'])
self.caching.caching(data['retweet_id'],
event['Event']['id'])
self.api.add_named_attribute(
event=event,
type_value='url',
category='External analysis',
value=data['url_tweet'])
self.api.add_named_attribute(event=event,
type_value="twitter-id",
category="Social network",
value=k)
all_tags = [t['name'] for t in event['Event']['Tag']]
if not 'toqualify' in all_tags and not 'toenrich' in all_tags:
self.api.tag(event['Event']['uuid'], 'topublish')
else:
self.logger.error(
'Event not found tweet %s error decode %s' %
(data['retweet_id'], event))
continue
elif data['quoted_tweet']:
self.logger.info('Tweet quoted %s' % data['quoted_tweet'])
eid = self.caching.translate(data['quoted_status_id'])
if eid:
event = self.api.get(int(eid))
else:
res = self.api.search(values=data['quoted_status_id'],
type_attribute='twitter-id')
if res['response']:
event = res['response'][0]
if 'Event' in event:
self.caching.caching(data['quoted_status_id'],
event['Event']['id'])
else:
self.logger.error('Event not found tweet %s ' %
data['quoted_status_id'])
continue
else:
self.logger.error('Quoted Tweet not found %s' %
data['url_tweet'])
continue
else:
event = self.api.new_event(distribution=0,
info=data['url_tweet'],
analysis=0,
threat_level_id=1)
self.caching.caching(k, event['Event']['id'])
self.logger.info('Event create %s' % event['Event']['id'])
if event:
self.add_tags(event, data['tags'])
self.api.add_named_attribute(event=event,
type_value='url',
category='External analysis',
value=data['url_tweet'])
self.logger.info('add url tweet %s at %s' %
(data['url_tweet'], event['Event']['id']))
self.api.add_named_attribute(event=event,
type_value='text',
category='External analysis',
value=data['tweet_text'])
self.api.add_named_attribute(event=event,
type_value="twitter-id",
category="Social network",
value=k)
for url in data['urls']:
self.api.add_named_attribute(
event=event,
type_value='url',
category="External analysis",
value=url)
self.logger.info('add externals url %s to %s' %
(url, event['Event']['id']))
self.api.freetext(event_id=event['Event']['id'],
string=data['tweet_text'],
adhereToWarninglists=True)
self.logger.debug(
'add text %s to %s' %
(data['tweet_text'], event['Event']['id']))
for d in data['data']:
if 'magic' in d.state_machine and d.state_machine[
'magic']['pe']:
hash_algo = sha256()
hash_algo.update(d.content_decoded)
self.api.add_named_attribute(
event=event,
type_value='sha256',
category='Payload delivery',
value=hash_algo.hexdigest())
self.add_object(event, d.content_decoded,
hash_algo.hexdigest())
self.add_tags(event, ['Malware'])
self.logger.info('add malware')
elif 'magic' in d.state_machine and d.state_machine[
'magic']['elf']:
self.api.add_object(event['Event']['id'], 13,
d.content_decoded)
else:
try:
self.api.freetext(
event_id=event['Event']['id'],
string=d.content_decoded.decode(),
adhereToWarninglists=True)
self.api.add_named_attribute(
event=event,
type_value='text',
category='External analysis',
value=d.content_decoded.decode())
except UnicodeDecodeError:
self.logger.Error('Error decoding')
pass
self.__remove_shortcut(event)
all_events.append(event['Event']['id'])
return all_events
def is_already_present(self, url_tweet):
try:
response = self.api.search(values=[url_tweet],
type_value='url',
category='External analysis')
self.response = response
return bool(response['response'])
except:
self.logger.error('Error search %s ' % url_tweet)
return True
def add_object(self, event, data, filename):
obj = make_binary_objects(pseudofile=BytesIO(data), filename=filename)
if obj[1]:
self.api.add_object(event['Event']['id'], 28, obj[1])
def add_tags(self, event, tags):
#self.api.add_tag(event,'OSINT')
for t in tags:
self.api.tag(event['Event']['uuid'], t)
self.api.tag(event['Event']['uuid'], 'OSINT')
self.api.tag(event['Event']['uuid'], 'tlp:white')
self.api.tag(event['Event']['uuid'], 'toenrich')
def __remove_shortcut(self, event):
self.logger.debug('delete attr function')
event = self.api.get_event(event['Event']['id'])
attrs = [
attr for attr in event['Event']['Attribute']
if attr['category'] == 'Network activity'
and 'https://t.co' in attr['value']
]
for attr in attrs:
self.logger.debug('try to connect to %s' % attr['value'])
r = requests.get(attr['value'].replace("'", ""))
if r.status_code == 200:
self.api.add_named_attribute(event=event,
type_value='url',
category='External analysis',
value=r.url)
self.api.delete_attribute(attr['id'])
self.logger.info('delete attr %s' % attr['id'])
from keys import misp_url, misp_key, misp_verifycert
import glob
import argparse
if __name__ == '__main__':
parser = argparse.ArgumentParser(
description='Extract indicators out of authorized_keys file.')
parser.add_argument("-e",
"--event",
required=True,
help="Event ID to update.")
parser.add_argument("-p",
"--path",
required=True,
help="Path to process (expanded using glob).")
args = parser.parse_args()
pymisp = PyMISP(misp_url, misp_key, misp_verifycert, debug=True)
for f in glob.glob(args.path):
try:
auth_keys = SSHAuthorizedKeysObject(f)
except Exception:
traceback.print_exc()
continue
template_id = pymisp.get_object_template_id(auth_keys.template_uuid)
response = pymisp.add_object(args.event, template_id, auth_keys)
for ref in auth_keys.ObjectReference:
r = pymisp.add_object_reference(ref)
parser.add_argument("-e",
"--event",
required=True,
help="Event ID to update")
parser.add_argument("-t",
"--type",
required=True,
help="Type of the generic object")
parser.add_argument("-d", "--dict", required=True, help="Dict ")
args = parser.parse_args()
pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
try:
template_id = [
x['ObjectTemplate']['id']
for x in pymisp.get_object_templates_list()
if x['ObjectTemplate']['name'] == args.type
][0]
except IndexError:
valid_types = ", ".join([
x['ObjectTemplate']['name']
for x in pymisp.get_object_templates_list()
])
print("Template for type %s not found! Valid types are: %s" %
(args.type, valid_types))
exit()
misp_object = GenericObject(args.type.replace("|", "-"),
json.loads(args.dict))
r = pymisp.add_object(args.event, template_id, misp_object)
import json
from pymisp import PyMISP
from keys import misp_url, misp_key, misp_verifycert
from pymisp.tools import SBSignatureObject
pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
a = json.loads('{"signatures":[{"new_data":[],"confidence":100,"families":[],"severity":1,"weight":0,"description":"AttemptstoconnecttoadeadIP:Port(2uniquetimes)","alert":false,"references":[],"data":[{"IP":"95.101.39.58:80(Europe)"},{"IP":"192.35.177.64:80(UnitedStates)"}],"name":"dead_connect"},{"new_data":[],"confidence":30,"families":[],"severity":2,"weight":1,"description":"PerformssomeHTTPrequests","alert":false,"references":[],"data":[{"url":"http://cert.int-x3.letsencrypt.org/"},{"url":"http://apps.identrust.com/roots/dstrootcax3.p7c"}],"name":"network_http"},{"new_data":[],"confidence":100,"families":[],"severity":2,"weight":1,"description":"Theofficefilehasaunconventionalcodepage:ANSICyrillic;Cyrillic(Windows)","alert":false,"references":[],"data":[],"name":"office_code_page"}]}')
a = [(x['name'], x['description']) for x in a["signatures"]]
b = SBSignatureObject(a)
template_id = [x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list() if x['ObjectTemplate']['name'] == 'sb-signature'][0]
pymisp.add_object(234111, template_id, b)
parser = argparse.ArgumentParser(description='Extract indicators out of binaries and add MISP objects to a MISP instance.')
parser.add_argument("-e", "--event", required=True, help="Event ID to update.")
parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).")
args = parser.parse_args()
pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
for f in glob.glob(args.path):
try:
fo, peo, seos = make_binary_objects(f)
except Exception as e:
traceback.print_exc()
continue
if seos:
for s in seos:
template_id = pymisp.get_object_template_id(s.template_uuid)
r = pymisp.add_object(args.event, template_id, s)
if peo:
template_id = pymisp.get_object_template_id(peo.template_uuid)
r = pymisp.add_object(args.event, template_id, peo)
for ref in peo.ObjectReference:
r = pymisp.add_object_reference(ref)
if fo:
template_id = pymisp.get_object_template_id(fo.template_uuid)
response = pymisp.add_object(args.event, template_id, fo)
for ref in fo.ObjectReference:
r = pymisp.add_object_reference(ref)
