#!/usr/bin/env python # -*- coding: utf-8 -*- from pymisp import ExpandedPyMISP from keys import misp_url, misp_key, misp_verifycert import argparse if __name__ == '__main__': parser = argparse.ArgumentParser( description='Delete an event from a MISP instance.') parser.add_argument("-e", "--event", help="Event ID to delete.") parser.add_argument("-a", "--attribute", help="Attribute ID to delete.") args = parser.parse_args() misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert) if args.event: result = misp.delete_event(args.event) else: result = misp.delete_attribute(args.attribute) print(result)
class MISPController(object): ''' MISP Controller ''' def __init__(self, misp_param, debug=False): self.misp_param = misp_param self.debug = debug if misp_param.get('connect_immediately', False): self._connect() else: self.misp = None def import_event(self, event_data): ''' Import event ''' # Check registered same event info print('importing: {}'.format(event_data['title'])) events = self._search_event(eventinfo=event_data['title']) if events != None: for event in events: if event_data['title'] == event['Event']['info']: self._remove_event(event['Event']['id']) event = self._add_event(event_data) if event: print('created event: {}'.format(event.id)) else: print("Import failed.Please retry: {}".format(event_data['title'])) def _connect(self): self.debug_print('URL: {}'.format(self.misp_param['url'])) self.debug_print('authkey: {}'.format(self.misp_param['authkey'])) self.misp = ExpandedPyMISP(self.misp_param['url'], self.misp_param['authkey'], ssl=False, debug=False) self._registered_tags = self.misp.tags() def _check_tag(self, target_tag): if self.misp == None: self._connect() if self._registered_tags == None: self._get_tags() for tag_info in self._registered_tags: if tag_info.get('name', '') == target_tag: return True self.debug_print('new tag: {}'.format(target_tag)) cnt = 0 while True: try: if self.misp == None: self._connect() tmp = MISPTag() tmp.from_dict(name=target_tag) self.misp.add_tag(tmp) self._get_tags() return True except: print(traceback.format_exc()) if cnt < int(self.misp_param.get('max_retry_count', '0')): print('add new tag retry: {}'.format(cnt)) cnt = cnt + 1 time.sleep(10) else: return False def _add_event(self, value): for tag in value['event_tags']: self._check_tag(tag) for attribute in value['attributes']: for tag in attribute['tags']: self._check_tag(tag) cnt = 0 while True: try: if self.misp == None: self._connect() tmp = MISPEvent() tmp.from_dict( distribution=self.misp_param['distribution'], threat_level_id=self.misp_param['threat_level_id'], analysis=self.misp_param['analysis'], info=value['title'], date=value['date'], published=False) response = self.misp.add_event(tmp) if response.get('errors'): raise Exception(str(response['errors'])) event = MISPEvent() event.load(response) break except: print(traceback.format_exc()) if cnt < int(self.misp_param.get('max_retry_count', '0')): print('add new event retry: {}'.format(cnt)) cnt = cnt + 1 time.sleep(10) else: return None self.debug_print(event.id) for tag in value['event_tags']: event.add_tag(tag) for attribute in value['attributes']: attribute_tags = [] event.add_attribute(type=attribute['type'], value=attribute['value'], category=attribute['category'], comment=attribute.get('comment', ''), distribution=self.misp_param['distribution'], Tag=self._create_tags(attribute['tags'])) event.published = True if self._update_event(event): self.debug_print('completed') return event else: self.debug_print('add failed') return None def _get_event(self, id): cnt = 0 while True: try: if self.misp == None: self._connect() self.debug_print('get event start: {}'.format(id)) event = self.misp.get_event(id) if event.get('errors'): raise Exception(str(event['errors'])) self.debug_print('get event end: {}'.format(id)) return event except: print(traceback.format_exc()) if cnt < int(self.misp_param.get('max_retry_count', '0')): print('get event retry: {}'.format(cnt)) cnt = cnt + 1 time.sleep(10) else: return None def _remove_event(self, id): if id: print('delete event: {}'.format(id)) cnt = 0 while True: try: if self.misp == None: self._connect() response = self.misp.delete_event(id) if response.get('errors'): raise Exception(str(response['errors'])) return True except: print(traceback.format_exc()) if cnt < int(self.misp_param.get('max_retry_count', '0')): print('remove event retry: {}'.format(cnt)) cnt = cnt + 1 time.sleep(10) else: return False def _search_event(self, **cons): cnt = 0 while True: try: if self.misp == None: self._connect() self.debug_print('search event start') response = self.misp.search_index(**cons) self.debug_print('search event end') results = [] for json in response: if json.get('id', ''): results.append(self._get_event(json['id'])) else: print('no event ID') print(json) return results except: print(traceback.format_exc()) if cnt < int(self.misp_param.get('max_retry_count', '0')): print('search event retry: {}'.format(cnt)) cnt = cnt + 1 time.sleep(10) else: return None def _update_event(self, event): cnt = 0 while True: try: if self.misp == None: self._connect() self.debug_print('event update start: {}'.format(event.id)) response = self.misp.update_event(event) if response.get('errors'): raise Exception(str(response['errors'])) self.debug_print('{} updated'.format(event.id)) return True except: print(traceback.format_exc()) if cnt < int(self.misp_param.get('max_retry_count', '0')): print('retry: {}'.format(cnt)) cnt = cnt + 1 time.sleep(10) else: print('event update failed: {}'.format(event.info)) try: self._remove_event(event.id) except: pass return False def _create_tags(self, values): tags = [] for value in values: if value: tags.append({'name': value}) return tags def debug_print(self, message): if self.debug == False: return # nowstr = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S') nowstr = datetime.datetime.now().strftime('%H:%M:%S') print('{}\t{}'.format(nowstr, message))