def store_sample(file_object):
sha256 = file_object.sha256
if not sha256:
print_error("No hash")
return None
folder = os.path.join(
__project__.get_path(),
'binaries',
sha256[0],
sha256[1],
sha256[2],
sha256[3]
)
if not os.path.exists(folder):
os.makedirs(folder, 0o750)
file_path = os.path.join(folder, sha256)
if not os.path.exists(file_path):
with open(file_path, 'wb') as stored:
for chunk in file_object.get_chunks():
stored.write(chunk)
else:
print_warning("File exists already")
return None
return file_path
def __init__(self):
super(VirusTotal, self).__init__()
if not HAVE_VT:
self.log('error', "Missing dependency, install virustotal-api (`pip install virustotal-api`)")
return
self.cur_path = __project__.get_path()
if cfg.virustotal.virustotal_has_private_key:
self.vt = vt_priv(cfg.virustotal.virustotal_key)
else:
self.vt = vt(cfg.virustotal.virustotal_key)
if cfg.virustotal.virustotal_has_intel_key:
self.vt_intel = vt_intel(cfg.virustotal.virustotal_key)
self.parser.add_argument('--search', help='Search a hash.')
self.parser.add_argument('-c', '--comment', nargs='+', help='Comment to add to the file')
self.parser.add_argument('-d', '--download', action='store_true', help='Hash of the file to download')
self.parser.add_argument('-dl', '--download_list', action='store_true', help='List the downloaded files')
self.parser.add_argument('-do', '--download_open', type=int, help='Open a file from the list of the DL files (ID)')
self.parser.add_argument('-don', '--download_open_name', help='Open a file by name from the list of the DL files (NAMe)')
self.parser.add_argument('-dd', '--download_delete', help='Delete a file from the list of the DL files can be an ID or all.')
self.parser.add_argument('-s', '--submit', action='store_true', help='Submit file or a URL to VirusTotal (by default it only looks up the hash/url)')
self.parser.add_argument('-i', '--ip', help='IP address to lookup in the passive DNS')
self.parser.add_argument('-dm', '--domain', help='Domain to lookup in the passive DNS')
self.parser.add_argument('-u', '--url', help='URL to lookup on VT')
self.parser.add_argument("-v", "--verbose", action='store_true', help="Turn on verbose mode.")
self.parser.add_argument('-m', '--misp', default=None, choices=['hashes', 'ips', 'domains', 'urls', 'download', 'download_all'],
help='Searches for the hashes, ips, domains or URLs from the current MISP event, or download the samples if possible. Be carefull with download_all: it will download *all* the samples of all the MISP events in the current project.')
def __init__(self):
super(VirusTotal, self).__init__()
if not HAVE_VT:
self.log('error', "Missing dependency, install virustotal-api (`pip install virustotal-api`)")
return
self.cur_path = __project__.get_path()
if cfg.virustotal.virustotal_has_private_key:
self.vt = vt_priv(cfg.virustotal.virustotal_key)
else:
self.vt = vt(cfg.virustotal.virustotal_key)
if cfg.virustotal.virustotal_has_intel_key:
self.vt_intel = vt_intel(cfg.virustotal.virustotal_key)
self.parser.add_argument('--search', help='Search a hash.')
self.parser.add_argument('-c', '--comment', nargs='+', help='Comment to add to the file')
self.parser.add_argument('-d', '--download', action='store_true', help='Hash of the file to download')
self.parser.add_argument('-dl', '--download_list', action='store_true', help='List the downloaded files')
self.parser.add_argument('-do', '--download_open', type=int, help='Open a file from the list of the DL files (ID)')
self.parser.add_argument('-don', '--download_open_name', help='Open a file by name from the list of the DL files (NAMe)')
self.parser.add_argument('-dd', '--download_delete', help='Delete a file from the list of the DL files can be an ID or all.')
self.parser.add_argument('-s', '--submit', action='store_true', help='Submit file or a URL to VirusTotal (by default it only looks up the hash/url)')
self.parser.add_argument('-i', '--ip', help='IP address to lookup in the passive DNS')
self.parser.add_argument('-dm', '--domain', help='Domain to lookup in the passive DNS')
self.parser.add_argument('-u', '--url', help='URL to lookup on VT')
self.parser.add_argument("-v", "--verbose", action='store_true', help="Turn on verbose mode.")
self.parser.add_argument('-m', '--misp', default=None, choices=['hashes', 'ips', 'domains', 'urls', 'download', 'download_all'],
help='Searches for the hashes, ips, domains or URLs from the current MISP event, or download the samples if possible. Be carefull with download_all: it will download *all* the samples of all the MISP events in the current project.')
def __init__(self):
super(Scraper, self).__init__()
try:
self.user_agents = cfg.useragents.ua.split('\n')
except Exception:
# Use a generic user agent in case the viper user didn't update their config file
self.user_agents = ['Mozilla/5.0 (Windows NT 6.3; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0']
self.scraper_store = os.path.join(__project__.get_path(), 'scraper')
if not os.path.exists(self.scraper_store):
os.makedirs(self.scraper_store)
self.quiet = False
self.very_quiet = False
self.verbose = False
self.debug = False
# Scraping paramaters
self.parser.add_argument("-u", "--url", help='URL to scrap')
self.parser.add_argument("--depth", type=int, default=1, help='Depth to crawl on the website')
# Actions on already scraped data
self.parser.add_argument("-l", "--list", action='store_true', help='List already scraped URLs')
group1 = self.parser.add_argument_group('ID details', 'Actions on scraped data (by ID).')
group1.add_argument("-i", "--id", type=int, help='Dump ID (get it from -l/--list).')
group1.add_argument("-d", "--delete", action='store_true', help='Delete a report (ID, or all).')
group1.add_argument("-v", "--view", action='store_true', help='View a dump.')
group1.add_argument("-t", "--tree", action='store_true', help='Tree view.')
group1.add_argument("-ch", "--copy_har", help='Copy harfiles somewhere else.')
# General parameters
self.parser.add_argument("-vq", "--very_quiet", action='store_true', help='Very quiet view (Only display hostnames)')
self.parser.add_argument("-q", "--quiet", action='store_true', help='Quiet view (Only display external URLs)')
self.parser.add_argument("--verbose", action='store_true', help='Verbose view')
self.parser.add_argument("--debug", action='store_true', help='Enable debug on the crawler.')
def store_sample(file_object):
sha256 = file_object.sha256
if not sha256:
print_error("No hash")
return None
folder = os.path.join(
__project__.get_path(),
'binaries',
sha256[0],
sha256[1],
sha256[2],
sha256[3]
)
if not os.path.exists(folder):
os.makedirs(folder, 0o750)
file_path = os.path.join(folder, sha256)
if not os.path.exists(file_path):
with open(file_path, 'wb') as stored:
for chunk in file_object.get_chunks():
stored.write(chunk)
else:
print_warning("File exists already")
return None
return file_path
def get_sample_path(sha256):
path = os.path.join(__project__.get_path(), 'binaries', sha256[0],
sha256[1], sha256[2], sha256[3], sha256)
if not os.path.exists(path):
return None
return path
def _download_all(self):
project_path = __project__.get_path()
acq = snoopdroid.Acquisition(storage_folder="/tmp", all_apks=True)
acq.connect()
acq.get_packages()
acq.pull_packages()
acq.disconnect()
def __init__(self):
db_path = os.path.join(__project__.get_path(), "viper.db")
self.engine = create_engine("sqlite:///{0}".format(db_path), poolclass=NullPool)
self.engine.echo = False
self.engine.pool_timeout = 60
Base.metadata.create_all(self.engine)
self.Session = sessionmaker(bind=self.engine)
def __init__(self):
db_path = os.path.join(__project__.get_path(), 'viper.db')
self.engine = create_engine('sqlite:///{0}'.format(db_path), poolclass=NullPool)
self.engine.echo = False
self.engine.pool_timeout = 60
Base.metadata.create_all(self.engine)
self.Session = sessionmaker(bind=self.engine)
def _connect_database(self, connection):
if connection.startswith("mysql+pymysql"):
self.engine = create_engine(connection)
elif connection.startswith("mysql"):
self.engine = create_engine(connection, connect_args={"check_same_thread": False})
elif connection.startswith("postgresql"):
self.engine = create_engine(connection, connect_args={"sslmode": "disable"})
else:
db_path = os.path.join(__project__.get_path(), 'viper.db')
self.engine = create_engine('sqlite:///{0}'.format(db_path), poolclass=NullPool)
def _connect_database(self, connection):
if connection.startswith("mysql+pymysql"):
self.engine = create_engine(connection)
elif connection.startswith("mysql"):
self.engine = create_engine(connection, connect_args={"check_same_thread": False})
elif connection.startswith("postgresql"):
self.engine = create_engine(connection, connect_args={"sslmode": "disable"})
else:
db_path = os.path.join(__project__.get_path(), 'viper.db')
self.engine = create_engine('sqlite:///{0}'.format(db_path), poolclass=NullPool)
def __init__(self):
connection_string = cfg.database.conn_string
if not connection_string:
db_path = os.path.join(__project__.get_path(), 'viper.db')
self.engine = create_engine('sqlite:///{0}'.format(db_path), poolclass=NullPool)
else:
self.engine = create_engine(connection_string, poolclass=NullPool)
self.engine.echo = False
self.engine.pool_timeout = 60
Base.metadata.create_all(self.engine)
self.Session = sessionmaker(bind=self.engine)
def get_sample_path(sha256):
path = os.path.join(
__project__.get_path(),
'binaries',
sha256[0],
sha256[1],
sha256[2],
sha256[3],
sha256
)
if not os.path.exists(path):
return None
return path
def __init__(self):
super(MISP, self).__init__()
self.cur_path = __project__.get_path()
self.parser.add_argument("--url", help='URL of the MISP instance')
self.parser.add_argument("--off", action='store_true', help='Use offline (can only work on pre-downloaded events)')
self.parser.add_argument("--on", action='store_true', help='Switch to online mode')
self.parser.add_argument("-k", "--key", help='Your key on the MISP instance')
self.parser.add_argument("-v", "--verify", default=True, action='store_false', help='Disable certificate verification (for self-signed)')
subparsers = self.parser.add_subparsers(dest='subname')
# ##### Upload sample to MISP #####
parser_up = subparsers.add_parser('upload', help='Send malware sample to MISP.',
formatter_class=argparse.RawDescriptionHelpFormatter,
description=textwrap.dedent('''
Distribution levels:
* 0: Your organisation only
* 1: This community only
* 2: Connected communities
* 3: All communities
* 5: Inherit
Sample categories:
* 0: Payload delivery
* 1: Artifacts dropped
* 2: Payload installation
* 3: External analysis
Analysis levels:
* 0: Initial
* 1: Ongoing
* 2: Completed
Threat levels:
* 0: High
* 1: Medium
* 2: Low
* 3: Undefined
'''))
parser_up.add_argument("-e", "--event", type=int, help="Event ID to update. If None, and you're not connected to a MISP event a new one is created.")
parser_up.add_argument("-d", "--distrib", type=int, choices=[0, 1, 2, 3, 5], help="Distribution of the attributes for the new event.")
parser_up.add_argument("-s", "--sharing", type=int, help="Sharing group ID when distribution is set to 4.")
parser_up.add_argument("-ids", action='store_true', help="Is eligible for automatically creating IDS signatures.")
parser_up.add_argument("-c", "--categ", type=int, choices=[0, 1, 2, 3], default=1, help="Category of the samples.")
parser_up.add_argument("-i", "--info", nargs='+', help="Event info field of a new event.")
parser_up.add_argument("-o", "--comment", nargs='+', help="Comment associated to the sample.")
parser_up.add_argument("-a", "--analysis", type=int, choices=[0, 1, 2], help="Analysis level a new event.")
parser_up.add_argument("-t", "--threat", type=int, choices=[0, 1, 2, 3], help="Threat level of a new event.")
# ##### Download samples from event #####
parser_down = subparsers.add_parser('download', help='Download malware samples from MISP.')
group = parser_down.add_mutually_exclusive_group()
group.add_argument("-e", "--event", type=int, help="Download all the samples related to this event ID.")
group.add_argument("-l", "--list", nargs='*', help="Download all the samples related to a list of events. Empty list to download all the samples of all the events stored in the current project.") # noqa
group.add_argument("--hash", help="Download the sample related to this hash (only MD5).")
# ##### Search in MISP #####
parser_search = subparsers.add_parser('search', help='Search in all the attributes.')
parser_search.add_argument("query", nargs='*', help="String to search (if empty, search the hashes of the current file).")
# ##### Check hashes on VT #####
parser_checkhashes = subparsers.add_parser('check_hashes', help='Crosscheck hashes on VT.')
parser_checkhashes.add_argument("event", nargs='?', default=None, type=int, help="Lookup all the hashes of an event on VT.")
parser_checkhashes.add_argument("-p", "--populate", action='store_true', help="Automatically populate event with hashes found on VT.")
# ##### Download Yara rules #####
parser_checkhashes = subparsers.add_parser('yara', help='Get YARA rules of an event.')
parser_checkhashes.add_argument("event", nargs='?', default=None, type=int, help="Download the yara rules of that event.")
# ##### Get Events #####
parser_pull = subparsers.add_parser('pull', help='Initialize the session with an existing MISP event.')
parser_pull.add_argument("event", nargs='+', type=int, help="(List of) Event(s) ID.")
# ##### Create an Event #####
parser_create_event = subparsers.add_parser('create_event', help='Create a new event on MISP and initialize the session with it.',
formatter_class=argparse.RawDescriptionHelpFormatter,
description=textwrap.dedent('''
Distribution levels:
* 0: Your organisation only
* 1: This community only
* 2: Connected communities
* 3: All communities
* 4: Sharing group
Sharing Group:
* #: ID of sharing group
Analysis levels:
* 0: Initial
* 1: Ongoing
* 2: Completed
Threat levels:
* 0: High
* 1: Medium
* 2: Low
* 3: Undefined
'''))
parser_create_event.add_argument("-d", "--distrib", type=int, choices=[0, 1, 2, 3, 4], help="Distribution of the attributes for the new event.")
parser_create_event.add_argument("-s", "--sharing", type=int, help="Sharing group ID when distribution is set to 4.")
parser_create_event.add_argument("-t", "--threat", type=int, choices=[0, 1, 2, 3], help="Threat level of a new event.")
parser_create_event.add_argument("-a", "--analysis", type=int, choices=[0, 1, 2], help="Analysis level a new event.")
parser_create_event.add_argument("-i", "--info", required=True, nargs='+', help="Event info field of a new event.")
parser_create_event.add_argument("--date", help="Date of the event. (Default: today).")
# ##### Add Hashes #####
h = subparsers.add_parser("add_hashes", help="If no parameters, add all the hashes of the current session.")
h.add_argument("-f", "--filename", help="Filename")
h.add_argument("-m", "--md5", help="MD5")
h.add_argument("-s", "--sha1", help="SHA1")
h.add_argument("-a", "--sha256", help="SHA256")
# ##### Add attributes #####
if HAVE_PYMISP:
parser_add = subparsers.add_parser('add', help='Add attributes to an existing MISP event.')
subparsers_add = parser_add.add_subparsers(dest='add')
# Hashes
# Generic add
temp_me = MISPEvent()
if hasattr(temp_me, "types"):
known_types = temp_me.types
else:
# New API
known_types = temp_me.known_types
for t in known_types:
sp = subparsers_add.add_parser(t, help="Add {} to the event.".format(t))
sp.add_argument(t, nargs='+')
# ##### Show attributes #####
subparsers.add_parser('show', help='Show attributes to an existing MISP event.')
# ##### Open file #####
o = subparsers.add_parser('open', help='Open a sample from the temp directory.')
ox = o.add_mutually_exclusive_group(required=True)
ox.add_argument("-l", "--list", action='store_true', help="List available files")
ox.add_argument("-d", "--delete", help="Delete temporary files (use 'all' to remove all the local samples or an Event ID to only remove the associated samples)")
ox.add_argument("sid", nargs='?', type=int, help='Sample ID to open (from the list option).')
# ##### Publish an event #####
subparsers.add_parser('publish', help='Publish an existing MISP event.')
# ##### Show version #####
subparsers.add_parser('version', help='Returns the version of the MISP instance.')
# Store
s = subparsers.add_parser('store', help='Store the current MISP event in the current project.')
s.add_argument("-l", "--list", action='store_true', help="List stored MISP events")
s.add_argument("-u", "--update", action='store_true', help="Update all stored MISP events")
s.add_argument("-s", "--sync", action='store_true', help="Sync all MISP Events with the remote MISP instance")
s.add_argument("-d", "--delete", type=int, help="Delete a stored MISP event")
s.add_argument("-o", "--open", help="Open a stored MISP event")
# Tags
s = subparsers.add_parser('tag', help='Tag managment using MISP taxonomies.')
s.add_argument("-l", "--list", action='store_true', help="List Existing taxonomies.")
s.add_argument("-d", "--details", help="Display all values of a taxonomy.")
s.add_argument("-s", "--search", help="Search all tags matching a value.")
s.add_argument("-e", "--event", help="Add tag to the current event.")
s.add_argument("-a", "--attribute", nargs='+', help="Add tag to an attribute of the current event. Syntax: <identifier for the attribute> <machinetag>")
# Galaxies
s = subparsers.add_parser('galaxies', help='Use misp-galaxy with PyMISPGalaxies.')
s.add_argument("-l", "--list", action='store_true', help="List existing galaxies.")
s.add_argument("-d", "--details", help="Display all values of a galaxy.")
s.add_argument("-v", "--cluster-value", nargs='+', help="Display all details of a cluster value.")
s.add_argument("-s", "--search", nargs='+', help="Search all galaxies matching a value.")
# Admin
s = subparsers.add_parser('admin', help='Administration options.')
admin_parser = s.add_subparsers(dest='admin')
# Organisation
org = admin_parser.add_parser('org', help="Organisation managment.")
subparsers_org = org.add_subparsers(dest='org')
# Get
display = subparsers_org.add_parser('display', help="Display an organisation.")
display.add_argument('id', help='ID of the organisation to display. Use "local" to display all local organisations, "external" for all remote organisations, and "all", for both.')
# Search
search_parser = subparsers_org.add_parser('search', help="Search an organisation by name.")
search_parser.add_argument('name', help='(Partial) name of the organisation.')
search_parser.add_argument('-t', '--type', default='local', choices=['local', 'external', 'all'],
help='Use "local" to search in all local organisations, "external" for remote organisations, and "all", for both.')
# Add
add_org = subparsers_org.add_parser('add', help="Add an organisation.")
add_org.add_argument('name', help='Organisation name.')
add_org.add_argument('-u', '--uuid', default=None, help='UUID of the organisation.')
add_org.add_argument('-d', '--description', default=[], nargs='+', help='Description of the organisation.')
add_org.add_argument('-t', '--type', default=[], nargs='+', help='Type of the organisation.')
add_org.add_argument('-n', '--nationality', default=None, help='Nationality of the organisation.')
add_org.add_argument('-s', '--sector', default=[], nargs='+', help='Sector of the organisation.')
add_org.add_argument('-c', '--contacts', default=[], nargs='+', help='Contact point(s) in the organisation.')
add_org.add_argument('--not-local', default=True, action='store_false', help='**Not** a local organisation.')
# Delete
delete = subparsers_org.add_parser('delete', help="Delete an organisation.")
delete.add_argument('id', help='ID of the organisation to delete.')
# Edit
edit = subparsers_org.add_parser('edit', help="Edit an organisation.")
edit.add_argument('id', help='ID of the organisation to edit.')
edit.add_argument('-n', '--name', help='Organisation name.')
edit.add_argument('-u', '--uuid', help='UUID of the organisation.')
edit.add_argument('-d', '--description', default=[], nargs='+', help='Description of the organisation.')
edit.add_argument('-t', '--type', default=[], nargs='+', help='Type of the organisation.')
edit.add_argument('--nationality', help='Nationality of the organisation.')
edit.add_argument('-s', '--sector', default=[], nargs='+', help='Sector of the organisation.')
edit.add_argument('-c', '--contacts', default=[], nargs='+', help='Contact point(s) in the organisation.')
edit.add_argument('--not-local', default=True, action='store_false', help='**Not** a local organisation.')
# User
user = admin_parser.add_parser('user', help="User managment.")
subparsers_user = user.add_subparsers(dest='user')
# Get
display = subparsers_user.add_parser('display', help="Display a user.")
display.add_argument('id', help='ID of the user to display. Use "all" to display all users.')
# Search
search_usr = subparsers_user.add_parser('search', help="Search a user by email.")
search_usr.add_argument('name', help='(Partial) email of the user.')
# Add
add_usr = subparsers_user.add_parser('add', help="Add a user.")
add_usr.add_argument('email', help='User email address.')
add_usr.add_argument('-o', '--org-id', default=None, help='Organisation ID of the user.')
add_usr.add_argument('-r', '--role-id', default=None, help='Role of the user')
add_usr.add_argument('-g', '--gpgkey', default=None, help='Path to the GPG public key export')
add_usr.add_argument('-c', '--change-pw', default=None, action='store_true', help='Force thanging the password after next login')
add_usr.add_argument('-t', '--termsaccepted', default=None, action='store_true', help='Set the TOC to accepted')
add_usr.add_argument('-p', '--password', default=None, help='Set a new password')
add_usr.add_argument('-d', '--disabled', default=None, action='store_true', help='Disable the account')
# Delete
delete = subparsers_user.add_parser('delete', help="Delete a user.")
delete.add_argument('id', help='ID of the user to delete.')
# Edit
edit = subparsers_user.add_parser('edit', help="Edit a user.")
edit.add_argument('id', help='ID of the user to edit.')
edit.add_argument('-e', '--email', help='User email address.')
edit.add_argument('-o', '--org-id', default=None, help='Organisation ID of the user.')
edit.add_argument('-r', '--role-id', default=None, help='Role of the user')
edit.add_argument('-g', '--gpgkey', default=None, help='Path to the GPG public key export')
edit.add_argument('-c', '--change-pw', default=None, action='store_true', help='Force thanging the password after next login')
edit.add_argument('-t', '--termsaccepted', default=None, action='store_true', help='Set the TOC to accepted')
edit.add_argument('-p', '--password', default=None, help='Set a new password')
edit.add_argument('-d', '--disabled', default=None, action='store_true', help='Disable the account')
# Role
role = admin_parser.add_parser('role', help="Role managment.")
subparsers_role = role.add_subparsers(dest='role')
# Get
display = subparsers_role.add_parser('display', help="Display all the roles.")
# Search
search_role = subparsers_role.add_parser('search', help="Search a role by name.")
search_role.add_argument('name', help='(Partial) name of the role.')
# Tags
t = admin_parser.add_parser('tag', help="Tag managment.")
subparsers_tag = t.add_subparsers(dest='tag')
# Get
display = subparsers_tag.add_parser('display', help="Display all the tags.")
# Search
search_tag = subparsers_tag.add_parser('search', help="Search a tag by name.")
search_tag.add_argument('name', help='(Partial) name of the tag.')
self.categories = {0: 'Payload delivery', 1: 'Artifacts dropped', 2: 'Payload installation', 3: 'External analysis'}
def __init__(self):
super(MISP, self).__init__()
self.cur_path = __project__.get_path()
self.parser.add_argument("--url", help='URL of the MISP instance')
self.parser.add_argument("-k", "--key", help='Your key on the MISP instance')
self.parser.add_argument("-v", "--verify", action='store_false', help='Disable certificate verification (for self-signed)')
subparsers = self.parser.add_subparsers(dest='subname')
# ##### Upload sample to MISP #####
parser_up = subparsers.add_parser('upload', help='Send malware sample to MISP.',
formatter_class=argparse.RawDescriptionHelpFormatter,
description=textwrap.dedent('''
Distribution levels:
* 0: Your organisation only
* 1: This community only
* 2: Connected communities
* 3: All communities
Sample categories:
* 0: Payload delivery
* 1: Artifacts dropped
* 2: Payload installation
* 3: External analysis
Analysis levels:
* 0: Initial
* 1: Ongoing
* 2: Completed
Threat levels:
* 0: High
* 1: Medium
* 2: Low
* 3: Undefined
'''))
parser_up.add_argument("-e", "--event", type=int, help="Event ID to update. If None, and you're not connected to a MISP event a new one is created.")
parser_up.add_argument("-d", "--distrib", type=int, choices=[0, 1, 2, 3], help="Distribution of the attributes for the new event.")
parser_up.add_argument("-ids", action='store_true', help="Is eligible for automatically creating IDS signatures.")
parser_up.add_argument("-c", "--categ", type=int, choices=[0, 1, 2, 3], default=1, help="Category of the samples.")
parser_up.add_argument("-i", "--info", nargs='+', help="Event info field of a new event.")
parser_up.add_argument("-o", "--comment", nargs='+', help="Comment associated to the sample.")
parser_up.add_argument("-a", "--analysis", type=int, choices=[0, 1, 2], help="Analysis level a new event.")
parser_up.add_argument("-t", "--threat", type=int, choices=[0, 1, 2, 3], help="Threat level of a new event.")
# ##### Download samples from event #####
parser_down = subparsers.add_parser('download', help='Download malware samples from MISP.')
group = parser_down.add_mutually_exclusive_group()
group.add_argument("-e", "--event", type=int, help="Download all the samples related to this event ID.")
group.add_argument("-l", "--list", nargs='*', help="Download all the samples related to a list of events. Empty list to download all the samples of all the events stored in the current project.")
group.add_argument("--hash", help="Download the sample related to this hash (only MD5).")
# ##### Search in MISP #####
parser_search = subparsers.add_parser('search', help='Search in all the attributes.')
parser_search.add_argument("query", nargs='*', help="String to search (if empty, search the hashes of the current file).")
# ##### Check hashes on VT #####
parser_checkhashes = subparsers.add_parser('check_hashes', help='Crosscheck hashes on VT.')
parser_checkhashes.add_argument("event", nargs='?', default=None, type=int, help="Lookup all the hashes of an event on VT.")
parser_checkhashes.add_argument("-p", "--populate", action='store_true', help="Automatically populate event with hashes found on VT.")
# ##### Download Yara rules #####
parser_checkhashes = subparsers.add_parser('yara', help='Get YARA rules of an event.')
parser_checkhashes.add_argument("event", nargs='?', default=None, type=int, help="Download the yara rules of that event.")
# ##### Get Events #####
parser_pull = subparsers.add_parser('pull', help='Initialize the session with an existing MISP event.')
parser_pull.add_argument("event", nargs='+', type=int, help="(List of) Event(s) ID.")
# ##### Create an Event #####
parser_create_event = subparsers.add_parser('create_event', help='Create a new event on MISP and initialize the session with it.',
formatter_class=argparse.RawDescriptionHelpFormatter,
description=textwrap.dedent('''
Distribution levels:
* 0: Your organisation only
* 1: This community only
* 2: Connected communities
* 3: All communities
Analysis levels:
* 0: Initial
* 1: Ongoing
* 2: Completed
Threat levels:
* 0: High
* 1: Medium
* 2: Low
* 3: Undefined
'''))
parser_create_event.add_argument("-d", "--distrib", required=True, type=int, choices=[0, 1, 2, 3], help="Distribution of the attributes for the new event.")
parser_create_event.add_argument("-t", "--threat", required=True, type=int, choices=[0, 1, 2, 3], help="Threat level of a new event.")
parser_create_event.add_argument("-a", "--analysis", required=True, type=int, choices=[0, 1, 2], help="Analysis level a new event.")
parser_create_event.add_argument("-i", "--info", required=True, nargs='+', help="Event info field of a new event.")
parser_create_event.add_argument("--date", help="Date of the event. (Default: today).")
# ##### Add attributes #####
parser_add = subparsers.add_parser('add', help='Add attributes to an existing MISP event.')
subparsers_add = parser_add.add_subparsers(dest='add')
# Hashes
h = subparsers_add.add_parser("hashes", help="If no parameters, add all the hashes of the current session.")
h.add_argument("-f", "--filename", help="Filename")
h.add_argument("-m", "--md5", help="MD5")
h.add_argument("-s", "--sha1", help="SHA1")
h.add_argument("-a", "--sha256", help="SHA256")
# Registry key
rk = subparsers_add.add_parser("regkey", help="Add a registry key to the event.")
rk.add_argument("regkey", nargs='+', help="First word is the key, second word (optional) is the value: <key> <value>")
# Pipe
pipe = subparsers_add.add_parser("pipe", help="Add a pipe to the event.")
pipe.add_argument("pipe", help='Name of the pipe.')
# Mutex
mutex = subparsers_add.add_parser("mutex", help="Add a mutex to the event.")
mutex.add_argument("mutex", help='Name of the mutex.')
# IP Destination
ipdst = subparsers_add.add_parser("ipdst", help="Add a destination IP (C&C Server) to the event.")
ipdst.add_argument("ipdst", help='IP address')
# Hostname
hostname = subparsers_add.add_parser("hostname", help="Add an hostname to the event.")
hostname.add_argument("hostname", help='Hostname')
# Domain
domain = subparsers_add.add_parser("domain", help="Add a domain to the event.")
domain.add_argument("domain", help='Domain')
# URL
url = subparsers_add.add_parser("url", help="Add a URL to the event.")
url.add_argument("full_url", help='URL')
# User Agent
ua = subparsers_add.add_parser("ua", help="Add a user-agent to the event.")
ua.add_argument("ua", help='User Agent')
# Pattern in file
pfile = subparsers_add.add_parser("pattern_file", help="Add a pattern in file to the event.")
pfile.add_argument("pfile", help='Pattern in file')
# Pattern in Memory
pmem = subparsers_add.add_parser("pattern_mem", help="Add a pattern in memory to the event.")
pmem.add_argument("pmem", help='Pattern in memory')
# Pattern in traffic
ptraffic = subparsers_add.add_parser("pattern_traffic", help="Add a to the event.")
ptraffic.add_argument("ptraffic", help='Pattern in traffic')
# ##### Show attributes #####
subparsers.add_parser('show', help='Show attributes to an existing MISP event.')
# ##### Open file #####
o = subparsers.add_parser('open', help='Open a sample from the temp directory.')
ox = o.add_mutually_exclusive_group(required=True)
ox.add_argument("-l", "--list", action='store_true', help="List available files")
ox.add_argument("-d", "--delete", help="Delete temporary files (use 'all' to remove all the local samples or an Event ID to only remove the associated samples)")
ox.add_argument("sid", nargs='?', type=int, help='Sample ID to open (from the list option).')
# ##### Publish an event #####
subparsers.add_parser('publish', help='Publish an existing MISP event.')
# ##### Show version #####
subparsers.add_parser('version', help='Returns the version of the MISP instance.')
# Store
s = subparsers.add_parser('store', help='Store the current MISP event in the current project.')
s.add_argument("-l", "--list", action='store_true', help="List stored MISP events")
s.add_argument("-u", "--update", action='store_true', help="Update all stored MISP events")
s.add_argument("-d", "--delete", type=int, help="Delete a stored MISP event")
s.add_argument("-o", "--open", type=int, help="Open a stored MISP event")
self.categories = {0: 'Payload delivery', 1: 'Artifacts dropped', 2: 'Payload installation', 3: 'External analysis'}
def __init__(self):
super(MISP, self).__init__()
self.cur_path = __project__.get_path()
self.parser.add_argument("--url", help='URL of the MISP instance')
self.parser.add_argument("--off", action='store_true', help='Use offline (can only work on pre-downloaded events)')
self.parser.add_argument("--on", action='store_true', help='Switch to online mode')
self.parser.add_argument("-k", "--key", help='Your key on the MISP instance')
self.parser.add_argument("-v", "--verify", action='store_false', help='Disable certificate verification (for self-signed)')
subparsers = self.parser.add_subparsers(dest='subname')
# ##### Upload sample to MISP #####
parser_up = subparsers.add_parser('upload', help='Send malware sample to MISP.',
formatter_class=argparse.RawDescriptionHelpFormatter,
description=textwrap.dedent('''
Distribution levels:
* 0: Your organisation only
* 1: This community only
* 2: Connected communities
* 3: All communities
Sample categories:
* 0: Payload delivery
* 1: Artifacts dropped
* 2: Payload installation
* 3: External analysis
Analysis levels:
* 0: Initial
* 1: Ongoing
* 2: Completed
Threat levels:
* 0: High
* 1: Medium
* 2: Low
* 3: Undefined
'''))
parser_up.add_argument("-e", "--event", type=int, help="Event ID to update. If None, and you're not connected to a MISP event a new one is created.")
parser_up.add_argument("-d", "--distrib", type=int, choices=[0, 1, 2, 3], help="Distribution of the attributes for the new event.")
parser_up.add_argument("-ids", action='store_true', help="Is eligible for automatically creating IDS signatures.")
parser_up.add_argument("-c", "--categ", type=int, choices=[0, 1, 2, 3], default=1, help="Category of the samples.")
parser_up.add_argument("-i", "--info", nargs='+', help="Event info field of a new event.")
parser_up.add_argument("-o", "--comment", nargs='+', help="Comment associated to the sample.")
parser_up.add_argument("-a", "--analysis", type=int, choices=[0, 1, 2], help="Analysis level a new event.")
parser_up.add_argument("-t", "--threat", type=int, choices=[0, 1, 2, 3], help="Threat level of a new event.")
# ##### Download samples from event #####
parser_down = subparsers.add_parser('download', help='Download malware samples from MISP.')
group = parser_down.add_mutually_exclusive_group()
group.add_argument("-e", "--event", type=int, help="Download all the samples related to this event ID.")
group.add_argument("-l", "--list", nargs='*', help="Download all the samples related to a list of events. Empty list to download all the samples of all the events stored in the current project.")
group.add_argument("--hash", help="Download the sample related to this hash (only MD5).")
# ##### Search in MISP #####
parser_search = subparsers.add_parser('search', help='Search in all the attributes.')
parser_search.add_argument("query", nargs='*', help="String to search (if empty, search the hashes of the current file).")
# ##### Check hashes on VT #####
parser_checkhashes = subparsers.add_parser('check_hashes', help='Crosscheck hashes on VT.')
parser_checkhashes.add_argument("event", nargs='?', default=None, type=int, help="Lookup all the hashes of an event on VT.")
parser_checkhashes.add_argument("-p", "--populate", action='store_true', help="Automatically populate event with hashes found on VT.")
# ##### Download Yara rules #####
parser_checkhashes = subparsers.add_parser('yara', help='Get YARA rules of an event.')
parser_checkhashes.add_argument("event", nargs='?', default=None, type=int, help="Download the yara rules of that event.")
# ##### Get Events #####
parser_pull = subparsers.add_parser('pull', help='Initialize the session with an existing MISP event.')
parser_pull.add_argument("event", nargs='+', type=int, help="(List of) Event(s) ID.")
# ##### Create an Event #####
parser_create_event = subparsers.add_parser('create_event', help='Create a new event on MISP and initialize the session with it.',
formatter_class=argparse.RawDescriptionHelpFormatter,
description=textwrap.dedent('''
Distribution levels:
* 0: Your organisation only
* 1: This community only
* 2: Connected communities
* 3: All communities
Analysis levels:
* 0: Initial
* 1: Ongoing
* 2: Completed
Threat levels:
* 0: High
* 1: Medium
* 2: Low
* 3: Undefined
'''))
parser_create_event.add_argument("-d", "--distrib", type=int, choices=[0, 1, 2, 3], help="Distribution of the attributes for the new event.")
parser_create_event.add_argument("-t", "--threat", type=int, choices=[0, 1, 2, 3], help="Threat level of a new event.")
parser_create_event.add_argument("-a", "--analysis", type=int, choices=[0, 1, 2], help="Analysis level a new event.")
parser_create_event.add_argument("-i", "--info", required=True, nargs='+', help="Event info field of a new event.")
parser_create_event.add_argument("--date", help="Date of the event. (Default: today).")
# ##### Add Hashes #####
h = subparsers.add_parser("add_hashes", help="If no parameters, add all the hashes of the current session.")
h.add_argument("-f", "--filename", help="Filename")
h.add_argument("-m", "--md5", help="MD5")
h.add_argument("-s", "--sha1", help="SHA1")
h.add_argument("-a", "--sha256", help="SHA256")
# ##### Add attributes #####
parser_add = subparsers.add_parser('add', help='Add attributes to an existing MISP event.')
subparsers_add = parser_add.add_subparsers(dest='add')
# Hashes
# Generic add
temp_me = MISPEvent()
for t in sorted(temp_me.types):
sp = subparsers_add.add_parser(t, help="Add {} to the event.".format(t))
sp.add_argument(t, nargs='+')
# ##### Show attributes #####
subparsers.add_parser('show', help='Show attributes to an existing MISP event.')
# ##### Open file #####
o = subparsers.add_parser('open', help='Open a sample from the temp directory.')
ox = o.add_mutually_exclusive_group(required=True)
ox.add_argument("-l", "--list", action='store_true', help="List available files")
ox.add_argument("-d", "--delete", help="Delete temporary files (use 'all' to remove all the local samples or an Event ID to only remove the associated samples)")
ox.add_argument("sid", nargs='?', type=int, help='Sample ID to open (from the list option).')
# ##### Publish an event #####
subparsers.add_parser('publish', help='Publish an existing MISP event.')
# ##### Show version #####
subparsers.add_parser('version', help='Returns the version of the MISP instance.')
# Store
s = subparsers.add_parser('store', help='Store the current MISP event in the current project.')
s.add_argument("-l", "--list", action='store_true', help="List stored MISP events")
s.add_argument("-u", "--update", action='store_true', help="Update all stored MISP events")
s.add_argument("-s", "--sync", action='store_true', help="Sync all MISP Events with the remote MISP instance")
s.add_argument("-d", "--delete", type=int, help="Delete a stored MISP event")
s.add_argument("-o", "--open", help="Open a stored MISP event")
# Tags
s = subparsers.add_parser('tag', help='Tag managment using MISP taxonomies.')
s.add_argument("-l", "--list", action='store_true', help="List Existing taxonomies.")
s.add_argument("-d", "--details", help="Display all values of a taxonomy.")
s.add_argument("-s", "--search", help="Search all tags matching a value.")
s.add_argument("-e", "--event", help="Add tag to the current event.")
s.add_argument("-a", "--attribute", nargs='+', help="Add tag to an attribute of the current event. Syntax: <identifier for the attribute> <machinetag>")
self.categories = {0: 'Payload delivery', 1: 'Artifacts dropped', 2: 'Payload installation', 3: 'External analysis'}
