def buildEvent(pkg, **kwargs):
log.info("Building Event...")
if not pkg.stix_header:
title = "STIX Import"
else:
if not pkg.stix_header.title:
title = "STIX Import"
else:
title = pkg.stix_header.title
log.info(title)
event = mispevent.MISPEvent()
event.distribution = kwargs.get("distribution", 0)
event.threat_level_id = kwargs.get("threat_level_id", 3)
event.analysis = kwargs.get("analysis", 0)
event.info = title
ids = []
to_process = []
for obj in lintRoll(pkg):
if isinstance(obj, cybox.core.observable.Observable):
if obj.id_ not in ids:
ids.append(obj.id_)
to_process.append(obj)
for obj in to_process:
# This will find literally every object ever.
event = buildAttribute(obj, event)
return event
def buildEvent(pkg, **kwargs):
log.info("Building Event...")
if not pkg.stix_header:
title = "STIX Import"
else:
if not pkg.stix_header.title:
title = "STIX Import"
else:
title = pkg.stix_header.title
log.info("Using title %s", title)
log.debug("Seting up MISPEvent...")
event = mispevent.MISPEvent()
event.distribution = kwargs.get("distribution", 0)
event.threat_level_id = kwargs.get("threat_level_id", 3)
event.analysis = kwargs.get("analysis", 0)
event.info = title
if hasattr(pkg, "description"):
log.debug("Found description %s", pkg.description)
event.add_attribute("comment", pkg.description)
log.debug("Beginning to Lint_roll...")
ids = []
to_process = []
for obj in lintRoll(pkg):
if isinstance(obj, stix.core.Incident):
to_process.append(obj)
if isinstance(obj, cybox.core.observable.Observable):
if obj.id_ not in ids:
ids.append(obj.id_)
to_process.append(obj)
log.debug("Processing %s object...", len(to_process))
for obj in to_process:
log.debug("Working on %s...", obj)
# This will find literally every object ever.
try:
event = buildAttribute(obj, event)
except Exception as ex:
log.exception(ex)
# Now make sure we only have unique items
log.debug("Making sure we only have Unique attributes...")
uniqueAttribValues = []
for attrindex, attrib in enumerate(event.attributes):
if attrib.value not in uniqueAttribValues:
uniqueAttribValues.append(attrib.value)
else:
log.debug("Removed duplicated attribute in package: %s",
attrib.value)
event.attributes.pop(attrindex)
log.debug("Finished parsing attributes.")
return event
def buildEvent(pkg, **kwargs):
log.info("Building Event...")
if not pkg.stix_header:
title = "STIX Import"
else:
if not pkg.stix_header.title:
title = "STIX Import"
else:
title = pkg.stix_header.title
log.info(title)
event = mispevent.MISPEvent()
event.distribution = kwargs.get("distribution", 0)
event.threat_level_id = kwargs.get("threat_level_id", 3)
event.analysis = kwargs.get("analysis", 0)
event.info = title
for obj in lintRoll(pkg):
# This will find literally every object ever.
event = buildAttribute(obj, event)
return event
def write_pkg(pkg, outfile):
# Set the version
log.debug("Writing to %s", outfile)
log.debug("As stix v%s", args.stix_version)
if args.stix_version:
if args.stix_version == "1.1.1":
objs = lint_roller.lintRoll(pkg)
for i in objs:
# Set the object's version
if hasattr(i, "version"):
i.version = args.stix_version
elif args.stix_version == "1.2":
pass # Is default
else:
print("INVALID STIX VERSION {}".format(args.stix_version))
sys.exit()
if args.format == "json":
log.debug("In JSON format")
# Output to JSON
if outfile == "stdout":
# Output to stdout
print(pkg.to_json())
else:
# Output to file
with open(outfile, "w") as f:
f.write(pkg.to_json())
else:
log.debug("In XML format")
# Output to XML
if outfile == "stdout":
# Output to stdout
print(pkg.to_xml())
else:
# Output to file
with open(outfile, "wb") as f:
f.write(pkg.to_xml())
log.debug("Written!")
log.debug(msg)
# Load it as a misp object for easy conversion to STIX
ev = pymisp.mispevent.MISPEvent()
ev.load(msg)
# Convert to STIX
pkg = pymisp.tools.stix.make_stix_package(ev)
log.debug("Loaded successfully!")
# Push the package to TAXII
for version in config.get("stix_versions", ["1.1.1"]):
# Convert to that version
objs = lint_roller.lintRoll(pkg)
for i in objs:
# Set the object's version
if hasattr(i, "version"):
i.version = version
# Set the top-level
pkg.version = version
try:
log.info("Using binding %s", "urn:stix.mitre.org:xml:{}".format(version))
cli.push(content=pkg.to_xml().decode("utf-8"),
content_binding="urn:stix.mitre.org:xml:{}".format(version),
uri="{}://{}/services/inbox".format(config.get("protocol", "http"),
config["domain"]),
collection_names=config["taxii"].get("collections", ["collection"]))
package = convert.MISPtoSTIX(jsondata)
except FileNotFoundError:
print("Could not open {}".format(args.file))
sys.exit()
else:
# This requires a connection to MISP
# As we need to pull an event
# Connect to MISP
MISP = misp.MISP(CONFIG["MISP"]["URL"], CONFIG["MISP"]["KEY"])
package = MISP.pull(args.eid)[0]
# Set the version
if args.stix_version:
if args.stix_version == "1.1.1":
objs = lint_roller.lintRoll(package)
for i in objs:
# Set the object's version
if hasattr(i, "version"):
i.version = args.stix_version
elif args.stix_version == "1.2":
pass # Is default
else:
print("INVALID STIX VERSION {}".format(args.stix_version))
sys.exit()
if args.format == "json":
# Output to JSON
if not args.outfile:
# Output to stdout