required=True, help="Event ID to update.") parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).") args = parser.parse_args() pymisp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert) for f in glob.glob(args.path): try: fo, peo, seos = make_binary_objects(f) except Exception: traceback.print_exc() continue if seos: for s in seos: r = pymisp.add_object(args.event, s) if peo: r = pymisp.add_object(args.event, peo) for ref in peo.ObjectReference: r = pymisp.add_object_reference(ref) if fo: response = pymisp.add_object(args.event, fo) for ref in fo.ObjectReference: r = pymisp.add_object_reference(ref)
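import argparse

if __name__ == '__main__':
    # Description fixed: this script parses e-mail files (EMailObject), not binaries.
    parser = argparse.ArgumentParser(
        description='Extract indicators out of email files and add MISP objects to a MISP instance.')
    parser.add_argument("-e", "--event", required=True, help="Event ID to update.")
    parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).")
    # Debug logging used to be hard-wired on (debug=True); it is now opt-in.
    # NOTE(review): at DEBUG level PyMISP logs the prepared request headers, and
    # the Authorization header is the API key - confirm for your PyMISP version,
    # and keep this off anywhere the logs are retained.
    parser.add_argument("-d", "--debug", action='store_true',
                        help="Enable PyMISP debug logging (verbose; logs request headers).")
    args = parser.parse_args()

    # misp_verifycert (from keys.py) toggles TLS verification of the MISP server;
    # keep it enabled outside a lab, the API key is sent with every request.
    pymisp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert, debug=args.debug)

    for f in glob.glob(args.path):
        # The mails are untrusted input parsed locally; a parser failure is
        # reported and the file skipped rather than aborting the whole batch.
        try:
            eo = EMailObject(f)
        except Exception:
            traceback.print_exc()
            continue
        if not eo:
            continue

        response = pymisp.add_object(args.event, eo, pythonify=True)
        # PyMISP hands back a plain dict with an 'errors' key when the API rejects
        # the request; do not attach references to an object that was not created.
        if isinstance(response, dict) and 'errors' in response:
            print(f'Could not add email object from {f}: {response["errors"]}')
            continue
        for ref in eo.ObjectReference:
            r = pymisp.add_object_reference(ref)
            if isinstance(r, dict) and 'errors' in r:
                print(f'Could not add object reference for {f}: {r["errors"]}')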
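#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""Push SSH ``authorized_keys`` files into a MISP event as objects.

Every file matched by ``--path`` is parsed with ``SSHAuthorizedKeysObject``
and added to the event given by ``--event``; the object's references are
added afterwards. Connection settings come from the local ``keys`` module.
"""
import argparse
import glob
import traceback

from pymisp import ExpandedPyMISP
from pymisp.tools import SSHAuthorizedKeysObject

from keys import misp_url, misp_key, misp_verifycert

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Extract indicators out of authorized_keys file.')
    parser.add_argument("-e", "--event", required=True, help="Event ID to update.")
    parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).")
    # Debug logging was always on (debug=True); it is now opt-in.
    # NOTE(review): at DEBUG level PyMISP logs the prepared request headers, and
    # Authorization carries the API key - confirm for your PyMISP version.
    parser.add_argument("-d", "--debug", action='store_true',
                        help="Enable PyMISP debug logging (verbose; logs request headers).")
    args = parser.parse_args()

    # misp_verifycert toggles TLS verification of the MISP server; keep it
    # enabled outside a lab, the API key travels with every request.
    pymisp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert, debug=args.debug)

    for f in glob.glob(args.path):
        try:
            auth_keys = SSHAuthorizedKeysObject(f)
        except Exception:
            # Unparseable file: report it and keep going with the rest of the batch.
            traceback.print_exc()
            continue

        response = pymisp.add_object(args.event, auth_keys, pythonify=True)
        # PyMISP reports an API failure as a plain dict carrying an 'errors' key;
        # skip the references then, they would point at an object that does not exist.
        if isinstance(response, dict) and 'errors' in response:
            print(f'Could not add object for {f}: {response["errors"]}')
            continue
        for ref in auth_keys.ObjectReference:
            r = pymisp.add_object_reference(ref)
            if isinstance(r, dict) and 'errors' in r:
                print(f'Could not add object reference for {f}: {r["errors"]}')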
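misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert)
if args.new_event:
    # Create a fresh event titled args.new_event and attach every object to it
    # before it is sent, so a single API call creates event and objects.
    event = MISPEvent()
    event.info = args.new_event
    for o in objects:
        event.add_object(**o)
    new_event = misp.add_event(event, pythonify=True)
    if isinstance(new_event, str):
        print(new_event)
    elif 'id' in new_event:
        print(f'Created new event {new_event.id}')
    else:
        # Presumably the raw API error payload; print it as-is.
        print('Something went wrong:')
        print(new_event)
else:
    # Attach the objects one by one to the existing event args.update_event.
    for o in objects:
        new_object = misp.add_object(args.update_event, o, pythonify=True)
        if isinstance(new_object, str):
            print(new_object)
        # getattr: when the API rejects the object PyMISP returns a dict, which
        # has no .attributes and made the original raise instead of reporting.
        elif getattr(new_object, 'attributes', None):
            print(f'New {new_object.name} object added to {args.update_event}')
        else:
            # Was print(new_event): that name is never bound on this branch, so
            # the failure report itself raised NameError.
            print('Something went wrong:')
            print(new_object)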
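import argparse

if __name__ == '__main__':
    # Description fixed: the script parses e-mail files (EMailObject), not binaries.
    parser = argparse.ArgumentParser(
        description='Extract indicators out of email files and add MISP objects to a MISP instance.')
    parser.add_argument("-e", "--event", required=True, help="Event ID to update.")
    parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).")
    parser.add_argument("-d", "--debug", action='store_true',
                        help="Enable PyMISP debug logging (verbose; logs request headers).")
    args = parser.parse_args()

    # NOTE(review): debug used to be hard-wired on. PyMISP at DEBUG logs the
    # prepared request headers, Authorization (the API key) included, so it is
    # now opt-in via --debug; confirm the logging behaviour for your PyMISP version.
    # misp_verifycert toggles TLS verification - keep it enabled outside a lab.
    pymisp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert, debug=args.debug)

    for mail_path in glob.glob(args.path):
        # Untrusted input (presumably phishing samples) parsed locally: a parser
        # failure is printed and the file skipped, the batch continues.
        try:
            eo = EMailObject(mail_path)
        except Exception:
            traceback.print_exc()
            continue
        if not eo:
            continue

        response = pymisp.add_object(args.event, eo)
        # An API failure comes back as a plain dict with an 'errors' key; the
        # references below would dangle, so skip them for this file.
        if isinstance(response, dict) and 'errors' in response:
            print(f'Could not add email object from {mail_path}: {response["errors"]}')
            continue
        for ref in eo.ObjectReference:
            r = pymisp.add_object_reference(ref)
            if isinstance(r, dict) and 'errors' in r:
                print(f'Could not add object reference for {mail_path}: {r["errors"]}')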
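if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Create a file type MISP Object starting from attributes in a csv file')
    parser.add_argument("-e", "--event_uuid", required=True, help="Event UUID to update")
    parser.add_argument("-f", "--attr_file", required=True, help="Attribute CSV file path")
    args = parser.parse_args()

    pymisp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)

    # Expected row layout (';'-separated): filename;sha1;md5;sha256.
    # 'with' closes the CSV file; the original left it open for the process lifetime.
    with open(args.attr_file, newline='') as f:
        csv_reader = csv.reader(f, delimiter=";")
        for line in csv_reader:
            if len(line) < 4:
                # Blank or truncated row: the original indexed line[3] and crashed.
                print(f'Skipping malformed row (expected 4 columns): {line}')
                continue
            filename, sha1, md5, sha256 = line[:4]

            misp_object = MISPObject(name='file', filename=filename)
            # Sharing policy is hard-coded here: the filename is tlp:green, the
            # hashes tlp:amber. Adjust if your distribution rules differ.
            # add_attribute may decline an empty value (returns None) - skip tagging then.
            attr = misp_object.add_attribute("filename", value=filename)
            if attr is not None:
                attr.add_tag('tlp:green')
            for relation, value in (("sha1", sha1), ("md5", md5), ("sha256", sha256)):
                attr = misp_object.add_attribute(relation, value=value)
                if attr is not None:
                    attr.add_tag('tlp:amber')

            r = pymisp.add_object(args.event_uuid, misp_object)
            # PyMISP reports an API failure as a plain dict with an 'errors' key.
            if isinstance(r, dict) and 'errors' in r:
                print(f'Could not add file object for {filename}: {r["errors"]}')
                continue
            print(line)
    print("\nObjects created :)")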
'comment': attribute.get("comment"), 'Tag': misp_tag }) res = api.add_attribute(event, mispattribute) time.sleep(insert_sleep) count_attributes = count_attributes + 1 if 'Object' in data.get("response")[0].get("Event"): objects = data.get("response")[0].get("Event").get("Object") for obj in objects: misp_object = MISPObject(obj.get('name')) if 'Attribute' in obj: for attribute in obj.get('Attribute'): misp_object.add_attribute( attribute.get('object_relation'), type=attribute.get('type'), category=attribute.get('category'), value=attribute.get('value'), to_ids=attribute.get('to_ids'), comment=attribute.get('comment')) api.add_object(event, misp_object) time.sleep(insert_sleep) count_objects = count_objects + 1 # Now publish the event api.publish(event) # Print result print("Event %s (%s) created with %s attributes and %s objects." % (event_import_info, event.id, count_attributes, count_objects))
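import argparse

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Extract indicators out of binaries and add MISP objects to a MISP instance.')
    parser.add_argument("-e", "--event", required=True, help="Event ID to update.")
    parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).")
    args = parser.parse_args()

    # misp_verifycert (from keys.py) toggles TLS verification; keep it on outside a lab.
    pymisp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)

    for f in glob.glob(args.path):
        # The binaries are untrusted (presumably malware samples) and are parsed
        # locally by make_binary_objects; a parser failure is reported and the
        # file skipped so one bad sample does not abort the batch.
        try:
            fo, peo, seos = make_binary_objects(f)
        except Exception:
            traceback.print_exc()
            continue

        # Order kept from the original: seos, then peo, then fo. References are
        # only added once the object they belong to was accepted by MISP, and an
        # API failure comes back as a plain dict with an 'errors' key.
        for s in seos or []:
            r = pymisp.add_object(args.event, s)
            if isinstance(r, dict) and 'errors' in r:
                print(f'Could not add object from {f}: {r["errors"]}')

        if peo:
            r = pymisp.add_object(args.event, peo, pythonify=True)
            if isinstance(r, dict) and 'errors' in r:
                print(f'Could not add object from {f}: {r["errors"]}')
            else:
                for ref in peo.ObjectReference:
                    r = pymisp.add_object_reference(ref)
                    if isinstance(r, dict) and 'errors' in r:
                        print(f'Could not add object reference for {f}: {r["errors"]}')

        if fo:
            response = pymisp.add_object(args.event, fo, pythonify=True)
            if isinstance(response, dict) and 'errors' in response:
                print(f'Could not add file object from {f}: {response["errors"]}')
            else:
                for ref in fo.ObjectReference:
                    r = pymisp.add_object_reference(ref)
                    if isinstance(r, dict) and 'errors' in r:
                        print(f'Could not add object reference for {f}: {r["errors"]}')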
print('You are in offline mode, quitting.') else: misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert) if args.new_event: event = MISPEvent() event.info = args.new_event for o in objects: event.add_object(**o) new_event = misp.add_event(event) if isinstance(new_event, str): print(new_event) elif 'id' in new_event: print(f'Created new event {new_event.id}') else: print('Something went wrong:') print(new_event) else: for o in objects: new_object = misp.add_object(args.update_event, o) if isinstance(new_object, str): print(new_object) elif new_object.attributes: print( f'New {new_object.name} object added to {args.update_event}' ) else: print('Something went wrong:') print(new_event)
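import traceback
from keys import misp_url, misp_key, misp_verifycert
import glob
import argparse

if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='Extract indicators out of authorized_keys file.')
    parser.add_argument("-e", "--event", required=True, help="Event ID to update.")
    parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).")
    parser.add_argument("-d", "--debug", action='store_true',
                        help="Enable PyMISP debug logging (verbose; logs request headers).")
    args = parser.parse_args()

    # NOTE(review): debug was hard-wired on. At DEBUG level PyMISP logs the
    # prepared request headers, Authorization (the API key) included - confirm
    # for your PyMISP version; it is opt-in via --debug now. misp_verifycert
    # toggles TLS verification of the server; keep it enabled outside a lab.
    pymisp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert, debug=args.debug)

    for keys_path in glob.glob(args.path):
        try:
            auth_keys = SSHAuthorizedKeysObject(keys_path)
        except Exception:
            # Unparseable file: print the traceback and move on to the next one.
            traceback.print_exc()
            continue

        response = pymisp.add_object(args.event, auth_keys)
        # An API failure is returned as a plain dict with an 'errors' key; the
        # references would then point at an object that does not exist, so skip them.
        if isinstance(response, dict) and 'errors' in response:
            print(f'Could not add object for {keys_path}: {response["errors"]}')
            continue
        for ref in auth_keys.ObjectReference:
            r = pymisp.add_object_reference(ref)
            if isinstance(r, dict) and 'errors' in r:
                print(f'Could not add object reference for {keys_path}: {r["errors"]}')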
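from keys import misp_url, misp_key, misp_verifycert
import argparse

"""
Sample usage:
./add_generic_object.py -e 5065 -t email -l '[{"to": "*****@*****.**"}, {"to": "*****@*****.**"}]'
"""

if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='Create a MISP Object selectable by type starting from a dictionary')
    parser.add_argument("-e", "--event", required=True, help="Event ID to update")
    parser.add_argument("-t", "--type", required=True, help="Type of the generic object")
    parser.add_argument("-l", "--attr_list", required=True, help="List of attributes")
    args = parser.parse_args()

    # The attribute list arrives as JSON on the command line (see the sample
    # usage above: a list of {relation: value} dicts). Reject anything else with
    # a usage error instead of a traceback from json or generate_attributes.
    try:
        attr_list = json.loads(args.attr_list)
    except json.JSONDecodeError as e:
        parser.error(f'--attr_list is not valid JSON: {e}')
    if not isinstance(attr_list, list) or not all(isinstance(a, dict) for a in attr_list):
        parser.error('--attr_list must be a JSON list of objects, e.g. \'[{"to": "user@example.com"}]\'')

    # misp_verifycert toggles TLS verification; keep it enabled outside a lab.
    pymisp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)

    # Kept from the original: '|' in the template name is normalised to '-'.
    # The template name itself is user-supplied; presumably MISP validates it
    # server-side, so an unknown template surfaces as an API error below.
    misp_object = GenericObjectGenerator(args.type.replace("|", "-"))
    misp_object.generate_attributes(attr_list)
    r = pymisp.add_object(args.event, misp_object)
    # PyMISP reports an API failure as a plain dict carrying an 'errors' key.
    if isinstance(r, dict) and 'errors' in r:
        print(f'Could not add {args.type} object to event {args.event}: {r["errors"]}')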
if last_event_date < date.today() or int(nb_attr) > 1000: me = create_new_event() else: event_id = response[0].id else: me = create_new_event() parameters = {'banned-ip': args.banned_ip, 'attack-type': args.attack_type} if args.processing_timestamp: parameters['processing-timestamp'] = args.processing_timestamp if args.failures: parameters['failures'] = args.failures if args.sensor: parameters['sensor'] = args.sensor if args.victim: parameters['victim'] = args.victim if args.logline: parameters['logline'] = b64decode(args.logline).decode() if args.logfile: with open(args.logfile, 'rb') as f: parameters['logfile'] = { 'value': os.path.basename(args.logfile), 'data': BytesIO(f.read()) } f2b = Fail2BanObject(parameters=parameters, standalone=False) if me: me.add_object(f2b) pymisp.add_event(me) elif event_id: a = pymisp.add_object(event_id, f2b)
for o in objects: print(o.to_json()) else: if offline: print('You are in offline mode, quitting.') else: misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert) if args.new_event: event = MISPEvent() event.info = args.new_event for o in objects: event.add_object(**o) new_event = misp.add_event(event) if isinstance(new_event, str): print(new_event) elif 'id' in new_event: print(f'Created new event {new_event.id}') else: print('Something went wrong:') print(new_event) else: for o in objects: new_object = misp.add_object(args.update_event, o) if isinstance(new_object, str): print(new_object) elif new_object.attributes: print(f'New {new_object.name} object added to {args.update_event}') else: print('Something went wrong:') print(new_event)