def buildEvent(pkg, **kwargs):
    """
    Build a MISP event from the observables contained in a STIX package.

    :param pkg: The STIX package to convert. Its header title, when present
                and non-empty, becomes the event info.
    :param kwargs: Optional ``distribution`` (default 0), ``threat_level_id``
                   (default 3) and ``analysis`` (default 0) for the new event.
    :returns: The MISPEvent after each collected observable has been handed
              to buildAttribute.
    """
    log.info("Building Event...")

    # A missing header and a missing/empty title both get the generic title.
    header = pkg.stix_header
    title = header.title if header and header.title else "STIX Import"
    log.info(title)

    event = mispevent.MISPEvent()
    event.distribution = kwargs.get("distribution", 0)
    event.threat_level_id = kwargs.get("threat_level_id", 3)
    event.analysis = kwargs.get("analysis", 0)
    event.info = title

    seen_ids = []
    pending = []
    for candidate in lintRoll(pkg):
        if not isinstance(candidate, cybox.core.observable.Observable):
            continue
        # The same observable can be reached more than once while walking
        # the package; only its first occurrence (by id_) is queued.
        if candidate.id_ in seen_ids:
            continue
        seen_ids.append(candidate.id_)
        pending.append(candidate)

    for observable in pending:
        # buildAttribute returns the event, so it is rebound on every pass.
        event = buildAttribute(observable, event)

    return event
def MISPtoSTIX(mispJSON):
    """
    Convert a MISP event into a STIX package.

    :param mispJSON: Either a MISPEvent instance, or a value that
                     MISPEvent.load() accepts (the original docstring
                     describes it as a dict holding a MISP event).
    :returns stix: A STIXPackage whose header title is the event info and
                   which carries a single indicator filled from the event's
                   attributes.
    """
    misp_event = mispJSON
    if not isinstance(misp_event, mispevent.MISPEvent):
        # Anything that is not already a MISPEvent is loaded into a new one.
        misp_event = mispevent.MISPEvent()
        misp_event.load(mispJSON)

    package = STIXPackage()
    package.stix_header = STIXHeader()
    # The event's info field is used as the package title.
    package.stix_header.title = misp_event.info

    # All observables of the event are collected under this one indicator.
    shared_indicator = Indicator()
    for attribute in misp_event.attributes:
        buildSTIXAttribute.buildAttribute(attribute, package, shared_indicator)
    package.add_indicator(shared_indicator)

    return package
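def buildEvent(pkg, **kwargs):
    """
    Build a MISP event from the incidents and observables of a STIX package.

    Objects that buildAttribute fails on are logged and skipped, so the
    returned event can be missing data from the package; the log is the only
    record of what was dropped.

    :param pkg: The STIX package to convert. Its header title, when present
                and non-empty, becomes the event info; a ``description``
                attribute, when the package has one, is added as a comment.
    :param kwargs: Optional ``distribution`` (default 0), ``threat_level_id``
                   (default 3) and ``analysis`` (default 0) for the new event.
    :returns: The MISPEvent, with attributes de-duplicated by value (the
              first occurrence of each value is kept).
    """
    log.info("Building Event...")
    if not pkg.stix_header:
        title = "STIX Import"
    else:
        if not pkg.stix_header.title:
            title = "STIX Import"
        else:
            title = pkg.stix_header.title
    log.info("Using title %s", title)

    log.debug("Seting up MISPEvent...")
    event = mispevent.MISPEvent()
    event.distribution = kwargs.get("distribution", 0)
    event.threat_level_id = kwargs.get("threat_level_id", 3)
    event.analysis = kwargs.get("analysis", 0)
    event.info = title

    if hasattr(pkg, "description"):
        log.debug("Found description %s", pkg.description)
        event.add_attribute("comment", pkg.description)

    log.debug("Beginning to Lint_roll...")
    ids = []
    to_process = []
    for obj in lintRoll(pkg):
        if isinstance(obj, stix.core.Incident):
            to_process.append(obj)
        if isinstance(obj, cybox.core.observable.Observable):
            # Observables are queued once per id_.
            if obj.id_ not in ids:
                ids.append(obj.id_)
                to_process.append(obj)

    log.debug("Processing %s object...", len(to_process))
    for obj in to_process:
        log.debug("Working on %s...", obj)
        # Best effort: one object that cannot be converted must not abort
        # the import, so the failure is logged and the loop continues.
        try:
            event = buildAttribute(obj, event)
        except Exception as ex:
            log.exception(ex)

    # Now make sure we only have unique items
    log.debug("Making sure we only have Unique attributes...")
    uniqueAttribValues = []
    duplicateIndexes = []
    for attrindex, attrib in enumerate(event.attributes):
        if attrib.value not in uniqueAttribValues:
            uniqueAttribValues.append(attrib.value)
        else:
            log.debug("Removed duplicated attribute in package: %s",
                      attrib.value)
            duplicateIndexes.append(attrindex)
    # Popping while enumerating shifts the remaining items left, so the
    # element right after a removed duplicate was never examined and a run
    # of duplicates survived. Removing from the highest index down keeps
    # every recorded position valid.
    for attrindex in reversed(duplicateIndexes):
        event.attributes.pop(attrindex)

    log.debug("Finished parsing attributes.")
    return event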
def MISPtoSTIX(mispJSON):
    """
    Convert a MISP event into a STIX package, one indicator per attribute.

    :param mispJSON: Either a MISPEvent instance, or a value that
                     MISPEvent.load() accepts (the original docstring
                     describes it as a dict holding a MISP event).
    :returns stix: A STIXPackage whose header title is the event info, with
                   a ``MISPID`` attribute set and one indicator added for
                   each attribute of the event.
    """
    misp_event = mispJSON
    if not isinstance(misp_event, mispevent.MISPEvent):
        # Anything that is not already a MISPEvent is loaded into a new one.
        misp_event = mispevent.MISPEvent()
        misp_event.load(mispJSON)

    package = STIXPackage()

    try:
        # The id is read from the raw input, not from misp_event.
        # NOTE(review): whether this lookup works when the caller passed a
        # MISPEvent instead of a dict depends on MISPEvent -- confirm.
        package.MISPID = mispJSON["Event"]["id"]
    except Exception:
        # NOTE(review): the broad except hides every lookup failure, and the
        # fallback draws from only 9000 values, so two packages built from
        # id-less events can end up with the same MISPID.
        package.MISPID = random.randint(1, 9000)

    # Keep a copy of the id so it can be put back once the attributes have
    # been converted (the original comment only says "it's being silly").
    backupID = package.MISPID

    package.stix_header = STIXHeader()
    # The event's info field is used as the package title.
    package.stix_header.title = misp_event.info

    for attribute in misp_event.attributes:
        # Each attribute gets an indicator of its own to hold its observables.
        per_attribute_indicator = Indicator()
        buildSTIXAttribute.buildAttribute(attribute, package,
                                          per_attribute_indicator)
        package.add_indicator(per_attribute_indicator)

    # Restored once, after all attributes have been converted.
    package.MISPID = backupID
    return package
def buildEvent(pkg, **kwargs):
    """
    Build a MISP event from every object found in a STIX package.

    :param pkg: The STIX package to convert. Its header title, when present
                and non-empty, becomes the event info.
    :param kwargs: Optional ``distribution`` (default 0), ``threat_level_id``
                   (default 3) and ``analysis`` (default 0) for the new event.
    :returns: The MISPEvent after each object yielded by lintRoll has been
              handed to buildAttribute.
    """
    log.info("Building Event...")

    # Start from the generic title and replace it only when the package
    # header carries a usable one.
    title = "STIX Import"
    header = pkg.stix_header
    if header and header.title:
        title = header.title
    log.info(title)

    event = mispevent.MISPEvent()
    event.info = title
    event.distribution = kwargs.get("distribution", 0)
    event.threat_level_id = kwargs.get("threat_level_id", 3)
    event.analysis = kwargs.get("analysis", 0)

    # No filtering or de-duplication here: whatever lintRoll yields is
    # converted, and buildAttribute's return value becomes the new event.
    for found in lintRoll(pkg):
        event = buildAttribute(found, event)

    return event
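#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Sign a MISP event with a GPG key, then verify the signatures."""

import argparse

from pymisp import mispevent


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Sign & verify a MISP event.')
    parser.add_argument("-i", "--input", required=True, help="Json file")
    parser.add_argument("-u", "--uid", required=True, help="GPG UID")
    args = parser.parse_args()

    me = mispevent.MISPEvent()
    me.load(args.input)

    me.sign(args.uid)

    # Report the outcome: a verification whose result is never looked at
    # cannot fail, which would make the "verify" step meaningless.
    result = me.verify(args.uid)
    print(result)

    # NOTE(review): assumes verify() returns a mapping of signature name to
    # a boolean -- confirm against the installed pymisp version. Any other
    # return type is printed above and left for the operator to judge.
    if isinstance(result, dict) and not all(result.values()):
        raise SystemExit(1)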