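def GetMISPData():
    """Pull tagged IOC attributes from MISP and hand them to Build_CB_Feed.

    Queries ``attributes/restSearch`` for the attribute types listed in
    ``body`` that carry ``misp_tag``, are flagged ``to_ids`` and are not on a
    warninglist, then buckets the values by type. Hash values are accepted
    only when the whole value is hex of the expected length.

    Returns:
        Whatever ``Build_CB_Feed`` returns for the five bucketed IOC lists
        (dns, ipv4, ipv6, md5, sha256).

    Raises:
        KeyError: if the MISP response lacks ``response`` / ``Attribute``.
    """
    relative_path = 'attributes/restSearch'
    body = {
        "returnFormat": "json",
        "type": ["ip-src", "ip-dst", "domain", "hostname", "md5", "sha256"],
        "tags": misp_tag,
        "enforceWarninglist": "true",
        "to_ids": "true"
    }
    misp = PyMISP(misp_url, misp_key, misp_verifycert)
    data = misp.direct_call(relative_path, body)

    # Whole-value hex patterns. The original used "[a-f0-9][32,32]", which is
    # one hex char followed by one of '3', '2' or ',' -- not a length check --
    # and re.search would also accept a digest embedded in a longer string.
    md5_re = re.compile(r"[a-f0-9]{32}", re.IGNORECASE)
    sha256_re = re.compile(r"[a-f0-9]{64}", re.IGNORECASE)

    iocs_dns, iocs_ipv4, iocs_ipv6, iocs_md5, iocs_sha256 = [], [], [], [], []

    for e in data['response']['Attribute']:
        ioc_type = e['type']
        value = e['value']
        if ioc_type in ('domain', 'hostname'):
            iocs_dns.append(value)
        elif ioc_type in ('ip-src', 'ip-dst'):
            # Both validators are consulted independently, as in the original.
            if is_valid_ipv4_address(value):
                iocs_ipv4.append(value)
            if is_valid_ipv6_address(value):
                iocs_ipv6.append(value)
        elif ioc_type == 'md5':
            if md5_re.fullmatch(value):
                iocs_md5.append(value)
        elif ioc_type == 'sha256':
            if sha256_re.fullmatch(value):
                iocs_sha256.append(value)

    return Build_CB_Feed(iocs_dns, iocs_ipv4, iocs_ipv6, iocs_md5, iocs_sha256)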
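def retrieve_spam_from_misp():
    """Import spam phone-number attributes from MISP into the Spam table.

    Runs ``misp.direct_call(relative_path, body)`` (both module-level) and,
    for every attribute whose UUID is not yet stored and whose value parses
    as a phone number, adds a Spam row keyed by the attribute UUID.

    Side effects:
        Adds rows via ``db.session`` and commits once after the loop.

    Raises:
        KeyError: if the MISP response lacks ``response`` / ``Attribute``.
    """
    misp = PyMISP(misp_url, misp_key, misp_verifycert)
    result = misp.direct_call(relative_path, body)

    for attribute in result['response']['Attribute']:
        # The attribute UUID is the de-duplication key.
        if Spam.query.filter(Spam.uuid == attribute['uuid']).count():
            continue

        # Only parseability matters here; the parsed number is not stored.
        try:
            phonenumbers.parse(attribute['value'], None)
        except phonenumbers.phonenumberutil.NumberParseException:
            continue

        # One fresh digest per attribute. The original reused a single
        # hashlib.sha512() object across the loop, so each stored hash
        # covered every previously seen number as well and depended on
        # import order -- rows could never be matched by number again.
        # NOTE(review): an unsalted digest of a phone number is a weak
        # pseudonym (small input space); if the hash is meant to protect the
        # number rather than merely identify it, a keyed hash is the stronger
        # choice -- confirm the requirement before changing the stored format.
        number_hash = hashlib.sha512(attribute['value'].encode('utf-8')).hexdigest()

        new_spam = Spam(
            uuid=attribute['uuid'],
            number_hash=number_hash,
            category=attribute['category'],
            source=misp_url,
            # The attribute timestamp is treated as epoch seconds;
            # fromtimestamp() yields a naive local-time datetime --
            # presumably what the Spam model expects, verify against it.
            date=datetime.fromtimestamp(int(attribute['timestamp'])),
        )
        db.session.add(new_spam)
    db.session.commit()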
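def get_pymisp_data(refSet_etype):
    """Fetch IOC values from MISP and push them to a QRadar reference set.

    Args:
        refSet_etype: element type of the target reference set. ``"IP"``
            restricts the push to values that are whole dotted-quad IPv4
            addresses; any other value pushes every distinct attribute value.

    Uses the module-level ``MISP_body``, ``misp_server``, ``misp_url``,
    ``misp_auth_key``, ``relative_path`` and ``qradar_ref_set``. On an empty
    or malformed MISP response it prints a message and calls ``sys.exit()``.
    """
    def log(msg):
        # Every line in this function is timestamped the same way.
        print(time.strftime("%H:%M:%S") + " -- " + msg)

    log("Filter:  " + MISP_body)
    log("Initiating, GET data from MISP on " + misp_server)
    # NOTE(review): certificate verification is hard-coded off (third
    # argument); presumably intentional for this deployment -- confirm.
    misp = PyMISP(misp_url, misp_auth_key, False)
    response = misp.direct_call(relative_path, MISP_body)
    if not (response and "response" in response and "Attribute" in response["response"]):
        log("MISP API Query (Failed), Please check the network connectivity")
        sys.exit()

    log("MISP API Query (Success) ")
    # De-duplicate values while keeping first-seen order.
    rList = list(dict.fromkeys(a['value'] for a in response["response"]["Attribute"]))
    import_data = json.dumps(rList)
    ioc_count = len(rList)
    log(str(ioc_count) + " IOCs imported")

    if refSet_etype != "IP":
        qradar_post_all(import_data, ioc_count)
        return

    log("Trying to clean the IOCs to IP address, as " + qradar_ref_set + " element type = IP")
    # Dotted-quad IPv4 only (IPv6 is not handled). Each value is matched as a
    # whole: the original ran findall over ''.join(rList), where adjacent
    # values run together and can produce addresses that were never in the
    # data (e.g. "1.2.3.4" followed by "5.6.7.8" yields "1.2.3.45").
    ipv4_re = re.compile(
        r"(?:(?:1\d\d|2[0-5][0-5]|2[0-4]\d|0?[1-9]\d|0?0?\d)\.){3}"
        r"(?:1\d\d|2[0-5][0-5]|2[0-4]\d|0?[1-9]\d|0?0?\d)"
    )
    ioc_cleaned = [v for v in rList if ipv4_re.fullmatch(v)]
    ioc_cleaned_data = json.dumps(ioc_cleaned)
    ioc_count_cleaned = len(ioc_cleaned)
    log("(Success) Extracted " + str(ioc_count_cleaned) + " IPs from initial import.")
    qradar_post_IP(ioc_cleaned_data, ioc_count_cleaned)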
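target_uri = "/struts2_2.3.15.1-showcase/showcase.action"
sessionid = 0
active_shell = True
#----------------------------------------------------------------------------------------
# search threat intel platform for actionable intels
# NOTE(review): the endpoint is plain http, so misp_key is sent in clear
# text and the certificate flag below has no effect -- presumably a lab
# instance, confirm.
misp_api_endpoint = 'http://x.x.x.x/events/index'
misp_key = os.environ['misp_key']
misp_verifycert = False
relative_path = ''
searchinfo = input("Enter a keyword you'd like to search in the Threat DB (defaul: struts): ")
if not searchinfo:
    # The prompt advertises this default; the original never applied it.
    searchinfo = "struts"
searcheventid = input("Enter EventID (optional): ")
if not searcheventid:
    searcheventid = "1016"
# Build the search body as a dict and let the client serialise it. The
# original interpolated raw input into a JSON string, so a quote or
# backslash in the keyword produced invalid JSON or altered the query.
body = {
    "searchinfo": searchinfo,
    "searchpublished": 1,
    "searchdistribution": 0,
    "searcheventid": searcheventid,
}
misp = PyMISP(misp_api_endpoint, misp_key, misp_verifycert)
search_results = misp.direct_call(relative_path, body)
data = json.dumps(search_results, sort_keys=True, indent=4)

print("\nSearching MISP Threat Intelligence Platform for 'struts' vulnerability... ")
time.sleep(sleep_time)
print(data)
# Already a parsed structure; no need to round-trip through json.loads.
misp_results = search_results
print("\nFocusing on what matters...\n")
results = misp_results['response'][0]['info']
print(results, "\n")

# The CVE id is expected inside the first pair of parentheses of the event
# info. partition() leaves cve empty instead of raising IndexError when the
# parentheses are absent, as the original split()[1] did.
_, _, after_open = results.partition('(')
cve, _, _ = after_open.partition(')')
time.sleep(sleep_time)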
# Example code to export IOCs of type 'domain' from MISP that have the tag 'Relevant' set

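from pymisp import PyMISP

misp_url = ' -- your_misp_url -- '
misp_key = ' -- your_Misp_api_key -- '
# False disables certificate verification; use True (or a CA bundle path)
# outside of testing.
misp_verifycert = False
relative_path = ''
body = {
    "returnFormat": "text",
    "type": "domain",
    # Tag *ID* (not name) of the 'Relevant' tag; look it up on your own
    # instance, it is unlikely to be 1 there.
    "tags": "1",
}

misp = PyMISP(misp_url, misp_key, misp_verifycert)
r = misp.direct_call(relative_path, body)
# The context manager closes the file even if write() raises; an explicit
# encoding keeps the output independent of the locale.
with open("retro_iocs", "w", encoding="utf-8") as f:
    f.write(r)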