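def GetMISPData():
    """Pull actionable attributes from MISP and hand them to the CB feed builder.

    Queries ``attributes/restSearch`` for attributes carrying ``misp_tag``
    that are flagged ``to_ids`` (warninglist hits excluded), buckets the
    values by type and returns
    ``Build_CB_Feed(iocs_dns, iocs_ipv4, iocs_ipv6, iocs_md5, iocs_sha256)``.

    Relies on module globals ``misp_url``, ``misp_key``, ``misp_verifycert``,
    ``misp_tag``, ``PyMISP``, ``is_valid_ipv4_address``,
    ``is_valid_ipv6_address`` and ``Build_CB_Feed``.

    Raises:
        KeyError: when the MISP reply lacks ``response``/``Attribute`` (an
            error reply).  Left strict on purpose: an empty feed must not
            be published because the API call failed.
    """
    relative_path = 'attributes/restSearch'
    body = {
        "returnFormat": "json",
        "type": ["ip-src", "ip-dst", "domain", "hostname", "md5", "sha256"],
        "tags": misp_tag,
        "enforceWarninglist": "true",
        "to_ids": "true",
    }
    misp = PyMISP(misp_url, misp_key, misp_verifycert)
    data = misp.direct_call(relative_path, body)

    # Anchored fixed-length hex patterns.  The original "([a-f0-9][32,32])"
    # was a character class ('3', '2', ','), not a repeat count, so almost
    # any string containing a hex digit followed by one of those characters
    # passed as a hash.
    md5_re = re.compile(r"^[a-f0-9]{32}$", re.IGNORECASE)
    sha256_re = re.compile(r"^[a-f0-9]{64}$", re.IGNORECASE)

    iocs_dns, iocs_ipv4, iocs_ipv6, iocs_md5, iocs_sha256 = [], [], [], [], []
    for e in data['response']['Attribute']:
        etype = e['type']
        value = e['value']
        if etype in ('domain', 'hostname'):
            iocs_dns.append(value)
        elif etype in ('ip-src', 'ip-dst'):
            # A value can only be one of the two; both checks are kept so
            # a validator that accepts both forms behaves as before.
            if is_valid_ipv4_address(value):
                iocs_ipv4.append(value)
            if is_valid_ipv6_address(value):
                iocs_ipv6.append(value)
        elif etype == 'md5':
            if md5_re.match(value):
                iocs_md5.append(value)
        elif etype == 'sha256':
            if sha256_re.match(value):
                iocs_sha256.append(value)
    return Build_CB_Feed(iocs_dns, iocs_ipv4, iocs_ipv6, iocs_md5, iocs_sha256)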
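def retrieve_spam_from_misp():
    """Import spam phone-number attributes from MISP into the ``Spam`` table.

    Fetches attributes with ``misp.direct_call(relative_path, body)`` (both
    module globals), skips UUIDs already present, drops values that do not
    parse as a phone number, and stores a SHA-512 digest of each value
    instead of the number itself.  One ``db.session.commit()`` at the end.

    Relies on module globals ``misp_url``, ``misp_key``, ``misp_verifycert``,
    ``relative_path``, ``body``, ``PyMISP``, ``Spam``, ``db`` and
    ``phonenumbers``.
    """
    misp = PyMISP(misp_url, misp_key, misp_verifycert)
    result = misp.direct_call(relative_path, body)
    for attribute in result['response']['Attribute']:
        if Spam.query.filter(Spam.uuid == attribute['uuid']).count():
            continue
        try:
            phonenumbers.parse(attribute['value'], None)
        except phonenumbers.phonenumberutil.NumberParseException:
            # Not a parseable number: skip it rather than store junk.
            continue
        # One fresh digest per attribute.  The original created a single
        # sha512 object before the loop and kept calling update() on it, so
        # each stored "number_hash" was a running digest of every value seen
        # so far and the same number hashed differently depending on order.
        number_hash = hashlib.sha512(attribute['value'].encode('utf-8')).hexdigest()
        # NOTE(review): an unsalted digest of a phone number can be reversed
        # by enumerating the (small) number space; whether that matters
        # depends on who can read this table.
        new_spam = Spam(
            uuid=attribute['uuid'],
            number_hash=number_hash,
            category=attribute['category'],
            source=misp_url,
            date=datetime.fromtimestamp(int(attribute['timestamp'])),
        )
        db.session.add(new_spam)
    db.session.commit()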
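def get_pymisp_data(refSet_etype):
    """Fetch IOC values from MISP and push them to a QRadar reference set.

    With ``refSet_etype == "IP"`` only values that are a complete dotted-quad
    IPv4 address are kept and posted via ``qradar_post_IP``; any other type
    posts every distinct value via ``qradar_post_all``.  A missing or
    malformed MISP reply is logged and ends the process with ``sys.exit()``.

    Args:
        refSet_etype: element type of the QRadar reference set ("IP" or other).

    Relies on module globals ``misp_url``, ``misp_auth_key``, ``misp_server``,
    ``MISP_body``, ``relative_path``, ``qradar_ref_set``, ``PyMISP``,
    ``qradar_post_IP`` and ``qradar_post_all``.
    """
    def log(msg):
        # Timestamped console line, same format as the rest of the script.
        print(time.strftime("%H:%M:%S") + " -- " + msg)

    log("Filter: " + MISP_body)
    log("Initiating, GET data from MISP on " + misp_server)
    # NOTE(review): TLS certificate verification is hard-coded off here
    # (third positional argument), unlike the other helpers in this corpus
    # that take it from a ``misp_verifycert`` setting.
    misp = PyMISP(misp_url, misp_auth_key, False)
    response = misp.direct_call(relative_path, MISP_body)
    if not (response and "response" in response and "Attribute" in response["response"]):
        log("MISP API Query (Failed), Please check the network connectivity")
        sys.exit()

    log("MISP API Query (Success) ")
    # Distinct values in first-seen order (dict keys), as the original did
    # with a value->value dict.
    rList = list(dict.fromkeys(d['value'] for d in response["response"]["Attribute"]))
    ioc_count = len(rList)
    log(str(ioc_count) + " IOCs imported")

    if refSet_etype == "IP":
        log("Trying to clean the IOCs to IP address, as " + qradar_ref_set + " element type = IP")
        # Same octet grammar as before (leading zeros tolerated), but matched
        # per value and anchored.  The original concatenated every value with
        # ''.join() and ran findall() over the blob: neighbouring values fused
        # ("1.2.3.4" + "5.6.7.8" -> "1.2.3.45.6.7.8" yields "1.2.3.45" and
        # loses the second address) and an IPv4-looking prefix of a hostname
        # was extracted as an address.  IPv6 values are still not handled.
        ipv4_re = re.compile(
            r"(?:(?:1\d\d|2[0-5][0-5]|2[0-4]\d|0?[1-9]\d|0?0?\d)\.){3}"
            r"(?:1\d\d|2[0-5][0-5]|2[0-4]\d|0?[1-9]\d|0?0?\d)"
        )
        ioc_cleaned = [v for v in rList if ipv4_re.fullmatch(v)]
        ioc_count_cleaned = len(ioc_cleaned)
        log("(Success) Extracted " + str(ioc_count_cleaned) + " IPs from initial import.")
        qradar_post_IP(json.dumps(ioc_cleaned), ioc_count_cleaned)
    else:
        qradar_post_all(json.dumps(rList), ioc_count)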
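target_uri = "/struts2_2.3.15.1-showcase/showcase.action"
sessionid = 0
active_shell = True
#----------------------------------------------------------------------------------------
# search threat intel platform for actionable intels
misp_api_endpoint = 'http://x.x.x.x/events/index'
misp_key = os.environ['misp_key']
misp_verifycert = False
relative_path = ''
searchinfo = input("Enter a keyword you'd like to search in the Threat DB (defaul: struts): ")
searcheventid = input("Enter EventID (optional): ")
if not searcheventid:
    searcheventid = "1016"
# Build the filter as a dict and let json.dumps serialise it.  The original
# %-formatted the raw input() strings straight into a JSON literal, so a
# quote or backslash in the keyword produced an invalid or altered query.
body = json.dumps({
    "searchinfo": searchinfo,
    "searchpublished": 1,
    "searchdistribution": 0,
    "searcheventid": searcheventid,
})
misp = PyMISP(misp_api_endpoint, misp_key, misp_verifycert)
search_results = misp.direct_call(relative_path, body)
data = json.dumps(search_results, sort_keys=True, indent=4)
print("\nSearching MISP Threat Intelligence Platform for 'struts' vulnerability... ")
time.sleep(sleep_time)
print(data)
misp_results = json.loads(data)
print("\nFocusing on what matters...\n")
# The original indexed ['response'][0]['info'] unguarded and then split on
# parentheses, which raised IndexError on an empty result or an event whose
# info has no "(...)" part.
events = misp_results.get('response') or []
if not events or 'info' not in events[0]:
    raise SystemExit("No matching MISP event returned; nothing to extract.")
results = events[0]['info']
print(results, "\n")
if '(' not in results:
    raise SystemExit("Event info carries no parenthesised identifier: " + results)
# Text between the first '(' and the following ')'.
cve = results.partition('(')[2].partition(')')[0]
time.sleep(sleep_time)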
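# Example code to export IOCs of type 'domain' from MISP which have the tag 'Relevant' set
from pymisp import PyMISP

misp_url = ' -- your_misp_url -- '
misp_key = ' -- your_Misp_api_key -- '
# NOTE(review): with verification off, the API key is sent to whatever
# answers at misp_url; keep this True outside a lab.
misp_verifycert = False
relative_path = ''
body = {
    "returnFormat": "text",
    "type": "domain",
    # you should put the ID of the 'Relevant' tag here; in your case it
    # might be a different number
    "tags": "1",
}
misp = PyMISP(misp_url, misp_key, misp_verifycert)
r = misp.direct_call(relative_path, body)
# Context manager: the original open()/write()/close() left the file open
# if write() raised.
with open("retro_iocs", "w") as f:
    f.write(r)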