def get_event(self, instance, from_date, to_date=None):
    """Yield the ``Event`` dict of every MISP search hit in the given date range.

    Args:
        instance: key into ``self.instances``; the entry supplies ``url`` and ``key``.
        from_date: passed straight through to PyMISP ``search(date_from=...)``.
        to_date: passed straight through as ``date_to`` (None = open-ended).

    Yields:
        The ``r["Event"]`` payload of each result that carries an ``Event`` key;
        results without one are skipped silently.
    """
    conf = self.instances[instance]
    client = PyMISP(url=conf["url"], key=conf["key"])
    for record in client.search(date_from=from_date, date_to=to_date):
        if "Event" not in record:
            continue
        yield record["Event"]
def __init__(self):
    """Build a PyMISP client pointed at the configured MISP ``events`` endpoint."""
    misp_conf = MispAdapter.get()
    parsed = urlparse.urlparse(misp_conf.url)
    # Only scheme and hostname are kept: any port or path present in the
    # configured URL is dropped when the endpoint URL is rebuilt.
    events_url = '%s://%s/%s' % (parsed.scheme, parsed.hostname, 'events')
    # NOTE(review): ssl=False presumably disables TLS certificate verification in
    # PyMISP, so the API key goes to a peer that is not authenticated — confirm intended.
    self.py_misp = PyMISP(url=events_url, key=misp_conf.apikey, ssl=False)
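def stream_events(self, inputs, ew):
    """Stream MISP objects into Splunk as events and refresh the lookups.

    For every input stanza a PyMISP client is built from the stanza's
    ``misp_url`` / ``automation_key``, the last snapshot window is downloaded,
    each item of ``res['response']`` is written as one Splunk event, and the
    lookups are regenerated from the same payload.

    Args:
        inputs: modular-input definition; ``inputs.inputs`` maps stanza name
            to its settings dict.
        ew: Splunk EventWriter used for ``log`` and ``write_event``.

    Fix: a failed download used to leave ``res`` unbound (NameError on the
    first stanza, or stale data from the previous stanza on later ones); the
    stanza is now skipped after the error is logged. Bare ``except:`` is
    narrowed to ``Exception`` so KeyboardInterrupt/SystemExit still propagate.
    """
    ew.log("INFO", "Streaming events for MISP modular input")
    sync_time = self.get_sync_time()
    ew.log("INFO", "Events are streamed every %d minutes\n" % (sync_time))
    for input_name, input_item in inputs.inputs.iteritems():
        misp_url = input_item["misp_url"]
        automation_key = input_item["automation_key"]
        # Positional PyMISP args: url, key, ssl=True (certificate verification on), out_type.
        misp = PyMISP(str(misp_url), str(automation_key), True, 'json')
        res = self._download_last(misp, ew, sync_time)
        if res is None:
            # Download failed and was already logged; nothing to index for this stanza.
            continue
        ew.log("INFO", "MISP objects collected, creating events")
        try:
            for item in res['response']:
                event = Event()
                event.stanza = input_name
                event.data = item
                ew.write_event(event)
        except Exception:
            ew.log("ERROR", traceback.format_exc())
        ew.log("INFO", "MISP Events created, now creating lookups")
        # lookup_dir is a module-level name not defined in this block.
        lookups = Misp2Lookup(res, lookup_dir)
        lookups.write()
    ew.log("INFO", "Streaming finished")

def _download_last(self, misp, ew, sync_time):
    """Return the MISP payload for one stanza, or None when the download fails.

    The window is the full first-time snapshot when ``self.is_first_time`` is
    set, otherwise the last ``sync_time`` minutes. NOTE(review): is_first_time
    is read here but never cleared in this code; presumably the caller resets
    it — verify.
    """
    if self.is_first_time:
        ew.log(
            "INFO",
            "Downloading MISP objects for the first time. It will take a while."
        )
        window = MISP_FIRST_TIME_SNAPSHOT
    else:
        ew.log("INFO", "Downloading MISP objects every %d minutes." % (sync_time))
        window = "%dm" % (sync_time)
    try:
        return misp.download_last(window)
    except Exception:
        ew.log("ERROR", traceback.format_exc())
        return None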
def __init__(self):
    """Create the PyMISP client for the configured MISP ``events`` endpoint."""
    misp_conf = MispAdapter.get()
    parts = urllib.parse.urlparse(misp_conf.url)
    # Keep scheme, host and (when set) port; any path in the configured URL is discarded.
    if parts.port:
        events_url = '%s://%s:%d/%s' % (parts.scheme, parts.hostname, parts.port, 'events')
    else:
        events_url = '%s://%s/%s' % (parts.scheme, parts.hostname, 'events')
    # NOTE(review): ssl=False presumably disables TLS certificate verification in
    # PyMISP; the API key is then sent to an unauthenticated peer — confirm intended.
    self.py_misp = PyMISP(
        url=events_url,
        key=misp_conf.apikey,
        ssl=False,
        proxies=System.get_request_proxies(),
    )
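def get_organisations(self, instance):
    """Fill ``self.instances[instance]["organisations"]`` with id -> name from MISP.

    Args:
        instance: key into ``self.instances``; the entry must provide ``url``,
            ``key`` and an existing ``organisations`` mapping.

    Returns:
        None. Any failure (unknown instance, HTTP error, unexpected payload) is
        logged and swallowed; entries added before the failure are kept.

    Fix: the former ``if not misp_client`` branch was unreachable (a freshly
    constructed client object is always truthy) and has been removed.
    """
    try:
        conf = self.instances[instance]
        misp_client = PyMISP(url=conf["url"], key=conf["key"])
        orgs = misp_client.organisations(scope="all")
        for org in orgs:
            org_info = org["Organisation"]
            conf["organisations"][org_info["id"]] = org_info["name"]
    except Exception as e:
        # Best-effort lookup: log and leave the mapping as it is.
        logging.error("error http %s to get instances", e)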
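class MispUploadAdapterControl(object):
    """Singleton that uploads stored STIX packages to MISP as events."""

    # Singleton: one shared instance per process
    __instance = None

    def __new__(cls, *args, **kwargs):
        if cls.__instance is None:
            cls.__instance = object.__new__(cls)
        return cls.__instance

    def __init__(self):
        """Connect a PyMISP client to the configured MISP ``events`` endpoint.

        NOTE(review): __new__ returns the shared instance, but __init__ still
        runs on every ``MispUploadAdapterControl()`` call and rebuilds
        ``self.py_misp``.
        """
        misp_conf = MispAdapter.get()
        parsed = urllib.parse.urlparse(misp_conf.url)
        # Rebuild from scheme/host[/port] only; any path in the configured URL is dropped.
        if parsed.port:
            url = '%s://%s:%d/%s' % (parsed.scheme, parsed.hostname, parsed.port, 'events')
        else:
            url = '%s://%s/%s' % (parsed.scheme, parsed.hostname, 'events')
        # NOTE(review): ssl=False presumably disables TLS certificate verification in
        # PyMISP; the API key is then sent to an unauthenticated peer — confirm intended.
        self.py_misp = PyMISP(url=url, key=misp_conf.apikey, ssl=False,
                              proxies=System.get_request_proxies())

    # Extract the STIX for package_id, convert it to MISP import format and upload it
    def upload_misp(self, package_id):
        """Upload the STIX package stored under ``package_id`` to MISP.

        1.x content is parsed as stored; anything else is first reduced to its
        1.2 "slide". The package is converted to a MISP event, tagged with its
        TLP when one is present, and posted with ``add_event``.

        Returns:
            The MISP response dict (it contains an ``Event`` key).

        Raises:
            Exception: when the response carries ``errors`` instead of an event.
        """
        stix_file = StixFiles.objects.get(package_id=package_id)
        if stix_file.version.startswith('1.'):
            content = stix_file.content
        else:
            content = io.StringIO(stix_file.get_slide_12())
        # NOTE(review): this parses XML taken from stored content; confirm the
        # parser behind STIXPackage.from_xml does not resolve external entities.
        stix_package = STIXPackage.from_xml(content)
        misp_event = load_stix(stix_package)
        tag = self.get_tlp_tag(stix_package)
        if tag is not None:
            misp_event.add_tag(tag)
        resp = self.py_misp.add_event(misp_event)
        if 'Event' in resp:
            return resp
        raise Exception(str(resp['errors']))

    # Read the TLP from stix_package and return it in tag form;
    # return None when there is no TLP
    def get_tlp_tag(self, stix_package):
        """Return the package's TLP as a ``TLP:<COLOR>`` tag, or None when absent.

        Only the first marking structure of each marking is inspected. Any
        error while walking the header (missing handling/marking, empty
        structure list, wrong types) yields None.

        Fix: ``except BaseException`` narrowed to ``Exception`` so
        KeyboardInterrupt/SystemExit are no longer swallowed.
        """
        try:
            for marking in stix_package.stix_header.handling.marking:
                structure = marking.marking_structures[0]
                if isinstance(structure, TLPMarkingStructure):
                    return 'TLP:%s' % (structure.color.upper())
            return None
        except Exception:
            return None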