 def create_new_event(self, entry):
     """Push a file uploaded to the Cowrie honeypot into MISP as a new event.

     Only ``entry["shasum"]``, ``entry["outfile"]`` and ``entry["sensor"]``
     are read. On Python 2 the legacy ``upload_sample`` call is used; on
     Python 3 a ``malware-sample`` attribute is built, wrapped in a
     ``MISPEvent`` (published when ``self.publish`` is set) and submitted
     through ``self.misp_api.add_event``. The API response is only logged
     when ``self.debug`` is set; nothing is returned.
     """
     if self.is_python2:
         # Legacy PyMISP path. The third positional argument is passed as
         # None (presumably the target event id -- confirm against the
         # PyMISP version in use); distribution, analysis and threat level
         # are fixed numeric codes here rather than configurable.
         self.misp_api.upload_sample(
             entry["shasum"],
             entry["outfile"],
             None,
             distribution=1,
             info="File uploaded to Cowrie ({})".format(entry["sensor"]),
             analysis=0,
             threat_level_id=2
         )
         return

     sample = MISPAttribute()
     sample.type = "malware-sample"
     sample.value = entry["shasum"]
     sample.data = Path(entry["outfile"])
     # The same text serves as attribute comment and as event info.
     info = "File uploaded to Cowrie ({})".format(entry["sensor"])
     sample.comment = info
     sample.expand = "binary"

     event = MISPEvent()
     event.info = info
     event.attributes = [sample]
     event.run_expansions()
     if self.publish:
         event.publish()

     result = self.misp_api.add_event(event)
     if self.debug:
         log.msg("Event creation result: \n%s" % result)
 def create_new_event(self, entry):
     """Create a MISP event describing a file uploaded to the Cowrie honeypot.

     The event carries four attributes built from ``entry``: the sample
     itself (``malware-sample``, keyed by ``shasum`` with ``outfile`` as
     data), the upload origin (the session ``url`` when present, otherwise
     the text ``"External upload"``), the attacker's ``src_ip`` and the
     session ``timestamp``. The event is tagged ``tlp:white``, published
     when ``self.publish`` is set and submitted via
     ``self.misp_api.add_event``; the response is logged only in debug
     mode. Nothing is returned.
     """

     def make_attr(kind, value):
         # Small local factory: every attribute below starts as type + value.
         attr = MISPAttribute()
         attr.type = kind
         attr.value = value
         return attr

     sample = make_attr("malware-sample", entry["shasum"])
     sample.data = Path(entry["outfile"])
     sample.comment = "File uploaded to Cowrie ({})".format(entry["sensor"])
     sample.expand = "binary"

     if "url" in entry:
         origin = make_attr("url", entry["url"])
         # Only the attacker-supplied download URL is flagged as an
         # IDS-usable indicator; the other attributes keep the default.
         origin.to_ids = True
     else:
         origin = make_attr("text", "External upload")

     source_ip = make_attr("ip-src", entry["src_ip"])
     seen_at = make_attr("datetime", entry["timestamp"])

     event = MISPEvent()
     event.info = "File uploaded to Cowrie ({})".format(entry["sensor"])
     event.add_tag("tlp:white")
     event.attributes = [sample, origin, source_ip, seen_at]
     event.run_expansions()
     if self.publish:
         event.publish()

     result = self.misp_api.add_event(event)
     if self.debug:
         log.msg(f"Event creation result: \n{result}")
 def create_new_event(self, entry):
     """Create a MISP event holding a single ``malware-sample`` attribute.

     Reads ``entry["shasum"]`` (attribute value), ``entry["outfile"]``
     (attribute data, as a ``Path``) and ``entry["sensor"]`` (used in the
     comment and the event info). The event is published when
     ``self.publish`` is set and submitted via ``self.misp_api.add_event``;
     the API response is logged only when ``self.debug`` is set. Nothing
     is returned.
     """
     sample = MISPAttribute()
     sample.type = "malware-sample"
     sample.value = entry["shasum"]
     sample.data = Path(entry["outfile"])
     # Shared between the attribute comment and the event info.
     info = "File uploaded to Cowrie ({})".format(entry["sensor"])
     sample.comment = info
     sample.expand = "binary"

     event = MISPEvent()
     event.info = info
     event.attributes = [sample]
     event.run_expansions()
     if self.publish:
         event.publish()

     result = self.misp_api.add_event(event)
     if self.debug:
         log.msg(f"Event creation result: \n{result}")
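    def form_attr_obj(self, type, value, file=None):
        """Build a ``MISPAttribute`` and append it to ``self.attributes``.

        Args:
            type: MISP attribute type string (e.g. ``"malware-sample"``).
                The name shadows the ``type`` builtin; it is kept so that
                existing keyword callers keep working.
            value: the attribute value.
            file: optional path; when given it is wrapped in a ``Path``
                and stored as the attribute's ``data``.

        Errors are not propagated: any exception is reported on stdout
        together with the line number at which it surfaced, and the
        attribute is simply not appended.
        """
        try:
            attr = MISPAttribute()
            attr.type = type
            attr.value = value

            if file is not None:
                # data is handed over as a Path object, not the raw string.
                attr.data = Path(file)

            self.attributes.append(attr)

        except Exception as e:
            # Only the traceback is needed (for the line number); the frame
            # is always this method, so name it directly instead of going
            # through the private sys._getframe() API.
            line_no = sys.exc_info()[2].tb_lineno
            print("ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}"
                  .format(location=__name__, funct_name="form_attr_obj", line_no=line_no,
                          error=str(e)))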
    else:
        print('invalid upload path (must be file or dir)')
        exit(0)

    if args.is_malware:
        arg_type = 'malware-sample'
    else:
        arg_type = 'attachment'

    # Create attributes
    attributes = []
    for f in files:
        a = MISPAttribute()
        a.type = arg_type
        a.value = f.name
        a.data = f
        a.comment = args.comment
        a.distribution = args.distrib
        if args.expand and arg_type == 'malware-sample':
            a.expand = 'binary'
        attributes.append(a)

    if args.event:
        for a in attributes:
            misp.add_attribute(args.event, a)
    else:
        m = MISPEvent()
        m.info = args.info
        m.distribution = args.distrib
        m.attributes = attributes
        if args.expand and arg_type == 'malware-sample':