def setUp(self):
self.maxDiff = None
self.misp = PyMISP(url, key, True, 'json')
def run(self):
super(MISP, self).run()
if self.args is None:
return
if not HAVE_PYMISP:
self.log(
'error',
"Missing dependency, install pymisp (`pip install pymisp`)")
return
if self.args.url is None:
self.url = cfg.misp.misp_url
else:
self.url = self.args.url
if self.args.key is None:
self.key = cfg.misp.misp_key
else:
self.key = self.args.key
if self.url is None:
self.log(
'error',
"This command requires the URL of the MISP instance you want to query."
)
return
if self.key is None:
self.log('error', "This command requires a MISP private API key.")
return
if not self.args.verify:
verify = False
else:
verify = cfg.misp.misp_verify
try:
self.misp = PyMISP(self.url, self.key, verify, 'json')
except PyMISPError as e:
self.log('error', e.message)
return
# Require an open MISP session
if self.args.subname in ['add', 'show', 'publish'
] and not __sessions__.is_attached_misp():
return
# Require an open file session
if self.args.subname in ['upload'
] and not __sessions__.is_attached_file():
return
try:
if self.args.subname == 'upload':
self.upload()
elif self.args.subname == 'search':
self.searchall()
elif self.args.subname == 'download':
self.download()
elif self.args.subname == 'check_hashes':
self.check_hashes()
elif self.args.subname == 'yara':
self.yara()
elif self.args.subname == 'pull':
self.pull()
elif self.args.subname == 'create_event':
self.create_event()
elif self.args.subname == 'add':
self.add()
elif self.args.subname == 'show':
self.show()
elif self.args.subname == 'open':
self.open()
elif self.args.subname == 'publish':
self.publish()
elif self.args.subname == 'version':
self.version()
elif self.args.subname == 'store':
self.store()
else:
self.log('error', "No calls defined for this command.")
except requests.exceptions.HTTPError as e:
self.log('error', e)
def test_getSharingGroups(self, m):
self.initURI(m)
pymisp = PyMISP(self.domain, self.key)
sharing_groups = pymisp.get_sharing_groups()
self.assertEqual(sharing_groups[0], self.sharing_groups['response'][0])
def init(url, key):
return PyMISP(url, key, False, 'json', debug=False)
def setUp(self):
self.maxDiff = None
self.misp = PyMISP(url, key, True, 'json')
self.live_describe_types = self.misp.get_live_describe_types()
def init(url,key):
return PyMISP(url,key, False, 'json')
def run(self):
super(MISP, self).run()
if self.args is None:
return
if not HAVE_PYMISP:
self.log(
'error',
"Missing dependency, install pymisp (`pip install pymisp`)")
return
self.offline_mode = False
if self.args.on:
self.offline_mode = False
if __sessions__.is_attached_misp(True):
__sessions__.current.misp_event.off = False
elif self.args.off or (__sessions__.is_attached_misp(True)
and __sessions__.current.misp_event.off):
self.offline_mode = True
if __sessions__.is_attached_misp(True):
__sessions__.current.misp_event.off = True
self.url = self.args.url
if self.url is None:
self.url = cfg.misp.misp_url
if self.url is None:
self.log(
'error',
"This command requires the URL of the MISP instance you want to query."
)
return
self.key = self.args.key
if self.key is None:
self.key = cfg.misp.misp_key
if self.key is None:
self.log('error', "This command requires a MISP private API key.")
return
if not self.args.verify:
verify = False
else:
verify = cfg.misp.tls_verify
# Capture default distribution and sharing group settings. Backwards compatability and empty string check
self.distribution = cfg.misp.get("misp_distribution", None)
self.distribution = None if self.distribution == "" else self.distribution
if type(self.distribution) not in (type(None), int):
self.distribution = None
self.log(
'info',
"The distribution stored in viper config is not an integer, setting to None"
)
self.sharinggroup = cfg.misp.get("misp_sharinggroup", None)
self.sharinggroup = None if self.sharinggroup == "" else self.sharinggroup
if type(self.sharinggroup) not in (type(None), int):
self.sharinggroup = None
self.log(
'info',
"The sharing group stored in viper config is not an integer, setting to None"
)
if not self.offline_mode:
try:
self.misp = PyMISP(self.url,
self.key,
ssl=False,
proxies=cfg.misp.proxies,
cert=('/opt/ssl/server/csp-internal.crt',
'/opt/ssl/server/csp-internal.key'))
except PyMISPError as e:
self.log('error', e.message)
return
# Require an open MISP session
if self.args.subname in ['add_hashes', 'add', 'show', 'publish'
] and not __sessions__.is_attached_misp():
return
# Require an open file session
if self.args.subname in ['upload'
] and not __sessions__.is_attached_file():
return
try:
if self.args.subname == 'upload':
self.upload()
elif self.args.subname == 'search':
self.searchall()
elif self.args.subname == 'download':
self.download()
elif self.args.subname == 'check_hashes':
self.check_hashes()
elif self.args.subname == 'yara':
self.yara()
elif self.args.subname == 'pull':
self.pull()
elif self.args.subname == 'create_event':
self.create_event()
elif self.args.subname == 'add':
self.add()
elif self.args.subname == 'add_hashes':
self.add_hashes()
elif self.args.subname == 'show':
self.show()
elif self.args.subname == 'open':
self.open_samples()
elif self.args.subname == 'publish':
self.publish()
elif self.args.subname == 'version':
self.version()
elif self.args.subname == 'store':
self.store()
elif self.args.subname == 'tag':
self.tag()
elif self.args.subname == 'galaxies':
self.galaxies()
elif self.args.subname == 'admin':
self.admin()
else:
self.log('error', "No calls defined for this command.")
except requests.exceptions.HTTPError as e:
self.log('error', e)
help="Host where neo4j is running.")
parser.add_argument("-u", "--user", default='neo4j', help="User on neo4j.")
parser.add_argument("-p",
"--password",
default='neo4j',
help="Password on neo4j.")
parser.add_argument("-d",
"--deleteall",
action="store_true",
default=False,
help="Delete all nodes from the database")
args = parser.parse_args()
neo4j = Neo4j(args.host, args.user, args.password)
if args.deleteall:
neo4j.del_all()
misp = PyMISP(misp_url, misp_key)
result = misp.search_all(args.search)
for json_event in result['response']:
if not json_event['Event']:
print(json_event)
continue
print('Importing', json_event['Event']['info'],
json_event['Event']['id'])
try:
misp_event = MISPEvent()
misp_event.load(json_event)
neo4j.import_event(misp_event)
except:
print('broken')
def init_misp(): global mymisp mymisp = PyMISP(misp_url, misp_key)
def processSTIX(pkg, args, misp_url, misp_key, ssl=True):
# Load the PyMISP functions
# misp = PyMISP(misp_url, misp_key, ssl, 'json')
misp = PyMISP(misp_url, misp_key, ssl, 'json', proxies=proxies)
# Build the event and add tags if applicable
misp_title = ""
#if '_id' in pkg:
# misp_title += str(pkg._id)+" | "
misp_title += str(pkg.stix_header.title)
if misp_title == "None":
try:
misp_title = str(
pkg.stix_header.information_source.description) + " | " + str(
pkg.stix_header.information_source.time.produced_time.value
)
except:
misp_title = str(pkg.id_)
misp_date = str(pkg.timestamp)
event = mispBuildEvent(misp, misp_url, misp_key, misp_title, misp_date,
args)
# Process force-tags if applicable
if args.forcetag:
# Add the package ID as a tag
try:
tag = str(pkg._id)
except AttributeError:
tag = ""
if tag:
forceTag(pkg, args, misp, event, tag)
# Add Internal Reference Attribute
misp.add_internal_other(event, tag)
# Add the package title as a tag
try:
tag = str(pkg.stix_header.title)
except AttributeError:
tag = ""
if tag:
forceTag(pkg, args, misp, event, tag)
# Add Internal Reference Attribute
misp.add_internal_other(event, tag)
# Add the sender's name as a tag
try:
tag = str(pkg.stix_header.information_source.identity.name)
except AttributeError:
tag = ""
if tag:
forceTag(pkg, args, misp, event, tag)
# Add Internal Reference Attribute
#
# Commenting this out because it would end up saying every STIX document
# coming from the same originator is related.
#
# misp.add_internal_other(event, tag)
# Output to screen
print "\r\n##################"
#print "ID: "+str(pkg._id)
print "Title: " + misp_title
print "Time: " + misp_date
print "##################\r\n"
all_inc_desc = ""
all_ind_desc = ""
# Loop through all incidents
if pkg.incidents:
for inc in pkg.incidents:
# Get incindent descriptions
for inc_desc in inc.descriptions:
if inc_desc:
inc_desc = str(inc_desc)
all_inc_desc = all_inc_desc + "=============NEW DESCRIPTION=============\r\n\r\n" + inc_desc
# Loop through all indicators
for ind in pkg.indicators:
for type in ind.indicator_types:
print "Indicator Type: " + str(type)
# Collect indicator descriptions
for ind_desc in ind.descriptions:
if ind_desc:
ind_desc = str(ind_desc)
all_ind_desc = all_ind_desc + "\r\n\r\n=============NEW DESCRIPTION=============\r\n\r\n" + ind_desc
# For processing STIX w/ composite_indicator_expression(s)
if ind.composite_indicator_expression:
for cie in ind.composite_indicator_expression:
properties = cie.observable.object_.properties
object_type = properties._XSI_TYPE
print " Observable type: " + str(object_type)
# processObject(object_type, properties)
mispBuildObject(object_type, properties, event, args)
# For processing STIX that without composite_indicator_expression(s)
else:
properties = ind.observable.object_.properties
object_type = properties._XSI_TYPE
print " Observable type: " + str(object_type)
# processObject(object_type, properties)
mispBuildObject(object_type, properties, event, args)
# Process Descriptions and add as files to MISP
if all_ind_desc:
# Grab all the descriptions and add them to the event in a text file
filename = str(event['Event']['id']) + "_Indicator_Descriptions.txt"
processDescriptions(misp, event, filename, all_ind_desc)
if all_inc_desc:
# Grab all the descriptions and add them to the event in a text file
filename = str(event['Event']['id']) + "_Incident_Descriptions.txt"
processDescriptions(misp, event, filename, all_inc_desc)
def mispBuildObject(object_type, properties, event, args):
# Set MISP instance
# misp = PyMISP(misp_url, misp_key, False, 'json')
misp = PyMISP(misp_url, misp_key, False, 'json', proxies=proxies)
# Process Args
if not args.ids:
args.ids = True
# Grab important info from File Objects
if "FileObjectType" in str(object_type):
# print dir(properties)
print " file_format: " + str(properties.file_format)
print " file_name: " + str(properties.file_name)
print " file_path: " + str(properties.file_path)
print " md5: " + str(properties.md5)
print " sha1: " + str(properties.sha1)
print " peak_entropy: " + str(properties.peak_entropy)
print " sha_224: " + str(properties.sha224)
print " size: " + str(properties.size)
print " size_in_bytes: " + str(properties.size_in_bytes)
# print " hashes_dir: "+str(dir(properties.hashes))
# Get other file info
if properties.file_name:
file_name = str(properties.file_name)
else:
file_name = ""
if properties.file_path:
file_path = str(properties.file_path)
else:
file_path = ""
if properties.size:
size = str(properties.size)
elif properties.size_in_bytes:
size = str(properties.size_in_bytes)
else:
size = ""
if properties.file_format:
file_format = str(properties.file_format)
else:
file_format = ""
# Build the comment w/ related info
comment = ""
if file_path:
comment = "[PATH] " + file_path
if size:
if comment:
comment = comment + " | [SIZE] " + size
else:
comment = "[SIZE] " + size
if file_format:
if comment:
comment = comment + " | [FORMAT] " + file_format
else:
comment = "[FORMAT] " + file_format
for hash in properties.hashes:
print " " + str(hash.type_) + ": " + str(hash)
# Add to MISP
if str(hash.type_) == "MD5":
# Add the hash by itself
#misp.add_hashes(event, md5=str(hash))
misp.add_hashes(event,
filename=str(properties.file_name),
md5=str(hash),
comment=comment,
to_ids=args.ids)
elif str(hash.type_) == "SHA1":
# Add the hash by itself
#misp.add_hashes(event, sha1=str(hash))
misp.add_hashes(event,
filename=str(properties.file_name),
sha1=str(hash),
comment=comment,
to_ids=args.ids)
elif str(hash.type_) == "SHA256":
# Add the hash by itself
#misp.add_hashes(event, sha256=str(hash))
misp.add_hashes(event,
filename=str(properties.file_name),
sha256=str(hash),
comment=comment,
to_ids=args.ids)
elif str(hash.type_) == "SSDEEP":
# Add the hash by itself
#misp.add_hashes(event, ssdeep=str(hash))
misp.add_hashes(event,
filename=str(properties.file_name),
ssdeep=str(hash),
comment=comment,
to_ids=args.ids)
# Grab important info from Mutex Objects
if "MutexObjectType" in str(object_type):
print " name: " + str(properties.name)
# Add to MISP
misp.add_mutex(event, str(properties.name), to_ids=args.ids)
# Grab important info from Registry Keys:
if "WindowsRegistryKeyObjectType" in str(object_type):
print " key: " + str(properties.key)
if properties.values:
for value in properties.values:
print " value.datatype: " + str(value.datatype)
print " value.data: " + str(value.data)
#print " value: "+str(dir(value))
# Add to MISP
misp.add_regkey(event,
str(properties.key),
rvalue=str(value.data),
to_ids=args.ids)
else:
misp.add_regkey(event, str(properties.key), to_ids=args.ids)
# Grab Domain Names:
if "DomainNameObjectType" in str(object_type):
print " domain: " + str(properties.value)
# Add to MISP
misp.add_domain(event, str(properties.value), to_ids=args.ids)
# Grab URI's
if "URIObjectType" in str(object_type):
print " uri: " + str(properties.value)
# Add to MISP
misp.add_url(event, str(properties.value), to_ids=args.ids)
# Grab IP's
if "AddressObjectType" in str(object_type):
print " ip: " + str(properties.address_value)
# Add to MISP
misp.add_ipsrc(event, str(properties.address_value), to_ids=args.ids)
# Grab Ports
if "PortObjectType" in str(object_type):
print " port: " + str(properties.port_value)
# Grab Email Info
if "EmailMessageObjectType" in str(object_type):
print " date: " + str(properties.date)
print " from: " + str(properties.from_)
print " sender: " + str(properties.sender)
if properties.from_:
misp.add_email_src(event, str(properties.from_), to_ids=args.ids)
elif properties.sender:
misp.add_email_src(event, str(properties.sender), to_ids=args.ids)
print " to: " + str(properties.to)
if properties.to:
misp.add_email_dst(event, str(properties.to), to_ids=args.ids)
print " subject: " + str(properties.subject)
if properties.subject:
misp.add_email_subject(event,
str(properties.subject),
to_ids=args.ids)
print " reply_to: " + str(properties.reply_to)
if properties.reply_to:
misp.add_email_src(event,
str(properties.reply_to),
comment="Reply-To Address",
to_ids=args.ids)
print " message_id: " + str(properties.message_id)
print " x_originating_ip: " + str(properties.x_originating_ip)
if properties.x_originating_ip:
misp.add_ipsrc(event,
str(properties.x_originating_ip),
comment="MAIL X-Origin-IP",
to_ids=args.ids)
print " email_server: " + str(properties.email_server)
#!/usr/bin/env python
from obj.misp_conf import *
from obj.fmc_conf import *
from pymisp import PyMISP
MISP_CONF = MispConf()
FMC_CONF = FmcConf()
MISP_INSTANCE = PyMISP(MISP_CONF.ip_addr, MISP_CONF.api_token,
MISP_CONF.ver_cert, 'json')
def run(self):
Analyzer.run(self)
data = self.getData()
try:
# search service
if self.service == 'search':
misp = PyMISP(self.url, self.api_key)
result = misp.search_all(data)
events = []
if 'response' in result:
# Trim the report to make it readable in a browser
# Remove null events
result['response'] = list(
filter(lambda e: e != {'Event': None},
result['response']))
for e in result['response']:
if 'Event' in e and e['Event']:
event = e['Event']
# Remove attributes
if 'Attribute' in event:
del event['Attribute']
# Remove org
if 'Org' in event:
del event['Org']
# Remove related events
if 'RelatedEvent' in event:
del event['RelatedEvent']
# Remove shadow attributes
if 'ShadowAttribute' in event:
del event['ShadowAttribute']
# Remove sharing group
if 'SharingGroup' in event:
del event['SharingGroup']
# Remove sharing group
if 'Galaxy' in event:
del event['Galaxy']
# Replace tags by a string array
if 'Tag' in event:
tags = list((t['name'] for t in event['Tag']))
del event['Tag']
event['tags'] = tags
# Add url to the MISP event
if 'id' in event:
event[
'url'] = self.url + '/events/view/' + event[
'id']
if 'publish_timestamp' in event:
event['publish_timestamp'] = long(
event['publish_timestamp']) * 1000
events.append(event)
self.report(events)
else:
self.error('Unknown MISP service')
except Exception as e:
self.unexpectedError(e)
# This includes all of the following:
# - OTX pulses to which you subscribed through the web UI
# - Pulses created by OTX users to whom you subscribe
# - OTX pulses you created.
# If this is the first time you are using your account, the download includes all pulses created by AlienVault.
# All users are subscribed to these by default.
mtime = readTimestamp()
pulses = otx.getsince(mtime)
print("Retrived %d pulses" % len(pulses))
# Create a connection to a MISP server where arguments are:
# - MISP URL
# - Key for user who can create and update events
misp = PyMISP(misp_url, misp_key, False, 'json')
# Summary of information retrieved from OTX
for p in pulses:
print(p['modified'])
print(p['name'])
print(p['author_name'])
print(len(p['indicators']))
print('=' * 12)
# Add retrieved indicators (pulses) to MISP
for pulse in pulses:
pulse_to_misp(misp, pulse)
saveTimestamp()
def run(self, results):
"""Run analysis.
@return: MISP results dict.
"""
if not PYMISP:
log.error("pyMISP dependency is missing.")
return
url = self.options.get("url", "")
apikey = self.options.get("apikey", "")
if not url or not apikey:
log.error("MISP URL or API key not configured.")
return
self.threads = self.options.get("threads", "")
if not self.threads:
self.threads = 5
whitelist = list()
self.iocs = deque()
self.misper = dict()
threads_list = list()
self.misp_full_report = dict()
self.lock = threading.Lock()
try:
# load whitelist if exists
if os.path.exists(os.path.join(CUCKOO_ROOT, "conf", "misp.conf")):
whitelist = Config("misp").whitelist.whitelist
if whitelist:
whitelist = [ioc.strip() for ioc in whitelist.split(",")]
self.misp = PyMISP(url, apikey, False, "json")
if self.options.get("extend_context", ""):
for drop in results.get("dropped", []):
if drop.get("md5",
"") and drop["md5"] not in self.iocs and drop[
"md5"] not in whitelist:
self.iocs.append(drop["md5"])
if results.get("target", {}).get("file", {}).get(
"md5", ""
) and results["target"]["file"]["md5"] not in whitelist:
self.iocs.append(results["target"]["file"]["md5"])
for block in results.get("network", {}).get("hosts", []):
if block.get(
"ip",
"") and block["ip"] not in self.iocs and block[
"ip"] not in whitelist:
self.iocs.append(block["ip"])
if block.get(
"hostname", ""
) and block["hostname"] not in self.iocs and block[
"hostname"] not in whitelist:
self.iocs.append(block["hostname"])
if not self.iocs:
return
for thread_id in xrange(int(self.threads)):
thread = threading.Thread(target=self.misper_thread,
args=(url, ))
thread.daemon = True
thread.start()
threads_list.append(thread)
for thread in threads_list:
thread.join()
if self.misper:
results["misp"] = sorted(
self.misper.values(),
key=lambda x: datetime.strptime(x["date"], "%Y-%m-%d"),
reverse=True)
misp_report_path = os.path.join(self.reports_path,
"misp.json")
full_report = open(misp_report_path, "wb")
full_report.write(json.dumps(self.misp_full_report))
full_report.close()
if self.options.get("upload_iocs", False) and results.get(
"malscore", 0) >= self.options.get("min_malscore", 0):
self.cuckoo2misp(results, whitelist)
except Exception as e:
log.error("Failed to generate JSON report: %s" % e)
def init(url, key):
return PyMISP(url, key, misp_verifycert, 'json')
result = m.get_event(event)
]
with open(out_path, mode='wt', encoding='utf-8') as out_file:
out_file.write('\n'.join(sorted_list))
else:
LOGGER.warning('No attributes returned.')
LOGGER.info('Run complete!')
if __name__ == '__main__':
LOGGER.info('Setting up MISP connector...')
if MISP_VALIDATE_SSL == False:
disable_ssl_warnings()
try:
misp = PyMISP(MISP_URL, MISP_API_KEY, ssl=MISP_VALIDATE_SSL)
except Exception as ex:
LOGGER.error('Failed to connect to MISP: {0}'.format(str(ex)))
sys.exit(1)
parser = argparse.ArgumentParser()
parser.add_argument('--full', default=False, action='store_true')
args = parser.parse_args()
export_run(misp, start_fresh=args.full)
def test_searchIndexByTagName(self, m):
self.initURI(m)
pymisp = PyMISP(self.domain, self.key)
response = pymisp.search_index(
tag='ecsirt:malicious-code="ransomware"')
self.assertEqual(response['response'], self.search_index_result)
def _lookup_artifact(self, event, *args, **kwargs):
"""Lookup an artifact"""
# This is a generic handler - we only care about lookup events but might be sent others
if not isinstance(event, ThreatServiceLookupEvent):
return
# event.artifact is a ThreatServiceArtifactDTO
artifact_type = event.artifact['type']
artifact_value = event.artifact['value']
# Check that the event matches an artifact type that we want to search in MISP
if artifact_type not in MISP_TYPES:
# Nothing to do
LOG.info(u"MISP lookup not implemented for %s", artifact_type)
return
# Doc says: MISP search for IP addresses using CIDR, uses '|' (pipe) instead of '/' (slashes) in the value.
# But this appears not to be the case, we just search for the unchanged value.
# if artifact_type == "net.cidr":
# artifact_value = str(artifact_value).replace('/', '|')
LOG.info("MISP Lookup: " + str(artifact_value))
if sys.version_info < (3, 6):
misp_api = PyMISP(self.misp_url, self.misp_key,
self.misp_verifycert, 'json')
else:
misp_api = ExpandedPyMISP(self.misp_url,
self.misp_key,
ssl=self.misp_verifycert)
# MISP search_index: produces a list of events, and their key attributes, based on search criteria.
# But does not filter by attribute type (only by the value that matched),
# and the value matches include substrings, so we can't filter the results effectively.
# matches = misp_api.search_index(published=1,
# tag=self.misp_tag,
# org=self.misp_org,
# attribute=str(artifact_value))
# MISP search: produce events or attribute values, but only for a single type of attribute (or all types).
# Attribute value matches partial strings (LIKE %value%), but we usually want exact-match searching.
# Our search strategy is this:
# - search for each type, returning only attributes;
# - filter the attribute results for case-insensitive exact matches only,
# - collect the list of events that the attributes belong to,
# - finally retrieve the event metadata for our results.
#
# (This strategy will likely change with future versions of MISP!)
misp_types = MISP_TYPES[artifact_type]
search_value = str(artifact_value).lower()
event_ids = set()
def matches(an_attribute):
"""Does the attribute value match? MISP does substring searches but we want exact."""
if artifact_type == "net.cidr":
# Match any CIDR, we assume the server did the logical search
return True
if an_attribute["value"].lower() == search_value:
# Match the whole attribute value, lowercase.
return True
if "|" in misp_type and "|" in an_attribute["value"]:
# Some misp types are compound types, allow searching of both parts of the compound type
my_misp_value = an_attribute["value"].lower()
return search_value in my_misp_value.split("|")
return False
for misp_type in misp_types:
# Search for this one attribute-type
result = misp_api.search(controller='attributes',
values=[search_value],
type_attribute=misp_type,
tags=self.misp_tag,
org=self.misp_org,
withAttachments=0)
LOG.debug("Search for %s", misp_type)
LOG.debug(json.dumps(result))
if result:
if misp_api.__class__.__name__ == "PyMISP":
response = result.get("response", {})
else:
response = result
if isinstance(response, dict):
attributes = response.get("Attribute", [])
for attribute in attributes:
if matches(attribute):
event_ids.add(attribute["event_id"])
hits = []
if not event_ids:
# Nothing to do
return hits
# Finally let's get summary for each event.
# (Don't use the search api for this, it will match partial event ids).
for event_id in event_ids:
result = misp_api.get_event(event_id)
if "Event" in result:
event = result["Event"]
LOG.debug(json.dumps(event))
event_id = event["id"]
link = self.misp_link_url + "/events/view/" + str(event_id)
info = event.get("info")
datestr = event.get("date")
hit = Hit(
StringProp(name="Info", value=info),
StringProp(name="Date", value=datestr),
UriProp(name="MISP Link", value=link),
)
# Add all the tags as separate properties
tag_counter = {}
for tag in event.get("Tag", []):
if ":" in tag["name"]:
tag_name, tag_value = tag["name"].split(":", 1)
else:
tag_name = tag_value = tag["name"]
# start counter at 0 if it doesn't exist
tag_count = tag_counter.get(tag_name, -1) + 1
tag_counter[tag_name] = tag_count
# only add count to name if > 0
if tag_count:
tag_name = u"{}_{}".format(tag_name, tag_count)
hit.append(
StringProp(name=u"{}:".format(tag_name),
value=tag_value))
hits.append(hit)
return hits
def init(url, key):
return PyMISP(url, key, True, 'json')
def init(url, key):
return PyMISP(url, key, True)
remote_port = "8080"
target_uri = "/struts2_2.3.15.1-showcase/showcase.action"
sessionid = 0
active_shell = True
#----------------------------------------------------------------------------------------
# search threat intel platform for actionable intels
misp_api_endpoint = 'http://192.168.1.136/events/index'
misp_key = os.environ['misp_key']
misp_verifycert = False
relative_path = ''
searchinfo = input("Enter a keyword you'd like to search in the Threat DB (defaul: struts): ")
searcheventid = input("Enter EventID (optional): ")
if not searcheventid:
searcheventid = "1016"
body = ('{"searchinfo":"%s", "searchpublished":1, "searchdistribution":0, "searcheventid":"%s"}' % (searchinfo, searcheventid))
misp = PyMISP(misp_api_endpoint, misp_key, misp_verifycert)
search_results = misp.direct_call(relative_path, body)
data = json.dumps(search_results,sort_keys=True,indent=4)
print ("\nSearching MISP Threat Intelligence Platform for 'struts' vulnerability... ")
time.sleep(sleep_time)
print (data)
misp_results = json.loads(data)
print("\nFocusing on what matters...\n")
results = misp_results['response'][0]['info']
print(results, "\n")
cve = results.split('(')
cve = cve[1]
cve = cve.split(')')
cve = cve[0]
time.sleep(sleep_time)
port=cfg.getint(
"ARDB_Metadata", "port"),
db=cfg.getint("ARDB_Metadata", "db"),
decode_responses=True)
uuid_ail = r_serv_db.get('ail:uuid')
if uuid_ail is None:
uuid_ail = r_serv_db.set('ail:uuid', uuid.uuid4())
config_section = 'misp_the_hive_feeder'
p = Process(config_section)
# create MISP connection
if flag_misp:
try:
pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
except:
flag_misp = False
r_serv_db.set('ail:misp', False)
print('Not connected to MISP')
if flag_misp:
try:
misp_wrapper = ailleakObject.ObjectWrapper(pymisp)
r_serv_db.set('ail:misp', True)
print('Connected to MISP:', misp_url)
except e:
flag_misp = False
r_serv_db.set('ail:misp', False)
print(e)
print('Not connected to MISP')
def get_misp_client(URL, API_KEY, VERIFY_CERT, proxies):
misp_client = PyMISP(URL, API_KEY, VERIFY_CERT, 'json', proxies=proxies)
return misp_client
def init(url, key):
return PyMISP(url, key, misp_verifycert, 'json')
def init_misp():
global mymisp
mymisp = PyMISP(misp_url, misp_key, misp_verifycert)
def test_deleteAttribute(self, m):
self.initURI(m)
pymisp = PyMISP(self.domain, self.key)
d = pymisp.delete_attribute(2)
self.assertEqual(d, {'message': 'Attribute deleted.'})
def init():
""" init connection to MISP """
return PyMISP(misp_url, misp_key, misp_verifycert, 'json')
def test_searchIndexByTagId(self, m):
self.initURI(m)
pymisp = PyMISP(self.domain, self.key)
response = pymisp.search_index(tag="1")
self.assertEqual(response['response'], self.search_index_result)
def run(self, results):
"""Run analysis.
@return: MISP results dict.
"""
url = self.options.get("url", "")
apikey = self.options.get("apikey", "")
if not url or not apikey:
log.error("MISP URL or API key not configured")
return
self.misp = PyMISP(url, apikey, False, "json")
self.threads = self.options.get("threads", "")
if not self.threads:
self.threads = 5
self.iocs = deque()
self.misper = {}
try:
if self.options.get("upload_iocs", False) and results.get(
"malscore", 0) >= self.options.get("min_malscore", 0):
distribution = int(self.options.get("distribution", 0))
threat_level_id = int(self.options.get("threat_level_id", 4))
analysis = int(self.options.get("analysis", 0))
tag = self.options.get("tag") or "CAPEv2"
info = self.options.get("title", "")
upload_sample = self.options.get("upload_sample")
malfamily = ""
if results.get("detections"):
malfamily = ",".join(block["family"]
for block in results["detections"])
response = self.misp.search(
"attributes",
value=results["target"]["file"]["sha256"],
return_format="json",
pythonify=True)
if response:
event = self.misp.get_event(response[0].event_id,
pythonify=True)
else:
event = MISPEvent()
event.distribution = distribution
event.threat_level_id = threat_level_id
event.analysis = analysis
event.info = f"{info} {malfamily} - {results.get('info', {}).get('id')}"
event = self.misp.add_event(event, pythonify=True)
# Add a specific tag to flag Cuckoo's event
if tag:
self.misp.tag(event, tag)
# malpedia galaxy
if malpedia_json:
self.malpedia(results, event, malfamily)
# ToDo?
self.signature(results, event)
self.sample_hashes(results, event)
self.all_network(results, event)
self.dropped_files(results, event)
if upload_sample:
target = results.get("target", {})
f = target.get("file", {})
if target.get("category") == "file" and f:
with open(f["path"], "rb") as f:
event.add_attribute(
"malware-sample",
value=os.path.basename(f["path"]),
data=BytesIO(f.read()),
expand="binary",
comment="Sample run",
)
if results.get("target", {}).get(
"url",
"") and results["target"]["url"] not in whitelist:
event.add_attribute("url", results["target"]["url"])
# ToDo migth be outdated!
# if self.options.get("ids_files", False) and "suricata" in results.keys():
# for surifile in results["suricata"]["files"]:
# if "file_info" in surifile.keys():
# self.misper["iocs"].append({"md5": surifile["file_info"]["md5"]})
# self.misper["iocs"].append({"sha1": surifile["file_info"]["sha1"]})
# self.misper["iocs"].append({"sha256": surifile["file_info"]["sha256"]})
if self.options.get(
"mutexes", False
) and "behavior" in results and "summary" in results[
"behavior"]:
if "mutexes" in results.get("behavior",
{}).get("summary", {}):
for mutex in results["behavior"]["summary"]["mutexes"]:
if mutex not in whitelist:
event.add_attribute("mutex", mutex)
if self.options.get(
"registry", False
) and "behavior" in results and "summary" in results[
"behavior"]:
if "read_keys" in results["behavior"].get("summary", {}):
for regkey in results["behavior"]["summary"][
"read_keys"]:
event.add_attribute("regkey", regkey)
event.run_expansions()
self.misp.update_event(event)
# Make event public
if self.options.get("published", True):
self.misp.publish(event)
except Exception as e:
log.error("Failed to generate JSON report: %s", e, exc_info=True)
