  def parse_events(self, xml, full=True):
    """Build local ``Event`` objects from the ``<Event>`` elements of a MISP XML tree.

    Args:
      xml: already-parsed element tree of the remote MISP response (anything
        exposing ``iterfind``). The raw XML is parsed elsewhere; NOTE(review):
        it comes from a remote instance, so confirm the caller uses a parser
        hardened against entity expansion before it reaches this method.
      full: when True, attributes are converted to observables and the
        event's reports are rebuilt: reports without references are dropped
        and one extra report carrying the MISP back-references (external
        identifier and view link) is added. When False only the header is set.

    Returns:
      list of ``Event`` objects, each with a ``misp_id`` attribute.
    """
    converted = []
    for element in xml.iterfind('./Event'):
      local_event = Event()
      misp_id = self.set_event_header(element, local_event)

      if full:
        local_event.observables = self.parse_attributes(local_event, element)

        # Drop reports that ended up without any reference.
        kept_reports = [r for r in local_event.reports if r.references]

        # One report per event points back at the MISP origin.
        origin = Report()
        origin.identifier = uuid4()
        self.set_properties(origin, False)
        # Extended logging is deliberately NOT set on this report: that
        # information must only be visible to the owner/inserter.
        external_id = u'{0}{1} Event ID {2}'.format('', self.tag, misp_id)
        origin.references.append(
            self.create_reference(None, uuid4(), None, 'reference_external_identifier',
                                  external_id, None, False, local_event, False))
        view_link = u'{0}/events/view/{1}'.format(self.api_url, misp_id)
        origin.references.append(
            self.create_reference(None, uuid4(), None, 'link',
                                  view_link, None, False, local_event, False))
        kept_reports.append(origin)
        local_event.reports = kept_reports

      local_event.misp_id = misp_id
      converted.append(local_event)

    return converted
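  def create_observable(self, id_, uuid, category, type_, value, data, comment, ioc, share, event):
    """Store one MISP attribute on ``event``, as a report reference or as an observable.

    Descriptive attributes (links, comments, texts, attachments, ... of the
    analysis/reference categories, plus anything typed or categorised as
    'other') are stored as references on the event's single report.
    'payload installation'/'vulnerability' and remaining 'attribution'
    attributes are stored the same way with a textual prefix on the value.
    Every other attribute is turned into an observable holding one object.

    Args:
      id_: MISP attribute id, handed to ``create_reference`` / ``append_attributes``.
      uuid: MISP attribute uuid, handed through likewise.
      category: MISP attribute category string (e.g. 'external analysis').
      type_: MISP attribute type string (e.g. 'link', 'filename|sha1').
      value: attribute value as received from the remote instance.
      data: attachment payload handed to ``create_reference`` (opaque here).
      comment: free text; concatenated onto the report description.
      ioc: handed to ``append_attributes`` (presumably the MISP "to_ids"
        flag — confirm against ``append_attributes``).
      share: sharing flag handed to ``set_properties`` / ``make_observable``.
      event: the local ``Event`` the result is attached to.

    Returns:
      the new observable for the observable case, ``None`` when no object
      definition exists for ``category``/``type_``, and ``None`` for the
      report/reference cases.

    Note:
      ``value``, ``comment`` and ``data`` originate from the remote MISP
      instance and are stored verbatim; nothing here escapes or validates
      them, so that is the job of whatever renders the stored text.
    """
    def attach_to_report(reference):
      # Every reference-style attribute of the event lands on one shared
      # report, created on first use.
      if len(event.reports) == 0:
        report = Report()
        report.identifier = uuid4()
        self.set_properties(report, True)
        self.set_extended_logging(report, event)
        event.reports.append(report)
      target = event.reports[0]
      if comment:
        if target.description:
          target.description = target.description + ' - ' + comment
        else:
          target.description = comment
      target.references.append(reference)

    # Categories/types whose attributes are descriptive text rather than
    # indicators. The previous condition also listed 'internal reference'
    # with 'text'/'comment' and 'antivirus detection' with 'link' as
    # separate clauses; both are covered by this product, so they are folded in.
    report_categories = ('external analysis', 'internal reference', 'targeting data', 'antivirus detection')
    report_types = ('attachment', 'comment', 'link', 'text', 'url', 'malware-sample',
                    'filename|sha1', 'filename|md5', 'filename|sha256', 'vulnerability')
    is_report_attribute = (
        (category in report_categories and type_ in report_types)
        or type_ == 'other'
        or category == 'other'
        or (category == 'attribution' and type_ == 'comment'))

    if is_report_attribute:
      value_template = None
    elif category == 'payload installation' and type_ == 'vulnerability':
      # Misspelling kept deliberately: already-stored values carry this
      # prefix and other code may match on it — confirm before fixing.
      value_template = u'Vulnerablility: {0}'
    elif category == 'attribution':
      value_template = u'Attribution: {0}'
    else:
      # Indicator-style attribute: wrap it in an observable with one object.
      observable = self.make_observable(event, comment, share)
      obj = Object()
      obj.identifier = uuid4()
      self.set_properties(obj, share)
      self.set_extended_logging(obj, event)
      observable.object = obj
      obj.definition = self.get_object_definition(category, type_, value, event)
      if not obj.definition:
        # No known definition for this category/type: nothing to store.
        return None
      obj.definition_id = obj.definition.identifier
      self.append_attributes(obj, observable, id_, category, type_, value, ioc, share, event, uuid)
      # Normalise an empty description to None.
      if not observable.description:
        observable.description = None
      return observable

    reference = self.create_reference(id_, uuid, category, type_, value, data, share, event)
    if reference:
      if value_template is not None:
        reference.value = value_template.format(reference.value)
      attach_to_report(reference)
    return None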