def run(self, conf, args, plugins): server = ExpandedPyMISP(conf['Misp']['url'], conf['Misp']['key'], not args.no_tls) if args.list: # List events events = server.events(pythonify=True) for event in sorted(events, key=lambda x: x.id): print("%i : %s" % (event.id, event.info)) elif args.event is not None: event = server.get_event(args.event, pythonify=True) if args.attr is None and args.type is None: if args.raw: for a in event.attributes: print(a.value) else: print("Event {} : {}".format(event.id, event.info)) print("Tags : {}".format(", ".join( map(lambda x: str(x.name), event.tags)))) print("{} Attributes including:".format( len(event.attributes))) attrs = Counter(map(lambda x: x.type, event.attributes)) attrs_ids = Counter( map(lambda x: x.type, filter(lambda x: x.to_ids, event.attributes))) for type in attrs: print("- %i %s (%i for detection)" % (attrs[type], type, attrs_ids[type])) else: if args.type is not None: # Display all attributes from this type for attr in event.attributes: if attr.type == args.type: if args.raw: print("%s" % attr.value) else: print("{:20}{:10}{:40}{}{}".format( attr.category, attr.type, attr.value, attr.comment, attr.to_ids)) elif args.attr is not None: # search by attribute value for attr in event.attributes: if args.attr in str(attr.value): print("%s\t%s\t%s\t%s\t%s" % (attr.category, attr.type, attr.value, attr.comment, attr.to_ids)) elif args.attr is not None: res = server.search('attributes', value=args.attr) if len(res['Attribute']) == 0: print("Search %s: no results" % args.attr) else: print("Search %s, result founds" % args.attr) for attr in res['Attribute']: print('{} - {}'.format(attr['Event']['id'], attr['Event']['info'])) else: self.parser.print_help()
class MISPInstance(): def __init__(self, params): self.initial_user_connector = ExpandedPyMISP(params['url'], params['key'], ssl=False, debug=False) # Git pull self.initial_user_connector.update_misp() # Set the default role (id 3 on the VM is normal user) self.initial_user_connector.set_default_role(3) # Restart workers self.initial_user_connector.restart_workers() if not fast_mode: # Load submodules self.initial_user_connector.update_object_templates() self.initial_user_connector.update_galaxies() self.initial_user_connector.update_noticelists() self.initial_user_connector.update_warninglists() self.initial_user_connector.update_taxonomies() self.initial_user_connector.toggle_global_pythonify() # Create organisation organisation = MISPOrganisation() organisation.name = params['orgname'] self.test_org = self.initial_user_connector.add_organisation( organisation) print(self.test_org.name, self.test_org.uuid) # Create Site admin in new org user = MISPUser() user.email = params['email_site_admin'] user.org_id = self.test_org.id user.role_id = 1 # Site admin self.test_site_admin = self.initial_user_connector.add_user(user) self.site_admin_connector = ExpandedPyMISP( params['url'], self.test_site_admin.authkey, ssl=False, debug=False) self.site_admin_connector.toggle_global_pythonify() # Create org admin user = MISPUser() user.email = params['email_admin'] user.org_id = self.test_org.id user.role_id = 2 # Org admin self.test_org_admin = self.site_admin_connector.add_user(user) self.org_admin_connector = ExpandedPyMISP(params['url'], self.test_org_admin.authkey, ssl=False, debug=False) self.org_admin_connector.toggle_global_pythonify() # Create user user = MISPUser() user.email = params['email_user'] user.org_id = self.test_org.id self.test_usr = self.org_admin_connector.add_user(user) self.user_connector = ExpandedPyMISP(params['url'], self.test_usr.authkey, ssl=False, debug=False) self.user_connector.toggle_global_pythonify() # Setup external_baseurl self.site_admin_connector.set_server_setting( 'MISP.external_baseurl', params['external_baseurl'], force=True) # Setup baseurl self.site_admin_connector.set_server_setting('MISP.baseurl', params['url'], force=True) # Setup host org self.site_admin_connector.set_server_setting('MISP.host_org_id', self.test_org.id) self.external_base_url = params['external_baseurl'] self.sync = [] self.sync_servers = [] def __repr__(self): return f'<{self.__class__.__name__}(external={self.external_base_url})' def create_sync_user(self, organisation): sync_org = self.site_admin_connector.add_organisation(organisation) short_org_name = sync_org.name.lower().replace(' ', '-') user = MISPUser() user.email = f"sync_user@{short_org_name}.local" user.org_id = sync_org.id user.role_id = 5 # Org admin sync_user = self.site_admin_connector.add_user(user) sync_user_connector = ExpandedPyMISP( self.site_admin_connector.root_url, sync_user.authkey, ssl=False, debug=False) sync_server_config = sync_user_connector.get_sync_config( pythonify=True) self.sync.append((sync_org, sync_user, sync_server_config)) def create_sync_server(self, name, server): server = self.site_admin_connector.import_server(server) server.self_signed = True server.pull = True # Not automatic, but allows to do a pull server = self.site_admin_connector.update_server(server) r = self.site_admin_connector.test_server(server) if r['status'] != 1: raise Exception(f'Sync test failed: {r}') self.sync_servers.append(server) def cleanup(self): for org, user, _ in self.sync: self.site_admin_connector.delete_user( user) # Delete user from other org self.site_admin_connector.delete_organisation(org) # Delete sync servers for server in self.site_admin_connector.servers(): self.site_admin_connector.delete_server(server) # Delete users self.org_admin_connector.delete_user(self.test_usr.id) self.site_admin_connector.delete_user(self.test_org_admin.id) self.initial_user_connector.delete_user(self.test_site_admin.id) # Delete org self.initial_user_connector.delete_organisation(self.test_org.id) # Make sure the instance is back to a clean state if self.initial_user_connector.events(): raise Exception( f'Events still on the instance {self.external_base_url}') if self.initial_user_connector.attributes(): raise Exception( f'Attributes still on the instance {self.external_base_url}') if self.initial_user_connector.attribute_proposals(): raise Exception( f'AttributeProposals still on the instance {self.external_base_url}' ) if self.initial_user_connector.sightings(): raise Exception( f'Sightings still on the instance {self.external_base_url}') if self.initial_user_connector.servers(): raise Exception( f'Servers still on the instance {self.external_base_url}') if self.initial_user_connector.sharing_groups(): raise Exception( f'SharingGroups still on the instance {self.external_base_url}' ) if len(self.initial_user_connector.organisations()) > 1: raise Exception( f'Organisations still on the instance {self.external_base_url}' ) if len(self.initial_user_connector.users()) > 1: raise Exception( f'Users still on the instance {self.external_base_url}')