def create_new_event(self, entry):
    """Push a file captured by Cowrie to MISP as a new event.

    ``entry`` is the Cowrie upload record and must carry ``shasum`` (hash of
    the captured file), ``outfile`` (path of the stored sample on disk) and
    ``sensor`` (honeypot sensor name); a missing key raises ``KeyError``
    before anything is sent.

    On a Python 2 deployment (``self.is_python2``) the legacy ``upload_sample``
    API is called with fixed MISP enumeration values (distribution 1,
    analysis 0, threat_level_id 2) and nothing is logged.  Otherwise a
    ``MISPEvent`` with a single ``malware-sample`` attribute is built,
    published when ``self.publish`` is set, and submitted through
    ``add_event``; the raw API result is logged when ``self.debug`` is set.
    """
    sample_hash = entry["shasum"]
    sample_path = entry["outfile"]
    info = "File uploaded to Cowrie ({})".format(entry["sensor"])

    if self.is_python2:
        # Legacy pymisp: the sample is sent straight from its on-disk path.
        self.misp_api.upload_sample(
            sample_hash,
            sample_path,
            None,
            distribution=1,
            info=info,
            analysis=0,
            threat_level_id=2,
        )
        return

    # Modern pymisp: the file content travels as the attribute's ``data``;
    # ``expand = "binary"`` marks it for the expansion run below.
    sample_attr = MISPAttribute()
    sample_attr.type = "malware-sample"
    sample_attr.value = sample_hash
    sample_attr.data = Path(sample_path)
    sample_attr.comment = info
    sample_attr.expand = "binary"

    event = MISPEvent()
    event.info = info
    event.attributes = [sample_attr]
    event.run_expansions()
    if self.publish:
        event.publish()

    result = self.misp_api.add_event(event)
    if self.debug:
        log.msg("Event creation result: \n%s" % result)
def create_new_event(self, entry):
    """Create a MISP event describing a file uploaded to the Cowrie honeypot.

    ``entry`` is the Cowrie upload record; ``shasum``, ``outfile``,
    ``sensor``, ``src_ip`` and ``timestamp`` are required (``KeyError``
    otherwise) and ``url`` is optional.  The event is tagged ``tlp:white``
    and carries four attributes: the sample (``malware-sample`` with the file
    attached and marked for binary expansion), either the download URL
    (``url``, flagged ``to_ids``) or a ``text`` placeholder reading
    "External upload", the uploading host (``ip-src``) and the upload time
    (``datetime``).  It is published when ``self.publish`` is set, then
    submitted with ``add_event``; the API result is logged when
    ``self.debug`` is set.
    """

    def new_attr(kind, value):
        # type is assigned before value, as pymisp expects.
        a = MISPAttribute()
        a.type = kind
        a.value = value
        return a

    info = "File uploaded to Cowrie ({})".format(entry["sensor"])

    sample = new_attr("malware-sample", entry["shasum"])
    sample.data = Path(entry["outfile"])
    sample.comment = info
    sample.expand = "binary"

    if "url" in entry:
        # The download URL is a shareable indicator: flag it for IDS export.
        source = new_attr("url", entry["url"])
        source.to_ids = True
    else:
        source = new_attr("text", "External upload")

    uploader = new_attr("ip-src", entry["src_ip"])
    seen_at = new_attr("datetime", entry["timestamp"])

    event = MISPEvent()
    event.info = info
    event.add_tag("tlp:white")
    event.attributes = [sample, source, uploader, seen_at]
    event.run_expansions()
    if self.publish:
        event.publish()

    result = self.misp_api.add_event(event)
    if self.debug:
        log.msg(f"Event creation result: \n{result}")
def create_new_event(self, entry):
    """Report a Cowrie file upload to MISP as a one-attribute event.

    ``entry`` is the Cowrie upload record and must contain ``shasum`` (hash
    of the captured file), ``outfile`` (path of the stored sample) and
    ``sensor`` (honeypot sensor name); a missing key raises ``KeyError``
    before the event is built.  The sample is attached as a
    ``malware-sample`` attribute marked for binary expansion, the event is
    published when ``self.publish`` is set and submitted with ``add_event``;
    the API result is logged when ``self.debug`` is set.
    """
    info = "File uploaded to Cowrie ({})".format(entry["sensor"])

    event = MISPEvent()
    event.info = info

    # The file content rides along as ``data``; ``expand = "binary"`` marks
    # the sample for the expansion run below.
    sample = MISPAttribute()
    sample.type = "malware-sample"
    sample.value = entry["shasum"]
    sample.data = Path(entry["outfile"])
    sample.comment = info
    sample.expand = "binary"

    event.attributes = [sample]
    event.run_expansions()
    if self.publish:
        event.publish()

    outcome = self.misp_api.add_event(event)
    if self.debug:
        log.msg(f"Event creation result: \n{outcome}")
def form_attr_obj(self, type, value, file=None):
    """Build a ``MISPAttribute`` and append it to ``self.attributes``.

    ``type`` is the MISP attribute type string and ``value`` its value; when
    ``file`` is given it is wrapped in a ``Path`` and attached as the
    attribute's ``data``.  Any exception raised while building or appending
    is caught and reported on stdout (module, function name, line number and
    message) instead of propagating, so a failing attribute is dropped from
    the list without the caller being told.

    NOTE: ``type`` shadows the builtin; the name is kept so keyword callers
    keep working.
    """
    try:
        attr = MISPAttribute()
        attr.type = type
        attr.value = value
        if file is not None:
            attr.data = Path(file)
        self.attributes.append(attr)
    except Exception as e:
        # Only the traceback is needed, for the failing line number.
        tb = sys.exc_info()[2]
        print(
            "ERROR: Error in {location}.{funct_name}() - line {line_no} : {error}".format(
                location=__name__,
                funct_name=sys._getframe().f_code.co_name,
                line_no=tb.tb_lineno,
                error=str(e),
            )
        )
else: print('invalid upload path (must be file or dir)') exit(0) if args.is_malware: arg_type = 'malware-sample' else: arg_type = 'attachment' # Create attributes attributes = [] for f in files: a = MISPAttribute() a.type = arg_type a.value = f.name a.data = f a.comment = args.comment a.distribution = args.distrib if args.expand and arg_type == 'malware-sample': a.expand = 'binary' attributes.append(a) if args.event: for a in attributes: misp.add_attribute(args.event, a) else: m = MISPEvent() m.info = args.info m.distribution = args.distrib m.attributes = attributes if args.expand and arg_type == 'malware-sample':