# Load the package log.info("Posting STIX...") package = pymisp.tools.stix.load_stix(content_block.content) log.info("STIX loaded succesfully.") values = [x.value for x in package.attributes] log.info("Extracted %s", values) for attrib in values: log.info("Checking for existence of %s", attrib) search = MISP.search("attributes", values=str(attrib)) if search["response"] != []: # This means we have it! log.info("%s is a duplicate, we'll ignore it.", attrib) package.attributes.pop([x.value for x in package.attributes].index(attrib)) else: log.info("%s is unique, we'll keep it", attrib) # Push the event to MISP # TODO: There's probably a proper method to do this rather than json_full # But I don't wanna read docs if (len(package.attributes) > 0): log.info("Uploading event to MISP with attributes %s", [x.value for x in package.attributes]) MISP.add_event(package._json_full()) else: log.info("No attributes, not bothering.") # Make TAXII call our push function whenever it gets new data CONTENT_BLOCK_CREATED.connect(post_stix)
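from opentaxii.signals import (
    CONTENT_BLOCK_CREATED, INBOX_MESSAGE_CREATED, SUBSCRIPTION_CREATED
)

# Example signal hooks: each handler reports the identifiers of a newly
# created object and is registered with its signal at the bottom of the file.
#
# NOTE(review): the handlers write to stdout only. If these events are meant
# to serve as an audit trail, route them through the deployment's logging
# configuration instead -- confirm how the server process captures stdout.


def post_create_content_block(manager, content_block, collection_ids,
                              service_id):
    """Report that a content block was created.

    Args:
        manager: passed in by the signal; not used here.
        content_block: created object; only its ``id`` is read.
        collection_ids: iterable of collection ids, each rendered with
            ``str`` and joined with ``', '``.
        service_id: id of the service, printed as given.
    """
    collections = ', '.join(map(str, collection_ids))
    # One parenthesised argument keeps this line valid both as a Python 2
    # print statement and as a Python 3 function call, with identical output.
    print('Content block id=%s (collections=%s, service_id=%s) was created' % (
        content_block.id, collections, service_id))


def post_create_inbox_message(manager, inbox_message):
    """Report that an inbox message was created.

    Args:
        manager: passed in by the signal; not used here.
        inbox_message: created object; only its ``id`` is read.
    """
    print('Inbox message id=%s was created' % inbox_message.id)


def post_create_subscription(manager, subscription):
    """Report that a subscription was created.

    Args:
        manager: passed in by the signal; not used here.
        subscription: created object; its ``id`` and ``service_id`` are read.
    """
    print('Subscription id=%s (service_id=%s) was created' % (
        subscription.id, subscription.service_id))


# Register each handler with the signal it reports on.
CONTENT_BLOCK_CREATED.connect(post_create_content_block)
INBOX_MESSAGE_CREATED.connect(post_create_inbox_message)
SUBSCRIPTION_CREATED.connect(post_create_subscription)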