def create_tag(self, name: str, exportable: bool, reserved: bool):
    """Create or update a tag called *name* on this MISP instance.

    :param name: Tag name.
    :param exportable: Value stored in the tag's ``exportable`` flag.
    :param reserved: When true the tag is bound to the host organisation by
        stamping ``self.host_org.id`` into ``org_id``; otherwise ``org_id``
        is left unset.

    The populated tag is handed to ``self.create_or_update_tag``; nothing is
    returned.
    """
    new_tag = MISPTag()
    new_tag.name = name
    new_tag.exportable = exportable
    # Only reserved tags carry the host organisation id.
    if reserved:
        new_tag.org_id = self.host_org.id
    self.create_or_update_tag(new_tag)
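def create_misp_tags(misp_api, org_id=1):
    """
    Check if all tags exist in the MISP instance and if one is not, create it.

    :param misp_api: MISP Object API.
    :param org_id: Organisation id stamped on every tag. Defaults to 1, the
        value that was previously hard-coded; pass the real host org id when
        the target instance does not use org 1.
    :return: MISPTag objects for every required tag (missing ones are created
        on the server first).
    :rtype: list
    """
    print(str(timezone.now()) + " - " + 'Generate MISP Tags')
    print('-----------------------------')
    required_tags = settings.MISP_TAGS
    # Names already present on the server; a set keeps the membership test O(1).
    existing_names = {tag.name for tag in misp_api.tags(pythonify=True)}
    tag_list = []
    for tag_name in required_tags:
        t = MISPTag()
        t.name = tag_name
        t.org_id = org_id
        if tag_name not in existing_names:
            print(str(timezone.now()) + " - " + "Create tag: ", tag_name)
            misp_api.add_tag(t)
        # NOTE(review): indentation was lost in the source; the append is read
        # as unconditional so callers receive every required tag, not only the
        # newly created ones — confirm against the caller.
        tag_list.append(t)
    return tag_list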
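def create_misp_tags(misp_api, org_id=1):
    """
    Check if all tags exist in the MISP instance and if one is not, create it.

    :param misp_api: MISP Object API.
    :param org_id: Organisation id stamped on every tag. Defaults to 1, the
        value that was previously hard-coded; pass the real host org id when
        the target instance does not use org 1.
    :return: MISPTag objects for every required tag (missing ones are created
        on the server first).
    :rtype: list
    """
    print(str(timezone.now()) + " - " + 'Generate MISP Tags')
    print('-----------------------------')
    required_tags = [
        'Watcher',
        'Impersonation',
        'Malicious Domain',
        'Typosquatting',
        'TLP:Amber',
    ]
    # Names already present on the server; a set keeps the membership test O(1).
    existing_names = {tag.name for tag in misp_api.tags(pythonify=True)}
    tag_list = []
    for tag_name in required_tags:
        t = MISPTag()
        t.name = tag_name
        t.org_id = org_id
        if tag_name not in existing_names:
            print(str(timezone.now()) + " - " + "Create tag: ", tag_name)
            misp_api.add_tag(t)
        # NOTE(review): indentation was lost in the source; the append is read
        # as unconditional so callers receive every required tag, not only the
        # newly created ones — confirm against the caller.
        tag_list.append(t)
    return tag_list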
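def add_tag_filter_sync(self, server_sync: MISPServer, name: str):
    """Restrict pushes to *server_sync* to events carrying the tag *name*.

    The tag is created non-exportable and bound to the host organisation. If
    ``add_tag`` does not hand back a ``MISPTag`` the tag is looked up by name
    among the existing tags instead. The server's push rules are then
    replaced by a filter that allows only that tag id and applies no
    organisation filter, and the server entry is updated through the
    site-admin connector.

    :raises Exception: if the tag can neither be created nor found by name.
    """
    # Add tag to limit push
    tag = MISPTag()
    tag.name = name
    tag.exportable = False
    tag.org_id = self.host_org.id
    tag = self.site_admin_connector.add_tag(tag)
    if not isinstance(tag, MISPTag):
        # pythonify=True so the loop sees MISPTag objects; without it (and
        # without global pythonify on the connector) tags() yields plain dicts
        # and `.name` would raise AttributeError instead of finding the tag.
        for existing in self.site_admin_connector.tags(pythonify=True):
            if existing.name == name:
                tag = existing
                break
        else:
            raise Exception('Unable to find tag')
    # Push rules decide which events may leave this instance: only events
    # tagged with `tag` are pushed, with no org-based allow/deny list.
    filter_tag_push = {
        "tags": {'OR': [tag.id], 'NOT': []},
        'orgs': {'OR': [], 'NOT': []},
    }
    server_sync.push_rules = json.dumps(filter_tag_push)
    # Pull rules are deliberately left untouched here.
    server_sync = self.site_admin_connector.update_server(server_sync)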
def tag_mlo(self):
    """Return a fresh MISPTag named 'scrippsco2-sampling-stations:MLO'."""
    station_tag = MISPTag()
    station_tag.name = 'scrippsco2-sampling-stations:MLO'
    return station_tag
def tag_bcs(self):
    """Return a fresh MISPTag named 'scrippsco2-sampling-stations:BCS'."""
    station_tag = MISPTag()
    station_tag.name = 'scrippsco2-sampling-stations:BCS'
    return station_tag
def tag_stp(self):
    """Return a fresh MISPTag named 'scrippsco2-sampling-stations:STP'."""
    station_tag = MISPTag()
    station_tag.name = 'scrippsco2-sampling-stations:STP'
    return station_tag
def tag_ptb(self):
    """Return a fresh MISPTag named 'scrippsco2-sampling-stations:PTB'."""
    station_tag = MISPTag()
    station_tag.name = 'scrippsco2-sampling-stations:PTB'
    return station_tag
def tag_alt(self) -> MISPTag:
    """Return a fresh MISPTag named 'scrippsco2-sampling-stations:ALT'."""
    station_tag = MISPTag()
    station_tag.name = 'scrippsco2-sampling-stations:ALT'
    return station_tag
def tag_nzd(self):
    """Return a fresh MISPTag named 'scrippsco2-sampling-stations:NZD'."""
    station_tag = MISPTag()
    station_tag.name = 'scrippsco2-sampling-stations:NZD'
    return station_tag
def tag_ker(self):
    """Return a fresh MISPTag named 'scrippsco2-sampling-stations:KER'."""
    station_tag = MISPTag()
    station_tag.name = 'scrippsco2-sampling-stations:KER'
    return station_tag
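def misp_add_tag(self, event, a_value):
    """Attach a tag named *a_value* to the MISP *event*.

    :param event: Event (object exposing ``add_tag``) that receives the tag.
    :param a_value: Tag name. A falsy value (``None`` or ``""``) adds nothing;
        previously a nameless MISPTag was still attached to the event in that
        case.
    """
    if not a_value:
        return
    # Create Tag object in MISP
    misp_tag = MISPTag()
    misp_tag.name = a_value
    event.add_tag(misp_tag)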
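def createFamily(iUUID, iUpdate=False):
    """Build the MISP event for malware family *iUUID* and queue its push.

    Reads the family's parent UUID, reference links, tags, metadata and YARA
    rules from the local database (``db``), assembles a ``pm.MISPEvent`` and
    submits ``pushToMISP`` on the shared ``executor``; the resulting future is
    appended to ``gv._THREAD_LIST``.

    :param iUUID: UUID of the family; also used as the event UUID.
    :param iUpdate: Forwarded unchanged to ``pushToMISP`` (presumably selects
        update vs. create on the MISP side — confirm in pushToMISP).
    :raises SystemExit: any exception is reported with its file and line and
        the process is terminated via ``sys.exit(e)``, as before.
    """
    try:
        # ATTRIBUTES COMMON FIELDS
        # Kept as the 0/1 ints the original used so the serialized values and
        # the debug output are unchanged.
        attributeToIDS = 0  # 0 false : 1 true
        attributeComment = ""
        attribDisableCorrelation = 1  # 0 false : 1 true

        # MISP SETUP
        event = pm.MISPEvent()
        event.uuid = iUUID

        # The family event extends the parent recorded in the parent/child table.
        iPC_META = db.get_parent_child_data(iUUID=iUUID)
        event.extends_uuid = iPC_META["parentuuid"]

        # REFERENCES/URLS: one non-correlating "link" attribute per URL.
        attributeType = "link"
        attributeCategory = "Internal reference"
        for link in db.get_links(iUUID):
            if gv._DEBUG:
                print("f(x) createFamily: LINK: \nCATEGORY: {} \nTYPE: {} \nVALUE: {} \nTO_IDS: {} \nCOMMENT: {}\nDISABLE CORRELATION: {} "
                      .format(attributeCategory, attributeType, link["url"],
                              attributeToIDS, attributeComment, attribDisableCorrelation))
            event.add_attribute(attributeType, link["url"],
                                comment=attributeComment,
                                category=attributeCategory,
                                to_ids=attributeToIDS,
                                disable_correlation=attribDisableCorrelation)

        # TAGS (already MISPTag objects from db.get_set_all_tags)
        myTags = db.get_set_all_tags(iUUID)
        event.tags = myTags
        if gv._DEBUG:
            print("f(x) createFamily: TAGS")
            print(*myTags, sep="\n")

        # META: the common name is the incident name; the description, when
        # present, becomes a text attribute.
        myMeta = db.get_family_meta(iUUID=iUUID)
        if gv._DEBUG:
            print("f(x) createFamily: META")
            print(json.dumps(myMeta, indent=4))
        myCommonName = myMeta["commonname"]
        event.info = myCommonName
        print("f(x) createFamily: MALWARE NAME: {}".format(myCommonName))

        myDescription = myMeta["description"]
        if myDescription != "":
            attributeType = "text"
            attributeCategory = "Internal reference"
            if gv._DEBUG:
                # The previous format string had one placeholder fewer than its
                # six arguments, so COMMENT and DISABLE CORRELATION printed the
                # wrong values; TO_IDS is now shown like the other debug lines.
                print("f(x) createFamily: CREATING FAMILY COMMENT: \nCATEGORY: {} \nTYPE: {} \nVALUE: {} \nTO_IDS: {} \nCOMMENT: {} \nDISABLE CORRELATION: {} "
                      .format(attributeCategory, attributeType, myDescription,
                              attributeToIDS, attributeComment, attribDisableCorrelation))
            event.add_attribute(attributeType, myDescription,
                                comment=attributeComment,
                                category=attributeCategory,
                                to_ids=attributeToIDS,
                                disable_correlation=attribDisableCorrelation)

        # MARK SOURCE OF INFORMATION: attribution link back to Malpedia.
        attributeType = "link"
        attributeCategory = "Internal reference"
        attributeComment = "DATA FROM MALPEDIA."
        if gv._DEBUG:
            print("f(x) createFamily: ATTRIBUTION LINK: \nCATEGORY: {} \nTYPE: {} \nVALUE: {} \nTO_IDS: {} \nCOMMENT: {} \nDISABLE CORRELATION: {} "
                  .format(attributeCategory, attributeType, gv._MALPEDIA_URL,
                          attributeToIDS, attributeComment, attribDisableCorrelation))
        event.add_attribute(attributeType, gv._MALPEDIA_URL,
                            comment=attributeComment,
                            category=attributeCategory,
                            to_ids=attributeToIDS,
                            disable_correlation=attribDisableCorrelation)

        # YARA: one "yara" object per rule. The rule's TLP level is attached
        # both as the object/attribute comment and as a tag on the attribute.
        iYara = db.get_yara_rules(iUUID)
        for yara in iYara:
            # assumes yara["tlp"] has the form "<prefix>_<level>" — TODO confirm;
            # anything without an underscore raises IndexError here.
            tlpTag = "tlp:" + yara["tlp"].split("_")[1]
            tlpMispTag = MISPTag()
            tlpMispTag.name = tlpTag
            # The context manager closes the file; the explicit close() the
            # original added inside the with-block was redundant.
            with open(yara["path_to_yara"], 'r') as yaraIn:
                yaraContents = yaraIn.read()
            misp_object = pm.tools.GenericObjectGenerator("yara")
            misp_object.comment = tlpTag
            misp_object.uuid = yara["attribute_uuid"]
            subAttribute = misp_object.add_attribute("yara", yaraContents)
            subAttribute.disable_correlation = True
            subAttribute.to_ids = False
            subAttribute.comment = tlpTag
            subAttribute.tags = [tlpMispTag]
            event.add_object(misp_object)
        if gv._DEBUG:
            print("f(x) createFamily: YARA")
            print(*iYara, sep="\n")

        # The push runs on the shared executor; the future is kept in
        # gv._THREAD_LIST (presumably so the caller can wait on it).
        gv._THREAD_LIST.append(
            executor.submit(pushToMISP, event, iUpdate, gv._MISP_URL,
                            gv._MISP_KEY, gv._MISP_VERIFYCERT, gv._DEBUG))
    except Exception as e:
        # Report the failure location, then terminate the whole process
        # (original behaviour).
        exc_type, _, exc_tb = sys.exc_info()
        fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
        print("f(x) createFamily: {}: {}: {}".format(exc_type, fname, exc_tb.tb_lineno))
        sys.exit(e)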
from pymisp import PyMISP, MISPEvent, MISPTag from keys import * from iocparser import IOCParser logging.basicConfig(level=logging.INFO, format="%(asctime)s - %(levelname)s - %(message)s") logging.info("Starting the Pastebin scraper.") # Setting the directory path: absolutePath = os.path.abspath(__file__) path = os.path.dirname(absolutePath) parsedPaste = [] usernames = [] toScrape = [] tagosint = MISPTag() tagosint.name = 'paste_osint' os.chdir(path) try: shelfFile = shelve.open('knownpastes') knownPastes = shelfFile['knownPastes'] shelfFile.close() logging.debug( "Imported a grand total of {} previously imported pastes.".format( len(knownPastes))) except: logging.warning("Failed to import known pastes.") knownPastes = [] f = open('usernames.conf') for i in f:
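def get_set_all_tags(iUUID):
    """Return MISPTag objects for every tag row stored for *iUUID*.

    Each row's ``type`` selects a name prefix (e.g. ``Actor: <tag>``) and the
    matching ``gv._*_TAG`` colour. Rows whose value contains ``tlp:`` are
    passed through as-is, and ``GALAXY`` rows become a
    ``misp-galaxy:<galaxy>="<tag>"`` cluster tag when a galaxy name is
    recorded, otherwise a ``Synonym:`` tag.

    :param iUUID: UUID used to filter ``md.Tag`` rows.
    :return: list of MISPTag
    :raises SystemExit: on any error the message is printed and the process
        exits via ``sys.exit(error)``; the session is closed either way.
    """
    ret_list = []
    session = Session()
    try:
        rows = session.query(md.Tag).filter(md.Tag.uuid == iUUID).all()
        tag_dict = md.TagSchema(many=True).dump(rows)

        # Row type -> (name prefix, colour). Built inside the try so a missing
        # gv constant is still reported through the handler below.
        # Potential type values: ACTOR, COUNTRY_SPONSOR, GALAXY, GALAXY_SYNONIM,
        # ISO_COUNTRY, MALWARE, TARGETS, TYPE_OF_INCIDENT, VICTIMS.
        prefix_and_colour = {
            "ACTOR": ("Actor: ", gv._ACTOR_TAG),
            "COUNTRY_SPONSOR": ("Sponsor: ", gv._COUNTRY_SPONSOR_TAG),
            "GALAXY_SYNONIM": ("Synonym: ", gv._GALAXY_SYNONIM_TAG),
            "ISO_COUNTRY": ("Country ISO: ", gv._ISO_COUNTRY_TAG),
            "MALWARE": ("Malware: ", gv._MALWARE_TAG),
            "TARGETS": ("Target: ", gv._TARGETS_TAG),
            "TYPE_OF_INCIDENT": ("Type of Incident: ", gv._TYPE_OF_INCIDENT_TAG),
            "VICTIMS": ("Victim: ", gv._VICTIMS_TAG),
        }

        # BUILD RETURN LIST
        for tag in tag_dict:
            tmpGalaxy = tag["galaxy"]
            tmpTagVal = tag["tag"]
            tmpTypeTag = tag["type"]
            newTag = MISPTag()
            if "tlp:" in tmpTagVal:
                # TLP markings are stored as final tag names already.
                newTag.name = tmpTagVal
            elif tmpTypeTag == "GALAXY":
                if tmpGalaxy != "":
                    # The value is quoted verbatim, so a tag value containing
                    # '"' yields a malformed galaxy tag name.
                    newTag.name = "misp-galaxy:" + tmpGalaxy + "=\"" + tmpTagVal + "\""
                else:
                    # NOTE(review): indentation was lost in the source; the
                    # colour is read as applying to the synonym fallback only — confirm.
                    newTag.name = "Synonym: " + tmpTagVal
                    newTag.colour = gv._GALAXY_SYNONIM_TAG
            elif tmpTypeTag in prefix_and_colour:
                prefix, colour = prefix_and_colour[tmpTypeTag]
                newTag.name = prefix + tmpTagVal
                newTag.colour = colour
            else:
                newTag.name = tmpTagVal
                newTag.colour = gv._OTHER_TAG
            ret_list.append(newTag)
        return ret_list
    except Exception as error:
        print("f(x) get_set_all_tags: DATABASE ERROR: {}".format(error))
        sys.exit(error)
    finally:
        session.close()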