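class generateEvents():
    """Create one MISP event per paste that yielded at least one parsed IOC.

    Usage: construct with the list of pastes, call ``initMISP()`` to open the
    API session, then ``addEvents()``.  Pastes whose ``iocs`` list is empty
    are skipped; every other paste becomes an event tagged as OSINT /
    ``tlp:white`` with its IOCs attached as attributes.

    Security notes:
      * ``ssl`` defaults to ``False`` to keep the original behaviour, i.e.
        TLS certificate verification on the MISP connection is OFF.  The API
        key travels as a header on every request, so an on-path attacker can
        capture it.  Pass ``ssl=True`` (or a CA-bundle path) for any
        instance that is not a throwaway lab box.
      * ``debug=True`` (the original default) makes PyMISP log request
        details; leave it off in production.
      * Events are created with ``distribution=2`` and tagged ``tlp:white``,
        so anything scraped from a paste is shared broadly - confirm that
        this sharing level is intended for your feed.

    Module-level names read at runtime (expected from the enclosing module):
    ``MISP_URL``, ``MISP_KEY``, ``PUBLISH_EVENTS``, ``EMAIL_ALERTS``,
    ``PyMISP`` and ``logging``.
    """

    # IOC kinds whose value maps 1:1 onto an ``add_hashes`` keyword argument.
    _HASH_KINDS = ("md5", "sha1", "sha256")

    def __init__(self, paste, ssl=False, debug=True):
        """Store the pastes and the connection settings.

        Args:
            paste: sequence of paste objects; each must expose ``title``,
                ``URI`` and ``iocs`` (a list of objects with ``kind`` and
                ``value`` attributes).
            ssl: certificate-verification argument handed to PyMISP.  Kept
                ``False`` for backwards compatibility - see the class doc.
            debug: PyMISP debug flag, previously hard-coded to ``True``.
        """
        self.paste = paste
        self.url = MISP_URL
        self.key = MISP_KEY
        self.ssl = ssl
        self.debug = debug

    def initMISP(self):
        """Open the PyMISP session that ``addEvents`` uses."""
        self.misp = PyMISP(self.url, self.key, self.ssl, 'json', debug=self.debug)

    def addEvents(self):
        """Create (and, if ``PUBLISH_EVENTS`` is set, publish) one event per IOC-bearing paste.

        ``initMISP()`` must have been called first.  Publishing passes the
        module flag ``EMAIL_ALERTS`` as the ``alert`` argument.
        """
        for paste in self.paste:
            if not paste.iocs:
                continue
            logging.debug("Paste: %s, # of IOCs: %s. Creating an event.", paste.title, len(paste.iocs))
            event = self.misp.new_event(distribution=2, analysis=2, info=paste.title)
            self.misp.add_internal_link(event, paste.URI, category="External analysis")
            self.misp.add_tag(event, "Type:OSINT")
            self.misp.add_tag(event, 'osint:source-type="pastie-website"')
            self.misp.add_tag(event, 'OSINT')
            self.misp.add_tag(event, 'tlp:white')
            for ioc in paste.iocs:
                self._add_ioc(event, ioc)
            if PUBLISH_EVENTS:
                self.misp.publish(event, alert=EMAIL_ALERTS)

    def _add_ioc(self, event, ioc):
        """Attach one parsed IOC to ``event`` according to its ``kind``.

        Unrecognised kinds are ignored.  ``CVE`` is deliberately among them:
        the original had the ``add_object`` call commented out, and no object
        template id is known here, so nothing is guessed.
        """
        kind, value = ioc.kind, ioc.value
        if kind == "IP":
            self.misp.add_ipsrc(event, value)
        elif kind == "uri":
            self.misp.add_url(event, value)
        elif kind in self._HASH_KINDS:
            # e.g. add_hashes(event, sha256=value)
            self.misp.add_hashes(event, **{kind: value})
        elif kind == "email":
            self.misp.add_email_src(event, value)
        elif kind == "filename":
            self.misp.add_filename(event, value)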
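def submit_to_misp(hash_dict, tweet, tweet_url, screen_name=None):
    """Push the hashes found in a tweet into a single new MISP event.

    Args:
        hash_dict: mapping ``hash_value -> hash_type`` where the type is one
            of ``'sha256'``, ``'sha1'`` or ``'md5'``; other types are skipped.
        tweet: tweet text, stored (tab-separated with ``tweet_url``) as the
            comment of every attribute.
        tweet_url: link to the tweet.
        screen_name: author handle used in the event title.  When omitted the
            original lookup ``status.author.screen_name`` is used, which
            relies on a module-level ``status`` - prefer passing it explicitly.

    Returns:
        The event dict returned by ``new_event``, or ``None`` when
        ``hash_dict`` is empty (no event is created then).

    Bug fixed: the original tested ``event == 0`` before ``event`` was ever
    assigned, which raised ``UnboundLocalError`` on the first hash.

    The event is created with ``new_event(0, 4, 0, ...)``: distribution 0
    (this organisation only), threat level 4, analysis 0.  The PyMISP
    session is opened with certificate verification enabled (``True``).
    Module-level names read at runtime: ``PyMISP``, ``misp_url``, ``misp_key``.
    """
    misp = PyMISP(misp_url, misp_key, True, 'json')
    if screen_name is None:
        # NOTE(review): `status` is not a parameter; this keeps the original
        # behaviour for callers that rely on a module-level `status`.
        screen_name = status.author.screen_name
    event_name = 'New tweet from ' + screen_name
    comment = tweet + '\t' + tweet_url
    event = None
    for malware_hash, hash_type in hash_dict.items():
        if event is None:
            # created lazily so an empty hash_dict produces no event
            event = misp.new_event(0, 4, 0, event_name)
        if hash_type in ('sha256', 'sha1', 'md5'):
            misp.add_hashes(event, comment=comment, **{hash_type: malware_hash})
    return event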
class TestBasic(unittest.TestCase):
    """Integration tests for PyMISP run against a live MISP instance.

    Connection settings come from the module-level ``url`` and ``key``.
    ``setUp`` calls ``PyMISP(url, key, True, 'json', True)``: the third
    argument enables TLS certificate verification, the fifth turns on
    PyMISP debug output (which echoes requests, so keep it off against
    anything but a throwaway instance).

    WARNING - destructive and not idempotent: ``test_add_event`` deletes
    event id 1 and ``test_del_attr`` deletes attribute id 1, whatever they
    happen to be on the target; ``add_user`` creates a user with a fixed,
    predictable ``authkey`` and ``'******'`` password and removes it right
    afterwards.  Point ``url``/``key`` only at a disposable test instance.

    The ``time.sleep(1)`` calls between API requests give the instance a
    moment to persist the previous change before it is read back or deleted.
    """

    def setUp(self):
        """Open a verified-TLS, debug-enabled PyMISP session."""
        self.maxDiff = None
        self.misp = PyMISP(url, key, True, 'json', True)

    def _clean_event(self, event):
        """Strip instance-specific fields from an ``{'Event': {...}}`` dict in place.

        Removes volatile keys (uuid, timestamps, org/sharing-group ids,
        related events) from the event, per-attribute ids from every entry
        of ``Attribute`` and the id/uuid of ``Org``/``Orgc``, so the rest can
        be compared against a fixed expected dict.

        Returns:
            The event ``id`` popped from the dict, or ``None`` if absent.
        """
        event['Event'].pop('orgc_id', None)
        event['Event'].pop('uuid', None)
        event['Event'].pop('sharing_group_id', None)
        event['Event'].pop('timestamp', None)
        event['Event'].pop('org_id', None)
        event['Event'].pop('date', None)
        event['Event'].pop('RelatedEvent', None)
        event['Event'].pop('publish_timestamp', None)
        if event['Event'].get('Attribute'):
            for a in event['Event'].get('Attribute'):
                a.pop('uuid', None)
                a.pop('event_id', None)
                a.pop('id', None)
                a.pop('timestamp', None)
        if event['Event'].get('Orgc'):
            event['Event']['Orgc'].pop('uuid', None)
            event['Event']['Orgc'].pop('id', None)
        if event['Event'].get('Org'):
            event['Event']['Org'].pop('uuid', None)
            event['Event']['Org'].pop('id', None)
        return event['Event'].pop('id', None)

    def new_event(self):
        """Create an event (distribution 0, threat level 1, analysis 0) and check its shape.

        Returns:
            The new event's id as ``int``.
        """
        event = self.misp.new_event(0, 1, 0, "This is a test")
        event_id = self._clean_event(event)
        to_check = {
            u'Event': {
                u'info': u'This is a test',
                u'locked': False,
                u'attribute_count': u'0',
                'disable_correlation': False,
                u'analysis': u'0',
                u'ShadowAttribute': [],
                u'published': False,
                u'distribution': u'0',
                u'event_creator_email': u'*****@*****.**',
                u'Attribute': [],
                u'proposal_email_lock': False,
                u'Org': {
                    u'name': u'ORGNAME'
                },
                u'Orgc': {
                    u'name': u'ORGNAME'
                },
                u'Galaxy': [],
                u'threat_level_id': u'1'
            }
        }
        self.assertEqual(event, to_check, 'Failed at creating a new Event')
        return int(event_id)

    def add_hashes(self, eventid):
        """Add filename|md5, filename|sha1 and filename|sha256 attributes to ``eventid``.

        The positional arguments to ``add_hashes`` are: category, filename,
        md5, sha1, sha256, comment, to_ids (False) and distribution (2).
        The expected dict therefore carries three attributes, none flagged
        for IDS export.
        """
        r = self.misp.get_event(eventid)
        event = r.json()
        event = self.misp.add_hashes(
            event, 'Payload installation', 'dll_installer.dll',
            '0a209ac0de4ac033f31d6ba9191a8f7a',
            '1f0ae54ac3f10d533013f74f48849de4e65817a7',
            '003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9',
            'Fanny modules', False, 2)
        self._clean_event(event)
        to_check = {
            u'Event': {
                u'info': u'This is a test',
                u'locked': False,
                u'attribute_count': u'3',
                u'analysis': u'0',
                u'ShadowAttribute': [],
                u'published': False,
                u'distribution': u'0',
                u'event_creator_email': u'*****@*****.**',
                u'Org': {
                    u'name': u'ORGNAME'
                },
                u'Orgc': {
                    u'name': u'ORGNAME'
                },
                u'Galaxy': [],
                u'Attribute': [{
                    u'category': u'Payload installation',
                    u'comment': u'Fanny modules',
                    u'to_ids': False,
                    u'value': u'dll_installer.dll|0a209ac0de4ac033f31d6ba9191a8f7a',
                    u'ShadowAttribute': [],
                    u'distribution': u'2',
                    u'type': u'filename|md5'
                }, {
                    u'category': u'Payload installation',
                    u'comment': u'Fanny modules',
                    u'to_ids': False,
                    u'value': u'dll_installer.dll|1f0ae54ac3f10d533013f74f48849de4e65817a7',
                    u'ShadowAttribute': [],
                    u'distribution': u'2',
                    u'type': u'filename|sha1'
                }, {
                    u'category': u'Payload installation',
                    u'comment': u'Fanny modules',
                    u'to_ids': False,
                    u'value': u'dll_installer.dll|003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9',
                    u'ShadowAttribute': [],
                    u'distribution': u'2',
                    u'type': u'filename|sha256'
                }],
                u'proposal_email_lock': False,
                u'threat_level_id': u'1'
            }
        }
        self.assertEqual(event, to_check, 'Failed at adding hashes')

    def publish(self, eventid):
        """Publish ``eventid`` and check that only ``published`` flipped to True."""
        r = self.misp.get_event(eventid)
        event = r.json()
        event = self.misp.publish(event)
        self._clean_event(event)
        to_check = {
            u'Event': {
                u'info': u'This is a test',
                u'locked': False,
                u'attribute_count': u'3',
                u'analysis': u'0',
                u'ShadowAttribute': [],
                u'published': True,
                u'distribution': u'0',
                u'event_creator_email': u'*****@*****.**',
                u'Org': {
                    u'name': u'ORGNAME'
                },
                u'Orgc': {
                    u'name': u'ORGNAME'
                },
                u'Galaxy': [],
                u'Attribute': [{
                    u'category': u'Payload installation',
                    u'comment': u'Fanny modules',
                    u'to_ids': False,
                    u'value': u'dll_installer.dll|0a209ac0de4ac033f31d6ba9191a8f7a',
                    u'ShadowAttribute': [],
                    u'distribution': u'2',
                    u'type': u'filename|md5'
                }, {
                    u'category': u'Payload installation',
                    u'comment': u'Fanny modules',
                    u'to_ids': False,
                    u'value': u'dll_installer.dll|1f0ae54ac3f10d533013f74f48849de4e65817a7',
                    u'ShadowAttribute': [],
                    u'distribution': u'2',
                    u'type': u'filename|sha1'
                }, {
                    u'category': u'Payload installation',
                    u'comment': u'Fanny modules',
                    u'to_ids': False,
                    u'value': u'dll_installer.dll|003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9',
                    u'ShadowAttribute': [],
                    u'distribution': u'2',
                    u'type': u'filename|sha256'
                }],
                u'proposal_email_lock': False,
                u'threat_level_id': u'1'
            }
        }
        self.assertEqual(event, to_check, 'Failed at publishing event')

    def delete(self, eventid):
        """Delete ``eventid`` and print the API response (no assertion)."""
        event = self.misp.delete_event(eventid)
        print(event)

    def delete_attr(self, attrid):
        """Delete attribute ``attrid`` and print the API response (no assertion)."""
        event = self.misp.delete_attribute(attrid)
        print(event)

    def get(self, eventid):
        """Fetch ``eventid`` and print it (no assertion)."""
        event = self.misp.get_event(eventid)
        print(event)

    def get_stix(self, **kwargs):
        """Request a STIX export; ``kwargs`` is handed over as one positional dict."""
        event = self.misp.get_stix(kwargs)
        print(event)

    def add(self):
        """Submit a pre-built event dict (three Fanny-module hashes) via ``add_event`` and print the result."""
        event = {
            u'Event': {
                u'info': u'This is a test',
                u'locked': False,
                u'attribute_count': u'3',
                u'analysis': u'0',
                u'ShadowAttribute': [],
                u'published': False,
                u'distribution': u'0',
                u'event_creator_email': u'*****@*****.**',
                u'Attribute': [{
                    u'category': u'Payload installation',
                    u'comment': u'Fanny modules',
                    u'to_ids': False,
                    u'value': u'dll_installer.dll|0a209ac0de4ac033f31d6ba9191a8f7a',
                    u'ShadowAttribute': [],
                    u'distribution': u'2',
                    u'type': u'filename|md5'
                }, {
                    u'category': u'Payload installation',
                    u'comment': u'Fanny modules',
                    u'to_ids': False,
                    u'value': u'dll_installer.dll|1f0ae54ac3f10d533013f74f48849de4e65817a7',
                    u'ShadowAttribute': [],
                    u'distribution': u'2',
                    u'type': u'filename|sha1'
                }, {
                    u'category': u'Payload installation',
                    u'comment': u'Fanny modules',
                    u'to_ids': False,
                    u'value': u'dll_installer.dll|003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9',
                    u'ShadowAttribute': [],
                    u'distribution': u'2',
                    u'type': u'filename|sha256'
                }],
                u'proposal_email_lock': False,
                u'threat_level_id': u'1'
            }
        }
        event = self.misp.add_event(event)
        print(event)

    def add_user(self):
        """Create a user, delete it again, then compare the echoed fields with the input.

        The user is created with a fixed ``authkey`` and placeholder
        password - never run this against a shared instance.  Deletion
        happens before the assertions so a mismatch does not leave the
        account behind.  ``password`` is intentionally not in
        ``tested_keys`` (the server returns it hashed) and fields the
        server adds (e.g. lastlogin) are ignored.
        """
        email = '*****@*****.**'
        role_id = '5'
        org_id = '1'
        password = '******'
        external_auth_required = False
        external_auth_key = ''
        enable_password = False
        nids_sid = '1238717'
        server_id = '1'
        gpgkey = ''
        certif_public = ''
        autoalert = False
        contactalert = False
        disabled = False
        change_pw = '0'
        termsaccepted = False
        newsread = '0'
        # fixed, predictable test key - a reason this must not target a real instance
        authkey = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
        to_check = {
            'User': {
                'email': email,
                'org_id': org_id,
                'role_id': role_id,
                'password': password,
                'external_auth_required': external_auth_required,
                'external_auth_key': external_auth_key,
                'enable_password': enable_password,
                'nids_sid': nids_sid,
                'server_id': server_id,
                'gpgkey': gpgkey,
                'certif_public': certif_public,
                'autoalert': autoalert,
                'contactalert': contactalert,
                'disabled': disabled,
                'change_pw': change_pw,
                'termsaccepted': termsaccepted,
                'newsread': newsread,
                'authkey': authkey
            }
        }
        user = self.misp.add_user(
            email=email,
            role_id=role_id,
            org_id=org_id,
            password=password,
            external_auth_required=external_auth_required,
            external_auth_key=external_auth_key,
            enable_password=enable_password,
            nids_sid=nids_sid,
            server_id=server_id,
            gpgkey=gpgkey,
            certif_public=certif_public,
            autoalert=autoalert,
            contactalert=contactalert,
            disabled=disabled,
            change_pw=change_pw,
            termsaccepted=termsaccepted,
            newsread=newsread,
            authkey=authkey)
        # delete user to allow reuse of test
        uid = user.get('User').get('id')
        self.misp.delete_user(uid)
        # ----------------------------------
        # test interesting keys only (some keys are modified(password) and some keys are added (lastlogin)
        tested_keys = [
            'email', 'org_id', 'role_id', 'server_id', 'autoalert', 'authkey',
            'gpgkey', 'certif_public', 'nids_sid', 'termsaccepted', 'newsread',
            'contactalert', 'disabled'
        ]
        for k in tested_keys:
            self.assertEqual(
                user.get('User').get(k),
                to_check.get('User').get(k),
                "Failed to match input with output on key: {}".format(k))

    def add_organisation(self):
        """Create an organisation with a fixed uuid, delete it again, then compare echoed fields.

        ``'anonymise'`` is in ``tested_keys`` but not in ``to_check``, so the
        comparison expects the server to return it as None/absent.
        """
        name = 'Organisation tests'
        description = 'This is a test organisation'
        orgtype = 'Type is a string'
        nationality = 'French'
        sector = 'Bank sector'
        uuid = '16fd2706-8baf-433b-82eb-8c7fada847da'
        contacts = 'Text field with no limitations'
        local = False
        to_check = {
            'Organisation': {
                'name': name,
                'description': description,
                'type': orgtype,
                'nationality': nationality,
                'sector': sector,
                'uuid': uuid,
                'contacts': contacts,
                'local': local
            }
        }
        org = self.misp.add_organisation(
            name=name,
            description=description,
            type=orgtype,
            nationality=nationality,
            sector=sector,
            uuid=uuid,
            contacts=contacts,
            local=local,
        )
        # delete organisation to allow reuse of test
        oid = org.get('Organisation').get('id')
        self.misp.delete_organisation(oid)
        # ----------------------------------
        tested_keys = [
            'anonymise', 'contacts', 'description', 'local', 'name',
            'nationality', 'sector', 'type', 'uuid'
        ]
        for k in tested_keys:
            self.assertEqual(
                org.get('Organisation').get(k),
                to_check.get('Organisation').get(k),
                "Failed to match input with output on key: {}".format(k))

    def test_create_event(self):
        """Create an event and delete it again."""
        eventid = self.new_event()
        time.sleep(1)
        self.delete(eventid)

    def test_get_event(self):
        """Create, fetch and delete an event."""
        eventid = self.new_event()
        time.sleep(1)
        self.get(eventid)
        time.sleep(1)
        self.delete(eventid)

    def test_add_event(self):
        """Submit the pre-built event, then delete event id 1 (hard-coded - destructive)."""
        self.add()
        time.sleep(1)
        self.delete(1)

    def test_del_attr(self):
        """Create an event, delete attribute id 1 (hard-coded - destructive), delete the event."""
        eventid = self.new_event()
        time.sleep(1)
        self.delete_attr(1)
        time.sleep(1)
        self.delete(eventid)

    def test_one_or_more(self):
        """PyMISP._one_or_more wraps a scalar in a tuple and leaves a list untouched."""
        self.assertEqual(self.misp._one_or_more(1), (1, ))
        self.assertEqual(self.misp._one_or_more([1]), [1])

    def test_create_user(self):
        """Round-trip a user through add_user/delete_user."""
        self.add_user()

    def test_create_organisation(self):
        """Round-trip an organisation through add_organisation/delete_organisation."""
        self.add_organisation()
class TestBasic(unittest.TestCase): def setUp(self): self.maxDiff = None self.misp = PyMISP(url, key, True, 'json') def _clean_event(self, event): event['Event'].pop('uuid', None) event['Event'].pop('timestamp', None) event['Event'].pop('date', None) event['Event'].pop('org', None) event['Event'].pop('orgc', None) event['Event'].pop('RelatedEvent', None) event['Event'].pop('publish_timestamp', None) if event['Event'].get('Attribute'): for a in event['Event'].get('Attribute'): a.pop('uuid', None) a.pop('event_id', None) a.pop('id', None) a.pop('timestamp', None) return event['Event'].pop('id', None) def new_event(self): event = self.misp.new_event(0, 1, 0, "This is a test") event_id = self._clean_event(event) to_check = {u'Event': {u'info': u'This is a test', u'locked': False, u'attribute_count': u'0', u'analysis': u'0', u'ShadowAttribute': [], u'published': False, u'distribution': u'0', u'Attribute': [], u'proposal_email_lock': False, u'threat_level_id': u'1'}}, self.assertEqual(event, to_check, 'Failed at creating a new Event') return int(event_id) def add_hashes(self, eventid): r = self.misp.get_event(eventid) event = r.json() event = self.misp.add_hashes(event, 'Payload installation', 'dll_installer.dll', '0a209ac0de4ac033f31d6ba9191a8f7a', '1f0ae54ac3f10d533013f74f48849de4e65817a7', '003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9', 'Fanny modules', False, 2) self._clean_event(event) to_check = {u'Event': {u'info': u'This is a test', u'locked': False, u'attribute_count': u'3', u'analysis': u'0', u'ShadowAttribute': [], u'published': False, u'distribution': u'0', u'Attribute': [ {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|0a209ac0de4ac033f31d6ba9191a8f7a', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|md5'}, {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': 
u'dll_installer.dll|1f0ae54ac3f10d533013f74f48849de4e65817a7', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha1'}, {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha256'}], u'proposal_email_lock': False, u'threat_level_id': u'1'}} self.assertEqual(event, to_check, 'Failed at adding hashes') def publish(self, eventid): r = self.misp.get_event(eventid) event = r.json() event = self.misp.publish(event) self._clean_event(event) to_check = {u'Event': {u'info': u'This is a test', u'locked': False, u'attribute_count': u'3', u'analysis': u'0', u'ShadowAttribute': [], u'published': True, u'distribution': u'0', u'Attribute': [ {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|0a209ac0de4ac033f31d6ba9191a8f7a', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|md5'}, {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|1f0ae54ac3f10d533013f74f48849de4e65817a7', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha1'}, {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha256'}], u'proposal_email_lock': False, u'threat_level_id': u'1'}} self.assertEqual(event, to_check, 'Failed at publishing event') def delete(self, eventid): event = self.misp.delete_event(eventid) print event.json() def delete_attr(self, attrid): event = self.misp.delete_attribute(attrid) print event.json() def get(self, eventid): event = self.misp.get_event(eventid) print event.json() def add(self): event = {u'Event': {u'info': 
u'This is a test', u'locked': False, u'attribute_count': u'3', u'analysis': u'0', u'ShadowAttribute': [], u'published': False, u'distribution': u'0', u'Attribute': [ {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|0a209ac0de4ac033f31d6ba9191a8f7a', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|md5'}, {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|1f0ae54ac3f10d533013f74f48849de4e65817a7', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha1'}, {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha256'}], u'proposal_email_lock': False, u'threat_level_id': u'1'}} event = self.misp.add_event(event) print event.json() def test_create_event(self): eventid = self.new_event() time.sleep(1) self.delete(eventid) def test_get_event(self): eventid = self.new_event() time.sleep(1) self.get(eventid) time.sleep(1) self.delete(eventid) def test_add_event(self): self.add() time.sleep(1) self.delete(1) def test_del_attr(self): eventid = self.new_event() time.sleep(1) self.delete_attr(1) time.sleep(1) self.delete(eventid)
class TestBasic(unittest.TestCase):
    """Integration tests for PyMISP run against a live MISP instance.

    Connection settings come from the module-level ``url`` and ``key``.
    ``setUp`` calls ``PyMISP(url, key, True, 'json')``: the third argument
    enables TLS certificate verification.

    WARNING - destructive and not idempotent: ``test_add_event`` deletes
    event id 1 and ``test_del_attr`` deletes attribute id 1, whatever they
    happen to be on the target; ``add_user`` creates a user with a fixed,
    predictable ``authkey`` and ``'******'`` password and removes it right
    afterwards.  Point ``url``/``key`` only at a disposable test instance.

    The ``time.sleep(1)`` calls between API requests give the instance a
    moment to persist the previous change before it is read back or deleted.
    """

    def setUp(self):
        """Open a verified-TLS PyMISP session."""
        self.maxDiff = None
        self.misp = PyMISP(url, key, True, 'json')

    def _clean_event(self, event):
        """Strip instance-specific fields from an ``{'Event': {...}}`` dict in place.

        Removes volatile keys (uuid, timestamps, org/sharing-group ids,
        related events) from the event, per-attribute ids from every entry
        of ``Attribute`` and the id/uuid of ``Org``/``Orgc``, so the rest can
        be compared against a fixed expected dict.

        Returns:
            The event ``id`` popped from the dict, or ``None`` if absent.
        """
        event['Event'].pop('orgc_id', None)
        event['Event'].pop('uuid', None)
        event['Event'].pop('sharing_group_id', None)
        event['Event'].pop('timestamp', None)
        event['Event'].pop('org_id', None)
        event['Event'].pop('date', None)
        event['Event'].pop('RelatedEvent', None)
        event['Event'].pop('publish_timestamp', None)
        if event['Event'].get('Attribute'):
            for a in event['Event'].get('Attribute'):
                a.pop('uuid', None)
                a.pop('event_id', None)
                a.pop('id', None)
                a.pop('timestamp', None)
        if event['Event'].get('Orgc'):
            event['Event']['Orgc'].pop('uuid', None)
            event['Event']['Orgc'].pop('id', None)
        if event['Event'].get('Org'):
            event['Event']['Org'].pop('uuid', None)
            event['Event']['Org'].pop('id', None)
        return event['Event'].pop('id', None)

    def new_event(self):
        """Create an event (distribution 0, threat level 1, analysis 0) and check its shape.

        This variant of the expected dict also carries an empty ``Object``
        list (newer MISP versions return it).

        Returns:
            The new event's id as ``int``.
        """
        event = self.misp.new_event(0, 1, 0, "This is a test")
        event_id = self._clean_event(event)
        to_check = {u'Event': {u'info': u'This is a test', u'locked': False,
                               u'attribute_count': u'0', 'disable_correlation': False, u'analysis': u'0',
                               u'ShadowAttribute': [], u'published': False,
                               u'distribution': u'0', u'event_creator_email': u'*****@*****.**', u'Attribute': [],
                               u'proposal_email_lock': False, u'Object': [],
                               u'Org': {u'name': u'ORGNAME'},
                               u'Orgc': {u'name': u'ORGNAME'},
                               u'Galaxy': [],
                               u'threat_level_id': u'1'}}
        self.assertEqual(event, to_check, 'Failed at creating a new Event')
        return int(event_id)

    def add_hashes(self, eventid):
        """Add filename|md5, filename|sha1 and filename|sha256 attributes to ``eventid``.

        The positional arguments to ``add_hashes`` are: category, filename,
        md5, sha1, sha256, comment, to_ids (False) and distribution (2).
        The expected dict therefore carries three attributes, none flagged
        for IDS export.
        """
        r = self.misp.get_event(eventid)
        event = r.json()
        event = self.misp.add_hashes(event, 'Payload installation',
                                     'dll_installer.dll', '0a209ac0de4ac033f31d6ba9191a8f7a',
                                     '1f0ae54ac3f10d533013f74f48849de4e65817a7',
                                     '003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9',
                                     'Fanny modules', False, 2)
        self._clean_event(event)
        to_check = {u'Event': {u'info': u'This is a test', u'locked': False,
                               u'attribute_count': u'3', u'analysis': u'0',
                               u'ShadowAttribute': [], u'published': False,
                               u'distribution': u'0', u'event_creator_email': u'*****@*****.**',
                               u'Org': {u'name': u'ORGNAME'},
                               u'Orgc': {u'name': u'ORGNAME'},
                               u'Galaxy': [],
                               u'Attribute': [
                                   {u'category': u'Payload installation', u'comment': u'Fanny modules',
                                    u'to_ids': False, u'value': u'dll_installer.dll|0a209ac0de4ac033f31d6ba9191a8f7a',
                                    u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|md5'},
                                   {u'category': u'Payload installation', u'comment': u'Fanny modules',
                                    u'to_ids': False, u'value': u'dll_installer.dll|1f0ae54ac3f10d533013f74f48849de4e65817a7',
                                    u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha1'},
                                   {u'category': u'Payload installation', u'comment': u'Fanny modules',
                                    u'to_ids': False, u'value': u'dll_installer.dll|003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9',
                                    u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha256'}],
                               u'proposal_email_lock': False, u'threat_level_id': u'1'}}
        self.assertEqual(event, to_check, 'Failed at adding hashes')

    def publish(self, eventid):
        """Publish ``eventid`` and check that only ``published`` flipped to True."""
        r = self.misp.get_event(eventid)
        event = r.json()
        event = self.misp.publish(event)
        self._clean_event(event)
        to_check = {u'Event': {u'info': u'This is a test', u'locked': False,
                               u'attribute_count': u'3', u'analysis': u'0',
                               u'ShadowAttribute': [], u'published': True,
                               u'distribution': u'0', u'event_creator_email': u'*****@*****.**',
                               u'Org': {u'name': u'ORGNAME'},
                               u'Orgc': {u'name': u'ORGNAME'},
                               u'Galaxy': [],
                               u'Attribute': [
                                   {u'category': u'Payload installation', u'comment': u'Fanny modules',
                                    u'to_ids': False, u'value': u'dll_installer.dll|0a209ac0de4ac033f31d6ba9191a8f7a',
                                    u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|md5'},
                                   {u'category': u'Payload installation', u'comment': u'Fanny modules',
                                    u'to_ids': False, u'value': u'dll_installer.dll|1f0ae54ac3f10d533013f74f48849de4e65817a7',
                                    u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha1'},
                                   {u'category': u'Payload installation', u'comment': u'Fanny modules',
                                    u'to_ids': False, u'value': u'dll_installer.dll|003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9',
                                    u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha256'}],
                               u'proposal_email_lock': False, u'threat_level_id': u'1'}}
        self.assertEqual(event, to_check, 'Failed at publishing event')

    def delete(self, eventid):
        """Delete ``eventid`` and print the API response (no assertion)."""
        event = self.misp.delete_event(eventid)
        print(event)

    def delete_attr(self, attrid):
        """Delete attribute ``attrid`` and print the API response (no assertion)."""
        event = self.misp.delete_attribute(attrid)
        print(event)

    def get(self, eventid):
        """Fetch ``eventid`` and print it (no assertion)."""
        event = self.misp.get_event(eventid)
        print(event)

    def get_stix(self, **kwargs):
        """Request a STIX export; ``kwargs`` is handed over as one positional dict."""
        event = self.misp.get_stix(kwargs)
        print(event)

    def add(self):
        """Submit a pre-built event dict (three Fanny-module hashes) via ``add_event`` and print the result."""
        event = {u'Event': {u'info': u'This is a test', u'locked': False,
                            u'attribute_count': u'3', u'analysis': u'0',
                            u'ShadowAttribute': [], u'published': False,
                            u'distribution': u'0', u'event_creator_email': u'*****@*****.**',
                            u'Attribute': [
                                {u'category': u'Payload installation', u'comment': u'Fanny modules',
                                 u'to_ids': False, u'value': u'dll_installer.dll|0a209ac0de4ac033f31d6ba9191a8f7a',
                                 u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|md5'},
                                {u'category': u'Payload installation', u'comment': u'Fanny modules',
                                 u'to_ids': False, u'value': u'dll_installer.dll|1f0ae54ac3f10d533013f74f48849de4e65817a7',
                                 u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha1'},
                                {u'category': u'Payload installation', u'comment': u'Fanny modules',
                                 u'to_ids': False, u'value': u'dll_installer.dll|003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9',
                                 u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha256'}],
                            u'proposal_email_lock': False, u'threat_level_id': u'1'}}
        event = self.misp.add_event(event)
        print(event)

    def add_user(self):
        """Create a user, delete it again, then compare the echoed fields with the input.

        The user is created with a fixed ``authkey`` and placeholder
        password - never run this against a shared instance.  Deletion
        happens before the assertions so a mismatch does not leave the
        account behind.  ``password`` is intentionally not in
        ``tested_keys`` (the server returns it hashed) and fields the
        server adds (e.g. lastlogin) are ignored.
        """
        email = '*****@*****.**'
        role_id = '5'
        org_id = '1'
        password = '******'
        external_auth_required = False
        external_auth_key = ''
        enable_password = False
        nids_sid = '1238717'
        server_id = '1'
        gpgkey = ''
        certif_public = ''
        autoalert = False
        contactalert = False
        disabled = False
        change_pw = '0'
        termsaccepted = False
        newsread = '0'
        # fixed, predictable test key - a reason this must not target a real instance
        authkey = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
        to_check = {'User': {'email': email,
                             'org_id': org_id,
                             'role_id': role_id,
                             'password': password,
                             'external_auth_required': external_auth_required,
                             'external_auth_key': external_auth_key,
                             'enable_password': enable_password,
                             'nids_sid': nids_sid,
                             'server_id': server_id,
                             'gpgkey': gpgkey,
                             'certif_public': certif_public,
                             'autoalert': autoalert,
                             'contactalert': contactalert,
                             'disabled': disabled,
                             'change_pw': change_pw,
                             'termsaccepted': termsaccepted,
                             'newsread': newsread,
                             'authkey': authkey}}
        user = self.misp.add_user(email=email,
                                  role_id=role_id,
                                  org_id=org_id,
                                  password=password,
                                  external_auth_required=external_auth_required,
                                  external_auth_key=external_auth_key,
                                  enable_password=enable_password,
                                  nids_sid=nids_sid,
                                  server_id=server_id,
                                  gpgkey=gpgkey,
                                  certif_public=certif_public,
                                  autoalert=autoalert,
                                  contactalert=contactalert,
                                  disabled=disabled,
                                  change_pw=change_pw,
                                  termsaccepted=termsaccepted,
                                  newsread=newsread,
                                  authkey=authkey)
        # delete user to allow reuse of test
        uid = user.get('User').get('id')
        self.misp.delete_user(uid)
        # ----------------------------------
        # test interesting keys only (some keys are modified(password) and some keys are added (lastlogin)
        tested_keys = ['email', 'org_id', 'role_id', 'server_id', 'autoalert',
                       'authkey', 'gpgkey', 'certif_public', 'nids_sid', 'termsaccepted',
                       'newsread', 'contactalert', 'disabled']
        for k in tested_keys:
            self.assertEqual(user.get('User').get(k), to_check.get('User').get(k), "Failed to match input with output on key: {}".format(k))

    def add_organisation(self):
        """Create an organisation with a fixed uuid, delete it again, then compare echoed fields.

        ``'anonymise'`` is in ``tested_keys`` but not in ``to_check``, so the
        comparison expects the server to return it as None/absent.
        """
        name = 'Organisation tests'
        description = 'This is a test organisation'
        orgtype = 'Type is a string'
        nationality = 'French'
        sector = 'Bank sector'
        uuid = '16fd2706-8baf-433b-82eb-8c7fada847da'
        contacts = 'Text field with no limitations'
        local = False
        to_check = {'Organisation': {'name': name,
                                     'description': description,
                                     'type': orgtype,
                                     'nationality': nationality,
                                     'sector': sector,
                                     'uuid': uuid,
                                     'contacts': contacts,
                                     'local': local}}
        org = self.misp.add_organisation(name=name,
                                         description=description,
                                         type=orgtype,
                                         nationality=nationality,
                                         sector=sector,
                                         uuid=uuid,
                                         contacts=contacts,
                                         local=local,
                                         )
        # delete organisation to allow reuse of test
        oid = org.get('Organisation').get('id')
        self.misp.delete_organisation(oid)
        # ----------------------------------
        tested_keys = ['anonymise', 'contacts', 'description', 'local', 'name', 'nationality', 'sector', 'type', 'uuid']
        for k in tested_keys:
            self.assertEqual(org.get('Organisation').get(k), to_check.get('Organisation').get(k), "Failed to match input with output on key: {}".format(k))

    def test_create_event(self):
        """Create an event and delete it again."""
        eventid = self.new_event()
        time.sleep(1)
        self.delete(eventid)

    def test_get_event(self):
        """Create, fetch and delete an event."""
        eventid = self.new_event()
        time.sleep(1)
        self.get(eventid)
        time.sleep(1)
        self.delete(eventid)

    def test_add_event(self):
        """Submit the pre-built event, then delete event id 1 (hard-coded - destructive)."""
        self.add()
        time.sleep(1)
        self.delete(1)

    def test_del_attr(self):
        """Create an event, delete attribute id 1 (hard-coded - destructive), delete the event."""
        eventid = self.new_event()
        time.sleep(1)
        self.delete_attr(1)
        time.sleep(1)
        self.delete(eventid)

    def test_one_or_more(self):
        """PyMISP._one_or_more wraps a scalar in a tuple and leaves a list untouched."""
        self.assertEqual(self.misp._one_or_more(1), (1,))
        self.assertEqual(self.misp._one_or_more([1]), [1])

    def test_create_user(self):
        """Round-trip a user through add_user/delete_user."""
        self.add_user()

    def test_create_organisation(self):
        """Round-trip an organisation through add_organisation/delete_organisation."""
        self.add_organisation()
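def mispBuildObject(object_type, properties, event, args):
    """Translate one CybOX observable into MISP attributes on ``event``.

    ``object_type`` is matched by substring of its ``str()`` form.  Handled
    types: File (each hash paired with the file name when one is known),
    Mutex, WindowsRegistryKey (one attribute per value, or the bare key),
    DomainName, URI, Address (added as ip-src), EmailMessage (from/sender,
    to, subject, reply-to, X-Originating-IP).  Port objects are only
    printed.  Field values are echoed to stdout as before.

    Args:
        object_type: CybOX object type (anything whose ``str()`` names it).
        properties: the object's ``properties``; attributes are accessed
            per type as listed above.
        event: MISP event (dict) the attributes are attached to.
        args: CLI namespace; ``args.ids`` is used as ``to_ids`` for every
            attribute (see the note in the body).

    Security notes:
      * The PyMISP session is opened with certificate verification
        disabled (third argument ``False``), retained from the original.
        This exposes ``misp_key`` to an on-path attacker - use ``True`` or
        a CA-bundle path for anything but a lab instance.
      * Attributes are created with ``to_ids`` set, which feeds IDS exports;
        be deliberate about that when importing third-party STIX.

    Module-level names read at runtime: ``PyMISP``, ``misp_url``,
    ``misp_key``, ``proxies``.

    Fix: when a File object had no ``file_name`` the original passed
    ``str(None)`` - the literal string ``"None"`` - as the filename of each
    hash attribute.  ``None`` is now passed instead.
    """
    # NOTE(review): certificate verification is off here.
    misp = PyMISP(misp_url, misp_key, False, 'json', proxies=proxies)

    # Process Args
    # NOTE(review): this forces to_ids to True whenever args.ids is falsy,
    # so an explicit False from the CLI never reaches MISP.  Kept as in the
    # original; change to `if args.ids is None` if the flag should be
    # honoured.
    if not args.ids:
        args.ids = True
    to_ids = args.ids
    type_name = str(object_type)

    if "FileObjectType" in type_name:
        _misp_add_file(misp, properties, event, to_ids)

    if "MutexObjectType" in type_name:
        print(" name: " + str(properties.name))
        misp.add_mutex(event, str(properties.name), to_ids=to_ids)

    if "WindowsRegistryKeyObjectType" in type_name:
        _misp_add_regkey(misp, properties, event, to_ids)

    if "DomainNameObjectType" in type_name:
        print(" domain: " + str(properties.value))
        misp.add_domain(event, str(properties.value), to_ids=to_ids)

    if "URIObjectType" in type_name:
        print(" uri: " + str(properties.value))
        misp.add_url(event, str(properties.value), to_ids=to_ids)

    if "AddressObjectType" in type_name:
        # every address is recorded as a *source* IP, as in the original
        print(" ip: " + str(properties.address_value))
        misp.add_ipsrc(event, str(properties.address_value), to_ids=to_ids)

    if "PortObjectType" in type_name:
        # printed only - no MISP attribute is created for ports
        print(" port: " + str(properties.port_value))

    if "EmailMessageObjectType" in type_name:
        _misp_add_email(misp, properties, event, to_ids)


def _misp_file_comment(properties):
    """Build the "[PATH] .. | [SIZE] .. | [FORMAT] .." comment for a File object.

    ``size`` is preferred over ``size_in_bytes``; empty parts are omitted
    and the result is ``""`` when nothing is known.
    """
    parts = []
    if properties.file_path:
        parts.append("[PATH] " + str(properties.file_path))
    size = properties.size or properties.size_in_bytes
    if size:
        parts.append("[SIZE] " + str(size))
    if properties.file_format:
        parts.append("[FORMAT] " + str(properties.file_format))
    return " | ".join(parts)


# CybOX hash type name -> PyMISP add_hashes keyword.  Types not listed here
# (e.g. SHA224) are printed but not submitted, as before.
_MISP_HASH_KWARGS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SSDEEP": "ssdeep"}


def _misp_add_file(misp, properties, event, to_ids):
    """Echo the File object's fields and add one filename|hash attribute per known hash."""
    print(" file_format: " + str(properties.file_format))
    print(" file_name: " + str(properties.file_name))
    print(" file_path: " + str(properties.file_path))
    print(" md5: " + str(properties.md5))
    print(" sha1: " + str(properties.sha1))
    print(" peak_entropy: " + str(properties.peak_entropy))
    print(" sha_224: " + str(properties.sha224))
    print(" size: " + str(properties.size))
    print(" size_in_bytes: " + str(properties.size_in_bytes))

    file_name = str(properties.file_name) if properties.file_name else None
    comment = _misp_file_comment(properties)

    for file_hash in properties.hashes:
        hash_type = str(file_hash.type_)
        print(" " + hash_type + ": " + str(file_hash))
        keyword = _MISP_HASH_KWARGS.get(hash_type)
        if keyword is None:
            continue
        misp.add_hashes(event, filename=file_name, comment=comment, to_ids=to_ids,
                        **{keyword: str(file_hash)})


def _misp_add_regkey(misp, properties, event, to_ids):
    """Add the registry key once per value (key + value data), or bare when it has no values."""
    print(" key: " + str(properties.key))
    if properties.values:
        for value in properties.values:
            print(" value.datatype: " + str(value.datatype))
            print(" value.data: " + str(value.data))
            misp.add_regkey(event, str(properties.key), rvalue=str(value.data), to_ids=to_ids)
    else:
        misp.add_regkey(event, str(properties.key), to_ids=to_ids)


def _misp_add_email(misp, properties, event, to_ids):
    """Add email-src/dst/subject attributes plus the X-Originating-IP as ip-src.

    ``from_`` wins over ``sender``; ``reply_to`` is added as a second
    email-src with an explanatory comment.
    """
    print(" date: " + str(properties.date))
    print(" from: " + str(properties.from_))
    print(" sender: " + str(properties.sender))
    if properties.from_:
        misp.add_email_src(event, str(properties.from_), to_ids=to_ids)
    elif properties.sender:
        misp.add_email_src(event, str(properties.sender), to_ids=to_ids)
    print(" to: " + str(properties.to))
    if properties.to:
        misp.add_email_dst(event, str(properties.to), to_ids=to_ids)
    print(" subject: " + str(properties.subject))
    if properties.subject:
        misp.add_email_subject(event, str(properties.subject), to_ids=to_ids)
    print(" reply_to: " + str(properties.reply_to))
    if properties.reply_to:
        misp.add_email_src(event, str(properties.reply_to), comment="Reply-To Address", to_ids=to_ids)
    print(" message_id: " + str(properties.message_id))
    print(" x_originating_ip: " + str(properties.x_originating_ip))
    if properties.x_originating_ip:
        misp.add_ipsrc(event, str(properties.x_originating_ip), comment="MAIL X-Origin-IP", to_ids=to_ids)
    print(" email_server: " + str(properties.email_server))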
class TestBasic(unittest.TestCase): def setUp(self): self.maxDiff = None self.misp = PyMISP(url, key, True, 'json', True) def _clean_event(self, event): event['Event'].pop('orgc_id', None) event['Event'].pop('uuid', None) event['Event'].pop('sharing_group_id', None) event['Event'].pop('timestamp', None) event['Event'].pop('org_id', None) event['Event'].pop('date', None) event['Event'].pop('RelatedEvent', None) event['Event'].pop('publish_timestamp', None) if event['Event'].get('Attribute'): for a in event['Event'].get('Attribute'): a.pop('uuid', None) a.pop('event_id', None) a.pop('id', None) a.pop('timestamp', None) if event['Event'].get('Orgc'): event['Event']['Orgc'].pop('uuid', None) event['Event']['Orgc'].pop('id', None) if event['Event'].get('Org'): event['Event']['Org'].pop('uuid', None) event['Event']['Org'].pop('id', None) return event['Event'].pop('id', None) def new_event(self): event = self.misp.new_event(0, 1, 0, "This is a test") event_id = self._clean_event(event) to_check = {u'Event': {u'info': u'This is a test', u'locked': False, u'attribute_count': None, 'disable_correlation': False, u'analysis': u'0', u'ShadowAttribute': [], u'published': False, u'distribution': u'0', u'Attribute': [], u'proposal_email_lock': False, u'Org': {u'name': u'ORGNAME'}, u'Orgc': {u'name': u'ORGNAME'}, u'Galaxy': [], u'threat_level_id': u'1'}} print(event) self.assertEqual(event, to_check, 'Failed at creating a new Event') return int(event_id) def add_hashes(self, eventid): r = self.misp.get_event(eventid) event = r.json() event = self.misp.add_hashes(event, 'Payload installation', 'dll_installer.dll', '0a209ac0de4ac033f31d6ba9191a8f7a', '1f0ae54ac3f10d533013f74f48849de4e65817a7', '003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9', 'Fanny modules', False, 2) self._clean_event(event) to_check = {u'Event': {u'info': u'This is a test', u'locked': False, u'attribute_count': u'3', u'analysis': u'0', u'ShadowAttribute': [], u'published': False, u'distribution': 
u'0', u'Org': {u'name': u'ORGNAME'}, u'Orgc': {u'name': u'ORGNAME'}, u'Galaxy': [], u'Attribute': [ {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|0a209ac0de4ac033f31d6ba9191a8f7a', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|md5'}, {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|1f0ae54ac3f10d533013f74f48849de4e65817a7', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha1'}, {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha256'}], u'proposal_email_lock': False, u'threat_level_id': u'1'}} self.assertEqual(event, to_check, 'Failed at adding hashes') def publish(self, eventid): r = self.misp.get_event(eventid) event = r.json() event = self.misp.publish(event) self._clean_event(event) to_check = {u'Event': {u'info': u'This is a test', u'locked': False, u'attribute_count': u'3', u'analysis': u'0', u'ShadowAttribute': [], u'published': True, u'distribution': u'0', u'Org': {u'name': u'ORGNAME'}, u'Orgc': {u'name': u'ORGNAME'}, u'Galaxy': [], u'Attribute': [ {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|0a209ac0de4ac033f31d6ba9191a8f7a', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|md5'}, {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|1f0ae54ac3f10d533013f74f48849de4e65817a7', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha1'}, {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9', 
u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha256'}], u'proposal_email_lock': False, u'threat_level_id': u'1'}} self.assertEqual(event, to_check, 'Failed at publishing event') def delete(self, eventid): event = self.misp.delete_event(eventid) print(event) def delete_attr(self, attrid): event = self.misp.delete_attribute(attrid) print(event) def get(self, eventid): event = self.misp.get_event(eventid) print(event) def get_stix(self, **kwargs): event = self.misp.get_stix(kwargs) print(event) def add(self): event = {u'Event': {u'info': u'This is a test', u'locked': False, u'attribute_count': u'3', u'analysis': u'0', u'ShadowAttribute': [], u'published': False, u'distribution': u'0', u'Attribute': [ {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|0a209ac0de4ac033f31d6ba9191a8f7a', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|md5'}, {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|1f0ae54ac3f10d533013f74f48849de4e65817a7', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha1'}, {u'category': u'Payload installation', u'comment': u'Fanny modules', u'to_ids': False, u'value': u'dll_installer.dll|003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9', u'ShadowAttribute': [], u'distribution': u'2', u'type': u'filename|sha256'}], u'proposal_email_lock': False, u'threat_level_id': u'1'}} event = self.misp.add_event(event) print(event) def test_create_event(self): eventid = self.new_event() time.sleep(1) self.delete(eventid) def test_get_event(self): eventid = self.new_event() time.sleep(1) self.get(eventid) time.sleep(1) self.delete(eventid) def test_add_event(self): self.add() time.sleep(1) self.delete(1) def test_del_attr(self): eventid = self.new_event() time.sleep(1) self.delete_attr(1) time.sleep(1) self.delete(eventid) def test_one_or_more(self): 
self.assertEqual(self.misp._one_or_more(1), (1,)) self.assertEqual(self.misp._one_or_more([1]), [1])
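# CybOX hash type name -> keyword argument of PyMISP.add_hashes. Hash types
# not listed here are printed but not pushed to MISP.
_HASH_KWARGS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SSDEEP": "ssdeep"}


def mispBuildObject(object_type, properties, event, args):
    """Push the indicators carried by one observable object into a MISP event.

    Args:
        object_type: the observable's object type; dispatch is by substring
            match on ``str(object_type)`` (e.g. ``"FileObjectType"``).
        properties: the object's properties; which fields are read depends on
            the type (presumably a cybox/python-stix properties object -- verify).
        event: the MISP event the attributes are added to (handed to the
            PyMISP ``add_*`` helpers unchanged).
        args: parsed command-line arguments. ``args.ids`` supplies the
            ``to_ids`` flag of every attribute and is forced to True when falsy.

    Side effects: prints every field it reads, opens a PyMISP connection using
    the module-level ``misp_url``/``misp_key``/``proxies``, creates attributes
    on ``event`` and mutates ``args.ids``. Returns None.
    """
    # Set MISP instance
    # misp = PyMISP(misp_url, misp_key, False, 'json')
    # NOTE(review): the third positional argument is PyMISP's ssl flag; False
    # disables certificate verification on the connection that carries the API key.
    misp = PyMISP(misp_url, misp_key, False, 'json', proxies=proxies)
    # Process Args
    # NOTE(review): a falsy args.ids is overridden, so every attribute ends up
    # with to_ids=True (i.e. exported to detection feeds) and the flag cannot be
    # used to opt out. Kept as-is; confirm this is intentional, since the input
    # STIX content is external data.
    if not args.ids:
        args.ids = True
    to_ids = args.ids
    kind = str(object_type)

    # Grab important info from File Objects
    if "FileObjectType" in kind:
        _add_file_object(misp, event, properties, to_ids)

    # Grab important info from Mutex Objects
    if "MutexObjectType" in kind:
        print(" name: " + str(properties.name))
        misp.add_mutex(event, str(properties.name), to_ids=to_ids)

    # Grab important info from Registry Keys
    if "WindowsRegistryKeyObjectType" in kind:
        _add_registry_object(misp, event, properties, to_ids)

    # Grab Domain Names
    if "DomainNameObjectType" in kind:
        print(" domain: " + str(properties.value))
        misp.add_domain(event, str(properties.value), to_ids=to_ids)

    # Grab URI's
    if "URIObjectType" in kind:
        print(" uri: " + str(properties.value))
        misp.add_url(event, str(properties.value), to_ids=to_ids)

    # Grab IP's
    if "AddressObjectType" in kind:
        print(" ip: " + str(properties.address_value))
        misp.add_ipsrc(event, str(properties.address_value), to_ids=to_ids)

    # Grab Ports -- printed only, no MISP attribute is created for a port.
    if "PortObjectType" in kind:
        print(" port: " + str(properties.port_value))

    # Grab Email Info
    if "EmailMessageObjectType" in kind:
        _add_email_object(misp, event, properties, to_ids)


def _add_file_object(misp, event, properties, to_ids):
    """Add one hash attribute per hash of a File object, with path/size/format in the comment."""
    # print dir(properties)
    print(" file_format: " + str(properties.file_format))
    print(" file_name: " + str(properties.file_name))
    print(" file_path: " + str(properties.file_path))
    print(" md5: " + str(properties.md5))
    print(" sha1: " + str(properties.sha1))
    print(" peak_entropy: " + str(properties.peak_entropy))
    print(" sha_224: " + str(properties.sha224))
    print(" size: " + str(properties.size))
    print(" size_in_bytes: " + str(properties.size_in_bytes))
    # print " hashes_dir: "+str(dir(properties.hashes))
    # Get other file info; absent fields become "" so they are skipped below.
    file_name = str(properties.file_name) if properties.file_name else ""
    file_path = str(properties.file_path) if properties.file_path else ""
    if properties.size:
        size = str(properties.size)
    elif properties.size_in_bytes:
        size = str(properties.size_in_bytes)
    else:
        size = ""
    file_format = str(properties.file_format) if properties.file_format else ""
    # Build the comment w/ related info: "[PATH] p | [SIZE] s | [FORMAT] f"
    parts = []
    if file_path:
        parts.append("[PATH] " + file_path)
    if size:
        parts.append("[SIZE] " + size)
    if file_format:
        parts.append("[FORMAT] " + file_format)
    comment = " | ".join(parts)
    for file_hash in properties.hashes:
        hash_type = str(file_hash.type_)
        print(" " + hash_type + ": " + str(file_hash))
        # Add to MISP
        kwarg = _HASH_KWARGS.get(hash_type)
        if kwarg is None:
            continue
        # Pass the already-normalised file_name ("" when absent) rather than
        # str(properties.file_name): the latter produced the literal
        # "None|<hash>" attribute value for files without a name.
        misp.add_hashes(event, filename=file_name, comment=comment,
                        to_ids=to_ids, **{kwarg: str(file_hash)})


def _add_registry_object(misp, event, properties, to_ids):
    """Add one regkey attribute per value under the key (or the bare key)."""
    key = str(properties.key)
    print(" key: " + key)
    if properties.values:
        for value in properties.values:
            print(" value.datatype: " + str(value.datatype))
            print(" value.data: " + str(value.data))
            # print " value: "+str(dir(value))
            # Add to MISP
            misp.add_regkey(event, key, rvalue=str(value.data), to_ids=to_ids)
    else:
        misp.add_regkey(event, key, to_ids=to_ids)


def _add_email_object(misp, event, properties, to_ids):
    """Add sender/recipient/subject/origin-IP attributes of an EmailMessage object."""
    print(" date: " + str(properties.date))
    print(" from: " + str(properties.from_))
    print(" sender: " + str(properties.sender))
    # From takes precedence; Sender is only used when From is absent.
    if properties.from_:
        misp.add_email_src(event, str(properties.from_), to_ids=to_ids)
    elif properties.sender:
        misp.add_email_src(event, str(properties.sender), to_ids=to_ids)
    print(" to: " + str(properties.to))
    if properties.to:
        misp.add_email_dst(event, str(properties.to), to_ids=to_ids)
    print(" subject: " + str(properties.subject))
    if properties.subject:
        misp.add_email_subject(event, str(properties.subject), to_ids=to_ids)
    print(" reply_to: " + str(properties.reply_to))
    if properties.reply_to:
        misp.add_email_src(event, str(properties.reply_to),
                           comment="Reply-To Address", to_ids=to_ids)
    print(" message_id: " + str(properties.message_id))
    print(" x_originating_ip: " + str(properties.x_originating_ip))
    if properties.x_originating_ip:
        misp.add_ipsrc(event, str(properties.x_originating_ip),
                       comment="MAIL X-Origin-IP", to_ids=to_ids)
    # Printed only; no attribute is created for the mail server field.
    print(" email_server: " + str(properties.email_server))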