def test_valid_misp_inputs(self):
intel_data = IntelData(self.indicator,
self.expected_intel_type,
source="MISP")
expected_intel = Intel(self.ts, self.id, intel_data, Operation.ADD)
self.assertEqual(map_to_internal(self.valid_misp_attribute, "add"),
expected_intel)
def setUp(self):
self.ts = datetime.now().astimezone()
self.intel_id = "intel-42"
self.indicator = "6.6.6.6"
self.intel_type = IntelType.IPSRC
self.operation = Operation.ADD
self.intel_data = IntelData(self.indicator,
self.intel_type,
foo=23,
more_args="MORE ARGS")
self.intel = Intel(self.ts, self.intel_id, self.intel_data,
self.operation)
self.sighting_context = {
"ts": "2017-03-03T23:56:09.652643840",
"uid": "CMeLkt11aTqwgN4FI9",
"id.orig_h": "172.31.130.19",
"id.orig_p": 43872,
"id.resp_h": "172.31.129.17",
"id.resp_p": 20004,
"proto": "tcp",
"service": None,
"duration": 0.025249,
"orig_bytes": 311,
"resp_bytes": 999,
"conn_state": "SF",
"local_orig": None,
"local_resp": None,
"missed_bytes": 0,
"history": "ShADadFf",
"orig_pkts": 9,
"orig_ip_bytes": 787,
"resp_pkts": 7,
"resp_ip_bytes": 1371,
"tunnel_parents": [],
"alert": {
"signature": "VAST-RETRO Generic IoC match for: 172.31.129.17",
"category": "Potentially Bad Traffic",
"action": "allowed",
},
"event_type": "alert",
"_extra": {
"vast-ioc": "172.31.129.17"
},
"source": "VAST",
}
self.sighting = Sighting(self.ts, self.intel_id, self.sighting_context,
(self.indicator, ))
self.snapshot_id = "SNAPSHOT_UUID"
self.snapshot = timedelta(days=42, hours=23, minutes=13, seconds=37)
self.snapshot_request = SnapshotRequest(MessageType.SIGHTING,
self.snapshot_id,
self.snapshot)
self.snapshot_envelope_intel = SnapshotEnvelope(
MessageType.INTEL, self.snapshot_id, self.intel)
self.snapshot_envelope_sighting = SnapshotEnvelope(
MessageType.SIGHTING, self.snapshot_id, self.sighting)
def test_valid_intel(self):
data = IntelData("6.6.6.6", IntelType.IPDST_PORT, foo=23)
expected_broker_data = {"indicator": "6.6.6.6", "intel_type": "ADDR"}
op = Operation.REMOVE
intel = Intel(self.ts, self.id, data, op)
broker_msg = map_to_broker(intel, self.module_namespace)
self.assertEqual(broker_msg.name(), self.module_namespace + "::intel")
self.assertEqual(broker_msg.args(),
[(self.ts, self.id, expected_broker_data, op.value)])
def test_valid_intel(self):
data = IntelData("6.6.6.6", IntelType.IPSRC, foo=23)
op = Operation.REMOVE
intel = Intel(self.ts, self.id, data, op)
expected_vast_msg = {
"ioc": "6.6.6.6",
"type": "ip",
"operation": "REMOVE",
"reference": "threatbus__" + str(self.id),
}
vast_msg = map_intel_to_vast(intel)
self.assertEqual(json.loads(vast_msg), expected_vast_msg)
def map_to_internal(misp_attribute, action, logger=None):
"""Maps the given MISP attribute to the threatbus intel format.
@param misp_attribute A MISP attribute
@param action A string from MISP, describing the action for the attribute (either 'add' or 'delete')
@return the mapped intel item or None
"""
# parse MISP attribute
if not misp_attribute:
return None
to_ids = misp_attribute.get("to_ids", False)
if not to_ids and action != "edit" or not action:
return None
operation = Operation.REMOVE
if (action == "edit" or action == "add") and to_ids:
operation = Operation.ADD
# parse values
intel_type = misp_attribute.get("type", None)
indicator = misp_attribute.get("value", None)
if not intel_type or not indicator:
return None
# parse compound MISP intel:
if "|" in intel_type:
indicator = tuple(indicator.split("|"))
if len(indicator) != 2:
if logger:
logger.debug(
f"Expected '|'-separated composite values for MISP intel type {intel_type}"
)
return None
return Intel(
datetime.fromtimestamp(int(misp_attribute["timestamp"])),
str(misp_attribute["id"]),
IntelData(
indicator,
misp_intel_type_mapping[intel_type],
source="MISP",
),
operation,
)
def map_to_internal(broker_data, module_namespace):
"""Maps a broker message, based on the event name, to the internal format.
@param broker_data The raw data that was received via broker
@param module_namespace A Zeek namespace to accept events from
"""
event = broker.zeek.Event(broker_data)
name, args = event.name(), event.args()
module_namespace = module_namespace + "::" if module_namespace else ""
name = name[name.startswith(module_namespace) and len(module_namespace) :]
if name == "sighting" and len(args) == 3:
# convert args to sighting
return Sighting(args[0], str(args[1]), args[2])
elif name == "intel" and len(args) >= 3:
# convert args to intel
op = Operation.ADD
with suppress(Exception):
op = Operation(args[3])
intel_data = map_broker_intel_to_internal(args[2])
if not intel_data:
return None
return Intel(args[0], str(args[1]), intel_data, op)
from datetime import datetime
import json
import pika
import sys
from threatbus.data import Intel, IntelData, IntelType, Operation, IntelEncoder
## Dummy intel data
intel_id = "intel-42"
indicator = "68.216.79.113"
intel_type = IntelType.IPSRC
operation = Operation.ADD
intel_data = IntelData(indicator, intel_type, foo=23, more_args="MORE ARGS")
intel = Intel(
datetime.strptime("2020-11-02 17:00:00", "%Y-%m-%d %H:%M:%S"),
intel_id,
intel_data,
operation,
)
intel_json = json.dumps(intel, cls=IntelEncoder)
## rabbitmq
host = "localhost"
port = "5672"
vhost = "/"
credentials = pika.PlainCredentials("guest", "guest")
conn_params = pika.ConnectionParameters(host, port, vhost, credentials)
connection = pika.BlockingConnection(conn_params)
channel = connection.channel()