From 1e76e10c012a9c84b6c29c8a4e263c58639f26a3 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Mon, 20 Nov 2017 12:12:53 +0100
Subject: [PATCH] Support of add_object to a MISP instance
---
bin/ailleakOject.py | 89 ++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 83 insertions(+), 6 deletions(-)
diff --git a/bin/ailleakOject.py b/bin/ailleakOject.py
index 8459a126..d56b5012 100755
--- a/bin/ailleakOject.py
+++ b/bin/ailleakOject.py
@@ -3,20 +3,38 @@ from pymisp.tools.abstractgenerator import AbstractMISPObjectGenerator from packages import Paste +import datetime class AilleakObject(AbstractMISPObjectGenerator): - def __init__(self, moduleName, path): + def __init__(self, moduleName, p_source, p_date): + #def __init__(self, moduleName, p_source, p_date, p_content): super(AbstractMISPObjectGenerator, self).__init__('ail-leak') self.moduleName = moduleName - self.path = path - self.paste = Paste.Paste(path) + self.p_source = p_source + self.p_date = p_date + #self.p_content = p_content self.generate_attributes() def generate_attributes(self): self.add_attribute('type', value=self.moduleName) - self.add_attribute('origin', value=self.paste.p_source) - self.add_attribute('last-seen', value=self.paste.p_date) - #self.add_attribute('raw-data', value=self.paste.get_p_content()) + self.add_attribute('origin', value=self.p_source) + self.add_attribute('last-seen', value=self.p_date) + #self.add_attribute('raw-data', value=self.p_content) + +class objectWrapper: + def __init__(self, moduleName, path, pymisp): + self.moduleName = moduleName + self.path = path + self.pymisp = pymisp + self.paste = Paste.Paste(path) + self.p_date = self.date_to_str(self.paste.p_date) + self.p_source = self.paste.supposed_url + self.p_content = self.paste.get_p_content() + + self.eventID_to_push = self.get_daily_event_id() + self.mispObject = AilleakObject(self.moduleName, self.p_source, self.p_date) + #self.mispObject = AilleakObject(self.moduleName, self.p_source, self.p_date, self.p_content) + ''' # duplicated duplicate_list = json.loads(paste._get_p_duplicate()) 
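Review bot: `objectWrapper.__init__` loads the whole paste with `self.p_content = self.paste.get_p_content()`, but nothing on the new side reads `p_content`, because the `raw-data` attribute and the four-argument `AilleakObject` constructor are both commented out. That keeps leaked paste content in memory on every wrapper for no purpose; I would drop the assignment and the commented-out alternatives until `raw-data` is really sent. If it is enabled later, it should be an explicit opt-in such as `def __init__(self, moduleName, p_source, p_date, p_content=None):`, since it would copy raw leak data into a MISP event. The constructor also calls `self.get_daily_event_id()`, which in the next hunk searches MISP and may create an event, so building the object has network side effects with no error handling around them. The `'''` block at the end of this hunk continues into the next hunk.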
@@ -24,6 +42,65 @@ class AilleakObject(AbstractMISPObjectGenerator): self.add_attribute('duplicate', value=is_duplicate) ''' + def date_to_str(self, date): + return "{0}-{1}-{2}".format(date.year, date.month, date.day) + + def get_all_related_events(self): + to_search = "Daily AIL-leaks" + result = pymisp.search_all(to_search) + events = [] + for e in result['response']: + events.append({'id': e['Event']['id'], 'org_id': e['Event']['org_id'], 'info': e['Event']['info']}) + return events + + def get_daily_event_id(self): + to_match = "Daily AIL-leaks {}".format(datetime.date.today()) + events = self.get_all_related_events() + for dic in events: + info = dic['info'] + e_id = dic['id'] + if info == to_match: + print('Found: ', info, '->', e_id) + return e_id + created_event = self.create_daily_event()['Event'] + new_id = created_event['id'] + print('New event created:', new_id) + return new_id + + + def create_daily_event(self): + today = datetime.date.today() + # [0-3] + distribution = 0 + info = "Daily AIL-leaks {}".format(today) + # [0-2] + analysis = 0 + # [1-4] + threat = 3 + published = False + org_id = None + orgc_id = None + sharing_group_id = None + date = None + event = self.pymisp.new_event(distribution, threat, + analysis, info, date, + published, orgc_id, org_id, sharing_group_id) + return event + + # Publish object to MISP + def pushToMISP(self): + mispTYPE = 'ail-leak' + try: + templateID = [x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list() if x['ObjectTemplate']['name'] == mispTYPE][0] + except IndexError: + valid_types = ", ".join([x['ObjectTemplate']['name'] for x in pymisp.get_object_templates_list()]) + print ("Template for type %s not found! Valid types are: %s" % (mispTYPE, valid_types)) + r = self.pymisp.add_object(self.eventID_to_push, templateID, self.mispObject) + if 'errors' in r: + print(r) + else: + print('Pushed:', self.moduleName, '->', self.p_source) + if __name__ == "__main__":
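Review bot: `get_all_related_events` and `pushToMISP` call a bare `pymisp` (`pymisp.search_all(to_search)`, `pymisp.get_object_templates_list()`) instead of the client stored on the instance. They only work if a module-level name `pymisp` happens to exist and otherwise raise NameError. Use `self.pymisp`, as `create_daily_event` already does, e.g. `result = self.pymisp.search_all(to_search)`. In `pushToMISP` the `except IndexError` branch prints the message and then falls through to `add_object` with `templateID` never assigned, so a missing template ends in an UnboundLocalError instead of a clean stop; the fence below fetches the template list once and returns early. `get_all_related_events` also indexes `result['response']` without checking for an error reply, which would presumably surface as a KeyError raised from the `objectWrapper` constructor.

```python
    def pushToMISP(self):
        # … unchanged: mispTYPE …
        templates = self.pymisp.get_object_templates_list()
        templateID = next((x['ObjectTemplate']['id'] for x in templates
                           if x['ObjectTemplate']['name'] == mispTYPE), None)
        if templateID is None:
            valid_types = ", ".join(x['ObjectTemplate']['name'] for x in templates)
            print("Template for type %s not found! Valid types are: %s" % (mispTYPE, valid_types))
            return
        # … unchanged: add_object call and result printing …
```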