Added draft support of MISP ail-leak object

pull/151/head
Sami Mokaddem 2017-11-16 09:52:37 +01:00
parent 652b00f4b2
commit 45a9897020
3 changed files with 51 additions and 0 deletions

25
bin/ailleakOject.py Normal file
View File

@ -0,0 +1,25 @@
#!/usr/bin/env python3
# -*-coding:UTF-8 -*
from pymisp.tools import GenericObjectGenerator
from packages import Paste
class AilleakObject(AbstractMISPObjectGenerator):
def __init__(self, moduleName, path):
super(GenericObject, self).__init__('ail-leak')
self.moduleName = moduleName
self.path = path
self.paste = Paste.Paste(path)
self.generate_attributes()
def generate_attributes(self):
self.add_attribute('type', value=self.moduleName)
self.add_attribute('origin', value=self.paste.p_source)
self.add_attribute('last-seen', value=self.paste.p_date)
self.add_attribute('raw-data', value=self.paste.get_p_content())
'''
# duplicated
duplicate_list = json.loads(paste._get_p_duplicate())
is_duplicate = True if len(duplicate_list) > 0 else False
self.add_attribute('duplicate', value=is_duplicate)
'''

View File

@ -20,6 +20,10 @@ from packages import Paste
from pubsublogger import publisher from pubsublogger import publisher
from Helper import Process from Helper import Process
from pymisp import PyMISP
import ailleakObject
from ../mispKEYS import misp_url, misp_key, misp_verifycert
if __name__ == "__main__": if __name__ == "__main__":
publisher.port = 6380 publisher.port = 6380
publisher.channel = "Script" publisher.channel = "Script"
@ -27,6 +31,9 @@ if __name__ == "__main__":
config_section = 'alertHandler' config_section = 'alertHandler'
p = Process(config_section) p = Process(config_section)
pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
eventID = "9356"
mispTYPE = 'ail-leak'
# port generated automatically depending on the date # port generated automatically depending on the date
curYear = datetime.now().year curYear = datetime.now().year
@ -55,3 +62,16 @@ if __name__ == "__main__":
publisher.info('Saved warning paste {}'.format(p_path)) publisher.info('Saved warning paste {}'.format(p_path))
# Create MISP AIL-leak object
misp_object = AilleakObject(moduleName, path)
print('validate mispobj', misp_object._validate())
print(misp_object)
# Publish object to MISP
try:
templateID = [x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list() if x['ObjectTemplate']['name'] == mispTYPE
except IndexError:
valid_types = ", ".join([x['ObjectTemplate']['name'] for x in pymisp.get_object_templates_list()])
print ("Template for type %s not found! Valid types are: %s" % (mispTYPE, valid_types))
continue
#r = pymisp.add_object(eventID, templateID, misp_object)

6
mispKEYS.py.default Normal file
View File

@ -0,0 +1,6 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
misp_url = ''
misp_key = '' # The MISP auth key can be found on the MISP web interface under the automation section
misp_verifycert = True