Added draft support of MISP ail-leak object

2017-11-16 09:52:37 +01:00 · 2017-11-16 09:52:37 +01:00 · 45a9897020
parent 652b00f4b2
commit 45a9897020
3 changed files with 51 additions and 0 deletions
--- a/bin/ailleakOject.py
+++ b/bin/ailleakOject.py
@ -0,0 +1,25 @@
+#!/usr/bin/env python3
+# -*-coding:UTF-8 -*
+
+from pymisp.tools import GenericObjectGenerator
+from packages import Paste
+
+class AilleakObject(AbstractMISPObjectGenerator):
+    def __init__(self, moduleName, path):
+        super(GenericObject, self).__init__('ail-leak')
+        self.moduleName = moduleName
+        self.path = path
+        self.paste = Paste.Paste(path)
+        self.generate_attributes()
+
+    def generate_attributes(self):
+        self.add_attribute('type', value=self.moduleName)
+        self.add_attribute('origin', value=self.paste.p_source)
+        self.add_attribute('last-seen', value=self.paste.p_date)
+        self.add_attribute('raw-data', value=self.paste.get_p_content())
+        '''
+        # duplicated
+        duplicate_list = json.loads(paste._get_p_duplicate())
+        is_duplicate = True if len(duplicate_list) > 0 else False
+        self.add_attribute('duplicate', value=is_duplicate)
+        '''
--- a/bin/alertHandler.py
+++ b/bin/alertHandler.py
@ -20,6 +20,10 @@ from packages import Paste
 from pubsublogger import publisher
 from Helper import Process

+from pymisp import PyMISP
+import ailleakObject
+from ../mispKEYS import misp_url, misp_key, misp_verifycert
+
 if __name__ == "__main__":
    publisher.port = 6380
    publisher.channel = "Script"
@ -27,6 +31,9 @@ if __name__ == "__main__":
    config_section = 'alertHandler'

    p = Process(config_section)
+    pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
+    eventID = "9356"
+    mispTYPE = 'ail-leak'

    # port generated automatically depending on the date
    curYear = datetime.now().year
@ -55,3 +62,16 @@ if __name__ == "__main__":

            publisher.info('Saved warning paste {}'.format(p_path))

+            # Create MISP AIL-leak object
+            misp_object = AilleakObject(moduleName, path)
+            print('validate mispobj', misp_object._validate())
+            print(misp_object)
+
+            # Publish object to MISP
+            try:
+                    templateID = [x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list() if x['ObjectTemplate']['name'] == mispTYPE
+                except IndexError:
+                    valid_types = ", ".join([x['ObjectTemplate']['name'] for x in pymisp.get_object_templates_list()])
+                    print ("Template for type %s not found! Valid types are: %s" % (mispTYPE, valid_types))
+            continue
+            #r = pymisp.add_object(eventID, templateID, misp_object)
--- a/mispKEYS.py.default
+++ b/mispKEYS.py.default
@ -0,0 +1,6 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+misp_url = ''
+misp_key = '' # The MISP auth key can be found on the MISP web interface under the automation section
+misp_verifycert = True