From 4552e4a033ece7dbe378afcdbc30b972e8b92500 Mon Sep 17 00:00:00 2001 From: Lesley De Keyser Date: Mon, 10 May 2021 16:51:06 +0200 Subject: [PATCH] Submit file contents to TheHive --- bin/MISP_The_Hive_feeder.py | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/bin/MISP_The_Hive_feeder.py b/bin/MISP_The_Hive_feeder.py index 41d18b43..9b555263 100755 --- a/bin/MISP_The_Hive_feeder.py +++ b/bin/MISP_The_Hive_feeder.py @@ -14,6 +14,8 @@ import uuid import redis import time import json +import binascii +import gzip from pubsublogger import publisher from Helper import Process @@ -56,7 +58,8 @@ import thehive4py.exceptions from thehive4py.models import Alert, AlertArtifact from thehive4py.models import Case, CaseTask, CustomFieldHelper - +def is_gzip_file(magic_nuber): + return binascii.hexlify(magic_nuber) == b'1f8b' def create_the_hive_alert(source, item_id, tag): # # TODO: check items status (processed by all modules) @@ -64,9 +67,26 @@ def create_the_hive_alert(source, item_id, tag): # # # TODO: description, add AIL link:show items ? tags = list( r_serv_metadata.smembers('tag:{}'.format(item_id)) ) + path = item_basic.get_item_filepath(item_id) + paste_handle = open(path, 'rb') + paste_data = paste_handle.read() + tmp_path = None + + if is_gzip_file(paste_data[0:2]): # if gzip, create a new file to supply to TheHive + paste_handle.close() # TheHive expects a file handle, that's why we create a new file + tmp_data = gzip.decompress(paste_data) + tmp_path = path + '.unzip' + with open(tmp_path, 'wb+') as f: + f.write(tmp_data) + paste_handle = open(tmp_path, 'rb') + if path.endswith(".gz"): # remove .gz from submitted path to TheHive beause we've decompressed it + path = path[:-3] + + path = os.path.basename(os.path.normpath(path)) + ".txt" # get last part of path, add .txt so it's easier to open when downloaded from TheHive + artifacts = [ AlertArtifact( dataType='uuid-ail', data=r_serv_db.get('ail:uuid') ), - AlertArtifact( dataType='file', data=item_basic.get_item_filepath(item_id), tags=tags ) + AlertArtifact( dataType='file', data=(paste_handle, path), tags=tags ) ] # Prepare the sample Alert @@ -95,6 +115,10 @@ def create_the_hive_alert(source, item_id, tag): except: print('hive connection error') + paste_handle.close() + if tmp_path is not None: # this file has been send to TheHive, we won't ever need it again + os.remove(tmp_path) + def feeder(message, count=0): if flag_the_hive or flag_misp: