chg: [misp] MISP export
parent
16d08d375d
commit
ab4f9b967c
|
@ -7,7 +7,6 @@ import os
|
|||
import sys
|
||||
import time
|
||||
import uuid
|
||||
import pdb
|
||||
|
||||
from pymisp import MISPEvent
|
||||
|
||||
|
@ -86,6 +85,7 @@ class FeedGenerator:
|
|||
|
||||
def add_object_to_event(self, obj_name, **data):
|
||||
"""Add an object to the daily event"""
|
||||
|
||||
self.update_daily_event_id()
|
||||
if obj_name not in self.sys_templates:
|
||||
print('Unkown object template')
|
||||
|
@ -93,7 +93,6 @@ class FeedGenerator:
|
|||
|
||||
# Get MISP object constructor
|
||||
obj_constr = self.constructor_dict.get(obj_name, None)
|
||||
pdb.set_trace()
|
||||
# Constructor not known, using the generic one
|
||||
if obj_constr is None:
|
||||
obj_constr = self.constructor_dict.get('generic')
|
||||
|
@ -175,7 +174,8 @@ class FeedGenerator:
|
|||
event = self.current_event
|
||||
|
||||
eventFile = open(os.path.join(settings.outputdir, event_uuid+'.json'), 'w')
|
||||
eventFile.write(event.to_json())
|
||||
eventSupport = "{{\"Event\": {}}}".format(event.to_json())
|
||||
eventFile.write(eventSupport)
|
||||
eventFile.close()
|
||||
|
||||
self.save_hashes()
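Review bot: In the last hunk the event file is still opened with a bare `open(...)` and closed by hand, so if `event.to_json()` raises on the new `eventSupport` line the handle leaks and a truncated `<event_uuid>.json` is left behind in `settings.outputdir`; the rewrite is the natural place to switch to a context manager. Proposed replacement for the four lines from `eventFile = open(...)` to `eventFile.close()`: `with open(os.path.join(settings.outputdir, event_uuid + '.json'), 'w') as eventFile:` / `    eventFile.write("{{\"Event\": {}}}".format(event.to_json()))`. Wrapping the serialised event by string formatting only stays valid JSON as long as `to_json()` returns a complete JSON document; a comment stating that assumption, e.g. `# to_json() yields a full JSON object; wrap it in the {"Event": ...} envelope MISP expects`, would help the next reader. The enclosing method starts above the hunk, where `event_uuid` and `settings` are defined.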
|
||||
|
|
|
@ -40,10 +40,12 @@ type GrokedSSHD struct {
|
|||
}
|
||||
|
||||
type MISP_auth_failure_sshd_username struct {
|
||||
Name string `json:"name"`
|
||||
Mtype string `json:"type"`
|
||||
Username string `json:"username"`
|
||||
Total string `json:"total"`
|
||||
Name string `json:"name"`
|
||||
Mtype string `json:"type"`
|
||||
Username string `json:"username"`
|
||||
Destination string `json:"ip-dst"`
|
||||
Source string `json:"ip-src"`
|
||||
Total string `json:"total"`
|
||||
}
|
||||
|
||||
// Flush recomputes statistics and recompile HTML output
|
||||
|
@ -552,7 +554,12 @@ func (s *SSHDCompiler) MISPexport() error {
|
|||
s.teardown(err)
|
||||
}
|
||||
|
||||
zrank, err := redis.Strings(r0.Do("ZREVRANGEBYSCORE", fmt.Sprintf("%v:statsusername", dstr), "+inf", "-inf", "WITHSCORES", "LIMIT", 0, 100))
|
||||
zrankUsername, err := redis.Strings(r0.Do("ZREVRANGEBYSCORE", fmt.Sprintf("%v:statsusername", dstr), "+inf", "-inf", "WITHSCORES", "LIMIT", 0, 100))
|
||||
if err != nil {
|
||||
|
||||
}
|
||||
|
||||
zrankSource, err := redis.Strings(r0.Do("ZREVRANGEBYSCORE", fmt.Sprintf("%v:statssrc", dstr), "+inf", "-inf", "WITHSCORES", "LIMIT", 0, 100))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -561,7 +568,7 @@ func (s *SSHDCompiler) MISPexport() error {
|
|||
mispobject.Name = "authentication-failure-report"
|
||||
mispobject.Mtype = "sshd"
|
||||
|
||||
for k, v := range zrank {
|
||||
for k, v := range zrankUsername {
|
||||
// pair: keys
|
||||
if (k % 2) == 0 {
|
||||
mispobject.Username = v
|
||||
|
@ -578,6 +585,24 @@ func (s *SSHDCompiler) MISPexport() error {
|
|||
}
|
||||
}
|
||||
|
||||
mispobject.Username = ""
|
||||
|
||||
for k, v := range zrankSource {
|
||||
// pair: keys
|
||||
if (k % 2) == 0 {
|
||||
mispobject.Source = v
|
||||
// even: values
|
||||
} else {
|
||||
mispobject.Total = v
|
||||
b, err := json.Marshal(mispobject)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if string(b) != "{}" {
|
||||
r1.Do("LPUSH", "authf_object", b)
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
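Review bot: The `if err != nil {` that follows the new `zrankUsername` query has an empty body, so a failed `ZREVRANGEBYSCORE` on `:statsusername` is silently ignored and the export continues with an empty slice, while the parallel `zrankSource` check right below it correctly does `return err`; add `return err` inside the first block so both paths behave the same. In the added source loop the `if string(b) != "{}"` guard can never trigger: the struct's tags carry no `omitempty`, so `json.Marshal` always emits every field, and an object with an empty `Source` or `Total` is still pushed to `authf_object`; checking the fields directly, e.g. `if mispobject.Source != "" && mispobject.Total != ""`, expresses the intent. The newly added `Destination` (`ip-dst`) field is never assigned in the visible lines of `MISPexport`, so every exported object appears to carry an empty `ip-dst` unless it is set elsewhere. `MISPexport` begins before the first hunk, where `r0`, `r1` and `dstr` are defined.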
|
||||
|
||||
|
|