From ab4f9b967cbee19601d26012800d202e7527f8b8 Mon Sep 17 00:00:00 2001
From: Jean-Louis Huynen
Date: Fri, 19 Jun 2020 11:59:48 +0200
Subject: [PATCH] chg: [misp] MISP export
---
 MISP_export/generator.py | 6 +++---
 logcompiler/sshd.go | 37 +++++++++++++++++++++++++++++++------
 2 files changed, 34 insertions(+), 9 deletions(-)
diff --git a/MISP_export/generator.py b/MISP_export/generator.py
index 1f3d87a..c6d4cd1 100755
--- a/MISP_export/generator.py
+++ b/MISP_export/generator.py
@@ -7,7 +7,6 @@
 import os
 import sys
 import time
 import uuid
-import pdb
 from pymisp import MISPEvent
@@ -86,6 +85,7 @@ class FeedGenerator:
 def add_object_to_event(self, obj_name, **data):
 """Add an object to the daily event"""
+ self.update_daily_event_id()
 if obj_name not in self.sys_templates:
 print('Unkown object template')
@@ -93,7 +93,6 @@ class FeedGenerator:
 # Get MISP object constructor
 obj_constr = self.constructor_dict.get(obj_name, None)
- pdb.set_trace()
 # Constructor not known, using the generic one
 if obj_constr is None:
 obj_constr = self.constructor_dict.get('generic')
@@ -175,7 +174,8 @@ class FeedGenerator:
 event = self.current_event
 eventFile = open(os.path.join(settings.outputdir, event_uuid+'.json'), 'w')
- eventFile.write(event.to_json())
+ eventSupport = "{{\"Event\": {}}}".format(event.to_json())
+ eventFile.write(eventSupport)
 eventFile.close()
 self.save_hashes()
diff --git a/logcompiler/sshd.go b/logcompiler/sshd.go
index fed16d2..f530049 100644
--- a/logcompiler/sshd.go
+++ b/logcompiler/sshd.go
@@ -40,10 +40,12 @@ type GrokedSSHD struct {
 }
 type MISP_auth_failure_sshd_username struct {
- Name string `json:"name"`
- Mtype string `json:"type"`
- Username string `json:"username"`
- Total string `json:"total"`
+ Name string `json:"name"`
+ Mtype string `json:"type"`
+ Username string `json:"username"`
+ Destination string `json:"ip-dst"`
+ Source string `json:"ip-src"`
+ Total string `json:"total"`
 }
 // Flush recomputes statistics and recompile HTML output
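Review bot: `self.update_daily_event_id()` is placed before the `sys_templates` check, so a call with an unknown `obj_name` still refreshes the daily event even though the object is then rejected (the rejection branch continues outside the hunk). If that method rotates the event or writes to disk — its body is not visible here — the call belongs after the template check. The docstring should also say what the method now does first, e.g. `"""Add an object to the daily event, refreshing the daily event id first."""`.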
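Review bot: The new `eventSupport` line builds the feed file by splicing `event.to_json()` into a format string, so the output is valid JSON only as long as `to_json()` returns one complete object and the hand-written braces stay balanced; serialising the wrapper instead is safer and self-documenting: `json.dump({"Event": json.loads(event.to_json())}, eventFile)` (requires `json` to be imported, which the visible import hunk does not show). The surrounding `open(...)`/`close()` pair also leaks the handle if `write` raises; `with open(os.path.join(settings.outputdir, event_uuid+'.json'), 'w') as eventFile:` fixes that while you are here. The enclosing method begins before the hunk.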
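Review bot: `Destination` is added with tag `ip-dst` but nothing in this patch assigns it, so every marshalled object carries `"ip-dst":""`; likewise the username report exports an empty `ip-src` and the source report an empty `username`, because none of the tags use `omitempty`. Since the struct is now shared between two reports (the loops are in later hunks of this file), tag the per-report fields ``Username string `json:"username,omitempty"` ``, ``Destination string `json:"ip-dst,omitempty"` `` and ``Source string `json:"ip-src,omitempty"` `` so unset fields are not exported as empty MISP attributes. The type name `MISP_auth_failure_sshd_username` no longer matches its use for the per-source report; a neutral name such as `MISPAuthFailureSSHD` would also satisfy Go naming conventions.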
@@ -552,7 +554,12 @@ func (s *SSHDCompiler) MISPexport() error {
 s.teardown(err)
 }
- zrank, err := redis.Strings(r0.Do("ZREVRANGEBYSCORE", fmt.Sprintf("%v:statsusername", dstr), "+inf", "-inf", "WITHSCORES", "LIMIT", 0, 100))
+ zrankUsername, err := redis.Strings(r0.Do("ZREVRANGEBYSCORE", fmt.Sprintf("%v:statsusername", dstr), "+inf", "-inf", "WITHSCORES", "LIMIT", 0, 100))
+ if err != nil {
+ }
+ zrankSource, err := redis.Strings(r0.Do("ZREVRANGEBYSCORE", fmt.Sprintf("%v:statssrc", dstr), "+inf", "-inf", "WITHSCORES", "LIMIT", 0, 100))
 if err != nil {
 return err
 }
@@ -561,7 +568,7 @@ func (s *SSHDCompiler) MISPexport() error {
 mispobject.Name = "authentication-failure-report"
 mispobject.Mtype = "sshd"
- for k, v := range zrank {
+ for k, v := range zrankUsername {
 // pair: keys
 if (k % 2) == 0 {
 mispobject.Username = v
@@ -578,6 +585,24 @@ func (s *SSHDCompiler) MISPexport() error {
 }
 }
+ mispobject.Username = ""
+
+ for k, v := range zrankSource {
+ // pair: keys
+ if (k % 2) == 0 {
+ mispobject.Source = v
+ // even: values
+ } else {
+ mispobject.Total = v
+ b, err := json.Marshal(mispobject)
+ if err != nil {
+ return err
+ }
+ if string(b) != "{}" {
+ r1.Do("LPUSH", "authf_object", b)
+ }
+ }
+ }
 return nil
 }
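Review bot: The `if err != nil { }` added after the `zrankUsername` lookup has an empty body, so a Redis error on the `statsusername` query is silently discarded and `err` is then overwritten by the `zrankSource` call; the function would iterate a nil slice, export no username entries and still return nil. Give it the same body as the check directly below: `if err != nil { return err }`. MISPexport begins before this hunk.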
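Review bot: The new `zrankSource` loop calls `r1.Do("LPUSH", "authf_object", b)` and drops both the reply and the error, so a failed push is lost while the function still returns nil; capture it as `if _, err := r1.Do("LPUSH", "authf_object", b); err != nil { return err }`. The `string(b) != "{}"` guard is dead code here: `Name` and `Mtype` are always populated, so `json.Marshal` never yields `{}`, and without `omitempty` tags each entry also carries `"username":""` and `"ip-dst":""`. The loop is a near-verbatim copy of the username loop above it; a small helper taking the ranking slice and a field setter would remove the duplication and keep the two error paths identical. If the username loop outside this hunk ignores the `LPUSH` result in the same way, the same fix applies there.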