chg: [misp] MISP export
parent
16d08d375d
commit
ab4f9b967c
|
@ -7,7 +7,6 @@ import os
|
||||||
import sys
|
import sys
|
||||||
import time
|
import time
|
||||||
import uuid
|
import uuid
|
||||||
import pdb
|
|
||||||
|
|
||||||
from pymisp import MISPEvent
|
from pymisp import MISPEvent
|
||||||
|
|
||||||
|
@ -86,6 +85,7 @@ class FeedGenerator:
|
||||||
|
|
||||||
def add_object_to_event(self, obj_name, **data):
|
def add_object_to_event(self, obj_name, **data):
|
||||||
"""Add an object to the daily event"""
|
"""Add an object to the daily event"""
|
||||||
|
|
||||||
self.update_daily_event_id()
|
self.update_daily_event_id()
|
||||||
if obj_name not in self.sys_templates:
|
if obj_name not in self.sys_templates:
|
||||||
print('Unkown object template')
|
print('Unkown object template')
|
||||||
|
@ -93,7 +93,6 @@ class FeedGenerator:
|
||||||
|
|
||||||
# Get MISP object constructor
|
# Get MISP object constructor
|
||||||
obj_constr = self.constructor_dict.get(obj_name, None)
|
obj_constr = self.constructor_dict.get(obj_name, None)
|
||||||
pdb.set_trace()
|
|
||||||
# Constructor not known, using the generic one
|
# Constructor not known, using the generic one
|
||||||
if obj_constr is None:
|
if obj_constr is None:
|
||||||
obj_constr = self.constructor_dict.get('generic')
|
obj_constr = self.constructor_dict.get('generic')
|
||||||
|
@ -175,7 +174,8 @@ class FeedGenerator:
|
||||||
event = self.current_event
|
event = self.current_event
|
||||||
|
|
||||||
eventFile = open(os.path.join(settings.outputdir, event_uuid+'.json'), 'w')
|
eventFile = open(os.path.join(settings.outputdir, event_uuid+'.json'), 'w')
|
||||||
eventFile.write(event.to_json())
|
eventSupport = "{{\"Event\": {}}}".format(event.to_json())
|
||||||
|
eventFile.write(eventSupport)
|
||||||
eventFile.close()
|
eventFile.close()
|
||||||
|
|
||||||
self.save_hashes()
|
self.save_hashes()
|
||||||
|
|
|
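Review bot: The Event envelope at `eventSupport = "{{\"Event\": {}}}".format(event.to_json())` is assembled by string formatting instead of by the JSON library, and the handle opened two lines above is still closed by hand, so any exception from `to_json()` or `write()` leaks it. Building the envelope as data inside a context manager covers both: `with open(os.path.join(settings.outputdir, event_uuid + '.json'), 'w') as event_file:` / `    json.dump({"Event": json.loads(event.to_json())}, event_file)` (this needs `import json`, which the visible import block does not have). Since `event_uuid` becomes part of the output path, it is worth confirming it is always a locally generated UUID rather than a value taken from feed input; the rest of the enclosing method lies outside the hunk.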
@ -40,10 +40,12 @@ type GrokedSSHD struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
type MISP_auth_failure_sshd_username struct {
|
type MISP_auth_failure_sshd_username struct {
|
||||||
Name string `json:"name"`
|
Name string `json:"name"`
|
||||||
Mtype string `json:"type"`
|
Mtype string `json:"type"`
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
Total string `json:"total"`
|
Destination string `json:"ip-dst"`
|
||||||
|
Source string `json:"ip-src"`
|
||||||
|
Total string `json:"total"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Flush recomputes statistics and recompile HTML output
|
// Flush recomputes statistics and recompile HTML output
|
||||||
|
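Review bot: The new `Destination` and `Source` fields carry plain `json:"ip-dst"` / `json:"ip-src"` tags with no `omitempty`, so every marshalled object contains both keys even when only one was set — an object built in the username loop is emitted with `"ip-src": ""` and `"ip-dst": ""`, which a MISP import may reject or record as empty attributes. Tagging them `json:"ip-dst,omitempty"` and `json:"ip-src,omitempty"` (and likewise `Username`, which is blanked before the source loop) keeps unset fields out of the output. Nothing in the visible hunks assigns `Destination`; if it is populated elsewhere, a field comment such as `// Destination is the ip-dst attribute; set by … (confirm)` would make that clear.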
@ -552,7 +554,12 @@ func (s *SSHDCompiler) MISPexport() error {
|
||||||
s.teardown(err)
|
s.teardown(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
zrank, err := redis.Strings(r0.Do("ZREVRANGEBYSCORE", fmt.Sprintf("%v:statsusername", dstr), "+inf", "-inf", "WITHSCORES", "LIMIT", 0, 100))
|
zrankUsername, err := redis.Strings(r0.Do("ZREVRANGEBYSCORE", fmt.Sprintf("%v:statsusername", dstr), "+inf", "-inf", "WITHSCORES", "LIMIT", 0, 100))
|
||||||
|
if err != nil {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
zrankSource, err := redis.Strings(r0.Do("ZREVRANGEBYSCORE", fmt.Sprintf("%v:statssrc", dstr), "+inf", "-inf", "WITHSCORES", "LIMIT", 0, 100))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
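Review bot: The error check right after the `zrankUsername` query has an empty body (`if err != nil {` followed by a bare `}`), so a failing ZREVRANGEBYSCORE on `statsusername` is silently dropped, the later loop runs over a nil slice, and `err` is then overwritten by the `zrankSource` query. It should mirror the second check: `if err != nil {` / `    return err` / `}`. MISPexport starts before this hunk, so whether the earlier `s.teardown(err)` path at the top of the hunk is the intended way to fail cannot be judged from here.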
@ -561,7 +568,7 @@ func (s *SSHDCompiler) MISPexport() error {
|
||||||
mispobject.Name = "authentication-failure-report"
|
mispobject.Name = "authentication-failure-report"
|
||||||
mispobject.Mtype = "sshd"
|
mispobject.Mtype = "sshd"
|
||||||
|
|
||||||
for k, v := range zrank {
|
for k, v := range zrankUsername {
|
||||||
// pair: keys
|
// pair: keys
|
||||||
if (k % 2) == 0 {
|
if (k % 2) == 0 {
|
||||||
mispobject.Username = v
|
mispobject.Username = v
|
||||||
|
@ -578,6 +585,24 @@ func (s *SSHDCompiler) MISPexport() error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
mispobject.Username = ""
|
||||||
|
|
||||||
|
for k, v := range zrankSource {
|
||||||
|
// pair: keys
|
||||||
|
if (k % 2) == 0 {
|
||||||
|
mispobject.Source = v
|
||||||
|
// even: values
|
||||||
|
} else {
|
||||||
|
mispobject.Total = v
|
||||||
|
b, err := json.Marshal(mispobject)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if string(b) != "{}" {
|
||||||
|
r1.Do("LPUSH", "authf_object", b)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
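Review bot: In the new source loop the result of `r1.Do("LPUSH", "authf_object", b)` is discarded, so a failed push is invisible to the caller even though every other Redis call in the function returns its error; `if _, err := r1.Do("LPUSH", "authf_object", b); err != nil {` / `    return err` / `}` would surface it. The `string(b) != "{}"` guard cannot fire because `Name` and `Mtype` are always set and the struct has no `omitempty` tags, so it can go, and the `// even: values` comment sits on the odd-index branch and should read `// odd: scores`. The loop body is a copy of the username loop above (outside this hunk); a small helper that marshals and pushes one `mispobject` would keep the two paths from drifting.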