chg: [misp] MISP export

chg: [mod] bump d4-golang-util - fix #13
2020-06-19 11:59:48 +02:00 · 2020-06-19 11:57:51 +02:00
4 changed files with 37 additions and 16 deletions
--- a/MISP_export/generator.py
+++ b/MISP_export/generator.py
@ -7,7 +7,6 @@ import os
 import sys
 import time
 import uuid
-import pdb

 from pymisp import MISPEvent

@ -86,6 +85,7 @@ class FeedGenerator:

    def add_object_to_event(self, obj_name, **data):
        """Add an object to the daily event"""
+
        self.update_daily_event_id()
        if obj_name not in self.sys_templates:
            print('Unkown object template')
@ -93,7 +93,6 @@ class FeedGenerator:

        #  Get MISP object constructor
        obj_constr = self.constructor_dict.get(obj_name, None)
-        pdb.set_trace()
        #  Constructor not known, using the generic one
        if obj_constr is None:
            obj_constr = self.constructor_dict.get('generic')
@ -175,7 +174,8 @@ class FeedGenerator:
            event = self.current_event

        eventFile = open(os.path.join(settings.outputdir, event_uuid+'.json'), 'w')
-        eventFile.write(event.to_json())
+        eventSupport = "{{\"Event\": {}}}".format(event.to_json())
+        eventFile.write(eventSupport)
        eventFile.close()

        self.save_hashes()
--- a/go.mod
+++ b/go.mod
@ -3,7 +3,7 @@ module github.com/D4-project/analyzer-d4-log
 go 1.13

 require (
-	github.com/D4-project/d4-golang-utils v0.1.5
+	github.com/D4-project/d4-golang-utils v0.1.6
 	github.com/ajstarks/svgo v0.0.0-20200204031535-0cbcf57ea1d8 // indirect
 	github.com/gomodule/redigo v2.0.0+incompatible
 	github.com/jung-kurt/gofpdf v1.16.2 // indirect
--- a/go.sum
+++ b/go.sum
@ -1,8 +1,6 @@
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/D4-project/d4-golang-utils v0.1.2 h1:aLdvwIR2CFvIn2FnqPjbHxzLeo3ZL7YEyhCXRL6a9kQ=
-github.com/D4-project/d4-golang-utils v0.1.2/go.mod h1:2rq8KBQnNNDocwc/49cnpaqoQA/komoSHKom7ynvqJc=
-github.com/D4-project/d4-golang-utils v0.1.5 h1:0aL2gv0uc56Gn2NwQY8L2C6OQRdq0LpoioAeLWs6zZc=
-github.com/D4-project/d4-golang-utils v0.1.5/go.mod h1:GGR5KMhvABZtIfmS5jZkwQnBoP+9/V0ZEETSGiWLaM4=
+github.com/D4-project/d4-golang-utils v0.1.6 h1:g8To+VLwa5ucH8hcmRZGx/hmrHmn6AD6A0vaiYKFAQc=
+github.com/D4-project/d4-golang-utils v0.1.6/go.mod h1:GGR5KMhvABZtIfmS5jZkwQnBoP+9/V0ZEETSGiWLaM4=
 github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af h1:wVe6/Ea46ZMeNkQjjBW6xcqyQA/j5e0D6GytH95g0gQ=
 github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
 github.com/ajstarks/svgo v0.0.0-20200204031535-0cbcf57ea1d8 h1:LMjxfr9tcHP10YI+i4+cjHWSjPeUAUy5+sqw5FhFzwE=
@ -58,8 +56,6 @@ gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6d
 gonum.org/v1/netlib v0.0.0-20191229114700-bbb4dff026f8 h1:kHY67jAKYewKUCz9YdNDa7iLAJ2WfNmoHzCCX4KnA8w=
 gonum.org/v1/netlib v0.0.0-20191229114700-bbb4dff026f8/go.mod h1:2IgXn/sJaRbePPBA1wRj8OE+QLvVaH0q8SK6TSTKlnk=
 gonum.org/v1/plot v0.0.0-20190515093506-e2840ee46a6b/go.mod h1:Wt8AAjI+ypCyYX3nZBvf6cAIx93T+c/OS2HFAYskSZc=
-gonum.org/v1/plot v0.0.0-20200212202559-4d97eda4de95 h1:dmUNA1pi2nVfGj2i7kijrI7bupgm2GFbJLYYu6C5bBY=
-gonum.org/v1/plot v0.0.0-20200212202559-4d97eda4de95/go.mod h1:+HbaZVpsa73UwN7kXGCECULRHovLRJjH+t5cFPgxErs=
 gonum.org/v1/plot v0.7.0 h1:Otpxyvra6Ie07ft50OX5BrCfS/BWEMvhsCUHwPEJmLI=
 gonum.org/v1/plot v0.7.0/go.mod h1:2wtU6YrrdQAhAF9+MTd5tOQjrov/zF70b1i99Npjvgo=
 modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw=
--- a/logcompiler/sshd.go
+++ b/logcompiler/sshd.go
@ -40,10 +40,12 @@ type GrokedSSHD struct {
 }

 type MISP_auth_failure_sshd_username struct {
-	Name     string `json:"name"`
-	Mtype    string `json:"type"`
-	Username string `json:"username"`
-	Total    string `json:"total"`
+	Name        string `json:"name"`
+	Mtype       string `json:"type"`
+	Username    string `json:"username"`
+	Destination string `json:"ip-dst"`
+	Source      string `json:"ip-src"`
+	Total       string `json:"total"`
 }

 // Flush recomputes statistics and recompile HTML output
@ -552,7 +554,12 @@ func (s *SSHDCompiler) MISPexport() error {
 		s.teardown(err)
 	}

-	zrank, err := redis.Strings(r0.Do("ZREVRANGEBYSCORE", fmt.Sprintf("%v:statsusername", dstr), "+inf", "-inf", "WITHSCORES", "LIMIT", 0, 100))
+	zrankUsername, err := redis.Strings(r0.Do("ZREVRANGEBYSCORE", fmt.Sprintf("%v:statsusername", dstr), "+inf", "-inf", "WITHSCORES", "LIMIT", 0, 100))
+	if err != nil {
+
+	}
+
+	zrankSource, err := redis.Strings(r0.Do("ZREVRANGEBYSCORE", fmt.Sprintf("%v:statssrc", dstr), "+inf", "-inf", "WITHSCORES", "LIMIT", 0, 100))
 	if err != nil {
 		return err
 	}
@ -561,7 +568,7 @@ func (s *SSHDCompiler) MISPexport() error {
 	mispobject.Name = "authentication-failure-report"
 	mispobject.Mtype = "sshd"

-	for k, v := range zrank {
+	for k, v := range zrankUsername {
 		// pair: keys
 		if (k % 2) == 0 {
 			mispobject.Username = v
@ -578,6 +585,24 @@ func (s *SSHDCompiler) MISPexport() error {
 		}
 	}

+	mispobject.Username = ""
+
+	for k, v := range zrankSource {
+		// pair: keys
+		if (k % 2) == 0 {
+			mispobject.Source = v
+			// even: values
+		} else {
+			mispobject.Total = v
+			b, err := json.Marshal(mispobject)
+			if err != nil {
+				return err
+			}
+			if string(b) != "{}" {
+				r1.Do("LPUSH", "authf_object", b)
+			}
+		}
+	}
 	return nil
 }
Author	SHA1	Message	Date
Jean-Louis Huynen	ab4f9b967c	chg: [misp] MISP export	2020-06-19 11:59:48 +02:00
Jean-Louis Huynen	16d08d375d	chg: [mod] bump d4-golang-util - fix #13	2020-06-19 11:57:51 +02:00