diff --git a/misp_taxii_conf.yaml b/misp_taxii_conf.yaml
new file mode 100644
index 0000000..734ac4f
--- /dev/null
+++ b/misp_taxii_conf.yaml
@@ -0,0 +1,10 @@
+# Sample configuration for misp_taxii_server
+
+zmq:
+ host: localhost
+ port: 50000
+
+taxii:
+ host: localhost
+ port: 9000
+ inbox: inbox
diff --git a/misp_taxii_hooks/hooks.py b/misp_taxii_hooks/hooks.py
index 7a2995c..30addba 100644
--- a/misp_taxii_hooks/hooks.py
+++ b/misp_taxii_hooks/hooks.py
@@ -4,20 +4,36 @@
 # TODO: DETECT DUPLICATE DATA
 #####
+import os
 import pymisp
 import tempfile
-import os
+from pyaml import yaml
 from opentaxii.signals import (
 CONTENT_BLOCK_CREATED,
 INBOX_MESSAGE_CREATED
 )
 ## CONFIG
+if "MISP_TAXII_CONFIG" in os.environ:
+ print("Using config from {}".format(os.environ["MISP_TAXII_CONFIG"]))
+ CONFIG = yaml.parse(open(os.environ["MISP_TAXII_CONFIG"], "r"))
+else:
+ print("Trying to use env variables...")
+ if "MISP_URL" in os.environ:
+ misp_url = os.environ["MISP_URL"]
+ else:
+ print("Unkown misp URL. Set MISP_TAXII_CONFIG or MISP_URL.")
+ misp_url = "UNKNOWN"
+ if "MISP_API" in os.environ:
+ misp_api = os.environ["MISP_API"]
+ else:
+ print("Unknown misp API key. Set MISP_TAXII_CONFIG or MISP_API.")
+ misp_api = "UNKNOWN"
-CONFIG = {
- "MISP_URL" : "[URL]",
- "MISP_API" : "[APIKEY]",
- }
+ CONFIG = {
+ "MISP_URL" : misp_url,
+ "MISP_API" : misp_api,
+ }
 MISP = pymisp.PyMISP(
 CONFIG["MISP_URL"],
@@ -31,12 +47,12 @@ def post_stix(manager, content_block, collection_ids, service_id):
 '''
 # Create a temporary file to load STIX data from
- f = tempfile.NamedTemporaryFile(delete=False, mode="w")
+ f = tempfile.SpooledTemporaryFile(max_size=10*1024, mode="w")
 f.write(content_block.content)
- f.close()
+ f.seek(0)
 # Load the package
- package = pymisp.tools.stix.load_stix(f.name)
+ package = pymisp.tools.stix.load_stix(f)
 # Check for duplicates
 for attrib in package.attributes:
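Review bot: The sample config does not contain the `MISP_URL` and `MISP_API` keys that hooks.py reads from `CONFIG` whenever `MISP_TAXII_CONFIG` is set, so pointing the variable at this file (once the loader returns a mapping) fails on the `CONFIG["MISP_URL"]` lookup with a KeyError; only the `zmq` and `taxii` sections used by push_published_to_taxii.py are present. Adding the two keys with obvious placeholders, e.g. `MISP_URL: https://misp.example/` and `MISP_API: "<your MISP API key>"`, would make the sample usable for both consumers. Since `MISP_API` is a credential, a one-line comment above it noting that the file should be readable only by the service account would also be worth having in the sample.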
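Review bot: `CONFIG = yaml.parse(open(os.environ["MISP_TAXII_CONFIG"], "r"))` does not produce a mapping: `yaml` here appears to be PyYAML re-exported by pyaml, and PyYAML's `parse()` returns an iterator of parser events, so the `CONFIG["MISP_URL"]` lookup at the bottom of the hunk raises TypeError as soon as a config file is supplied. The file handle is also never closed. Loading it as `with open(os.environ["MISP_TAXII_CONFIG"], "r") as conf:` / `    CONFIG = yaml.safe_load(conf)` yields a dict and, because `safe_load` only builds plain Python types, keeps a config file from instantiating arbitrary objects; the identical `yaml.parse(open(...))` call in push_published_to_taxii.py in this commit needs the same change. The `"UNKNOWN"` placeholders are passed straight into `pymisp.PyMISP(...)` below the hunk, so a misconfigured deployment fails at the first MISP call rather than at import; raising an explicit error there instead of printing would make the failure obvious, and the message on the `Unkown misp URL` line has a typo.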
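Review bot: The `SpooledTemporaryFile` on the second hunk line is never closed: the `f.close()` this hunk removes is not replaced, and the `os.unlink` cleanup is deleted in the following hunk, so once a content block exceeds `max_size=10*1024` and the buffer rolls over to a real on-disk file it stays open, with the STIX content on disk, until garbage collection. Wrapping the write/seek/load in a `with` block closes and removes it deterministically while `package` remains available afterwards. Whether `pymisp.tools.stix.load_stix` accepts a file object rather than a path, and whether `content_block.content` is text (the file is opened with `mode="w"`), cannot be confirmed from this hunk; please verify both. `post_stix` starts and ends outside the hunk.
```python
    # Create a temporary file to load STIX data from
    with tempfile.SpooledTemporaryFile(max_size=10*1024, mode="w") as f:
        f.write(content_block.content)
        f.seek(0)
        # Load the package
        package = pymisp.tools.stix.load_stix(f)
    # … unchanged: duplicate check and push to MISP …
```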
@@ -48,9 +64,6 @@ def post_stix(manager, content_block, collection_ids, service_id):
 # idk, this is just in case pymisp does a weird pass
- # Delete that old temporary file
- os.unlink(f.name)
-
 # Push the event to MISP
 # TODO: There's probably a proper method to do this rather than json_full
 # But I don't wanna read docs
diff --git a/push_published_to_taxii.py b/push_published_to_taxii.py
new file mode 100644
index 0000000..f920853
--- /dev/null
+++ b/push_published_to_taxii.py
@@ -0,0 +1,35 @@
+import os
+import zmq
+import sys
+import json
+import pymisp
+from pyaml import yaml
+
+if "MISP_TAXII_CONFIG" in os.environ:
+ config = yaml.parse(open(os.environ["MISP_TAXII_CONFIG"], "r"))
+else:
+ config = { "taxii" : { "host" : "127.0.0.1", "port" : 9000, "inbox" : "inbox" },
+ "zmq" : { "host" : "127.0.0.1", "port" : 50000 }
+ }
+
+context = zmq.Context()
+socket = context.socket(zmq.SUB)
+
+print("Subscribing to tcp://{}:{}".format(
+ config["zmq"]["host"],
+ config["zmq"]["port"]
+ ))
+
+socket.connect("tcp://{}:{}".format(
+ config["zmq"]["host"],
+ config["zmq"]["port"]
+ ))
+
+socket.setsockopt_string(zmq.SUBSCRIBE, '')
+
+while True:
+ message = socket.recv().decode("utf-8")[10:]
+ msg = json.loads(message)
+ ev = pymisp.mispevent.MISPEvent()
+ ev.load(msg)
+ print(ev.attributes)
diff --git a/setup.py b/setup.py
index dcd80e0..8db1366 100644
--- a/setup.py
+++ b/setup.py
@@ -12,6 +12,7 @@ setup(
 author="Hannah Ward",
 author_email="hannah.ward2@baesystems.com",
 packages=['misp_taxii_hooks'],
- install_requires=["pymisp>=2.4.53", "pyaml>=3.11", "cabby>=0.1", "mysqlclient>=1.3.9", "nose>=1.3.7"],
+ install_requires=["zmq", "misp-stix-converter", "pymisp>=2.4.53", "pyaml>=3.11", "cabby>=0.1", "mysqlclient>=1.3.9", "nose>=1.3.7"],
+ scripts=["start-misp-taxii.sh", "push_published_to_taxii.py"]
 )
diff --git a/start-misp-taxii.sh b/start-misp-taxii.sh
new file mode 100755
index 0000000..320fb3b
--- /dev/null
+++ b/start-misp-taxii.sh
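Review bot: `message = socket.recv().decode("utf-8")[10:]` strips the ZMQ topic with a fixed-width slice while the socket subscribes to every topic (`''`), so any message whose topic prefix is not exactly 10 characters including the separator is either truncated or still carries topic text, and `json.loads` then fails or parses the wrong payload. Splitting on the first separator and checking the topic is robust: `topic, _, payload = socket.recv_string().partition(" ")` followed by `msg = json.loads(payload)`, with a `continue` for topics this script does not handle (take the expected topic name from the MISP ZMQ settings rather than hard-coding a width). `import sys` is unused, and the loop only prints `ev.attributes` despite the script's name; an inline `# TODO: push the event to the TAXII inbox configured in config["taxii"]` at the end of the loop would tell the next reader the forwarding is not implemented yet.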
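Review bot: The two new requirements `"zmq"` and `"misp-stix-converter"` carry no version floor while every other entry in `install_requires` does, and `zmq` is the importable module name rather than the distribution name of PyZMQ (`pyzmq`), so confirm that the bare name resolves to the intended project on the index before shipping it. `push_published_to_taxii.py` is listed under `scripts=` but, per its hunk in this commit, begins with `import os` and has no `#!` line, so setuptools has no interpreter line to rewrite and the installed copy is not directly executable. Using `"pyzmq>=<floor>"` and `"misp-stix-converter>=<floor>"` (placeholders) and adding `#!/usr/bin/env python3` to the script addresses both.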
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [ -z $OPENTAXII_CONFIG ]
+ then
+ echo "Warning : Variable OPENTAXII_CONFIG not set!";
+fi
+
+if [ -z $MISP_TAXII_CONFIG]
+ then
+ echo "Warning: Variable MISP_TAXII_CONFIG not set!";
+fi
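Review bot: `if [ -z $MISP_TAXII_CONFIG]` lacks the space before `]`, so when the variable is set the test becomes `[ -z <value>]` and `[` fails with a missing-bracket error (when it is unset it only passes by accident, because the expansion leaves a bare `]` as the operand). Both tests also leave the expansion unquoted, which breaks on values containing whitespace or globs. Use `if [ -z "$OPENTAXII_CONFIG" ]` and `if [ -z "$MISP_TAXII_CONFIG" ]`. The script only prints warnings and never starts anything, so a header comment stating what it is meant to launch, or an `exit 1` after the warnings if a missing variable is fatal, would help whoever runs it after `setup.py` installs it as a script.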