Merge branch 'misp-stix' into develop

pull/7818/head
iglocska 2021-10-07 16:35:44 +02:00
commit 20c453d970
31 changed files with 264 additions and 4664 deletions

.gitmodules vendored

@ -25,7 +25,7 @@
path = misp-vagrant
url = https://github.com/MISP/misp-vagrant.git
[submodule "cti-python-stix2"]
path = cti-python-stix2
path = app/files/scripts/cti-python-stix2
url = https://github.com/MISP/cti-python-stix2
[submodule "app/files/noticelists"]
path = app/files/noticelists
@ -36,3 +36,19 @@
[submodule "app/files/scripts/misp-opendata"]
path = app/files/scripts/misp-opendata
url = https://github.com/MISP/misp-opendata
[submodule "app/files/scripts/misp-stix"]
path = app/files/scripts/misp-stix
url = git@github.com:misp/misp-stix.git
branch = dev
[submodule "app/files/scripts/python-stix"]
path = app/files/scripts/python-stix
url = https://github.com/STIXProject/python-stix
[submodule "app/files/scripts/python-cybox"]
path = app/files/scripts/python-cybox
url = https://github.com/CybOXProject/python-cybox
[submodule "app/files/scripts/mixbox"]
path = app/files/scripts/mixbox
url = https://github.com/CybOXProject/mixbox
[submodule "app/files/scripts/python-maec"]
path = app/files/scripts/python-maec
url = https://github.com/MAECProject/python-maec
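Review bot: The misp-stix submodule is registered with an SSH remote, `url = git@github.com:misp/misp-stix.git`, while every other submodule in this file uses an anonymous https URL; a checkout by a user or service account without a GitHub SSH key cannot initialise it, and in INSTALL.sh the `git submodule update --progress --init --recursive` call sits inside a `false; while [[ $? -ne 0 ]]` retry loop, so a fresh install would spin on that step instead of failing. Use `url = https://github.com/MISP/misp-stix.git` like its siblings. `branch = dev` only matters for `submodule update --remote` (the pinned commit is what normal checkouts get), but tracking a development branch of a dependency that ends up in a shell_exec path deserves a one-line comment on why, and the pinned commit should be the reviewed one.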


@ -1403,15 +1403,6 @@ installCore () {
sudo mkdir /var/www/.cache/
sudo chown ${WWW_USER}:${WWW_USER} /var/www/.cache
for dependency in CybOXProject/python-cybox STIXProject/python-stix MAECProject/python-maec CybOXProject/mixbox; do
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} git clone https://github.com/${dependency}.git ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}; done
${SUDO_WWW} git -C ${PATH_TO_MISP_SCRIPTS}/${dependency##*/} config core.filemode false
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}
done
debug "Install python-stix2"
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP}/cti-python-stix2
debug "Install PyMISP"
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP}/PyMISP
@ -1453,12 +1444,7 @@ installCore () {
false; while [[ $? -ne 0 ]]; do ${SUDO_WWW} git -C ${PATH_TO_MISP} submodule update --progress --init --recursive; done
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U setuptools pip lief zmq redis python-magic plyara
for dependency in CybOXProject/python-cybox STIXProject/python-stix MAECProject/python-maec CybOXProject/mixbox; do
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} git -C ${PATH_TO_MISP_SCRIPTS}/${dependency##*/} pull; done
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}
done
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP}/cti-python-stix2
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP}/PyMISP
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U git+https://github.com/kbandla/pydeep.git; done
fi
@ -2357,35 +2343,10 @@ installCoreRHEL7 () {
sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.cache
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U pip setuptools
cd $PATH_TO_MISP/app/files/scripts
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
UMASK=$(umask)
umask 0022
cd $PATH_TO_MISP/app/files/scripts/python-cybox
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
cd $PATH_TO_MISP/app/files/scripts/python-stix
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
# install mixbox to accommodate the new STIX dependencies:
cd $PATH_TO_MISP/app/files/scripts/mixbox
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
# install STIX2.0 library to support STIX 2.0 export:
cd $PATH_TO_MISP/cti-python-stix2
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
# install maec
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U maec
# install zmq
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U zmq
@ -2490,13 +2451,6 @@ installCoreRHEL8 () {
sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.cache
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U pip setuptools
cd $PATH_TO_MISP/app/files/scripts
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
cd $PATH_TO_MISP/app/files/scripts/python-cybox
$SUDO_WWW git config core.filemode false
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
([[ ${DISTRI} == 'fedora33' ]] || [[ ${DISTRI} == 'fedora34' ]] || [[ ${DISTRI} == 'rhel8.3' ]]) && sudo dnf install cmake3 -y && CMAKE_BIN='cmake3'
([[ ${DISTRI} == 'centos8stream' ]] || [[ ${DISTRI} == 'centos8' ]] || [[ ${DISTRI} == 'rocky8.4' ]]) && sudo dnf install cmake -y && CMAKE_BIN='cmake'
@ -2504,25 +2458,8 @@ installCoreRHEL8 () {
UMASK=$(umask)
umask 0022
cd $PATH_TO_MISP/app/files/scripts/python-cybox
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
cd $PATH_TO_MISP/app/files/scripts/python-stix
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
# install mixbox to accommodate the new STIX dependencies:
cd $PATH_TO_MISP/app/files/scripts/mixbox
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
# install STIX2.0 library to support STIX 2.0 export:
cd $PATH_TO_MISP/cti-python-stix2
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
# install maec, zmq, redis
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U maec zmq redis
# install zmq, redis
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U zmq redis
# install magic, pydeep
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git plyara
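Review bot: The RHEL8 path now drops `maec` from the pip line (`pip install -U zmq redis`), and the Debian path no longer installs python-stix, python-cybox, mixbox or python-maec into the venv at all, yet Server::stixDiagnostics in this same merge still requires `'maec' => '>4.1.0.17'` alongside stix, cybox and mixbox. Unless stixtest.py now resolves those packages from the new submodule checkouts the way misp_framing.py does with its `sys.path.insert` lines, the diagnostics page will report them missing after a clean install; this should be confirmed on a fresh run before merging. The RHEL7 hunk appears to remove its `pip install -U maec` line as well, so the same question applies there. installCoreRHEL8 continues outside the hunk.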


@ -1,5 +1,13 @@
<<<<<<< HEAD
; Generated by RHash v1.3.9 on 2021-09-07 at 12:30.22
; Written by Kravchenko Aleksey (Akademgorodok) - http://rhash.sf.net/
;
; 162425 12:30.22 2021-09-07 INSTALL.sh
INSTALL.sh 703A2E500533F450DBC44A1F8A92E2FD43848A27 867CBAE82D2BC9D2794622BBAEEEE80D5EB6802E4602F4EB6B4F82677BB6A47D 8CCBFDF6D407C8F5E606DFB0F448EE138120561EFD2705749B57B3CD734E1D42DD94082D7598695FF8BC84E7AC361942 F357713AAAE1419420BDB6C805EA1A9738C3684FE85A26AF71F87F79FDAA15ECF8D7450BBD164532CFB8F70750EEB23BA2C735C3A489047B161D997257556153
=======
; Generated by RHash v1.3.9 on 2021-10-07 at 13:45.11
; Written by Kravchenko Aleksey (Akademgorodok) - http://rhash.sf.net/
;
; 159443 13:45.11 2021-10-07 INSTALL.sh
INSTALL.sh CAF32D243ADA252E3AC7031CCF42905B755675E8 59111904FEC4DADE7F9FB5D43B83B24D66D0AC66EAECF9C072A482B7B76FCFDE 99D652927259D23CD80AD79F1398AF71ACD108B1BA29800ED9E60705E1FF083763D22850882BA1C4A1163EDFB1E17D00 F6A7B4483D9C607F21FCC7EBAC8FF5160F549F641AD2E964E7157C5AF15A9CCEC45E437D3577684CE6EABFA5793506554C7DCAD30C6098C2521B08CF38BD028A
>>>>>>> misp-stix
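Review bot: The committed checksum file still contains unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> misp-stix`), so as merged it is neither candidate version and any verifier reading it will parse the marker lines as entries. The `misp-stix` block (generated 2021-10-07, size 159443) is the one whose SHA-1/256/384/512 digests match the four sibling INSTALL.sh.sha* files updated in this merge, so the resolution should keep only those five lines and drop the HEAD block and the three marker lines. Regenerate the file from the merged INSTALL.sh rather than hand-editing it, so the recorded size and digests match what was actually committed.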


@ -1 +1 @@
703a2e500533f450dbc44a1f8a92e2fd43848a27 INSTALL.sh
caf32d243ada252e3ac7031ccf42905b755675e8 INSTALL.sh


@ -1 +1 @@
867cbae82d2bc9d2794622bbaeeee80d5eb6802e4602f4eb6b4f82677bb6a47d INSTALL.sh
59111904fec4dade7f9fb5d43b83b24d66d0ac66eaecf9c072a482b7b76fcfde INSTALL.sh


@ -1 +1 @@
8ccbfdf6d407c8f5e606dfb0f448ee138120561efd2705749b57b3cd734e1d42dd94082d7598695ff8bc84e7ac361942 INSTALL.sh
99d652927259d23cd80ad79f1398af71acd108b1ba29800ed9e60705e1ff083763d22850882ba1c4a1163edfb1e17d00 INSTALL.sh


@ -1 +1 @@
f357713aaae1419420bdb6c805ea1a9738c3684fe85a26af71f87f79fdaa15ecf8d7450bbd164532cfb8f70750eeb23ba2c735c3a489047b161d997257556153 INSTALL.sh
f6a7b4483d9c607f21fcc7ebac8ff5160f549f641ad2e964e7157c5af15a9ccec45e437d3577684ce6eabfa5793506554c7dcad30c6098c2521b08cf38bd028a INSTALL.sh


@ -5,23 +5,24 @@ App::uses('StixExport', 'Export');
class Stix1Export extends StixExport
{
protected $__attributes_limit = 15000;
protected $__default_version = '1.1.1';
protected $__sane_versions = array('1.1.1', '1.2');
private $__script_name = 'misp2stix.py ';
private $__baseurl = null;
private $__org = null;
protected function initiate_framing_params()
protected function __initiate_framing_params()
{
$this->__baseurl = escapeshellarg(Configure::read('MISP.baseurl'));
$this->__org = escapeshellarg(Configure::read('MISP.org'));
$framing_file = $this->__scripts_dir . 'misp_framing.py ';
$my_server = ClassRegistry::init('Server');
return $my_server->getPythonVersion() . ' ' . $framing_file . $this->__return_type . ' ' . $this->__baseurl . ' ' . $this->__org . ' ' . $this->__return_format . ' ' . $this->__end_of_cmd;
return $my_server->getPythonVersion() . ' ' . $this->__framing_script . ' stix1 -v ' . $this->__version . ' -n ' . $this->__baseurl . ' -o ' . $this->__org . ' -f ' . $this->__return_format . ' ' . $this->__end_of_cmd;
}
protected function __parse_misp_events($filename)
protected function __parse_misp_events($filenames)
{
$scriptFile = $this->__scripts_dir . $this->__script_name;
$my_server = ClassRegistry::init('Server');
return shell_exec($my_server->getPythonVersion() . ' ' . $scriptFile . ' ' . $filename . ' ' . $this->__return_format . ' ' . $this->__baseurl . ' ' . $this->__org . $this->__end_of_cmd);
return shell_exec($my_server->getPythonVersion() . ' ' . $scriptFile . '-v ' . $this->__version . ' -f ' . $this->__return_format . ' -o ' . $this->__org . ' -i ' . $this->__tmp_dir . $filenames . $this->__end_of_cmd);
}
}
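Review bot: The new command line in `__parse_misp_events` only parses because `$__script_name` carries a trailing space (`'misp2stix.py '`) that is glued to `'-v '`; the same pattern appears in Stix2Export (`'stix2/misp2stix2.py '` followed by `'-v '`). That is easy to break on the next edit — put the separator where it belongs, `$scriptFile . ' -v ' . $this->__version . ...`, and drop the trailing space from the property. `__initiate_framing_params` now returns a shell command whose stdout the parent json_decodes, so a short docblock stating that (`/** @return string python command that prints the framing JSON (header/separator/footer) */`) would help the next reader. It is also worth a comment that this shell_exec relies on `$__version` being whitelisted in StixExport::setDefaultFilters and on `$__baseurl`/`$__org` being escapeshellarg'd; nothing here should be appended to the command without going through the same treatment.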


@ -5,21 +5,22 @@ App::uses('StixExport', 'Export');
class Stix2Export extends StixExport
{
protected $__attributes_limit = 15000;
protected $__default_version = '2.0';
protected $__sane_versions = array('2.0', '2.1');
private $__script_name = 'stix2/misp2stix2.py ';
protected function initiate_framing_params()
protected function __initiate_framing_params()
{
$framing_file = $this->__scripts_dir . 'misp_framing.py ';
$my_server = ClassRegistry::init('Server');
return $my_server->getPythonVersion() . ' ' . $framing_file . $this->__return_type . ' ' . escapeshellarg(CakeText::uuid()) . $this->__end_of_cmd;
return $my_server->getPythonVersion() . ' ' . $this->__framing_script . ' stix2 -v ' . $this->__version . ' --uuid ' . escapeshellarg(CakeText::uuid()) . $this->__end_of_cmd;
}
protected function __parse_misp_events($filename)
protected function __parse_misp_events($filenames)
{
$scriptFile = $this->__scripts_dir . $this->__script_name;
$filename = $this->__scripts_dir . 'tmp/' . $filename;
$filenames = implode(' ' . $this->__tmp_dir, $this->__filenames);
$my_server = ClassRegistry::init('Server');
$result = shell_exec($my_server->getPythonVersion() . ' ' . $scriptFile . ' ' . $filename . $this->__end_of_cmd);
$result = shell_exec($my_server->getPythonVersion() . ' ' . $scriptFile . '-v ' . $this->__version . ' -i ' . $this->__tmp_dir . $filenames . $this->__end_of_cmd);
$result = preg_split("/\r\n|\n|\r/", trim($result));
return end($result);
}
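Review bot: `__parse_misp_events($filenames)` immediately overwrites its parameter with `$filenames = implode(' ' . $this->__tmp_dir, $this->__filenames);`, which rebuilds the exact string the parent already passes in from StixExport; Stix1Export uses the parameter as given. Either delete that line or drop the parameter, otherwise the two subclasses can diverge silently if the parent's join rule changes. Taking only the last line of the script output (`end($result)`) is pre-existing behaviour, but a one-line comment saying the converter prints its JSON status last would explain why it is safe to discard the rest. The enclosing class continues past the hunk.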


@ -8,19 +8,29 @@ class StixExport
);
protected $__return_format = 'json';
protected $__scripts_dir = APP . 'files/scripts/';
protected $__tmp_dir = APP . 'files/scripts/tmp/';
protected $__framing_script = APP . 'files/scripts/misp_framing.py';
protected $__end_of_cmd = ' 2>' . APP . 'tmp/logs/exec-errors.log';
protected $__return_type = null;
protected $__filenames = array();
protected $__default_filters = null;
protected $__version = null;
private $__current_filename = null;
private $__empty_file = null;
private $__framing = null;
private $__stix_file = null;
private $__tmp_dir = null;
private $__tmp_file = null;
private $__n_attributes = 0;
private $__filenames = array();
public $non_restrictive_export = true;
public $use_default_filters = true;
public function setDefaultFilters($filters)
{
$sane_version = (!empty($filters['version']) && in_array($filters['version'], $this->__sane_versions));
$this->__version = $sane_version ? $filters['version'] : $this->__default_version;
}
public function handler($data, $options = array())
{
@ -34,7 +44,7 @@ class StixExport
$converter = new JSONConverterTool();
$event = $converter->convert($data);
if ($this->__n_attributes + $attributes_count < $this->__attributes_limit) {
($this->__n_attributes == 0) ? $this->__tmp_file->append($event) : $this->__tmp_file->append(',' . $event);
$this->__tmp_file->append($this->__n_attributes == 0 ? $event : ',' . $event);
$this->__n_attributes += $attributes_count;
$this->__empty_file = false;
} else {
@ -64,9 +74,8 @@ class StixExport
} else if ($this->__return_type == 'stix') {
$this->__return_format = 'xml';
}
$framing_cmd = $this->initiate_framing_params();
$framing_cmd = $this->__initiate_framing_params();
$randomFileName = $this->__generateRandomFileName();
$this->__tmp_dir = $this->__scripts_dir . 'tmp/';
$this->__framing = json_decode(shell_exec($framing_cmd), true);
$this->__stix_file = new File($this->__tmp_dir . $randomFileName . '.' . $this->__return_type);
unset($randomFileName);
@ -85,14 +94,15 @@ class StixExport
$this->__tmp_file->close();
array_push($this->__filenames, $this->__current_filename);
}
$filenames = implode(' ' . $this->__tmp_dir, $this->__filenames);
$result = $this->__parse_misp_events($filenames);
$decoded = json_decode($result, true);
if (!isset($decoded['success']) || !$decoded['success']) {
$this->__delete_temporary_files();
$error = $decoded && !empty($decoded['error']) ? $decoded['error'] : $result;
return 'Error while processing your query: ' . $error;
}
foreach ($this->__filenames as $f => $filename) {
$result = $this->__parse_misp_events($filename);
$decoded = json_decode($result, true);
if (!isset($decoded['success']) || !$decoded['success']) {
$this->__delete_temporary_files($f);
$error = $decoded && !empty($decoded['error']) ? $decoded['error'] : $result;
return 'Error while processing your query: ' . $error;
}
$file = new File($this->__tmp_dir . $filename . '.out');
$stix_event = ($this->__return_type == 'stix') ? $file->read() : substr($file->read(), 1, -1);
$file->close();
@ -127,12 +137,10 @@ class StixExport
return (new RandomTool())->random_str(false, 12);
}
private function __delete_temporary_files($index)
private function __delete_temporary_files()
{
foreach ($this->__filenames as $f => $filename) {
if ($index >= $f) {
@unlink($this->__tmp_dir . $filename);
}
@unlink($this->__tmp_dir . $filename);
}
$this->__stix_file->close();
$this->__stix_file->delete();
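Review bot: `setDefaultFilters` validates the user-supplied version with a loose `in_array`, so PHP's numeric-string comparison accepts inputs such as `'2.00'` or `'1.2e0'` as members of `$__sane_versions` and stores the un-normalised value in `$__version`, which both subclasses then interpolate into shell_exec as `-v <value>`. Only numeric strings compare equal this way, so no shell metacharacters get through, but the value no longer matches the converter's accepted choices and the export fails late with an opaque error instead of falling back to `$__default_version`. Use a strict comparison: `in_array($filters['version'], $this->__sane_versions, true)`. Now that `__filenames` and `__tmp_dir` are protected, the join rule at the new call site also deserves a comment: `implode(' ' . $this->__tmp_dir, ...)` leaves the first name without a directory prefix, so each subclass must prepend `$this->__tmp_dir` itself — a contract currently implicit in both of them.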


@ -3240,7 +3240,7 @@ class Server extends AppModel
public function stixDiagnostics(&$diagnostic_errors)
{
$expected = array('stix' => '>1.2.0.11', 'cybox' => '>2.1.0.21', 'mixbox' => '>1.0.5', 'maec' => '>4.1.0.17', 'stix2' => '>2.0', 'pymisp' => '>2.4.120');
$expected = array('stix' => '>1.2.0.11', 'cybox' => '>2.1.0.21', 'mixbox' => '>1.0.5', 'maec' => '>4.1.0.17', 'stix2' => '>3.0.0', 'pymisp' => '>2.4.120');
// check if the STIX and Cybox libraries are working using the test script stixtest.py
$scriptResult = shell_exec($this->getPythonVersion() . ' ' . APP . 'files' . DS . 'scripts' . DS . 'stixtest.py');
try {

@ -1 +1 @@
Subproject commit cefd58b101284cf9a8879f23ea9b701bee83230b
Subproject commit 1827b14c20e31355b1216fa896e6f8dad62ec12b

@ -0,0 +1 @@
Subproject commit 519a5cb8fad2fdfd715ca32bcd5b7f414e395a59

@ -0,0 +1 @@
Subproject commit 8cfdcb04db3418636fa1c39f7f8655e91b160b50



@ -1,448 +0,0 @@
# mappings
status_mapping = {'0': 'New', '1': 'Open', '2': 'Closed'}
threat_level_mapping = {'1': 'High', '2': 'Medium', '3': 'Low', '4': 'Undefined'}
TLP_order = {'RED': 4, 'AMBER': 3, 'AMBER NATO ALLIANCE': 3, 'GREEN': 2, 'WHITE': 1}
confidence_mapping = {False: 'None', True: 'High'}
not_implemented_attributes = ('yara', 'snort', 'pattern-in-traffic', 'pattern-in-memory')
non_indicator_attributes = (
'text',
'comment',
'other',
'link',
'target-user',
'target-email',
'target-machine',
'target-org',
'target-location',
'target-external',
'vulnerability'
)
hash_type_attributes = {
"single": (
"md5",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"ssdeep",
"imphash",
"authentihash",
"pehash",
"tlsh",
"cdhash"
),
"composite": (
"filename|md5",
"filename|sha1",
"filename|sha224",
"filename|sha256",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|authentihash",
"filename|ssdeep",
"filename|tlsh",
"filename|imphash",
"filename|pehash"
)
}
# mapping for the attributes that can go through the simpleobservable script
misp_cybox_name = {
"domain": "DomainName",
"hostname": "Hostname",
"url": "URI",
"AS": "AutonomousSystem",
"mutex": "Mutex",
"named pipe": "Pipe",
"link": "URI",
"network-connection": "NetworkConnection",
"windows-service-name": "WinService"
}
cybox_name_attribute = {
"DomainName": "value",
"Hostname": "hostname_value",
"URI": "value",
"AutonomousSystem": "number",
"Pipe": "name",
"Mutex": "name",
"WinService": "name"
}
misp_indicator_type = {
"email-attachment": "Malicious E-mail",
"filename": "File Hash Watchlist",
"mutex": "Host Characteristics",
"named pipe": "Host Characteristics",
"url": "URL Watchlist"
}
misp_indicator_type.update(dict.fromkeys(list(hash_type_attributes["single"]), "File Hash Watchlist"))
misp_indicator_type.update(dict.fromkeys(list(hash_type_attributes["composite"]), "File Hash Watchlist"))
misp_indicator_type.update(
dict.fromkeys(
[
"email-src",
"email-dst",
"email-subject",
"email-reply-to",
"email-attachment"
],
"Malicious E-mail"
)
)
misp_indicator_type.update(
dict.fromkeys(
[
"AS",
"ip-src",
"ip-dst",
"ip-src|port",
"ip-dst|port"
],
"IP Watchlist"
)
)
misp_indicator_type.update(
dict.fromkeys(
[
"domain",
"domain|ip",
"hostname"
],
"Domain Watchlist"
)
)
misp_indicator_type.update(
dict.fromkeys(
[
"regkey",
"regkey|value"
],
"Host Characteristics"
)
)
cybox_validation = {"AutonomousSystem": "isInt"}
## ATTRIBUTES MAPPING
simple_type_to_method = {
'attachment': 'resolve_attachment',
'domain|ip': 'generate_domain_ip_observable',
'email-attachment': 'generate_email_attachment_observable',
'filename': 'resolve_file_observable',
'mac-address': 'resolve_system_observable',
'malware-sample': 'resolve_malware_sample',
'named pipe': 'generate_pipe_observable',
'port': 'generate_port_observable',
}
simple_type_to_method.update(
dict.fromkeys(
list(hash_type_attributes["single"]),
'resolve_file_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
list(hash_type_attributes["composite"]),
'resolve_file_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
"ip-src",
"ip-dst"
],
'generate_ip_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
"ip-src|port",
"ip-dst|port",
"hostname|port"
],
'generate_socket_address_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
"regkey",
"regkey|value"
],
'generate_regkey_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
"hostname",
"domain",
"url",
"AS",
"mutex",
"named pipe",
"link",
"windows-service-name"
],
'generate_simple_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
"email-src",
"email-dst",
"email-subject",
"email-reply-to"
],
'resolve_email_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
"http-method",
"user-agent"
],
'resolve_http_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
"pattern-in-file",
"pattern-in-traffic",
"pattern-in-memory"
],
'resolve_pattern_observable'
)
)
simple_type_to_method.update(
dict.fromkeys(
[
'x509-fingerprint-md5',
'x509-fingerprint-sha1',
'x509-fingerprint-sha256'
],
'parse_x509_object'
)
)
## OBJECTS MAPPING
ttp_names = {
'attack-pattern': 'parse_attack_pattern',
'course-of-action': 'parse_course_of_action',
'vulnerability': 'parse_vulnerability',
'weakness': 'parse_weakness'
}
objects_mapping = {
"asn": 'parse_asn_object',
"credential": 'parse_credential_object',
"domain-ip": 'parse_domain_ip_object',
"email": 'parse_email_object',
"file": 'parse_file_object',
"ip-port": 'parse_ip_port_object',
"network-connection": 'parse_network_connection_object',
"network-socket": 'parse_network_socket_object',
"pe": 'store_pe',
"pe-section": 'store_pe',
"process": 'parse_process_object',
"registry-key": 'parse_regkey_object',
"url": 'parse_url_object',
"user-account": 'parse_user_account_object',
"whois": 'parse_whois',
"x509": 'parse_x509_object'
}
## GALAXIES MAPPING
galaxy_types_mapping = {'branded-vulnerability': 'parse_vulnerability_galaxy'}
galaxy_types_mapping.update(
dict.fromkeys(
[
'mitre-attack-pattern',
'mitre-enterprise-attack-attack-pattern',
'mitre-mobile-attack-attack-pattern',
'mitre-pre-attack-attack-pattern'
],
'parse_attack_pattern_galaxy'
)
)
galaxy_types_mapping.update(
dict.fromkeys(
[
'mitre-course-of-action',
'mitre-enterprise-attack-course-of-action',
'mitre-mobile-attack-course-of-action'
],
'parse_course_of_action_galaxy'
)
)
galaxy_types_mapping.update(
dict.fromkeys(
[
'android',
'banker',
'stealer',
'backdoor',
'ransomware',
'mitre-malware',
'malpedia',
'mitre-enterprise-attack-malware',
'mitre-mobile-attack-malware'
],
'parse_malware_galaxy'
)
)
galaxy_types_mapping.update(
dict.fromkeys(
[
'threat-actor',
'microsoft-activity-group'
],
'parse_threat_actor_galaxy'
)
)
galaxy_types_mapping.update(
dict.fromkeys(
[
'botnet',
'rat',
'exploit-kit',
'tds',
'tool',
'mitre-tool',
'mitre-enterprise-attack-tool',
'mitre-mobile-attack-tool'
],
'parse_tool_galaxy'
)
)
# mapping Windows Registry Hives and their abbreviations
# see https://cybox.mitre.org/language/version2.1/xsddocs/objects/Win_Registry_Key_Object_xsd.html#RegistryHiveEnum
# the dict keys must be UPPER CASE and end with \\
misp_reghive = {
"HKEY_CLASSES_ROOT\\": "HKEY_CLASSES_ROOT",
"HKCR\\": "HKEY_CLASSES_ROOT",
"HKEY_CURRENT_CONFIG\\": "HKEY_CURRENT_CONFIG",
"HKCC\\": "HKEY_CURRENT_CONFIG",
"HKEY_CURRENT_USER\\": "HKEY_CURRENT_USER",
"HKCU\\": "HKEY_CURRENT_USER",
"HKEY_LOCAL_MACHINE\\": "HKEY_LOCAL_MACHINE",
"HKLM\\": "HKEY_LOCAL_MACHINE",
"HKEY_USERS\\": "HKEY_USERS",
"HKU\\": "HKEY_USERS",
"HKEY_CURRENT_USER_LOCAL_SETTINGS\\": "HKEY_CURRENT_USER_LOCAL_SETTINGS",
"HKCULS\\": "HKEY_CURRENT_USER_LOCAL_SETTINGS",
"HKEY_PERFORMANCE_DATA\\": "HKEY_PERFORMANCE_DATA",
"HKPD\\": "HKEY_PERFORMANCE_DATA",
"HKEY_PERFORMANCE_NLSTEXT\\": "HKEY_PERFORMANCE_NLSTEXT",
"HKPN\\": "HKEY_PERFORMANCE_NLSTEXT",
"HKEY_PERFORMANCE_TEXT\\": "HKEY_PERFORMANCE_TEXT",
"HKPT\\": "HKEY_PERFORMANCE_TEXT",
}
attack_pattern_object_mapping = {
'id': 'capec_id',
'name': 'title',
'summary': 'description'
}
course_of_action_object_keys = (
'type',
'description',
'objective',
'stage',
'cost',
'impact',
'efficacy'
)
email_object_mapping = {
'from': 'from_',
'reply-to': 'reply_to',
'subject': 'subject',
'x-mailer': 'x_mailer',
'mime-boundary': 'boundary',
'user-agent': 'user_agent'
}
file_object_mapping = {
'path': 'full_path',
'size-in-bytes': 'size_in_bytes',
'entropy': 'peak_entropy'
}
process_object_keys = (
'creation-time',
'start-time',
'name',
'pid',
'parent-pid'
)
regkey_object_mapping = {
'name': 'name',
'data': 'data',
'data-type': 'datatype'
}
user_account_id_mapping = {
'unix': 'user_id',
'windows-domain': 'security_id',
'windows-local': 'security_id'
}
user_account_object_mapping = {
'username': 'username',
'display-name': 'full_name',
'disabled': 'disabled',
'created': 'creation_date',
'last_login': 'last_login',
'home_dir': 'home_directory',
'shell': 'script_path'
}
vulnerability_object_mapping = {
'id': 'cve_id',
'summary': 'description',
'published': 'published_datetime'
}
weakness_object_mapping = {
'id': 'cwe_id',
'description': 'description'
}
whois_object_mapping = {
'creation-date': 'creation_date',
'modification-date': 'updated_date',
'expiration-date': 'expiration_date'
}
whois_registrant_mapping = {
'registrant-name': 'name',
'registrant-phone': 'phone_number',
'registrant-email': 'email_address',
'registrant-org': 'organization'
}
x509_creation_mapping = {
'version': 'contents',
'serial-number': 'contents',
'issuer': 'contents',
'subject': 'contents',
'validity-not-before': 'validity',
'validity-not-after': 'validity',
'pubkey-info-exponent': 'rsa_pubkey',
'pubkey-info-modulus': 'rsa_pubkey',
'raw-base64': 'raw_certificate',
'pem': 'raw_certificate',
'x509-fingerprint-md5': 'signature',
'x509-fingerprint-sha1': 'signature',
'x509-fingerprint-sha256': 'signature',
'pubkey-info-algorithm': 'subject_pubkey'
}
x509_object_keys = (
'version',
'serial-number',
'issuer',
'subject'
)


@ -1,164 +1,47 @@
#!/usr/bin/env python3
import sys, json
import argparse
import json
import sys
from pathlib import Path
n_args = {'stix': 4, 'stix2': 2}
json_footer = "]}\n"
keys_to_return = ['header', 'separator', 'footer']
_current_path = Path(__file__).resolve().parent
sys.path.insert(0, str(_current_path / 'cti-python-stix2'))
sys.path.insert(1, str(_current_path / 'python-stix'))
sys.path.insert(2, str(_current_path / 'python-cybox'))
sys.path.insert(3, str(_current_path / 'mixbox'))
sys.path.insert(4, str(_current_path / 'misp-stix'))
from misp_stix_converter import stix1_framing, stix20_framing, stix21_framing
def stix_framing(*args):
import datetime, re
from stix.core import STIXPackage, STIXHeader
from cybox.utils import Namespace
# As python3 is forced anyway, mixbox is used and we don't need to try to import idgen from stix.utils
from mixbox import idgen
from stix import __version__ as STIXVER
NS_DICT = {
"http://cybox.mitre.org/common-2" : 'cyboxCommon',
"http://cybox.mitre.org/cybox-2" : 'cybox',
"http://cybox.mitre.org/default_vocabularies-2" : 'cyboxVocabs',
"http://cybox.mitre.org/objects#AccountObject-2" : 'AccountObj',
"http://cybox.mitre.org/objects#ArtifactObject-2": 'ArtifactObj',
"http://cybox.mitre.org/objects#ASObject-1" : 'ASObj',
"http://cybox.mitre.org/objects#AddressObject-2" : 'AddressObj',
"http://cybox.mitre.org/objects#PortObject-2" : 'PortObj',
"http://cybox.mitre.org/objects#DomainNameObject-1" : 'DomainNameObj',
"http://cybox.mitre.org/objects#EmailMessageObject-2" : 'EmailMessageObj',
"http://cybox.mitre.org/objects#FileObject-2" : 'FileObj',
"http://cybox.mitre.org/objects#HTTPSessionObject-2" : 'HTTPSessionObj',
"http://cybox.mitre.org/objects#HostnameObject-1" : 'HostnameObj',
"http://cybox.mitre.org/objects#MutexObject-2" : 'MutexObj',
"http://cybox.mitre.org/objects#PipeObject-2" : 'PipeObj',
"http://cybox.mitre.org/objects#URIObject-2" : 'URIObj',
"http://cybox.mitre.org/objects#WinRegistryKeyObject-2" : 'WinRegistryKeyObj',
'http://cybox.mitre.org/objects#WinServiceObject-2' : 'WinServiceObj',
"http://cybox.mitre.org/objects#NetworkConnectionObject-2" : 'NetworkConnectionObj',
"http://cybox.mitre.org/objects#NetworkSocketObject-2" : 'NetworkSocketObj',
"http://cybox.mitre.org/objects#SocketAddressObject-1" : 'SocketAddressObj',
"http://cybox.mitre.org/objects#SystemObject-2" : 'SystemObj',
"http://cybox.mitre.org/objects#ProcessObject-2" : 'ProcessObj',
"http://cybox.mitre.org/objects#X509CertificateObject-2" : 'X509CertificateObj',
"http://cybox.mitre.org/objects#WhoisObject-2" : 'WhoisObj',
"http://cybox.mitre.org/objects#WinExecutableFileObject-2" : 'WinExecutableFileObj',
"http://cybox.mitre.org/objects#UnixUserAccountObject-2": "UnixUserAccountObj",
"http://cybox.mitre.org/objects#UserAccountObject-2": "UserAccountObj",
"http://cybox.mitre.org/objects#WinUserAccountObject-2": "WinUserAccountObj",
"http://cybox.mitre.org/objects#CustomObject-1": "CustomObj",
"http://data-marking.mitre.org/Marking-1" : 'marking',
"http://data-marking.mitre.org/extensions/MarkingStructure#Simple-1": 'simpleMarking',
"http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1" : 'tlpMarking',
"http://stix.mitre.org/ExploitTarget-1" : 'et',
"http://stix.mitre.org/Incident-1" : 'incident',
"http://stix.mitre.org/Indicator-2" : 'indicator',
"http://stix.mitre.org/CourseOfAction-1": 'coa',
"http://stix.mitre.org/TTP-1" : 'ttp',
"http://stix.mitre.org/ThreatActor-1" : 'ta',
"http://stix.mitre.org/common-1" : 'stixCommon',
"http://stix.mitre.org/default_vocabularies-1" : 'stixVocabs',
"http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1" : 'stix-ciqidentity',
"http://stix.mitre.org/extensions/TestMechanism#Snort-1" : 'snortTM',
"http://stix.mitre.org/stix-1" : 'stix',
"http://www.w3.org/2001/XMLSchema-instance" : 'xsi',
"urn:oasis:names:tc:ciq:xal:3" : 'xal',
"urn:oasis:names:tc:ciq:xnl:3" : 'xnl',
"urn:oasis:names:tc:ciq:xpil:3" : 'xpil',
}
SCHEMALOC_DICT = {
'http://cybox.mitre.org/common-2': 'http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd',
'http://cybox.mitre.org/cybox-2': 'http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd',
'http://cybox.mitre.org/default_vocabularies-2': 'http://cybox.mitre.org/XMLSchema/default_vocabularies/2.1/cybox_default_vocabularies.xsd',
'http://cybox.mitre.org/objects#AccountObject-2': ' http://cybox.mitre.org/XMLSchema/objects/Account/2.1/Account_Object.xsd',
'http://cybox.mitre.org/objects#ArtifactObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Artifact/2.1/Artifact_Object.xsd',
'http://cybox.mitre.org/objects#ASObject-1': 'http://cybox.mitre.org/XMLSchema/objects/AS/1.0/AS_Object.xsd',
'http://cybox.mitre.org/objects#AddressObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Address/2.1/Address_Object.xsd',
'http://cybox.mitre.org/objects#PortObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Port/2.1/Port_Object.xsd',
'http://cybox.mitre.org/objects#DomainNameObject-1': 'http://cybox.mitre.org/XMLSchema/objects/Domain_Name/1.0/Domain_Name_Object.xsd',
'http://cybox.mitre.org/objects#EmailMessageObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Email_Message/2.1/Email_Message_Object.xsd',
'http://cybox.mitre.org/objects#FileObject-2': 'http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd',
'http://cybox.mitre.org/objects#HTTPSessionObject-2': 'http://cybox.mitre.org/XMLSchema/objects/HTTP_Session/2.1/HTTP_Session_Object.xsd',
'http://cybox.mitre.org/objects#HostnameObject-1': 'http://cybox.mitre.org/XMLSchema/objects/Hostname/1.0/Hostname_Object.xsd',
'http://cybox.mitre.org/objects#MutexObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Mutex/2.1/Mutex_Object.xsd',
'http://cybox.mitre.org/objects#PipeObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Pipe/2.1/Pipe_Object.xsd',
'http://cybox.mitre.org/objects#URIObject-2': 'http://cybox.mitre.org/XMLSchema/objects/URI/2.1/URI_Object.xsd',
'http://cybox.mitre.org/objects#WinServiceObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Win_Service/2.1/Win_Service_Object.xsd',
'http://cybox.mitre.org/objects#WinRegistryKeyObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Win_Registry_Key/2.1/Win_Registry_Key_Object.xsd',
'http://cybox.mitre.org/objects#NetworkConnectionObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Network_Connection/2.0.1/Network_Connection_Object.xsd',
'http://cybox.mitre.org/objects#NetworkSocketObject-2': 'https://cybox.mitre.org/XMLSchema/objects/Network_Socket/2.1/Network_Socket_Object.xsd',
'http://cybox.mitre.org/objects#SystemObject-2': 'http://cybox.mitre.org/XMLSchema/objects/System/2.1/System_Object.xsd',
'http://cybox.mitre.org/objects#SocketAddressObject-1': 'http://cybox.mitre.org/XMLSchema/objects/Socket_Address/1.1/Socket_Address_Object.xsd',
'http://cybox.mitre.org/objects#ProcessObject-2': 'https://cybox.mitre.org/XMLSchema/objects/Process/2.1/Process_Object.xsd',
'http://cybox.mitre.org/objects#X509CertificateObject-2': 'http://cybox.mitre.org/XMLSchema/objects/X509_Certificate/2.1/X509_Certificate_Object.xsd',
'http://cybox.mitre.org/objects#WhoisObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Whois/2.1/Whois_Object.xsd',
'http://cybox.mitre.org/objects#WinExecutableFileObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Win_Executable_File/2.1/Win_Executable_File_Object.xsd',
'http://cybox.mitre.org/objects#UnixUserAccountObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Unix_User_Account/2.1/Unix_User_Account_Object.xsd',
'http://cybox.mitre.org/objects#UserAccountObject-2': 'http://cybox.mitre.org/XMLSchema/objects/User_Account/2.1/User_Account_Object.xsd',
'http://cybox.mitre.org/objects#WinUserAccountObject-2': 'http://cybox.mitre.org/XMLSchema/objects/Win_User_Account/2.1/Win_User_Account_Object.xsd',
'http://cybox.mitre.org/objects#CustomObject-1': 'http://cybox.mitre.org/XMLSchema/objects/Custom/1.1/Custom_Object.xsd',
'http://data-marking.mitre.org/Marking-1': 'http://stix.mitre.org/XMLSchema/data_marking/1.1.1/data_marking.xsd',
'http://data-marking.mitre.org/extensions/MarkingStructure#Simple-1': 'http://stix.mitre.org/XMLSchema/extensions/marking/simple/1.1.1/simple_marking.xsd',
'http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1': 'http://stix.mitre.org/XMLSchema/extensions/marking/tlp/1.1.1/tlp_marking.xsd',
'http://stix.mitre.org/ExploitTarget-1': 'http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd',
'http://stix.mitre.org/Incident-1': 'http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd',
'http://stix.mitre.org/Indicator-2': 'http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd',
'http://stix.mitre.org/CourseOfAction-1': 'http://stix.mitre.org/XMLSchema/course_of_action/1.1.1/course_of_action.xsd',
'http://stix.mitre.org/TTP-1': 'http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd',
'http://stix.mitre.org/ThreatActor-1': 'http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd',
'http://stix.mitre.org/common-1': 'http://stix.mitre.org/XMLSchema/common/1.1.1/stix_common.xsd',
'http://stix.mitre.org/default_vocabularies-1': 'http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd',
'http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1': 'http://stix.mitre.org/XMLSchema/extensions/identity/ciq_3.0/1.1.1/ciq_3.0_identity.xsd',
'http://stix.mitre.org/extensions/TestMechanism#Snort-1': 'http://stix.mitre.org/XMLSchema/extensions/test_mechanism/snort/1.1.1/snort_test_mechanism.xsd',
'http://stix.mitre.org/stix-1': 'http://stix.mitre.org/XMLSchema/core/1.1.1/stix_core.xsd',
'urn:oasis:names:tc:ciq:xal:3': 'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xAL.xsd',
'urn:oasis:names:tc:ciq:xnl:3': 'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xNL.xsd',
'urn:oasis:names:tc:ciq:xpil:3': 'http://stix.mitre.org/XMLSchema/external/oasis_ciq_3.0/xPIL.xsd',
}
baseurl, orgname, return_type = args
if not baseurl:
baseurl = 'https://www.misp-project.org'
real_orgname = args[1]
orgname = re.sub('[\W]+', '', orgname.replace(" ", "_"))
NS_DICT[baseurl] = orgname
try:
idgen.set_id_namespace(Namespace(baseurl, orgname))
except TypeError:
idgen.set_id_namespace(Namespace(baseurl, orgname, "MISP"))
stix_package = STIXPackage()
stix_header = STIXHeader()
stix_header.title="Export from {} MISP".format(real_orgname)
stix_header.package_intents="Threat Report"
stix_package.stix_header = stix_header
stix_package.version = "1.1.1"
stix_package.timestamp = datetime.datetime.now()
return stix_json_framing(stix_package) if return_type == 'json' else stix_xml_framing(stix_package, NS_DICT, SCHEMALOC_DICT)
def stix_framing(args: argparse.Namespace) -> dict:
header, separator, footer = stix1_framing(args.namespace, args.orgname, args.format, args.version)
return {'header': header, 'separator': separator, 'footer': footer}
def stix_json_framing(stix_package):
header = '{}, "related_packages": ['.format(stix_package.to_json()[:-1])
return header, ',', json_footer
def stix_xml_framing(stix_package, ns, schema):
s_stix_package = "</stix:STIX_Package>\n"
s_related_package = "stix:Related_Package"
header = stix_package.to_xml(auto_namespace=False, ns_dict=ns, schemaloc_dict=schema)
header = header.decode()
header = "{0} <{1}s>\n <{1}>\n".format(header, s_related_package).replace(s_stix_package, "")
footer = " </{0}>\n </{0}s>\n{1}".format(s_related_package, s_stix_package)
separator = " </{0}>\n <{0}>\n".format(s_related_package)
return header, separator, footer
def stix2_framing(args: argparse.Namespace) -> dict:
header, separator, footer = stix20_framing(args.uuid) if args.version == '2.0' else stix21_framing(args.uuid)
return {'header': header, 'separator': separator, 'footer': footer}
def stix2_framing(*args):
return '{"type": "bundle", "spec_version": "2.0", "id": "bundle--%s", "objects": [' % args[0], ',', json_footer
framing_mapping = {'stix': stix_framing, 'stix2': stix2_framing}
def main(args):
framing_type = args[1]
n = n_args[framing_type]
if len(args) < n:
sys.exit("Invalid parameters")
args = args[2:]
values_to_return = framing_mapping[framing_type](*args)
print(json.dumps({keys: values for keys, values in zip(keys_to_return, values_to_return)}))
if __name__ == "__main__":
main(sys.argv)
parser = argparse.ArgumentParser(description='Handle framing to return header, separator and footer for a given return format.')
subparsers = parser.add_subparsers()
stix1_parser = subparsers.add_parser('stix1', help='STIX1 framing.')
stix1_parser.add_argument('-v', '--version', default='1.1.1', choices=['1.1.1', '1.2'], help='STIX1 version (1.1.1 or 1.2).')
stix1_parser.add_argument('-f', '--format', default='xml', choices=['json', 'xml'], help='Return format (xml or json).')
stix1_parser.add_argument('-n', '--namespace', default='https://misp-project.org', help='Default namespace to include in the namespaces defined in the STIX header.')
stix1_parser.add_argument('-o', '--orgname', default='MISP', help='Default Org name associated with the namespace.')
stix1_parser.set_defaults(func=stix_framing)
stix2_parser = subparsers.add_parser('stix2', help='STIX2 framing.')
stix2_parser.add_argument('-v', '--version', default='2.0', choices=['2.0', '2.1'], help='STIX2 version (2.0 or 2.1).')
stix2_parser.add_argument('--uuid', help='UUID used to identity the STIX2 bundle.')
stix2_parser.set_defaults(func=stix2_framing)
try:
args = parser.parse_args()
print(json.dumps(args.func(args)))
except SystemExit:
print(json.dumps({'error': 'Framing arguments error, please check requirements for each return format.'}))

@ -0,0 +1 @@
Subproject commit 70bc18c714134c5be5a70226aac5961ad810a6c0

@ -0,0 +1 @@
Subproject commit 25e6e8b3a6f429f079d3fbd9ace3db9eb3d5ab71

@ -0,0 +1 @@
Subproject commit 13e66105c9646156060d0896a4d54970ea358f44

@ -0,0 +1 @@
Subproject commit 34f24261b70c7d02ddf0f5696d3919e771dbd32f



@ -1,256 +0,0 @@
misp_hash_types = ("authentihash", "ssdeep", "imphash", "md5", "sha1", "sha224",
"sha256", "sha384", "sha512", "sha512/224","sha512/256","tlsh")
attack_pattern_galaxies_list = ('mitre-attack-pattern', 'mitre-enterprise-attack-attack-pattern',
'mitre-mobile-attack-attack-pattern', 'mitre-pre-attack-attack-pattern')
course_of_action_galaxies_list = ('mitre-course-of-action', 'mitre-enterprise-attack-course-of-action',
'mitre-mobile-attack-course-of-action')
intrusion_set_galaxies_list = ('mitre-enterprise-attack-intrusion-set', 'mitre-mobile-attack-intrusion-set',
'mitre-pre-attack-intrusion-set', 'mitre-intrusion-set')
malware_galaxies_list = ('android', 'banker', 'stealer', 'backdoor', 'ransomware', 'mitre-malware',
'mitre-enterprise-attack-malware', 'mitre-mobile-attack-malware')
threat_actor_galaxies_list = ('threat-actor', 'microsoft-activity-group')
tool_galaxies_list = ('botnet', 'rat', 'exploit-kit', 'tds', 'tool', 'mitre-tool',
'mitre-enterprise-attack-tool', 'mitre-mobile-attack-tool')
galaxies_mapping = {'branded-vulnerability': ['vulnerability', 'add_vulnerability_from_galaxy']}
galaxies_mapping.update(dict.fromkeys(attack_pattern_galaxies_list, ['attack-pattern', 'add_attack_pattern']))
galaxies_mapping.update(dict.fromkeys(course_of_action_galaxies_list, ['course-of-action', 'add_course_of_action']))
galaxies_mapping.update(dict.fromkeys(intrusion_set_galaxies_list, ['intrusion-set', 'add_intrusion_set']))
galaxies_mapping.update(dict.fromkeys(malware_galaxies_list, ['malware', 'add_malware']))
galaxies_mapping.update(dict.fromkeys(threat_actor_galaxies_list, ['threat-actor', 'add_threat_actor']))
galaxies_mapping.update(dict.fromkeys(tool_galaxies_list, ['tool', 'add_tool']))
mispTypesMapping = {
'md5': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
'sha1': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
'sha256': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
'filename': {'observable': '_get_file_observable', 'pattern': '_get_file_pattern'},
'filename|md5': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
'filename|sha1': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
'filename|sha256': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
'ip-src': {'observable': '_get_ip_observable', 'pattern': '_get_ip_pattern'},
'ip-dst': {'observable': '_get_ip_observable', 'pattern': '_get_ip_pattern'},
'hostname': {'observable': '_get_domain_observable', 'pattern': '_get_domain_pattern'},
'domain': {'observable': '_get_domain_observable', 'pattern': '_get_domain_pattern'},
'domain|ip': {'observable': '_get_domain_ip_observable', 'pattern': '_get_domain_ip_pattern'},
'email-src': {'observable': '_get_email_address_observable', 'pattern': '_get_email_address_pattern'},
'email-dst': {'observable': '_get_email_address_observable', 'pattern': '_get_email_address_pattern'},
'email-subject': {'observable': '_get_email_message_observable', 'pattern': '_get_email_message_pattern'},
'email-body': {'observable': '_get_email_message_observable', 'pattern': '_get_email_message_pattern'},
'email-attachment': {'observable': '_get_email_attachment_observable', 'pattern': '_get_email_attachment_observable'},
'url': {'observable': '_get_url_observable', 'pattern': '_get_url_pattern'},
'regkey': {'observable': '_get_regkey_observable', 'pattern': '_get_regkey_pattern'},
'regkey|value': {'observable': '_get_regkey_value_observable', 'pattern': '_get_regkey_value_pattern'},
'malware-sample': {'observable': '_get_malware_sample_observable', 'pattern': '_get_malware_sample_pattern'},
'mutex': {'observable': '_get_mutex_observable', 'pattern': '_get_mutex_pattern'},
'uri': {'observable': '_get_url_observable', 'pattern': '_get_url_pattern'},
'authentihash': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
'ssdeep': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
'imphash': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
'pehash': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
'impfuzzy': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
'sha224': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
'sha384': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
'sha512': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
'sha512/224': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
'sha512/256': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
'tlsh': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
'cdhash': {'observable': '_get_hash_observable', 'pattern': '_get_hash_pattern'},
'filename|authentihash': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
'filename|ssdeep': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
'filename|imphash': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
'filename|impfuzzy': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
'filename|pehash': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
'filename|sha224': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
'filename|sha384': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
'filename|sha512': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
'filename|sha512/224': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
'filename|sha512/256': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
'filename|tlsh': {'observable': '_get_file_hash_observable', 'pattern': '_get_file_hash_pattern'},
'x509-fingerprint-md5': {'observable': '_get_x509_observable', 'pattern': '_get_x509_pattern'},
'x509-fingerprint-sha1': {'observable': '_get_x509_observable', 'pattern': '_get_x509_pattern'},
'x509-fingerprint-sha256': {'observable': '_get_x509_observable', 'pattern': '_get_x509_pattern'},
'port': {'observable': '_get_port_observable', 'pattern': '_get_port_pattern'},
'ip-dst|port': {'observable': '_get_ip_port_observable', 'pattern': '_get_ip_port_pattern'},
'ip-src|port': {'observable': '_get_ip_port_observable', 'pattern': '_get_ip_port_pattern'},
'hostname|port': {'observable': '_get_hostname_port_observable', 'pattern': '_get_hostname_port_pattern'},
'email-reply-to': {'observable': '_get_reply_to_observable', 'pattern': '_get_reply_to_pattern'},
'attachment': {'observable': '_get_attachment_observable', 'pattern': '_get_attachment_pattern'},
'mac-address': {'observable': '_get_mac_address_observable', 'pattern': '_get_mac_address_pattern'},
'AS': {'observable': '_get_as_observable', 'pattern': '_get_as_pattern'}
#'email-dst-display-name': {'observable': {'0': {'type': 'email-addr', 'display_name': ''}},
# 'pattern': 'email-addr:display_name = \'{0}\''},
#'email-src-display-name': {'observable': {'0': {'type': 'email-addr', 'display_name': ''}},
# 'pattern': 'email-addr:display_name = \'{0}\''}
}
objects_mapping = {
'asn': {'observable': 'resolve_asn_observable',
'pattern': 'resolve_asn_pattern'},
'credential': {'observable': 'resolve_credential_observable',
'pattern': 'resolve_credential_pattern'},
'domain-ip': {'observable': 'resolve_domain_ip_observable',
'pattern': 'resolve_domain_ip_pattern'},
'email': {'observable': 'resolve_email_object_observable',
'pattern': 'resolve_email_object_pattern'},
'file': {'observable': 'resolve_file_observable',
'pattern': 'resolve_file_pattern'},
'ip-port': {'observable': 'resolve_ip_port_observable',
'pattern': 'resolve_ip_port_pattern'},
'network-connection': {'observable': 'resolve_network_connection_observable',
'pattern': 'resolve_network_connection_pattern'},
'network-socket': {'observable': 'resolve_network_socket_observable',
'pattern': 'resolve_network_socket_pattern'},
'process': {'observable': 'resolve_process_observable',
'pattern': 'resolve_process_pattern'},
'registry-key': {'observable': 'resolve_regkey_observable',
'pattern': 'resolve_regkey_pattern'},
'stix2-pattern': {'pattern': 'resolve_stix2_pattern'},
'url': {'observable': 'resolve_url_observable',
'pattern': 'resolve_url_pattern'},
'user-account': {'observable': 'resolve_user_account_observable',
'pattern': 'resolve_user_account_pattern'},
'x509': {'observable': 'resolve_x509_observable',
'pattern': 'resolve_x509_pattern'}
}
network_traffic_pattern = "network-traffic:{0} = '{1}'"
network_traffic_src_ref = "src_{0}.type = '{1}' AND network-traffic:src_{0}.value"
network_traffic_dst_ref = "dst_{0}.type = '{1}' AND network-traffic:dst_{0}.value"
network_traffic_reference_mapping = {'': ''}
objectsMapping = {'asn': {'to_call': 'handle_usual_object_name',
'observable': {'type': 'autonomous-system'},
'pattern': "autonomous-system:{0} = '{1}'"},
'attack-pattern': {'to_call': 'add_attack_pattern_object'},
'course-of-action': {'to_call': 'add_course_of_action_from_object'},
'credential': {'to_call': 'handle_usual_object_name',
'observable': {'type': 'user-account'},
'pattern': "user-account:{0} = '{1}'"},
'domain-ip': {'to_call': 'handle_usual_object_name',
'pattern': "domain-name:{0} = '{1}'"},
'email': {'to_call': 'handle_usual_object_name',
'observable': {'0': {'type': 'email-message'}},
'pattern': "email-{0}:{1} = '{2}'"},
'file': {'to_call': 'handle_usual_object_name',
'observable': {'0': {'type': 'file', 'hashes': {}}},
'pattern': "file:{0} = '{1}'"},
'ip-port': {'to_call': 'handle_usual_object_name',
'pattern': network_traffic_pattern},
'network-connection': {'to_call': 'handle_usual_object_name',
'pattern': network_traffic_pattern},
'network-socket': {'to_call': 'handle_usual_object_name',
'pattern': network_traffic_pattern},
'pe': {'to_call': 'populate_objects_to_parse'},
'pe-section': {'to_call': 'populate_objects_to_parse'},
'process': {'to_call': 'handle_usual_object_name',
'pattern': "process:{0} = '{1}'"},
'registry-key': {'to_call': 'handle_usual_object_name',
'observable': {'0': {'type': 'windows-registry-key'}},
'pattern': "windows-registry-key:{0} = '{1}'"},
'stix2-pattern': {'to_call': 'handle_usual_object_name'},
'url': {'to_call': 'handle_usual_object_name',
'observable': {'0': {'type': 'url'}},
'pattern': "url:{0} = '{1}'"},
'user-account': {'to_call': 'handle_usual_object_name',
'pattern': "user-account:{0} = '{1}'"},
'vulnerability': {'to_call': 'add_object_vulnerability'},
'x509': {'to_call': 'handle_usual_object_name',
'pattern': "x509-certificate:{0} = '{1}'"}
}
asnObjectMapping = {'asn': 'number', 'description': 'name', 'subnet-announced': 'value'}
attackPatternObjectMapping = {'name': 'name', 'summary': 'description'}
attack_pattern_reference_mapping = {'id': ('capec', 'external_id'),
'references': ('mitre-attack', 'url')}
credentialObjectMapping = {'password': 'credential', 'username': 'user_id'}
domainIpObjectMapping = {'ip-dst': 'resolves_to_refs[*].value', 'domain': 'value'}
email_attachment = {'email_type': 'message', 'stix_type': 'body_multipart[{}].body_raw_ref.name'}
emailObjectMapping = {'email-body': {'email_type': 'message', 'stix_type': 'body'},
'subject': {'email_type': 'message', 'stix_type': 'subject'},
'to': {'email_type': 'message', 'stix_type': 'to_refs'},
'cc': {'email_type': 'message', 'stix_type': 'cc_refs'},
'to-display-name': {'email_type': 'addr', 'stix_type': 'display_name'},
'from': {'email_type': 'message', 'stix_type': 'from_ref'},
'from-display-name': {'email_type': 'addr', 'stix_type': 'display_name'},
'reply-to': {'email_type': 'message', 'stix_type': 'additional_header_fields.reply_to'},
'attachment': email_attachment, 'screenshot': email_attachment,
'send-date': {'email_type': 'message', 'stix_type': 'date'},
'x-mailer': {'email_type': 'message', 'stix_type': 'additional_header_fields.x_mailer'}}
fileMapping = {'size-in-bytes': 'size', 'mime-type': 'mime_type', 'file-encoding': 'name_enc'}
hash_types = ('MD5', 'SHA-1', 'SHA-256', 'SHA-224', 'SHA-384', 'SHA-512', 'ssdeep', 'tlsh')
fileMapping.update({hash_type.replace('-', '').lower(): hash_type for hash_type in hash_types})
hash_types = tuple(hash_type.replace('-', '').lower() for hash_type in hash_types)
ipPortObjectMapping = {'ip': network_traffic_dst_ref,
'src-port': 'src_port', 'dst-port': 'dst_port',
'first-seen': 'start', 'last-seen': 'end',
'domain': 'value'}
networkTrafficMapping = {'address-family': 'address_family', 'domain-family': 'protocol_family',
'protocol': 'protocols', 'src-port': 'src_port', 'dst-port': 'dst_port',
'ip-src': network_traffic_src_ref, 'ip-dst': network_traffic_dst_ref,
'hostname-src': network_traffic_src_ref, 'hostname-dst': network_traffic_dst_ref}
peMapping = {'type': 'pe_type', 'number-sections': 'number_of_sections', 'imphash': 'imphash'}
peSectionMapping = {'name': 'name', 'size-in-bytes': 'size', 'entropy': 'entropy'}
processMapping = {'pid': 'pid', 'child-pid': 'child_refs[*].pid',
'name': 'name', 'parent-pid': 'parent_ref.pid',
'creation-time': 'created', 'image': 'binary_ref.name'}
regkeyMapping = {'data-type': 'data_type', 'data': 'data', 'name': 'name',
'last-modified': 'modified', 'key': 'key'}
urlMapping = {'url': 'value', 'domain': 'value', 'port': 'dst_port'}
userAccountMapping = {'account-type': 'account_type', 'can_escalate_privs': 'can_escalate_privs',
'created': 'account_created', 'disabled': 'is_disabled', 'display-name': 'display_name',
'expires': 'account_expires', 'first_login': 'account_first_login',
'is_service_account': 'is_service_account', 'last_login': 'account_last_login',
'password': 'credential', 'password_last_changed': 'credential_last_changed',
'privileged': 'is_privileged', 'username': 'account_login', 'user-id': 'user_id'}
unixAccountExtensionMapping = {'group': 'groups', 'group-id': 'gid', 'home_dir': 'home_dir', 'shell': 'shell'}
vulnerabilityMapping = {'id': 'name', 'summary': 'description'}
x509mapping = {'pubkey-info-algorithm': 'subject_public_key_algorithm', 'subject': 'subject',
'pubkey-info-exponent': 'subject_public_key_exponent', 'issuer': 'issuer',
'pubkey-info-modulus': 'subject_public_key_modulus', 'serial-number': 'serial_number',
'validity-not-before': 'validity_not_before', 'validity-not-after': 'validity_not_after',
'version': 'version',}
defineProtocols = {'80': 'http', '443': 'https'}
tlp_markings = {'tlp:white': 'TLP_WHITE', 'tlp:green': 'TLP_GREEN',
'tlp:amber': 'TLP_AMBER', 'tlp:red': 'TLP_RED'}
relationshipsSpecifications = {'attack-pattern': {'vulnerability': 'targets', 'identity': 'targets',
'malware': 'uses', 'tool': 'uses'},
'campaign': {'intrusion-set': 'attributed-to', 'threat-actor': 'attributed-to',
'identity': 'targets', 'vulnerability': 'targets',
'attack-pattern': 'uses', 'malware': 'uses',
'tool': 'uses'},
'course-of-action':{'attack-pattern': 'mitigates', 'malware': 'mitigates',
'tool': 'mitigates', 'vulnerability': 'mitigates'},
'intrusion-set': {'threat-actor': 'attributed-to', 'identity': 'targets',
'vulnerability': 'targets', 'attack-pattern': 'uses',
'malware': 'uses', 'tool': 'uses'},
'malware': {'identity': 'targets', 'vulnerability': 'targets',
'tool': 'uses', 'malware': 'variant-of'},
'threat-actor': {'identity': 'attributed-to', 'vulnerability': 'targets',
'attack-pattern': 'uses', 'malware': 'uses',
'tool': 'uses'},
'tool': {'identity': 'targets', 'vulnerability': 'targets'}
}
galaxy_types = ('attack-pattern', 'campaign', 'intrusion-set', 'malware', 'threat-actor', 'tool')
relationshipsSpecifications['indicator'] = {feature: 'indicates' for feature in galaxy_types}
relationshipsSpecifications['observed-data'] = {feature: 'observed-with' for feature in galaxy_types}


@ -22,7 +22,6 @@ import os
import time
import io
import pymisp
import stix2
import stix2misp_mapping
from collections import defaultdict
from copy import deepcopy
@ -32,6 +31,10 @@ _misp_objects_path = _misp_dir / 'app' / 'files' / 'misp-objects' / 'objects'
_misp_types = pymisp.AbstractMISP().describe_types.get('types')
from pymisp import MISPEvent, MISPObject, MISPAttribute
_scripts_path = Path(__file__).resolve().parents[1]
sys.path.insert(0, str(_scripts_path / 'cti-python-stix2'))
import stix2
class StixParser():
_galaxy_types = ('intrusion-set', 'malware', 'threat-actor', 'tool')
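Review bot: Inserting the `cti-python-stix2` submodule path at `sys.path[0]` gives no signal when that directory is empty because the submodule was never initialised: the following `import stix2` then resolves to whichever stix2 happens to be installed in the venv (or fails with a generic ImportError), so the parser can silently run against a different library version than the vendored one. A guard before the import makes the failure explicit, e.g. `if not (_scripts_path / 'cti-python-stix2' / 'stix2').is_dir(): raise ImportError('cti-python-stix2 submodule is not initialised')`. The same applies to the four `sys.path.insert` calls for python-stix, python-cybox, mixbox and python-maec in the import hunk of the next file. The module continues outside this hunk.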


@ -23,11 +23,18 @@ import uuid
import base64
import pymisp
import stix2misp_mapping
from operator import attrgetter
from collections import defaultdict
from pathlib import Path
_current_path = Path(__file__).resolve().parent
sys.path.insert(0, str(_current_path / 'python-stix'))
sys.path.insert(1, str(_current_path / 'python-cybox'))
sys.path.insert(2, str(_current_path / 'mixbox'))
sys.path.insert(3, str(_current_path / 'python-maec'))
import stix.extensions.marking.ais
from mixbox.namespaces import NamespaceNotFoundError
from operator import attrgetter
from stix.core import STIXPackage
from collections import defaultdict
try:
import stix_edh
except ImportError:
@ -636,6 +643,8 @@ class StixParser():
def parse_pe_section(self, section):
section_object = MISPObject('pe-section', misp_objects_path_custom=_MISP_objects_path)
header_hashes = section.header_hashes
if header_hashes is None:
header_hashes = section.data_hashes
for h in header_hashes:
hash_type, hash_value, hash_relation = self.handle_hashes_attribute(h)
section_object.add_attribute(**{"type": hash_type, "value": hash_value, "object_relation": hash_relation})
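Review bot: The new `header_hashes is None` fallback does not cover the case where `section.data_hashes` is also absent, so `for h in header_hashes` on the next line would still raise TypeError for a PE section that carries no hashes at all, which is presumably the situation this change is meant to tolerate. Iterating over `header_hashes or ()` keeps the fallback and turns the loop into a no-op when neither set is present: `for h in header_hashes or ():`. parse_pe_section continues past the end of the hunk.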


@ -112,6 +112,7 @@ cybox_to_misp_object = {
"EmailMessage": "email",
"NetworkConnection": "network-connection",
"NetworkSocket": "network-socket",
"Observable": "obsevrable",
"Process": "process",
"UnixUserAccount": "user-account",
"UserAccount": "user-account",

@ -1 +0,0 @@
Subproject commit 52d806b349333d40c5dd75b62e8e64d6a18fcdf4


@ -233,35 +233,10 @@ installCoreRHEL7 () {
sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.cache
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U pip setuptools
cd $PATH_TO_MISP/app/files/scripts
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
UMASK=$(umask)
umask 0022
cd $PATH_TO_MISP/app/files/scripts/python-cybox
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
cd $PATH_TO_MISP/app/files/scripts/python-stix
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
# install mixbox to accommodate the new STIX dependencies:
cd $PATH_TO_MISP/app/files/scripts/mixbox
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
# install STIX2.0 library to support STIX 2.0 export:
cd $PATH_TO_MISP/cti-python-stix2
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
# install maec
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U maec
# install zmq
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U zmq
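Review bot: Removing the `pip install .` steps for python-cybox, python-stix, mixbox, cti-python-stix2 and maec leaves nothing in this hunk that installs their transitive dependencies (these libraries pull in packages such as lxml and python-dateutil that pip used to resolve), whereas the `sys.path.insert` approach the scripts now use only exposes the top-level packages from the submodule checkouts. Unless the suppressed diff or another installer step covers this, STIX import/export would fail at import time with a missing-module error rather than at install time. Either keep one `pip install` of the submodule checkouts or list their requirements explicitly, e.g. `$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U lxml python-dateutil`. The same concern applies to the installCoreRHEL8 hunks and to both installCore hunks further down, where the `for dependency in ...` loops and the `cti-python-stix2` installs are removed.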


@ -265,13 +265,6 @@ installCoreRHEL8 () {
sudo chown $WWW_USER:$WWW_USER /usr/share/httpd/.cache
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U pip setuptools
cd $PATH_TO_MISP/app/files/scripts
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
cd $PATH_TO_MISP/app/files/scripts/python-cybox
$SUDO_WWW git config core.filemode false
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
([[ ${DISTRI} == 'fedora33' ]] || [[ ${DISTRI} == 'fedora34' ]] || [[ ${DISTRI} == 'rhel8.3' ]]) && sudo dnf install cmake3 -y && CMAKE_BIN='cmake3'
([[ ${DISTRI} == 'centos8stream' ]] || [[ ${DISTRI} == 'centos8' ]] || [[ ${DISTRI} == 'rocky8.4' ]]) && sudo dnf install cmake -y && CMAKE_BIN='cmake'
@ -279,25 +272,8 @@ installCoreRHEL8 () {
UMASK=$(umask)
umask 0022
cd $PATH_TO_MISP/app/files/scripts/python-cybox
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
cd $PATH_TO_MISP/app/files/scripts/python-stix
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
# install mixbox to accommodate the new STIX dependencies:
cd $PATH_TO_MISP/app/files/scripts/mixbox
$SUDO_WWW git config core.filemode false
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
# install STIX2.0 library to support STIX 2.0 export:
cd $PATH_TO_MISP/cti-python-stix2
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install .
# install maec, zmq, redis
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U maec zmq redis
# install zmq, redis
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U zmq redis
# install magic, pydeep
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U python-magic git+https://github.com/kbandla/pydeep.git plyara


@ -145,15 +145,6 @@ installCore () {
sudo mkdir /var/www/.cache/
sudo chown ${WWW_USER}:${WWW_USER} /var/www/.cache
for dependency in CybOXProject/python-cybox STIXProject/python-stix MAECProject/python-maec CybOXProject/mixbox; do
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} git clone https://github.com/${dependency}.git ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}; done
${SUDO_WWW} git -C ${PATH_TO_MISP_SCRIPTS}/${dependency##*/} config core.filemode false
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}
done
debug "Install python-stix2"
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP}/cti-python-stix2
debug "Install PyMISP"
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP}/PyMISP
@ -195,12 +186,7 @@ installCore () {
false; while [[ $? -ne 0 ]]; do ${SUDO_WWW} git -C ${PATH_TO_MISP} submodule update --progress --init --recursive; done
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U setuptools pip lief zmq redis python-magic plyara
for dependency in CybOXProject/python-cybox STIXProject/python-stix MAECProject/python-maec CybOXProject/mixbox; do
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} git -C ${PATH_TO_MISP_SCRIPTS}/${dependency##*/} pull; done
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}
done
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP}/cti-python-stix2
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP}/PyMISP
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U git+https://github.com/kbandla/pydeep.git; done
fi


@ -137,15 +137,6 @@ installCore () {
sudo mkdir /var/www/.cache/
sudo chown ${WWW_USER}:${WWW_USER} /var/www/.cache
for dependency in CybOXProject/python-cybox STIXProject/python-stix MAECProject/python-maec CybOXProject/mixbox; do
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} git clone https://github.com/${dependency}.git ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}; done
${SUDO_WWW} git -C ${PATH_TO_MISP_SCRIPTS}/${dependency##*/} config core.filemode false
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}
done
debug "Install python-stix2"
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP}/cti-python-stix2
debug "Install PyMISP"
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install ${PATH_TO_MISP}/PyMISP
@ -186,13 +177,6 @@ installCore () {
${SUDO_WWW} git pull -C ${PATH_TO_MISP}
false; while [[ $? -ne 0 ]]; do ${SUDO_WWW} git -C ${PATH_TO_MISP} submodule update --progress --init --recursive; done
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U setuptools pip lief zmq redis python-magic plyara
for dependency in CybOXProject/python-cybox STIXProject/python-stix MAECProject/python-maec CybOXProject/mixbox; do
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} git -C ${PATH_TO_MISP_SCRIPTS}/${dependency##*/} pull; done
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP_SCRIPTS}/${dependency##*/}
done
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP}/cti-python-stix2
${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U ${PATH_TO_MISP}/PyMISP
false; while [[ $? -ne 0 ]]; do checkAptLock; ${SUDO_WWW} ${PATH_TO_MISP}/venv/bin/pip install -U git+https://github.com/kbandla/pydeep.git; done
fi