Using PyMISP attributes

wip: Waiting for some PyMISP issues to be fixed
pull/2600/head
chrisr3d 2017-10-24 11:55:55 +02:00
parent 0530fe86ed
commit 6a79bfe859
1 changed files with 39 additions and 40 deletions


@ -16,7 +16,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys, json, os, datetime, re import sys, json, os, datetime, re
import pymisp import pymisp
from stix2 import * from stix2 import *
namespace = ['https://github.com/MISP/MISP', 'MISP'] namespace = ['https://github.com/MISP/MISP', 'MISP']
@ -178,7 +178,7 @@ def setIdentity(event):
def readAttributes(event, identity, object_refs, external_refs): def readAttributes(event, identity, object_refs, external_refs):
attributes = [] attributes = []
for attribute in event.attributes: for attribute in event.attributes:
attr_type = attribute['type'] attr_type = attribute.type
if attr_type not in mispTypesMapping: if attr_type not in mispTypesMapping:
continue continue
if attr_type in non_indicator_attributes: if attr_type in non_indicator_attributes:
@ -189,12 +189,12 @@ def readAttributes(event, identity, object_refs, external_refs):
else: else:
handleNonIndicatorAttribute(object_refs, attributes, attribute, identity) handleNonIndicatorAttribute(object_refs, attributes, attribute, identity)
else: else:
if attribute['to_ids']: if attribute.to_ids:
handleIndicatorAttribute(object_refs, attributes, attribute, identity) handleIndicatorAttribute(object_refs, attributes, attribute, identity)
else: else:
addObservedData(object_refs, attributes, attribute, identity) addObservedData(object_refs, attributes, attribute, identity)
if event['Galaxy']: if event.Galaxy:
galaxies = event['Galaxy'] galaxies = event.Galaxy
for galaxy in galaxies: for galaxy in galaxies:
galaxyType = galaxy['type'] galaxyType = galaxy['type']
if 'attack-pattern' in galaxyType: if 'attack-pattern' in galaxyType:
@ -212,10 +212,10 @@ def readAttributes(event, identity, object_refs, external_refs):
return attributes return attributes
def handleLink(attribute, external_refs): def handleLink(attribute, external_refs):
url = attribute['value'] url = attribute.value
source = 'url' source = 'url'
if 'comment' in attribute: if 'comment' in attribute:
source += ' - {}'.format(attribute['comment']) source += ' - {}'.format(attribute.comment)
link = {'source_name': source, 'url': url} link = {'source_name': source, 'url': url}
external_refs.append(link) external_refs.append(link)
@ -265,27 +265,26 @@ def addCourseOfAction(object_refs, attributes, galaxy, identity):
object_refs.append(courseOfAction_id) object_refs.append(courseOfAction_id)
def addCustomObject(object_refs, attributes, attribute, identity): def addCustomObject(object_refs, attributes, attribute, identity):
customObject_id = "x-misp-object--{}".format(attribute['uuid']) customObject_id = "x-misp-object--{}".format(attribute.uuid)
timestamp = attribute['timestamp'] timestamp = attribute.timestamp
customObject_type = 'x-misp-object'.format(attribute['type']) customObject_type = 'x-misp-object'.format(attribute.type)
to_ids = attribute['to_ids'] value = attribute.value
value = attribute['value'] labels = 'misp:to_ids=\"{}\"'.format(attribute.to_ids)
labels = 'misp:to_ids=\"{}\"'.format(attribute['to_ids'])
customObject_args = {'type': customObject_type, 'id': customObject_id, 'timestamp': timestamp, customObject_args = {'type': customObject_type, 'id': customObject_id, 'timestamp': timestamp,
'to_ids': to_ids, 'value': value, 'created_by_ref': identity, 'labels': labels} 'to_ids': to_ids, 'value': value, 'created_by_ref': identity, 'labels': labels}
if attribute['comment']: if attribute.comment:
customObject_args['comment'] = attribute['comment'] customObject_args['comment'] = attribute.comment
# At the moment, we skip it # At the moment, we skip it
# attributes.append(customObject_args) # attributes.append(customObject_args)
# object_refs.append(customObject_id) # object_refs.append(customObject_id)
def addIdentity(object_refs, attributes, attribute, identity): def addIdentity(object_refs, attributes, attribute, identity):
identity_id = "identity--{}".format(attribute['uuid']) identity_id = "identity--{}".format(attribute.uuid)
name = attribute['value'] name = attribute.value
identityClass = defineIdentityClass(attribute['type']) identityClass = defineIdentityClass(attribute.type)
identity_args = {'id': identity, 'type': 'identity', 'name': name, 'created_by_ref': identity, 'identity_class': identityClass} identity_args = {'id': identity, 'type': 'identity', 'name': name, 'created_by_ref': identity, 'identity_class': identityClass}
if 'comment' in attribute: if 'comment' in attribute:
identity_args['descritpion'] = attribute['comment'] identity_args['descritpion'] = attribute.comment
identityObject = Identity(**identity_args) identityObject = Identity(**identity_args)
attributes.append(identityObject) attributes.append(identityObject)
object_refs.append(identityObject) object_refs.append(identityObject)
@ -330,12 +329,12 @@ def addMalware(object_refs, attributes, galaxy, identity):
# object_refs.append(note) # object_refs.append(note)
def addObservedData(object_refs, attributes, attribute, identity): def addObservedData(object_refs, attributes, attribute, identity):
observedData_id = "observed-data--{}".format(attribute['uuid']) observedData_id = "observed-data--{}".format(attribute.uuid)
timestamp = attribute['timestamp'] timestamp = attribute.timestamp
attr_type = attribute['type'] attr_type = attribute.type
attr_val = attribute['value'] attr_val = attribute.value
objects = defineObservableObject(attr_type, attr_val) objects = defineObservableObject(attr_type, attr_val)
labels = 'misp:to_ids=\"{}\"'.format(attribute['to_ids']) labels = 'misp:to_ids=\"{}\"'.format(attribute.to_ids)
observedData_args = {'id': observedData_id, 'type': 'observed-data', 'number_observed': 1, observedData_args = {'id': observedData_id, 'type': 'observed-data', 'number_observed': 1,
'first_observed': timestamp, 'last_observed': timestamp, 'objects': objects, 'first_observed': timestamp, 'last_observed': timestamp, 'objects': objects,
'created_by_ref': identity, 'labels': labels} 'created_by_ref': identity, 'labels': labels}
@ -376,11 +375,11 @@ def addTool(object_refs, attributes, galaxy, identity):
object_refs.append(tool_id) object_refs.append(tool_id)
def addVulnerability(object_refs, attributes, attribute, identity): def addVulnerability(object_refs, attributes, attribute, identity):
vuln_id = "vulnerability--{}".format(attribute['uuid']) vuln_id = "vulnerability--{}".format(attribute.uuid)
name = attribute['value'] name = attribute.value
ext_refs = [{'source_name': 'cve', ext_refs = [{'source_name': 'cve',
'external_id': name}] 'external_id': name}]
labels = 'misp:to_ids=\"{}\"'.format(attribute['to_ids']) labels = 'misp:to_ids=\"{}\"'.format(attribute.to_ids)
vuln_args = {'type': 'vulnerability', 'id': vuln_id, 'external_references': ext_refs, 'name': name, vuln_args = {'type': 'vulnerability', 'id': vuln_id, 'external_references': ext_refs, 'name': name,
'created_by_ref': identity, 'labels': labels} 'created_by_ref': identity, 'labels': labels}
vulnerability = Vulnerability(**vuln_args) vulnerability = Vulnerability(**vuln_args)
@ -394,25 +393,25 @@ def addAliases(meta, argument):
argument['aliases'] = aliases argument['aliases'] = aliases
def handleNonIndicatorAttribute(object_refs, attributes, attribute, identity): def handleNonIndicatorAttribute(object_refs, attributes, attribute, identity):
attr_type = attribute['type'] attr_type = attribute.type
if attr_type == "vulnerability": if attr_type == "vulnerability":
addVulnerability(object_refs, attributes, attribute, identity) addVulnerability(object_refs, attributes, attribute, identity)
else: else:
addObservedData(object_refs, attributes, attribute, identity) addObservedData(object_refs, attributes, attribute, identity)
def handleIndicatorAttribute(object_refs, attributes, attribute, identity): def handleIndicatorAttribute(object_refs, attributes, attribute, identity):
indic_id = "indicator--{}".format(attribute['uuid']) indic_id = "indicator--{}".format(attribute.uuid)
category = attribute['category'] category = attribute.category
killchain = [{'kill_chain_name': 'misp-category', killchain = [{'kill_chain_name': 'misp-category',
'phase_name': category}] 'phase_name': category}]
labels = 'misp:to_ids=\"{}\"'.format(attribute['to_ids']) labels = 'misp:to_ids=\"{}\"'.format(attribute.to_ids)
attr_type = attribute['type'] attr_type = attribute.type
attr_val = attribute['value'] attr_val = attribute.value
args_indicator = {'valid_from': attribute['timestamp'], 'type': 'indicator', args_indicator = {'valid_from': attribute['timestamp'], 'type': 'indicator',
'labels': labels, 'pattern': [definePattern(attr_type, attr_val)], 'id': indic_id, 'labels': labels, 'pattern': [definePattern(attr_type, attr_val)], 'id': indic_id,
'created_by_ref': identity, 'kill_chain_phases': killchain} 'created_by_ref': identity, 'kill_chain_phases': killchain}
if attribute['comment']: if attribute.comment:
args_indicator['description'] = attribute['comment'] args_indicator['description'] = attribute.comment
indicator = Indicator(**args_indicator) indicator = Indicator(**args_indicator)
attributes.append(indicator) attributes.append(indicator)
object_refs.append(indic_id) object_refs.append(indic_id)
@ -498,15 +497,15 @@ def defineIdentityClass(attr_type):
return identityClass return identityClass
def eventReport(event, identity, object_refs, external_refs): def eventReport(event, identity, object_refs, external_refs):
timestamp = event["publish_timestamp"] timestamp = event.publish_timestamp
name = event["info"] name = event.info
labels = [] labels = []
if 'Tag' in event: if 'Tag' in event:
tags = event['Tag'] tags = event.Tag
for tag in tags: for tag in tags:
labels.append(tag['name']) labels.append(tag['name'])
args_report = {'type': "report", 'id': "report--{}".format(event["uuid"]), 'created_by_ref': identity["id"], args_report = {'type': "report", 'id': "report--{}".format(event.uuid), 'created_by_ref': identity["id"],
'name': name, 'published': timestamp} 'name': name, 'published': timestamp}
if labels: if labels:
@ -522,7 +521,7 @@ def eventReport(event, identity, object_refs, external_refs):
return report return report
def generateEventPackage(event, SDOs): def generateEventPackage(event, SDOs):
bundle_id = event['uuid'] bundle_id = event.uuid
bundle_args = {'type': "bundle", 'spec_version': "2.0", 'id': "bundle--{}".format(bundle_id), 'objects': SDOs} bundle_args = {'type': "bundle", 'spec_version': "2.0", 'id': "bundle--{}".format(bundle_id), 'objects': SDOs}
bundle = Bundle(**bundle_args) bundle = Bundle(**bundle_args)
return bundle return bundle
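Review bot: In the addCustomObject hunk the new side drops the `to_ids = attribute['to_ids']` binding (the old-side line that became `value = attribute.value`, plus the deleted line after it), but the customObject_args literal two lines below still reads `'to_ids': to_ids`, so any call to addCustomObject on the new side raises NameError before it reaches the commented-out append. Restore the binding as `to_ids = attribute.to_ids` next to `value = attribute.value`, or write `'to_ids': attribute.to_ids` in the dict. The same migration leaves `'valid_from': attribute['timestamp']` in handleIndicatorAttribute and the `'comment' in attribute` checks in handleLink and addIdentity on subscript/membership access; whether those still work depends on the PyMISP attribute object being dict-like, which this page does not show, so confirm it before the WIP lands. handleIndicatorAttribute may continue past its hunk.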