MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

Merge branch '2.4' of github.com:MISP/MISP into 2.4

pull/6031/head
iglocska 2020-07-13 12:34:52 +02:00
parent bf4610c947 ad0587fb71
commit a940e943d5
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
16 changed files with 111 additions and 252 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
INSTALL/INSTALL.sh
View File

@ -83,27 +83,33 @@ MISPvars () {
# RHEL/CentOS
if [[ -f "/etc/redhat-release" ]]; then
WWW_USER='apache'
SUDO_WWW="sudo -H -u ${WWW_USER} "
# Debian flavoured
elif [[ -f "/etc/debian_version" ]]; then
WWW_USER="www-data"
SUDO_WWW="sudo -H -u ${WWW_USER} "
# OpenBSD
elif [[ "$(uname -s)" == "OpenBSD" ]]; then
WWW_USER="www"
PATH_TO_MISP="/var/www/htdocs/MISP"
SUDO_WWW="doas -u www "
SUDO_CMD="doas "
# NetBSD
elif [[ "$(uname -s)" == "NetBSD" ]]; then
WWW_USER="www"
PATH_TO_MISP="/usr/pkg/share/httpd/htdocs/MISP"
SUDO_WWW="sudo -H -u ${WWW_USER} "
else
# I am feeling lucky
WWW_USER="www-data"
SUDO_WWW="sudo -H -u ${WWW_USER} "
fi
if [ -z "$FQDN" ]; then
if [ -z "${FQDN}" ]; then
FQDN="misp.local"
fi
if [ -z "$MISP_BASEURL" ]; then
if [ -z "${MISP_BASEURL}" ]; then
MISP_BASEURL='""'
fi
@ -118,13 +124,13 @@ MISPvars () {
DBPASSWORD_MISP="$(openssl rand -hex 32)"
# OpenSSL configuration
OPENSSL_CN=$FQDN
OPENSSL_CN=${FQDN}
OPENSSL_C='LU'
OPENSSL_ST='State'
OPENSSL_L='Location'
OPENSSL_O='Organization'
OPENSSL_OU='Organizational Unit'
OPENSSL_EMAILADDRESS="info@$FQDN"
OPENSSL_EMAILADDRESS="info@${FQDN}"
# GPG configuration
GPG_REAL_NAME='Autogenerated Key'
@ -147,7 +153,7 @@ MISPvars () {
max_execution_time=300
memory_limit=2048M
CAKE="$PATH_TO_MISP/app/Console/cake"
CAKE="${PATH_TO_MISP}/app/Console/cake"
# sudo config to run $LUSER commands
if [[ "$(groups ${MISP_USER} |grep -o 'staff')" == "staff" ]]; then
@ -155,8 +161,7 @@ MISPvars () {
else
SUDO_CMD="sudo -H -u ${MISP_USER}"
fi
SUDO_WWW="sudo -H -u ${WWW_USER} "
echo "The following DB Passwords were generated..."
echo "Admin (${DBUSER_ADMIN}) DB Password: ${DBPASSWORD_ADMIN}"
echo "User (${DBUSER_MISP}) DB Password: ${DBPASSWORD_MISP}"
@ -1718,9 +1723,9 @@ mispmodules () {
sudo apt-get install cmake libcaca-dev liblua5.3-dev -y
## TODO: checkUsrLocalSrc in main doc
debug "Cloning misp-modules"
$SUDO_CMD git clone https://github.com/MISP/misp-modules.git
$SUDO_CMD git clone git://github.com/stricaud/gtcaca.git
$SUDO_CMD git clone git://github.com/stricaud/faup.git
false; while [[ $? -ne 0 ]]; do $SUDO_CMD git clone https://github.com/MISP/misp-modules.git; done
[[ ! -d "faup" ]] && false; while [[ $? -ne 0 ]]; do $SUDO_CMD git clone git://github.com/stricaud/faup.git faup; done
[[ ! -d "gtcaca" ]] && false; while [[ $? -ne 0 ]]; do $SUDO_CMD git clone git://github.com/stricaud/gtcaca.git gtcaca; done
sudo chown -R ${MISP_USER}:${MISP_USER} faup gtcaca
# Install gtcaca
cd gtcaca
@ -1805,7 +1810,7 @@ mispDashboard () {
sudo mkdir misp-dashboard
sudo chown $WWW_USER:$WWW_USER misp-dashboard
$SUDO_WWW git clone https://github.com/MISP/misp-dashboard.git
false; while [[ $? -ne 0 ]]; do $SUDO_WWW git clone https://github.com/MISP/misp-dashboard.git; done
cd misp-dashboard
sudo -H /var/www/misp-dashboard/install_dependencies.sh
sudo sed -i "s/^host\ =\ localhost/host\ =\ 0.0.0.0/g" /var/www/misp-dashboard/config/config.cfg
@ -1889,9 +1894,9 @@ mail2misp () {
debug "Installing Mail2${LBLUE}MISP${NC}"
cd /usr/local/src/
sudo apt-get install cmake libcaca-dev liblua5.3-dev -y
$SUDO_CMD git clone https://github.com/MISP/mail_to_misp.git
[[ ! -d "faup" ]] && $SUDO_CMD git clone git://github.com/stricaud/faup.git faup
[[ ! -d "gtcaca" ]] && $SUDO_CMD git clone git://github.com/stricaud/gtcaca.git gtcaca
false; while [[ $? -ne 0 ]]; do $SUDO_CMD git clone https://github.com/MISP/mail_to_misp.git; done
[[ ! -d "faup" ]] && false; while [[ $? -ne 0 ]]; do $SUDO_CMD git clone git://github.com/stricaud/faup.git faup; done
[[ ! -d "gtcaca" ]] && false; while [[ $? -ne 0 ]]; do $SUDO_CMD git clone git://github.com/stricaud/gtcaca.git gtcaca; done
sudo chown -R ${MISP_USER}:${MISP_USER} faup mail_to_misp gtcaca
cd gtcaca
$SUDO_CMD mkdir -p build
@ -1949,8 +1954,8 @@ viper () {
fi
fi
echo "Cloning Viper"
$SUDO_CMD git clone https://github.com/viper-framework/viper.git
$SUDO_CMD git clone https://github.com/viper-framework/viper-web.git
false; while [[ $? -ne 0 ]]; do $SUDO_CMD git clone https://github.com/viper-framework/viper.git; done
false; while [[ $? -ne 0 ]]; do $SUDO_CMD git clone https://github.com/viper-framework/viper-web.git; done
sudo chown -R $MISP_USER:$MISP_USER viper
sudo chown -R $MISP_USER:$MISP_USER viper-web
cd viper
@ -2506,7 +2511,7 @@ mispmodulesRHEL () {
sudo chmod 2777 /usr/local/src
sudo chown root:users /usr/local/src
cd /usr/local/src/
$SUDO_WWW git clone https://github.com/MISP/misp-modules.git
false; while [[ $? -ne 0 ]]; do $SUDO_WWW git clone https://github.com/MISP/misp-modules.git; done
cd misp-modules
# pip install
$SUDO_WWW $PATH_TO_MISP/venv/bin/pip install -U -I -r REQUIREMENTS

6
INSTALL/INSTALL.sh.sfv
View File

@ -1,5 +1,5 @@
; Generated by RHash v1.3.9 on 2020-05-22 at 16:25.08
; Generated by RHash v1.3.8 on 2020-07-14 at 00:16.53
; Written by Kravchenko Aleksey (Akademgorodok) - http://rhash.sf.net/
;
; 133066 16:25.07 2020-05-22 INSTALL.sh
INSTALL.sh 79EF825B019669270DBCA0DD922C1E3DE6DA3D89 22A82CD073DA3312DF51089884DE4F3AF88ECD0E359D4C048915178C366327EC 4DA7D94FB036B2CC02120C1AC5AEBA9B57E4200FFC2940CB5BF8D9FE8C8600C72888DD2093590E7E77BB3A9F38D7F656 AA0CFD458A4B5CD84103EB641F59FFBBBB740890CB433108C6E0B8912F795DC521E3C75BD563496088862798D90A5C4D20B862ABA5152A84F62C037E889C3ED3
; 133682 00:16.53 2020-07-14 INSTALL.sh
INSTALL.sh 21C8C020434D4EE255FE6D036D06FA560F1C796F DF9FB13E430BC62D6DD59DC41C1DD500FC2D9ABB1E3D2566CD3C39C4FFA39495 919B195713BFBAB7194CB96AE74FF0B1A0A15CFF74A6F10E6B58FBDD100E9B2B8205F66D12E6CB3C68CF2154A9E3DBF9 8182EB20BF5C842A7B7BC9C345A5E92CDDDA6AD9FB806AF1D3FC64475CF89648547019FF486FF6668794AB1EAEFAA2B242CE9E3346BDED73E38787C3CBBC67C0

2
INSTALL/INSTALL.sh.sha1
View File

@ -1 +1 @@
79ef825b019669270dbca0dd922c1e3de6da3d89 INSTALL.sh
21c8c020434d4ee255fe6d036d06fa560f1c796f INSTALL.sh

2
INSTALL/INSTALL.sh.sha256
View File

@ -1 +1 @@
22a82cd073da3312df51089884de4f3af88ecd0e359d4c048915178c366327ec INSTALL.sh
df9fb13e430bc62d6dd59dc41c1dd500fc2d9abb1e3d2566cd3c39c4ffa39495 INSTALL.sh

2
INSTALL/INSTALL.sh.sha384
View File

@ -1 +1 @@
4da7d94fb036b2cc02120c1ac5aeba9b57e4200ffc2940cb5bf8d9fe8c8600c72888dd2093590e7e77bb3a9f38d7f656 INSTALL.sh
919b195713bfbab7194cb96ae74ff0b1a0a15cff74a6f10e6b58fbdd100e9b2b8205f66d12e6cb3c68cf2154a9e3dbf9 INSTALL.sh

2
INSTALL/INSTALL.sh.sha512
View File

@ -1 +1 @@
aa0cfd458a4b5cd84103eb641f59ffbbbb740890cb433108c6e0b8912f795dc521e3c75bd563496088862798d90a5c4d20b862aba5152a84f62c037e889c3ed3 INSTALL.sh
8182eb20bf5c842a7b7bc9c345a5e92cddda6ad9fb806af1d3fc64475cf89648547019ff486ff6668794ab1eaefaa2b242ce9e3346bded73e38787c3cbbc67c0 INSTALL.sh

4
app/Lib/Export/StixExport.php
View File

@ -97,7 +97,7 @@ class StixExport
$stix_event = ($this->__return_type == 'stix') ? $file->read() : substr($file->read(), 1, -1);
$file->close();
$file->delete();
unlink($this->__tmp_dir . $filename);
@unlink($this->__tmp_dir . $filename);
$this->__stix_file->append($stix_event . $this->__framing['separator']);
unset($stix_event);
}
@ -131,7 +131,7 @@ class StixExport
{
foreach ($this->__filenames as $f => $filename) {
if ($index >= $f) {
unlink($this->__tmp_dir . $filename);
@unlink($this->__tmp_dir . $filename);
}
}
$this->__stix_file->close();

64
app/Model/Attribute.php
View File

@ -936,13 +936,15 @@ class Attribute extends AppModel
public function validCategory($fields)
{
$validCategories = array_keys($this->categoryDefinitions);
if (in_array($fields['category'], $validCategories)) {
return true;
}
return false;
return isset($this->categoryDefinitions[$fields['category']]);
}
/**
* Check if the attribute already exists in the same event.
*
* @param array $fields
* @return bool
*/
public function valueIsUnique($fields)
{
if (isset($this->data['Attribute']['deleted']) && $this->data['Attribute']['deleted']) {
@ -952,31 +954,28 @@ class Attribute extends AppModel
if (!empty($this->data['Attribute']['object_relation'])) {
return true;
}
$value = $fields['value'];
if (strpos($value, '|')) {
$value = explode('|', $value);
$value = array(
'Attribute.value1' => $value[0],
'Attribute.value2' => $value[1]
);
} else {
$value = array(
'Attribute.value1' => $value,
);
}
$eventId = $this->data['Attribute']['event_id'];
$type = $this->data['Attribute']['type'];
$category = $this->data['Attribute']['category'];
// check if the attribute already exists in the same event
$eventId = $this->data['Attribute']['event_id'];
$category = $this->data['Attribute']['category'];
$type = $this->data['Attribute']['type'];
$conditions = array(
'Attribute.event_id' => $eventId,
'Attribute.type' => $type,
'Attribute.category' => $category,
'Attribute.deleted' => 0,
'Attribute.object_id' => 0
'Attribute.object_id' => 0,
);
$conditions = array_merge($conditions, $value);
$value = $fields['value'];
if (in_array($type, $this->getCompositeTypes())) {
$value = explode('|', $value);
$conditions['Attribute.value1'] = $value[0];
$conditions['Attribute.value2'] = $value[1];
} else {
$conditions['Attribute.value1'] = $value;
}
if (isset($this->data['Attribute']['id'])) {
$conditions['Attribute.id !='] = $this->data['Attribute']['id'];
}
@ -1626,14 +1625,17 @@ class Attribute extends AppModel
public function getCompositeTypes()
{
// build the list of composite Attribute.type dynamically by checking if type contains a |
// default composite types
$compositeTypes = array('malware-sample'); // TODO hardcoded composite
// dynamically generated list
foreach (array_keys($this->typeDefinitions) as $type) {
$pieces = explode('|', $type);
if (2 == count($pieces)) {
$compositeTypes[] = $type;
static $compositeTypes;
if ($compositeTypes === null) {
// build the list of composite Attribute.type dynamically by checking if type contains a |
// default composite types
$compositeTypes = array('malware-sample'); // TODO hardcoded composite
// dynamically generated list
foreach ($this->typeDefinitions as $type => $foo) {
if (strpos($type, '|') !== false) {
$compositeTypes[] = $type;
}
}
}
return $compositeTypes;

7
app/Model/Event.php
View File

@ -3652,7 +3652,7 @@ class Event extends AppModel
'conditions' => array('Event.id' => $this->id),
'recursive' => -1
));
if (isset($data['Event']['Attribute']) && !empty($data['Event']['Attribute'])) {
if (!empty($data['Event']['Attribute'])) {
foreach ($data['Event']['Attribute'] as $k => $attribute) {
$block = false;
for ($i = 0; $i < $k; $i++) {
@ -3779,7 +3779,8 @@ class Event extends AppModel
'Server.name',
'Server.id',
'Server.unpublish_event',
'Server.publish_without_email'
'Server.publish_without_email',
'Server.internal',
)
));
} else {
@ -5825,7 +5826,7 @@ class Event extends AppModel
$validationIssues = false;
$result = $this->_add($data, true, $user, '', null, false, null, $created_id, $validationIssues);
if ($result) {
if ($original_file) {
if ($original_file && !is_numeric($result)) {
$this->add_original_file($tempFile, $original_file, $created_id, $stix_version);
}
if ($publish && $user['Role']['perm_publish']) {

31
app/View/Attributes/add.ctp
View File

@ -91,30 +91,17 @@
)
));
if (!$ajax) {
echo $this->element('/genericElements/SideMenu/side_menu', array('menuList' => 'event-collection', 'menuItem' => $this->action === 'add' ? 'add' : 'editEvent'));
$event = ['Event' => ['id' => $event_id, 'published' => $published ]];
echo $this->element('/genericElements/SideMenu/side_menu', array('menuList' => 'event', 'menuItem' => 'addAttribute', 'event' => $event));
}
?>
<script type="text/javascript">
var notice_list_triggers = <?php echo $notice_list_triggers; ?>;
var composite_types = <?php echo json_encode($compositeTypes); ?>;
var category_type_mapping = new Array();
<?php
foreach ($categoryDefinitions as $category => $def) {
echo "category_type_mapping['" . addslashes($category) . "'] = {";
$first = true;
foreach ($def['types'] as $type) {
if ($first) {
$first = false;
} else {
echo ', ';
}
echo "'" . addslashes($type) . "' : '" . addslashes($type) . "'";
}
echo "}; \n";
}
?>
var category_type_mapping = <?php echo json_encode(array_map(function($value) {
return array_combine($value['types'], $value['types']);
}, $categoryDefinitions)); ?>;
$('#AttributeDistribution').change(function() {
checkSharingGroup('Attribute');
@ -133,7 +120,7 @@
checkNoticeList('attribute');
});
$(document).ready(function() {
$(function() {
<?php
if ($action == 'edit'):
?>
@ -143,7 +130,7 @@
?>
checkSharingGroup('Attribute');
var $form = $('#AttributeType').closest('form').submit(function( event ) {
$('#AttributeType').closest('form').submit(function( event ) {
if ($('#AttributeType').val() === 'datetime') {
// add timezone of the browser if not set
var allowLocalTZ = true;
@ -153,7 +140,7 @@
if (dateValue.creationData().format !== "YYYY-MM-DDTHH:mm:ssZ" && dateValue.creationData().format !== "YYYY-MM-DDTHH:mm:ss.SSSSZ") {
// Missing timezone data
var confirm_message = '<?php echo __('Timezone missing, auto-detected as: ') ?>' + dateValue.format('Z')
confirm_message += '<?php echo '\r\n' . __('The following value will be submited instead: '); ?>' + dateValue.toISOString(allowLocalTZ)
confirm_message += '<?php echo '\r\n' . __('The following value will be submitted instead: '); ?>' + dateValue.toISOString(allowLocalTZ)
if (confirm(confirm_message)) {
$valueInput.val(dateValue.toISOString(allowLocalTZ));
} else {
@ -161,7 +148,7 @@
}
}
} else {
textStatus = '<?php echo __('Value is not a valid datetime. Excpected format YYYY-MM-DDTHH:mm:ssZ') ?>'
textStatus = '<?php echo __('Value is not a valid datetime. Expected format YYYY-MM-DDTHH:mm:ssZ') ?>'
showMessage('fail', textStatus);
return false;
}

147
app/View/Attributes/edit.ctp
View File

@ -1,147 +0,0 @@
<div class="attributes <?php if (!isset($ajax) || !$ajax) echo 'form';?>">
<?php echo $this->Form->create('Attribute');?>
<fieldset>
<legend><?php echo __('Edit Attribute'); ?></legend>
<?php
echo $this->Form->hidden('event_id');
echo $this->Form->input('category', array(
'empty' => __('(choose one)'),
'label' => __('Category ') . $this->element('formInfo', array('type' => 'category'))
));
$typeInputData = array(
'empty' => __('(first choose category)'),
'label' => __('Type ') . $this->element('formInfo', array('type' => 'type')),
);
if ($objectAttribute) {
$typeInputData[] = __('disabled');
}
echo $this->Form->input('type', $typeInputData);
?>
<div class="input clear"></div>
<?php
echo $this->Form->input('distribution', array(
'options' => array($distributionLevels),
'label' => __('Distribution ') . $this->element('formInfo', array('type' => 'distribution'))
));
?>
<div id="SGContainer" style="display:none;">
<?php
if (!empty($sharingGroups)) {
echo $this->Form->input('sharing_group_id', array(
'options' => array($sharingGroups),
'label' => __('Sharing Group'),
));
}
?>
</div>
<?php
echo $this->Form->input('value', array(
'type' => 'textarea',
'error' => array('escape' => false),
'div' => 'input clear',
'class' => 'input-xxlarge'
));
echo $this->Form->input('comment', array(
'type' => 'text',
'label' => __('Contextual Comment'),
'error' => array('escape' => false),
'div' => 'input clear',
'class' => 'input-xxlarge'
));
?>
<div class="input clear"></div>
<?php
echo $this->Form->input('to_ids', array(
'label' => __('for Intrusion Detection System'),
));
if (!$objectAttribute) {
echo $this->Form->input('batch_import', array(
'type' => 'checkbox',
));
}
echo '<div class="input clear"></div>';
echo $this->Form->input('disable_correlation', array(
'type' => 'checkbox'
));
?>
</fieldset>
<p style="color:red;font-weight:bold;display:none;<?php if (isset($ajax) && $ajax) echo "text-align:center;";?> " id="warning-message"><?php echo __('Warning: You are about to share data that is of a sensitive nature (Attribution / targeting data). Make sure that you are authorised to share this.'); ?></p>
<?php
echo $this->Form->button('Submit', array('class' => 'btn btn-primary'));
echo $this->Form->end();
?>
</div>
<?php
if (!$ajax) {
$event['Event']['id'] = $this->request->data['Attribute']['event_id'];
$event['Event']['published'] = $published;
echo $this->element('/genericElements/SideMenu/side_menu', array('menuList' => 'event', 'menuItem' => 'addAttribute', 'event' => $event));
}
?>
<script type="text/javascript">
var fieldsArray = new Array('AttributeCategory', 'AttributeType', 'AttributeValue', 'AttributeDistribution', 'AttributeComment', 'AttributeToIds', 'AttributeBatchImport', 'AttributeSharingGroupId');
<?php
$formInfoTypes = array('distribution' => 'Distribution', 'category' => 'Category', 'type' => 'Type');
echo 'var formInfoFields = ' . json_encode($formInfoTypes) . PHP_EOL;
foreach ($formInfoTypes as $formInfoType => $humanisedName) {
echo 'var ' . $formInfoType . 'FormInfoValues = {' . PHP_EOL;
foreach ($info[$formInfoType] as $key => $formInfoData) {
echo '"' . $key . '": "<span class=\"blue bold\">' . h($formInfoData['key']) . '</span>: ' . h($formInfoData['desc']) . '<br />",' . PHP_EOL;
}
echo '}' . PHP_EOL;
}
?>
//
//Generate Category / Type filtering array
//
var category_type_mapping = new Array();
<?php
foreach ($categoryDefinitions as $category => $def) {
echo "category_type_mapping['" . addslashes($category) . "'] = {";
$first = true;
foreach ($def['types'] as $type) {
if ($first) $first = false;
else echo ', ';
echo "'" . addslashes($type) . "' : '" . addslashes($type) . "'";
}
echo "}; \n";
}
?>
$(document).ready(function() {
initPopoverContent('Attribute');
$('#AttributeDistribution').change(function() {
if ($('#AttributeDistribution').val() == 4) $('#SGContainer').show();
else $('#SGContainer').hide();
});
<?php
if (!$objectAttribute):
?>
$("#AttributeCategory").on('change', function(e) {
formCategoryChanged('Attribute');
if ($(this).val() === 'Attribution' || $(this).val() === 'Targeting data') {
$("#warning-message").show();
} else {
$("#warning-message").hide();
}
if ($(this).val() === 'Internal reference') {
$("#AttributeDistribution").val('0');
$('#SGContainer').hide();
}
});
var start = $("#AttributeType").val();
formCategoryChanged('Attribute');
$("#AttributeType").val(start);
<?php
endif;
?>
$("#AttributeCategory, #AttributeType, #AttributeDistribution").change(function() {
var start = $("#AttributeType").val();
initPopoverContent('Attribute');
$("#AttributeType").val(start);
});
});
</script>
<?php echo $this->Js->writeBuffer(); // Write cached scripts

2
app/files/scripts/misp2stix.py
View File

@ -7,6 +7,7 @@ import datetime
import re
import ntpath
import socket
import traceback
from misp2stix_mapping import *
from collections import defaultdict
from copy import deepcopy
@ -156,6 +157,7 @@ class StixBuilder(object):
print(json.dumps({'success': 1}))
except Exception as e:
print(json.dumps({'error': e.__str__()}))
traceback.print_tb()
def generate_package(self, event):
self.objects_to_parse = defaultdict(dict)

2
app/files/scripts/misp2stix_mapping.py
View File

@ -1,7 +1,7 @@
# mappings
status_mapping = {'0' : 'New', '1' : 'Open', '2' : 'Closed'}
threat_level_mapping = {'1' : 'High', '2' : 'Medium', '3' : 'Low', '4' : 'Undefined'}
TLP_order = {'RED' : 4, 'AMBER' : 3, 'GREEN' : 2, 'WHITE' : 1}
TLP_order = {'RED' : 4, 'AMBER' : 3, 'AMBER NATO ALLIANCE': 3, 'GREEN' : 2, 'WHITE' : 1}
confidence_mapping = {False : 'None', True : 'High'}
not_implemented_attributes = ('yara', 'snort', 'pattern-in-traffic', 'pattern-in-memory')

38
app/files/scripts/stix2/stix2misp.py
View File

@ -142,7 +142,7 @@ class StixParser():
else:
print(f'Unknown content disposition in the following email body: {body_multipart}', file=sys.stderr)
continue
if isinstance(reference, stix2.Artifact):
if isinstance(reference, stix2.v20.observables.Artifact):
attribute.update({
'value': body_multipart['content_disposition'].split('=')[-1].strip("'"),
'data': reference.payload_bin,
@ -216,9 +216,9 @@ class StixParser():
self.fill_misp_object(section_object, section, 'pe_section_mapping')
if hasattr(section, 'hashes'):
self.fill_misp_object(section_object, section.hashes, 'pe_section_mapping')
self.misp_event.add_object(section_object)
pe_object.add_reference(section_object.uuid, 'includes')
self.misp_event.add_object(**section_object)
self.misp_event.add_object(**pe_object)
self.misp_event.add_object(pe_object)
return pe_object.uuid
def parse_relationships(self):
@ -338,11 +338,11 @@ class StixParser():
@staticmethod
def _process_test_filter(value, main_type):
_is_main_process = any(feature in value for feature in ('parent_ref', 'child_refs'))
return isinstance(value, getattr(stix2, main_type)) and _is_main_process
return isinstance(value, getattr(stix2.v20.observables, main_type)) and _is_main_process
@staticmethod
def _standard_test_filter(value, main_type):
return isinstance(value, getattr(stix2, main_type))
return isinstance(value, getattr(stix2.v20.observables, main_type))
def update_marking_refs(self, attribute_uuid, marking_refs):
try:
@ -515,7 +515,7 @@ class StixFromMISPParser(StixParser):
misp_object.add_reference(target_uuid, 'includes')
for attribute in attributes:
misp_object.add_attribute(**attribute)
self.misp_event.add_object(**misp_object)
self.misp_event.add_object(misp_object)
def parse_observable_attribute(self, observable):
attribute = self.create_attribute_dict(observable)
@ -541,7 +541,7 @@ class StixFromMISPParser(StixParser):
misp_object.add_reference(target_uuid, 'includes')
for attribute in attributes:
misp_object.add_attribute(**attribute)
self.misp_event.add_object(**misp_object)
self.misp_event.add_object(misp_object)
def parse_vulnerability(self, vulnerability):
attributes = self.fill_observable_attributes(vulnerability, 'vulnerability_mapping')
@ -617,7 +617,7 @@ class StixFromMISPParser(StixParser):
attributes = []
mapping = 'asn_mapping'
for observable_object in observable.values():
if isinstance(observable_object, stix2.AutonomousSystem):
if isinstance(observable_object, stix2.v20.observables.AutonomousSystem):
attributes.extend(self.fill_observable_attributes(observable_object, mapping))
else:
attributes.append(self._parse_observable_reference(observable_object, mapping))
@ -855,7 +855,7 @@ class StixFromMISPParser(StixParser):
def parse_url_observable(observable):
attributes = []
for object in observable.values():
feature = 'dst_port' if isinstance(object, stix2.NetworkTraffic) else 'value'
feature = 'dst_port' if isinstance(object, stix2.v20.observables.NetworkTraffic) else 'value'
attribute = deepcopy(stix2misp_mapping.url_mapping[object._type])
attribute.update({'value': getattr(object, feature), 'to_ids': False})
attributes.append(attribute)
@ -1066,9 +1066,9 @@ class StixFromMISPParser(StixParser):
attribute = deepcopy(stix2misp_mapping.pe_section_mapping[feature])
attribute['value'] = value
pe_section.add_attribute(**attribute)
self.misp_event.add_object(pe_section)
pe.add_reference(pe_section.uuid, 'includes')
self.misp_event.add_object(**pe_section)
self.misp_event.add_object(**pe)
self.misp_event.add_object(pe)
return attributes, pe.uuid
def parse_process_pattern(self, pattern):
@ -1299,7 +1299,7 @@ class ExternalStixParser(StixParser):
@staticmethod
def _fetch_reference_type(references, object_type):
for key, reference in references.items():
if isinstance(reference, getattr(stix2, object_type)):
if isinstance(reference, getattr(stix2.v20.observables, object_type)):
return key
return None
@ -1342,7 +1342,7 @@ class ExternalStixParser(StixParser):
file.add_reference(pe_uuid, 'includes')
for attribute in attributes:
file.add_attribute(**attribute)
self.misp_event.add_object(**file)
self.misp_event.add_object(file)
@staticmethod
def _is_reference(network_traffic, reference):
@ -1422,7 +1422,7 @@ class ExternalStixParser(StixParser):
if references:
filename = file_object.name if hasattr(file_object, 'name') else 'unknown_filename'
for key, reference in references.items():
if isinstance(reference, stix2.Artifact):
if isinstance(reference, stix2.v20.observables.Artifact):
_is_content_ref = 'content_ref' in file_object and file_object.content_ref == key
attribute_type, value = self._handle_attachment_type(reference, _is_content_ref, filename)
attribute = {
@ -1434,7 +1434,7 @@ class ExternalStixParser(StixParser):
if hasattr(reference, 'payload_bin'):
attribute['data'] = reference.payload_bin
attributes.append(attribute)
elif isinstance(reference, stix2.Directory):
elif isinstance(reference, stix2.v20.observables.Directory):
attribute = {
'type': 'text',
'object_relation': 'path',
@ -1757,15 +1757,15 @@ class ExternalStixParser(StixParser):
pe_object = MISPObject('pe', misp_objects_path_custom=_misp_objects_path)
sections = self._get_sections(pe_extension)
self.fill_misp_object_from_dict(pe_object, pe_extension, 'pe_mapping')
file_object.add_reference(pe_object.uuid, 'includes')
if sections:
for section in sections:
section_object = MISPObject('pe-section')
self.fill_misp_object_from_dict(section_object, section, 'pe_section_mapping')
self.misp_event.add_object(section_object)
pe_object.add_reference(section_object.uuid, 'includes')
self.misp_event.add_object(**section_object)
self.misp_event.add_object(**pe_object)
self.misp_event.add_object(**file_object)
self.misp_event.add_object(pe_object)
file_object.add_reference(pe_object.uuid, 'includes')
self.misp_event.add_object(file_object)
def parse_ip_address_pattern(self, indicator, separator):
self.add_attributes_from_indicator(indicator, 'ip-dst', separator)

2
cti-python-stix2

@ -1 +1 @@
Subproject commit 808dd94f676243e2f1932878d511de6d74557918
Subproject commit 0d6db44c80afd81976f54f58c8cb02e4d33acc16

13
tools/misp_retention.py Normal file → Executable file
View File

@ -42,10 +42,19 @@ class misphelper(object):
print("Removing IDS flag in event '{}' on attr '{}'".format(mevent.id, attr["value"]))
changed = True
attr["to_ids"] = False
self.misp.update_attribute(attr)
for obj in mevent.objects:
for attr in obj.Attribute:
if (attr["type"] == "ip-dst" or attr["type"] == "ip-src") and attr["to_ids"]:
print("Removing IDS flag in event '{}' on attr '{}'".format(mevent.id, attr["value"]))
changed = True
attr["to_ids"] = False
self.misp.update_attribute(attr)
self.misp.tag(mevent, self.expiredTag, True)
if changed:
res = self.misp.update_event(mevent.id, mevent)
self.misp.update_event(mevent.id, mevent)
self.misp.publish(mevent)
def findEventsAfterRetention(self, events, retention):
for event in events:
@ -70,7 +79,7 @@ class misphelper(object):
for tag in res['entries']:
m = re.match(r"^retention:([0-9]+)([d,w,m,y])$", tag["tag"])
if m:
tagSearch = self.misp.build_complex_query(and_parameters = tag["tag"], not_parameters = self.expiredTag)
tagSearch = self.misp.build_complex_query(and_parameters = [tag["tag"]], not_parameters = [self.expiredTag])
events = self.misp.search(published=True, tags=tagSearch)
self.findEventsAfterRetention(events, (m.group(1), m.group(2)))