# Generic MISP feed generator

## Description

- ``generator.py`` exposes a class for generating a MISP feed in real time, where each item is added to a daily generated event.
- ``fromredis.py`` uses ``generator.py`` to generate a MISP feed from data stored in redis.
- ``server.py`` is a simple script using *Flask_autoindex* to serve the feed data to MISP.
- ``MISPItemToRedis.py`` pushes items into redis so that the ``fromredis.py`` script can add them to MISP.

## Installation

```
# Feed generator
git clone https://github.com/CIRCL/PyMISP
cd PyMISP/examples/feed-generator-from-redis
cp settings.default.py settings.py
vi settings.py # adjust your settings
python3 fromredis.py

# Serving files to MISP
bash install.sh
. ./serv-env/bin/activate
python3 server.py
```

## Usage

```
# Activate virtualenv
. ./serv-env/bin/activate
```

### Adding items to MISP

```
>>> from MISPItemToRedis import MISPItemToRedis

# create helper object
>>> helper = MISPItemToRedis("redis_list_keyname")

# push an attribute to redis
>>> helper.push_attribute("ip-src", "8.8.8.8", category="Network activity")

# push an object to redis
>>> helper.push_object({ "name": "cowrie", "session": "session_id", "username": "admin", "password": "admin", "protocol": "telnet" })

# push a sighting to redis
>>> helper.push_sighting(uuid="5a9e9e26-fe40-4726-8563-5585950d210f")
```
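The helper above pushes each item onto a redis list and ``fromredis.py`` later pops it, so that list is the boundary between whatever produces indicators and the feed that MISP instances will import. The following is an added example, not code from this project: it uses an in-memory stand-in for the redis list (``FakeRedisList``, hypothetical, modelling only LPUSH/RPOP) and a small producer/consumer pair (``ItemProducer``, ``consume``, both assumed names, with an assumed JSON envelope layout) to show how the consumer can reject malformed or unknown entries instead of writing them into the feed.

```python
import json
from collections import deque


class FakeRedisList:
    """Constructed in-memory stand-in for one redis list (hypothetical).
    lpush + rpop give the FIFO behaviour a queue consumer expects."""

    def __init__(self):
        self._items = deque()

    def lpush(self, value):
        self._items.appendleft(value)

    def rpop(self):
        return self._items.pop() if self._items else None


class ItemProducer:
    """Serialises each item as one JSON envelope with a 'type' discriminator (assumed layout)."""

    def __init__(self, store):
        self.store = store

    def push_attribute(self, attr_type, value, **extra):
        self._push({"type": "attribute", "attr_type": attr_type, "value": value, **extra})

    def push_object(self, obj):
        self._push({"type": "object", "object": obj})

    def push_sighting(self, **fields):
        self._push({"type": "sighting", **fields})

    def _push(self, envelope):
        self.store.lpush(json.dumps(envelope))


# Constructed allowlist for the example; a real deployment would use the MISP attribute types it publishes.
ALLOWED_ATTR_TYPES = {"ip-src", "ip-dst", "domain", "hostname", "url", "md5", "sha1", "sha256"}


def consume(store):
    """Pop every queued envelope, validate it and group it by kind.

    Returns (accepted, rejected): accepted maps kind -> list of envelopes;
    rejected is a list of (raw_entry, reason) so bad input is visible rather than silently dropped.
    """
    accepted = {"attribute": [], "object": [], "sighting": []}
    rejected = []
    while True:
        raw = store.rpop()
        if raw is None:
            break
        try:
            item = json.loads(raw)
        except ValueError:
            rejected.append((raw, "not JSON"))
            continue
        kind = item.get("type")
        if kind == "attribute":
            if item.get("attr_type") not in ALLOWED_ATTR_TYPES or not item.get("value"):
                rejected.append((raw, "unsupported attribute type or empty value"))
                continue
        elif kind == "object":
            if not isinstance(item.get("object"), dict) or "name" not in item["object"]:
                rejected.append((raw, "object without a name"))
                continue
        elif kind == "sighting":
            if not (item.get("uuid") or item.get("value")):
                rejected.append((raw, "sighting needs a uuid or a value"))
                continue
        else:
            rejected.append((raw, "unknown item type"))
            continue
        accepted[kind].append(item)
    return accepted, rejected


def demo():
    """Replay the README session against the stand-in, plus two constructed bad entries."""
    store = FakeRedisList()
    producer = ItemProducer(store)
    producer.push_attribute("ip-src", "8.8.8.8", category="Network activity")
    producer.push_object({"name": "cowrie", "session": "session_id", "username": "admin",
                          "password": "admin", "protocol": "telnet"})
    producer.push_sighting(uuid="5a9e9e26-fe40-4726-8563-5585950d210f")
    store.lpush("not json at all")                                  # constructed: junk entry
    store.lpush(json.dumps({"type": "unknown-kind", "value": "x"}))  # constructed: unknown discriminator
    return consume(store)
```

Anything that can write to the redis list can shape what ends up in the feed, so the consumer, not the producer, is where the type allowlist and the shape checks belong; the rejected list gives you something to log and alert on.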

### Generate the feed

```
>>> from generator import FeedGenerator

# Create the FeedGenerator object using the configuration provided in the file settings.py
# It creates a daily event to which attributes and objects are added
>>> generator = FeedGenerator()

# Add an attribute to the daily event
>>> attr_type = "ip-src"
>>> attr_value = "8.8.8.8"
>>> additional_data = {}
>>> generator.add_attribute_to_event(attr_type, attr_value, **additional_data)

# Add a cowrie object to the daily event
>>> obj_name = "cowrie"
>>> obj_data = { "session": "session_id", "username": "admin", "password": "admin", "protocol": "telnet" }
>>> generator.add_object_to_event(obj_name, **obj_data)

# Immediately write the event to disk (bypassing the default flushing behavior)
>>> generator.flush_event()
```
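A MISP feed on disk is a directory holding one JSON file per event next to a ``manifest.json`` (event metadata keyed by event UUID) and a ``hashes.csv`` (md5 of each attribute value paired with its event UUID, which lets a MISP instance match an indicator against the feed without fetching every event). The class below is an added, stdlib-only illustration of that layout and of the daily-event rotation described above; it is not the project's ``generator.py``. ``MiniFeedWriter``, ``build_sample_feed`` and ``md5_hex`` are assumed names, object attributes are simplified to type ``text``, and the sample writes to a temporary directory when none is given.

```python
import csv
import hashlib
import json
import os
import tempfile
import uuid
from datetime import date, datetime, timezone


def md5_hex(value):
    """md5 of a text value, the key MISP looks up in a feed's hashes.csv."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


class MiniFeedWriter:
    """Stand-in (not generator.py) writing a MISP-style feed directory:
    <event_uuid>.json per daily event, plus manifest.json and hashes.csv."""

    def __init__(self, outdir, orgc_name="example-org"):
        self.outdir = outdir
        os.makedirs(outdir, exist_ok=True)
        # Orgc identifies the publishing organisation; constructed values here
        self.orgc = {"name": orgc_name, "uuid": str(uuid.uuid4())}
        self.current_date = None
        self.event = None

    def _daily_event(self):
        """Return today's event, flushing and rotating when the day changes."""
        today = date.today().isoformat()
        if self.current_date != today:
            if self.event is not None:
                self.flush_event()
            self.current_date = today
            self.event = {
                "uuid": str(uuid.uuid4()),
                "info": "daily event " + today,
                "date": today,
                "analysis": "0",
                "threat_level_id": "4",
                "timestamp": str(int(datetime.now(timezone.utc).timestamp())),
                "Orgc": self.orgc,
                "Attribute": [],
                "Object": [],
            }
        return self.event

    def add_attribute_to_event(self, attr_type, attr_value, **attr_data):
        attr = {"uuid": str(uuid.uuid4()), "type": attr_type, "value": attr_value,
                "category": attr_data.get("category", "Network activity"),
                "to_ids": bool(attr_data.get("to_ids", False))}
        self._daily_event()["Attribute"].append(attr)
        return attr

    def add_object_to_event(self, obj_name, **data):
        # Simplification: every object attribute is typed "text"; real MISP
        # object templates assign a type per object_relation.
        obj = {"uuid": str(uuid.uuid4()), "name": obj_name,
               "Attribute": [{"uuid": str(uuid.uuid4()), "object_relation": rel,
                              "type": "text", "value": str(val)} for rel, val in data.items()]}
        self._daily_event()["Object"].append(obj)
        return obj

    def flush_event(self):
        """Write the current event file, then rebuild manifest.json and hashes.csv from all events."""
        event = self.event
        with open(os.path.join(self.outdir, event["uuid"] + ".json"), "w") as f:
            json.dump({"Event": event}, f, indent=2)
        manifest, rows = {}, []
        for name in sorted(os.listdir(self.outdir)):
            if not name.endswith(".json") or name == "manifest.json":
                continue
            with open(os.path.join(self.outdir, name)) as f:
                ev = json.load(f)["Event"]
            manifest[ev["uuid"]] = {k: ev[k] for k in
                                    ("info", "date", "analysis", "threat_level_id", "timestamp", "Orgc")}
            attrs = list(ev["Attribute"]) + [a for o in ev["Object"] for a in o["Attribute"]]
            for attr in attrs:
                # composite types carry two values joined by '|'; each half gets its own hash row
                for part in str(attr["value"]).split("|"):
                    rows.append([md5_hex(part), ev["uuid"]])
        with open(os.path.join(self.outdir, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)
        with open(os.path.join(self.outdir, "hashes.csv"), "w", newline="") as f:
            csv.writer(f).writerows(rows)
        return manifest, rows


def build_sample_feed(outdir=None):
    """Replay the README session against the stand-in; returns (event_uuid, manifest, hash_rows)."""
    outdir = outdir or tempfile.mkdtemp(prefix="misp-feed-")
    gen = MiniFeedWriter(outdir)
    gen.add_attribute_to_event("ip-src", "8.8.8.8", category="Network activity")
    gen.add_object_to_event("cowrie", session="session_id", username="admin",
                            password="admin", protocol="telnet")
    manifest, rows = gen.flush_event()
    return gen.event["uuid"], manifest, rows
```

Rebuilding ``manifest.json`` and ``hashes.csv`` from the event files on every flush keeps the three views consistent even after a crash between writes, which matters because MISP trusts the manifest to decide which events it has already fetched.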

### Consume stored data in redis

```
# Configuration provided in the file settings.py
python3 fromredis.py
```

### Serve data to MISP

```
python3 server.py
```