diff --git a/examples/feed-generator-from-redis/ObjectConstructor/CowrieMISPObject.py b/examples/feed-generator-from-redis/ObjectConstructor/CowrieMISPObject.py
index 6c1a40b..3474a70 100644
--- a/examples/feed-generator-from-redis/ObjectConstructor/CowrieMISPObject.py
+++ b/examples/feed-generator-from-redis/ObjectConstructor/CowrieMISPObject.py
@@ -17,9 +17,9 @@ class CowrieMISPObject(AbstractMISPObjectGenerator):
         self.generate_attributes()
 
     def generate_attributes(self):
-        skip_list = ['time', 'duration', 'isError', 'ttylog']
+        valid_object_attributes = self._definition['attributes'].keys()
         for object_relation, value in self._dico_val.items():
-            if object_relation in skip_list or 'log_' in object_relation:
+            if object_relation not in valid_object_attributes:
                 continue
 
             if object_relation == 'timestamp':
@@ -29,4 +29,7 @@ class CowrieMISPObject(AbstractMISPObjectGenerator):
             if isinstance(value, dict):
                 self.add_attribute(object_relation, **value)
             else:
+                # uniformize value, sometimes empty array
+                if len(value) == 0:
+                    value = ''
                 self.add_attribute(object_relation, value=value)
diff --git a/examples/feed-generator-from-redis/fromredis.py b/examples/feed-generator-from-redis/fromredis.py
index d84fca1..26b2ee6 100755
--- a/examples/feed-generator-from-redis/fromredis.py
+++ b/examples/feed-generator-from-redis/fromredis.py
@@ -27,7 +27,8 @@ class RedisToMISPFeed:
     SUFFIX_SIGH = '_sighting'
     SUFFIX_ATTR = '_attribute'
     SUFFIX_OBJ = '_object'
-    SUFFIX_LIST = [SUFFIX_SIGH, SUFFIX_ATTR, SUFFIX_OBJ]
+    SUFFIX_NO = ''
+    SUFFIX_LIST = [SUFFIX_SIGH, SUFFIX_ATTR, SUFFIX_OBJ, SUFFIX_NO]
 
     def __init__(self):
         self.host = settings.host
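Review bot: With the filter now driven by `self._definition['attributes'].keys()`, the `if object_relation == 'timestamp':` branch below is only reached when `timestamp` is itself a key of the template's attribute definition; if the template lacks it, the timestamp is presumably dropped before it is normalised, with no trace in the output. A comment on the new line, `# relations absent from the object template are dropped silently`, or a debug log of the skipped relations would make template/payload drift visible to the operator. generate_attributes continues past the end of the hunk.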
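Review bot: `len(value) == 0` raises TypeError for any non-sized value (an int, float, bool or None in the Cowrie record), which aborts the whole object instead of just that attribute; the comment says the case being handled is an empty array, so the guard should test for exactly that, `if isinstance(value, (list, tuple)) and not value:`. Storing `''` for an empty array may also be less useful than skipping the attribute with `continue`, but that depends on how add_attribute treats an empty value, which is not visible here. generate_attributes starts before this hunk.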
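Review bot: `SUFFIX_NO = ''` is a suffix every key ends with, so any dispatch that walks SUFFIX_LIST with `endswith` (the dispatch code is outside this hunk) depends on `''` staying the last entry. A comment on the new line makes that ordering constraint explicit, `SUFFIX_NO = ''  # must stay last in SUFFIX_LIST: every key ends with ''`.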
@@ -100,8 +101,33 @@ class RedisToMISPFeed:
                 self.update_last_action("Error while adding object")
 
         else:
-            # Suffix not valid
-            self.update_last_action("Redis key suffix not supported")
+            # Suffix not provided, try to add anyway
+            if settings.fallback_MISP_type == 'attribute':
+                new_key = key + self.SUFFIX_ATTR
+                # Add atribute type from the config
+                if 'type' not in data and settings.fallback_attribute_type:
+                    data['type'] = settings.fallback_attribute_type
+                else:
+                    new_key = None
+
+            elif settings.fallback_MISP_type == 'object':
+                new_key = key + self.SUFFIX_OBJ
+                # Add object template name from the config
+                if 'name' not in data and settings.fallback_object_template_name:
+                    data['name'] = settings.fallback_object_template_name
+                else:
+                    new_key = None
+
+            elif settings.fallback_MISP_type == 'sighting':
+                new_key = key + self.SUFFIX_SIGH
+
+            else:
+                new_key = None
+
+            if new_key is None:
+                self.update_last_action("Redis key suffix not supported and automatic not configured")
+            else:
+                self.perform_action(new_key, data)
 
     # OTHERS
     def update_last_action(self, action):
diff --git a/examples/feed-generator-from-redis/settings.default.py b/examples/feed-generator-from-redis/settings.default.py
index 0f6457c..db1a964 100755
--- a/examples/feed-generator-from-redis/settings.default.py
+++ b/examples/feed-generator-from-redis/settings.default.py
@@ -4,10 +4,15 @@ host='127.0.0.1'
 port=6379
 db=0
 ## The keynames to POP element from
-#keyname_pop='misp_feed_generator_key'
 keyname_pop=['cowrie']
 
 # OTHERS
+## If key prefix not provided, data will be added as either object, attribute or sighting
+fallback_MISP_type = 'object'
+### How to handle the fallback
+fallback_object_template_name = 'cowrie' # MISP-Object only
+fallback_attribute_category = 'comment' # MISP-Attribute only
+
 ## How frequent the event should be written on disk
 flushing_interval=5*60
 ## The redis list keyname in which to put items that generated an error
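Review bot: The `else: new_key = None` in the attribute and object branches rejects exactly the payloads that already carry a `type`/`name`: when `'type' in data` the `and` condition is false, so a well-formed record is dropped while one missing the field is accepted, the reverse of the intent in the comment. The same branch reads `settings.fallback_attribute_type`, but settings.default.py (the last hunk of this diff) defines `fallback_attribute_category` and no `fallback_attribute_type`, so with the shipped defaults the attribute fallback raises AttributeError; the two names need to agree, or the lookup should tolerate absence with `getattr(settings, 'fallback_attribute_type', None)`. The fallback also mutates the `data` dict in place before re-dispatching through perform_action, and the enclosing method starts outside the hunk.
```python
            # Suffix not provided, try to add anyway
            if settings.fallback_MISP_type == 'attribute':
                new_key = key + self.SUFFIX_ATTR
                # Only fill in the type when the payload does not carry one;
                # a payload that has no type and no configured fallback is rejected
                if 'type' not in data:
                    if settings.fallback_attribute_type:
                        data['type'] = settings.fallback_attribute_type
                    else:
                        new_key = None

            elif settings.fallback_MISP_type == 'object':
                new_key = key + self.SUFFIX_OBJ
                # Same rule for the object template name
                if 'name' not in data:
                    if settings.fallback_object_template_name:
                        data['name'] = settings.fallback_object_template_name
                    else:
                        new_key = None
            # … unchanged: sighting branch, final else, dispatch on new_key …
```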
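Review bot: `fallback_MISP_type = 'object'` as the shipped default switches the new fallback on for every deployment: unsuffixed Redis keys, which the previous code rejected with "Redis key suffix not supported", are now ingested as objects built from the `cowrie` template unless the operator edits this file. An opt-in default keeps the old rejecting behaviour for anyone who copies settings.default.py unchanged, `fallback_MISP_type = None  # 'object', 'attribute' or 'sighting'; None keeps unsuffixed keys rejected`, and the comment above it should list the accepted values. The comment `## If key prefix not provided` says prefix while the rest of the code matches a key suffix.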