new: [freedFromRedis] try to create an object/attribute out of the incoming data even if not added with the helper
parent
220b7bffff
commit
186ad41381
@ -17,9 +17,9 @@ class CowrieMISPObject(AbstractMISPObjectGenerator):
|
||||||
self.generate_attributes()
|
self.generate_attributes()
|
||||||
|
|
||||||
def generate_attributes(self):
|
def generate_attributes(self):
|
||||||
skip_list = ['time', 'duration', 'isError', 'ttylog']
|
valid_object_attributes = self._definition['attributes'].keys()
|
||||||
for object_relation, value in self._dico_val.items():
|
for object_relation, value in self._dico_val.items():
|
||||||
if object_relation in skip_list or 'log_' in object_relation:
|
if object_relation not in valid_object_attributes:
|
||||||
continue
|
continue
|
||||||
|
|
||||||
if object_relation == 'timestamp':
|
if object_relation == 'timestamp':
|
||||||
|
@ -29,4 +29,7 @@ class CowrieMISPObject(AbstractMISPObjectGenerator):
|
||||||
if isinstance(value, dict):
|
if isinstance(value, dict):
|
||||||
self.add_attribute(object_relation, **value)
|
self.add_attribute(object_relation, **value)
|
||||||
else:
|
else:
|
||||||
|
# uniformize value, sometimes empty array
|
||||||
|
if len(value) == 0:
|
||||||
|
value = ''
|
||||||
self.add_attribute(object_relation, value=value)
|
self.add_attribute(object_relation, value=value)
|
||||||
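Review bot: `if len(value) == 0:` in the new uniformisation step raises TypeError for any value that has no `__len__` — a Cowrie field arriving as an int, float, bool or `None` would now abort `generate_attributes` for the whole object, whereas the previous code handed such values straight to `add_attribute`. Restrict the check to sized values, e.g. `if value is None or (hasattr(value, '__len__') and len(value) == 0):` and keep `value = ''` as the normalised result. Replacing the hard-coded `skip_list` with the template's attribute keys is a sound tightening, since fields not declared in the template can no longer leak into the object; a one-line comment such as `# only keep fields declared in the object template` would record that intent next to `valid_object_attributes`. `generate_attributes` continues past the end of this hunk.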
|
|
|
@ -27,7 +27,8 @@ class RedisToMISPFeed:
|
||||||
SUFFIX_SIGH = '_sighting'
|
SUFFIX_SIGH = '_sighting'
|
||||||
SUFFIX_ATTR = '_attribute'
|
SUFFIX_ATTR = '_attribute'
|
||||||
SUFFIX_OBJ = '_object'
|
SUFFIX_OBJ = '_object'
|
||||||
SUFFIX_LIST = [SUFFIX_SIGH, SUFFIX_ATTR, SUFFIX_OBJ]
|
SUFFIX_NO = ''
|
||||||
|
SUFFIX_LIST = [SUFFIX_SIGH, SUFFIX_ATTR, SUFFIX_OBJ, SUFFIX_NO]
|
||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
self.host = settings.host
|
self.host = settings.host
|
||||||
|
@ -100,8 +101,33 @@ class RedisToMISPFeed:
|
||||||
self.update_last_action("Error while adding object")
|
self.update_last_action("Error while adding object")
|
||||||
|
|
||||||
else:
|
else:
|
||||||
# Suffix not valid
|
# Suffix not provided, try to add anyway
|
||||||
self.update_last_action("Redis key suffix not supported")
|
if settings.fallback_MISP_type == 'attribute':
|
||||||
|
new_key = key + self.SUFFIX_ATTR
|
||||||
|
# Add atribute type from the config
|
||||||
|
if 'type' not in data and settings.fallback_attribute_type:
|
||||||
|
data['type'] = settings.fallback_attribute_type
|
||||||
|
else:
|
||||||
|
new_key = None
|
||||||
|
|
||||||
|
elif settings.fallback_MISP_type == 'object':
|
||||||
|
new_key = key + self.SUFFIX_OBJ
|
||||||
|
# Add object template name from the config
|
||||||
|
if 'name' not in data and settings.fallback_object_template_name:
|
||||||
|
data['name'] = settings.fallback_object_template_name
|
||||||
|
else:
|
||||||
|
new_key = None
|
||||||
|
|
||||||
|
elif settings.fallback_MISP_type == 'sighting':
|
||||||
|
new_key = key + self.SUFFIX_SIGH
|
||||||
|
|
||||||
|
else:
|
||||||
|
new_key = None
|
||||||
|
|
||||||
|
if new_key is None:
|
||||||
|
self.update_last_action("Redis key suffix not supported and automatic not configured")
|
||||||
|
else:
|
||||||
|
self.perform_action(new_key, data)
|
||||||
|
|
||||||
# OTHERS
|
# OTHERS
|
||||||
def update_last_action(self, action):
|
def update_last_action(self, action):
|
||||||
|
|
|
@ -4,10 +4,15 @@ host='127.0.0.1'
|
||||||
port=6379
|
port=6379
|
||||||
db=0
|
db=0
|
||||||
## The keynames to POP element from
|
## The keynames to POP element from
|
||||||
#keyname_pop='misp_feed_generator_key'
|
|
||||||
keyname_pop=['cowrie']
|
keyname_pop=['cowrie']
|
||||||
|
|
||||||
# OTHERS
|
# OTHERS
|
||||||
|
## If key prefix not provided, data will be added as either object, attribute or sighting
|
||||||
|
fallback_MISP_type = 'object'
|
||||||
|
### How to handle the fallback
|
||||||
|
fallback_object_template_name = 'cowrie' # MISP-Object only
|
||||||
|
fallback_attribute_category = 'comment' # MISP-Attribute only
|
||||||
|
|
||||||
## How frequent the event should be written on disk
|
## How frequent the event should be written on disk
|
||||||
flushing_interval=5*60
|
flushing_interval=5*60
|
||||||
## The redis list keyname in which to put items that generated an error
|
## The redis list keyname in which to put items that generated an error
|
||||||
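Review bot: `fallback_attribute_category = 'comment'` does not match what the consumer reads — the RedisToMISPFeed hunk in this same commit looks up `settings.fallback_attribute_type`, so with `fallback_MISP_type = 'attribute'` the fallback path raises AttributeError unless that name is defined elsewhere. Since `'comment'` is itself a MISP attribute type rather than a category, the setting is most likely meant to be `fallback_attribute_type = 'comment' # MISP-Attribute only`. The comment above `fallback_MISP_type` should also state the behavioural consequence for operators, e.g. `## Items whose Redis key has no recognised suffix are no longer dropped but promoted to this MISP type`, so that nobody enables it expecting unrecognised data to be rejected.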
|
|