new: [freedFromRedis] try to create an object/attribute out of the incoming data even if not added with the helper

examples/feed-generator-from-redis/ObjectConstructor/CowrieMISPObject.py

@@ -17,9 +17,9 @@ class CowrieMISPObject(AbstractMISPObjectGenerator):
         self.generate_attributes()
 
     def generate_attributes(self):
-        skip_list = ['time', 'duration', 'isError', 'ttylog']
+        valid_object_attributes = self._definition['attributes'].keys()
         for object_relation, value in self._dico_val.items():
-            if object_relation in skip_list or 'log_' in object_relation:
+            if object_relation not in valid_object_attributes:
                 continue
 
             if object_relation == 'timestamp':
@@ -29,4 +29,7 @@ class CowrieMISPObject(AbstractMISPObjectGenerator):
             if isinstance(value, dict):
                 self.add_attribute(object_relation, **value)
             else:
+                # uniformize value, sometimes empty array
+                if len(value) == 0:
+                    value = ''
                 self.add_attribute(object_relation, value=value)

examples/feed-generator-from-redis/fromredis.py

@@ -27,7 +27,8 @@ class RedisToMISPFeed:
     SUFFIX_SIGH = '_sighting'
     SUFFIX_ATTR = '_attribute'
     SUFFIX_OBJ = '_object'
-    SUFFIX_LIST = [SUFFIX_SIGH, SUFFIX_ATTR, SUFFIX_OBJ]
+    SUFFIX_NO = ''
+    SUFFIX_LIST = [SUFFIX_SIGH, SUFFIX_ATTR, SUFFIX_OBJ, SUFFIX_NO]
 
     def __init__(self):
         self.host = settings.host
@@ -100,8 +101,33 @@ class RedisToMISPFeed:
                 self.update_last_action("Error while adding object")
 
         else:
-            # Suffix not valid
-            self.update_last_action("Redis key suffix not supported")
+            # Suffix not provided, try to add anyway
+            if settings.fallback_MISP_type == 'attribute':
+                new_key = key + self.SUFFIX_ATTR
+                # Add atribute type from the config
+                if 'type' not in data and settings.fallback_attribute_type:
+                    data['type'] = settings.fallback_attribute_type
+                else:
+                    new_key = None
+
+            elif settings.fallback_MISP_type == 'object':
+                new_key = key + self.SUFFIX_OBJ
+                # Add object template name from the config
+                if 'name' not in data and settings.fallback_object_template_name:
+                    data['name'] = settings.fallback_object_template_name
+                else:
+                    new_key = None
+
+            elif settings.fallback_MISP_type == 'sighting':
+                new_key = key + self.SUFFIX_SIGH
+
+            else:
+                new_key = None
+
+            if new_key is None:
+                self.update_last_action("Redis key suffix not supported and automatic not configured")
+            else:
+                self.perform_action(new_key, data)
 
     # OTHERS
     def update_last_action(self, action):

examples/feed-generator-from-redis/settings.default.py

@@ -4,10 +4,15 @@ host='127.0.0.1'
 port=6379
 db=0
 ## The keynames to POP element from
-#keyname_pop='misp_feed_generator_key'
 keyname_pop=['cowrie']
 
 # OTHERS
+## If key prefix not provided, data will be added as either object, attribute or sighting
+fallback_MISP_type = 'object'
+### How to handle the fallback
+fallback_object_template_name = 'cowrie' # MISP-Object only
+fallback_attribute_category = 'comment'  # MISP-Attribute only
+
 ## How frequent the event should be written on disk
 flushing_interval=5*60
 ## The redis list keyname in which to put items that generated an error