Merge pull request #93 from RichieB2B/ncsc-nl/misp2clamav

Convert MISP file hashes to ClamAV hdb file
2017-03-27 17:12:13 +02:00 · 2017-03-27 17:12:13 +02:00 · 23c9347341
parent a7e66ca5db 9fb9715c8e
commit 23c9347341
1 changed files with 50 additions and 0 deletions
--- a/examples/misp2clamav.py
+++ b/examples/misp2clamav.py
@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# vim: tabstop=4 shiftwidth=4 expandtab
+# 
+# Export file hashes from MISP to ClamAV hdb file
+
+import sys
+from pymisp import PyMISP
+from keys import misp_url, misp_key
+
+def init_misp():
+    global mymisp
+    mymisp = PyMISP(misp_url, misp_key)
+
+def echeck(r):
+    if r.get('errors'):
+        if r.get('message') == 'No matches.':
+            return
+        else:
+            print(r['errors'])
+            sys.exit(1)
+
+def find_hashes(htype):
+    r = mymisp.search(type_attribute = htype)
+    echeck(r)
+    if r.get('response'):
+        c = ''
+        v = ''
+        for e in r['response']:
+            for a in e['Event']['Attribute']:
+                if a['type'] == htype:
+                    if '|' in htype and '|' in v:
+                        s = v.split('|')
+                        c = s[0]
+                        v = s[1]
+                    else:
+                        c = a['comment']
+                        v = a['value']
+                    mhash = v.replace(':',';')
+                    mfile = 'MISP event ' + e['Event']['id'] + ' ' + c.replace(':',';').replace('\r', '').replace('\n', '')
+                    print('{}:*:{}:73'.format(mhash, mfile))
+
+if __name__ == '__main__':
+    init_misp()
+    find_hashes('md5')
+    find_hashes('sha1')
+    find_hashes('sha256')
+    find_hashes('filename|md5')
+    find_hashes('filename|sha1')
+    find_hashes('filename|sha256')