Add netflow filter output

- get event data for an event with "--event X"
- get netflow filter with "--netflow"
   simple "host X or host X" form
pull/2/merge
Koen Van Impe 2015-08-04 23:25:15 +02:00
parent bef354ac44
commit 2e1da3b777
1 changed files with 65 additions and 32 deletions


@ -5,10 +5,19 @@
Python script to extract network activity from MISP database Python script to extract network activity from MISP database
Koen Van Impe 20141116 Koen Van Impe 20141116
netflow 20150804
Feed it a list of event_id's (1 id per line) with the option "-f". Feed it a list of event_id's (1 id per line) with the option "-f".
Use --no-comment to get a flat list of entries without event id and title information Use --no-comment to get a flat list of entries without event id and title information
Usage
./get_network_activity.py --netflow --event 8
get netflow filter for event 8
./get_network_activity.py -f get_network_activity.event_id --netflow
get netflow filter for events in id file
./get_network_activity.py -f get_network_activity.event_id
get output with comments
""" """
from pymisp import PyMISP from pymisp import PyMISP
@ -35,7 +44,7 @@ def get_event(event_id):
:event_id the id of the event :event_id the id of the event
""" """
global network_ip_src, network_ip_dst, network_hostname, network_domain global network_ip_src, network_ip_dst, network_hostname, network_domain
global app_hostname, app_domain, app_ip_src, app_ip_dst, app_ids_only global app_hostname, app_domain, app_ip_src, app_ip_dst, app_ids_only, app_printcomment, app_netflow
event_id = int(event_id) event_id = int(event_id)
if event_id > 0: if event_id > 0:
@ -59,16 +68,21 @@ def get_event(event_id):
value = attribute["value"] value = attribute["value"]
title = event_core["info"] title = event_core["info"]
if attribute["type"] == "ip-src" and app_ip_src: if app_netflow:
network_ip_src.append([build_entry(value, event_id, title, "ip-src")]) app_printcomment = False
elif attribute["type"] == "ip-dst" and app_ip_dst: if attribute["type"] == "ip-dst" and app_ip_dst:
network_ip_dst.append([build_entry(value, event_id, title, "ip-dst")]) network_ip_dst.append([build_entry(value, event_id, title, "ip-dst")])
elif attribute["type"] == "domain" and app_domain:
network_domain.append([build_entry(value, event_id, title, "domain")])
elif attribute["type"] == "hostname" and app_hostname:
network_hostname.append([build_entry(value, event_id, title, "hostname")])
else: else:
continue if attribute["type"] == "ip-src" and app_ip_src:
network_ip_src.append([build_entry(value, event_id, title, "ip-src")])
elif attribute["type"] == "ip-dst" and app_ip_dst:
network_ip_dst.append([build_entry(value, event_id, title, "ip-dst")])
elif attribute["type"] == "domain" and app_domain:
network_domain.append([build_entry(value, event_id, title, "domain")])
elif attribute["type"] == "hostname" and app_hostname:
network_hostname.append([build_entry(value, event_id, title, "hostname")])
else:
continue
else: else:
print("Not a valid ID") print("Not a valid ID")
return return
@ -99,20 +113,29 @@ def print_events():
Print the events from the result arrays Print the events from the result arrays
""" """
global network_ip_src, network_ip_dst, network_domain, network_hostname global network_ip_src, network_ip_dst, network_domain, network_hostname
global app_hostname, app_domain, app_ip_src, app_ip_dst, app_ids_only, app_printcomment, app_printtitle global app_hostname, app_domain, app_ip_src, app_ip_dst, app_ids_only, app_printcomment, app_printtitle, app_netflow
if app_ip_src: if app_netflow:
for ip in network_ip_src: firsthost = True
print(ip[0])
if app_ip_dst:
for ip in network_ip_dst: for ip in network_ip_dst:
print(ip[0]) if firsthost:
if app_domain: firsthost = False
for ip in network_domain: else:
print(ip[0]) print " or "
if app_hostname: print "host %s" % ip[0]
for ip in network_hostname: else:
print(ip[0]) if app_ip_src:
for ip in network_ip_src:
print(ip[0])
if app_ip_dst:
for ip in network_ip_dst:
print(ip[0])
if app_domain:
for ip in network_domain:
print(ip[0])
if app_hostname:
for ip in network_hostname:
print(ip[0])
if __name__ == '__main__': if __name__ == '__main__':
@ -141,17 +164,27 @@ if __name__ == '__main__':
help='Include IDS and non-IDS attribures.') help='Include IDS and non-IDS attribures.')
parser.add_argument('--no-titles', action='store_true', default=False, parser.add_argument('--no-titles', action='store_true', default=False,
help='Do not include titles') help='Do not include titles')
parser.add_argument('--netflow', action='store_true', default=False,
help='Netflow (nfdump) output')
parser.add_argument('--event', type=int, default=0,
help='EventID to parse (not using filename)')
args = parser.parse_args() args = parser.parse_args()
if args.filename is not None: init()
init() app_printcomment = args.no_comment
app_printcomment = args.no_comment app_hostname = args.hostname
app_hostname = args.hostname app_domain = args.domain
app_domain = args.domain app_ip_src = not(args.no_ip_src)
app_ip_src = not(args.no_ip_src) app_ip_dst = not(args.no_ip_dst)
app_ip_dst = not(args.no_ip_dst) app_ids_only = args.no_ids_only
app_ids_only = args.no_ids_only app_printtitle = not(args.no_titles)
app_printtitle = not(args.no_titles) app_netflow = args.netflow
app_event = args.event
if app_event > 0:
get_event(app_event)
print_events()
elif args.filename is not None:
# print "app_printcomment %s app_hostname %s app_domain %s app_ip_src %s app_ip_dst %s app_ids_only %s app_printtitle %s" % (app_printcomment,app_hostname, app_domain, app_ip_src, app_ip_dst, app_ids_only, app_printtitle) # print "app_printcomment %s app_hostname %s app_domain %s app_ip_src %s app_ip_dst %s app_ids_only %s app_printtitle %s" % (app_printcomment,app_hostname, app_domain, app_ip_src, app_ip_dst, app_ids_only, app_printtitle)
with open(args.filename, 'r') as line: with open(args.filename, 'r') as line:
for event_id in line: for event_id in line: