new: Object generator for ssh authorized_keys files.

2019-05-20 16:40:47 +02:00 · 2019-05-20 16:40:47 +02:00 · 3b56b218b5
parent f55add5a6d
commit 3b56b218b5
4 changed files with 64 additions and 1 deletions
--- a/examples/add_ssh_authorized_keys.py
+++ b/examples/add_ssh_authorized_keys.py
@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from pymisp import PyMISP
+from pymisp.tools import SSHAuthorizedKeysObject
+import traceback
+from keys import misp_url, misp_key, misp_verifycert
+import glob
+import argparse
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Extract indicators out of authorized_keys file.')
+    parser.add_argument("-e", "--event", required=True, help="Event ID to update.")
+    parser.add_argument("-p", "--path", required=True, help="Path to process (expanded using glob).")
+    args = parser.parse_args()
+
+    pymisp = PyMISP(misp_url, misp_key, misp_verifycert, debug=True)
+
+    for f in glob.glob(args.path):
+        try:
+            auth_keys = SSHAuthorizedKeysObject(f)
+        except Exception:
+            traceback.print_exc()
+            continue
+
+        template_id = pymisp.get_object_template_id(auth_keys.template_uuid)
+        response = pymisp.add_object(args.event, template_id, auth_keys)
+        for ref in auth_keys.ObjectReference:
+            r = pymisp.add_object_reference(ref)
--- a/pymisp/data/misp-objects
+++ b/pymisp/data/misp-objects
@ -1 +1 @@
-Subproject commit b656cc532d1656da8aa12b695fe0322f2d16c0fd
+Subproject commit 816f38c61ee3d68d1872a107bcca0646668f532e
--- a/pymisp/tools/init.py
+++ b/pymisp/tools/init.py
@ -20,3 +20,4 @@ if sys.version_info >= (3, 6):
    from .emailobject import EMailObject  # noqa
    from .vehicleobject import VehicleObject  # noqa
    from .csvloader import CSVLoader  # noqa
+    from .sshauthkeyobject import SSHAuthorizedKeysObject  # noqa
--- a/pymisp/tools/sshauthkeyobject.py
+++ b/pymisp/tools/sshauthkeyobject.py
@ -0,0 +1,32 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from ..exceptions import InvalidMISPObject
+from .abstractgenerator import AbstractMISPObjectGenerator
+from io import StringIO
+import logging
+
+logger = logging.getLogger('pymisp')
+
+
+class SSHAuthorizedKeysObject(AbstractMISPObjectGenerator):
+
+    def __init__(self, authorized_keys_path=None, authorized_keys_pseudofile=None, standalone=True, **kwargs):
+        if authorized_keys_path:
+            with open(authorized_keys_path, 'r') as f:
+                self.__pseudofile = StringIO(f.read())
+        elif authorized_keys_pseudofile and isinstance(authorized_keys_pseudofile, StringIO):
+            self.__pseudofile = authorized_keys_path
+        else:
+            raise InvalidMISPObject('File buffer (StringIO) or a path is required.')
+        # PY3 way:
+        # super().__init__('file')
+        super(SSHAuthorizedKeysObject, self).__init__('ssh-authorized-keys', standalone=standalone, **kwargs)
+        self.__data = self.__pseudofile.getvalue()
+        self.generate_attributes()
+
+    def generate_attributes(self):
+        for l in self.__pseudofile:
+            if l.startswith('ssh') or l.startswith('ecdsa'):
+                key = l.split(' ')[1]
+                self.add_attribute('key', key)