Added the option to filter out attributes based on distribution level

pull/12/head
Iglocska 2016-04-11 15:18:05 +02:00 committed by Déborah Servili
parent b573daf86d
commit 423757530b
2 changed files with 34 additions and 1 deletions


@ -5,7 +5,7 @@ import sys
import json import json
import os import os
from pymisp import PyMISP from pymisp import PyMISP
from settings import url, key, ssl, outputdir, filters from settings import *
objectsToSave = { objectsToSave = {
@ -29,8 +29,16 @@ fieldsToSave = ['uuid', 'info', 'threat_level_id', 'analysis',
'timestamp', 'publish_timestamp', 'published', 'timestamp', 'publish_timestamp', 'published',
'date'] 'date']
valid_attribute_distributions = []
def init(): def init():
# If we have an old settings.py file then this variable won't exist
global valid_attribute_distributions
try:
valid_attribute_distributions = valid_attribute_distribution_levels
except:
valid_attribute_distributions = ['0', '1', '2', '3', '4', '5']
return PyMISP(url, key, ssl, 'json') return PyMISP(url, key, ssl, 'json')
@ -61,11 +69,20 @@ def __cleanupEventFields(event, temp):
return event return event
def __blockAttributeByDistribution(attribute):
if attribute['distribution'] not in valid_attribute_distributions:
return True
return False
def __cleanupEventObjects(event, temp): def __cleanupEventObjects(event, temp):
for objectType in objectsToSave.keys(): for objectType in objectsToSave.keys():
if objectsToSave[objectType]['multiple'] is True: if objectsToSave[objectType]['multiple'] is True:
if objectType in temp['Event']: if objectType in temp['Event']:
for objectInstance in temp['Event'][objectType]: for objectInstance in temp['Event'][objectType]:
if objectType is 'Attribute':
if __blockAttributeByDistribution(objectInstance):
continue
tempObject = {} tempObject = {}
for field in objectsToSave[objectType]['fields']: for field in objectsToSave[objectType]['fields']:
if field in objectInstance.keys(): if field in objectInstance.keys():
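Review bot: The new check `if objectType is 'Attribute':` in __cleanupEventObjects compares by identity rather than equality, so whether the distribution filter runs at all depends on the interpreter interning both strings. If it ever evaluates false, every attribute is written to the feed regardless of the configured levels; use `if objectType == 'Attribute':`. In init(), the bare `except:` swallows any error and falls back to all six levels, whereas `except NameError:` would limit the fallback to the old-settings case the comment describes. __cleanupEventObjects continues past the end of this hunk.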


@ -21,3 +21,19 @@ outputdir = 'output'
# tlp:white and/or feed-export but exclude anything tagged privint # tlp:white and/or feed-export but exclude anything tagged privint
filters = {} filters = {}
# By default all attributes will be included in the feed generation
# Remove the levels that you do not wish to include in the feed
# Use this to further narrow down what gets exported, for example:
# Setting this to ['3', '5'] will exclude any attributes from the feed that
# are not exportable to all or inherit the event
#
# The levels are as follows:
# 0: Your Organisation Only
# 1: This Community Only
# 2: Connected Communities
# 3: All
# 4: Sharing Group
# 5: Inherit Event
valid_attribute_distribution_levels = ['0', '1', '2', '3', '4', '5']
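Review bot: The comment block above `valid_attribute_distribution_levels` does not say that the entries must be strings, although the generator tests `attribute['distribution'] not in valid_attribute_distributions` with no conversion. A list written as `[3, 5]` would presumably match nothing if the API returns the level as a string, so I would add `# Values must be quoted strings, e.g. '3', not 3`. It would also help to state that level 5 defers to the event's own distribution, so keeping '5' only narrows the feed if restricted events are excluded elsewhere; that filtering is not visible in this change.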