chg: [feed-generator] Make the feature to exlude attribute type more generic

feature-feedgenerator-exclude-malwares
Sami Mokaddem 2021-11-17 12:38:25 +01:00
parent 820eb77cff
commit 57de6de139
No known key found for this signature in database
GPG Key ID: 164C473F627A06FA
2 changed files with 14 additions and 16 deletions


@ -5,7 +5,7 @@ import sys
import json import json
import os import os
from pymisp import ExpandedPyMISP from pymisp import ExpandedPyMISP
from settings import entries, url, key, ssl, outputdir, filters, valid_attribute_distribution_levels from settings import url, key, ssl, outputdir, filters, valid_attribute_distribution_levels
try: try:
from settings import include_deleted from settings import include_deleted
@ -13,9 +13,9 @@ except ImportError:
include_deleted = False include_deleted = False
try: try:
from settings import exclude_malware_samples from settings import exclude_attribute_types
except ImportError: except ImportError:
exclude_malware_samples = False exclude_attribute_types = []
valid_attribute_distributions = [] valid_attribute_distributions = []
@ -62,7 +62,7 @@ def saveManifest(manifest):
if __name__ == '__main__': if __name__ == '__main__':
misp = init() misp = init()
try: try:
events = misp.search_index(minimal=True, limit=entries, **filters, pythonify=False) events = misp.search_index(minimal=True, **filters, pythonify=False)
except Exception as e: except Exception as e:
print(e) print(e)
sys.exit("Invalid response received from MISP.") sys.exit("Invalid response received from MISP.")
@ -74,14 +74,14 @@ if __name__ == '__main__':
total = len(events) total = len(events)
for event in events: for event in events:
try: try:
e = misp.get_event(event.uuid, deleted=include_deleted, pythonify=True) e = misp.get_event(event['uuid'], deleted=include_deleted, pythonify=True)
if exclude_malware_samples: if exclude_attribute_types:
for i, attribute in enumerate(e.attributes): for i, attribute in enumerate(e.attributes):
if attribute.type == 'malware-sample': if attribute.type in exclude_attribute_types:
del e.attributes[i] e.attributes.pop(i)
e_feed = e.to_feed(valid_distributions=valid_attribute_distributions, with_meta=True) e_feed = e.to_feed(valid_distributions=valid_attribute_distributions, with_meta=True)
except Exception as err: except Exception as err:
print(err, event.uuid) print(err, event['uuid'])
continue continue
if not e_feed: if not e_feed:
print(f'Invalid distribution {e.distribution}, skipping') print(f'Invalid distribution {e.distribution}, skipping')
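Review bot: The exclusion loop in the last hunk pops from `e.attributes` while iterating it with `enumerate`, so after each removal the element that shifts into position i is skipped; two adjacent attributes of an excluded type (e.g. two malware-samples in a row) leave the second one in the generated feed, which defeats the purpose of the setting. Rebuilding the list avoids the index shifting and reads more clearly: `e.attributes = [a for a in e.attributes if a.type not in exclude_attribute_types]`. If the exported events carry MISP objects, attributes nested in `e.objects` are presumably not visited by this loop either, so the filter only covers top-level attributes; a comment stating that scope, or extending the filter to object attributes, would make the guarantee explicit. The enclosing `__main__` block continues outside the hunk.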


@ -12,9 +12,6 @@ ssl = False
# sure that you use a directory dedicated to the feed # sure that you use a directory dedicated to the feed
outputdir = 'output' outputdir = 'output'
# Determine the number of entries to output
entries = 200
# The filters to be used for by the feed. You can use any filter that # The filters to be used for by the feed. You can use any filter that
# you can use on the event index, such as organisation, tags, etc. # you can use on the event index, such as organisation, tags, etc.
# It uses the same joining and condition rules as the API parameters # It uses the same joining and condition rules as the API parameters
@ -42,9 +39,10 @@ include_deleted = False
# 5: Inherit Event # 5: Inherit Event
valid_attribute_distribution_levels = ['0', '1', '2', '3', '4', '5'] valid_attribute_distribution_levels = ['0', '1', '2', '3', '4', '5']
# By default, all attribute passing the filtering rules will be exported. # By default, all attribute passing the filtering rules will be exported.
# This setting can be used to filter out attributes being of the type `malaware-sample`. # This setting can be used to filter out any attributes being of the type contained in the list.
# Warning: Keep in mind that if you propagate data (via synchronisation/feeds/...), recipients # Warning: Keep in mind that if you propagate data (via synchronisation/feeds/...), recipients
# will not be able to get the malware samples back. # will not be able to get these attributes back unless their events get updated.
exclude_malware_samples = False # For example:
# exclude_attribute_types = ['malware-sample']
exclude_attribute_types = []
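Review bot: Removing `entries = 200` from the settings template without a note means an existing `settings.py` that still defines `entries` keeps a value that is now silently ignored, and new users get no hint that the feed now exports every event matching `filters`. A short comment next to `filters` would make the change visible to operators, e.g. `# Note: the former 'entries' limit is no longer used; every event matching the filters below is exported.` In the new `exclude_attribute_types` comment it is also worth stating that matching is on the exact attribute type string, e.g. `# Types are matched exactly against the attribute's 'type' field; an empty list excludes nothing.`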