mirror of https://github.com/MISP/PyMISP
chg: [feed-generator] Make the feature to exlude attribute type more generic
parent
820eb77cff
commit
57de6de139
|
@ -5,7 +5,7 @@ import sys
|
||||||
import json
|
import json
|
||||||
import os
|
import os
|
||||||
from pymisp import ExpandedPyMISP
|
from pymisp import ExpandedPyMISP
|
||||||
from settings import entries, url, key, ssl, outputdir, filters, valid_attribute_distribution_levels
|
from settings import url, key, ssl, outputdir, filters, valid_attribute_distribution_levels
|
||||||
|
|
||||||
try:
|
try:
|
||||||
from settings import include_deleted
|
from settings import include_deleted
|
||||||
|
@ -13,9 +13,9 @@ except ImportError:
|
||||||
include_deleted = False
|
include_deleted = False
|
||||||
|
|
||||||
try:
|
try:
|
||||||
from settings import exclude_malware_samples
|
from settings import exclude_attribute_types
|
||||||
except ImportError:
|
except ImportError:
|
||||||
exclude_malware_samples = False
|
exclude_attribute_types = []
|
||||||
|
|
||||||
valid_attribute_distributions = []
|
valid_attribute_distributions = []
|
||||||
|
|
||||||
|
@ -62,7 +62,7 @@ def saveManifest(manifest):
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
misp = init()
|
misp = init()
|
||||||
try:
|
try:
|
||||||
events = misp.search_index(minimal=True, limit=entries, **filters, pythonify=False)
|
events = misp.search_index(minimal=True, **filters, pythonify=False)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
print(e)
|
print(e)
|
||||||
sys.exit("Invalid response received from MISP.")
|
sys.exit("Invalid response received from MISP.")
|
||||||
|
@ -74,14 +74,14 @@ if __name__ == '__main__':
|
||||||
total = len(events)
|
total = len(events)
|
||||||
for event in events:
|
for event in events:
|
||||||
try:
|
try:
|
||||||
e = misp.get_event(event.uuid, deleted=include_deleted, pythonify=True)
|
e = misp.get_event(event['uuid'], deleted=include_deleted, pythonify=True)
|
||||||
if exclude_malware_samples:
|
if exclude_attribute_types:
|
||||||
for i, attribute in enumerate(e.attributes):
|
for i, attribute in enumerate(e.attributes):
|
||||||
if attribute.type == 'malware-sample':
|
if attribute.type in exclude_attribute_types:
|
||||||
del e.attributes[i]
|
e.attributes.pop(i)
|
||||||
e_feed = e.to_feed(valid_distributions=valid_attribute_distributions, with_meta=True)
|
e_feed = e.to_feed(valid_distributions=valid_attribute_distributions, with_meta=True)
|
||||||
except Exception as err:
|
except Exception as err:
|
||||||
print(err, event.uuid)
|
print(err, event['uuid'])
|
||||||
continue
|
continue
|
||||||
if not e_feed:
|
if not e_feed:
|
||||||
print(f'Invalid distribution {e.distribution}, skipping')
|
print(f'Invalid distribution {e.distribution}, skipping')
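Review bot: The exclusion loop removes items from `e.attributes` while `enumerate(e.attributes)` is still walking it, so after each `e.attributes.pop(i)` the next attribute shifts into index `i` and is never tested. Two adjacent attributes of an excluded type therefore leave the second one in the event that `to_feed()` publishes, which defeats the filter for exactly the data the operator asked to withhold. Walking the indices backwards avoids the skip: `for i in reversed(range(len(e.attributes))):` followed by `if e.attributes[i].type in exclude_attribute_types: e.attributes.pop(i)`. The loop also only looks at `e.attributes`; whether attributes nested in objects reach the feed is not visible here and should be confirmed. The enclosing `if __name__ == '__main__':` block starts and ends outside the hunk.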
|
||||||
|
|
|
@ -12,9 +12,6 @@ ssl = False
|
||||||
# sure that you use a directory dedicated to the feed
|
# sure that you use a directory dedicated to the feed
|
||||||
outputdir = 'output'
|
outputdir = 'output'
|
||||||
|
|
||||||
# Determine the number of entries to output
|
|
||||||
entries = 200
|
|
||||||
|
|
||||||
# The filters to be used for by the feed. You can use any filter that
|
# The filters to be used for by the feed. You can use any filter that
|
||||||
# you can use on the event index, such as organisation, tags, etc.
|
# you can use on the event index, such as organisation, tags, etc.
|
||||||
# It uses the same joining and condition rules as the API parameters
|
# It uses the same joining and condition rules as the API parameters
|
||||||
|
@ -42,9 +39,10 @@ include_deleted = False
|
||||||
# 5: Inherit Event
|
# 5: Inherit Event
|
||||||
valid_attribute_distribution_levels = ['0', '1', '2', '3', '4', '5']
|
valid_attribute_distribution_levels = ['0', '1', '2', '3', '4', '5']
|
||||||
|
|
||||||
|
|
||||||
# By default, all attribute passing the filtering rules will be exported.
|
# By default, all attribute passing the filtering rules will be exported.
|
||||||
# This setting can be used to filter out attributes being of the type `malaware-sample`.
|
# This setting can be used to filter out any attributes being of the type contained in the list.
|
||||||
# Warning: Keep in mind that if you propagate data (via synchronisation/feeds/...), recipients
|
# Warning: Keep in mind that if you propagate data (via synchronisation/feeds/...), recipients
|
||||||
# will not be able to get the malware samples back.
|
# will not be able to get these attributes back unless their events get updated.
|
||||||
exclude_malware_samples = False
|
# For example:
|
||||||
|
# exclude_attribute_types = ['malware-sample']
|
||||||
|
exclude_attribute_types = []
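Review bot: The comment block above `exclude_attribute_types` should say that the old `exclude_malware_samples` flag is no longer read. The generator now imports only `exclude_attribute_types` and falls back to `[]` on `ImportError`, so a deployed settings file that still has `exclude_malware_samples = True` silently goes back to exporting malware samples after the upgrade. I would add `# Replaces exclude_malware_samples, which is ignored; use ['malware-sample'] for the old behaviour.` and consider having the generator honour the old name or warn when it is set.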
|