From 6dc422de72c09074a07b487d4b1ba35c8124e5b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 27 Mar 2017 17:43:11 +0200
Subject: [PATCH] Cleanup misp2clamav

---
 examples/misp2clamav.py | 40 +++++++++++++++++++++-------------------
 1 file changed, 21 insertions(+), 19 deletions(-)

diff --git a/examples/misp2clamav.py b/examples/misp2clamav.py
index 06522ed..84b3e85 100755
--- a/examples/misp2clamav.py
+++ b/examples/misp2clamav.py
@@ -1,17 +1,19 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 # vim: tabstop=4 shiftwidth=4 expandtab
-#
+#
 # Export file hashes from MISP to ClamAV hdb file
 
 import sys
-from pymisp import PyMISP
+from pymisp import PyMISP, MISPAttribute
 from keys import misp_url, misp_key
 
+
 def init_misp():
     global mymisp
     mymisp = PyMISP(misp_url, misp_key)
 
+
 def echeck(r):
     if r.get('errors'):
         if r.get('message') == 'No matches.':
@@ -20,25 +22,25 @@ def echeck(r):
         print(r['errors'])
         sys.exit(1)
 
+
 def find_hashes(htype):
-    r = mymisp.search(type_attribute = htype)
+    r = mymisp.search(controller='attributes', type_attribute=htype)
     echeck(r)
-    if r.get('response'):
-        c = ''
-        v = ''
-        for e in r['response']:
-            for a in e['Event']['Attribute']:
-                if a['type'] == htype:
-                    if '|' in htype and '|' in v:
-                        s = v.split('|')
-                        c = s[0]
-                        v = s[1]
-                    else:
-                        c = a['comment']
-                        v = a['value']
-                    mhash = v.replace(':',';')
-                    mfile = 'MISP event ' + e['Event']['id'] + ' ' + c.replace(':',';').replace('\r', '').replace('\n', '')
-                    print('{}:*:{}:73'.format(mhash, mfile))
+    if not r.get('response'):
+        return
+    for a in r['response']['Attribute']:
+        attribute = MISPAttribute(mymisp.describe_types)
+        attribute.set_all_values(**a)
+        if '|' in attribute.type and '|' in attribute.value:
+            c, value = attribute.value.split('|')
+            comment = '{} - {}'.format(attribute.comment, c)
+        else:
+            comment = attribute.comment
+            value = attribute.value
+        mhash = value.replace(':', ';')
+        mfile = 'MISP event {} {}'.format(a['event_id'], comment.replace(':', ';').replace('\r', '').replace('\n', ''))
+        print('{}:*:{}:73'.format(mhash, mfile))
 
+
 if __name__ == '__main__':
     init_misp()
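Review bot: `c, value = attribute.value.split('|')` in the new find_hashes body raises ValueError for a composite value whose filename part itself contains a '|', because the guard only checks that the type and the value each contain the separator somewhere; `c, value = attribute.value.rsplit('|', 1)` keeps the hash as the trailing part regardless of what the filename holds. The hash half is only ':'-sanitised while the comment also has CR/LF removed — since hdb records are newline-delimited, giving `mhash` the same `.replace('\r', '').replace('\n', '')` treatment would keep a malformed value received from a remote instance from being written out as an extra record. The loop also no longer re-checks `attribute.type == htype` and never consults the attribute's `to_ids` flag, so the script trusts the attributes controller to return only detection-grade hashes of the requested type; if the search does not guarantee that, hashes marked not-for-IDS end up in the ClamAV database.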