Cleanup misp2clamav

pull/66/head
Raphaël Vinot 2017-03-27 17:43:11 +02:00
parent 0e39a204f6
commit 6dc422de72
1 changed files with 21 additions and 19 deletions


@ -1,17 +1,19 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# vim: tabstop=4 shiftwidth=4 expandtab # vim: tabstop=4 shiftwidth=4 expandtab
# #
# Export file hashes from MISP to ClamAV hdb file # Export file hashes from MISP to ClamAV hdb file
import sys import sys
from pymisp import PyMISP from pymisp import PyMISP, MISPAttribute
from keys import misp_url, misp_key from keys import misp_url, misp_key
def init_misp(): def init_misp():
global mymisp global mymisp
mymisp = PyMISP(misp_url, misp_key) mymisp = PyMISP(misp_url, misp_key)
def echeck(r): def echeck(r):
if r.get('errors'): if r.get('errors'):
if r.get('message') == 'No matches.': if r.get('message') == 'No matches.':
@ -20,25 +22,25 @@ def echeck(r):
print(r['errors']) print(r['errors'])
sys.exit(1) sys.exit(1)
def find_hashes(htype): def find_hashes(htype):
r = mymisp.search(type_attribute = htype) r = mymisp.search(controller='attributes', type_attribute=htype)
echeck(r) echeck(r)
if r.get('response'): if not r.get('response'):
c = '' return
v = '' for a in r['response']['Attribute']:
for e in r['response']: attribute = MISPAttribute(mymisp.describe_types)
for a in e['Event']['Attribute']: attribute.set_all_values(**a)
if a['type'] == htype: if '|' in attribute.type and '|' in attribute.value:
if '|' in htype and '|' in v: c, value = attribute.value.split('|')
s = v.split('|') comment = '{} - {}'.format(attribute.comment, c)
c = s[0] else:
v = s[1] comment = attribute.comment
else: value = attribute.value
c = a['comment'] mhash = value.replace(':', ';')
v = a['value'] mfile = 'MISP event {} {}'.format(a['event_id'], comment.replace(':', ';').replace('\r', '').replace('\n', ''))
mhash = v.replace(':',';') print('{}:*:{}:73'.format(mhash, mfile))
mfile = 'MISP event ' + e['Event']['id'] + ' ' + c.replace(':',';').replace('\r', '').replace('\n', '')
print('{}:*:{}:73'.format(mhash, mfile))
if __name__ == '__main__': if __name__ == '__main__':
init_misp() init_misp()
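Review bot: The hash taken from the attribute value on the new side (`mhash = value.replace(':', ';')`) goes into the hdb line without any validation, while only the comment on the following line is stripped of `\r`/`\n`; a MISP attribute whose value carries a newline or non-hex characters — plausible for events shared in from other organisations — would therefore inject an extra line or a malformed signature into the ClamAV database rather than a single hash entry. I would strip and check the hash before printing, e.g. `value = value.strip()` followed by `if not re.fullmatch(r'[0-9A-Fa-f]+', value): continue` (with `import re` added at the top), so bad input is skipped instead of corrupting the signature file. The unpacking `c, value = attribute.value.split('|')` also raises ValueError when the filename part of a `filename|hash` value itself contains `|`; `c, value = attribute.value.rsplit('|', 1)` keeps the last segment as the hash regardless. I cannot tell from here whether `MISPAttribute.comment` can be None for attributes without a comment, but if it can, `comment.replace(...)` would raise, and a `(attribute.comment or '')` guard is cheap.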