Merge pull request #197 from RichieB2B/misp2cef

Add misp2cef example
2018-02-26 17:26:54 +01:00 · 2018-02-26 17:26:54 +01:00 · 7195c6580a
parent d7d5fb37ec 7dd2f54196
commit 7195c6580a
1 changed files with 71 additions and 0 deletions
--- a/examples/misp2cef.py
+++ b/examples/misp2cef.py
@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# Export IOC's from MISP in CEF format
+# Based on cef_export.py MISP module by Hannah Ward
+
+import sys
+import datetime
+from pymisp import PyMISP, MISPAttribute
+from keys import misp_url, misp_key
+
+cefconfig  = {"Default_Severity":1, "Device_Vendor":"MISP", "Device_Product":"MISP", "Device_Version":1}
+
+cefmapping = {"ip-src":"src", "ip-dst":"dst", "hostname":"dhost", "domain":"destinationDnsDomain",
+              "md5":"fileHash", "sha1":"fileHash", "sha256":"fileHash",
+              "filename|md5":"fileHash", "filename|sha1":"fileHash", "filename|sha256":"fileHash",
+              "url":"request"}
+
+mispattributes = {'input':list(cefmapping.keys())}
+
+
+def make_cef(event):
+  for attr in event["Attribute"]:
+    if attr["to_ids"] and attr["type"] in cefmapping:
+      if '|' in attr["type"] and '|' in attr["value"]:
+        value = attr["value"].split('|')[1]
+      else:
+        value = attr["value"]
+      response = "{} host CEF:0|{}|{}|{}|{}|{}|{}|msg={} customerURI={} externalId={} {}={}".format(
+                      datetime.datetime.fromtimestamp(int(attr["timestamp"])).strftime("%b %d %H:%M:%S"),
+                      cefconfig["Device_Vendor"],
+                      cefconfig["Device_Product"],
+                      cefconfig["Device_Version"],
+                      attr["category"],
+                      attr["category"],
+                      cefconfig["Default_Severity"],
+                      event["info"].replace("\\","\\\\").replace("=","\\=").replace('\n','\\n') + "(MISP Event #" + event["id"] + ")",
+                      misp_url + 'events/view/' + event["id"],
+                      attr["uuid"],
+                      cefmapping[attr["type"]],
+                      value,
+               )
+      print(str(bytes(response, 'utf-8'), 'utf-8'))
+                        
+
+def init_misp():
+  global mymisp
+  mymisp = PyMISP(misp_url, misp_key)
+
+
+def echeck(r):
+  if r.get('errors'):
+    if r.get('message') == 'No matches.':
+      return
+    else:
+      print(r['errors'])
+      sys.exit(1)
+
+
+def find_events():
+  r = mymisp.search(controller='events', published=True, to_ids=True)
+  echeck(r)
+  if not r.get('response'):
+    return
+  for ev in r['response']:
+    make_cef(ev['Event'])
+
+
+if __name__ == '__main__':
+  init_misp()
+  find_events()