From 8ebb963adfdc26aadc195820c3efe7933f6283d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 26 Mar 2018 12:07:40 +0200
Subject: [PATCH] new: add preliminary fail2ban object
---
 examples/add_fail2ban_object.py | 48 +++++++++++++++++++++++++++++++++
 pymisp/data/misp-objects | 2 +-
 pymisp/tools/__init__.py | 2 ++
 pymisp/tools/fail2banobject.py | 34 +++++++++++++++++++++++
 4 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100755 examples/add_fail2ban_object.py
 create mode 100644 pymisp/tools/fail2banobject.py
diff --git a/examples/add_fail2ban_object.py b/examples/add_fail2ban_object.py
new file mode 100755
index 0000000..d299d54
--- /dev/null
+++ b/examples/add_fail2ban_object.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from pymisp import PyMISP, MISPEvent
+from pymisp.tools import Fail2BanObject
+import argparse
+from base64 import b64decode
+
+try:
+ from keys import misp_url, misp_key, misp_verifycert
+except Exception:
+ misp_url = 'URL'
+ misp_key = 'AUTH_KEY'
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='Add Fail2ban object.')
+ parser.add_argument("-b", "--banned_ip", required=True, help="Banned IP address.")
+ parser.add_argument("-a", "--attack_type", required=True, help="Type of attack.")
+ parser.add_argument("-p", "--processing_timestamp", help="Processing timestamp.")
+ parser.add_argument("-f", "--failures", help="Amount of failures that lead to the ban.")
+ parser.add_argument("-s", "--sensor", help="Sensor identifier.")
+ parser.add_argument("-v", "--victim", help="Victim identifier.")
+ parser.add_argument("-l", "--logline", help="Logline (base64 encoded).")
+ parser.add_argument("-ap", "--aggregation_period", required=True, help="Max time of the event (1d, 1h, ...).")
+ parser.add_argument("-t", "--tag", required=True, help="Tag to search on MISP.")
+ args = parser.parse_args()
+
+ pymisp = PyMISP(misp_url, misp_key, misp_verifycert, debug=True)
+
+ response = pymisp.search(tags=args.tag, last=args.aggregation_period, published=False)
+ me = MISPEvent()
+ if 'response' in response and response['response']:
+ me.load(response['response'][1])
+ else:
+ me.add_tag(args.tag)
+ parameters = {'banned-ip': args.banned_ip, 'attack-type': args.attack_type, 'processing-timestamp': args.processing_timestamp}
+ if args.failures:
+ parameters['failures'] = args.failures
+ if args.sensor:
+ parameters['sensor'] = args.sensor
+ if args.victim:
+ parameters['victim'] = args.victim
+ if args.logline:
+ parameters['logline'] = b64decode(args.logline).decode()
+ f2b = Fail2BanObject(parameters=parameters, standalone=False)
+ me.add_object(f2b)
+ pymisp.add_event(me)
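Review bot: When the `keys` import fails, the `except Exception` branch sets only `misp_url` and `misp_key`, so `misp_verifycert` is unbound and `PyMISP(misp_url, misp_key, misp_verifycert, debug=True)` raises NameError instead of running with the placeholders; add `misp_verifycert = True` to that branch so the fallback keeps certificate verification on rather than leaving the name undefined. `me.load(response['response'][1])` takes the second match rather than the first and raises IndexError when exactly one event matches the tag, so `[0]` is presumably intended. `b64decode(args.logline).decode()` raises on input that is not valid base64 or not UTF-8; since the value comes straight from the command line it is worth catching `(binascii.Error, UnicodeDecodeError)` and exiting with a clear message.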
diff --git a/pymisp/data/misp-objects b/pymisp/data/misp-objects
index c92ee2e..7c2e07a 160000
--- a/pymisp/data/misp-objects
+++ b/pymisp/data/misp-objects
@@ -1 +1 @@
-Subproject commit c92ee2e46179f2b30ff1011950f16af38e0f94fc
+Subproject commit 7c2e07a50b944d265f92cfba712d872091c1c199
diff --git a/pymisp/tools/__init__.py b/pymisp/tools/__init__.py
index 87154ec..a9940cb 100644
--- a/pymisp/tools/__init__.py
+++ b/pymisp/tools/__init__.py
@@ -9,3 +9,5 @@ from .abstractgenerator import AbstractMISPObjectGenerator # noqa
 from .genericgenerator import GenericObjectGenerator # noqa
 from .openioc import load_openioc, load_openioc_file # noqa
 from .sbsignatureobject import SBSignatureObject # noqa
+from .emailobject import EMailObject # noqa
+from .fail2banobject import Fail2BanObject # noqa
diff --git a/pymisp/tools/fail2banobject.py b/pymisp/tools/fail2banobject.py
new file mode 100644
index 0000000..3d7890a
--- /dev/null
+++ b/pymisp/tools/fail2banobject.py
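Review bot: The new `from .emailobject import EMailObject # noqa` line in `pymisp/tools/__init__.py` imports a module this patch does not add (the diffstat lists only `fail2banobject.py` as created), so unless `pymisp/tools/emailobject.py` already exists in the tree, `import pymisp.tools` will fail with ImportError for every consumer of the package, not only fail2ban users. If the module is not in the tree yet, drop that line from this commit and land it together with the module; if it is, a word in the commit description saying the import was simply missing would save the next reader the check.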
@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from datetime import datetime
+from .abstractgenerator import AbstractMISPObjectGenerator
+import logging
+from dateutil.parser import parse
+
+logger = logging.getLogger('pymisp')
+
+
+class Fail2BanObject(AbstractMISPObjectGenerator):
+
+ def __init__(self, parameters, standalone=True, **kwargs):
+ super(Fail2BanObject, self).__init__('fail2ban', standalone=standalone, **kwargs)
+ self.__parameters = parameters
+ self.generate_attributes()
+
+ def generate_attributes(self):
+ self.add_attribute('banned-ip', value=self.__parameters['banned-ip'])
+ self.add_attribute('attack-type', value=self.__parameters['attack-type'])
+ try:
+ timestamp = parse(self.__parameters['processing-timestamp'])
+ except Exception:
+ timestamp = datetime.now()
+
+ self.add_attribute('processing-timestamp', value=timestamp.isoformat())
+
+ if 'failures' in self.__parameters:
+ self.add_attribute('failures', value=self.__parameters['failures'])
+ if 'sensor' in self.__parameters:
+ self.add_attribute('', value=self.__parameters['sensor'])
+ if 'victim' in self.__parameters:
+ self.add_attribute('victim', value=self.__parameters['victim'])
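Review bot: `self.add_attribute('', value=self.__parameters['sensor'])` in `generate_attributes` registers the sensor value under an empty object relation, so it is either rejected against the template or stored with no meaning; it should read `self.add_attribute('sensor', value=self.__parameters['sensor'])`. The generator also never emits `logline`, although the example script in this same patch base64-decodes it and passes it in `parameters`, so that field is silently dropped — assuming the fail2ban template defines the relation (the example's use of the key suggests it does), add a matching `if 'logline' in self.__parameters:` branch. The `except Exception:` around `parse(...)` replaces a missing or unparseable processing-timestamp with `datetime.now()` without any trace, which for a ban record means the stored time is quietly the ingestion time rather than the event time; narrow it to the errors `parse` and the dict lookup actually raise and log the substitution through the module's `logger`. The rewritten tail of `generate_attributes` follows.
```python
        try:
            timestamp = parse(self.__parameters['processing-timestamp'])
        except (KeyError, TypeError, ValueError, OverflowError):
            # The supplied value is evidence; say so when it is replaced.
            logger.warning('No usable processing-timestamp supplied, falling back to the current time')
            timestamp = datetime.now()
        # … unchanged: processing-timestamp and failures attributes …
        if 'sensor' in self.__parameters:
            self.add_attribute('sensor', value=self.__parameters['sensor'])
        # … unchanged: victim attribute …
        if 'logline' in self.__parameters:
            self.add_attribute('logline', value=self.__parameters['logline'])
```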