diff --git a/examples/make_neo4j.py b/examples/make_neo4j.py
new file mode 100755
index 0000000..247a866
--- /dev/null
+++ b/examples/make_neo4j.py
@@ -0,0 +1,32 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from pymisp import PyMISP
+from pymisp import Neo4j
+from pymisp import MISPEvent
+from keys import misp_url, misp_key
+import argparse
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='Get all the events matching a value.')
+ parser.add_argument("-s", "--search", required=True, help="String to search.")
+ parser.add_argument("--host", default='localhost:7474', help="Host where neo4j is running.")
+ parser.add_argument("-u", "--user", default='neo4j', help="User on neo4j.")
+ parser.add_argument("-p", "--password", default='neo4j', help="Password on neo4j.")
+ args = parser.parse_args()
+
+ neo4j = Neo4j(args.host, args.user, args.password)
+ neo4j.del_all()
+ misp = PyMISP(misp_url, misp_key)
+ result = misp.search_all(args.search)
+ for json_event in result['response']:
+ if not json_event['Event']:
+ print(json_event)
+ continue
+ print('Importing', json_event['Event']['info'], json_event['Event']['id'])
+ try:
+ misp_event = MISPEvent()
+ misp_event.load(json_event)
+ neo4j.import_event(misp_event)
+ except:
+ print('broken')
diff --git a/pymisp/__init__.py b/pymisp/__init__.py
index 7cbe0ee..e8553e2 100644
--- a/pymisp/__init__.py
+++ b/pymisp/__init__.py
@@ -3,3 +3,4 @@ __version__ = '2.4.53'
 from .exceptions import PyMISPError, NewEventError, NewAttributeError, MissingDependency, NoURL, NoKey
 from .api import PyMISP
 from .mispevent import MISPEvent, MISPAttribute, EncodeUpdate, EncodeFull
+from .tools.neo4j import Neo4j
diff --git a/pymisp/tools/__init__.py b/pymisp/tools/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/pymisp/tools/neo4j.py b/pymisp/tools/neo4j.py
new file mode 100644
index 0000000..cb49df1
--- /dev/null
+++ b/pymisp/tools/neo4j.py
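Review bot: `neo4j.del_all()` in examples/make_neo4j.py runs unconditionally before the import, so pointing `--host` at a Neo4j instance that holds anything else erases that data without warning. Make the wipe opt-in, for example `parser.add_argument("--wipe", action="store_true", help="Delete all existing graph data before importing.")` followed by `if args.wipe: neo4j.del_all()`. The bare `except:` at the end of the loop hides why an event failed and also swallows KeyboardInterrupt; `except Exception as e:` with `print('broken', json_event['Event']['id'], e)` keeps the loop going and leaves a trace. Passing the password through `-p` exposes it in the process list and shell history, so a comment saying so, or an environment-variable fallback, would help users who copy this example.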
@@ -0,0 +1,59 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+import glob
+import os
+from pymisp import MISPEvent
+
+try:
+ from py2neo import authenticate, Graph, Node, Relationship
+ has_py2neo = True
+except ImportError:
+ has_py2neo = False
+
+
+class Neo4j():
+
+ def __init__(self, host='localhost:7474', username='neo4j', password='neo4j'):
+ if not has_py2neo:
+ raise Exception('py2neo is required, please install: pip install py2neo')
+ authenticate(host, username, password)
+ self.graph = Graph()
+
+ def load_events_directory(self, directory):
+ self.events = []
+ for path in glob.glob(os.path.join(directory, '*.json')):
+ e = MISPEvent()
+ e.load(path)
+ self.import_event(e)
+
+ def del_all(self):
+ self.graph.delete_all()
+
+ def import_event(self, event):
+ tx = self.graph.begin()
+ event_node = Node('Event', uuid=event.uuid)
+ event_node['name'] = event.info
+ # event_node['distribution'] = event.distribution
+ # event_node['threat_level_id'] = event.threat_level_id
+ # event_node['analysis'] = event.analysis
+ # event_node['published'] = event.published
+ # event_node['date'] = event.date.isoformat()
+ tx.create(event_node)
+ for a in event.attributes:
+ attr_node = Node('Attribute', a.type, uuid=a.uuid)
+ attr_node['category'] = a.category
+ attr_node['name'] = a.value
+ # attr_node['to_ids'] = a.to_ids
+ # attr_node['comment'] = a.comment
+ # attr_node['distribution'] = a.distribution
+ tx.create(attr_node)
+ member_rel = Relationship(event_node, "is member", attr_node)
+ tx.create(member_rel)
+ val = Node('Value', name=a.value)
+ ev = Relationship(event_node, "has", val)
+ av = Relationship(attr_node, "is", val)
+ s = val | ev | av
+ tx.merge(s)
+ tx.graph.push(s)
+ tx.commit()
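Review bot: In `Neo4j.__init__`, `host` is passed only to `authenticate()` while `Graph()` is built with no arguments, so as far as these lines show the connection goes to py2neo's default endpoint rather than the host the caller named. Because `del_all()` calls `self.graph.delete_all()`, a caller who believes they are targeting a remote instance could instead wipe whatever database the default resolves to. Passing the endpoint explicitly, e.g. `self.graph = Graph("http://{}/db/data/".format(host))`, ties the connection to the credentials just registered. The `neo4j`/`neo4j` defaults are Neo4j's stock credentials, so a class docstring should state that they are placeholders to override. The missing-dependency check would also be more consistent with the package if it raised `MissingDependency`, which `pymisp/__init__.py` already exports, instead of a bare `Exception`.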