From efd8b80adb7a7314a19f7cd732d1c92b55b9e427 Mon Sep 17 00:00:00 2001
From: 0x3c7
Date: Tue, 18 Jun 2019 16:10:20 +0200
Subject: [PATCH 1/7] [openioc] Allow the use of types in openioc content tags
---
 pymisp/tools/openioc.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pymisp/tools/openioc.py b/pymisp/tools/openioc.py
index 6251b48..78f42c9 100755
--- a/pymisp/tools/openioc.py
+++ b/pymisp/tools/openioc.py
@@ -218,7 +218,11 @@ def set_values(value1, value2=None):
 compositeMapping = '{}|{}'.format(value1.find('context')['search'], value2.find('context')['search'])
 mapping = get_mapping(compositeMapping, mappingDict=iocMispCompositeMapping)
 else:
- mapping = get_mapping(value1.find('context')['search'])
+ content_type = value1.find('content').get('type', None)
+ if content_type:
+ mapping = get_mapping(value1.find('context')['search'] + '/' + content_type)
+ else:
+ mapping = get_mapping(value1.find('context')['search'])
 if mapping:
 attribute_values.update(mapping)
From 42a3dcf704d817a215d7f0acafc0523e17b1e390 Mon Sep 17 00:00:00 2001
From: 0x3c7
Date: Wed, 19 Jun 2019 07:38:15 +0200
Subject: [PATCH 2/7] Fixes other mapping to other types
---
 pymisp/tools/openioc.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/pymisp/tools/openioc.py b/pymisp/tools/openioc.py
index 78f42c9..a40299f 100755
--- a/pymisp/tools/openioc.py
+++ b/pymisp/tools/openioc.py
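Review bot: In the [PATCH 1/7] hunk, the added `value1.find('content').get('type', None)` in `set_values` uses the result of `find` without checking it, so an indicator item with no content element would raise instead of being skipped (assuming `find` returns None on a miss; the parser is not visible here). The same line stays as context in the [PATCH 2/7] hunk. OpenIOC files normally come from outside the organisation, so I would guard the lookup: `content = value1.find('content')` followed by `content_type = content.get('type') if content is not None else None`. `set_values` starts and ends outside the hunk, so any later use of the content element may need the same guard.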
@@ -218,11 +218,12 @@ def set_values(value1, value2=None):
 compositeMapping = '{}|{}'.format(value1.find('context')['search'], value2.find('context')['search'])
 mapping = get_mapping(compositeMapping, mappingDict=iocMispCompositeMapping)
 else:
+ context_search = value1.find('context')['search']
 content_type = value1.find('content').get('type', None)
- if content_type:
- mapping = get_mapping(value1.find('context')['search'] + '/' + content_type)
+ if "RouteEntryItem/Destination" in context_search and content_type:
+ mapping = get_mapping(context_search + '/' + content_type)
 else:
- mapping = get_mapping(value1.find('context')['search'])
+ mapping = get_mapping(context_search)
 if mapping:
 attribute_values.update(mapping)
From b7d15380c947e3978f7933c534f0052f8275023b Mon Sep 17 00:00:00 2001
From: 0x3c7
Date: Wed, 19 Jun 2019 07:39:15 +0200
Subject: [PATCH 3/7] [openioc] Changed mapping for RouteEntryItem/Destination/string to domain instead of url because UrlHistoryItem/URL is mostly used for urls
---
 pymisp/tools/openioc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pymisp/tools/openioc.py b/pymisp/tools/openioc.py
index a40299f..769ef73 100755
--- a/pymisp/tools/openioc.py
+++ b/pymisp/tools/openioc.py
@@ -100,7 +100,7 @@ iocMispMapping = {
 'RouteEntryItem/Destination': {'type': 'ip-dst'},
 'RouteEntryItem/Destination/IP': {'type': 'ip-dst', 'comment': 'RouteDestination. '},
- 'RouteEntryItem/Destination/string': {'type': 'url', 'comment': 'RouteDestination. '},
+ 'RouteEntryItem/Destination/string': {'type': 'domain', 'comment': 'RouteDestination. '},
 'ServiceItem/name': {'type': 'windows-service-name'},
From ffcc7e0631eaa3fb28c20cf606ec81d4874d6976 Mon Sep 17 00:00:00 2001
From: Tom King
Date: Wed, 19 Jun 2019 10:25:34 +0100
Subject: [PATCH 4/7] new: Introduce ability to create a sharing group
---
 pymisp/api.py | 18 +++++++++++++++++-
 pymisp/mispevent.py | 9 +++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
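Review bot: In the [PATCH 2/7] hunk, a `RouteEntryItem/Destination` item whose content type has no suffixed key gets no mapping, because the suffixed lookup is the only one tried; the `iocMispMapping` entries visible in the later hunks have suffixed keys only for `IP` and `string`, next to the base key. Falling back to the base key would keep such indicators from being lost on import, assuming `get_mapping` returns a falsy value on a miss as the following `if mapping:` suggests: `mapping = get_mapping(context_search + '/' + content_type) or get_mapping(context_search)`. The `in` test is also a substring match, so any search term that merely contains that text takes this branch; `context_search == 'RouteEntryItem/Destination'` is tighter if an exact match is intended. `set_values` continues outside the hunk.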
diff --git a/pymisp/api.py b/pymisp/api.py
index 2b2c2db..70bd097 100644
--- a/pymisp/api.py
+++ b/pymisp/api.py
@@ -17,7 +17,7 @@ import zipfile
 from . import __version__, deprecated
 from .exceptions import PyMISPError, SearchError, NoURL, NoKey, PyMISPEmptyResponse
-from .mispevent import MISPEvent, MISPAttribute, MISPUser, MISPOrganisation, MISPSighting, MISPFeed, MISPObject
+from .mispevent import MISPEvent, MISPAttribute, MISPUser, MISPOrganisation, MISPSighting, MISPFeed, MISPObject, MISPSharingGroup
 from .abstract import AbstractMISP, MISPEncode
 logger = logging.getLogger('pymisp')
@@ -2241,6 +2241,22 @@ class PyMISP(object):
 # ######################
 # ### Sharing Groups ###
 # ######################
+ def add_sharing_group(self, name, releasability, description, active=True, roaming=False):
+ """Add a new sharing group, which includes the organisation associated
+ with the API key and the local server
+
+ :name: The name of the sharing group to create
+ :releasability: The releasibility information
+ :description: The description of the sharing group
+ :active: Should the sharing group be set to be active?
+ :roaming: Should the sharing group be allowed to roam?
+ """
+
+ new_sg = MISPSharingGroup()
+ new_sg.from_dict(name=name, releasability=releasability,
+ description=description, active=active, roaming=roaming)
+
+ return self._rest_add('sharing_groups', new_sg)
 def sharing_group_org_add(self, sharing_group, organisation, extend=False):
 '''Add an organisation to a sharing group.
diff --git a/pymisp/mispevent.py b/pymisp/mispevent.py
index c660ed4..3ec8879 100644
--- a/pymisp/mispevent.py
+++ b/pymisp/mispevent.py
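Review bot: The docstring of `add_sharing_group` (second hunk of pymisp/api.py in [PATCH 4/7]) does not say what the method returns. Since the group is created with `active=True` by default, a caller will want that result to confirm what was created before using the group for distribution. I would add a line such as `:returns: the result of the sharing_groups add request`, worded after checking `_rest_add`, which is outside the hunk. The `:releasability:` line also carries a typo, `releasibility`, which should read `releasability`.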
@@ -1176,3 +1176,12 @@ class MISPObject(AbstractMISP):
 if hasattr(self, 'name'):
 return '<{self.__class__.__name__}(name={self.name})'.format(self=self)
 return '<{self.__class__.__name__}(NotInitialized)'.format(self=self)
+
+
+class MISPSharingGroup(AbstractMISP):
+
+ def __init__(self):
+ super(MISPSharingGroup, self).__init__()
+
+ def from_dict(self, **kwargs):
+ super(MISPSharingGroup, self).from_dict(**kwargs)
From 709ba2c29cf4dc5e5655affa0fca784be8b59ede Mon Sep 17 00:00:00 2001
From: Tom King
Date: Wed, 19 Jun 2019 10:38:38 +0100
Subject: [PATCH 5/7] chg: Remove roaming as it can't be set in this request
---
 pymisp/api.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/pymisp/api.py b/pymisp/api.py
index 70bd097..906b21c 100644
--- a/pymisp/api.py
+++ b/pymisp/api.py
@@ -2241,7 +2241,7 @@ class PyMISP(object):
 # ######################
 # ### Sharing Groups ###
 # ######################
- def add_sharing_group(self, name, releasability, description, active=True, roaming=False):
+ def add_sharing_group(self, name, releasability, description, active=True):
 """Add a new sharing group, which includes the organisation associated
 with the API key and the local server
@@ -2249,13 +2249,11 @@ class PyMISP(object):
 :releasability: The releasibility information
 :description: The description of the sharing group
 :active: Should the sharing group be set to be active?
- :roaming: Should the sharing group be allowed to roam?
 """
 new_sg = MISPSharingGroup()
 new_sg.from_dict(name=name, releasability=releasability,
- description=description, active=active, roaming=roaming)
-
+ description=description, active=active)
 return self._rest_add('sharing_groups', new_sg)
 def sharing_group_org_add(self, sharing_group, organisation, extend=False):
From 7be58af56a5cfe3d7ad58397d70451ff3d8921d1 Mon Sep 17 00:00:00 2001
From: 0x3c7
Date: Wed, 19 Jun 2019 12:45:20 +0200
Subject: [PATCH 6/7] [openioc] changed default mapping for RouteEntryItem/Destination/string.
---
 pymisp/tools/openioc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pymisp/tools/openioc.py b/pymisp/tools/openioc.py
index 769ef73..9d337b1 100755
--- a/pymisp/tools/openioc.py
+++ b/pymisp/tools/openioc.py
@@ -100,7 +100,7 @@ iocMispMapping = {
 'RouteEntryItem/Destination': {'type': 'ip-dst'},
 'RouteEntryItem/Destination/IP': {'type': 'ip-dst', 'comment': 'RouteDestination. '},
- 'RouteEntryItem/Destination/string': {'type': 'domain', 'comment': 'RouteDestination. '},
+ 'RouteEntryItem/Destination/string': {'type': 'hostname', 'comment': 'RouteDestination. '},
 'ServiceItem/name': {'type': 'windows-service-name'},
From fcfe05850912bc89c47f0bbcd3d076a82d46043b Mon Sep 17 00:00:00 2001
From: Tom King
Date: Thu, 20 Jun 2019 09:11:51 +0100
Subject: [PATCH 7/7] chg: Allow for deletion of security group
---
 pymisp/api.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pymisp/api.py b/pymisp/api.py
index 2b2c2db..86cf8c4 100644
--- a/pymisp/api.py
+++ b/pymisp/api.py
@@ -2284,6 +2284,12 @@ class PyMISP(object):
 response = self._prepare_request('POST', url, json.dumps(to_jsonify))
 return self._check_response(response)
+ def delete_sharing_group(self, sharing_group):
+ """Delete a sharing group
+ :sharing_group: Sharing group's local instance ID, or Sharing group's global uuid
+ """
+ return self._rest_delete("sharing_groups", sharing_group)
+
 # ###################
 # ### Objects ###
 # ###################
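Review bot: `delete_sharing_group` in the [PATCH 7/7] hunk passes `sharing_group` straight to `_rest_delete`, and its docstring states neither the return value nor the effect of the call, which matters for a destructive operation on an object that controls who receives shared data. I would document the return value and, if `_rest_delete` (outside the hunk) places the identifier in the request path, check that it is an integer ID or a well-formed UUID before the call. For consistency with the single-quoted `'POST'` in the context line above, the call should read `return self._rest_delete('sharing_groups', sharing_group)`.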