Merge branch 'main' of github.com:MISP/PyMISP into main

pull/664/head
Raphaël Vinot 2020-10-09 12:54:18 +02:00
commit bacd4c78cd
11 changed files with 81 additions and 15 deletions


@ -1295,7 +1295,7 @@ Other
values, sanitization) [Falconieri]
- Add: exportpdf tool working. [Falconieri]
- General improvement : deisgn, exhaustiviness of mispEvent values
displayed, good pratice concerning paragraphe/table made. [Falconieri]
displayed, good practice concerning paragraphe/table made. [Falconieri]
- Update with table basics. [Falconieri]
- Structure of the improvements OK : test file, test folder, report
generator. [Falconieri]
@ -2219,7 +2219,7 @@ Changes
- Bump CHANGELOG. [Raphaël Vinot]
- Bump misp-objects. [Raphaël Vinot]
- Update readme for new logging system. [Raphaël Vinot]
- Small improvments in the logging system. [Raphaël Vinot]
- Small improvements in the logging system. [Raphaël Vinot]
- Properly use python logging module. [Raphaël Vinot]
- Update asciidoctor generator. [Raphaël Vinot]
- Remove warning if PyMISP is too new. [Raphaël Vinot]
@ -2547,7 +2547,7 @@ Other
- Cleanup warning function. [Raphaël Vinot]
- Fix typos. [Raphaël Vinot]
- Remove unused variable. [Tristan METAYER]
- Remove category It will be automaticly detected
- Remove category It will be automatically detected
https://github.com/MISP/PyMISP/blob/master/pymisp/tools/openioc.py.
[Tristan METAYER]
- Revert tab to escape. [Tristan METAYER]
@ -2756,7 +2756,7 @@ Other
- Bump version. [Raphaël Vinot]
- Add orgs managment. [Raphaël Vinot]
- Run on more python versions. [Raphaël Vinot]
- Exemple addtag (dirty) [Déborah Servili]
- Example addtag (dirty) [Déborah Servili]
- Fix last commit. [Raphaël Vinot]
- Wrong use of API for dateuntil. [Koen Van Impe]


@ -70,7 +70,7 @@
"source": [
"## Search unpublished events\n",
"\n",
"**WARNING**: By default, the search query will only return all the events listed on teh index page"
"**WARNING**: By default, the search query will only return all the events listed on the index page"
]
},
{

56
examples/add_gitlab_user.py Executable file

@ -0,0 +1,56 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pymisp import PyMISP
from pymisp import MISPObject
from pymisp.tools import update_objects
from keys import misp_url, misp_key, misp_verifycert
import argparse
import requests
import sys
"""
usage: add_gitlab_user.py [-h] -e EVENT [-f] -u USERNAME [-l LINK]
Fetch GitLab user details and add it in object in MISP
optional arguments:
-h, --help show this help message and exit
-e EVENT, --event EVENT
Event ID to update
-f, --force-template-update
-u USERNAME, --username USERNAME
GitLab username to add
-l LINK, --link LINK Url to access the GitLab instance, Default is
www.gitlab.com.
"""
default_url = "http://www.gitlab.com/"
parser = argparse.ArgumentParser(description='Fetch GitLab user details and add it in object in MISP')
parser.add_argument("-e", "--event", required=True, help="Event ID to update")
parser.add_argument("-f", "--force-template-update", required=False, action="store_true")
parser.add_argument("-u", "--username", required=True, help="GitLab username to add")
parser.add_argument("-l", "--link", required=False, help="Url to access the GitLab instance, Default is www.gitlab.com.", default=default_url)
args = parser.parse_args()
r = requests.get("{}api/v4/users?username={}".format(args.link, args.username))
if r.status_code != 200:
sys.exit("HTTP return is {} and not 200 as expected".format(r.status_code))
if args.force_template_update:
print("Updating MISP Object templates...")
update_objects()
gitlab_user = r.json()[0]
pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
print(gitlab_user)
misp_object = MISPObject(name="gitlab-user")
misp_object.add_attribute('username', gitlab_user['username'])
misp_object.add_attribute('id', gitlab_user['id'])
misp_object.add_attribute('name', gitlab_user['name'])
misp_object.add_attribute('state', gitlab_user['state'])
misp_object.add_attribute('avatar_url', gitlab_user['avatar_url'])
misp_object.add_attribute('web_url', gitlab_user['web_url'])
retcode = pymisp.add_object(args.event, misp_object)
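Review bot: The username is pasted into the query string with `.format` on the `requests.get` line, so a value containing `&`, `#` or a space alters the request instead of being sent as data; `r = requests.get("{}api/v4/users".format(args.link), params={"username": args.username})` lets requests encode it. A few lines later `r.json()[0]` raises IndexError when the lookup returns an empty list (unknown username), which deserves a clear exit, e.g. `users = r.json()` followed by `if not users: sys.exit("No GitLab user named {}".format(args.username))`. `default_url` is plain `http://`, so the default lookup goes out in cleartext; an `https://` default is the safer choice. Minor style points: the module docstring sits after the imports, `print(gitlab_user)` looks like leftover debugging, and `retcode` from `add_object` is assigned but never inspected or reported.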


@ -7,7 +7,7 @@ import argparse
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Delete the user with the given id. Keep in mind that disabling users (by setting the disabled flag via an edit) is always prefered to keep user associations to events intact.')
parser = argparse.ArgumentParser(description='Delete the user with the given id. Keep in mind that disabling users (by setting the disabled flag via an edit) is always preferred to keep user associations to events intact.')
parser.add_argument("-i", "--user_id", help="The id of the user you want to delete.")
args = parser.parse_args()


@ -11,7 +11,7 @@
````
# Feed generator
git clone https://github.com/CIRCL/PyMISP
git clone https://github.com/MISP/PyMISP
cd examples/feed-generator-from-redis
cp settings.default.py settings.py
vi settings.py # adjust your settings
@ -66,7 +66,7 @@ python3 server.py
>>> obj_data = { "session": "session_id", "username": "admin", "password": "admin", "protocol": "telnet" }
>>> generator.add_object_to_event(obj_name, **obj_data)
# Immediatly write the event to the disk (Bypassing the default flushing behavior)
# Immediately write the event to the disk (Bypassing the default flushing behavior)
>>> generator.flush_event()
```


@ -107,7 +107,7 @@ class RedisToMISPFeed:
# Suffix not provided, try to add anyway
if settings.fallback_MISP_type == 'attribute':
new_key = key + self.SUFFIX_ATTR
# Add atribute type from the config
# Add attribute type from the config
if 'type' not in data and settings.fallback_attribute_type:
data['type'] = settings.fallback_attribute_type
else:


@ -4,8 +4,8 @@
* It will also generate a html document with a table (attribute\_table.html) containing count for each type of attribute.
* test\_attribute\_treemap.html is a quick page made to visualize both treemap and table at the same time.
* tags\_count.py is a script that count the number of occurences of every tags in a fetched sample of Events in a given period of time.
* tag\_search.py is a script that count the number of occurences of a given tag in a fetched sample of Events in a given period of time.
* tags\_count.py is a script that count the number of occurrences of every tags in a fetched sample of Events in a given period of time.
* tag\_search.py is a script that count the number of occurrences of a given tag in a fetched sample of Events in a given period of time.
* Events will be fetched from _days_ days ago to today.
* _begindate_ is the beginning of the studied period. If it is later than today, an error will be raised.
* _enddate_ is the end of the studied period. If it is earlier than _begindate_, an error will be raised.


@ -129,7 +129,7 @@ def search_vmray_incomplete(m, url, wait_period, module_import_url, module_impor
if module_DEBUG and req is not None:
print("Response code from submitting to MISP modules %s" % (req.status_code))
# Succesful response from the misp modules?
# Successful response from the misp modules?
if req.status_code == 200:
req_json = req.json()
if "error" in req_json:


@ -1917,7 +1917,7 @@ class PyMISP:
:param timestamp: Restrict the results by the timestamp (last edit). Any event with a timestamp newer than the given timestamp will be returned. In case you are dealing with /attributes as scope, the attribute's timestamp will be used for the lookup.
:param published: Set whether published or unpublished events should be returned. Do not set the parameter if you want both.
:param enforce_warninglist: Remove any attributes from the result that would cause a hit on a warninglist entry.
:param to_ids: By default all attributes are returned that match the other filter parameters, irregardless of their to_ids setting. To restrict the returned data set to to_ids only attributes set this parameter to 1. 0 for the ones with to_ids set to False.
:param to_ids: By default all attributes are returned that match the other filter parameters, regardless of their to_ids setting. To restrict the returned data set to to_ids only attributes set this parameter to 1. 0 for the ones with to_ids set to False.
:param deleted: If this parameter is set to 1, it will only return soft-deleted attributes. ["0", "1"] will return the active ones as well as the soft-deleted ones.
:param include_event_uuid: Instead of just including the event ID, also include the event UUID in each of the attributes.
:param include_event_tags: Include the event level tags in each of the attributes.


@ -36,6 +36,7 @@
"comment",
"cookie",
"filename",
"filename-pattern",
"filename|authentihash",
"filename|impfuzzy",
"filename|imphash",
@ -128,6 +129,7 @@
"domain",
"domain|ip",
"filename",
"filename-pattern",
"filename|md5",
"filename|sha1",
"filename|sha256",
@ -214,6 +216,7 @@
"email-src",
"email-subject",
"eppn",
"filename-pattern",
"hassh-md5",
"hasshserver-md5",
"hex",
@ -283,6 +286,7 @@
"email-thread-index",
"email-x-mailer",
"filename",
"filename-pattern",
"filename|authentihash",
"filename|impfuzzy",
"filename|imphash",
@ -361,6 +365,7 @@
"chrome-extension-id",
"comment",
"filename",
"filename-pattern",
"filename|authentihash",
"filename|impfuzzy",
"filename|imphash",
@ -942,6 +947,10 @@
"default_category": "Person",
"to_ids": 0
},
"pattern-filename": {
"default_category": "Payload installation",
"to_ids": 1
},
"pattern-in-file": {
"default_category": "Payload installation",
"to_ids": 1
@ -1329,6 +1338,7 @@
"passport-country",
"passport-expiration",
"passport-number",
"pattern-filename",
"pattern-in-file",
"pattern-in-memory",
"pattern-in-traffic",
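Review bot: The name added to the five category lists in the first hunks is `filename-pattern`, while the new sane_defaults entry and the types-list entry in the last two hunks are spelled `pattern-filename`, so the category membership and the type definition refer to two different names and one of them will not resolve. Whichever spelling is the real MISP attribute type should be used in all seven places. If this file is a copy of MISP core's describeTypes.json, the mismatch is worth checking against the upstream file before editing it here.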


@ -79,10 +79,10 @@ class FileObject(AbstractMISPObjectGenerator):
if len(data) == 0:
return 0.0
occurences = Counter(bytearray(data))
occurrences = Counter(bytearray(data))
entropy = 0.0
for x in occurences.values():
for x in occurrences.values():
p_x = float(x) / len(data)
entropy -= p_x * math.log(p_x, 2)