Merge branch 'main' of github.com:MISP/PyMISP into main

2020-10-09 12:54:18 +02:00 · 2020-10-09 12:54:18 +02:00 · bacd4c78cd
parent cce228564b ff7ed7a838
commit bacd4c78cd
11 changed files with 81 additions and 15 deletions
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -1295,7 +1295,7 @@ Other
  values, sanitization) [Falconieri]
 - Add: exportpdf tool working. [Falconieri]
 - General improvement : deisgn, exhaustiviness of mispEvent values
-  displayed, good pratice concerning paragraphe/table made. [Falconieri]
+  displayed, good practice concerning paragraphe/table made. [Falconieri]
 - Update with table basics. [Falconieri]
 - Structure of the improvements OK : test file, test folder, report
  generator. [Falconieri]
@ -2219,7 +2219,7 @@ Changes
 - Bump CHANGELOG. [Raphaël Vinot]
 - Bump misp-objects. [Raphaël Vinot]
 - Update readme for new logging system. [Raphaël Vinot]
- Small improvments in the logging system. [Raphaël Vinot]
+- Small improvements in the logging system. [Raphaël Vinot]
 - Properly use python logging module. [Raphaël Vinot]
 - Update asciidoctor generator. [Raphaël Vinot]
 - Remove warning if PyMISP is too new. [Raphaël Vinot]
@ -2547,7 +2547,7 @@ Other
 - Cleanup warning function. [Raphaël Vinot]
 - Fix typos. [Raphaël Vinot]
 - Remove unused variable. [Tristan METAYER]
- Remove category It will be automaticly detected
+- Remove category It will be automatically detected
  https://github.com/MISP/PyMISP/blob/master/pymisp/tools/openioc.py.
  [Tristan METAYER]
 - Revert tab to escape. [Tristan METAYER]
@ -2756,7 +2756,7 @@ Other
 - Bump version. [Raphaël Vinot]
 - Add orgs managment. [Raphaël Vinot]
 - Run on more python versions. [Raphaël Vinot]
- Exemple addtag (dirty) [Déborah Servili]
+- Example addtag (dirty) [Déborah Servili]
 - Fix last commit. [Raphaël Vinot]
 - Wrong use of API for dateuntil. [Koen Van Impe]

--- a/docs/tutorial/old/Search.ipynb
+++ b/docs/tutorial/old/Search.ipynb
@ -70,7 +70,7 @@
   "source": [
    "## Search unpublished events\n",
    "\n",
-    "**WARNING**: By default, the search query will only return all the events listed on teh index page"
+    "**WARNING**: By default, the search query will only return all the events listed on the index page"
   ]
  },
  {
--- a/examples/add_gitlab_user.py
+++ b/examples/add_gitlab_user.py
@ -0,0 +1,56 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from pymisp import PyMISP
+from pymisp import MISPObject
+from pymisp.tools import update_objects
+from keys import misp_url, misp_key, misp_verifycert
+import argparse
+import requests
+import sys
+
+"""
+usage: add_gitlab_user.py [-h] -e EVENT [-f] -u USERNAME [-l LINK]
+
+Fetch GitLab user details and add it in object in MISP
+
+optional arguments:
+  -h, --help            show this help message and exit
+  -e EVENT, --event EVENT
+                        Event ID to update
+  -f, --force-template-update
+  -u USERNAME, --username USERNAME
+                        GitLab username to add
+  -l LINK, --link LINK  Url to access the GitLab instance, Default is
+                        www.gitlab.com.
+"""
+
+default_url = "http://www.gitlab.com/"
+
+parser = argparse.ArgumentParser(description='Fetch GitLab user details and add it in object in MISP')
+parser.add_argument("-e", "--event", required=True, help="Event ID to update")
+parser.add_argument("-f", "--force-template-update", required=False, action="store_true")
+parser.add_argument("-u", "--username", required=True, help="GitLab username to add")
+parser.add_argument("-l", "--link", required=False, help="Url to access the GitLab instance, Default is www.gitlab.com.", default=default_url)
+args = parser.parse_args()
+
+
+r = requests.get("{}api/v4/users?username={}".format(args.link, args.username))
+if r.status_code != 200:
+    sys.exit("HTTP return is {} and not 200 as expected".format(r.status_code))
+if args.force_template_update:
+    print("Updating MISP Object templates...")
+    update_objects()
+
+gitlab_user = r.json()[0]
+pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
+print(gitlab_user)
+
+misp_object = MISPObject(name="gitlab-user")
+misp_object.add_attribute('username', gitlab_user['username'])
+misp_object.add_attribute('id', gitlab_user['id'])
+misp_object.add_attribute('name', gitlab_user['name'])
+misp_object.add_attribute('state', gitlab_user['state'])
+misp_object.add_attribute('avatar_url', gitlab_user['avatar_url'])
+misp_object.add_attribute('web_url', gitlab_user['web_url'])
+retcode = pymisp.add_object(args.event, misp_object)
--- a/examples/delete_user.py
+++ b/examples/delete_user.py
@ -7,7 +7,7 @@ import argparse


 if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description='Delete the user with the given id. Keep in mind that disabling users (by setting the disabled flag via an edit) is always prefered to keep user associations to events intact.')
+    parser = argparse.ArgumentParser(description='Delete the user with the given id. Keep in mind that disabling users (by setting the disabled flag via an edit) is always preferred to keep user associations to events intact.')
    parser.add_argument("-i", "--user_id", help="The id of the user you want to delete.")
    args = parser.parse_args()

--- a/examples/feed-generator-from-redis/README.md
+++ b/examples/feed-generator-from-redis/README.md
@ -11,7 +11,7 @@

 ````
 #  Feed generator
-git clone https://github.com/CIRCL/PyMISP
+git clone https://github.com/MISP/PyMISP
 cd examples/feed-generator-from-redis
 cp settings.default.py settings.py
 vi settings.py  # adjust your settings
@ -66,7 +66,7 @@ python3 server.py
 >>> obj_data = { "session": "session_id", "username": "admin", "password": "admin", "protocol": "telnet" }
 >>> generator.add_object_to_event(obj_name, **obj_data)

-# Immediatly write the event to the disk (Bypassing the default flushing behavior)
+# Immediately write the event to the disk (Bypassing the default flushing behavior)
 >>> generator.flush_event()
 ```

--- a/examples/feed-generator-from-redis/fromredis.py
+++ b/examples/feed-generator-from-redis/fromredis.py
@ -107,7 +107,7 @@ class RedisToMISPFeed:
            # Suffix not provided, try to add anyway
            if settings.fallback_MISP_type == 'attribute':
                new_key = key + self.SUFFIX_ATTR
-                # Add atribute type from the config
+                # Add attribute type from the config
                if 'type' not in data and settings.fallback_attribute_type:
                    data['type'] = settings.fallback_attribute_type
                else:
--- a/examples/situational-awareness/README.md
+++ b/examples/situational-awareness/README.md
@ -4,8 +4,8 @@
 * It will also generate a html document with a table (attribute\_table.html) containing count for each type of attribute.
 * test\_attribute\_treemap.html is a quick page made to visualize both treemap and table at the same time.

-* tags\_count.py is a script that count the number of occurences of every tags in a fetched sample of Events in a given period of time.
-* tag\_search.py is a script that count the number of occurences of a given tag  in a fetched sample of Events in a given period of time.
+* tags\_count.py is a script that count the number of occurrences of every tags in a fetched sample of Events in a given period of time.
+* tag\_search.py is a script that count the number of occurrences of a given tag  in a fetched sample of Events in a given period of time.
    * Events will be fetched from _days_ days ago to today.
    * _begindate_ is the beginning of the studied period. If it is later than today, an error will be raised.
    * _enddate_ is the end of the studied period. If it is earlier than _begindate_, an error will be raised.
--- a/examples/vmray_automation.py
+++ b/examples/vmray_automation.py
@ -129,7 +129,7 @@ def search_vmray_incomplete(m, url, wait_period, module_import_url, module_impor
                    if module_DEBUG and req is not None:
                        print("Response code from submitting to MISP modules %s" % (req.status_code))

-                    # Succesful response from the misp modules?
+                    # Successful response from the misp modules?
                    if req.status_code == 200:
                        req_json = req.json()
                        if "error" in req_json:
--- a/pymisp/api.py
+++ b/pymisp/api.py
@ -1917,7 +1917,7 @@ class PyMISP:
        :param timestamp: Restrict the results by the timestamp (last edit). Any event with a timestamp newer than the given timestamp will be returned. In case you are dealing with /attributes as scope, the attribute's timestamp will be used for the lookup.
        :param published: Set whether published or unpublished events should be returned. Do not set the parameter if you want both.
        :param enforce_warninglist: Remove any attributes from the result that would cause a hit on a warninglist entry.
-        :param to_ids: By default all attributes are returned that match the other filter parameters, irregardless of their to_ids setting. To restrict the returned data set to to_ids only attributes set this parameter to 1. 0 for the ones with to_ids set to False.
+        :param to_ids: By default all attributes are returned that match the other filter parameters, regardless of their to_ids setting. To restrict the returned data set to to_ids only attributes set this parameter to 1. 0 for the ones with to_ids set to False.
        :param deleted: If this parameter is set to 1, it will only return soft-deleted attributes. ["0", "1"] will return the active ones as well as the soft-deleted ones.
        :param include_event_uuid: Instead of just including the event ID, also include the event UUID in each of the attributes.
        :param include_event_tags: Include the event level tags in each of the attributes.
--- a/pymisp/data/describeTypes.json
+++ b/pymisp/data/describeTypes.json
@ -36,6 +36,7 @@
        "comment",
        "cookie",
        "filename",
+        "filename-pattern",
        "filename|authentihash",
        "filename|impfuzzy",
        "filename|imphash",
@ -128,6 +129,7 @@
        "domain",
        "domain|ip",
        "filename",
+        "filename-pattern",
        "filename|md5",
        "filename|sha1",
        "filename|sha256",
@ -214,6 +216,7 @@
        "email-src",
        "email-subject",
        "eppn",
+        "filename-pattern",
        "hassh-md5",
        "hasshserver-md5",
        "hex",
@ -283,6 +286,7 @@
        "email-thread-index",
        "email-x-mailer",
        "filename",
+        "filename-pattern",
        "filename|authentihash",
        "filename|impfuzzy",
        "filename|imphash",
@ -361,6 +365,7 @@
        "chrome-extension-id",
        "comment",
        "filename",
+        "filename-pattern",
        "filename|authentihash",
        "filename|impfuzzy",
        "filename|imphash",
@ -942,6 +947,10 @@
        "default_category": "Person",
        "to_ids": 0
      },
+      "pattern-filename": {
+        "default_category": "Payload installation",
+        "to_ids": 1
+      },
      "pattern-in-file": {
        "default_category": "Payload installation",
        "to_ids": 1
@ -1329,6 +1338,7 @@
      "passport-country",
      "passport-expiration",
      "passport-number",
+      "pattern-filename",
      "pattern-in-file",
      "pattern-in-memory",
      "pattern-in-traffic",
--- a/pymisp/tools/fileobject.py
+++ b/pymisp/tools/fileobject.py
@ -79,10 +79,10 @@ class FileObject(AbstractMISPObjectGenerator):
        if len(data) == 0:
            return 0.0

-        occurences = Counter(bytearray(data))
+        occurrences = Counter(bytearray(data))

        entropy = 0.0
-        for x in occurences.values():
+        for x in occurrences.values():
            p_x = float(x) / len(data)
            entropy -= p_x * math.log(p_x, 2)