diff --git a/examples/get_network_activity.py b/examples/get_network_activity.py
index f3be10f..3b11513 100755
--- a/examples/get_network_activity.py
+++ b/examples/get_network_activity.py
@@ -5,10 +5,19 @@ Python script to extract network activity from MISP database
 Koen Van Impe
 20141116
-
+ netflow 20150804
 Feed it a list of event_id's (1 id per line) with the option "-f".
 Use --no-comment to get a flat list of entries without event id and title information
+ Usage
+ ./get_network_activity.py --netflow --event 8
+ get netflow filter for event 8
+
+ ./get_network_activity.py -f get_network_activity.event_id --netflow
+ get netflow filter for events in id file
+
+ ./get_network_activity.py -f get_network_activity.event_id
+ get output with comments
 """
 from pymisp import PyMISP
@@ -35,7 +44,7 @@ def get_event(event_id):
 :event_id the id of the event
 """
 global network_ip_src, network_ip_dst, network_hostname, network_domain
- global app_hostname, app_domain, app_ip_src, app_ip_dst, app_ids_only
+ global app_hostname, app_domain, app_ip_src, app_ip_dst, app_ids_only, app_printcomment, app_netflow
 event_id = int(event_id)
 if event_id > 0:
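Review bot: `app_printcomment` is added to get_event's `global` list only so that the function can overwrite a command-line flag (the `app_printcomment = False` assignment is in the next hunk, inside the per-attribute loop), which makes a per-event worker silently change program-wide output settings and does so once per attribute. The same effect can be derived once where the other flags are set from `args` in the `__main__` block, e.g. `app_printcomment = args.no_comment and not args.netflow`, after which both the added global name and the assignment in the following hunk can be dropped; this assumes nothing else relies on the flag flipping mid-run, which I cannot confirm from the hunk. get_event's body continues past this hunk.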
@@ -59,16 +68,21 @@ def get_event(event_id):
 value = attribute["value"]
 title = event_core["info"]
- if attribute["type"] == "ip-src" and app_ip_src:
- network_ip_src.append([build_entry(value, event_id, title, "ip-src")])
- elif attribute["type"] == "ip-dst" and app_ip_dst:
- network_ip_dst.append([build_entry(value, event_id, title, "ip-dst")])
- elif attribute["type"] == "domain" and app_domain:
- network_domain.append([build_entry(value, event_id, title, "domain")])
- elif attribute["type"] == "hostname" and app_hostname:
- network_hostname.append([build_entry(value, event_id, title, "hostname")])
+ if app_netflow:
+ app_printcomment = False
+ if attribute["type"] == "ip-dst" and app_ip_dst:
+ network_ip_dst.append([build_entry(value, event_id, title, "ip-dst")])
 else:
- continue
+ if attribute["type"] == "ip-src" and app_ip_src:
+ network_ip_src.append([build_entry(value, event_id, title, "ip-src")])
+ elif attribute["type"] == "ip-dst" and app_ip_dst:
+ network_ip_dst.append([build_entry(value, event_id, title, "ip-dst")])
+ elif attribute["type"] == "domain" and app_domain:
+ network_domain.append([build_entry(value, event_id, title, "domain")])
+ elif attribute["type"] == "hostname" and app_hostname:
+ network_hostname.append([build_entry(value, event_id, title, "hostname")])
+ else:
+ continue
 else:
 print("Not a valid ID")
 return
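Review bot: In the new `if app_netflow:` branch only `ip-dst` attributes are collected, so an event's `ip-src` values never reach the generated filter even when `--no-ip-src` was not given; if that is intended it should be stated in the `--netflow` help text or the module docstring, otherwise the branch should honour `app_ip_src` as well. The `else` branch repeats the whole previous dispatch chain and the `ip-dst` case now exists twice, whereas netflow mode only narrows which attribute types are kept, so a single chain preceded by `if app_netflow and attribute["type"] != "ip-dst": continue` would keep one copy of each case. The enclosing loop and get_event begin before this hunk.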
@@ -99,20 +113,29 @@ def print_events():
 Print the events from the result arrays
 """
 global network_ip_src, network_ip_dst, network_domain, network_hostname
- global app_hostname, app_domain, app_ip_src, app_ip_dst, app_ids_only, app_printcomment, app_printtitle
+ global app_hostname, app_domain, app_ip_src, app_ip_dst, app_ids_only, app_printcomment, app_printtitle, app_netflow
- if app_ip_src:
- for ip in network_ip_src:
- print(ip[0])
- if app_ip_dst:
+ if app_netflow:
+ firsthost = True
 for ip in network_ip_dst:
- print(ip[0])
- if app_domain:
- for ip in network_domain:
- print(ip[0])
- if app_hostname:
- for ip in network_hostname:
- print(ip[0])
+ if firsthost:
+ firsthost = False
+ else:
+ print " or "
+ print "host %s" % ip[0]
+ else:
+ if app_ip_src:
+ for ip in network_ip_src:
+ print(ip[0])
+ if app_ip_dst:
+ for ip in network_ip_dst:
+ print(ip[0])
+ if app_domain:
+ for ip in network_domain:
+ print(ip[0])
+ if app_hostname:
+ for ip in network_hostname:
+ print(ip[0])
 if __name__ == '__main__':
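Review bot: `print " or "` and `print "host %s" % ip[0]` are Python 2 print statements while every other print in this hunk uses the function form, so the file stops parsing under Python 3, and under Python 2 each statement ends with a newline, so the terms come out one per line instead of the single `host A or host B` expression the docstring describes. The `firsthost` loop can be replaced by `if network_ip_dst:` followed by `print(" or ".join("host %s" % ip[0] for ip in network_ip_dst))`, which emits nothing for an empty list as the current code does. Since `ip[0]` is whatever build_entry returned for a MISP attribute value and is spliced verbatim into an nfdump filter, it is worth rejecting entries that are not IP literals (for example with `ipaddress.ip_address`) before emitting them so that a malformed attribute cannot break or alter the filter; build_entry is outside this hunk, so whether it can return more than the bare value is unconfirmed.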
@@ -141,17 +164,27 @@ if __name__ == '__main__':
 help='Include IDS and non-IDS attribures.')
 parser.add_argument('--no-titles', action='store_true', default=False,
 help='Do not include titles')
+ parser.add_argument('--netflow', action='store_true', default=False,
+ help='Netflow (nfdump) output')
+ parser.add_argument('--event', type=int, default=0,
+ help='EventID to parse (not using filename)')
 args = parser.parse_args()
- if args.filename is not None:
- init()
- app_printcomment = args.no_comment
- app_hostname = args.hostname
- app_domain = args.domain
- app_ip_src = not(args.no_ip_src)
- app_ip_dst = not(args.no_ip_dst)
- app_ids_only = args.no_ids_only
- app_printtitle = not(args.no_titles)
+ init()
+ app_printcomment = args.no_comment
+ app_hostname = args.hostname
+ app_domain = args.domain
+ app_ip_src = not(args.no_ip_src)
+ app_ip_dst = not(args.no_ip_dst)
+ app_ids_only = args.no_ids_only
+ app_printtitle = not(args.no_titles)
+ app_netflow = args.netflow
+ app_event = args.event
+
+ if app_event > 0:
+ get_event(app_event)
+ print_events()
+ elif args.filename is not None:
 # print "app_printcomment %s app_hostname %s app_domain %s app_ip_src %s app_ip_dst %s app_ids_only %s app_printtitle %s" % (app_printcomment,app_hostname, app_domain, app_ip_src, app_ip_dst, app_ids_only, app_printtitle)
 with open(args.filename, 'r') as line:
 for event_id in line:
diff --git a/setup.py b/setup.py
index 55b5aed..2c32e97 100644
--- a/setup.py
+++ b/setup.py
@@ -4,7 +4,7 @@ from setuptools import setup
 setup(
 name='pymisp',
- version='1.0.1',
+ version='1.1',
 author='Raphaël Vinot',
 author_email='raphael.vinot@circl.lu',
 maintainer='Raphaël Vinot',
@@ -21,6 +21,6 @@ setup(
 'Programming Language :: Python',
 'Topic :: Security',
 'Topic :: Internet',
- ],
+ ],
 install_requires=['requests'],
- )
+)
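Review bot: With the new `if app_event > 0:` / `elif args.filename is not None:` ordering, giving both `--event` and `-f` makes `--event` win and the file is silently ignored, and giving neither still produces no output and no message (whether a final `else:` exists is outside the hunk). Declaring the two inputs as alternatives with `group = parser.add_mutually_exclusive_group(required=True)` and registering `--event` and `-f` on the group lets argparse report both the conflict and the missing input; the `-f` definition sits above this hunk, so it would have to move into the group. The `__main__` block starts before and continues after this hunk.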