From 94e3419c39e29c3549892abc511f53e1f045118a Mon Sep 17 00:00:00 2001
From: garanews
Date: Fri, 20 Oct 2017 09:55:46 +0200
Subject: [PATCH 1/3] Created add_generic_object.py
usage: add_generic_object.py [-h] -e EVENT -t TYPE -d DICT
Examples:
python3 add_generic_object.py -e 1683 -t email -d '{"subject":"The Pink Letter", "to":"jon@snow.org"}'
python3 add_generic_object.py -e 2343 -t person -d '{"first-name":"Daenerys", "last-name":"Targaryen", "place-of-birth":"Dragonstone"}'
python3 add_generic_object.py -e 3596 -t "domain|ip" -d '{"domain":"stormborn.org", "ip":"50.63.202.33"}'
---
 examples/add_generic_object.py | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 examples/add_generic_object.py
diff --git a/examples/add_generic_object.py b/examples/add_generic_object.py
new file mode 100644
index 0000000..308a1a3
--- /dev/null
+++ b/examples/add_generic_object.py
@@ -0,0 +1,33 @@
+import json
+from pymisp import PyMISP
+from pymisp.tools.abstractgenerator import AbstractMISPObjectGenerator
+from keys import misp_url, misp_key, misp_verifycert
+import argparse
+
+class GenericObject(AbstractMISPObjectGenerator):
+ def __init__(self, type, data_dict):
+ super(GenericObject, self).__init__(type)
+ self.__data = data_dict
+ self.generate_attributes()
+
+ def generate_attributes(self):
+ for key, value in self.__data.items():
+ self.add_attribute(key, value=value)
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='Create a MISP Object selectable by type starting from a dictionary')
+ parser.add_argument("-e", "--event", required=True, help="Event ID to update")
+ parser.add_argument("-t", "--type", required=True, help="Type of the generic object")
+ parser.add_argument("-d", "--dict", required=True, help="Dict ")
+ args = parser.parse_args()
+
+ pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
+ try:
+ template_id = [x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list() if x['ObjectTemplate']['name'] == args.type][0]
+ except IndexError:
+ valid_types = ", ".join([x['ObjectTemplate']['name'] for x in pymisp.get_object_templates_list()])
+ print ("Template for type %s not found! Valid types are: %s" % (args.type, valid_types))
+ exit()
+
+ misp_object = GenericObject(args.type.replace("|", "-"), json.loads(args.dict))
+ r = pymisp.add_object(args.event, template_id, misp_object)
From 6517081fabbf2e313c1f82d3628a2303711132b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 24 Oct 2017 18:09:10 -0400
Subject: [PATCH 2/3] chg: Add simple asciidoc generator for MISP event
---
 examples/asciidoc_generator.py | 139 +++++++++++++++++++++++++++++++++
 1 file changed, 139 insertions(+)
 create mode 100755 examples/asciidoc_generator.py
diff --git a/examples/asciidoc_generator.py b/examples/asciidoc_generator.py
new file mode 100755
index 0000000..156a7ff
--- /dev/null
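Review bot: The template lookup on the `template_id =` line compares against the raw `args.type`, while the object itself is built from `args.type.replace("|", "-")`; if templates are stored under the dash form (the commit message's `-t "domain|ip"` example suggests the pipe is meant as an input alias), that example lands in the `except IndexError` branch instead of creating an object. Resolve the name once, `type_name = args.type.replace("|", "-")`, and use it for both the lookup and the `GenericObject(...)` call. That fallback branch also fetches `get_object_templates_list()` a second time and leaves via `exit()`, which terminates with status 0, so a wrapper script cannot distinguish "template not found" from success; `sys.exit(1)` (with `import sys`) is the usual fix. Finally `r = pymisp.add_object(...)` is never inspected, so a server-side refusal (this repo's tests mock such replies as `{'errors': [...]}`) is dropped silently; print `r` or check it for an `errors` key before exiting.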
+++ b/examples/asciidoc_generator.py 
@@ -0,0 +1,139 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from pymisp import MISPEvent
+from defang import defang
+import argparse
+from pytaxonomies import Taxonomies
+from datetime import date
+
+headers = """
+:toc: right
+:toclevels: 1
+:toc-title: Daily Report
+:icons: font
+:sectanchors:
+:sectlinks:
+= Daily report by {org_name}
+{date}
+
+:icons: font
+
+"""
+
+event_level_tags = """
+IMPORTANT: This event is classified TLP:{value}.
+
+{expanded}
+
+"""
+
+attributes = """
+=== Indicator(s) of compromise
+
+{list_attributes}
+
+"""
+
+title = """
+== ({internal_id}) {title}
+
+{summary}
+
+"""
+
+types_to_attach = ['ip-dst', 'url', 'domain']
+objects_to_attach = ['domain-ip']
+
+class ReportGenerator():
+
+ def __init__(self):
+ self.taxonomies = Taxonomies()
+ self.report = ''
+
+ def from_remote(self, event_id):
+ from pymisp import PyMISP
+ from keys import misp_url, misp_key, misp_verifycert
+ misp = PyMISP(misp_url, misp_key, misp_verifycert)
+ result = misp.get(event_id)
+ self.misp_event = MISPEvent()
+ self.misp_event.load(result)
+
+ def from_file(self, path):
+ self.misp_event = MISPEvent()
+ self.misp_event.load_file(path)
+
+ def attributes(self):
+ if not self.misp_event.attributes:
+ return ''
+ list_attributes = ''
+ for attribute in self.misp_event.attributes:
+ if attribute.type in types_to_attach:
+ list_attributes += "\n* {}\n".format(defang(attribute.value))
+ for obj in self.misp_event.Object:
+ for attribute in obj.Attribute:
+ if attribute.type in types_to_attach:
+ list_attributes += "\n* {}\n".format(defang(attribute.value))
+ return attributes.format(list_attributes=list_attributes)
+
+ def _get_tag_info(self, machinetag):
+ return self.taxonomies.revert_machinetag(machinetag)
+
+ def report_headers(self):
+ content = {'org_name': 'name',
+ 'date': date.today().isoformat()}
+ self.report += headers.format(**content)
+
+ def event_level_tags(self):
+ if not self.misp_event.Tag:
+ return ''
+ for tag in 
self.misp_event.Tag:
+ # Only look for TLP for now
+ if tag['name'].startswith('tlp'):
+ tax, predicate = self._get_tag_info(tag['name'])
+ return event_level_tags.format(value=predicate.predicate.upper(), expanded=predicate.expanded)
+
+ def title(self):
+ internal_id = ''
+ summary = ''
+ # Get internal refs for report
+ for obj in self.misp_event.Object:
+ if obj.name != 'report':
+ continue
+ for a in obj.Attribute:
+ if a.object_relation == 'case-number':
+ internal_id = a.value
+ if a.object_relation == 'summary':
+ summary = a.value
+
+ return title.format(internal_id=internal_id, title=self.misp_event.info,
+ summary=summary)
+
+
+ def asciidoc(self, lang='en'):
+ self.report += self.title()
+ self.report += self.event_level_tags()
+ self.report += self.attributes()
+
+if __name__ == '__main__':
+
+ parser = argparse.ArgumentParser(description='Create a human-readable report out of a MISP event')
+ group = parser.add_mutually_exclusive_group(required=True)
+ group.add_argument("-e", "--event", default=[], nargs='+', help="Event ID to get.")
+ group.add_argument("-p", "--path", default=[], nargs='+', help="Path to the JSON dump.")
+
+ args = parser.parse_args()
+
+ report = ReportGenerator()
+ report.report_headers()
+
+ if args.event:
+ for eid in args.event:
+ report.from_remote(eid)
+ report.asciidoc()
+ else:
+ for f in args.path:
+ report.from_file(f)
+ report.asciidoc()
+
+ print(report.report)
From a8daa9b97268aece5ae90cd7255f379480d5f056 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Wed, 25 Oct 2017 11:17:25 -0400
Subject: [PATCH 3/3] Fix test suite
---
 tests/test_offline.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_offline.py b/tests/test_offline.py
index 47e43a5..70f8e3e 100644
--- a/tests/test_offline.py
+++ b/tests/test_offline.py
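Review bot: `event_level_tags()` falls off the end of its `for tag in self.misp_event.Tag` loop when the event carries tags but none starts with `tlp`, so it returns `None`, and `asciidoc()` then executes `self.report += None`, which raises TypeError; add `return ''` after the loop to match the untagged branch. Separately, `attributes()` passes every indicator through `defang()`, but `title()` interpolates `self.misp_event.info` and the report object's `summary` and `case-number` values verbatim, so any URL or hostname typed into those free-text fields lands in the generated report live and as raw AsciiDoc; either defang those strings too or state in a `title()` docstring that free text is emitted unescaped, so consumers of the report know. `report_headers()` also fills `org_name` with the literal `'name'`, and the `lang` parameter of `asciidoc()` is never read; a `# TODO: use the event's Orgc name` and `# TODO: lang is not yet honoured` would stop readers from relying on either.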
@@ -47,7 +47,7 @@ class TestOffline(unittest.TestCase):
 m.register_uri('POST', self.domain + 'events/5758ebf5-c898-48e6-9fe9-5665c0a83866', json=self.event)
 m.register_uri('DELETE', self.domain + 'events/2', json={'message': 'Event deleted.'})
 m.register_uri('DELETE', self.domain + 'events/3', json={'errors': ['Invalid event'], 'message': 'Invalid event', 'name': 'Invalid event', 'url': '/events/3'})
- m.register_uri('DELETE', self.domain + 'attributes/2', json={'message': 'Attribute deleted.'})
+ m.register_uri('GET', self.domain + 'attributes/delete/2', json={'message': 'Attribute deleted.'})
 m.register_uri('POST', self.domain + 'events/index', json=self.search_index_result)
 def test_getEvent(self, m):
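Review bot: The replacement mock answers `GET` on `attributes/delete/2` for what is a state-changing call, and neither the hunk nor the commit message ("Fix test suite") records why the verb and path moved away from `DELETE attributes/2`; presumably it tracks a change in how PyMISP's attribute deletion addresses the server, but a reader of the test cannot tell that from a typo. A one-line comment beside it, `# attribute deletion is expected to go out as GET attributes/delete/<id>`, would make the intent explicit and stop the next contributor from "fixing" it back. The setup method these registrations belong to starts outside the hunk.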