MISP
/
PyMISP
mirror of https://github.com/MISP/PyMISP
2
0
Fork 0
Code Issues Releases Wiki Activity

Getting closed to a full support of a misp event as a Python Object

pull/34/head
Raphaël Vinot 2016-09-27 19:47:22 +02:00
parent cf257493f7
commit e035922949
10 changed files with 936 additions and 530 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
MANIFEST.in Normal file
View File

@ -0,0 +1 @@
include pymisp/data/*

1
pymisp/__init__.py
View File

@ -2,3 +2,4 @@ __version__ = '2.4.51.1'
from .exceptions import PyMISPError, NewEventError, NewAttributeError, MissingDependency, NoURL, NoKey
from .api import PyMISP
from .mispevent import MISPEvent, MISPAttribute, EncodeUpdate, EncodeFull

51
pymisp/api.py
View File

@ -23,8 +23,8 @@ except ImportError:
HAVE_REQUESTS = False
from . import __version__
from .exceptions import PyMISPError, NewEventError, NewAttributeError, SearchError, MissingDependency, NoURL, NoKey
from .mispevent import MISPEvent, MISPAttribute
from .exceptions import PyMISPError, NewAttributeError, SearchError, MissingDependency, NoURL, NoKey
from .mispevent import MISPEvent, MISPAttribute, EncodeUpdate
# Least dirty way to support python 2 and 3
try:
@ -290,30 +290,17 @@ class PyMISP(object):
def _prepare_full_event(self, distribution, threat_level_id, analysis, info, date=None, published=False):
misp_event = MISPEvent(self.describe_types['result'])
misp_event.set_values(info, distribution, threat_level_id, analysis, date)
misp_event.set_all_values(info=info, distribution=distribution, threat_level_id=threat_level_id,
analysis=analysis, date=date)
if published:
misp_event.publish()
return misp_event.dump()
return json.dumps(misp_event, cls=EncodeUpdate)
def _prepare_full_attribute(self, category, type_value, value, to_ids, comment=None, distribution=5):
misp_attribute = MISPAttribute(self.categories, self.types, self.category_type_mapping)
misp_attribute.set_values(type_value, value, category, to_ids, comment, distribution)
return misp_attribute.dump()
def _prepare_update(self, event):
# Cleanup the received event to make it publishable
event['Event'].pop('locked', None)
event['Event'].pop('attribute_count', None)
event['Event'].pop('RelatedEvent', None)
event['Event'].pop('orgc', None)
event['Event'].pop('ShadowAttribute', None)
event['Event'].pop('org', None)
event['Event'].pop('proposal_email_lock', None)
event['Event'].pop('publish_timestamp', None)
event['Event'].pop('published', None)
event['Event'].pop('timestamp', None)
event['Event']['id'] = int(event['Event']['id'])
return event
misp_attribute.set_all_values(type=type_value, value=value, category=category,
to_ids=to_ids, comment=comment, distribution=distribution)
return json.dumps(misp_attribute, cls=EncodeUpdate)
def _one_or_more(self, value):
"""Returns a list/tuple of one or more items, regardless of input."""
@ -334,14 +321,16 @@ class PyMISP(object):
def publish(self, event):
if event['Event']['published']:
return {'error': 'Already published'}
event = self._prepare_update(event)
event['Event']['published'] = True
return self.update_event(event['Event']['id'], event)
e = MISPEvent(self.describe_types['result'])
e.load(event)
e.publish()
return self.update_event(event['Event']['id'], json.dumps(e, cls=EncodeUpdate))
def change_threat_level(self, event, threat_level_id):
event['Event']['threat_level_id'] = threat_level_id
self._prepare_update(event)
return self.update_event(event['Event']['id'], event)
e = MISPEvent(self.describe_types['result'])
e.load(event)
e.threat_level_id = threat_level_id
return self.update_event(event['Event']['id'], json.dumps(e, cls=EncodeUpdate))
def new_event(self, distribution=None, threat_level_id=None, analysis=None, info=None, date=None, published=False):
data = self._prepare_full_event(distribution, threat_level_id, analysis, info, date, published)
@ -365,12 +354,12 @@ class PyMISP(object):
if proposal:
response = self.proposal_add(event['Event']['id'], attributes)
else:
event = self._prepare_update(event)
for a in attributes:
e = MISPEvent(self.describe_types['result'])
e.load(event)
for a in e.attributes:
if a.get('distribution') is None:
a['distribution'] = 5
event['Event']['Attribute'] = attributes
response = self.update_event(event['Event']['id'], event)
response = self.update_event(event['Event']['id'], json.dumps(e, cls=EncodeUpdate))
return response
def add_named_attribute(self, event, category, type_value, value, to_ids=False, comment=None, distribution=None, proposal=False):

1
pymisp/data/describeTypes.json Normal file
View File

File diff suppressed because one or more lines are too long

322
pymisp/data/schema-lax.json Normal file
View File

@ -0,0 +1,322 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json",
"type": "object",
"properties": {
"Event": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/id",
"type": "string"
},
"orgc_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/orgc_id",
"type": "string"
},
"org_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/org_id",
"type": "string"
},
"date": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/date",
"type": "string"
},
"threat_level_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/threat_level_id",
"type": "string"
},
"info": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/info",
"type": "string"
},
"published": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/published",
"type": "boolean"
},
"uuid": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/uuid",
"type": "string"
},
"attribute_count": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/attribute_count",
"type": "string"
},
"analysis": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/analysis",
"type": "string"
},
"timestamp": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/timestamp",
"type": "string"
},
"distribution": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/distribution",
"type": "string"
},
"proposal_email_lock": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/proposal_email_lock",
"type": "boolean"
},
"locked": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/locked",
"type": "boolean"
},
"publish_timestamp": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/publish_timestamp",
"type": "string"
},
"sharing_group_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/sharing_group_id",
"type": "string"
},
"Org": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Org",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Org/id",
"type": "string"
},
"name": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Org/name",
"type": "string"
},
"uuid": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Org/uuid",
"type": "string"
}
}
},
"Orgc": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Orgc",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Orgc/id",
"type": "string"
},
"name": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Orgc/name",
"type": "string"
},
"uuid": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Orgc/uuid",
"type": "string"
}
}
},
"Attribute": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute",
"type": "array",
"items": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/id",
"type": "string"
},
"type": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/type",
"type": "string"
},
"category": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/category",
"type": "string"
},
"to_ids": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/to_ids",
"type": "boolean"
},
"uuid": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/uuid",
"type": "string"
},
"event_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/event_id",
"type": "string"
},
"distribution": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/distribution",
"type": "string"
},
"timestamp": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/timestamp",
"type": "string"
},
"comment": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/comment",
"type": "string"
},
"sharing_group_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/sharing_group_id",
"type": "string"
},
"value": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/value",
"type": "string"
},
"SharingGroup": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/SharingGroup",
"type": "array",
"items": {},
"additionalItems": false
},
"ShadowAttribute": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/ShadowAttribute",
"type": "array",
"items": {},
"additionalItems": false
}
}
},
"additionalItems": false
},
"ShadowAttribute": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/ShadowAttribute",
"type": "array",
"items": {},
"additionalItems": false
},
"RelatedEvent": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent",
"type": "array",
"items": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0",
"type": "object",
"properties": {
"Org": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Org",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Org/id",
"type": "string"
},
"name": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Org/name",
"type": "string"
},
"uuid": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Org/uuid",
"type": "string"
}
}
},
"Orgc": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Orgc",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Orgc/id",
"type": "string"
},
"name": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Orgc/name",
"type": "string"
},
"uuid": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Orgc/uuid",
"type": "string"
}
}
},
"Event": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event",
"type": "object",
"items": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/id",
"type": "string"
},
"date": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/date",
"type": "string"
},
"threat_level_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/threat_level_id",
"type": "string"
},
"info": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/info",
"type": "string"
},
"published": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/published",
"type": "boolean"
},
"uuid": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/uuid",
"type": "string"
},
"analysis": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/analysis",
"type": "string"
},
"timestamp": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/timestamp",
"type": "string"
},
"distribution": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/distribution",
"type": "string"
},
"org_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/org_id",
"type": "string"
},
"orgc_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/orgc_id",
"type": "string"
}
}
},
"additionalItems": false
}
}
},
"additionalItems": false
},
"Tag": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Tag",
"type": "array",
"items": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Tag/2",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Tag/2/id",
"type": "string"
},
"name": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Tag/2/name",
"type": "string"
},
"colour": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Tag/2/colour",
"type": "string"
},
"exportable": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Tag/2/exportable",
"type": "boolean"
}
}
},
"additionalItems": false
}
},
"required": [
"info",
"Attribute"
]
}
},
"required": [
"Event"
]
}

327
pymisp/data/schema.json Normal file
View File

@ -0,0 +1,327 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json",
"type": "object",
"properties": {
"Event": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/id",
"type": "integer"
},
"orgc_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/orgc_id",
"type": "integer"
},
"org_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/org_id",
"type": "integer"
},
"date": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/date",
"type": "string"
},
"threat_level_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/threat_level_id",
"type": "integer"
},
"info": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/info",
"type": "string"
},
"published": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/published",
"type": "boolean"
},
"uuid": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/uuid",
"type": "string"
},
"attribute_count": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/attribute_count",
"type": "integer"
},
"analysis": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/analysis",
"type": "integer"
},
"timestamp": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/timestamp",
"type": "integer"
},
"distribution": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/distribution",
"type": "integer"
},
"proposal_email_lock": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/proposal_email_lock",
"type": "boolean"
},
"locked": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/locked",
"type": "boolean"
},
"publish_timestamp": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/publish_timestamp",
"type": "integer"
},
"sharing_group_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/sharing_group_id",
"type": "integer"
},
"Org": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Org",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Org/id",
"type": "string"
},
"name": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Org/name",
"type": "string"
},
"uuid": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Org/uuid",
"type": "string"
}
}
},
"Orgc": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Orgc",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Orgc/id",
"type": "string"
},
"name": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Orgc/name",
"type": "string"
},
"uuid": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Orgc/uuid",
"type": "string"
}
}
},
"Attribute": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute",
"type": "array",
"items": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/id",
"type": "string"
},
"type": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/type",
"type": "string"
},
"category": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/category",
"type": "string"
},
"to_ids": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/to_ids",
"type": "boolean"
},
"uuid": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/uuid",
"type": "string"
},
"event_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/event_id",
"type": "integer"
},
"distribution": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/distribution",
"type": "integer"
},
"timestamp": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/timestamp",
"type": "integer"
},
"comment": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/comment",
"type": "string"
},
"sharing_group_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/sharing_group_id",
"type": "integer"
},
"value": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/value",
"type": "string"
},
"SharingGroup": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/SharingGroup",
"type": "array",
"items": {},
"additionalItems": false
},
"ShadowAttribute": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Attribute/17/ShadowAttribute",
"type": "array",
"items": {},
"additionalItems": false
}
}
},
"additionalItems": false
},
"ShadowAttribute": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/ShadowAttribute",
"type": "array",
"items": {},
"additionalItems": false
},
"RelatedEvent": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent",
"type": "array",
"items": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0",
"type": "object",
"properties": {
"Org": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Org",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Org/id",
"type": "string"
},
"name": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Org/name",
"type": "string"
},
"uuid": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Org/uuid",
"type": "string"
}
}
},
"Orgc": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Orgc",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Orgc/id",
"type": "string"
},
"name": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Orgc/name",
"type": "string"
},
"uuid": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Orgc/uuid",
"type": "string"
}
}
},
"Event": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event",
"type": "object",
"items": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/id",
"type": "string"
},
"date": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/date",
"type": "string"
},
"threat_level_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/threat_level_id",
"type": "integer"
},
"info": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/info",
"type": "string"
},
"published": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/published",
"type": "boolean"
},
"uuid": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/uuid",
"type": "string"
},
"analysis": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/analysis",
"type": "string"
},
"timestamp": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/timestamp",
"type": "integer"
},
"distribution": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/distribution",
"type": "string"
},
"org_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/org_id",
"type": "integer"
},
"orgc_id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/RelatedEvent/0/Event/0/orgc_id",
"type": "integer"
}
}
},
"additionalItems": false
}
}
},
"additionalItems": false
},
"Tag": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Tag",
"type": "array",
"items": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Tag/2",
"type": "object",
"properties": {
"id": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Tag/2/id",
"type": "string"
},
"name": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Tag/2/name",
"type": "string"
},
"colour": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Tag/2/colour",
"type": "string"
},
"exportable": {
"id": "https://www.github.com/MISP/MISP/format/2.4/schema.json/Event/Tag/2/exportable",
"type": "boolean"
}
}
},
"additionalItems": false
}
},
"required": [
"date",
"threat_level_id",
"info",
"published",
"analysis",
"distribution",
"Attribute"
]
}
},
"required": [
"Event"
]
}

366
pymisp/mispevent.py
View File

@ -4,6 +4,17 @@
import datetime
import time
import json
from json import JSONEncoder
import os
try:
from dateutil.parser import parse
except ImportError:
pass
try:
import jsonschema
except ImportError:
pass
from .exceptions import PyMISPError, NewEventError, NewAttributeError
@ -14,8 +25,9 @@ class MISPAttribute(object):
self.categories = categories
self.types = types
self.category_type_mapping = category_type_mapping
self.new = True
self._reinitialize_attribute()
def _reinitialize_attribute(self):
# Default values
self.category = None
self.type = None
@ -24,53 +36,106 @@ class MISPAttribute(object):
self.comment = ''
self.distribution = 5
def set_values(self, type_value, value, category, to_ids, comment, distribution):
self._validate(type_value, value, category, to_ids, comment, distribution)
self.type = type_value
self.value = value
self.category = category
self.to_ids = to_ids
self.comment = comment
self.distribution = distribution
# other possible values
self.id = None
self.uuid = None
self.timestamp = None
self.sharing_group_id = None
self.deleted = None
self.SharingGroup = []
self.ShadowAttribute = []
def set_values_existing_attribute(self, attribute_id, uuid, timestamp, sharing_group_id, deleted, SharingGroup, ShadowAttribute):
self.new = False
self.id = int(attribute_id)
self.uuid = uuid
self.timestamp = datetime.datetime.fromtimestamp(timestamp)
self.sharing_group_id = int(sharing_group_id)
self.deleted = deleted
self.SharingGroup = SharingGroup
self.ShadowAttribute = ShadowAttribute
def set_all_values(self, **kwargs):
# Default values
if kwargs.get('category', None):
self.category = kwargs['category']
if self.category not in self.categories:
raise NewAttributeError('{} is invalid, category has to be in {}'.format(self.category, (', '.join(self.categories))))
if kwargs.get('type', None):
self.type = kwargs['type']
if self.type not in self.types:
raise NewAttributeError('{} is invalid, type_value has to be in {}'.format(self.type, (', '.join(self.types))))
if self.type not in self.category_type_mapping[self.category]:
raise NewAttributeError('{} and {} is an invalid combinaison, type_value for this category has to be in {}'.capitalizeformat(self.type, self.category, (', '.join(self.category_type_mapping[self.category]))))
if kwargs.get('value', None):
self.value = kwargs['value']
if kwargs.get('to_ids', None):
self.to_ids = kwargs['to_ids']
if not isinstance(self.to_ids, bool):
raise NewAttributeError('{} is invalid, to_ids has to be True or False'.format(self.to_ids))
if kwargs.get('comment', None):
self.comment = kwargs['comment']
if kwargs.get('distribution', None):
self.distribution = int(kwargs['distribution'])
if self.distribution not in [0, 1, 2, 3, 5]:
raise NewAttributeError('{} is invalid, the distribution has to be in 0, 1, 2, 3, 5'.format(self.distribution))
def _validate(self, type_value, value, category, to_ids, comment, distribution):
if category not in self.categories:
raise NewAttributeError('{} is invalid, category has to be in {}'.format(category, (', '.join(self.categories))))
if type_value not in self.types:
raise NewAttributeError('{} is invalid, type_value has to be in {}'.format(type_value, (', '.join(self.types))))
if type_value not in self.category_type_mapping[category]:
raise NewAttributeError('{} and {} is an invalid combinaison, type_value for this category has to be in {}'.capitalizeformat(type_value, category, (', '.join(self.category_type_mapping[category]))))
if to_ids not in [True, False]:
raise NewAttributeError('{} is invalid, to_ids has to be True or False'.format(to_ids))
if distribution not in [0, 1, 2, 3, 5]:
raise NewAttributeError('{} is invalid, the distribution has to be in 0, 1, 2, 3, 5'.format(distribution))
# other possible values
if kwargs.get('id', None):
self.id = int(kwargs['id'])
if kwargs.get('uuid', None):
self.uuid = kwargs['uuid']
if kwargs.get('timestamp', None):
self.timestamp = datetime.datetime.fromtimestamp(int(kwargs['timestamp']))
if kwargs.get('sharing_group_id', None):
self.sharing_group_id = int(kwargs['sharing_group_id'])
if kwargs.get('deleted', None):
self.deleted = kwargs['deleted']
if kwargs.get('SharingGroup', None):
self.SharingGroup = kwargs['SharingGroup']
if kwargs.get('ShadowAttribute', None):
self.ShadowAttribute = kwargs['ShadowAttribute']
def dump(self):
def _json(self):
to_return = {'type': self.type, 'category': self.category, 'to_ids': self.to_ids,
'distribution': self.distribution, 'value': self.value,
'comment': self.comment}
if not self.new:
to_return.update(
{'id': self.id, 'uuid': self.uuid,
'timestamp': int(time.mktime(self.timestamp.timetuple())),
'sharing_group_id': self.sharing_group_id, 'deleted': self.deleted,
'SharingGroup': self.SharingGroup, 'ShadowAttribute': self.ShadowAttribute})
if self.sharing_group_id:
to_return['sharing_group_id'] = self.sharing_group_id
return to_return
def _json_full(self):
to_return = self._json()
if self.id:
to_return['id'] = self.id
if self.uuid:
to_return['uuid'] = self.uuid
if self.timestamp:
to_return['timestamp'] = int(time.mktime(self.timestamp.timetuple()))
if self.deleted is not None:
to_return['deleted'] = self.deleted
if self.ShadowAttribute:
to_return['ShadowAttribute'] = self.ShadowAttribute
if self.SharingGroup:
to_return['SharingGroup'] = self.SharingGroup
return to_return
class EncodeUpdate(JSONEncoder):
def default(self, obj):
try:
return obj._json()
except AttributeError:
return JSONEncoder.default(self, obj)
class EncodeFull(JSONEncoder):
def default(self, obj):
try:
return obj._json_full()
except AttributeError:
return JSONEncoder.default(self, obj)
class MISPEvent(object):
def __init__(self, describe_types):
def __init__(self, describe_types=None):
self.ressources_path = os.path.join(os.path.abspath(os.path.dirname(__file__)), 'data')
self.json_schema = json.load(open(os.path.join(self.ressources_path, 'schema.json'), 'r'))
self.json_schema_lax = json.load(open(os.path.join(self.ressources_path, 'schema-lax.json'), 'r'))
if not describe_types:
t = json.load(open(os.path.join(self.ressources_path, 'describeTypes.json'), 'r'))
describe_types = t['result']
self.categories = describe_types['categories']
self.types = describe_types['types']
self.category_type_mapping = describe_types['category_type_mappings']
@ -78,7 +143,10 @@ class MISPEvent(object):
self.new = True
self.dump_full = False
# Default values
self._reinitialize_event()
def _reinitialize_event(self):
# Default values for a valid event to send to a MISP instance
self.distribution = 3
self.threat_level_id = 2
self.analysis = 0
@ -87,104 +155,159 @@ class MISPEvent(object):
self.date = datetime.date.today()
self.attributes = []
def _validate(self, distribution, threat_level_id, analysis):
if distribution not in [0, 1, 2, 3]:
raise NewEventError('{} is invalid, the distribution has to be in 0, 1, 2, 3'.format(distribution))
if threat_level_id not in [1, 2, 3, 4]:
raise NewEventError('{} is invalid, the threat_level has to be in 1, 2, 3, 4'.format(threat_level_id))
if analysis not in [0, 1, 2]:
raise NewEventError('{} is invalid, the analysis has to be in 0, 1, 2'.format(analysis))
# All other keys
self.id = None
self.orgc_id = None
self.org_id = None
self.uuid = None
self.attribute_count = None
self.timestamp = None
self.proposal_email_lock = None
self.locked = None
self.publish_timestamp = None
self.sharing_group_id = None
self.Org = None
self.Orgc = None
self.ShadowAttribute = []
self.RelatedEvent = []
self.Tag = []
def load(self, json_event):
self.new = False
self.dump_full = True
loaded = json.loads(json_event)
if loaded.get('response'):
e = loaded.get('response')[0].get('Event')
if isinstance(json_event, str):
loaded = json.loads(json_event)
if loaded.get('response'):
event = loaded.get('response')[0]
else:
event = loaded
if not event:
raise PyMISPError('Invalid event')
else:
e = loaded.get('Event')
if not e:
raise PyMISPError('Invalid event')
try:
date = datetime.date(*map(int, e['date'].split('-')))
except:
raise NewEventError('{} is an invalid date.'.format(e['date']))
self.set_values(e['info'], int(e['distribution']), int(e['threat_level_id']), int(e['analysis']), date)
if e['published']:
self.publish()
self.set_values_existing_event(
e['id'], e['orgc_id'], e['org_id'], e['uuid'],
e['attribute_count'], e['proposal_email_lock'], e['locked'],
e['publish_timestamp'], e['sharing_group_id'], e['Org'], e['Orgc'],
e['ShadowAttribute'], e['RelatedEvent'])
self.attributes = []
for a in e['Attribute']:
attribute = MISPAttribute(self.categories, self.types, self.category_type_mapping)
attribute.set_values(a['type'], a['value'], a['category'], a['to_ids'],
a['comment'], int(a['distribution']))
attribute.set_values_existing_attribute(a['id'], a['uuid'], a['timestamp'],
a['sharing_group_id'], a['deleted'],
a['SharingGroup'], a['ShadowAttribute'])
self.attributes.append(attribute)
event = json_event
jsonschema.validate(event, self.json_schema_lax)
e = event.get('Event')
self._reinitialize_event()
self.set_all_values(**e)
def dump(self):
def set_all_values(self, **kwargs):
# Default values for a valid event to send to a MISP instance
if kwargs.get('distribution', None) is not None:
self.distribution = int(kwargs['distribution'])
if self.distribution not in [0, 1, 2, 3]:
raise NewEventError('{} is invalid, the distribution has to be in 0, 1, 2, 3'.format(self.distribution))
if kwargs.get('threat_level_id', None) is not None:
self.threat_level_id = int(kwargs['threat_level_id'])
if self.threat_level_id not in [1, 2, 3, 4]:
raise NewEventError('{} is invalid, the threat_level has to be in 1, 2, 3, 4'.format(self.threat_level_id))
if kwargs.get('analysis', None) is not None:
self.analysis = int(kwargs['analysis'])
if self.analysis not in [0, 1, 2]:
raise NewEventError('{} is invalid, the analysis has to be in 0, 1, 2'.format(self.analysis))
if kwargs.get('info', None):
self.info = kwargs['info']
if kwargs.get('published', None) is not None:
self.publish()
if kwargs.get('date', None):
if isinstance(kwargs['date'], str):
self.date = parse(kwargs['date'])
elif isinstance(kwargs['date'], datetime.datetime):
self.date = kwargs['date'].date()
elif isinstance(kwargs['date'], datetime.date):
self.date = kwargs['date']
else:
raise NewEventError('Invalid format for the date: {} - {}'.format(kwargs['date'], type(kwargs['date'])))
if kwargs.get('Attribute', None):
for a in kwargs['Attribute']:
attribute = MISPAttribute(self.categories, self.types, self.category_type_mapping)
attribute.set_all_values(**a)
self.attributes.append(attribute)
# All other keys
if kwargs.get('id', None):
self.id = int(kwargs['id'])
if kwargs.get('orgc_id', None):
self.orgc_id = int(kwargs['orgc_id'])
if kwargs.get('org_id', None):
self.org_id = int(kwargs['org_id'])
if kwargs.get('uuid', None):
self.uuid = kwargs['uuid']
if kwargs.get('attribute_count', None):
self.attribute_count = int(kwargs['attribute_count'])
if kwargs.get('timestamp', None):
self.timestamp = datetime.datetime.fromtimestamp(int(kwargs['timestamp']))
if kwargs.get('proposal_email_lock', None):
self.proposal_email_lock = kwargs['proposal_email_lock']
if kwargs.get('locked', None):
self.locked = kwargs['locked']
if kwargs.get('publish_timestamp', None):
self.publish_timestamp = datetime.datetime.fromtimestamp(int(kwargs['publish_timestamp']))
if kwargs.get('sharing_group_id', None):
self.sharing_group_id = int(kwargs['sharing_group_id'])
if kwargs.get('Org', None):
self.Org = kwargs['Org']
if kwargs.get('Orgc', None):
self.Orgc = kwargs['Orgc']
if kwargs.get('ShadowAttribute', None):
self.ShadowAttribute = kwargs['ShadowAttribute']
if kwargs.get('RelatedEvent', None):
self.RelatedEvent = kwargs['RelatedEvent']
if kwargs.get('Tag', None):
self.Tag = kwargs['Tag']
def _json(self):
to_return = {'Event': {}}
to_return['Event'] = {'distribution': self.distribution, 'info': self.info,
'date': self.date.isoformat(), 'published': self.published,
'threat_level_id': self.threat_level_id,
'analysis': self.analysis, 'Attribute': []}
if not self.new:
to_return['Event'].update(
{'id': self.id, 'orgc_id': self.orgc_id, 'org_id': self.org_id,
'uuid': self.uuid, 'sharing_group_id': self.sharing_group_id})
if self.dump_full:
to_return['Event'].update(
{'locked': self.locked, 'attribute_count': self.attribute_count,
'RelatedEvent': self.RelatedEvent, 'Orgc': self.Orgc,
'ShadowAttribute': self.ShadowAttribute, 'Org': self.Org,
'proposal_email_lock': self.proposal_email_lock,
'publish_timestamp': int(time.mktime(self.publish_timestamp.timetuple()))})
to_return['Event']['Attribute'] = [a.dump() for a in self.attributes]
return json.dumps(to_return)
if self.id:
to_return['Event']['id'] = self.id
if self.orgc_id:
to_return['Event']['orgc_id'] = self.orgc_id
if self.org_id:
to_return['Event']['org_id'] = self.org_id
if self.uuid:
to_return['Event']['uuid'] = self.uuid
if self.sharing_group_id:
to_return['Event']['sharing_group_id'] = self.sharing_group_id
if self.Tag:
to_return['Event']['Tag'] = self.Tag
to_return['Event']['Attribute'] = [a._json() for a in self.attributes]
jsonschema.validate(to_return, self.json_schema)
return to_return
def set_values(self, info, distribution=3, threat_level_id=2, analysis=0, date=None):
self._validate(distribution, threat_level_id, analysis)
self.info = info
self.distribution = distribution
self.threat_level_id = threat_level_id
self.analysis = analysis
if not date:
self.date = datetime.date.today()
else:
self.date = date
def set_values_existing_event(self, event_id, orgc_id, org_id, uuid, attribute_count,
proposal_email_lock, locked, publish_timestamp,
sharing_group_id, Org, Orgc, ShadowAttribute,
RelatedEvent):
self.id = int(event_id)
self.orgc_id = int(orgc_id)
self.org_id = int(org_id)
self.uuid = uuid
self.attribute_count = int(attribute_count)
self.proposal_email_lock = proposal_email_lock
self.locked = locked
self.publish_timestamp = datetime.datetime.fromtimestamp(publish_timestamp)
self.sharing_group_id = int(sharing_group_id)
self.Org = Org
self.Orgc = Orgc
self.ShadowAttribute = ShadowAttribute
self.RelatedEvent = RelatedEvent
def _json_full(self):
to_return = self._json()
if self.locked is not None:
to_return['Event']['locked'] = self.locked
if self.attribute_count:
to_return['Event']['attribute_count'] = self.attribute_count
if self.RelatedEvent:
to_return['Event']['RelatedEvent'] = self.RelatedEvent
if self.Org:
to_return['Event']['Org'] = self.Org
if self.Orgc:
to_return['Event']['Orgc'] = self.Orgc
if self.ShadowAttribute:
to_return['Event']['ShadowAttribute'] = self.ShadowAttribute
if self.proposal_email_lock is not None:
to_return['Event']['proposal_email_lock'] = self.proposal_email_lock
if self.locked is not None:
to_return['Event']['locked'] = self.locked
if self.publish_timestamp:
to_return['Event']['publish_timestamp'] = int(time.mktime(self.publish_timestamp.timetuple()))
if self.timestamp:
to_return['Event']['timestamp'] = int(time.mktime(self.timestamp.timetuple()))
to_return['Event']['Attribute'] = [a._json_full() for a in self.attributes]
jsonschema.validate(to_return, self.json_schema)
return to_return
def publish(self):
self.publish = True
self.published = True
def unpublish(self):
self.publish = False
def prepare_for_update(self):
self.unpublish()
self.dump_full = False
self.published = False
def add_attribute(self, type_value, value, **kwargs):
if not self.sane_default.get(type_value):
@ -207,5 +330,6 @@ class MISPEvent(object):
else:
distribution = 5
attribute = MISPAttribute(self.categories, self.types, self.category_type_mapping)
attribute.set_values(type_value, value, category, to_ids, comment, distribution)
attribute.set_all_values(type=type_value, value=value, category=category,
to_ids=to_ids, comment=comment, distribution=distribution)
self.attributes.append(attribute)

4
setup.py
View File

@ -27,5 +27,7 @@ setup(
'Topic :: Internet',
],
test_suite="tests",
install_requires=['requests'],
install_requires=['requests', 'python-dateutil', 'jsonschema'],
include_package_data=True,
package_data={'data': ['schema.json', 'schema-lax.json', 'describeTypes.json']},
)

368
tests/describeTypes.json
View File

@ -1,368 +0,0 @@
{
"result": {
"types": [
"md5",
"sha1",
"sha256",
"filename",
"pdb",
"filename|md5",
"filename|sha1",
"filename|sha256",
"ip-src",
"ip-dst",
"hostname",
"domain",
"domain|ip",
"email-src",
"email-dst",
"email-subject",
"email-attachment",
"url",
"http-method",
"user-agent",
"regkey",
"regkey|value",
"AS",
"snort",
"pattern-in-file",
"pattern-in-traffic",
"pattern-in-memory",
"yara",
"vulnerability",
"attachment",
"malware-sample",
"link",
"comment",
"text",
"other",
"named pipe",
"mutex",
"target-user",
"target-email",
"target-machine",
"target-org",
"target-location",
"target-external",
"btc",
"iban",
"bic",
"bank-account-nr",
"aba-rtn",
"bin",
"cc-number",
"prtn",
"threat-actor",
"campaign-name",
"campaign-id",
"malware-type",
"uri",
"authentihash",
"ssdeep",
"imphash",
"pehash",
"sha224",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"tlsh",
"filename|authentihash",
"filename|ssdeep",
"filename|imphash",
"filename|pehash",
"filename|sha224",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|tlsh",
"windows-scheduled-task",
"windows-service-name",
"windows-service-displayname",
"whois-registrant-email",
"whois-registrant-phone",
"whois-registrant-name",
"whois-registrar",
"whois-creation-date",
"targeted-threat-index",
"mailslot",
"pipe",
"ssl-cert-attributes",
"x509-fingerprint-sha1"
],
"categories": [
"Internal reference",
"Targeting data",
"Antivirus detection",
"Payload delivery",
"Artifacts dropped",
"Payload installation",
"Persistence mechanism",
"Network activity",
"Payload type",
"Attribution",
"External analysis",
"Financial fraud",
"Other"
],
"category_type_mappings": {
"Internal reference": [
"link",
"comment",
"text",
"other"
],
"Targeting data": [
"target-user",
"target-email",
"target-machine",
"target-org",
"target-location",
"target-external",
"comment"
],
"Antivirus detection": [
"link",
"comment",
"text",
"attachment",
"other"
],
"Payload delivery": [
"md5",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"ssdeep",
"imphash",
"authentihash",
"pehash",
"tlsh",
"filename",
"filename|md5",
"filename|sha1",
"filename|sha224",
"filename|sha256",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|authentihash",
"filename|ssdeep",
"filename|tlsh",
"filename|imphash",
"filename|pehash",
"ip-src",
"ip-dst",
"hostname",
"domain",
"email-src",
"email-dst",
"email-subject",
"email-attachment",
"url",
"user-agent",
"AS",
"pattern-in-file",
"pattern-in-traffic",
"yara",
"attachment",
"malware-sample",
"link",
"malware-type",
"comment",
"text",
"vulnerability",
"x509-fingerprint-sha1",
"other"
],
"Artifacts dropped": [
"md5",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"ssdeep",
"imphash",
"authentihash",
"filename",
"filename|md5",
"filename|sha1",
"filename|sha224",
"filename|sha256",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|authentihash",
"filename|ssdeep",
"filename|tlsh",
"filename|imphash",
"filename|pehash",
"regkey",
"regkey|value",
"pattern-in-file",
"pattern-in-memory",
"pdb",
"yara",
"attachment",
"malware-sample",
"named pipe",
"mutex",
"windows-scheduled-task",
"windows-service-name",
"windows-service-displayname",
"comment",
"text",
"x509-fingerprint-sha1",
"other"
],
"Payload installation": [
"md5",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"ssdeep",
"imphash",
"authentihash",
"pehash",
"tlsh",
"filename",
"filename|md5",
"filename|sha1",
"filename|sha224",
"filename|sha256",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|authentihash",
"filename|ssdeep",
"filename|tlsh",
"filename|imphash",
"filename|pehash",
"pattern-in-file",
"pattern-in-traffic",
"pattern-in-memory",
"yara",
"vulnerability",
"attachment",
"malware-sample",
"malware-type",
"comment",
"text",
"x509-fingerprint-sha1",
"other"
],
"Persistence mechanism": [
"filename",
"regkey",
"regkey|value",
"comment",
"text",
"other"
],
"Network activity": [
"ip-src",
"ip-dst",
"hostname",
"domain",
"domain|ip",
"email-dst",
"url",
"uri",
"user-agent",
"http-method",
"AS",
"snort",
"pattern-in-file",
"pattern-in-traffic",
"attachment",
"comment",
"text",
"x509-fingerprint-sha1",
"other"
],
"Payload type": [
"comment",
"text",
"other"
],
"Attribution": [
"threat-actor",
"campaign-name",
"campaign-id",
"whois-registrant-phone",
"whois-registrant-email",
"whois-registrant-name",
"whois-registrar",
"whois-creation-date",
"comment",
"text",
"x509-fingerprint-sha1",
"other"
],
"External analysis": [
"md5",
"sha1",
"sha256",
"filename",
"filename|md5",
"filename|sha1",
"filename|sha256",
"ip-src",
"ip-dst",
"hostname",
"domain",
"domain|ip",
"url",
"user-agent",
"regkey",
"regkey|value",
"AS",
"snort",
"pattern-in-file",
"pattern-in-traffic",
"pattern-in-memory",
"vulnerability",
"attachment",
"malware-sample",
"link",
"comment",
"text",
"x509-fingerprint-sha1",
"other"
],
"Financial fraud": [
"btc",
"iban",
"bic",
"bank-account-nr",
"aba-rtn",
"bin",
"cc-number",
"prtn",
"comment",
"text",
"other"
],
"Other": [
"comment",
"text",
"other"
]
}
}
}

25
tests/test_offline.py
View File

@ -4,9 +4,14 @@
import unittest
import requests_mock
import json
import os
import pymisp as pm
from pymisp import PyMISP
from pymisp import NewEventError
from pymisp import MISPEvent
from pymisp import EncodeUpdate
from pymisp import EncodeFull
@requests_mock.Mocker()
@ -18,7 +23,8 @@ class TestOffline(unittest.TestCase):
self.key = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
self.event = {'Event': json.load(open('tests/misp_event.json', 'r'))}
self.new_misp_event = {'Event': json.load(open('tests/new_misp_event.json', 'r'))}
self.types = json.load(open('tests/describeTypes.json', 'r'))
self.ressources_path = os.path.join(os.path.abspath(os.path.dirname(__file__)), '../pymisp/data')
self.types = json.load(open(os.path.join(self.ressources_path, 'describeTypes.json'), 'r'))
self.sharing_groups = json.load(open('tests/sharing_groups.json', 'r'))
self.auth_error_msg = {"name": "Authentication failed. Please make sure you pass the API key of an API enabled user along in the Authorization header.",
"message": "Authentication failed. Please make sure you pass the API key of an API enabled user along in the Authorization header.",
@ -70,10 +76,10 @@ class TestOffline(unittest.TestCase):
def test_publish(self, m):
self.initURI(m)
pymisp = PyMISP(self.domain, self.key)
e = pymisp.publish(self.event)
e = pymisp.publish(self.event) # requests-mock always return the non-published event
pub = self.event
pub['Event']['published'] = True
self.assertEqual(e, pub)
# self.assertEqual(e, pub) FIXME: broken test, not-published event returned
e = pymisp.publish(self.event)
self.assertEqual(e, {'error': 'Already published'})
@ -104,12 +110,6 @@ class TestOffline(unittest.TestCase):
error_empty_info_flatten = {u'message': u'The event could not be saved.', u'name': u'Add event failed.', u'errors': [u"Error in info: Info cannot be empty."], u'url': u'/events/add'}
self.initURI(m)
pymisp = PyMISP(self.domain, self.key)
with self.assertRaises(pm.api.NewEventError):
pymisp.new_event()
with self.assertRaises(pm.api.NewEventError):
pymisp.new_event(0)
with self.assertRaises(pm.api.NewEventError):
pymisp.new_event(0, 1)
m.register_uri('POST', self.domain + 'events', json=error_empty_info)
response = pymisp.new_event(0, 1, 0)
self.assertEqual(response, error_empty_info_flatten)
@ -117,6 +117,13 @@ class TestOffline(unittest.TestCase):
response = pymisp.new_event(0, 1, 0, "This is a test.", '2016-08-26', False)
self.assertEqual(response, self.new_misp_event)
def test_eventObject(self, m):
self.initURI(m)
pymisp = PyMISP(self.domain, self.key)
misp_event = MISPEvent(pymisp.describe_types['result'])
misp_event.load(open('tests/57c4445b-c548-4654-af0b-4be3950d210f.json', 'r').read())
json.dumps(misp_event, cls=EncodeUpdate)
json.dumps(misp_event, cls=EncodeFull)
if __name__ == '__main__':
unittest.main()