mirror of https://github.com/MISP/PyMISP
53 lines
1.5 KiB
Python
Executable File
53 lines
1.5 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
# -*- coding: utf-8 -*-
|
|
# vim: tabstop=4 shiftwidth=4 expandtab
|
|
#
|
|
# Export file hashes from MISP to ClamAV hdb file
|
|
|
|
import sys
|
|
from pymisp import PyMISP, MISPAttribute
|
|
from keys import misp_url, misp_key, misp_verifycert
|
|
|
|
|
|
def init_misp():
|
|
global mymisp
|
|
mymisp = PyMISP(misp_url, misp_key, misp_verifycert)
|
|
|
|
|
|
def echeck(r):
|
|
if r.get('errors'):
|
|
if r.get('message') == 'No matches.':
|
|
return
|
|
else:
|
|
print(r['errors'])
|
|
sys.exit(1)
|
|
|
|
|
|
def find_hashes(htype):
|
|
r = mymisp.search(controller='attributes', type_attribute=htype)
|
|
echeck(r)
|
|
if not r.get('response'):
|
|
return
|
|
for a in r['response']['Attribute']:
|
|
attribute = MISPAttribute(mymisp.describe_types)
|
|
attribute.from_dict(**a)
|
|
if '|' in attribute.type and '|' in attribute.value:
|
|
c, value = attribute.value.split('|')
|
|
comment = '{} - {}'.format(attribute.comment, c)
|
|
else:
|
|
comment = attribute.comment
|
|
value = attribute.value
|
|
mhash = value.replace(':', ';')
|
|
mfile = 'MISP event {} {}'.format(a['event_id'], comment.replace(':', ';').replace('\r', '').replace('\n', ''))
|
|
print('{}:*:{}:73'.format(mhash, mfile))
|
|
|
|
|
|
if __name__ == '__main__':
|
|
init_misp()
|
|
find_hashes('md5')
|
|
find_hashes('sha1')
|
|
find_hashes('sha256')
|
|
find_hashes('filename|md5')
|
|
find_hashes('filename|sha1')
|
|
find_hashes('filename|sha256')
|