mirror of https://github.com/MISP/PyMISP
131 lines
4.1 KiB
Python
Executable File
131 lines
4.1 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
|
|
import sys
|
|
import json
|
|
import os
|
|
from pymisp import ExpandedPyMISP
|
|
from settings import url, key, ssl, outputdir, filters, valid_attribute_distribution_levels
|
|
try:
|
|
from settings import with_distribution
|
|
except ImportError:
|
|
with_distribution = False
|
|
|
|
try:
|
|
from settings import with_signatures
|
|
except ImportError:
|
|
with_signatures = False
|
|
|
|
try:
|
|
from settings import with_local_tags
|
|
except ImportError:
|
|
with_local_tags = True
|
|
|
|
try:
|
|
from settings import include_deleted
|
|
except ImportError:
|
|
include_deleted = False
|
|
|
|
try:
|
|
from settings import exclude_attribute_types
|
|
except ImportError:
|
|
exclude_attribute_types = []
|
|
|
|
valid_attribute_distributions = []
|
|
|
|
|
|
def init():
|
|
# If we have an old settings.py file then this variable won't exist
|
|
global valid_attribute_distributions
|
|
try:
|
|
valid_attribute_distributions = [int(v) for v in valid_attribute_distribution_levels]
|
|
except Exception:
|
|
valid_attribute_distributions = [0, 1, 2, 3, 4, 5]
|
|
return ExpandedPyMISP(url, key, ssl)
|
|
|
|
|
|
def saveEvent(event, misp):
|
|
stringified_event = json.dumps(event, indent=2)
|
|
if with_signatures and event['Event'].get('protected'):
|
|
signature = getSignature(stringified_event, misp)
|
|
try:
|
|
with open(os.path.join(outputdir, f'{event["Event"]["uuid"]}.asc'), 'w') as f:
|
|
f.write(signature)
|
|
except Exception as e:
|
|
print(e)
|
|
sys.exit('Could not create the event signature dump.')
|
|
|
|
try:
|
|
with open(os.path.join(outputdir, f'{event["Event"]["uuid"]}.json'), 'w') as f:
|
|
f.write(stringified_event)
|
|
except Exception as e:
|
|
print(e)
|
|
sys.exit('Could not create the event dump.')
|
|
|
|
|
|
def getSignature(stringified_event, misp):
|
|
try:
|
|
signature = misp.sign_blob(stringified_event)
|
|
return signature
|
|
except Exception as e:
|
|
print(e)
|
|
sys.exit('Could not get the signature for the event from the MISP instance. Perhaps the user does not have the necessary permissions.')
|
|
|
|
|
|
def saveHashes(hashes):
|
|
try:
|
|
with open(os.path.join(outputdir, 'hashes.csv'), 'w') as hashFile:
|
|
for element in hashes:
|
|
hashFile.write(f'{element[0]},{element[1]}\n')
|
|
except Exception as e:
|
|
print(e)
|
|
sys.exit('Could not create the quick hash lookup file.')
|
|
|
|
|
|
def saveManifest(manifest):
|
|
try:
|
|
manifestFile = open(os.path.join(outputdir, 'manifest.json'), 'w')
|
|
manifestFile.write(json.dumps(manifest))
|
|
manifestFile.close()
|
|
except Exception as e:
|
|
print(e)
|
|
sys.exit('Could not create the manifest file.')
|
|
|
|
|
|
if __name__ == '__main__':
|
|
misp = init()
|
|
try:
|
|
events = misp.search_index(minimal=True, **filters, pythonify=False)
|
|
except Exception as e:
|
|
print(e)
|
|
sys.exit("Invalid response received from MISP.")
|
|
if len(events) == 0:
|
|
sys.exit("No events returned.")
|
|
manifest = {}
|
|
hashes = []
|
|
signatures = []
|
|
counter = 1
|
|
total = len(events)
|
|
for event in events:
|
|
try:
|
|
e = misp.get_event(event['uuid'], deleted=include_deleted, pythonify=True)
|
|
if exclude_attribute_types:
|
|
for i, attribute in enumerate(e.attributes):
|
|
if attribute.type in exclude_attribute_types:
|
|
e.attributes.pop(i)
|
|
e_feed = e.to_feed(valid_distributions=valid_attribute_distributions, with_meta=True, with_distribution=with_distribution, with_local_tags=with_local_tags)
|
|
except Exception as err:
|
|
print(err, event['uuid'])
|
|
continue
|
|
if not e_feed:
|
|
print(f'Invalid distribution {e.distribution}, skipping')
|
|
continue
|
|
hashes += [[h, e.uuid] for h in e_feed['Event'].pop('_hashes')]
|
|
manifest.update(e_feed['Event'].pop('_manifest'))
|
|
saveEvent(e_feed, misp)
|
|
print("Event " + str(counter) + "/" + str(total) + " exported.")
|
|
counter += 1
|
|
saveManifest(manifest)
|
|
print('Manifest saved.')
|
|
saveHashes(hashes)
|
|
print('Hashes saved. Feed creation completed.')
|