2019-04-15 15:17:27 +02:00
|
|
|
######################################################
|
|
|
|
# #
|
|
|
|
# Author: Stanislav Klevtsov, Ukraine; Feb 2019. #
|
|
|
|
# #
|
|
|
|
# #
|
|
|
|
# Script was tested on the following configuration: #
|
|
|
|
# MISP v2.4.90 #
|
|
|
|
# Cisco Firesight Manager Console v6.2.3 (bld 84) #
|
|
|
|
# #
|
|
|
|
######################################################
|
|
|
|
|
|
|
|
import json
|
|
|
|
import base64
|
|
|
|
from urllib.parse import quote
|
|
|
|
|
|
|
|
misperrors = {'error': 'Error'}
|
|
|
|
|
|
|
|
moduleinfo = {'version': '1', 'author': 'Stanislav Klevtsov',
|
2019-04-16 11:25:39 +02:00
|
|
|
'description': 'Export malicious network activity attributes of the MISP event to Cisco firesight manager block rules',
|
|
|
|
'module-type': ['export']}
|
2019-04-15 15:17:27 +02:00
|
|
|
|
|
|
|
|
|
|
|
moduleconfig = ['fmc_ip_addr', 'fmc_login', 'fmc_pass', 'domain_id', 'acpolicy_id']
|
|
|
|
|
2019-04-16 11:25:39 +02:00
|
|
|
fsmapping = {"ip-dst": "dst", "url": "request"}
|
2019-04-15 15:17:27 +02:00
|
|
|
|
2019-04-16 11:25:39 +02:00
|
|
|
mispattributes = {'input': list(fsmapping.keys())}
|
2019-04-15 15:17:27 +02:00
|
|
|
|
|
|
|
# options: event, attribute, event-collection, attribute-collection
|
|
|
|
inputSource = ['event']
|
|
|
|
|
|
|
|
outputFileExtension = 'sh'
|
|
|
|
responseType = 'application/txt'
|
|
|
|
|
|
|
|
# .sh file templates
|
|
|
|
SH_FILE_HEADER = """#!/bin/sh\n\n"""
|
|
|
|
|
|
|
|
BLOCK_JSON_TMPL = """
|
|
|
|
BLOCK_RULE='{{ "action": "BLOCK", "enabled": true, "type": "AccessRule", "name": "{rule_name}", "destinationNetworks": {{ "literals": [ {dst_networks} ] }}, "urls": {{ "literals": [ {urls} ] }}, "newComments": [ "{event_info_comment}" ] }}'\n
|
|
|
|
"""
|
|
|
|
|
|
|
|
BLOCK_DST_JSON_TMPL = """{{ "type": "Host", "value": "{ipdst}" }} """
|
|
|
|
BLOCK_URL_JSON_TMPL = """{{ "type": "Url", "url": "{url}" }} """
|
|
|
|
|
|
|
|
CURL_ADD_RULE_TMPL = """
|
|
|
|
curl -X POST -v -k -H 'Content-Type: application/json' -H \"Authorization: Basic $LOGINPASS_BASE64\" -H \"X-auth-access-token: $ACC_TOKEN\" -i \"https://$FIRESIGHT_IP_ADDR/api/fmc_config/v1/domain/$DOMAIN_ID/policy/accesspolicies/$ACPOLICY_ID/accessrules\" --data \"$BLOCK_RULE\" """
|
|
|
|
|
|
|
|
|
|
|
|
def handler(q=False):
|
2019-04-16 11:25:39 +02:00
|
|
|
if q is False:
|
|
|
|
return False
|
2019-04-15 15:17:27 +02:00
|
|
|
|
2019-04-16 11:25:39 +02:00
|
|
|
r = {'results': []}
|
|
|
|
request = json.loads(q)
|
2019-04-15 15:17:27 +02:00
|
|
|
|
2019-04-16 11:25:39 +02:00
|
|
|
if "config" in request:
|
|
|
|
config = request["config"]
|
2019-04-15 15:17:27 +02:00
|
|
|
|
2019-04-16 11:25:39 +02:00
|
|
|
# check if config is empty
|
|
|
|
if not config['fmc_ip_addr']:
|
|
|
|
config['fmc_ip_addr'] = "0.0.0.0"
|
|
|
|
if not config['fmc_login']:
|
|
|
|
config['fmc_login'] = "login"
|
|
|
|
if not config['fmc_pass']:
|
|
|
|
config['fmc_pass'] = "password"
|
|
|
|
if not config['domain_id']:
|
|
|
|
config['domain_id'] = "SET_FIRESIGHT_DOMAIN_ID"
|
|
|
|
if not config['acpolicy_id']:
|
|
|
|
config['acpolicy_id'] = "SET_FIRESIGHT_ACPOLICY_ID"
|
2019-04-15 15:17:27 +02:00
|
|
|
|
2019-04-16 11:25:39 +02:00
|
|
|
data = request["data"]
|
|
|
|
output = ""
|
|
|
|
ipdst = []
|
|
|
|
urls = []
|
2019-04-15 15:17:27 +02:00
|
|
|
|
2019-04-16 11:25:39 +02:00
|
|
|
# populate the ACL rule with attributes
|
|
|
|
for ev in data:
|
2019-04-15 15:17:27 +02:00
|
|
|
|
2019-04-16 11:25:39 +02:00
|
|
|
event = ev["Attribute"]
|
|
|
|
event_id = ev["Event"]["id"]
|
|
|
|
event_info = ev["Event"]["info"]
|
2019-04-15 15:17:27 +02:00
|
|
|
|
2019-04-16 11:25:39 +02:00
|
|
|
for index, attr in enumerate(event):
|
|
|
|
if attr["to_ids"] is True:
|
|
|
|
if attr["type"] in fsmapping:
|
|
|
|
if attr["type"] == "ip-dst":
|
|
|
|
ipdst.append(BLOCK_DST_JSON_TMPL.format(ipdst=attr["value"]))
|
|
|
|
else:
|
|
|
|
urls.append(BLOCK_URL_JSON_TMPL.format(url=quote(attr["value"], safe='@/:;?&=-_.,+!*')))
|
2019-04-15 15:17:27 +02:00
|
|
|
|
2019-04-16 11:25:39 +02:00
|
|
|
# building the .sh file
|
|
|
|
output += SH_FILE_HEADER
|
|
|
|
output += "FIRESIGHT_IP_ADDR='{}'\n".format(config['fmc_ip_addr'])
|
2019-04-15 15:17:27 +02:00
|
|
|
|
2019-04-16 11:25:39 +02:00
|
|
|
output += "LOGINPASS_BASE64=`echo -n '{}:{}' | base64`\n".format(config['fmc_login'], config['fmc_pass'])
|
|
|
|
output += "DOMAIN_ID='{}'\n".format(config['domain_id'])
|
|
|
|
output += "ACPOLICY_ID='{}'\n\n".format(config['acpolicy_id'])
|
2019-04-15 15:17:27 +02:00
|
|
|
|
2019-04-16 11:25:39 +02:00
|
|
|
output += "ACC_TOKEN=`curl -X POST -v -k -sD - -o /dev/null -H \"Authorization: Basic $LOGINPASS_BASE64\" -i \"https://$FIRESIGHT_IP_ADDR/api/fmc_platform/v1/auth/generatetoken\" | grep -i x-auth-acc | sed 's/.*:\\ //g' | tr -d '[:space:]' | tr -d '\\n'`\n"
|
2019-04-15 15:17:27 +02:00
|
|
|
|
2019-04-16 11:25:39 +02:00
|
|
|
output += BLOCK_JSON_TMPL.format(rule_name="misp_event_{}".format(event_id),
|
|
|
|
dst_networks=', '.join(ipdst),
|
|
|
|
urls=', '.join(urls),
|
|
|
|
event_info_comment=event_info) + "\n"
|
2019-04-15 15:17:27 +02:00
|
|
|
|
2019-04-16 11:25:39 +02:00
|
|
|
output += CURL_ADD_RULE_TMPL
|
|
|
|
# END building the .sh file
|
2019-04-15 15:17:27 +02:00
|
|
|
|
2019-04-16 11:25:39 +02:00
|
|
|
r = {"data": base64.b64encode(output.encode('utf-8')).decode('utf-8')}
|
|
|
|
return r
|
2019-04-15 15:17:27 +02:00
|
|
|
|
|
|
|
|
|
|
|
def introspection():
|
2019-04-16 11:25:39 +02:00
|
|
|
modulesetup = {}
|
|
|
|
try:
|
|
|
|
responseType
|
|
|
|
modulesetup['responseType'] = responseType
|
|
|
|
except NameError:
|
|
|
|
pass
|
|
|
|
try:
|
|
|
|
userConfig
|
|
|
|
modulesetup['userConfig'] = userConfig
|
|
|
|
except NameError:
|
|
|
|
pass
|
|
|
|
try:
|
|
|
|
outputFileExtension
|
|
|
|
modulesetup['outputFileExtension'] = outputFileExtension
|
|
|
|
except NameError:
|
|
|
|
pass
|
|
|
|
try:
|
|
|
|
inputSource
|
|
|
|
modulesetup['inputSource'] = inputSource
|
|
|
|
except NameError:
|
|
|
|
pass
|
|
|
|
return modulesetup
|
2019-04-15 15:17:27 +02:00
|
|
|
|
|
|
|
|
|
|
|
def version():
|
2019-04-16 11:25:39 +02:00
|
|
|
moduleinfo['config'] = moduleconfig
|
|
|
|
return moduleinfo
|