Merge branch 'iceone23-patch-1'

pull/302/head
Raphaël Vinot 2019-04-16 11:26:08 +02:00
commit 30f8e59f5a
2 changed files with 193 additions and 53 deletions

106
Pipfile.lock generated

@ -111,10 +111,10 @@
}, },
"click-plugins": { "click-plugins": {
"hashes": [ "hashes": [
"sha256:b1ee1ccc9421c73007fe290680d97984eb6eaf5f4512b7620c6aa46031d6cb6b", "sha256:46ab999744a9d831159c3411bb0c79346d94a444df9a3a3742e9ed63645f264b",
"sha256:dfed74b5063546a137de99baaaf742b4de4337ad2b3e1df5ec7c8a256adc0847" "sha256:5d262006d3222f5057fd81e1623d4443e41dcda5dc815c06b442aa3c02889fc8"
], ],
"version": "==1.0.4" "version": "==1.1.1"
}, },
"colorama": { "colorama": {
"hashes": [ "hashes": [
@ -300,7 +300,7 @@
"pybgpranking": { "pybgpranking": {
"editable": true, "editable": true,
"git": "https://github.com/D4-project/BGP-Ranking.git/", "git": "https://github.com/D4-project/BGP-Ranking.git/",
"ref": "019ef1c40aad1e5bb5c5072c9a998c6a8f0271f3", "ref": "86180c080ba5f83a5160a8295ebc263709aa4eba",
"subdirectory": "client" "subdirectory": "client"
}, },
"pydnstrails": { "pydnstrails": {
@ -331,13 +331,13 @@
"pyipasnhistory": { "pyipasnhistory": {
"editable": true, "editable": true,
"git": "https://github.com/D4-project/IPASN-History.git/", "git": "https://github.com/D4-project/IPASN-History.git/",
"ref": "0c4f11792061417b77ca6e22d2ece18109d74c75", "ref": "1009124c39e9cc3b362f0f9ce4d272817b9a5186",
"subdirectory": "client" "subdirectory": "client"
}, },
"pymisp": { "pymisp": {
"editable": true, "editable": true,
"git": "https://github.com/MISP/PyMISP.git", "git": "https://github.com/MISP/PyMISP.git",
"ref": "64bcaad0e578129543cdffad532a232722615f6c" "ref": "13445b51748524195bb15aec2c1c6176bcb6bd95"
}, },
"pyonyphe": { "pyonyphe": {
"editable": true, "editable": true,
@ -346,10 +346,10 @@
}, },
"pyparsing": { "pyparsing": {
"hashes": [ "hashes": [
"sha256:66c9268862641abcac4a96ba74506e594c884e3f57690a696d21ad8210ed667a", "sha256:1873c03321fc118f4e9746baf201ff990ceb915f433f23b395f5580d1840cb2a",
"sha256:f6c5ef0d7480ad048c054c37632c67fca55299990fff127850181659eea33fc3" "sha256:9b6323ef4ab914af344ba97510e966d64ba91055d6b9afa6b30799340e89cc03"
], ],
"version": "==2.3.1" "version": "==2.4.0"
}, },
"pypdns": { "pypdns": {
"hashes": [ "hashes": [
@ -417,37 +417,37 @@
}, },
"reportlab": { "reportlab": {
"hashes": [ "hashes": [
"sha256:0135bc54a463db5315c93bba4182fb83dc088fefaa7da18784ecd2a0c4a9c068", "sha256:1c228a3ac2c405f7fc16eac43ba92aec448bc25438902f30590ad021e8828097",
"sha256:09e167e01458ea1e0cf3acff634ae9ecc1f1757e7585060d039c90b762859cfd", "sha256:2210fafd3bb06308a84876fe6d19172b645373edce2b6d7501378cb9c768f825",
"sha256:0dfcea18ba3ca1fac55cb273d056a8a43a48bd04d419299b3267e1994c72455a", "sha256:232fb2037b7c3df259685f1c5ecb7826f55742dc81f0713837b84a152307483e",
"sha256:1a61e56593ea1a8a38135eedfb40f79dcad13164fff034313ebf2a30e200ca79", "sha256:2c4f25e63fa75f3064871cf435696a4e19b7bd4901d922b766ae58a447b5b6da",
"sha256:1bdd871c2087d3853a0e9a3a573b1a7535500f3341944b1e34e68f3213cd28b8", "sha256:47951166d897b60e9e7ca349db82a2b689e6478ac6078e2c7c88ca8becbb0c7d",
"sha256:26878a4b9c45f046c635b5695681188c19806f08b04129ea01c9ed51c7754039", "sha256:526ab1193ea8e97c4838135917890e66de5f777d04283008007229b139f3c094",
"sha256:27c62264c758aa30113df105da816223d149e4e87ee778ad49469725b79be2eb", "sha256:5a9cc8470623ec5b76c7e59f56b7d1fcf0254896cd61842dbdbd278934cc50f4",
"sha256:29a9dd3954465b9e4efb129ffda9ab3e6a4f06488e8aa2efd5aff8ad332f13c2", "sha256:5ddc1a4a74f225e35a7f60e2eae10de6878dddc9960dad2d9cadc49092f8850d",
"sha256:5740e3218ca98c1bc86bd2d2e2a8c1d23e7c97d949d6377ac30aaf449f01c363", "sha256:6b594f6d7d71bc5778e19adb1c699a598c69b9a7bcf97fa638d8762279f9d80a",
"sha256:605892bb3f822a1e7342ce2b461d645ab8e4d13875127c0ae5377f76853db422", "sha256:6e8c89b46cfaf9ae40b7db87e9f29c9e5d32d18d25f9cd10d423a5241e8ec453",
"sha256:6dacc72552bc0dd50286e856f09a5e646a007d9345598bf6f75b117a200bfd9d", "sha256:71f4f3e3975b91ddbfc1b36a537b46d07533ca7f31945e990a75db5f9bd7a0ba",
"sha256:7021b7c8ba6d8e69e4c68c9473067482aaa40b9094270b45dbf798fcb0e09bd4", "sha256:763654dc346eeb66fa726a88d27f911339950d20a25303dfc098f3b59ba26614",
"sha256:8acd950dad5b20a417579d1253c1065222dde48f9412e71533b052ab3dd98632", "sha256:7bae4b33363f44343e0fac5004c8e44576c3ed00885be4eee1f2260802c116c3",
"sha256:8b8fb3b0dd1e2124aba24544a02c95bff1fffa966b0581f30abf4fb28e414005", "sha256:8a4b8a0fd0547f3b436b548284aa604ba183bfac26f41a7ffb23d0ff5db8c658",
"sha256:920c61c942eb1cc446e1647a04978f4afe31993ed403b74576a018c3ca526394", "sha256:8b08d68e4cb498eabf85411beda5c32e591ef8d0a6d18c948c3f80ed5d2c6e31",
"sha256:928e8d99befe064e28e9a29a4fd9afcf2066dcd758b0903280e67e221527422a", "sha256:9840f27948b54aefa3c6386e5ed0f124d641eb54fa2f2bc9aebcb270598487fc",
"sha256:a04787eee401a74c80b65e539b5fe9226fdeabe25caa3d216c21dc990b2f8a01", "sha256:9ae8f822370e47486ba1880f7580669058a41e64bdaa41019f4617317489f884",
"sha256:a5bb6bd7753cba854425fcf7ecf04627a17de78d47ef9e8fac615887c5658da3", "sha256:9db49197080646a113059eba1c0758161164de1bc57315e7422bbf8c86e03dcf",
"sha256:a70d970619014dc83b4406bcfed7e2f9d5aaf5f521aad808f5560d90ea896fb4", "sha256:a08d23fa3f23f13a1cc6dca3b3c431d08ae48e52384e6bf47bbefb22fde58e61",
"sha256:ae468fe82c8af3d1987113f03c1f87d01daa5b4c85c1f10da126be84423a744d", "sha256:ac111bc47733dbfa3e34d61282c91b69b1f66800b0c72b7b86dc2534faa09bef",
"sha256:b278d83a7f76410bd310b368309e6e4b19664ffa686abfa9f0696130b09c17d3", "sha256:bc3c69707c0bf9308193612d34ca87249d6fc91a35ce0873102321395d39024a",
"sha256:b6623e9a96db3edc4b384e036e67c7bc87bbd7e5dc2d72ce66efa0043f9383b0", "sha256:c375759a763c1c93d5b4f36620390440d9fa6dec6fcf88bce8234701d88b339c",
"sha256:dc15cfa577bb25f0a598d483cf6dcc5ecad576ba723fe9bec63b6ec720dab2a3", "sha256:c8a5988d73ec93a54f22660b64c5f3d2018163dd9ca4a5cdde8022a7e4fcb345",
"sha256:dffdb4f6b34ce791e67365f3f96ab3c45b4cdd2c70d212fac98fb146dc75ac80", "sha256:eba2bc7c28a3b2b0a3c24caff33e4d8708db008f480b03a6ea39c28661663746",
"sha256:e84020e3482856da733e1359cb7b84e6bac09179bd3af860e70468a9c3cb43e3", "sha256:ee187977d587b9b81929e08022f385eb11274efd75795d59d99eb23b3fa9b055",
"sha256:edda09668e8474d5acb1a37fb64599557b43a714f1469bd49a058e95b5b410ff", "sha256:f3ef7616ffc27c150ffec61ac820739495f6a9ca5d8532047102756ebb27e8d1",
"sha256:f77e9835873931d25f836a3c107e53e0f7d3c0b4906b13063815308cf5ca1fac", "sha256:f46f223fcae09c8bf2746b4eb2f351294faae04b262429cc480d34c69b133fd9",
"sha256:f91d16ff07d5d3c92303f64c6864d74d3b6a491dde186bfef90c58088f932998" "sha256:fd9f6429a68a246fb466696d97d1240752c889b5bfdc219fea15ae787cf366a6"
], ],
"index": "pypi", "index": "pypi",
"version": "==3.5.17" "version": "==3.5.19"
}, },
"requests": { "requests": {
"hashes": [ "hashes": [
@ -466,10 +466,10 @@
}, },
"shodan": { "shodan": {
"hashes": [ "hashes": [
"sha256:f93b7199e89eecf5c84647f66316c2c044c3aebfc1fe4d9caa43dfda07f74c4e" "sha256:c30baebce853ad67677bf002dde96a1ca1a9729bdd300fbb3c5e5d889547a639"
], ],
"index": "pypi", "index": "pypi",
"version": "==1.11.1" "version": "==1.12.1"
}, },
"sigmatools": { "sigmatools": {
"hashes": [ "hashes": [
@ -487,10 +487,10 @@
}, },
"soupsieve": { "soupsieve": {
"hashes": [ "hashes": [
"sha256:3aef141566afd07201b525c17bfaadd07580a8066f82b57f7c9417f26adbd0a3", "sha256:6898e82ecb03772a0d82bd0d0a10c0d6dcc342f77e0701d0ec4a8271be465ece",
"sha256:e41a65e99bd125972d84221022beb1e4b5cfc68fa12c170c39834ce32d1b294c" "sha256:b20eff5e564529711544066d7dc0f7661df41232ae263619dede5059799cdfca"
], ],
"version": "==1.9" "version": "==1.9.1"
}, },
"sparqlwrapper": { "sparqlwrapper": {
"hashes": [ "hashes": [
@ -555,12 +555,12 @@
}, },
"vulners": { "vulners": {
"hashes": [ "hashes": [
"sha256:6617d5904b5369507bc34105071d312e9e1c38d73654505e7b15b9a3f1325915", "sha256:6506f3ad45bf3fd72f9cd1ebd5fbc13f814e7cf62faed6897e33db949fe4584a",
"sha256:8b05d12a9dd7cbc07198a13281299a6e014ec348522e214b1efd097e194b7568", "sha256:a0e86015343ecf1c3313f6101567749988b5eb5299a672f19fd2974121817444",
"sha256:a19b02e0a112d70951e10c5abc1993f7f029234212828e1b617ab35f4e460a24" "sha256:f243fe025a84b85bd6f37e45d6cf693e24697d30661695fe5d29b652dff6a5a1"
], ],
"index": "pypi", "index": "pypi",
"version": "==1.4.7" "version": "==1.4.9"
}, },
"wand": { "wand": {
"hashes": [ "hashes": [
@ -572,10 +572,10 @@
}, },
"xlsxwriter": { "xlsxwriter": {
"hashes": [ "hashes": [
"sha256:de9ef46088489915eaaee00c7088cff93cf613e9990b46b933c98eb46f21b47f", "sha256:3a4e4a24a6753f046dc5a5e5bc5f443fce6a18988486885a258db6963eb54163",
"sha256:df96eafc3136d9e790e35d6725b473e46ada6f585c1f6519da69b27f5c8873f7" "sha256:92a2ba339ca939815f0e125fcde728e94ccdb3e97e1acd3275ecf25a3cacfdc6"
], ],
"version": "==1.1.5" "version": "==1.1.6"
}, },
"yara-python": { "yara-python": {
"hashes": [ "hashes": [
@ -760,11 +760,11 @@
}, },
"pytest": { "pytest": {
"hashes": [ "hashes": [
"sha256:13c5e9fb5ec5179995e9357111ab089af350d788cbc944c628f3cde72285809b", "sha256:3773f4c235918987d51daf1db66d51c99fac654c81d6f2f709a046ab446d5e5d",
"sha256:f21d2f1fb8200830dcbb5d8ec466a9c9120e20d8b53c7585d180125cce1d297a" "sha256:b7802283b70ca24d7119b32915efa7c409982f59913c1a6c0640aacf118b95f5"
], ],
"index": "pypi", "index": "pypi",
"version": "==4.4.0" "version": "==4.4.1"
}, },
"requests": { "requests": {
"hashes": [ "hashes": [


@ -0,0 +1,140 @@
######################################################
# #
# Author: Stanislav Klevtsov, Ukraine; Feb 2019. #
# #
# #
# Script was tested on the following configuration: #
# MISP v2.4.90 #
# Cisco Firesight Manager Console v6.2.3 (bld 84) #
# #
######################################################
import json
import base64
from urllib.parse import quote
misperrors = {'error': 'Error'}
moduleinfo = {'version': '1', 'author': 'Stanislav Klevtsov',
'description': 'Export malicious network activity attributes of the MISP event to Cisco firesight manager block rules',
'module-type': ['export']}
moduleconfig = ['fmc_ip_addr', 'fmc_login', 'fmc_pass', 'domain_id', 'acpolicy_id']
fsmapping = {"ip-dst": "dst", "url": "request"}
mispattributes = {'input': list(fsmapping.keys())}
# options: event, attribute, event-collection, attribute-collection
inputSource = ['event']
outputFileExtension = 'sh'
responseType = 'application/txt'
# .sh file templates
SH_FILE_HEADER = """#!/bin/sh\n\n"""
BLOCK_JSON_TMPL = """
BLOCK_RULE='{{ "action": "BLOCK", "enabled": true, "type": "AccessRule", "name": "{rule_name}", "destinationNetworks": {{ "literals": [ {dst_networks} ] }}, "urls": {{ "literals": [ {urls} ] }}, "newComments": [ "{event_info_comment}" ] }}'\n
"""
BLOCK_DST_JSON_TMPL = """{{ "type": "Host", "value": "{ipdst}" }} """
BLOCK_URL_JSON_TMPL = """{{ "type": "Url", "url": "{url}" }} """
CURL_ADD_RULE_TMPL = """
curl -X POST -v -k -H 'Content-Type: application/json' -H \"Authorization: Basic $LOGINPASS_BASE64\" -H \"X-auth-access-token: $ACC_TOKEN\" -i \"https://$FIRESIGHT_IP_ADDR/api/fmc_config/v1/domain/$DOMAIN_ID/policy/accesspolicies/$ACPOLICY_ID/accessrules\" --data \"$BLOCK_RULE\" """
def handler(q=False):
if q is False:
return False
r = {'results': []}
request = json.loads(q)
if "config" in request:
config = request["config"]
# check if config is empty
if not config['fmc_ip_addr']:
config['fmc_ip_addr'] = "0.0.0.0"
if not config['fmc_login']:
config['fmc_login'] = "login"
if not config['fmc_pass']:
config['fmc_pass'] = "password"
if not config['domain_id']:
config['domain_id'] = "SET_FIRESIGHT_DOMAIN_ID"
if not config['acpolicy_id']:
config['acpolicy_id'] = "SET_FIRESIGHT_ACPOLICY_ID"
data = request["data"]
output = ""
ipdst = []
urls = []
# populate the ACL rule with attributes
for ev in data:
event = ev["Attribute"]
event_id = ev["Event"]["id"]
event_info = ev["Event"]["info"]
for index, attr in enumerate(event):
if attr["to_ids"] is True:
if attr["type"] in fsmapping:
if attr["type"] == "ip-dst":
ipdst.append(BLOCK_DST_JSON_TMPL.format(ipdst=attr["value"]))
else:
urls.append(BLOCK_URL_JSON_TMPL.format(url=quote(attr["value"], safe='@/:;?&=-_.,+!*')))
# building the .sh file
output += SH_FILE_HEADER
output += "FIRESIGHT_IP_ADDR='{}'\n".format(config['fmc_ip_addr'])
output += "LOGINPASS_BASE64=`echo -n '{}:{}' | base64`\n".format(config['fmc_login'], config['fmc_pass'])
output += "DOMAIN_ID='{}'\n".format(config['domain_id'])
output += "ACPOLICY_ID='{}'\n\n".format(config['acpolicy_id'])
output += "ACC_TOKEN=`curl -X POST -v -k -sD - -o /dev/null -H \"Authorization: Basic $LOGINPASS_BASE64\" -i \"https://$FIRESIGHT_IP_ADDR/api/fmc_platform/v1/auth/generatetoken\" | grep -i x-auth-acc | sed 's/.*:\\ //g' | tr -d '[:space:]' | tr -d '\\n'`\n"
output += BLOCK_JSON_TMPL.format(rule_name="misp_event_{}".format(event_id),
dst_networks=', '.join(ipdst),
urls=', '.join(urls),
event_info_comment=event_info) + "\n"
output += CURL_ADD_RULE_TMPL
# END building the .sh file
r = {"data": base64.b64encode(output.encode('utf-8')).decode('utf-8')}
return r
def introspection():
modulesetup = {}
try:
responseType
modulesetup['responseType'] = responseType
except NameError:
pass
try:
userConfig
modulesetup['userConfig'] = userConfig
except NameError:
pass
try:
outputFileExtension
modulesetup['outputFileExtension'] = outputFileExtension
except NameError:
pass
try:
inputSource
modulesetup['inputSource'] = inputSource
except NameError:
pass
return modulesetup
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo
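Review bot: Values taken from the event — `attr["value"]` in the ip-dst branch of the attribute loop and `event_info` passed as `event_info_comment` — are spliced verbatim into BLOCK_JSON_TMPL, which itself sits inside a single-quoted shell assignment (`BLOCK_RULE='...'`), so a `"` in an attribute value or event info breaks the JSON and a `'` breaks out of the shell quoting in the generated .sh; the same holds for `config['fmc_login']` / `config['fmc_pass']` in the `LOGINPASS_BASE64=` line, which only `urls` (percent-encoded via `quote`) is protected against. Build the rule as a dict and let `json.dumps` plus `shlex.quote` do the escaping, collecting raw values in `ipdst`/`urls` instead of pre-formatted template fragments (`shlex` is stdlib and needs an import at the top). Two smaller points in the same hunk: `config` is only bound when `"config" in request` but is read unconditionally from the `FIRESIGHT_IP_ADDR=` line on, so a request without a config raises NameError instead of returning `misperrors`; and the script is assembled inside `for ev in data`, so the header and credential lines repeat per event while `ipdst`/`urls` are never reset, which looks unintended. The generated script also runs `curl -k` (no certificate verification against the FMC) and carries the login and password in clear text — a sentence in `moduleinfo['description']` saying so would let operators treat the exported file as a secret.
```python
            # … unchanged: attribute loop, now appending attr["value"] to ipdst and the quoted url to urls …
            # shlex.quote makes each value a single safe shell word; the password never hits a bare '...'
            output += "LOGINPASS_BASE64={}\n".format(shlex.quote(
                base64.b64encode("{}:{}".format(config['fmc_login'], config['fmc_pass']).encode('utf-8')).decode('ascii')))
            # … unchanged: DOMAIN_ID / ACPOLICY_ID / ACC_TOKEN lines …
            rule = {
                "action": "BLOCK", "enabled": True, "type": "AccessRule",
                "name": "misp_event_{}".format(event_id),
                "destinationNetworks": {"literals": [{"type": "Host", "value": v} for v in ipdst]},
                "urls": {"literals": [{"type": "Url", "url": u} for u in urls]},
                "newComments": [event_info],
            }
            # json.dumps escapes quotes inside the values; shlex.quote wraps the whole JSON for the shell
            output += "BLOCK_RULE={}\n\n".format(shlex.quote(json.dumps(rule)))
            # … unchanged: CURL_ADD_RULE_TMPL …
```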