fix: Make flake8 happy.

pull/302/head
Raphaël Vinot 2019-04-16 11:25:39 +02:00
parent d24a6e2e24
commit f5167c2f23
1 changed files with 76 additions and 71 deletions

View File

@ -11,21 +11,20 @@
import json import json
import base64 import base64
import csv
from urllib.parse import quote from urllib.parse import quote
misperrors = {'error': 'Error'} misperrors = {'error': 'Error'}
moduleinfo = {'version': '1', 'author': 'Stanislav Klevtsov', moduleinfo = {'version': '1', 'author': 'Stanislav Klevtsov',
'description': 'Export malicious network activity attributes of the MISP event to Cisco firesight manager block rules', 'description': 'Export malicious network activity attributes of the MISP event to Cisco firesight manager block rules',
'module-type': ['export']} 'module-type': ['export']}
moduleconfig = ['fmc_ip_addr', 'fmc_login', 'fmc_pass', 'domain_id', 'acpolicy_id'] moduleconfig = ['fmc_ip_addr', 'fmc_login', 'fmc_pass', 'domain_id', 'acpolicy_id']
fsmapping = {"ip-dst":"dst", "url":"request"} fsmapping = {"ip-dst": "dst", "url": "request"}
mispattributes = {'input':list(fsmapping.keys())} mispattributes = {'input': list(fsmapping.keys())}
# options: event, attribute, event-collection, attribute-collection # options: event, attribute, event-collection, attribute-collection
inputSource = ['event'] inputSource = ['event']
@ -48,88 +47,94 @@ curl -X POST -v -k -H 'Content-Type: application/json' -H \"Authorization: Basic
def handler(q=False): def handler(q=False):
if q is False: if q is False:
return False return False
r = {'results': []}
request = json.loads(q)
if "config" in request: r = {'results': []}
config = request["config"] request = json.loads(q)
#check if config is empty if "config" in request:
if not config['fmc_ip_addr']: config['fmc_ip_addr'] = "0.0.0.0" config = request["config"]
if not config['fmc_login']: config['fmc_login'] = "login"
if not config['fmc_pass']: config['fmc_pass'] = "password"
if not config['domain_id']: config['domain_id'] = "SET_FIRESIGHT_DOMAIN_ID"
if not config['acpolicy_id']: config['acpolicy_id'] = "SET_FIRESIGHT_ACPOLICY_ID"
data = request["data"] # check if config is empty
output = "" if not config['fmc_ip_addr']:
ipdst = [] config['fmc_ip_addr'] = "0.0.0.0"
urls = [] if not config['fmc_login']:
config['fmc_login'] = "login"
if not config['fmc_pass']:
config['fmc_pass'] = "password"
if not config['domain_id']:
config['domain_id'] = "SET_FIRESIGHT_DOMAIN_ID"
if not config['acpolicy_id']:
config['acpolicy_id'] = "SET_FIRESIGHT_ACPOLICY_ID"
#populate the ACL rule with attributes data = request["data"]
for ev in data: output = ""
ipdst = []
urls = []
event = ev["Attribute"] # populate the ACL rule with attributes
event_id = ev["Event"]["id"] for ev in data:
event_info = ev["Event"]["info"]
for index, attr in enumerate(event): event = ev["Attribute"]
if attr["to_ids"] is True: event_id = ev["Event"]["id"]
event_info = ev["Event"]["info"]
if attr["type"] in fsmapping: for index, attr in enumerate(event):
if attr["type"] in "ip-dst": if attr["to_ids"] is True:
ipdst.append(BLOCK_DST_JSON_TMPL.format(ipdst=attr["value"])) if attr["type"] in fsmapping:
else: if attr["type"] == "ip-dst":
urls.append(BLOCK_URL_JSON_TMPL.format(url=quote(attr["value"], safe='@/:;?&=-_.,+!*'))) ipdst.append(BLOCK_DST_JSON_TMPL.format(ipdst=attr["value"]))
else:
urls.append(BLOCK_URL_JSON_TMPL.format(url=quote(attr["value"], safe='@/:;?&=-_.,+!*')))
# building the .sh file
output += SH_FILE_HEADER
output += "FIRESIGHT_IP_ADDR='{}'\n".format(config['fmc_ip_addr'])
#building the .sh file output += "LOGINPASS_BASE64=`echo -n '{}:{}' | base64`\n".format(config['fmc_login'], config['fmc_pass'])
output += SH_FILE_HEADER output += "DOMAIN_ID='{}'\n".format(config['domain_id'])
output += "FIRESIGHT_IP_ADDR='" + config['fmc_ip_addr'] + "'\n" output += "ACPOLICY_ID='{}'\n\n".format(config['acpolicy_id'])
output += "LOGINPASS_BASE64=`echo -n '" + config['fmc_login'] + ":" + config['fmc_pass'] + "' | base64`\n" output += "ACC_TOKEN=`curl -X POST -v -k -sD - -o /dev/null -H \"Authorization: Basic $LOGINPASS_BASE64\" -i \"https://$FIRESIGHT_IP_ADDR/api/fmc_platform/v1/auth/generatetoken\" | grep -i x-auth-acc | sed 's/.*:\\ //g' | tr -d '[:space:]' | tr -d '\\n'`\n"
output += "DOMAIN_ID='" + config['domain_id'] + "'\n"
output += "ACPOLICY_ID='" + config['acpolicy_id'] + "'\n\n"
output += "ACC_TOKEN=`curl -X POST -v -k -sD - -o /dev/null -H \"Authorization: Basic $LOGINPASS_BASE64\" -i \"https://$FIRESIGHT_IP_ADDR/api/fmc_platform/v1/auth/generatetoken\" | grep -i x-auth-acc | sed 's/.*:\\ //g' | tr -d '[:space:]' | tr -d '\\n'`" + "\n"
output += BLOCK_JSON_TMPL.format(rule_name="misp_event_"+event_id,dst_networks=', '.join(ipdst), urls=', '.join(urls), event_info_comment=event_info) + "\n" output += BLOCK_JSON_TMPL.format(rule_name="misp_event_{}".format(event_id),
dst_networks=', '.join(ipdst),
urls=', '.join(urls),
event_info_comment=event_info) + "\n"
output += CURL_ADD_RULE_TMPL output += CURL_ADD_RULE_TMPL
# END building the .sh file # END building the .sh file
r = {"data":base64.b64encode(output.encode('utf-8')).decode('utf-8')} r = {"data": base64.b64encode(output.encode('utf-8')).decode('utf-8')}
return r return r
def introspection(): def introspection():
modulesetup = {} modulesetup = {}
try: try:
responseType responseType
modulesetup['responseType'] = responseType modulesetup['responseType'] = responseType
except NameError: except NameError:
pass pass
try: try:
userConfig userConfig
modulesetup['userConfig'] = userConfig modulesetup['userConfig'] = userConfig
except NameError: except NameError:
pass pass
try: try:
outputFileExtension outputFileExtension
modulesetup['outputFileExtension'] = outputFileExtension modulesetup['outputFileExtension'] = outputFileExtension
except NameError: except NameError:
pass pass
try: try:
inputSource inputSource
modulesetup['inputSource'] = inputSource modulesetup['inputSource'] = inputSource
except NameError: except NameError:
pass pass
return modulesetup return modulesetup
def version(): def version():
moduleinfo['config'] = moduleconfig moduleinfo['config'] = moduleconfig
return moduleinfo return moduleinfo