import json import base64 import datetime misperrors = {'error': 'Error'} # possible module-types: 'expansion', 'hover' or both moduleinfo = {'version': '1', 'author': 'Hannah Ward', 'description': 'Export a module in CEF format', 'module-type': ['export']} # config fields that your code expects from the site admin moduleconfig = ["Default_Severity", "Device_Vendor", "Device_Product", "Device_Version"] cefmapping = {"ip-src":"src", "ip-dst":"dst", "hostname":"dhost", "domain":"dhost", "md5":"fileHash", "sha1":"fileHash", "sha256":"fileHash", "url":"request"} mispattributes = {'input':list(cefmapping.keys())} outputFileExtension = "cef" responseType = "application/txt" def handler(q=False): if q is False: return False request = json.loads(q) if "config" in request: config = request["config"] else: config = {"Default_Severity":1, "Device_Vendor":"MISP", "Device_Product":"MISP", "Device_Version":1} data = request["data"] response = "" for ev in data: event = ev["Attribute"] for attr in event: if attr["type"] in cefmapping: response += "{} host CEF:0|{}|{}|{}|{}|{}|{}|{}={}\n".format( datetime.datetime.fromtimestamp(int(attr["timestamp"])).strftime("%b %d %H:%M:%S"), config["Device_Vendor"], config["Device_Product"], config["Device_Version"], attr["category"], attr["category"], config["Default_Severity"], cefmapping[attr["type"]], attr["value"], ) r = {"response":[], "data":str(base64.b64encode(bytes(response, 'utf-8')), 'utf-8')} return r def introspection(): modulesetup = {} try: responseType modulesetup['responseType'] = responseType except NameError: pass try: userConfig modulesetup['userConfig'] = userConfig except NameError: pass try: outputFileExtension modulesetup['outputFileExtension'] = outputFileExtension except NameError: pass try: inputSource modulesetup['inputSource'] = inputSource except NameError: pass return modulesetup def version(): moduleinfo['config'] = moduleconfig return moduleinfo