misp-taxonomies/tools/machinetag.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Python script parsing the MISP taxonomies expressed in Machine Tags (Triple
# Tags) to list all valid tags from a specific taxonomy.
#
# Copyright (c) 2015-2016 Alexandre Dulaunoy - a@foo.be
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
#    1. Redistributions of source code must retain the above copyright notice,
#       this list of conditions and the following disclaimer.
#    2. Redistributions in binary form must reproduce the above copyright notice,
#       this list of conditions and the following disclaimer in the documentation
#       and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
# OF THE POSSIBILITY OF SUCH DAMAGE.

import json
import os.path
import argparse

taxonomies = ['admiralty-scale', 'adversary', 'tlp', 'circl', 'iep', 'kill-chain', 'veris', 'ecsirt', 'enisa', 'dni-ism', 'europol-events', 'europol-incident', 'nato', 'euci', 'osint', 'first_csirt_case_classification', 'malware', 'de-vs', 'fr-classification','eu-critical-sectors','dhs-ciip-sectors','estimative-language', 'ms-caro-malware', 'information-security-indicators', 'open-threat']
argParser = argparse.ArgumentParser(description='Dump Machine Tags (Triple Tags) from MISP taxonomies', epilog='Available taxonomies are {0}'.format(taxonomies))
argParser.add_argument('-e', action='store_true', help='Include expanded tags')
argParser.add_argument('-a', action='store_true', help='Generate asciidoctor document from MISP taxonomies')
argParser.add_argument('-v', action='store_true', help='Include descriptions')
argParser.add_argument('-n', default=False, help='Show only the specified namespace')
args = argParser.parse_args()

doc = ''
if args.a:
    doc = doc + ":toc: right\n"
    doc = doc + ":icons: font\n"
    doc = doc + ":images-cdn: https://raw.githubusercontent.com/MISP/MISP/master/INSTALL/logos/\n"
    doc = doc + "= MISP taxonomies and classification as machine tags\n\n"
    doc = doc + "Generated from https://github.com/MISP/misp-taxonomies.\n\n"
    doc = doc + "\nimage::{images-cdn}misp-logo.png[MISP logo]\n"
    doc = doc + "Taxonomies that can be used in MISP (2.4) and other information sharing tool and expressed in Machine Tags (Triple Tags). A machine tag is composed of a namespace (MUST), a predicate (MUST) and an (OPTIONAL) value. Machine tags are often called triple tag due to their format.\n"
    doc = doc + "\n\n"

if args.n:
    del taxonomies[:]
    taxonomies.append(args.n)

def asciidoc(content=False, adoc=doc, t='title'):
    if not args.a:
        return False
    adoc = adoc + "\n"
    if t == 'title':
        content = '==== ' + content
    elif t == 'predicate':
        content = '=== ' + content
    elif t == 'namespace':
        content = '== ' + content + '\n'
        content = content + 'NOTE: ' + namespace + ' namespace available in JSON format at https://github.com/MISP/misp-taxonomies/blob/master/' + namespace + '/machinetag.json[*this location*]. The JSON format can be freely reused in your application or automatically enabled in https://www.github.com/MISP/MISP[MISP] taxonomy.'
    elif t == 'description':
        content = '\n'+content+'\n'
    adoc = adoc + content
    return adoc

def machineTag(namespace=False, predicate=False, value=None):

    if namespace is False or predicate is False:
        return None
    if value is None:
        return (u'{0}:{1}'.format(namespace, predicate))
    else:
        return (u'{0}:{1}=\"{2}\"'.format(namespace, predicate, value))

for taxonomy in taxonomies:
    filename = os.path.join("../", taxonomy, "machinetag.json")
    with open(filename) as fp:
        t = json.load(fp)
    namespace = t['namespace']
    if t.get('expanded'):
        expanded_namespace = t['expanded']
    else:
        expanded_namespace = namespace
    if args.a:
       doc = asciidoc(content=t['namespace'], adoc=doc, t='namespace')
       doc = asciidoc(content=t['description'], adoc=doc, t='description')
    if args.v:
        print ('{0}'.format(t['description']))
    for predicate in t['predicates']:
        if args.a:
            doc = asciidoc(content=predicate['value'], adoc=doc, t='predicate')
        if t.get('values') is None:
            if args.a:
                doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['value']), adoc=doc)
                doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['expanded']), adoc=doc, t='description')
                if predicate.get('description'):
                    doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['description']), adoc=doc, t='description')
            else:
                print (machineTag(namespace=namespace, predicate=predicate['value']))
            if args.e:
                 print ("--> " + machineTag(namespace=expanded_namespace, predicate=predicate['expanded']))
                 if predicate.get('description'):
                     print ("--> " + predicate['description'])
        else:
            for e in t['values']:
                if e['predicate'] == predicate['value']:
                    if 'expanded' in predicate:
                        expanded = predicate['expanded']
                    for v in e['entry']:
                        if args.a and 'expanded' in v:
                            doc = asciidoc(content=machineTag(namespace=namespace, predicate=e['predicate'], value=v['value']), adoc=doc)
                            doc = asciidoc(content=machineTag(namespace=namespace, predicate=v['expanded']), adoc=doc, t='description')
                        else:
                            print (machineTag(namespace=namespace, predicate=e['predicate'], value=v['value']))
                        if args.e:
                            if'expanded' in v:
                                print ("--> " + machineTag(namespace=namespace, predicate=expanded, value=v['expanded']))

if args.a:
    print (doc)