示例1: _dump
# 需要导入模块: from pymisp import MISPEvent [as 别名]
# 或者: from pymisp.MISPEvent import load [as 别名]
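def _dump(self, event=None):
    """Write a MISP event to ``<cur_path>/misp_events`` as JSON and return the file name.

    Args:
        event: ``None`` (dump the event attached to the current session), a
            ``MISPEvent``, or anything ``MISPEvent.load`` accepts (dict / JSON).

    Returns:
        The file name (relative to the ``misp_events`` directory) the dump was
        written to.

    The name is ``<event id>.json`` when the event has an id — the same form
    ``MispEvent.current_dump_file``, ``store --open`` and ``store --delete``
    use, so the dump can be found again — else the session's current dump
    file, else the first free ``new_event_<n>.json``.
    """
    event_path = os.path.join(self.cur_path, 'misp_events')
    if not os.path.exists(event_path):
        os.makedirs(event_path)
    if not event:
        to_dump = __sessions__.current.misp_event.event
    elif isinstance(event, MISPEvent):
        to_dump = event
    else:
        to_dump = MISPEvent()
        to_dump.load(event)
    if to_dump.id:
        # The id becomes a file name; it may originate from a remote MISP
        # instance's response. MISP event ids are numeric, so no path
        # separators are expected here — TODO confirm against callers.
        filename = '{}.json'.format(to_dump.id)
    elif (__sessions__.is_attached_misp(True) and
          __sessions__.current.misp_event.current_dump_file):
        filename = __sessions__.current.misp_event.current_dump_file
    else:
        # Unsaved event without an id: pick the first unused new_event_<n>.json.
        index = 1
        while True:
            filename = 'new_event_{}.json'.format(index)
            if not os.path.exists(os.path.join(event_path, filename)):
                break
            index += 1
    path = os.path.join(event_path, filename)
    with open(path, 'w') as f:
        f.write(to_dump.to_json())
    # str.rstrip('.json') strips *characters* from the right, not the suffix
    # ('json.json' -> ''), so cut the extension explicitly for the message.
    shown = filename[:-len('.json')] if filename.endswith('.json') else filename
    self.log('success', '{} stored successfully.'.format(shown))
    return filename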
示例2: test_eventObject
# 需要导入模块: from pymisp import MISPEvent [as 别名]
# 或者: from pymisp.MISPEvent import load [as 别名]
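def test_eventObject(self, m):
    """Load a stored event JSON into a MISPEvent and check both encoders serialise it.

    Args:
        m: the requests mock handed to ``initURI`` (fixture from the test framework).

    The JSON fixture is read through a ``with`` block so the file handle is
    closed even if ``MISPEvent.load`` raises.
    """
    self.initURI(m)
    pymisp = PyMISP(self.domain, self.key)
    misp_event = MISPEvent(pymisp.describe_types)
    with open('tests/57c4445b-c548-4654-af0b-4be3950d210f.json', 'r') as f:
        misp_event.load(f.read())
    # Both encoders must accept the loaded event without raising.
    json.dumps(misp_event, cls=EncodeUpdate)
    json.dumps(misp_event, cls=EncodeFull)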
示例3: download
# 需要导入模块: from pymisp import MISPEvent [as 别名]
# 或者: from pymisp.MISPEvent import load [as 别名]
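def download(self):
    """Download malware samples from MISP into ``<cur_path>/misp_samples/<event id>/``.

    Which samples, by command-line argument:
      * ``--hash``: the sample(s) matching that hash;
      * ``--list`` with no ids: every locally stored event; ``--list ID...``:
        those events;
      * otherwise the current event (``_get_eventid``).

    A single downloaded sample is opened in a new session; several are
    listed through ``_display_tmp_files``. Errors are logged via ``self.log``.
    """
    if self.offline_mode:
        self.log('error', 'Offline mode, unable to download a sample')
        return
    ok = False
    data = None
    if self.args.hash:
        ok, data = self.misp.download_samples(sample_hash=self.args.hash)
    elif self.args.list is not None:
        if len(self.args.list) == 0:
            event_path = os.path.join(self.cur_path, 'misp_events')
            list_events = [eid for eid, _path, _title in self._get_local_events(event_path)]
        else:
            list_events = self.args.list
        all_data = []
        for eid in list_events:
            me = MISPEvent()
            me.load(self.misp.get(eid))
            ok, data = self.misp.download_samples(event_id=me.id)
            if not ok:
                # Report this event and carry on with the others.
                self.log('error', data)
                continue
            if data:
                all_data += data
        # Per-event failures were logged above; what was collected is valid,
        # so the status of the *last* event must not decide the whole run.
        ok = True
        data = all_data
    else:
        event_id = self._get_eventid()
        if event_id is None:
            return
        ok, data = self.misp.download_samples(event_id=event_id)
    if not ok:
        self.log('error', data)
        return
    to_print = []
    samples_path = os.path.join(self.cur_path, 'misp_samples')
    for eid, filename, payload in data:
        # Both path components come from the MISP response: reduce them to
        # bare names so the sample always lands under samples_path.
        event_dir = os.path.basename(str(eid))
        sample_name = os.path.basename(filename)
        if event_dir in ('', '.', '..') or sample_name in ('', '.', '..'):
            self.log('error', 'Skipping sample with unusable name: {!r} / {!r}'.format(eid, filename))
            continue
        path = os.path.join(samples_path, event_dir, sample_name)
        if not os.path.exists(os.path.dirname(path)):
            os.makedirs(os.path.dirname(path))
        with open(path, 'wb') as f:
            f.write(payload.getvalue())
        to_print.append((eid, path))
    if len(to_print) == 1:
        self.log('success', 'The sample has been downloaded from Event {}'.format(to_print[0][0]))
        event = self.misp.get(to_print[0][0])
        if not self._has_error_message(event):
            return __sessions__.new(to_print[0][1], MispEvent(event, self.offline_mode))
    elif len(to_print) > 1:
        self.log('success', 'The following files have been downloaded:')
        self._display_tmp_files()
    else:
        self.log('warning', 'No samples available.')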
示例4: _change_event
# 需要导入模块: from pymisp import MISPEvent [as 别名]
# 或者: from pymisp.MISPEvent import load [as 别名]
def _change_event(self):
    """Push the session's event to MISP (update if it has an id, else create it).

    In offline mode the event is only dumped to disk. After a successful
    upload the server's copy is reloaded and handed to ``_check_add``; any
    failure while doing so is logged rather than raised.
    """
    if self.offline_mode:
        self._dump()
        return
    current = __sessions__.current.misp_event.event
    if current.id:
        event = self.misp.update(current)
    else:
        event = self.misp.add_event(current)
    if self._has_error_message(event):
        return
    try:
        reloaded = MISPEvent()
        reloaded.load(event)
        self._check_add(reloaded)
    except Exception as err:
        self.log('error', err)
示例5: MispEvent
# 需要导入模块: from pymisp import MISPEvent [as 别名]
# 或者: from pymisp.MISPEvent import load [as 别名]
class MispEvent(object):
    """Wrap a pymisp ``MISPEvent`` for a Viper session.

    Tracks the file the event was/will be dumped to (``current_dump_file``)
    and whether the session is offline (``off``), and offers small
    extractors over the event's attributes.
    """

    def __init__(self, event, offline=False):
        """Accept a ``MISPEvent``, a path to an event JSON file, or raw event data.

        A string naming an existing file goes through ``load_file``; any
        other non-MISPEvent value is handed to ``MISPEvent.load``.
        """
        if isinstance(event, MISPEvent):
            self.event = event
        else:
            self.event = MISPEvent()
            is_existing_path = isinstance(event, six.string_types) and os.path.exists(event)
            if is_existing_path:
                self.event.load_file(event)
            else:
                self.event.load(event)
        self.off = offline
        # Events with an id are dumped as <id>.json; others get a name later.
        self.current_dump_file = '{}.json'.format(self.event.id) if self.event.id else None

    def online(self):
        """Mark the session as online."""
        self.off = False

    def offline(self):
        """Mark the session as offline."""
        self.off = True

    def get_all_ips(self):
        """Values of the ``ip-dst`` / ``ip-src`` attributes, in event order."""
        wanted = ('ip-dst', 'ip-src')
        return [attr.value for attr in self.event.attributes if attr.type in wanted]

    def get_all_domains(self):
        """Values of the ``domain`` / ``hostname`` attributes, in event order."""
        wanted = ('domain', 'hostname')
        return [attr.value for attr in self.event.attributes if attr.type in wanted]

    def get_all_urls(self):
        """Values of the ``url`` attributes, in event order."""
        return [attr.value for attr in self.event.attributes if attr.type == 'url']

    def get_all_hashes(self):
        """Return ``(event_hashes, sample_hashes)``.

        ``event_hashes`` holds plain md5/sha1/sha256 values plus the hash
        part of ``filename|<hash>`` attributes; ``sample_hashes`` holds the
        hash part of ``malware-sample`` attributes.
        """
        event_hashes = []
        sample_hashes = []
        for attr in self.event.attributes:
            kind = attr.type
            if kind in ('md5', 'sha1', 'sha256'):
                event_hashes.append(attr.value)
            elif kind in ('filename|md5', 'filename|sha1', 'filename|sha256'):
                event_hashes.append(attr.value.split('|')[1])
            elif kind == 'malware-sample':
                sample_hashes.append(attr.value.split('|')[1])
        return event_hashes, sample_hashes
示例6: _search
# 需要导入模块: from pymisp import MISPEvent [as 别名]
# 或者: from pymisp.MISPEvent import load [as 别名]
def _search(self, query):
    """Search the MISP instance for ``query`` and list the matching events.

    For every hit, logs the event title, the number of ``malware-sample``
    attributes, the number of hash attributes (plain or ``filename|<hash>``)
    and a link to the event. Does nothing in offline mode or on an error
    response.
    """
    if self.offline_mode:
        self.log('error', 'Offline mode, unable to search')
        return
    result = self.misp.search_all(query)
    if self._has_error_message(result):
        return
    self.log('success', '{} matches on the following events:'.format(query))
    hash_types = ('md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256')
    for raw_event in result['response']:
        loaded = MISPEvent()
        loaded.load(raw_event)
        # Attributes attached to objects count as well as top-level ones.
        object_attributes = [attr for obj in loaded.objects for attr in obj.attributes]
        sample_count = 0
        hash_count = 0
        for attr in loaded.attributes + object_attributes:
            if attr.type == 'malware-sample':
                sample_count += 1
            if attr.type in hash_types:
                hash_count += 1
        self.log('item', '{} ({} samples, {} hashes) - {}{}{}'.format(loaded.info, sample_count, hash_count, self.url, '/events/view/', loaded.id))
示例7: _search_local_hashes
# 需要导入模块: from pymisp import MISPEvent [as 别名]
# 或者: from pymisp.MISPEvent import load [as 别名]
def _search_local_hashes(self, event, open_session=True):
    """Look up the event's hashes in the local Viper database.

    Args:
        event: a ``MISPEvent`` or a raw MISP response (must carry an ``Event`` key).
        open_session: when true, open a session on the (single) matching
            sample, or a MISP-only session listing the matches.

    Logs the number of ``malware-sample`` attributes and, with
    ``open_session``, which local samples belong to the event.
    """
    local_rows = []
    samples_count = 0
    if isinstance(event, MISPEvent):
        misp_event = event
    elif event.get('Event') is None:
        self.log('error', event)
        return
    else:
        misp_event = MISPEvent()
        misp_event.load(event)
    if not hasattr(misp_event, 'id'):
        # The event does not exist upstream: nothing to match against.
        return
    all_attributes = misp_event.attributes + [attribute for obj in misp_event.objects for attribute in obj.attributes]
    for attribute in all_attributes:
        kind = attribute.type
        if kind == 'malware-sample':
            samples_count += 1
        row = None
        if kind in ('md5', 'sha1', 'sha256'):
            row = Database().find(key=kind, value=attribute.value)
        elif kind in ('filename|md5', 'filename|sha1', 'filename|sha256'):
            row = Database().find(key=kind.split('|')[1], value=attribute.value.split('|')[1])
        elif kind == 'malware-sample':
            # The md5 of the sample sits after the '|' in the attribute value.
            row = Database().find(key='md5', value=attribute.value.split('|')[1])
        if row:
            local_rows.append(row[0])
    self.log('info', 'Event {} contains {} samples.'.format(misp_event.id, samples_count))
    if not open_session:
        return
    shas = {entry.sha256 for entry in local_rows}
    nb_local = len(shas)
    if nb_local == 1:
        __sessions__.new(get_sample_path(shas.pop()), MispEvent(misp_event, self.offline_mode))
    elif nb_local > 1:
        self.log('success', 'The following samples are in this viper instance:')
        __sessions__.new(misp_event=MispEvent(misp_event, self.offline_mode))
        for sha in shas:
            self.log('item', sha)
    else:
        __sessions__.new(misp_event=MispEvent(misp_event, self.offline_mode))
        self.log('info', 'No known (in Viper) samples in that event.')
示例8: load_events_directory
# 需要导入模块: from pymisp import MISPEvent [as 别名]
# 或者: from pymisp.MISPEvent import load [as 别名]
def load_events_directory(self, directory):
    """Reset ``self.events`` and import every ``*.json`` event found in ``directory``.

    Each file is loaded into a fresh ``MISPEvent`` and passed to
    ``import_event``; ``MISPEvent.load`` is given the path directly.
    """
    self.events = []
    pattern = os.path.join(directory, '*.json')
    for event_file in glob.glob(pattern):
        loaded = MISPEvent()
        loaded.load(event_file)
        self.import_event(loaded)
示例9: check_hashes
# 需要导入模块: from pymisp import MISPEvent [as 别名]
# 或者: from pymisp.MISPEvent import load [as 别名]
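def check_hashes(self):
    """Cross-check the hashes of the current MISP event against VirusTotal.

    Fetches the event named by ``_get_eventid`` from MISP, collects its
    md5/sha1/sha256 values (plain attributes, the hash part of
    ``filename|<hash>`` and of ``malware-sample``), queries the VT endpoint
    configured as ``cfg.misp.misp_vturl`` once per remaining hash and logs
    the results. With ``--populate`` the VT report is folded back into the
    event through ``_prepare_attributes`` / ``__populate``. Without a
    private VT key the public 4 requests/minute quota is respected.
    Every error is logged and ends the command; nothing is raised.
    """
    if self.offline_mode:
        self.log('error', 'Offline mode, unable to query VirusTotal')
        return
    event_id = self._get_eventid()
    if event_id is None:
        return
    event = self.misp.get(event_id)
    if self._has_error_message(event):
        return
    misp_event = MISPEvent()
    misp_event.load(event)
    event_hashes = []
    # NOTE(review): sample_hashes is never filled in here (malware-sample
    # hashes go into event_hashes below), so the 'Sample available in MISP'
    # branch cannot trigger; MispEvent.get_all_hashes separates them — confirm intent.
    sample_hashes = []
    # Per hash: the attribute fields a new VT-derived attribute should inherit.
    base_new_attributes = {}
    for a in misp_event.attributes:
        h = None
        if a.type in ('md5', 'sha1', 'sha256'):
            h = a.value
            event_hashes.append(h)
        elif a.type in ('filename|md5', 'filename|sha1', 'filename|sha256', 'malware-sample'):
            h = a.value.split('|')[1]
            event_hashes.append(h)
        if h is not None:
            base_new_attributes[h] = {"category": a.category,
                                      "comment": '{} - Xchecked via VT: {}'.format(a.comment, h),
                                      "to_ids": a.to_ids,
                                      "Tag": a.Tag,
                                      "distribution": a.distribution}
    unk_vt_hashes = []
    vt_request = {'apikey': cfg.virustotal.virustotal_key}
    # Make sure to start getting reports for the longest possible hashes (reduce risks of collisions)
    hashes_to_check = sorted(event_hashes, key=len)
    original_attributes = len(misp_event.attributes)
    if cfg.virustotal.virustotal_has_private_key is False:
        quota = 4
        timeout = datetime.datetime.now() + datetime.timedelta(minutes=1)
    while len(hashes_to_check) > 0:
        vt_request['resource'] = hashes_to_check.pop()
        try:
            response = requests.post(cfg.misp.misp_vturl, data=vt_request, proxies=cfg.virustotal.proxies)
        except requests.ConnectionError:
            self.log('error', 'Failed to connect to VT for {}'.format(vt_request['resource']))
            return
        if response.status_code == 403:
            self.log('error', 'This command requires virustotal API key')
            self.log('error', 'Please check that your key have the right permissions')
            return
        try:
            result = response.json()
        except ValueError:
            # Body is not JSON (error page, empty reply); the bare except this
            # replaces also swallowed KeyboardInterrupt.
            self.log('error', 'Unable to get the report of {}'.format(vt_request['resource']))
            continue
        if result['response_code'] == 1:
            md5 = result['md5']
            sha1 = result['sha1']
            sha256 = result['sha256']
            # One report covers all three digests of the file: drop the siblings from the queue.
            hashes_to_check = [eh for eh in hashes_to_check if eh not in (md5, sha1, sha256)]
            link = [False, result['permalink']]
            # Do not re-add a link
            for a in misp_event.attributes:
                if a.value == link[1]:
                    link[0] = True
            if md5 in sample_hashes:
                self.log('success', 'Sample available in MISP:')
            else:
                self.log('success', 'Sample available in VT:')
            if self.args.populate:
                misp_event = self._prepare_attributes(md5, sha1, sha256, link, base_new_attributes, event_hashes, sample_hashes, misp_event)
            self.log('item', '{}\n\t{}\n\t{}\n\t{}'.format(link[1], md5, sha1, sha256))
            # NOTE(review): only answered queries count against the quota;
            # unknown hashes (else branch) are requests too — confirm with VT's limits.
            if cfg.virustotal.virustotal_has_private_key is False:
                if quota > 0:
                    quota -= 1
                else:
                    # total_seconds() keeps the sign; timedelta.seconds of an
                    # already-expired window is ~86399 and would sleep a day.
                    remaining = (timeout - datetime.datetime.now()).total_seconds()
                    if remaining > 0:
                        waiting_time = int(remaining) + 1  # round up: too long is safe, too short is not
                        self.log('warning', 'No private API key, 4 queries/min is the limit. Waiting for {} seconds.'.format(waiting_time))
                        time.sleep(waiting_time)
                    quota = 4
                    timeout = datetime.datetime.now() + datetime.timedelta(minutes=1)
        else:
            unk_vt_hashes.append(vt_request['resource'])
    if self.args.populate:
        self.__populate(misp_event, original_attributes)
    if len(unk_vt_hashes) > 0:
        self.log('error', 'Unknown on VT:')
        for h in unk_vt_hashes:
            self.log('item', '{}'.format(h))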
示例10: check_hashes
# 需要导入模块: from pymisp import MISPEvent [as 别名]
# 或者: from pymisp.MISPEvent import load [as 别名]
def check_hashes(self):
if self.offline_mode:
self.log('error', 'Offline mode, unable to query VirusTotal')
return
event_id = self._get_eventid()
if event_id is None:
return
event = self.misp.get(event_id)
if self._has_error_message(event):
return
misp_event = MISPEvent()
misp_event.load(event)
hashes_to_expand = {}
hashes_expanded = [] # Thoses hashes are known and already processed
local_samples_hashes = []
partial_objects = {}
for o in misp_event.Object:
if o.name != 'file':
continue
if o.has_attributes_by_relation(['md5', 'sha1', 'sha256']):
# This object has all the hashes we care about
tmphashes = []
tmphashes += [h.value for h in o.get_attributes_by_relation('md5')]
tmphashes += [h.value for h in o.get_attributes_by_relation('sha1')]
tmphashes += [h.value for h in o.get_attributes_by_relation('sha256')]
# Make sure to query VT for the sha256, even if expanded locally
hashes_to_expand[o.get_attributes_by_relation('sha256')[0].value] = o.get_attributes_by_relation('sha256')[0]
if o.has_attributes_by_relation(['malware-sample']):
# ... and it has a malware sample
local_samples_hashes += tmphashes
hashes_expanded += tmphashes
elif o.has_attributes_by_relation(['malware-sample']):
# This object has a malware sample, but is missing hashes. We can expand locally.
# get the MD5 from the malware-sample attribute
malware_sample = o.get_attributes_by_relation('malware-sample')[0] # at most one sample/file object
local_samples_hashes.append(malware_sample.value.split('|')[1])
local_samples_hashes += [h.value for h in o.get_attributes_by_relation('md5')]
local_samples_hashes += [h.value for h in o.get_attributes_by_relation('sha1')]
local_samples_hashes += [h.value for h in o.get_attributes_by_relation('sha256')]
if self.args.populate:
# The object is missing hashes, keeping track of it for expansion if it isn't already done.
partial_objects[o.uuid] = malware_sample
else:
sha256 = {attribute.value: attribute for attribute in o.get_attributes_by_relation('sha256')}
sha1 = {attribute.value: attribute for attribute in o.get_attributes_by_relation('sha1')}
md5 = {attribute.value: attribute for attribute in o.get_attributes_by_relation('md5')}
if sha256:
hashes_to_expand.update(sha256)
elif sha1:
hashes_to_expand.update(sha1)
elif md5:
hashes_to_expand.update(md5)
for ref_uuid, sample in partial_objects.items():
if sample.value.split('|')[1] in hashes_expanded:
# Already expanded in an other object
continue
new_obj, hashes = self._expand_local_sample(pseudofile=sample.malware_binary,
filename=sample.value.split('|')[0],
refobj=ref_uuid,
default_attributes_paramaters=sample)
misp_event.Object += new_obj
local_samples_hashes += hashes
# Make sure to query VT for the sha256, even if expanded locally
hashes_to_expand[hashes[0]] = sample
hashes_expanded += local_samples_hashes
for a in misp_event.attributes:
if a.type == 'malware-sample' and a.value.split('|')[1] not in hashes_expanded:
new_obj, hashes = self._expand_local_sample(pseudofile=a.malware_binary,
filename=a.value.split('|')[0],
default_attributes_paramaters=a)
misp_event.Object += new_obj
local_samples_hashes += hashes
# Make sure to query VT for the sha256, even if expanded locally
hashes_to_expand[hashes[0]] = a
elif a.type in ('filename|md5', 'filename|sha1', 'filename|sha256'):
# We don't care if the hashes are in hashes_expanded or hashes_to_expand: they are firtered out later anyway
fname, hashval = a.value.split('|')
hashes_to_expand[hashval] = a
elif a.type in ('md5', 'sha1', 'sha256'):
# We don't care if the hashes are in hashes_expanded or hashes_to_expand: they are firtered out later anyway
hashes_to_expand[a.value] = a
unk_vt_hashes = []
if cfg.virustotal.virustotal_has_private_key is False:
quota = 4
timeout = datetime.datetime.now() + datetime.timedelta(minutes=1)
hashes_expanded += local_samples_hashes
processed_on_vt = []
# Make sure to start getting reports for the longest possible hashes (reduce risks of collisions)
for to_expand in sorted(list(set(hashes_to_expand)), key=len):
if to_expand in processed_on_vt:
# Always run VT, once per sample
continue
original_attribute = hashes_to_expand[to_expand]
if original_attribute.get('object_id'):
#.........这里部分代码省略.........
示例11: store
# 需要导入模块: from pymisp import MISPEvent [as 别名]
# 或者: from pymisp.MISPEvent import load [as 别名]
def store(self):
    """Manage the locally stored MISP events under ``<cur_path>/misp_events``.

    Exactly one branch runs, chosen by the command-line flags:
      * ``--list``: table of stored events (id, title), sorted by the numeric
        tail of the id (``new_event_3`` -> 3);
      * ``--update``: re-download every stored event from MISP and overwrite
        the local file (needs to be online);
      * ``--sync``: push every stored event to MISP — ``new_event_*`` files are
        created remotely, re-dumped under their new id and deleted; others are
        updated in place (needs to be online);
      * ``--delete ID`` / ``--open ID``: remove or open ``<ID>.json``;
      * no flag: dump the event attached to the current session.

    OS errors raised anywhere in the branches are logged, not propagated.
    """
    try:
        event_path = os.path.join(self.cur_path, 'misp_events')
        if not os.path.exists(event_path):
            os.mkdir(event_path)
        if self.args.list:
            header = ['Event ID', 'Title']
            rows = []
            # _get_local_events yields (event id, path, title) triples — inferred from the unpacking here.
            for eid, path, title in self._get_local_events(event_path):
                rows.append((eid, title))
            self.log('table', dict(header=header, rows=sorted(rows, key=lambda i: (int(i[0].split('_')[-1])))))
        elif self.args.update:
            if self.offline_mode:
                self.log('error', 'Offline mode, cannot update locally stored events.')
                return
            for eid, path, title in self._get_local_events(event_path):
                event = self.misp.get(eid)
                # The raw server response is stored as-is (no MISPEvent round trip).
                with open(path, 'w') as f:
                    f.write(json.dumps(event))
                self.log('success', '{} updated successfully.'.format(eid))
        elif self.args.sync:
            if self.offline_mode:
                self.log('error', 'Offline mode, cannot synchronize locally stored events.')
                return
            for eid, path, title in self._get_local_events(event_path):
                # Close the current session first: _dump() below would otherwise
                # pick up the attached event instead of the one being synced.
                __sessions__.close()
                event = MISPEvent()
                event.load(path)
                if 'new_event_' in path:
                    # Locally created event: create it remotely, store it under
                    # its new id and drop the new_event_<n>.json file.
                    event = self.misp.add_event(json.dumps(event, cls=EncodeUpdate))
                    try:
                        self._dump(event)
                        os.remove(path)
                    except Exception as e:
                        self.log('error', 'Unable to create new event: {}.'.format(e))
                else:
                    eid = event.id
                    try:
                        event = self.misp.update(event._json())
                    except Exception as e:
                        # NOTE(review): on failure `event` is still the local MISPEvent,
                        # which is what _has_error_message then inspects — confirm intended.
                        self.log('error', 'Unable to update event {}: {}.'.format(eid, e))
                # An error response from the server stops the whole sync.
                if self._has_error_message(event):
                    return
        elif self.args.delete:
            # The command-line id is used verbatim as the file-name stem.
            path = os.path.join(event_path, '{}.json'.format(self.args.delete))
            if os.path.exists(path):
                os.remove(path)
                self.log('success', '{} removed successfully.'.format(self.args.delete))
            else:
                self.log('error', '{} does not exists.'.format(self.args.delete))
        elif self.args.open:
            filename = '{}.json'.format(self.args.open)
            path = os.path.join(event_path, filename)
            if os.path.exists(path):
                try:
                    with open(path, 'r') as f:
                        e_json = json.load(f)
                    __sessions__.new(misp_event=MispEvent(e_json, self.offline_mode))
                    # Remember the file so a later _dump() overwrites it rather than creating a new one.
                    __sessions__.current.misp_event.current_dump_file = filename
                except Exception as e:
                    self.log('error', 'Unable to open {}: {}'.format(path, e))
            else:
                self.log('error', '{} does not exists.'.format(self.args.open))
        elif __sessions__.is_attached_misp():
            self._dump()
    except IOError as e:
        self.log('error', e.strerror)
示例12: MATCH
# 需要导入模块: from pymisp import MISPEvent [as 别名]
# 或者: from pymisp.MISPEvent import load [as 别名]
WHERE rel_cnt > 5
MATCH (m)-[r:has]->(n)
RETURN m, n LIMIT 200;
"""
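if __name__ == '__main__':
    # Import every MISP event matching a search string into a neo4j database.
    parser = argparse.ArgumentParser(description='Get all the events matching a value.')
    parser.add_argument("-s", "--search", required=True, help="String to search.")
    parser.add_argument("--host", default='localhost:7474', help="Host where neo4j is running.")
    parser.add_argument("-u", "--user", default='neo4j', help="User on neo4j.")
    # NOTE(review): a password given on the command line is visible to other
    # local users (process list, shell history); an environment variable or a
    # prompt would avoid that. The default is the neo4j factory password.
    parser.add_argument("-p", "--password", default='neo4j', help="Password on neo4j.")
    parser.add_argument("-d", "--deleteall", action="store_true", default=False, help="Delete all nodes from the database")
    args = parser.parse_args()
    neo4j = Neo4j(args.host, args.user, args.password)
    if args.deleteall:
        neo4j.del_all()
    misp = PyMISP(misp_url, misp_key)
    result = misp.search_all(args.search)
    for json_event in result['response']:
        if not json_event['Event']:
            print(json_event)
            continue
        print('Importing', json_event['Event']['info'], json_event['Event']['id'])
        try:
            misp_event = MISPEvent()
            misp_event.load(json_event)
            neo4j.import_event(misp_event)
        except Exception as e:
            # Keep importing the remaining events, but say what broke;
            # the bare except this replaces also swallowed KeyboardInterrupt.
            print('broken', e)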
示例13: ReportGenerator
# 需要导入模块: from pymisp import MISPEvent [as 别名]
# 或者: from pymisp.MISPEvent import load [as 别名]
class ReportGenerator():
def __init__(self, profile="daily_report"):
    """Prepare an empty report rendered with the ``profiles.<profile>`` template module.

    Args:
        profile: name of a module inside the ``profiles`` package that
            provides the template strings used by the other methods.
    """
    self.taxonomies = Taxonomies()
    self.report = ''
    module_name = "profiles.{}".format(profile)
    self.template = importlib.import_module(name=module_name)
def from_remote(self, event_id):
    """Fetch event ``event_id`` from the MISP instance configured in ``keys``.

    The connection settings are imported here rather than at module level so
    ``from_file`` works without a ``keys`` module.
    """
    from pymisp import PyMISP
    from keys import misp_url, misp_key, misp_verifycert
    client = PyMISP(misp_url, misp_key, misp_verifycert)
    fetched = client.get(event_id)
    self.misp_event = MISPEvent()
    self.misp_event.load(fetched)
def from_file(self, path):
    """Load the event to report on from a MISP JSON file at ``path``."""
    loaded = MISPEvent()
    self.misp_event = loaded
    loaded.load_file(path)
def attributes(self):
    """Render the attributes section of the report.

    Lists (defanged) values of top-level attributes whose type is in
    ``template.types_to_attach``, then those of attributes of objects whose
    name is in ``template.objects_to_attach``. Returns ``''`` when the event
    has no top-level attributes at all.
    """
    if not self.misp_event.attributes:
        return ''
    wanted_types = self.template.types_to_attach
    lines = ["* {}".format(defang(attribute.value))
             for attribute in self.misp_event.attributes
             if attribute.type in wanted_types]
    for obj in self.misp_event.Object:
        if obj.name not in self.template.objects_to_attach:
            continue
        lines.extend("* {}".format(defang(attribute.value))
                     for attribute in obj.Attribute
                     if attribute.type in wanted_types)
    return self.template.attributes.format(list_attributes="\n".join(lines))
def _get_tag_info(self, machinetag):
return self.taxonomies.revert_machinetag(machinetag)
def report_headers(self):
content = {'org_name': 'name',
'date': date.today().isoformat()}
self.report += self.template.headers.format(**content)
def event_level_tags(self):
if not self.misp_event.Tag:
return ''
for tag in self.misp_event.Tag:
# Only look for TLP for now
if tag['name'].startswith('tlp'):
tax, predicate = self._get_tag_info(tag['name'])
return self.template.event_level_tags.format(value=predicate.predicate.upper(), expanded=predicate.expanded)
def title(self):
internal_id = ''
summary = ''
# Get internal refs for report
for obj in self.misp_event.Object:
if obj.name != 'report':
continue
for a in obj.Attribute:
if a.object_relation == 'case-number':
internal_id = a.value
if a.object_relation == 'summary':
summary = a.value
return self.template.title.format(internal_id=internal_id, title=self.misp_event.info,
summary=summary)
def asciidoc(self, lang='en'):
self.report += self.title()
self.report += self.event_level_tags()
self.report += self.attributes()