PyPI - pymisp - Versions diffs - 2.5.3__py3-none-any.whl → 2.5.7__py3-none-any.whl - Mend

pymisp 2.5.3py3-none-any.whl → 2.5.7py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of pymisp might be problematic. Click here for more details.

Files changed (162) hide show

CHANGELOG.txt +5380 -0
examples/__init__.py +0 -0
examples/add_attributes_from_csv.py +74 -0
examples/add_email_object.py +29 -0
examples/add_fail2ban_object.py +86 -0
examples/add_feed.py +25 -0
examples/add_file_object.py +47 -0
examples/add_filetype_object_from_csv.py +53 -0
examples/add_generic_object.py +26 -0
examples/add_github_user.py +65 -0
examples/add_gitlab_user.py +56 -0
examples/add_named_attribute.py +25 -0
examples/add_organisations.py +57 -0
examples/add_ssh_authorized_keys.py +29 -0
examples/add_user.py +22 -0
examples/add_vehicle_object.py +22 -0
examples/addtag2.py +45 -0
examples/asciidoc_generator.py +114 -0
examples/cache_all.py +10 -0
examples/copyTagsFromAttributesToEvent.py +68 -0
examples/copy_list.py +93 -0
examples/create_events.py +26 -0
examples/cytomic_orion.py +549 -0
examples/del.py +22 -0
examples/delete_user.py +16 -0
examples/edit_organisation.py +20 -0
examples/edit_user.py +20 -0
examples/falsepositive_disabletoids.py +136 -0
examples/fetch_events_feed.py +15 -0
examples/fetch_warninglist_hits.py +38 -0
examples/freetext.py +22 -0
examples/generate_file_objects.py +78 -0
examples/generate_meta_feed.py +15 -0
examples/get.py +37 -0
examples/get_csv.py +37 -0
examples/get_network_activity.py +187 -0
examples/last.py +48 -0
examples/load_csv.py +94 -0
examples/lookup.py +28 -0
examples/misp2cef.py +71 -0
examples/misp2clamav.py +52 -0
examples/openioc_to_misp.py +27 -0
examples/proofpoint_tap.py +203 -0
examples/proofpoint_vap.py +65 -0
examples/search.py +48 -0
examples/search_attributes_yara.py +40 -0
examples/search_sighting.py +42 -0
examples/server_sync_check_conn.py +32 -0
examples/sharing_groups.py +15 -0
examples/show_sightings.py +168 -0
examples/stats_report.py +405 -0
examples/sync_sighting.py +171 -0
examples/tags.py +25 -0
examples/test_sign.py +19 -0
examples/trustar_misp.py +59 -0
examples/up.py +21 -0
examples/upload.py +60 -0
examples/users_list.py +15 -0
examples/vmray_automation.py +281 -0
examples/vt_to_misp.py +182 -0
examples/warninglists.py +22 -0
examples/yara.py +38 -0
examples/yara_dump.py +98 -0
pymisp/api.py +33 -5
pymisp/data/misp-objects/objects/android-app/definition.json +8 -2
pymisp/data/misp-objects/objects/instagram-account/definition.json +66 -0
pymisp/data/misp-objects/objects/lnk/definition.json +13 -1
pymisp/data/misp-objects/objects/rmm/definition.json +88 -0
pymisp/data/misp-objects/objects/spambee-report/definition.json +54 -0
pymisp/data/misp-objects/objects/target-system/definition.json +2 -2
pymisp/data/misp-objects/objects/vulnerability/definition.json +5 -4
pymisp/data/misp-objects/relationships/definition.json +17 -1
pymisp/data/misp-objects/schema_objects.json +1 -1
pymisp/mispevent.py +95 -23
{pymisp-2.5.3.dist-info → pymisp-2.5.7.dist-info}/METADATA +23 -28
{pymisp-2.5.3.dist-info → pymisp-2.5.7.dist-info}/RECORD +144 -30
{pymisp-2.5.3.dist-info → pymisp-2.5.7.dist-info}/WHEEL +1 -1
tests/57c4445b-c548-4654-af0b-4be3950d210f.json +1 -0
tests/__init__.py +0 -0
tests/csv_testfiles/invalid_fieldnames.csv +11 -0
tests/csv_testfiles/valid_fieldnames.csv +4 -0
tests/email_testfiles/mail_1.eml.zip +0 -0
tests/email_testfiles/mail_1.msg +0 -0
tests/email_testfiles/mail_1_bom.eml +858 -0
tests/email_testfiles/mail_1_headers_only.eml +28 -0
tests/email_testfiles/mail_2.eml +32 -0
tests/email_testfiles/mail_3.eml +170 -0
tests/email_testfiles/mail_3.msg +0 -0
tests/email_testfiles/mail_4.msg +0 -0
tests/email_testfiles/mail_5.msg +0 -0
tests/email_testfiles/mail_multiple_to.eml +15 -0
tests/email_testfiles/source +1 -0
tests/git-vuln-finder-quagga.json +1493 -0
tests/misp_event.json +76 -0
tests/mispevent_testfiles/attribute.json +21 -0
tests/mispevent_testfiles/attribute_del.json +23 -0
tests/mispevent_testfiles/def_param.json +53 -0
tests/mispevent_testfiles/event.json +8 -0
tests/mispevent_testfiles/event_obj_attr_tag.json +57 -0
tests/mispevent_testfiles/event_obj_def_param.json +62 -0
tests/mispevent_testfiles/event_obj_tag.json +29 -0
tests/mispevent_testfiles/event_tags.json +18 -0
tests/mispevent_testfiles/existing_event.json +4599 -0
tests/mispevent_testfiles/existing_event_edited.json +4601 -0
tests/mispevent_testfiles/galaxy.json +25 -0
tests/mispevent_testfiles/malware.json +19 -0
tests/mispevent_testfiles/malware_exist.json +163 -0
tests/mispevent_testfiles/misp_custom_obj.json +38 -0
tests/mispevent_testfiles/overwrite_file/definition.json +457 -0
tests/mispevent_testfiles/proposals.json +35 -0
tests/mispevent_testfiles/shadow.json +148 -0
tests/mispevent_testfiles/sighting.json +5 -0
tests/mispevent_testfiles/simple.json +2 -0
tests/mispevent_testfiles/test_object_template/definition.json +29 -0
tests/new_misp_event.json +34 -0
tests/reportlab_testfiles/HTML_event.json +1 -0
tests/reportlab_testfiles/galaxy_1.json +1250 -0
tests/reportlab_testfiles/image_event.json +2490 -0
tests/reportlab_testfiles/japanese_test.json +156 -0
tests/reportlab_testfiles/japanese_test_heavy.json +318 -0
tests/reportlab_testfiles/long_event.json +3730 -0
tests/reportlab_testfiles/mainly_objects_1.json +1092 -0
tests/reportlab_testfiles/mainly_objects_2.json +977 -0
tests/reportlab_testfiles/sighting_1.json +305 -0
tests/reportlab_testfiles/sighting_2.json +221 -0
tests/reportlab_testfiles/to_delete1.json +804 -0
tests/reportlab_testfiles/to_delete2.json +1 -0
tests/reportlab_testfiles/to_delete3.json +1 -0
tests/reportlab_testfiles/very_long_event.json +1006 -0
tests/reportlab_testoutputs/to_delete1.json.pdf +391 -0
tests/reportlab_testoutputs/to_delete2.json.pdf +506 -0
tests/reportlab_testoutputs/to_delete3.json.pdf +277 -0
tests/search_index_result.json +69 -0
tests/sharing_groups.json +98 -0
tests/stix1.xml-utf8 +110 -0
tests/stix2.json +1 -0
tests/test_analyst_data.py +123 -0
tests/test_emailobject.py +157 -0
tests/test_fileobject.py +20 -0
tests/test_mispevent.py +473 -0
tests/test_reportlab.py +431 -0
tests/testlive_comprehensive.py +3734 -0
tests/testlive_sync.py +474 -0
pymisp/data/misp-objects/.git +0 -1
pymisp/data/misp-objects/.gitchangelog.rc +0 -289
pymisp/data/misp-objects/.github/workflows/codeql.yml +0 -41
pymisp/data/misp-objects/.github/workflows/nosetests.yml +0 -39
pymisp/data/misp-objects/.travis.yml +0 -16
pymisp/data/misp-objects/LICENSE-software-only.md +0 -661
pymisp/data/misp-objects/LICENSE.md +0 -36
pymisp/data/misp-objects/README.md +0 -566
pymisp/data/misp-objects/docs/time-related-objects.ods +0 -0
pymisp/data/misp-objects/docs/time-related-objects.pdf +0 -0
pymisp/data/misp-objects/jq_all_the_things.sh +0 -29
pymisp/data/misp-objects/tools/adoc_objects.py +0 -145
pymisp/data/misp-objects/tools/alfred_links_to_relarelationships.py +0 -48
pymisp/data/misp-objects/tools/list_of_objects.py +0 -50
pymisp/data/misp-objects/tools/updated.sh +0 -6
pymisp/data/misp-objects/tools/validate_opposites.sh +0 -17
pymisp/data/misp-objects/unique_uuid.py +0 -16
pymisp/data/misp-objects/validate_all.sh +0 -38
{pymisp-2.5.3.dist-info → pymisp-2.5.7.dist-info}/LICENSE +0 -0

examples/addtag2.py ADDED Viewed

@@ -0,0 +1,45 @@
+#!/usr/bin/env python3
+from pymisp import PyMISP
+from keys import misp_url, misp_key, misp_verifycert
+import argparse
+def init(url, key):
+    return PyMISP(url, key, misp_verifycert, 'json')
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Tag something.')
+    parser.add_argument("-u", "--uuid", help="UUID to tag.")
+    parser.add_argument("-e", "--event", help="Event ID to tag.")
+    parser.add_argument("-a", "--attribute", help="Attribute ID to tag")
+    parser.add_argument("-t", "--tag", required=True, help="Tag ID.")
+    args = parser.parse_args()
+    if not args.event and not args.uuid and not args.attribute:
+        print("Please provide at least one of the following : uuid, eventID or attribute ID, see --help")
+        exit()
+    misp = init(misp_url, misp_key)
+    if args.event and not args.attribute:
+        result = misp.search(eventid=args.event)
+        for event in result:
+            uuid = event['Event']['uuid']
+    if args.attribute:
+        if not args.event:
+            print("Please provide event ID also")
+            exit()
+        result = misp.search(eventid=args.event)
+        for event in result:
+            for attribute in event['Event']['Attribute']:
+                if attribute["id"] == args.attribute:
+                    uuid = attribute["uuid"]
+    if args.uuid:
+        uuid = args.uuid
+    print("UUID tagged: %s" % uuid)
+    misp.tag(uuid, args.tag)

examples/asciidoc_generator.py ADDED Viewed

@@ -0,0 +1,114 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+import argparse
+from datetime import date
+import importlib
+from pymisp import MISPEvent
+from defang import defang
+from pytaxonomies import Taxonomies
+class ReportGenerator():
+    def __init__(self, profile="daily_report"):
+        self.taxonomies = Taxonomies()
+        self.report = ''
+        profile_name = "profiles.{}".format(profile)
+        self.template = importlib.import_module(name=profile_name)
+    def from_remote(self, event_id):
+        from pymisp import PyMISP
+        from keys import misp_url, misp_key, misp_verifycert
+        misp = PyMISP(misp_url, misp_key, misp_verifycert)
+        result = misp.get(event_id)
+        self.misp_event = MISPEvent()
+        self.misp_event.load(result)
+    def from_file(self, path):
+        self.misp_event = MISPEvent()
+        self.misp_event.load_file(path)
+    def attributes(self):
+        if not self.misp_event.attributes:
+            return ''
+        list_attributes = []
+        for attribute in self.misp_event.attributes:
+            if attribute.type in self.template.types_to_attach:
+                list_attributes.append("* {}".format(defang(attribute.value)))
+        for obj in self.misp_event.Object:
+            if obj.name in self.template.objects_to_attach:
+                for attribute in obj.Attribute:
+                    if attribute.type in self.template.types_to_attach:
+                        list_attributes.append("* {}".format(defang(attribute.value)))
+        return self.template.attributes.format(list_attributes="\n".join(list_attributes))
+    def _get_tag_info(self, machinetag):
+        return self.taxonomies.revert_machinetag(machinetag)
+    def report_headers(self):
+        content = {'org_name': 'name',
+                   'date': date.today().isoformat()}
+        self.report += self.template.headers.format(**content)
+    def event_level_tags(self):
+        if not self.misp_event.Tag:
+            return ''
+        for tag in self.misp_event.Tag:
+            # Only look for TLP for now
+            if tag['name'].startswith('tlp'):
+                tax, predicate = self._get_tag_info(tag['name'])
+                return self.template.event_level_tags.format(value=predicate.predicate.upper(), expanded=predicate.expanded)
+    def title(self):
+        internal_id = ''
+        summary = ''
+        # Get internal refs for report
+        for obj in self.misp_event.Object:
+            if obj.name != 'report':
+                continue
+            for a in obj.Attribute:
+                if a.object_relation == 'case-number':
+                    internal_id = a.value
+                if a.object_relation == 'summary':
+                    summary = a.value
+        return self.template.title.format(internal_id=internal_id, title=self.misp_event.info,
+                                          summary=summary)
+    def asciidoc(self, lang='en'):
+        self.report += self.title()
+        self.report += self.event_level_tags()
+        self.report += self.attributes()
+if __name__ == '__main__':
+    try:
+        parser = argparse.ArgumentParser(description='Create a human-readable report out of a MISP event')
+        parser.add_argument("--profile", default="daily_report", help="Profile template to use")
+        parser.add_argument("-o", "--output", help="Output file to write to (generally ends in .adoc)")
+        group = parser.add_mutually_exclusive_group(required=True)
+        group.add_argument("-e", "--event", default=[], nargs='+', help="Event ID to get.")
+        group.add_argument("-p", "--path", default=[], nargs='+', help="Path to the JSON dump.")
+        args = parser.parse_args()
+        report = ReportGenerator(args.profile)
+        report.report_headers()
+        if args.event:
+            for eid in args.event:
+                report.from_remote(eid)
+                report.asciidoc()
+        else:
+            for f in args.path:
+                report.from_file(f)
+                report.asciidoc()
+        if args.output:
+            with open(args.output, "w") as ofile:
+                ofile.write(report.report)
+        else:
+            print(report.report)
+    except ModuleNotFoundError as err:
+        print(err)

examples/cache_all.py ADDED Viewed

@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from keys import misp_url, misp_key, misp_verifycert
+from pymisp import ExpandedPyMISP
+if __name__ == '__main__':
+    misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
+    misp.cache_all_feeds()

examples/copyTagsFromAttributesToEvent.py ADDED Viewed

@@ -0,0 +1,68 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pymisp import PyMISP
+from keys import misp_url, misp_key, misp_verifycert
+import argparse
+import os
+SILENT = False
+def getTagToApplyToEvent(event):
+    tags_to_apply = set()
+    event_tags = { tag.name for tag in event.tags }
+    for galaxy in event.galaxies:
+        for cluster in galaxy.clusters:
+            event_tags.add(cluster.tag_name)
+    for attribute in event.attributes:
+        for attribute_tag in attribute.tags:
+            if attribute_tag.name not in event_tags:
+                tags_to_apply.add(attribute_tag.name)
+    return tags_to_apply
+def TagEvent(event, tags_to_apply):
+    for tag in tags_to_apply:
+        event.add_tag(tag)
+    return event
+def condPrint(text):
+    if not SILENT:
+        print(text)
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Get an event from a MISP instance.')
+    parser.add_argument("-e", "--event", required=True, help="Event ID to get.")
+    parser.add_argument("-y", "--yes", required=False, default=False, action='store_true',  help="Automatically accept prompt.")
+    parser.add_argument("-s", "--silent", required=False, default=False, action='store_true', help="No output to stdin.")
+    args = parser.parse_args()
+    SILENT = args.silent
+    misp = PyMISP(misp_url, misp_key, misp_verifycert)
+    event = misp.get_event(args.event, pythonify=True)
+    tags_to_apply = getTagToApplyToEvent(event)
+    condPrint('Tag to apply at event level:')
+    for tag in tags_to_apply:
+        condPrint(f'- {tag}')
+    confirmed = False
+    if args.yes:
+        confirmed = True
+    else:
+        confirm = input('Confirm [Y/n]: ')
+        confirmed = len(confirm) == 0 or confirm == 'Y' or confirm == 'y'
+    if confirmed:
+        event = TagEvent(event, tags_to_apply)
+        condPrint(f'Updating event {args.event}')
+        misp.update_event(event)
+        condPrint(f'Event {args.event} tagged with {len(tags_to_apply)} tags')
+    else:
+        condPrint('Operation cancelled')

examples/copy_list.py ADDED Viewed

@@ -0,0 +1,93 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+import sys
+from pymisp import PyMISP
+from keys import cert, priv
+url_cert = 'https://misp.circl.lu'
+url_priv = 'https://misppriv.circl.lu'
+cert_cert = 'misp.circl.lu.crt'
+cert_priv = 'misppriv.circl.lu.crt'
+source = None
+destination = None
+def init(cert_to_priv=True):
+    global source
+    global destination
+    print(cert_to_priv)
+    if cert_to_priv:
+        source = PyMISP(url_cert, cert, cert_cert, 'xml')
+        destination = PyMISP(url_priv, priv, cert_priv, 'xml')
+    else:
+        source = PyMISP(url_priv, priv, cert_priv, 'xml')
+        destination = PyMISP(url_cert, cert, cert_cert, 'xml')
+def copy_event(event_id):
+    e = source.get_event(event_id)
+    return destination.add_event(e)
+def update_event(event_id, event_to_update):
+    e = source.get_event(event_id)
+    return destination.update_event(event_to_update, e)
+def list_copy(filename):
+    with open(filename, 'r') as f:
+        for l in f:
+            copy(l)
+def loop_copy():
+    while True:
+        line = sys.stdin.readline()
+        copy(line)
+def copy(eventid):
+    eventid = eventid.strip()
+    if len(eventid) == 0 or not eventid.isdigit():
+        print('empty line or NaN.')
+        return
+    eventid = int(eventid)
+    print(eventid, 'copying...')
+    r = copy_event(eventid)
+    if r.status_code >= 400:
+        loc = r.headers['location']
+        if loc is not None:
+            event_to_update = loc.split('/')[-1]
+            print('updating', event_to_update)
+            r = update_event(eventid, event_to_update)
+            if r.status_code >= 400:
+                print(r.status_code, r.headers)
+        else:
+            print(r.status_code, r.headers)
+    print(eventid, 'done.')
+def export_our_org():
+    circl = source.search(org='CIRCL')
+    return circl
+if __name__ == '__main__':
+    import argparse
+    parser = argparse.ArgumentParser(
+        description='Copy the events from one MISP instance to an other.')
+    parser.add_argument('-f', '--filename', type=str,
+                        help='File containing a list of event id.')
+    parser.add_argument(
+        '-l', '--loop', action='store_true',
+        help='Endless loop: eventid in the terminal and it will be copied.')
+    parser.add_argument('--priv_to_cert', action='store_false', default=True,
+                        help='Copy from MISP priv to MISP CERT.')
+    args = parser.parse_args()
+    init(args.priv_to_cert)
+    if args.filename is not None:
+        list_copy(args.filename)
+    else:
+        loop_copy()

examples/create_events.py ADDED Viewed

@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from pymisp import ExpandedPyMISP, MISPEvent
+from keys import misp_url, misp_key, misp_verifycert
+import argparse
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Create an event on MISP.')
+    parser.add_argument("-d", "--distrib", type=int, help="The distribution setting used for the attributes and for the newly created event, if relevant. [0-3].")
+    parser.add_argument("-i", "--info", help="Used to populate the event info field if no event ID supplied.")
+    parser.add_argument("-a", "--analysis", type=int, help="The analysis level of the newly created event, if applicable. [0-2]")
+    parser.add_argument("-t", "--threat", type=int, help="The threat level ID of the newly created event, if applicable. [1-4]")
+    args = parser.parse_args()
+    misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
+    event = MISPEvent()
+    event.distribution = args.distrib
+    event.threat_level_id = args.threat
+    event.analysis = args.analysis
+    event.info = args.info
+    event = misp.add_event(event, pythonify=True)
+    print(event)

pymisp 2.5.3__py3-none-any.whl → 2.5.7__py3-none-any.whl

Potentially problematic release.

pymisp 2.5.3py3-none-any.whl → 2.5.7py3-none-any.whl