pymisp 2.5.7.1__py3-none-any.whl → 2.5.8__py3-none-any.whl

examples/load_csv.py

@@ -1,94 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-
-import argparse
-from pathlib import Path
-
-from pymisp.tools import CSVLoader
-
-from pymisp import MISPEvent
-
-try:
-    from keys import misp_url, misp_key, misp_verifycert
-    from pymisp import PyMISP
-    offline = False
-except ImportError as e:
-    offline = True
-    print(f'Unable to import MISP parameters, unable to POST on MISP: {e}')
-
-'''
-Example:
-* If the CSV file has fieldnames matching the object-relation:
-
-    load_csv.py -n file -p /tmp/foo.csv
-
-    CSV sample file: tests/csv_testfiles/valid_fieldnames.csv
-
-
-* If you want to force the fieldnames:
-
-    load_csv.py -n file -p /tmp/foo.csv -f SHA1 fileName size-in-bytes
-
-    CSV sample file: tests/csv_testfiles/invalid_fieldnames.csv
-'''
-
-
-if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description='Load a CSV file as MISP objects')
-    parser.add_argument("-n", "--object_name", type=str, required=True, help="Template name of the objects in the CSV.")
-    parser.add_argument("-p", "--path", required=True, type=Path, help="Path to the CSV file.")
-    parser.add_argument("-f", "--fieldnames", nargs='*', default=[], help="Fieldnames of the CSV, have to match the object-relation allowed in the template. If empty, the fieldnames of the CSV have to match the template.")
-    parser.add_argument("-s", "--skip_fieldnames", action='store_true', help="Skip fieldnames in the CSV.")
-    parser.add_argument("-d", "--dump", action='store_true', help="(Debug) Dump the object in the terminal.")
-    parser.add_argument("--delimiter", type=str, default=',', help="Delimiter between firlds in the CSV. Default: ','.")
-    parser.add_argument("--quotechar", type=str, default='"', help="Quote character of the fields in the CSV. Default: '\"'.")
-
-    # Interact with MISP
-    misp_group = parser.add_mutually_exclusive_group()
-    misp_group.add_argument('-i', '--new_event', type=str, help="Info field of the new event")
-    misp_group.add_argument('-u', '--update_event', type=int, help="ID of the existing event to update")
-
-    args = parser.parse_args()
-
-    if not args.fieldnames:
-        has_fieldnames = True
-    else:
-        has_fieldnames = args.skip_fieldnames
-    csv_loader = CSVLoader(template_name=args.object_name, csv_path=args.path,
-                           fieldnames=args.fieldnames, has_fieldnames=has_fieldnames,
-                           delimiter=args.delimiter, quotechar=args.quotechar)
-
-    objects = csv_loader.load()
-    if args.dump:
-        for o in objects:
-            print(o.to_json())
-    else:
-        if offline:
-            print('You are in offline mode, quitting.')
-        else:
-            misp = PyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert)
-            if args.new_event:
-                event = MISPEvent()
-                event.info = args.new_event
-                for o in objects:
-                    event.add_object(**o)
-                new_event = misp.add_event(event, pythonify=True)
-                if isinstance(new_event, str):
-                    print(new_event)
-                elif 'id' in new_event:
-                    print(f'Created new event {new_event.id}')
-                else:
-                    print('Something went wrong:')
-                    print(new_event)
-            elif args.update_event:
-                for o in objects:
-                    new_object = misp.add_object(args.update_event, o, pythonify=True)
-                    if isinstance(new_object, str):
-                        print(new_object)
-                    elif new_object.attributes:
-                        print(f'New {new_object.name} object added to {args.update_event}')
-                    else:
-                        print('Something went wrong:')
-                        print(new_event)
-            else:
-                print('you need to pass either a event info field (flag -i), or the event ID you want to update (flag -u)')

examples/lookup.py

@@ -1,28 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-
-from pymisp.tools import ext_lookups
-import argparse
-
-
-if __name__ == '__main__':
-
-    parser = argparse.ArgumentParser(description='Search is galaxies or taxonomies.')
-    parser.add_argument("-q", "--query", help="Query.")
-
-    args = parser.parse_args()
-
-    tag_gal = ext_lookups.revert_tag_from_galaxies(args.query)
-    tag_tax = ext_lookups.revert_tag_from_taxonomies(args.query)
-
-    found_tax = ext_lookups.search_taxonomies(args.query)
-    found_gal = ext_lookups.search_galaxies(args.query)
-
-    if tag_gal:
-        print(tag_gal)
-    if tag_tax:
-        print(tag_tax)
-    if found_tax:
-        print(found_tax)
-    if found_gal:
-        print(found_gal)

examples/misp2cef.py

@@ -1,71 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-#
-# Export IOC's from MISP in CEF format
-# Based on cef_export.py MISP module by Hannah Ward
-
-import sys
-import datetime
-from pymisp import PyMISP, MISPAttribute
-from keys import misp_url, misp_key, misp_verifycert
-
-cefconfig  = {"Default_Severity":1, "Device_Vendor":"MISP", "Device_Product":"MISP", "Device_Version":1}
-
-cefmapping = {"ip-src":"src", "ip-dst":"dst", "hostname":"dhost", "domain":"destinationDnsDomain",
-              "md5":"fileHash", "sha1":"fileHash", "sha256":"fileHash",
-              "filename|md5":"fileHash", "filename|sha1":"fileHash", "filename|sha256":"fileHash",
-              "url":"request"}
-
-mispattributes = {'input':list(cefmapping.keys())}
-
-
-def make_cef(event):
-  for attr in event["Attribute"]:
-    if attr["to_ids"] and attr["type"] in cefmapping:
-      if '|' in attr["type"] and '|' in attr["value"]:
-        value = attr["value"].split('|')[1]
-      else:
-        value = attr["value"]
-      response = "{} host CEF:0|{}|{}|{}|{}|{}|{}|msg={} customerURI={} externalId={} {}={}".format(
-                      datetime.datetime.fromtimestamp(int(attr["timestamp"])).strftime("%b %d %H:%M:%S"),
-                      cefconfig["Device_Vendor"],
-                      cefconfig["Device_Product"],
-                      cefconfig["Device_Version"],
-                      attr["category"],
-                      attr["category"],
-                      cefconfig["Default_Severity"],
-                      event["info"].replace("\\","\\\\").replace("=","\\=").replace('\n','\\n') + "(MISP Event #" + event["id"] + ")",
-                      misp_url + 'events/view/' + event["id"],
-                      attr["uuid"],
-                      cefmapping[attr["type"]],
-                      value,
-               )
-      print(str(bytes(response, 'utf-8'), 'utf-8'))
-                        
-
-def init_misp():
-  global mymisp
-  mymisp = PyMISP(misp_url, misp_key, misp_verifycert)
-
-
-def echeck(r):
-  if r.get('errors'):
-    if r.get('message') == 'No matches.':
-      return
-    else:
-      print(r['errors'])
-      sys.exit(1)
-
-
-def find_events():
-  r = mymisp.search(controller='events', published=True, to_ids=True)
-  echeck(r)
-  if not r.get('response'):
-    return
-  for ev in r['response']:
-    make_cef(ev['Event'])
-
-
-if __name__ == '__main__':
-  init_misp()
-  find_events()

examples/misp2clamav.py

@@ -1,52 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-# vim: tabstop=4 shiftwidth=4 expandtab
-#
-# Export file hashes from MISP to ClamAV hdb file
-
-import sys
-from pymisp import PyMISP, MISPAttribute
-from keys import misp_url, misp_key, misp_verifycert
-
-
-def init_misp():
-    global mymisp
-    mymisp = PyMISP(misp_url, misp_key, misp_verifycert)
-
-
-def echeck(r):
-    if r.get('errors'):
-        if r.get('message') == 'No matches.':
-            return
-        else:
-            print(r['errors'])
-            sys.exit(1)
-
-
-def find_hashes(htype):
-    r = mymisp.search(controller='attributes', type_attribute=htype)
-    echeck(r)
-    if not r.get('response'):
-        return
-    for a in r['response']['Attribute']:
-        attribute = MISPAttribute(mymisp.describe_types)
-        attribute.from_dict(**a)
-        if '|' in attribute.type and '|' in attribute.value:
-            c, value = attribute.value.split('|')
-            comment = '{} - {}'.format(attribute.comment, c)
-        else:
-            comment = attribute.comment
-            value = attribute.value
-        mhash = value.replace(':', ';')
-        mfile = 'MISP event {} {}'.format(a['event_id'], comment.replace(':', ';').replace('\r', '').replace('\n', ''))
-        print('{}:*:{}:73'.format(mhash, mfile))
-
-
-if __name__ == '__main__':
-    init_misp()
-    find_hashes('md5')
-    find_hashes('sha1')
-    find_hashes('sha256')
-    find_hashes('filename|md5')
-    find_hashes('filename|sha1')
-    find_hashes('filename|sha256')

examples/openioc_to_misp.py

@@ -1,27 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-
-import argparse
-
-from pymisp import PyMISP
-from keys import misp_url, misp_key, misp_verifycert
-from pymisp.tools import load_openioc_file
-
-
-if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description='Convert an OpenIOC file to a MISPEvent. Optionnaly send it to MISP.')
-    parser.add_argument("-i", "--input", required=True, help="Input file")
-    group = parser.add_mutually_exclusive_group(required=True)
-    group.add_argument("-o", "--output", help="Output file")
-    group.add_argument("-m", "--misp", action='store_true', help="Create new event on MISP")
-
-    args = parser.parse_args()
-
-    misp_event = load_openioc_file(args.input)
-
-    if args.misp:
-        pymisp = PyMISP(misp_url, misp_key, misp_verifycert, debug=True)
-        pymisp.add_event(misp_event)
-    else:
-        with open(args.output, 'w') as f:
-            f.write(misp_event.to_json())

examples/proofpoint_tap.py

@@ -1,203 +0,0 @@
-import requests
-from requests.auth import HTTPBasicAuth
-import json
-from pymisp import ExpandedPyMISP, MISPEvent
-from keys import misp_url, misp_key, misp_verifycert, proofpoint_sp, proofpoint_secret
-import urllib3
-urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
-
-if proofpoint_secret == '<proofpoint secret>':
-    print('Set the proofpoint_secret in keys.py before running.  Exiting...')
-    quit()
-
-# initialize PyMISP and set url for Panorama
-misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert)
-
-urlSiem = "https://tap-api-v2.proofpoint.com/v2/siem/all"
-
-alertType = ("messagesDelivered", "messagesBlocked", "clicksPermitted", "clicksBlocked")
-
-# max query is 1h, and we want Proofpoint TAP api to return json
-queryString = {
-    "sinceSeconds": "3600",
-    "format": "json"
-}
-
-
-
-responseSiem = requests.request("GET", urlSiem,  params=queryString, auth=HTTPBasicAuth(proofpoint_sp, proofpoint_secret))
-if 'Credentials authentication failed' in responseSiem.text:
-    print('Credentials invalid, please edit keys.py and try again')
-    quit()
-
-jsonDataSiem = json.loads(responseSiem.text)
-
-for alert in alertType:
-    for messages in jsonDataSiem[alert]:
-        # initialize and set MISPEvent()
-        event = MISPEvent()
-        if alert == "messagesDelivered" or alert == "messagesBlocked":
-            if alert == "messagesDelivered":
-                event.info = alert
-                event.distribution = 0  # Optional, defaults to MISP.default_event_distribution in MISP config
-                event.threat_level_id = 2  # setting this to 0 breaks the integration 
-                event.analysis = 0  # Optional, defaults to 0 (initial analysis)
-            else:
-                event.info = alert
-                event.distribution = 0  # Optional, defaults to MISP.default_event_distribution in MISP config
-                event.threat_level_id = 2  # BLOCKED = LOW
-                event.analysis = 0  # Optional, defaults to 0 (initial analysis)
-
-            recipient = event.add_attribute('email-dst', messages["recipient"][0])
-            recipient.comment = 'recipient address'
-
-            sender = event.add_attribute('email-src', messages["sender"])
-            sender.comment = 'sender address'
-
-            if messages["fromAddress"] is not None and messages["fromAddress"] != "" :
-                fromAddress = event.add_attribute('email-src-display-name', messages["fromAddress"])
-
-            headerFrom = event.add_attribute('email-header', messages["headerFrom"])
-            headerFrom.comment = 'email header from'
-
-            senderIP = event.add_attribute('ip-src', messages["senderIP"])
-            senderIP.comment = 'sender IP'
-
-            subject = event.add_attribute('email-subject', messages["subject"])
-            subject.comment = 'email subject'
-
-            if messages["quarantineFolder"] is not None and messages["quarantineFolder"] != "":
-                quarantineFolder = event.add_attribute('comment', messages["quarantineFolder"])
-                quarantineFolder.comment = 'quarantine folder'
-
-            if messages["quarantineRule"] is not None and messages["quarantineRule"] != "":
-                quarantineRule = event.add_attribute('comment', messages["quarantineRule"])
-                quarantineRule.comment = 'quarantine rule'
-
-            messageSize = event.add_attribute('size-in-bytes', messages["messageSize"])
-            messageSize.comment = 'size of email in bytes'
-
-            malwareScore = event.add_attribute('comment', messages["malwareScore"])
-            malwareScore.comment = 'malware score'
-
-            phishScore = event.add_attribute('comment', messages["phishScore"])
-            phishScore.comment = 'phish score'
-
-            spamScore = event.add_attribute('comment', messages["spamScore"])
-            spamScore.comment = 'spam score'
-
-            imposterScore = event.add_attribute('comment', messages["impostorScore"])
-            imposterScore.comment = 'impostor score'
-
-            completelyRewritten = event.add_attribute('comment', messages["completelyRewritten"])
-            completelyRewritten.comment = 'proofpoint url defense'
-
-            # grab the threat info for each message in TAP
-            for threatInfo in messages["threatsInfoMap"]:
-                threat_type = {
-                    "url": "url",
-                    "attachment": "email-attachment",
-                    "message": "email-body"
-                }
-
-                threat = event.add_attribute(threat_type.get(threatInfo["threatType"]), threatInfo["threat"])
-                threat.comment = 'threat'
-
-                threatUrl = event.add_attribute('link', threatInfo["threatUrl"])
-                threatUrl.comment = 'link to threat in TAP'
-
-                threatStatus = event.add_attribute('comment', threatInfo["threatStatus"])
-                threatStatus.comment = "proofpoint's threat status"
-
-                event.add_tag(threatInfo["classification"])
-
-                # get campaignID from each TAP alert and query campaign API
-                if threatInfo["campaignID"] is not None and threatInfo["campaignID"] != "":
-                    urlCampaign = "https://tap-api-v2.proofpoint.com/v2/campaign/" + threatInfo["campaignID"]
-                    responseCampaign = requests.request("GET", urlCampaign, auth=HTTPBasicAuth(proofpoint_sp, proofpoint_secret))
-
-                    jsonDataCampaign = json.loads(responseCampaign.text)
-
-                    campaignType = ("actors", "families", "malware", "techniques")
-
-                    # loop through campaignType and grab tags to add to MISP event
-                    for tagType in campaignType:
-                        for tag in jsonDataCampaign[tagType]:
-                            event.add_tag(tag['name'])
-
-            # grab which policy route the message took
-            for policy in messages["policyRoutes"]:
-                policyRoute = event.add_attribute('comment', policy)
-                policyRoute.comment = 'email policy route'
-
-            # was the threat in the body of the email or is it an attachment?
-            for parts in messages["messageParts"]:
-                disposition = event.add_attribute('comment', parts["disposition"])
-                disposition.comment = 'email body or attachment'
-
-                # sha256 hash of threat
-                if parts["sha256"] is not None and parts["sha256"] != "":
-                    sha256 = event.add_attribute('sha256', parts["sha256"])
-                    sha256.comment = 'sha256 hash'
-
-                # md5 hash of threat
-                if parts["md5"] is not None and parts["md5"] != "":
-                    md5 = event.add_attribute('md5', parts["md5"])
-                    md5.comment = 'md5 hash'
-
-                # filename of threat
-                if parts["filename"] is not None and parts["filename"] != "":
-                    filename = event.add_attribute('filename', parts["filename"])
-                    filename.comment = 'filename'
-
-            misp.add_event(event.to_json())
-
-        if alert == "clicksPermitted" or alert == "clicksBlocked":
-            if alert == "clicksPermitted":
-                print(alert + " is a permitted click")
-                event.info = alert
-                event.distribution = 0  # Optional, defaults to MISP.default_event_distribution in MISP config
-                event.threat_level_id = 2  # setting this to 0 breaks the integration
-                event.analysis = 0  # Optional, defaults to 0 (initial analysis)
-            else:
-                print(alert + " is a blocked click")
-                event.info = alert
-                event.distribution = 0  # Optional, defaults to MISP.default_event_distribution in MISP config
-                event.threat_level_id = 2  # BLOCKED = LOW
-                event.analysis = 0  # Optional, defaults to 0 (initial analysis)
-
-            event.add_tag(messages["classification"])
-
-            campaignId = event.add_attribute('campaign-id', messages["campaignId"][0])
-            campaignId.comment = 'campaignId'
-
-            clickIP = event.add_attribute('ip-src', messages["clickIP"])
-            clickIP.comment = 'clickIP'
-
-            clickTime = event.add_attribute('datetime', messages["clickTime"])
-            clickTime.comment = 'clicked threat'
-
-            threatTime = event.add_attribute('datetime', messages["threatTime"])
-            threatTime.comment = 'identified threat'
-
-            GUID = event.add_attribute('comment', messages["GUID"])
-            GUID.comment = 'PPS message ID'
-
-            recipient = event.add_attribute('email-dst', messages["recipient"][0])
-            recipient.comment = 'recipient address'
-
-            sender = event.add_attribute('email-src', messages["sender"])
-            sender.comment = 'sender address'
-
-            senderIP = event.add_attribute('ip-src', messages["senderIP"])
-            senderIP.comment = 'sender IP'
-
-            threatURL = event.add_attribute('link', messages["threatURL"])
-            threatURL.comment = 'link to threat in TAP'
-
-            url = event.add_attribute('link', messages["url"])
-            url.comment = 'malicious url clicked'
-
-            userAgent = event.add_attribute('user-agent', messages["userAgent"])
-
-            misp.add_event(event.to_json())

examples/proofpoint_vap.py

@@ -1,65 +0,0 @@
-import requests
-import json
-from pymisp import ExpandedPyMISP, MISPEvent, MISPOrganisation
-from keys import misp_url, misp_key, misp_verifycert, proofpoint_key
-
-# initialize PyMISP and set url for Panorama
-misp = ExpandedPyMISP(url=misp_url, key=misp_key, ssl=misp_verifycert)
-
-urlVap = "https://tap-api-v2.proofpoint.com/v2/people/vap?window=30"  # Window can be 14, 30, and 90 Days
-
-headers = {
-    'Authorization': "Basic " + proofpoint_key
-}
-
-responseVap = requests.request("GET", urlVap, headers=headers)
-
-jsonDataVap = json.loads(responseVap.text)
-
-for alert in jsonDataVap["users"]:
-    orgc = MISPOrganisation()
-    orgc.name = 'Proofpoint'
-    orgc.id = '#{ORGC.ID}'  # organisation id
-    orgc.uuid = '#{ORGC.UUID}'  # organisation uuid
-    # initialize and set MISPEvent()
-    event = MISPEvent()
-    event.Orgc = orgc
-    event.info = 'Very Attacked Person ' + jsonDataVap["interval"]
-    event.distribution = 0  # Optional, defaults to MISP.default_event_distribution in MISP config
-    event.threat_level_id = 2  # setting this to 0 breaks the integration
-    event.analysis = 0  # Optional, defaults to 0 (initial analysis)
-
-    totalVapUsers = event.add_attribute('counter', jsonDataVap["totalVapUsers"], comment="Total VAP Users")
-
-    averageAttackIndex = event.add_attribute('counter', jsonDataVap["averageAttackIndex"], comment="Average Attack Count")
-
-    vapAttackIndexThreshold = event.add_attribute('counter', jsonDataVap["vapAttackIndexThreshold"], comment="Attack Threshold")
-
-    emails = event.add_attribute('email-dst', alert["identity"]["emails"], comment="Email Destination")
-
-    attack = event.add_attribute('counter', alert["threatStatistics"]["attackIndex"], comment="Attack Count")
-
-    vip = event.add_attribute('other', str(alert["identity"]["vip"]), comment="VIP")
-
-    guid = event.add_attribute('other', alert["identity"]["guid"], comment="GUID")
-
-    if alert["identity"]["customerUserId"] is not None:
-        customerUserId = event.add_attribute('other', alert["identity"]["customerUserId"], comment="Customer User Id")
-
-    if alert["identity"]["department"] is not None:
-        department = event.add_attribute(alert['other', "identity"]["department"], comment="Department")
-
-    if alert["identity"]["location"] is not None:
-        location = event.add_attribute('other', alert["identity"]["location"], comment="Location")
-
-    if alert["identity"]["name"] is not None:
-
-        name = event.add_attribute('target-user', alert["identity"]["name"], comment="Name")
-
-    if alert["identity"]["title"] is not None:
-
-        title = event.add_attribute('other', alert["identity"]["title"], comment="Title")
-
-    event.add_tag("VAP")
-
-    misp.add_event(event.to_json())

examples/search.py

@@ -1,48 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-
-from pymisp import PyMISP
-from keys import misp_url, misp_key,misp_verifycert
-import argparse
-import os
-import json
-
-
-def init(url, key):
-    return PyMISP(url, key, misp_verifycert, 'json')
-
-
-def search(m, quiet, url, controller, out=None, **kwargs):
-    result = m.search(controller, **kwargs)
-    if quiet:
-        for e in result['response']:
-            print('{}{}{}\n'.format(url, '/events/view/', e['Event']['id']))
-    elif out is None:
-        print(json.dumps(result['response']))
-    else:
-        with open(out, 'w') as f:
-            f.write(json.dumps(result['response']))
-
-if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description='Get all the events matching a value for a given param.')
-    parser.add_argument("-p", "--param", required=True, help="Parameter to search (e.g. category, org, values, type_attribute, etc.)")
-    parser.add_argument("-s", "--search", required=True, help="String to search.")
-    parser.add_argument("-a", "--attributes", action='store_true', help="Search attributes instead of events")
-    parser.add_argument("-q", "--quiet", action='store_true', help="Only display URLs to MISP")
-    parser.add_argument("-o", "--output", help="Output file")
-
-    args = parser.parse_args()
-
-    if args.output is not None and os.path.exists(args.output):
-        print('Output file already exists, abort.')
-        exit(0)
-
-    misp = init(misp_url, misp_key)
-    kwargs = {args.param: args.search}
-
-    if args.attributes:
-        controller='attributes'
-    else:
-        controller='events'
-
-    search(misp, args.quiet, misp_url, controller, args.output, **kwargs)

examples/search_attributes_yara.py

@@ -1,40 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-# Example of specifying special attribute type in your search: here yara attribute
-
-from pymisp import PyMISP
-from keys import misp_url, misp_key,misp_verifycert
-import argparse
-import os
-import json
-
-def init(url, key):
-    return PyMISP(url, key, misp_verifycert, 'json')
-
-def search(m, quiet, url, out=None, custom_type_attribute="yara"):
-    controller='attributes'
-    result = m.search(controller, type_attribute = custom_type_attribute)
-    if quiet:
-        for e in result['response']:
-            print('{}{}{}\n'.format(url, '/events/view/', e['Event']['id']))
-    elif out is None:
-        print(json.dumps(result['response']))
-    else:
-        with open(out, 'w') as f:
-            f.write(json.dumps(result['response']))
-                
-
-if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description='Get all the events matching a value for a given param.')
-    parser.add_argument("-q", "--quiet", action='store_true', help="Only display URLs to MISP")
-    parser.add_argument("-o", "--output", help="Output file")
-
-    args = parser.parse_args()
-
-    if args.output is not None and os.path.exists(args.output):
-        print('Output file already exists, abort.')
-        exit(0)
-
-    misp = init(misp_url, misp_key)
-
-    search(misp, args.quiet, misp_url, args.output)

examples/search_sighting.py

@@ -1,42 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-
-from pymisp import PyMISP
-from keys import misp_url, misp_key, misp_verifycert
-import argparse
-import os
-import json
-
-
-def init(url, key):
-    return PyMISP(url, key, misp_verifycert, 'json')
-
-
-def search_sighting(m, context, out=None, **kwargs):
-
-    result = m.search_sightings(context, **kwargs)
-    if out is None:
-        print(json.dumps(result['response']))
-    else:
-        with open(out, 'w') as f:
-            f.write(json.dumps(result['response']))
-
-
-if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description='Get all the events matching a value.')
-    parser.add_argument("-c", "--context", default="", help="Context in which to search. Could be empty, attribute or event")
-    parser.add_argument("-i", "--id", type=int, help="If context is set, the ID in which the search should be done")
-    parser.add_argument("-o", "--output", help="Output file")
-
-    args = parser.parse_args()
-
-    if args.output is not None and os.path.exists(args.output):
-        print('Output file already exists, abord.')
-        exit(0)
-
-    misp = init(misp_url, misp_key)
-    kwargs = {}
-    if len(args.context) > 0:
-        kwargs['id'] = args.id
-
-    search_sighting(misp, args.context, args.output, **kwargs)