-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
d40312e
commit 95f5c09
Showing
2 changed files
with
86 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| #!/usr/bin/env python | ||
| # -*- coding: utf-8 -*- | ||
|
|
||
| # version 1.2 | ||
| # updated 2019/03/19 | ||
| # added check for last 30 days of data as per Deloitte response | ||
|
|
||
| import json | ||
| import datetime | ||
|
|
||
| # The URL of the MISP instance to connect to | ||
|
|
||
| misp_url = 'http://192.168.254.28:80' | ||
|
|
||
| # Can be found in the MISP web interface under | ||
| # http://+MISP_URL+/users/view/me -> Authkey | ||
| misp_key = 'amHOHq5J3rMzeo4NyDELCv4GwEkX1G0yi0lZuuxh' | ||
|
|
||
| # Should PyMISP verify the MISP certificate | ||
| misp_verifycert = False | ||
|
|
||
| from pymisp import PyMISP | ||
|
|
||
| misp = PyMISP(misp_url, misp_key, debug=False) | ||
|
|
||
| #get the last 30 days window to only get indicators for that period | ||
| relevant_date = (datetime.datetime.now() - datetime.timedelta(days=60)).strftime('%Y-%m-%d') | ||
|
|
||
|
|
||
| # In[2]: | ||
|
|
||
|
|
||
| # print out various debug options while building code | ||
|
|
||
| #r = misp.search_index(published=False) | ||
| #print(r) | ||
|
|
||
|
|
||
| # In[4]: | ||
|
|
||
|
|
||
| # original query without date limiter | ||
| #r = misp.search(controller='attributes', type_attribute= ['domain'], deleted='False', to_ids=True) | ||
|
|
||
| # limiter to grab the last 30 days of indicators | ||
| r = misp.search(controller='attributes', type_attribute=['domain'], deleted='False', to_ids=True, enforceWarninglist=True, date_from=relevant_date) | ||
|
|
||
|
|
||
| # In[5]: | ||
|
|
||
|
|
||
| #r = misp.search(controller='attributes', type_attribute= ['ip-dst'], deleted='False', to_ids=True) | ||
|
|
||
| # limiter to grab the last 30 days of indicators | ||
| r = misp.search(controller='attributes', type_attribute=['ip-dst'], deleted='False', to_ids=True, enforceWarninglist=True, date_from=relevant_date) | ||
|
|
||
|
|
||
| # In[6]: | ||
|
|
||
|
|
||
| #r | ||
|
|
||
|
|
||
| # In[8]: | ||
|
|
||
|
|
||
| #for ev in r['response']['Attribute']: | ||
| #print(ev) | ||
|
|
||
|
|
||
| # In[6]: | ||
|
|
||
|
|
||
| for ev in r['response']['Attribute']: | ||
| print(ev['event_id']+','+ev['comment']+','+ev['value']+',misp,'+ev['type']) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm | ||
| yum install python-pip | ||
| OWB_FORCE_FIPS_MODE_OFF=1 python | ||
| OWB_FORCE_FIPS_MODE_OFF=1 pip install pymisp | ||
| OWB_FORCE_FIPS_MODE_OFF=1 pip install --upgrade pip | ||
| OWB_FORCE_FIPS_MODE_OFF=1 ./get-misp.py | ||
| yum repolist | ||
| vi /etc/yum.repos.d/epel.repo | ||
| change enabled from 1 to 0 | ||
|
|
||
| 23 3 * * * OWB_FORCE_FIPS_MODE_OFF=1 /root/rsa-misp/get-misp.py > /var/lib/netwitness/common/repo/misp-ip-dst.csv |