
c7c8c65b23b75227bb936641d7d57af4ee8c482d — Cédric Bonhomme 7 months ago b639f21
chg: [MISP export] The SHA1 values are now submitted in a single query. A new argument lets the user specify whether the final output must be returned as a list of PyMISP Objects instead of the plain json output.
2 files changed, 24 insertions(+), 15 deletions(-)

M bin/main.py
M pyhids/misp.py
M bin/main.py => bin/main.py +7 -2
@@ 74,9 74,14 @@ def main():
    )

    # Subparser: MISP
    subparsers.add_parser(
    parser_misp = subparsers.add_parser(
        "misp", help="Uses MISP in order to verify the hashes of the files."
    )
    parser_misp.add_argument(
        "--pythonify",
        action="store_true",
        help="Returns a list of PyMISP Objects instead of the plain json output.",
    )

    # Subparser: Yara
    subparsers.add_parser("yara", help="Uses Yara in order to verify the files.")


@@ 110,7 115,7 @@ def main():
    elif arguments.command == "pandora":
        pandora()
    elif arguments.command == "misp":
        misp()
        misp(arguments.pythonify)
    elif arguments.command == "yara":
        yara()
    elif arguments.command == "export":
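Review bot: `misp(arguments.pythonify)` passes a bare boolean positionally; since `pyhids.misp.main` on this page declares it as `pythonify: bool = False`, `misp(pythonify=arguments.pythonify)` reads unambiguously at the call site and will not silently bind to the wrong parameter if one is ever added before it. The `--pythonify` help text says the command "Returns a list of PyMISP Objects", but as far as the misp.py hunk shows the result is printed, not returned, so `help="Print the result as PyMISP objects instead of the plain json output."` describes the flag more accurately. The enclosing `main()` starts and ends outside this hunk.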

M pyhids/misp.py => pyhids/misp.py +17 -13
@@ 12,25 12,29 @@ misp_url = conf.MISP_URL
misp_key = conf.MISP_KEY
misp_verifycert = True
relative_path = "attributes/restSearch"
body = {
    # "org": "CIRCL",
    "returnFormat": "json",
    "type": "filename|sha1",
}
# body = {
#     # "org": "CIRCL",
#     "returnFormat": "json",
#     "type": "filename|sha1",
# }
values = {}


def main():
def main(pythonify: bool = False):
    misp = PyMISP(misp_url, misp_key, misp_verifycert)
    alerts = []
    # alerts = []
    base = utils.load_base()
    i = 0
    for _path, sha1 in list(base["files"].items()):
        i += 1
        # filename = os.path.basename(_path)
        body["value"] = sha1
        result = misp.direct_call(relative_path, body)
        if result["Attribute"]:
            alerts.append(result)
    if alerts:
        print(alerts)
        values[f"value{i}"] = sha1
        # result = misp.direct_call(relative_path, body)
        # if result["Attribute"]:
        #     alerts.append(result)
    result = misp.search(controller="attributes", value=values, pythonify=pythonify)
    if result:
        print(result)


if __name__ == "__main__":
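Review bot: `values` is a module-level dict that `main()` fills in place (`values[f"value{i}"] = sha1`), so a second call in the same process re-submits every previously seen SHA1 together with the new ones, and an empty `base["files"]` sends `value={}` to restSearch, whose server-side effect the hunk does not establish. Build the batch locally and skip the query when there is nothing to check; `enumerate(..., start=1)` over `base["files"].values()` replaces the hand-rolled `i` counter, the unused `_path` and the needless `list(...)` copy. The commented-out `body`, `alerts` and `direct_call` lines, and the now-unused `relative_path`, are dead code after this change and should be deleted rather than kept as comments. Whether restSearch also accepts a plain list for `value` is worth verifying against PyMISP; the rewrite below keeps the `value1…valueN` dict shape the commit chose.
```python
def main(pythonify: bool = False):
    """Look up every SHA1 of the local base in MISP with a single attribute search."""
    misp = PyMISP(misp_url, misp_key, misp_verifycert)
    base = utils.load_base()
    # Local batch: a module-level dict would keep growing across calls.
    values = {
        f"value{i}": sha1 for i, sha1 in enumerate(base["files"].values(), start=1)
    }
    if not values:
        return
    result = misp.search(controller="attributes", value=values, pythonify=pythonify)
    if result:
        print(result)
```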