#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Extracts IOCs from MISP and generates an OSSEC rootcheck-compatible file
#
# @author: Xavier Mertens <[email protected]>
# @copyright: AGPLv3 (http://www.gnu.org/licenses/agpl.html)
#
from pymisp import PyMISP
from keys import misp_url, misp_key, misp_verifycert
import argparse
import os
import re
import sys
import time
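def init(url, key):
    """Return a PyMISP client for *url* authenticated with *key*.

    ``misp_verifycert`` (imported from keys.py) is passed straight through as
    the TLS verification flag.  The API key travels with every request, so a
    disabled certificate check exposes it to anyone able to intercept the
    connection; that case is reported on stderr rather than refused, to keep
    existing deployments working.
    """
    if not misp_verifycert:
        sys.stderr.write("WARNING: TLS certificate verification is disabled "
                         "for %s; the MISP API key is exposed to interception.\n" % url)
    return PyMISP(url, key, misp_verifycert, 'json')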
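def _rootcheck_safe(value):
    """Return True when *value* can be embedded in a single rootcheck entry.

    Attribute values come from a remote (and frequently shared) MISP instance,
    so they are treated as untrusted.  A CR/LF or NUL would let one value add
    further entries or section headers to the generated file, and ';' is what
    terminates a rootcheck entry, so values containing any of these are
    refused instead of written.
    """
    return not any(ch in value for ch in ('\r', '\n', '\0', ';'))


def _uppercase_env_var(value):
    """Uppercase the leading %VAR% of a filename so OSSEC expands it.

    *value* must already start with a ``%VAR%`` prefix (the caller checks the
    regex), so the split always yields three parts.  Everything after the
    second '%' is kept verbatim, including any further '%' characters.
    """
    _, var, rest = value.split('%', 2)
    return '%' + var.upper() + '%' + rest


def _event_header(event):
    """Build the '[name] [any] [description]' line opening an event section."""
    info = event['info'].replace('\n', ' ').replace('\r', ' ')
    return "[MISP_%s] [any] [%s]\n" % (event['id'], info)


def searchevents(m, t, url, out=None):
    """Query MISP for recent events and write an OSSEC rootcheck file.

    Parameters:
        m:   connected PyMISP client; only ``m.search(last=t)`` is used and
             its result is expected to carry a ``response`` list of events.
        t:   MISP "last" window such as ``5d``, ``12h`` or ``30m``; passed
             through unchanged and echoed in the file header.
        url: MISP base URL, echoed in the file header only.
        out: output path, or None to write to stdout.

    Only attributes flagged ``to_ids`` are exported: ``filename`` values of
    the form ``%VAR%\\path`` in the selected categories become ``f:`` checks,
    ``regkey`` values become ``r:`` checks.  Values that could break out of a
    single rootcheck entry (see ``_rootcheck_safe``) are skipped.  An event
    with nothing to export produces no section at all.
    """
    categories = ('Artifacts dropped', 'Payload delivery', 'Payload installation')
    filename_re = re.compile(r'^%\S+%\\.+', re.I)
    result = m.search(last=t)

    # Only close what we opened: closing sys.stdout would silence any later
    # output of the process.
    owns_fh = out is not None
    fh = open(out, 'w') if owns_fh else sys.stdout
    try:
        fh.write('''#
# OSSEC RootCheck IOC generated by MOF (MISP OSSEC Feeder)
# https://github.com/xme/
#
# Generated on: %s
# MISP url: %s
# Wayback time: %s
#
''' % (time.strftime('%c'), url, t))
        for e in result['response']:
            event = e['Event']
            entries = []
            for attribute in event['Attribute']:
                if not attribute['to_ids']:
                    continue
                value = attribute['value']
                if not _rootcheck_safe(value):
                    # Untrusted value that could inject extra checks; drop it.
                    continue
                if (attribute['type'] == 'filename'
                        and attribute['category'] in categories
                        and filename_re.match(value)):
                    entries.append("f:%s;\n" % _uppercase_env_var(value))
                elif attribute['type'] == 'regkey':
                    entries.append("r:%s;\n" % value)
            if entries:
                fh.write(_event_header(event))
                fh.writelines(entries)
                # Blank line separates events.
                fh.write("\n")
    finally:
        if owns_fh:
            fh.close()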
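if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='Extract IOC\'s from MISP and generate an OSSEC rootcheck file.')
    parser.add_argument("-t", "--time", required=True,
                        help="Time machine (ex: 5d, 12h, 30m).")
    parser.add_argument("-o", "--output", help="Output file")
    args = parser.parse_args()
    # Refuse to clobber an existing file (e.g. a hand-maintained rootcheck
    # list).  This is a check-then-open: a file created between this test and
    # the open() inside searchevents() would still be overwritten.
    if args.output is not None and os.path.exists(args.output):
        sys.stderr.write('Aborted, output file already exists.\n')
        # sys.exit rather than the site-provided exit(), which is not
        # guaranteed to exist (e.g. under -S).
        sys.exit(1)
    misp = init(misp_url, misp_key)
    searchevents(misp, args.time, misp_url, args.output)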