Commit 8d8d4e51 authored by Pavel Eis

Some fixes to misp.py

Added origdata and test option to to_idea.
Fixed CreateTime conversion, when publish_timestamp = 0.
Fixed DetectTime conversion, when there are no Attributes or Objects in MISP event.
parent e28b0f6f
...@@ -6,6 +6,7 @@ ...@@ -6,6 +6,7 @@
from uuid import uuid4 from uuid import uuid4
import time import time
import itertools import itertools
from _datetime import datetime
misp_to_idea_dictionary = {} misp_to_idea_dictionary = {}
...@@ -221,18 +222,19 @@ def process_misp_object(misp_object, attach_counter): ...@@ -221,18 +222,19 @@ def process_misp_object(misp_object, attach_counter):
return None, None return None, None
def to_idea(misp_event, idea_id=None): def to_idea(misp_event, idea_id=None, test=False, origdata=False):
""" """
Creates whole IDEA message from MISP event Creates whole IDEA message from MISP event
:param misp_event: the misp event :param misp_event: the misp event
:param idea_id: uuid of IDEA message (when needs to be preset) :param idea_id: uuid of IDEA message (when needs to be preset)
:param test: add Test into IDEA['Category']
:param origdata: add original data to attachment
:return: new converted IDEA message :return: new converted IDEA message
""" """
idea_event = { idea_event = {
'Format': "IDEA0", 'Format': "IDEA0",
'ID': str(idea_id) if idea_id is not None else str(uuid4()), 'ID': str(idea_id) if idea_id is not None else str(uuid4()),
'Category': [], 'Category': [],
'CreateTime': convert_epoch_to_utc(misp_event['publish_timestamp']),
'Description': misp_event['info'], 'Description': misp_event['info'],
'Source': [], 'Source': [],
'Target': [], 'Target': [],
...@@ -251,15 +253,24 @@ def to_idea(misp_event, idea_id=None): ...@@ -251,15 +253,24 @@ def to_idea(misp_event, idea_id=None):
# cannot determine IDEA Category, cannot convert # cannot determine IDEA Category, cannot convert
if not idea_event['Category']: if not idea_event['Category']:
return None return None
if test:
idea_event['Category'].append("Test")
if not int(misp_event['publish_timestamp']):
idea_event['CreateTime'] = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ")
else:
idea_event['CreateTime'] = convert_epoch_to_utc(misp_event['publish_timestamp'])
attach_counter = 0 attach_counter = 0
timestamps = itertools.chain(find('timestamp', misp_event['Attribute']), timestamps = itertools.chain(find('timestamp', misp_event['Attribute']),
find('timestamp', misp_event['Object'])) find('timestamp', misp_event['Object']))
try:
oldest_timestamp = min(map(int, timestamps)) oldest_timestamp = min(map(int, timestamps))
# fill it to IDEA
idea_event['DetectTime'] = convert_epoch_to_utc(oldest_timestamp) idea_event['DetectTime'] = convert_epoch_to_utc(oldest_timestamp)
except ValueError:
# no object and attributes --> min() ValueError for empty sequence
idea_event['DetectTime'] = misp_event['date'] + "T00:00:00Z"
# fill in info about organizations # fill in info about organizations
idea_event['Node'] = [ idea_event['Node'] = [
...@@ -287,4 +298,12 @@ def to_idea(misp_event, idea_id=None): ...@@ -287,4 +298,12 @@ def to_idea(misp_event, idea_id=None):
if key == "Attach": if key == "Attach":
attach_counter += 1 attach_counter += 1
if origdata:
idea_event['Attach'].append({
'Handle': "att" + str(attach_counter),
'Note': "original data",
'Content': misp_event
})
attach_counter += 1
return idea_event return idea_event
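Review bot: The `try` around `min(map(int, timestamps))` in the third hunk also catches the `ValueError` that `int()` raises for a malformed timestamp (and any `ValueError` out of `convert_epoch_to_utc`), so a bad attribute timestamp is silently reported as "no object and attributes" and DetectTime falls back to midnight of `misp_event['date']`; materialize the list first and test emptiness instead of catching: `stamps = [int(t) for t in timestamps]` then `idea_event['DetectTime'] = convert_epoch_to_utc(min(stamps)) if stamps else misp_event['date'] + "T00:00:00Z"`. Separately, `from _datetime import datetime` in the first hunk imports CPython's private accelerator module and should be `from datetime import datetime`; the `datetime.utcnow()` call at the CreateTime fallback could then become `datetime.now(timezone.utc)` if an aware value is preferred, since `utcnow()` is deprecated in recent Python releases. In the last hunk `Content` receives the raw `misp_event` dict; if the consumer expects IDEA `Attach.Content` to be a string, serialize it (`json.dumps`) and set a `ContentType`, and note that the complete event, including any attributes not meant for wider distribution, is copied into the message when `origdata` is set. `to_idea` starts in the second hunk and its body continues outside the hunks shown.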