#!/usr/bin/env python2
# -*- coding: utf-8 -*-
import argparse
import sys
import ConfigParser
import urllib
from collections import Counter
from misp import MispServer, MispEvent
from misplib import parse_config
"""Tool to create signatures from MISP events
Author : Tek <tek@randhome.io>
Date : 01/02/2017
"""
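if __name__ == "__main__":
    # Entry point: resolve a MISP server from the local config, fetch a single
    # event and turn its IDS-flagged attributes into a Gmail search signature.
    parser = argparse.ArgumentParser(description='Command line interface to MISP servers')
    # --server is optional: when omitted, the 'default' entry of the MISP config
    # is used (that fallback branch was unreachable while the flag was required).
    parser.add_argument('--server', '-s', help='Server used for the request')
    parser.add_argument('--event', '-e', help='Event infos', type=int, required=True)
    parser.add_argument('--dst', '-d', choices=['gmailsearch'], required=True,
                        help='Search for attributes of this type')
    args = parser.parse_args()
    config = parse_config()

    # Select the config section to use: the named server, else 'default'.
    if args.server is not None:
        section = args.server.lower()
        if section not in config.keys():
            print("Server not found, quitting...")
            sys.exit(1)
    else:
        section = 'default'
        if section not in config.keys():
            print("No default severs in MISP conf, quitting...")
            sys.exit(1)
    # NOTE(review): ssl_chain=False is kept from the original. If it disables
    # certificate-chain verification in the misp client, the API key is sent to
    # whatever answers at config[section]['url'] -- confirm and prefer verifying.
    server = MispServer(url=config[section]['url'],
                        apikey=config[section]['key'],
                        ssl_chain=False)

    if args.dst == "gmailsearch":
        event = server.events.get(args.event)
        # Keep only attribute types usable as Gmail search terms, and only those
        # the analyst flagged for detection (to_ids).
        wanted_types = ('domain', 'email-src', 'email-subject')
        attributes = [a for a in event.attributes
                      if a.type in wanted_types and a.to_ids]
        # Each value is wrapped in U+201D quotes, as in the original; a value that
        # itself contains that character would break the term boundary.
        sig = " OR ".join('”' + a.value + '”' for a in attributes)
        print(sig)
        print("\n")
        # urllib.quote is the Python 2 API (this file targets python2).
        print("https://mail.google.com/mail/u/0/#search/" + urllib.quote(sig))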