valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e8477c8afa
SigmaHQ/tools/sigma/sigma2misp.py
Christian Clauss 9dc3940c07
Fix undefined names in sigma2misp.py 
create_new_event() -> create_new_event(args, misp) to fix:

flake8 testing of https://github.com/Neo23x0/sigma on Python 3.8.3

% _flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics_
```
./tools/sigma/sigma2misp.py:11:16: F821 undefined name 'misp'
    if hasattr(misp, "new_event"):
               ^
./tools/sigma/sigma2misp.py:12:16: F821 undefined name 'misp'
        return misp.new_event(info=args.info)["Event"]["id"]
               ^
./tools/sigma/sigma2misp.py:12:36: F821 undefined name 'args'
        return misp.new_event(info=args.info)["Event"]["id"]
                                   ^
./tools/sigma/sigma2misp.py:14:13: F821 undefined name 'misp'
    event = misp.MISPEvent()
            ^
./tools/sigma/sigma2misp.py:15:18: F821 undefined name 'args'
    event.info = args.info
                 ^
./tools/sigma/sigma2misp.py:16:12: F821 undefined name 'misp'
    return misp.add_event(event)["Event"]["id"]
           ^
6     F821 undefined name 'misp'
6
```
2020-06-28 07:02:41 +02:00

74 lines
2.9 KiB
Python
Executable File
Raw Blame History

#!/usr/bin/env python3
# Import given Sigma rules to MISP
import argparse
import pathlib
import urllib3
urllib3.disable_warnings()
from pymisp import PyMISP
def create_new_event(args, misp):
if hasattr(misp, "new_event"):
return misp.new_event(info=args.info)["Event"]["id"]
event = misp.MISPEvent()
event.info = args.info
return misp.add_event(event)["Event"]["id"]
class MISPImportArgumentParser(argparse.ArgumentParser):
def __init__(self, *args, **kwargs):
super().__init__(
description="Import Sigma rules into MISP events",
epilog="Parameters can be read from a file by a @filename parameter. The file should contain one parameter per line. Dashes may be omitted.",
fromfile_prefix_chars="@",
)
def convert_arg_line_to_args(self, line : str):
return ("--" + line.lstrip("--")).split()
def main():
argparser = MISPImportArgumentParser()
argparser.add_argument("--url", "-u", default="https://localhost", help="URL of MISP instance")
argparser.add_argument("--key", "-k", required=True, help="API key")
argparser.add_argument("--insecure", "-I", action="store_false", help="Disable TLS certifcate validation.")
argparser.add_argument("--event", "-e", type=int, help="Add Sigma rule to event with this ID. If not set, create new event.")
argparser.add_argument("--same-event", "-s", action="store_true", help="Import all Sigma rules to the same event, if no event is set.")
argparser.add_argument("--info", "-i", default="Sigma import", help="Event Information field for newly created MISP event.")
argparser.add_argument("--recursive", "-r", action="store_true", help="Recursive traversal of directory")
argparser.add_argument("sigma", nargs="+", help="Sigma rule file that should be imported")
args = argparser.parse_args()
if args.recursive:
paths = [ p for pathname in args.sigma for p in pathlib.Path(pathname).glob("**/*") if p.is_file() ]
else:
paths = [ pathlib.Path(sigma) for sigma in args.sigma ]
misp = PyMISP(args.url, args.key, args.insecure)
if args.event:
if hasattr(misp, "get"):
eventid = misp.get(args.event)["Event"]["id"]
else:
eventid = misp.get_event(args.event)["Event"]["id"]
first = True
for sigma in paths:
if not args.event and (first or not args.same_event):
eventid = create_new_event(args, misp)
print("Importing Sigma rule {} into MISP event {}...".format(sigma, eventid, end=""))
f = sigma.open("rt")
if hasattr(misp, "add_named_attribute"):
misp.add_named_attribute(eventid, "sigma", f.read())
else:
event = misp.get_event(eventid, pythonify=True)
event.add_attribute("sigma", f.read())
misp.update_event(event)
f.close()
first = False
if __name__ == "__main__":
main()
Reference in New Issue View Git Blame Copy Permalink