Skip to content
/ FireMISP Public

FireEye Alert json files to MISP Malware information sharing plattform (Alpha)

License

MIT license
32 stars 10 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

jaegeral/FireMISP

BranchesTags

Repository files navigation

python script for interacting with misp

Inspired by: https://github.com/spcampbell/FireStic

Installation

update the values to your needs

modify the API Key:

cp config.example.cfg config.cfg
vi config.cfg
#change the values

Running

run the script (in that example 192.168.178 is the IP of MISP):

python firemisp/firemisp.py
INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 192.168.178.71
DEBUG:requests.packages.urllib3.connectionpool:"GET /servers/getVersion HTTP/1.1" 200 20
INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 10.50.12.71
DEBUG:requests.packages.urllib3.connectionpool:"GET /attributes/describeTypes.json HTTP/1.1" 200 4819
INFO:__main__:Starting HTTP server 127.0.0.1 8080

Testing

To test with real data put your *.json files in testing/real (they will be ignored by git)

    python testing/fmtest.py -d testing/real

To test with sample data:#

    python testing/fmtest.py -f testing/alert_details_fireeye_reducted.json

If you do not have a MISP instance, you can get a VM with MISP at https://www.circl.lu/services/misp-training-materials/ Once you have that MISP instance running and reachable from the system you are running FireMisp, get the API key at

$YOURIPOFMISP/users/view/me

And edit the config.cfg according to your needs.

To delete events that have been created for test purposes, uncomment the section in firemisp.py

   #clean the database for test purposes
    '''for i in range (200,1348,1):
        misp.delete_event(i)
    exit()
   '''

And adjust the id values to your need

Issues

There is no

DEBUG:requests.packages.urllib3.connectionpool:"GET /servers/getVersion HTTP/1.1" 200 20
INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 10.50.12.71

After starting FireMisp.py

Instead:

pymisp.api.PyMISPError: Unable to connect to MISP (http://192.168.178.71). Please make sure the API key and the URL are correct (http/https is required): HTTPConnectionPool(host='192.168.178.71', port=80): Max retries exceeded with url: /servers/getVersion (Caused by <class 'socket.error'>: [Errno 110] Connection timed out)

That means the connection to the MISP instance.

Example:

To be done

Roadmap

There are obviously some things to be done in the future:

  • improve current mappings (pyFireEyeAlert.py)
  • make the mapping more robust (pyFireEyeAlert.py)
  • introduce new mappings (FireMisp.py + pyFireEyeAlert.py)
  • improve correlation (Feedback welcome)
  • test it with high volume of alerts
  • Python3 support
  • unittests
  • make LDAP a config part

About

FireEye Alert json files to MISP Malware information sharing plattform (Alpha)

Topics

cybersecurity misp threatintel cyber misp-instance misp-api fireeye-alert fireeye

Resources

Readme

License

MIT license
Activity

Stars

32 stars

Watchers

6 watching

Forks

10 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages