Merge branch 'main' of github.com:MISP/PyMISP into main

MISP · Oct 9, 2020 · bacd4c7 · bacd4c7
2 parents cce2285 + ff7ed7a
commit bacd4c7
Show file tree

Hide file tree

Showing 11 changed files with 81 additions and 15 deletions.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -1295,7 +1295,7 @@ Other
   values, sanitization) [Falconieri]
 - Add: exportpdf tool working. [Falconieri]
 - General improvement : deisgn, exhaustiviness of mispEvent values
-  displayed, good pratice concerning paragraphe/table made. [Falconieri]
+  displayed, good practice concerning paragraphe/table made. [Falconieri]
 - Update with table basics. [Falconieri]
 - Structure of the improvements OK : test file, test folder, report
   generator. [Falconieri]
@@ -2219,7 +2219,7 @@ Changes
 - Bump CHANGELOG. [Raphaël Vinot]
 - Bump misp-objects. [Raphaël Vinot]
 - Update readme for new logging system. [Raphaël Vinot]
-- Small improvments in the logging system. [Raphaël Vinot]
+- Small improvements in the logging system. [Raphaël Vinot]
 - Properly use python logging module. [Raphaël Vinot]
 - Update asciidoctor generator. [Raphaël Vinot]
 - Remove warning if PyMISP is too new. [Raphaël Vinot]
@@ -2547,7 +2547,7 @@ Other
 - Cleanup warning function. [Raphaël Vinot]
 - Fix typos. [Raphaël Vinot]
 - Remove unused variable. [Tristan METAYER]
-- Remove category It will be automaticly detected
+- Remove category It will be automatically detected
   https://github.com/MISP/PyMISP/blob/master/pymisp/tools/openioc.py.
   [Tristan METAYER]
 - Revert tab to escape. [Tristan METAYER]
@@ -2756,7 +2756,7 @@ Other
 - Bump version. [Raphaël Vinot]
 - Add orgs managment. [Raphaël Vinot]
 - Run on more python versions. [Raphaël Vinot]
-- Exemple addtag (dirty) [Déborah Servili]
+- Example addtag (dirty) [Déborah Servili]
 - Fix last commit. [Raphaël Vinot]
 - Wrong use of API for dateuntil. [Koen Van Impe]
 

diff --git a/docs/tutorial/old/Search.ipynb b/docs/tutorial/old/Search.ipynb
@@ -70,7 +70,7 @@
    "source": [
     "## Search unpublished events\n",
     "\n",
-    "**WARNING**: By default, the search query will only return all the events listed on teh index page"
+    "**WARNING**: By default, the search query will only return all the events listed on the index page"
    ]
   },
   {

diff --git a/examples/add_gitlab_user.py b/examples/add_gitlab_user.py
@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from pymisp import PyMISP
+from pymisp import MISPObject
+from pymisp.tools import update_objects
+from keys import misp_url, misp_key, misp_verifycert
+import argparse
+import requests
+import sys
+
+"""
+usage: add_gitlab_user.py [-h] -e EVENT [-f] -u USERNAME [-l LINK]
+
+Fetch GitLab user details and add it in object in MISP
+
+optional arguments:
+  -h, --help            show this help message and exit
+  -e EVENT, --event EVENT
+                        Event ID to update
+  -f, --force-template-update
+  -u USERNAME, --username USERNAME
+                        GitLab username to add
+  -l LINK, --link LINK  Url to access the GitLab instance, Default is
+                        www.gitlab.com.
+"""
+
+default_url = "http://www.gitlab.com/"
+
+parser = argparse.ArgumentParser(description='Fetch GitLab user details and add it in object in MISP')
+parser.add_argument("-e", "--event", required=True, help="Event ID to update")
+parser.add_argument("-f", "--force-template-update", required=False, action="store_true")
+parser.add_argument("-u", "--username", required=True, help="GitLab username to add")
+parser.add_argument("-l", "--link", required=False, help="Url to access the GitLab instance, Default is www.gitlab.com.", default=default_url)
+args = parser.parse_args()
+
+
+r = requests.get("{}api/v4/users?username={}".format(args.link, args.username))
+if r.status_code != 200:
+    sys.exit("HTTP return is {} and not 200 as expected".format(r.status_code))
+if args.force_template_update:
+    print("Updating MISP Object templates...")
+    update_objects()
+
+gitlab_user = r.json()[0]
+pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
+print(gitlab_user)
+
+misp_object = MISPObject(name="gitlab-user")
+misp_object.add_attribute('username', gitlab_user['username'])
+misp_object.add_attribute('id', gitlab_user['id'])
+misp_object.add_attribute('name', gitlab_user['name'])
+misp_object.add_attribute('state', gitlab_user['state'])
+misp_object.add_attribute('avatar_url', gitlab_user['avatar_url'])
+misp_object.add_attribute('web_url', gitlab_user['web_url'])
+retcode = pymisp.add_object(args.event, misp_object)
diff --git a/examples/delete_user.py b/examples/delete_user.py
@@ -7,7 +7,7 @@
 
 
 if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description='Delete the user with the given id. Keep in mind that disabling users (by setting the disabled flag via an edit) is always prefered to keep user associations to events intact.')
+    parser = argparse.ArgumentParser(description='Delete the user with the given id. Keep in mind that disabling users (by setting the disabled flag via an edit) is always preferred to keep user associations to events intact.')
     parser.add_argument("-i", "--user_id", help="The id of the user you want to delete.")
     args = parser.parse_args()
 

diff --git a/examples/feed-generator-from-redis/README.md b/examples/feed-generator-from-redis/README.md
@@ -11,7 +11,7 @@
 
 ````
 #  Feed generator
-git clone https://github.com/CIRCL/PyMISP
+git clone https://github.com/MISP/PyMISP
 cd examples/feed-generator-from-redis
 cp settings.default.py settings.py
 vi settings.py  # adjust your settings
@@ -66,7 +66,7 @@ python3 server.py
 >>> obj_data = { "session": "session_id", "username": "admin", "password": "admin", "protocol": "telnet" }
 >>> generator.add_object_to_event(obj_name, **obj_data)
 
-# Immediatly write the event to the disk (Bypassing the default flushing behavior)
+# Immediately write the event to the disk (Bypassing the default flushing behavior)
 >>> generator.flush_event()
 ```
 

diff --git a/examples/feed-generator-from-redis/fromredis.py b/examples/feed-generator-from-redis/fromredis.py
@@ -107,7 +107,7 @@ def perform_action(self, key, data):
             # Suffix not provided, try to add anyway
             if settings.fallback_MISP_type == 'attribute':
                 new_key = key + self.SUFFIX_ATTR
-                # Add atribute type from the config
+                # Add attribute type from the config
                 if 'type' not in data and settings.fallback_attribute_type:
                     data['type'] = settings.fallback_attribute_type
                 else:

diff --git a/examples/situational-awareness/README.md b/examples/situational-awareness/README.md
@@ -4,8 +4,8 @@
 * It will also generate a html document with a table (attribute\_table.html) containing count for each type of attribute.
 * test\_attribute\_treemap.html is a quick page made to visualize both treemap and table at the same time.
 
-* tags\_count.py is a script that count the number of occurences of every tags in a fetched sample of Events in a given period of time.
-* tag\_search.py is a script that count the number of occurences of a given tag  in a fetched sample of Events in a given period of time.
+* tags\_count.py is a script that count the number of occurrences of every tags in a fetched sample of Events in a given period of time.
+* tag\_search.py is a script that count the number of occurrences of a given tag  in a fetched sample of Events in a given period of time.
     * Events will be fetched from _days_ days ago to today.
     * _begindate_ is the beginning of the studied period. If it is later than today, an error will be raised.
     * _enddate_ is the end of the studied period. If it is earlier than _begindate_, an error will be raised.

diff --git a/examples/vmray_automation.py b/examples/vmray_automation.py
@@ -129,7 +129,7 @@ def search_vmray_incomplete(m, url, wait_period, module_import_url, module_impor
                     if module_DEBUG and req is not None:
                         print("Response code from submitting to MISP modules %s" % (req.status_code))
 
-                    # Succesful response from the misp modules?
+                    # Successful response from the misp modules?
                     if req.status_code == 200:
                         req_json = req.json()
                         if "error" in req_json:

diff --git a/pymisp/api.py b/pymisp/api.py
@@ -1917,7 +1917,7 @@ def search(self, controller: str = 'events', return_format: str = 'json',
         :param timestamp: Restrict the results by the timestamp (last edit). Any event with a timestamp newer than the given timestamp will be returned. In case you are dealing with /attributes as scope, the attribute's timestamp will be used for the lookup.
         :param published: Set whether published or unpublished events should be returned. Do not set the parameter if you want both.
         :param enforce_warninglist: Remove any attributes from the result that would cause a hit on a warninglist entry.
-        :param to_ids: By default all attributes are returned that match the other filter parameters, irregardless of their to_ids setting. To restrict the returned data set to to_ids only attributes set this parameter to 1. 0 for the ones with to_ids set to False.
+        :param to_ids: By default all attributes are returned that match the other filter parameters, regardless of their to_ids setting. To restrict the returned data set to to_ids only attributes set this parameter to 1. 0 for the ones with to_ids set to False.
         :param deleted: If this parameter is set to 1, it will only return soft-deleted attributes. ["0", "1"] will return the active ones as well as the soft-deleted ones.
         :param include_event_uuid: Instead of just including the event ID, also include the event UUID in each of the attributes.
         :param include_event_tags: Include the event level tags in each of the attributes.

diff --git a/pymisp/data/describeTypes.json b/pymisp/data/describeTypes.json
@@ -36,6 +36,7 @@
         "comment",
         "cookie",
         "filename",
+        "filename-pattern",
         "filename|authentihash",
         "filename|impfuzzy",
         "filename|imphash",
@@ -128,6 +129,7 @@
         "domain",
         "domain|ip",
         "filename",
+        "filename-pattern",
         "filename|md5",
         "filename|sha1",
         "filename|sha256",
@@ -214,6 +216,7 @@
         "email-src",
         "email-subject",
         "eppn",
+        "filename-pattern",
         "hassh-md5",
         "hasshserver-md5",
         "hex",
@@ -283,6 +286,7 @@
         "email-thread-index",
         "email-x-mailer",
         "filename",
+        "filename-pattern",
         "filename|authentihash",
         "filename|impfuzzy",
         "filename|imphash",
@@ -361,6 +365,7 @@
         "chrome-extension-id",
         "comment",
         "filename",
+        "filename-pattern",
         "filename|authentihash",
         "filename|impfuzzy",
         "filename|imphash",
@@ -942,6 +947,10 @@
         "default_category": "Person",
         "to_ids": 0
       },
+      "pattern-filename": {
+        "default_category": "Payload installation",
+        "to_ids": 1
+      },
       "pattern-in-file": {
         "default_category": "Payload installation",
         "to_ids": 1
@@ -1329,6 +1338,7 @@
       "passport-country",
       "passport-expiration",
       "passport-number",
+      "pattern-filename",
       "pattern-in-file",
       "pattern-in-memory",
       "pattern-in-traffic",

diff --git a/pymisp/tools/fileobject.py b/pymisp/tools/fileobject.py
@@ -79,10 +79,10 @@ def __entropy_H(self, data: bytes) -> float:
         if len(data) == 0:
             return 0.0
 
-        occurences = Counter(bytearray(data))
+        occurrences = Counter(bytearray(data))
 
         entropy = 0.0
-        for x in occurences.values():
+        for x in occurrences.values():
             p_x = float(x) / len(data)
             entropy -= p_x * math.log(p_x, 2)