FireMISP

FireEye Alert json files to MISP Malware information sharing plattform (Alpha)

Generate Convert Improve

Install / Use

/learn @jaegeral/FireMISP

About this skill

Quality Score

0/100

README

python script for interacting with misp

Inspired by: https://github.com/spcampbell/FireStic

Installation

update the values to your needs

modify the API Key:

cp config.example.cfg config.cfg
vi config.cfg
#change the values

Running

run the script (in that example 192.168.178 is the IP of MISP):

python firemisp/firemisp.py
INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 192.168.178.71
DEBUG:requests.packages.urllib3.connectionpool:"GET /servers/getVersion HTTP/1.1" 200 20
INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 10.50.12.71
DEBUG:requests.packages.urllib3.connectionpool:"GET /attributes/describeTypes.json HTTP/1.1" 200 4819
INFO:__main__:Starting HTTP server 127.0.0.1 8080

Testing

To test with real data put your *.json files in testing/real (they will be ignored by git)

    python testing/fmtest.py -d testing/real

To test with sample data:#

    python testing/fmtest.py -f testing/alert_details_fireeye_reducted.json

If you do not have a MISP instance, you can get a VM with MISP at https://www.circl.lu/services/misp-training-materials/ Once you have that MISP instance running and reachable from the system you are running FireMisp, get the API key at

$YOURIPOFMISP/users/view/me

And edit the config.cfg according to your needs.

To delete events that have been created for test purposes, uncomment the section in firemisp.py

   #clean the database for test purposes
    '''for i in range (200,1348,1):
        misp.delete_event(i)
    exit()
   '''

And adjust the id values to your need

Issues

There is no

DEBUG:requests.packages.urllib3.connectionpool:"GET /servers/getVersion HTTP/1.1" 200 20
INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 10.50.12.71

After starting FireMisp.py

Instead:

pymisp.api.PyMISPError: Unable to connect to MISP (http://192.168.178.71). Please make sure the API key and the URL are correct (http/https is required): HTTPConnectionPool(host='192.168.178.71', port=80): Max retries exceeded with url: /servers/getVersion (Caused by <class 'socket.error'>: [Errno 110] Connection timed out)

That means the connection to the MISP instance.

Example:

To be done

Roadmap

There are obviously some things to be done in the future:

improve current mappings (pyFireEyeAlert.py)
make the mapping more robust (pyFireEyeAlert.py)
introduce new mappings (FireMisp.py + pyFireEyeAlert.py)
improve correlation (Feedback welcome)
test it with high volume of alerts
Python3 support
unittests
make LDAP a config part

Related Skills

node-connect

353.3k

Diagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps

frontend-design

111.7k

Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.

openai-whisper-api

353.3k

Transcribe audio via OpenAI Audio Transcriptions API (Whisper).

qqbot-media

353.3k

QQBot 富媒体收发能力。使用 <qqmedia> 标签，系统根据文件扩展名自动识别类型（图片/语音/视频/文件）。