├── .gitignore ├── LICENSE ├── MISP2CBR.py ├── README.md └── requirements.txt /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | MANIFEST 27 | 28 | # PyInstaller 29 | # Usually these files are written by a python script from a template 30 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 31 | *.manifest 32 | *.spec 33 | 34 | # Installer logs 35 | pip-log.txt 36 | pip-delete-this-directory.txt 37 | 38 | # Unit test / coverage reports 39 | htmlcov/ 40 | .tox/ 41 | .coverage 42 | .coverage.* 43 | .cache 44 | nosetests.xml 45 | coverage.xml 46 | *.cover 47 | .hypothesis/ 48 | .pytest_cache/ 49 | 50 | # Translations 51 | *.mo 52 | *.pot 53 | 54 | # Django stuff: 55 | *.log 56 | local_settings.py 57 | db.sqlite3 58 | 59 | # Flask stuff: 60 | instance/ 61 | .webassets-cache 62 | 63 | # Scrapy stuff: 64 | .scrapy 65 | 66 | # Sphinx documentation 67 | docs/_build/ 68 | 69 | # PyBuilder 70 | target/ 71 | 72 | # Jupyter Notebook 73 | .ipynb_checkpoints 74 | 75 | # pyenv 76 | .python-version 77 | 78 | # celery beat schedule file 79 | celerybeat-schedule 80 | 81 | # SageMath parsed files 82 | *.sage.py 83 | 84 | # Environments 85 | .env 86 | .venv 87 | env/ 88 | venv/ 89 | ENV/ 90 | env.bak/ 91 | venv.bak/ 92 | 93 | # Spyder project settings 94 | .spyderproject 95 | .spyproject 96 | 97 | # Rope project settings 98 | .ropeproject 99 | 100 | # mkdocs documentation 101 | /site 102 | 103 | # mypy 104 | .mypy_cache/ 105 | keys.py 106 | -------------------------------------------------------------------------------- /LICENSE: 
-------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 eCrimeLabs 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /MISP2CBR.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | """ 3 | This application will create a HTTPS webserver fetching data from MISP Threat Sharing Platform 4 | and exposing it in a format that CarbonBlack Response understands and can import. 
5 | 6 | MIT License 7 | 8 | Copyright (c) 2019 Dennis Rand (https://www.ecrimelabs.com) 9 | 10 | Permission is hereby granted, free of charge, to any person obtaining a copy 11 | of this software and associated documentation files (the "Software"), to deal 12 | in the Software without restriction, including without limitation the rights 13 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 14 | copies of the Software, and to permit persons to whom the Software is 15 | furnished to do so, subject to the following conditions: 16 | The above copyright notice and this permission notice shall be included in all 17 | copies or substantial portions of the Software. 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 24 | SOFTWARE. 
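"""

import argparse
import hashlib
import json
import pprint
import re
import socket
import sys
import time

from flask import Flask, Response
from pymisp import PyMISP

from keys import misp_url, misp_key, misp_verifycert, misp_tag, proxies, flask_cert, flask_key, app_debug

app = Flask(__name__)

__author__ = "Dennis Rand - eCrimeLabs"
__copyright__ = "Copyright (c) 2022, eCrimeLabs"
__version__ = "1.0.1"
__maintainer__ = "Dennis Rand"

# Anchored hash patterns. The earlier patterns used "[32,32]" / "[64,64]",
# which are character classes (matching '3', '2', ',' ...) rather than
# repetition counts, so they did not validate hash length at all.
_MD5_RE = re.compile(r"[a-f0-9]{32}", re.IGNORECASE)
_SHA256_RE = re.compile(r"[a-f0-9]{64}", re.IGNORECASE)


def is_valid_ipv4_address(address):
    """Return True when *address* parses as a dotted-quad IPv4 address."""
    try:
        socket.inet_pton(socket.AF_INET, address)
    except AttributeError:
        # Platform without inet_pton: fall back to inet_aton, which is more
        # lenient, and additionally require exactly three dots.
        try:
            socket.inet_aton(address)
        except socket.error:
            return False
        return address.count('.') == 3
    except socket.error:
        # Not a valid IPv4 address.
        return False
    return True


def is_valid_ipv6_address(address):
    """Return True when *address* parses as an IPv6 address."""
    try:
        socket.inet_pton(socket.AF_INET6, address)
    except socket.error:
        # Not a valid IPv6 address.
        return False
    return True


def splash():
    """Print the start-up banner."""
    print("\r\n")
    print('Expose MISP attributes to CarbonBlack Response')
    print('(c)2022 eCrimeLabs')
    print('https://www.ecrimelabs.com')
    print("----------------------------------------\r\n")


def GetMISPData():
    """Fetch tagged attributes from MISP and return them as a Cb Response feed.

    Runs an ``attributes/restSearch`` query limited to the configured tag,
    sorts the returned values into DNS / IPv4 / IPv6 / MD5 / SHA256 buckets
    and passes them to ``Build_CB_Feed``.

    Raises:
        RuntimeError: the MISP response has no ``Attribute`` entry.
    """
    relative_path = 'attributes/restSearch'
    body = {
        "returnFormat": "json",
        "type": ["ip-src", "ip-dst", "domain", "hostname", "md5", "sha256"],
        "tags": misp_tag,
        "enforceWarninglist": "true",
        "to_ids": "true"
    }
    # NOTE(review): `proxies` is imported from keys.py but is not passed to
    # PyMISP here, so the configured proxy is not applied to this call.
    misp = PyMISP(misp_url, misp_key, misp_verifycert)
    data = misp.direct_call(relative_path, body)
    iocs_dns, iocs_ipv4, iocs_ipv6, iocs_md5, iocs_sha256 = [], [], [], [], []

    try:
        attributes = data['Attribute']
    except (KeyError, TypeError):
        # Raise instead of exiting: this runs inside a request handler, and
        # one failed upstream call should not take the feed server down.
        print(" - Error in communication with MISP")
        raise RuntimeError("MISP response did not contain 'Attribute'") from None

    for attribute in attributes:
        try:
            kind = attribute['type']
            value = attribute['value']
            if kind in ('domain', 'hostname'):
                # Domain and hostname values are forwarded as received.
                iocs_dns.append(value)
            elif kind in ('ip-src', 'ip-dst'):
                if is_valid_ipv4_address(value):
                    iocs_ipv4.append(value)
                if is_valid_ipv6_address(value):
                    iocs_ipv6.append(value)
            elif kind == 'md5':
                if _MD5_RE.fullmatch(value):
                    iocs_md5.append(value)
            elif kind == 'sha256':
                if _SHA256_RE.fullmatch(value):
                    iocs_sha256.append(value)
        except (KeyError, TypeError, ValueError):
            # Malformed attribute (missing key or non-string value): skip it
            # rather than publish an indicator that could not be validated.
            continue

    return Build_CB_Feed(iocs_dns, iocs_ipv4, iocs_ipv6, iocs_md5, iocs_sha256)


def Build_CB_Feed(iocs_dns, iocs_ipv4, iocs_ipv6, iocs_md5, iocs_sha256):
    """Assemble the feed dictionary served to Cb Response.

    The feed holds a single report whose ``iocs`` mapping only contains the
    indicator types for which at least one value was supplied.
    """
    cbr_title = "MISP Threat Feed (" + misp_tag + ")"
    # MD5 is used only to derive a stable report id from the title; it is
    # not an integrity or authenticity control.
    feed_id = hashlib.md5(cbr_title.encode('utf-8')).hexdigest()
    feed_timestamp = int(time.time())
    feed = {
        "feedinfo": {
            "provider_url": "https://www.misp-project.org",
            "display_name": "MISP Threat Feed",
            "name": "MISP",
            "tech_data": "There are no requirements to share any data to receive this feed.",
            "summary": "MISP - Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing",
            "icon": "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",
            "icon_small": "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"
        },
        "reports": [{
            "title": cbr_title,
            "timestamp": feed_timestamp,
            "id": feed_id,
            "link": misp_url,
            "score": 100,
            "iocs": {}
        }]
    }

    iocs = feed['reports'][0]['iocs']
    buckets = (
        ('dns', iocs_dns),
        ('ipv4', iocs_ipv4),
        ('ipv6', iocs_ipv6),
        ('md5', iocs_md5),
        ('sha256', iocs_sha256),
    )
    for key, values in buckets:
        if values:
            iocs[key] = values

    return feed


@app.route("/")
def fetch_and_deliver():
    """Serve the current feed as JSON, or a 502 when MISP gave no usable data.

    NOTE(review): this route has no authentication and every request triggers
    a fresh MISP query, so anyone who can reach the listener can read the
    indicators and generate load on the MISP instance. Keep the service bound
    to loopback or restrict access at the network layer.
    """
    try:
        feed = GetMISPData()
    except RuntimeError:
        error = {"error": "MISP upstream unavailable"}
        return Response(json.dumps(error), status=502, mimetype='application/json')
    return Response(json.dumps(feed), mimetype='application/json')


if __name__ == "__main__":
    splash()
    # Intake data from MISP and make it available in Carbon Black Response.
    desc = "Providing Threat Data from MISP to Cb Response EDR tool"
    parser = argparse.ArgumentParser(description=(desc))
    parser.add_argument("-i", "--ip", help="Hostname or IP of the service (default 127.0.0.1)", default="127.0.0.1")
    parser.add_argument("-p", "--port", help="Portname the service will listen on (default 8443)", default=8443, type=int)

    args = parser.parse_args()
    # app_debug=True turns on the Werkzeug interactive debugger; leave it
    # False whenever --ip is anything other than a loopback address.
    app.debug = app_debug
    if not flask_cert or not flask_key:
        # No certificate configured: use a self-signed certificate that is
        # generated at start-up.
        app.run(ssl_context='adhoc', host=args.ip, port=args.port)
    else:
        app.run(ssl_context=(flask_cert, flask_key), host=args.ip, port=args.port)

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # MISP Threat Feed into CarbonBlack Response
2 |
3 | Utilizing your Threat data from a MISP instance into CarbonBlack Response by exposing the data in the Threat Intelligence Feed.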
4 | 5 | Read more on eCrimeLabs Blog post: 6 | https://www.ecrimelabs.com/blog/2019/6/4/encriching-carbonblack-response-with-threat-data-from-misp 7 | 8 | The following data types from MISP are exported into the feed 9 | - ip-src 10 | - ip-dst 11 | - domain 12 | - hostname 13 | - md5 checksum 14 | - sha256 checksum 15 | 16 | The above MISP data types are converted into CarbonBlack's data types 17 | - IPv4 18 | - IPv6 19 | - DNS 20 | - MD5 21 | - SHA256 22 | 23 | ### Remember to create the file "keys.py": 24 | ``` 25 | #!/usr/bin/env python3 26 | # -*- coding: utf-8 -*- 27 | 28 | misp_url = 'https://misp_instance' 29 | misp_key = 'auth_key_value' 30 | misp_verifycert = True 31 | misp_tag = 'CarbonBlackResponse' 32 | 33 | flask_cert = '' 34 | flask_key = '' 35 | app_debug = False 36 | 37 | proxies = { 38 | 'https://127.0.0.1:8090', 39 | 'http://127.0.0.1:8090', 40 | } 41 | ``` 42 | 43 | ### Installation: 44 | ``` 45 | pip3 install -r requirements.txt 46 | ``` 47 | 48 | You can choose to add your own certificates; otherwise these will be autogenerated. Autogenerated (ad hoc) certificates are self-signed and created anew at each start, so the client cannot validate them against a trusted CA; supply your own certificate and key outside of testing. 
49 | To use ad hoc certificates with Flask, you need to install an additional dependency in your environment: 50 | ``` 51 | pip install pyopenssl 52 | ``` 53 | 54 | ### Sample Usage: 55 | ``` 56 | ~# # python3 MISP2CBR.py -h 57 | 58 | Expose MISP attributes to CarbonBlack Response 59 | (c)2022 eCrimeLabs 60 | https://www.ecrimelabs.com 61 | ---------------------------------------- 62 | 63 | usage: MISP2CBR.py [-h] [-i IP] [-p PORT] 64 | 65 | Providing Threat Data from MISP to Cb Response EDR tool 66 | 67 | optional arguments: 68 | -h, --help show this help message and exit 69 | -i IP, --ip IP Hostname or IP of the service (default 127.0.0.1) 70 | -p PORT, --port PORT Portname the service will listen on (default 8443) 71 | ``` 72 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | argparse 2 | pymisp 3 | flask 4 | cryptography 5 | --------------------------------------------------------------------------------