From 45a989702037ad1475af9c7d2af5ef6842757ef1 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Thu, 16 Nov 2017 09:52:37 +0100
Subject: [PATCH] Added draft support of MISP ail-leak object

---
 bin/ailleakOject.py | 25 +++++++++++++++++++++++++
 bin/alertHandler.py | 20 ++++++++++++++++++++
 mispKEYS.py.default | 6 ++++++
 3 files changed, 51 insertions(+)
 create mode 100644 bin/ailleakOject.py
 create mode 100644 mispKEYS.py.default

diff --git a/bin/ailleakOject.py b/bin/ailleakOject.py
new file mode 100644
index 00000000..03cb6c7f
--- /dev/null
+++ b/bin/ailleakOject.py
@@ -0,0 +1,25 @@
+#!/usr/bin/env python3
+# -*-coding:UTF-8 -*
+
+from pymisp.tools import GenericObjectGenerator
+from packages import Paste
+
+class AilleakObject(AbstractMISPObjectGenerator):
+ def __init__(self, moduleName, path):
+ super(GenericObject, self).__init__('ail-leak')
+ self.moduleName = moduleName
+ self.path = path
+ self.paste = Paste.Paste(path)
+ self.generate_attributes()
+
+ def generate_attributes(self):
+ self.add_attribute('type', value=self.moduleName)
+ self.add_attribute('origin', value=self.paste.p_source)
+ self.add_attribute('last-seen', value=self.paste.p_date)
+ self.add_attribute('raw-data', value=self.paste.get_p_content())
+ '''
+ # duplicated
+ duplicate_list = json.loads(paste._get_p_duplicate())
+ is_duplicate = True if len(duplicate_list) > 0 else False
+ self.add_attribute('duplicate', value=is_duplicate)
+ '''
diff --git a/bin/alertHandler.py b/bin/alertHandler.py
index ba6bb4d4..cb654639 100755
--- a/bin/alertHandler.py
+++ b/bin/alertHandler.py
@@ -20,6 +20,10 @@ from packages import Paste
 from pubsublogger import publisher
 from Helper import Process
+from pymisp import PyMISP
+import ailleakObject
+from ../mispKEYS import misp_url, misp_key, misp_verifycert
+
 if __name__ == "__main__":
 publisher.port = 6380
 publisher.channel = "Script"
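Review bot: The new module cannot be imported as written: `AbstractMISPObjectGenerator` (the base class) and `GenericObject` (in the `super()` call) are never imported, while the one name that is imported, `GenericObjectGenerator`, is unused. Assuming pymisp exports the base class from the same module, the two lines should read `from pymisp.tools import AbstractMISPObjectGenerator` and `super(AilleakObject, self).__init__('ail-leak')`. The `raw-data` attribute pushes the full paste body into the MISP event, so the target event's distribution level is what decides who can read leaked material; a comment such as `# raw-data carries the full paste body; the MISP event's distribution level governs who sees it` makes that explicit. The commented-out duplicate block references `paste` and `json`, neither of which is in scope, so it should be finished or dropped rather than left as dead code.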
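Review bot: `from ../mispKEYS import misp_url, misp_key, misp_verifycert` is not valid Python — relative imports use dots, not filesystem paths — so alertHandler.py fails at import time. Since `mispKEYS.py.default` lives in the repository root and this script in `bin/`, the parent directory has to be put on `sys.path` first, e.g. `sys.path.append(os.path.join(os.path.dirname(os.path.abspath(__file__)), '..'))` followed by `from mispKEYS import misp_url, misp_key, misp_verifycert` (the hunk starts mid-import block, so `os` and `sys` may already be imported above it). The module imported as `ailleakObject` is created in this same commit as `bin/ailleakOject.py` (missing the `b`), and the later code calls `AilleakObject(...)` unqualified, so once the file is renamed the import should become `from ailleakObject import AilleakObject`.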
@@ -27,6 +31,9 @@ if __name__ == "__main__":
 config_section = 'alertHandler'
 p = Process(config_section)
+ pymisp = PyMISP(misp_url, misp_key, misp_verifycert)
+ eventID = "9356"
+ mispTYPE = 'ail-leak'
 # port generated automatically depending on the date
 curYear = datetime.now().year
@@ -55,3 +62,16 @@ if __name__ == "__main__":
 publisher.info('Saved warning paste {}'.format(p_path))
+ # Create MISP AIL-leak object
+ misp_object = AilleakObject(moduleName, path)
+ print('validate mispobj', misp_object._validate())
+ print(misp_object)
+
+ # Publish object to MISP
+ try:
+ templateID = [x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list() if x['ObjectTemplate']['name'] == mispTYPE
+ except IndexError:
+ valid_types = ", ".join([x['ObjectTemplate']['name'] for x in pymisp.get_object_templates_list()])
+ print ("Template for type %s not found! Valid types are: %s" % (mispTYPE, valid_types))
+ continue
+ #r = pymisp.add_object(eventID, templateID, misp_object)
diff --git a/mispKEYS.py.default b/mispKEYS.py.default
new file mode 100644
index 00000000..42c534b8
--- /dev/null
+++ b/mispKEYS.py.default
@@ -0,0 +1,6 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+misp_url = ''
+misp_key = '' # The MISP auth key can be found on the MISP web interface under the automation section
+misp_verifycert = True
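Review bot: `eventID = "9356"` hard-codes the MISP event that every leak is attached to, which only works on the one instance the author tested against; it belongs next to `misp_url` in the keys file, e.g. `misp_event_id = ''` there and `eventID = misp_event_id` here. The `PyMISP(...)` client is also created unconditionally, so with the shipped `mispKEYS.py.default` (empty `misp_url`) the alert handler cannot even start for deployments that do not use MISP; guard it with `pymisp = PyMISP(misp_url, misp_key, misp_verifycert) if misp_url else None` and skip the publish step when it is `None`. If PyMISP's constructor contacts the server on creation — not visible from this hunk — an unreachable MISP would also stop the handler before it processes any alert, so that failure should be caught and logged rather than allowed to crash the process.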
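Review bot: The `templateID = [...]` list comprehension is missing its closing bracket, so alertHandler.py is a SyntaxError as committed, and even once closed an empty filtered list does not raise `IndexError`, leaving the `except` branch unreachable — it needs a trailing `[0]`: `templateID = [x['ObjectTemplate']['id'] for x in pymisp.get_object_templates_list() if x['ObjectTemplate']['name'] == mispTYPE][0]`. The context line above uses `p_path`, while `AilleakObject(moduleName, path)` passes `path` and `moduleName`, neither of which is defined in the hunk; this looks like a naming mismatch to confirm against the loop body, which starts outside the hunk (as does the loop the `continue` relies on). The template lookup is the same for every alert, so resolve it once after the client is created instead of calling `get_object_templates_list()` per paste, and treat a missing template as a startup error rather than a per-alert `continue`. `print(misp_object)` and the `_validate()` print dump the full paste content to stdout on every alert; route them through `publisher` or drop them, and mark the still-commented `add_object` call with a `# TODO` so it is clear nothing is published yet.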
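Review bot: This template is meant to be copied to `mispKEYS.py` with a live MISP auth key, but nothing in the commit keeps that copy out of version control — no `.gitignore` entry is part of the diff (one may already exist; verify), and the key carries the full API rights of the MISP user it belongs to. Add the entry and state the expectation in the file itself, e.g. `# Copy to mispKEYS.py, fill in the values and keep that copy out of git; the key is a full API credential for the MISP user.` The `misp_verifycert = True` default is right; a comment warning that setting it to `False` disables TLS certificate checking and is only acceptable against a test instance would stop it being flipped casually.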