intelmq.bots.parsers.misp package

Submodules

intelmq.bots.parsers.misp.parser module

intelmq.bots.parsers.misp.parser.BOT

alias of intelmq.bots.parsers.misp.parser.MISPParserBot

class intelmq.bots.parsers.misp.parser.MISPParserBot(bot_id: str, start: bool = False, sighup_event=None, disable_multithreading: Optional[bool] = None)

Bases: intelmq.lib.bot.Bot

Parse MISP events

MISP_TAXONOMY_MAPPING = {
    'ecsirt:abusive-content="spam"': 'spam',
    'ecsirt:availability="ddos"': 'ddos',
    'ecsirt:fraud="phishing"': 'phishing',
    'ecsirt:information-content-security="dropzone"': 'other',
    'ecsirt:information-gathering="scanner"': 'scanner',
    'ecsirt:intrusion-attempts="brute-force"': 'brute-force',
    'ecsirt:intrusion-attempts="exploit"': 'exploit',
    'ecsirt:intrusion-attempts="ids-alert"': 'ids-alert',
    'ecsirt:intrusions="backdoor"': 'system-compromise',
    'ecsirt:intrusions="compromised"': 'system-compromise',
    'ecsirt:intrusions="defacement"': 'unauthorised-information-modification',
    'ecsirt:malicious-code="botnet-drone"': 'infected-system',
    'ecsirt:malicious-code="c2server"': 'c2-server',
    'ecsirt:malicious-code="malware"': 'infected-system',
    'ecsirt:malicious-code="malware-configuration"': 'malware-configuration',
    'ecsirt:malicious-code="ransomware"': 'infected-system',
    'ecsirt:other="blacklist"': 'blacklist',
    'ecsirt:other="unknown"': 'undetermined',
    'ecsirt:test="test"': 'test',
    'ecsirt:vulnerable="vulnerable-service"': 'vulnerable-system',
}

MISP_TYPE_MAPPING = {
    'domain': 'source.fqdn',
    'email-src': 'source.account',
    'hostname': 'source.fqdn',
    'ip-dst': 'source.ip',
    'ip-src': 'source.ip',
    'md5': 'malware.hash.md5',
    'sha1': 'malware.hash.sha1',
    'url': 'source.url',
}

SUPPORTED_MISP_CATEGORIES = ['Payload delivery', 'Artifacts dropped', 'Payload installation', 'Network activity']
process()
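As an added illustration (not the bot's own process() implementation), the following applies the three class attributes above to a constructed MISP event: attributes outside SUPPORTED_MISP_CATEGORIES or with a type missing from MISP_TYPE_MAPPING are dropped, and the event's ecsirt tag is turned into classification.type via MISP_TAXONOMY_MAPPING. The 'undetermined' fallback, the extra.misp_event_id key and the first-matching-tag rule are assumptions of this example.

```python
from typing import Dict, List
# Mappings copied from the MISPParserBot attributes documented above
# (MISP_TAXONOMY_MAPPING is only a subset here; the page lists the full table).
MISP_TYPE_MAPPING = {
    'domain': 'source.fqdn', 'email-src': 'source.account', 'hostname': 'source.fqdn',
    'ip-dst': 'source.ip', 'ip-src': 'source.ip', 'md5': 'malware.hash.md5',
    'sha1': 'malware.hash.sha1', 'url': 'source.url',
}
MISP_TAXONOMY_MAPPING = {
    'ecsirt:fraud="phishing"': 'phishing',
    'ecsirt:malicious-code="c2server"': 'c2-server',
    'ecsirt:malicious-code="malware"': 'infected-system',
    'ecsirt:other="unknown"': 'undetermined',
}
SUPPORTED_MISP_CATEGORIES = ['Payload delivery', 'Artifacts dropped',
                             'Payload installation', 'Network activity']

def classification_from_tags(tags: List[Dict]) -> str:
    # First event tag with a known ecsirt mapping wins; 'undetermined' is an assumed fallback.
    for tag in tags:
        mapped = MISP_TAXONOMY_MAPPING.get(tag.get('name', ''))
        if mapped:
            return mapped
    return 'undetermined'

def parse_misp_event(event: Dict) -> List[Dict]:
    # One flat IntelMQ-style dict per attribute with a supported category and a mapped type.
    classification = classification_from_tags(event.get('Tag', []))
    out = []
    for attr in event.get('Attribute', []):
        if attr.get('category') not in SUPPORTED_MISP_CATEGORIES:
            continue  # e.g. 'Internal reference' attributes are dropped
        field = MISP_TYPE_MAPPING.get(attr.get('type'))
        if field is None:
            continue  # unmapped MISP types such as 'comment' are dropped
        out.append({field: attr['value'], 'classification.type': classification,
                    'extra.misp_event_id': event.get('id')})  # extra key name is assumed
    return out

# Constructed event in the shape of a MISP JSON export; values are not real indicators.
SAMPLE_EVENT = {
    'id': '1234', 'Tag': [{'name': 'tlp:amber'}, {'name': 'ecsirt:fraud="phishing"'}],
    'Attribute': [
        {'type': 'url', 'category': 'Network activity', 'value': 'http://phish.example/login'},
        {'type': 'md5', 'category': 'Payload delivery', 'value': 'd41d8cd98f00b204e9800998ecf8427e'},
        {'type': 'comment', 'category': 'Other', 'value': 'analyst note'},
        {'type': 'ip-dst', 'category': 'Internal reference', 'value': '192.0.2.10'},
    ],
}
```

Running parse_misp_event(SAMPLE_EVENT) yields two events (the url and the md5); the comment and the 'Internal reference' ip-dst are filtered out.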

Module contents