misp2bro

Anyone using MISP? I installed MISP as a test and it seems pretty useful. What I can’t seem to get working is the misp2bro script written to export indicators in MISP to bro format.

https://github.com/unusedPhD/misp2bro

When I run the script it appears to crash and give the error:

Traceback (most recent call last):
File "misp2bro.py", line 288, in
if makeBroFiles(parseXML(EXPORT_FILE)):
File "misp2bro.py", line 168, in makeBroFiles
if int(event.find('attribute_count').text):
AttributeError: 'NoneType' object has no attribute 'text'

If I run it again there is no crash but that is because the md5 it generates matches the previous hash so no action is taken on the downloaded xml.

Has anyone used this? I could use a hand getting it working.

Thanks

Tim

Is there an error message in the xml file?
If yes, could you post it?

If you want to write your own script to download IOCs, there is the
PyMISP library @ https://github.com/MISP/PyMISP/
This library is really great because it abstracts most of the details
needed to create a script for interacting with a MISP instance.

Then you can just grep your bro logs, or generate bro IOCs lists that
can be used to match.

I’ve attached the error log and the xml. I don’t see any issues with the XML and the error log just shows that it started processing the XML. The script errors out after beginning to process the XML, so that’s why I assume there are no more entries in the log.

Thanks for the pointer to the PyMISP. I will look into it


Then it is probably the fact that the misp2bro script is expecting an
old format of XML from MISP.
Given the date of creation of the script, I would say it expects v2.3
file format, while you are probably using a v2.4 MISP.

Thanks, I’ll try to hit up the creator again and see if it can be fixed

I took a peek, there is no field "attribute_count" under event in XML.
Commenting out line #168 to stop checking for that, and it works for me.

To get it working, I also had to manually create the tmp directory
since it is used to indicate the filename for logs, but if it does not
exist, it is created after the logger object creation, which fails
because it does not exist. :(

I created a pull request for it: https://github.com/thnyheim/misp2bro/pull/1
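The failure above comes from calling `.text` on the `None` that `event.find('attribute_count')` returns when the element is absent. The following is an added example (not the misp2bro script itself) that tolerates both export shapes, using the element count as the fallback, and writes the result as Bro Intel framework lines; the XML element names and the constructed sample export are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a MISP 2.4 XML export (element names are
# assumptions); note there is no <attribute_count> element under <Event>.
SAMPLE_XML = """<response>
  <Event>
    <id>7</id>
    <info>Constructed test event</info>
    <Attribute><type>ip-dst</type><to_ids>1</to_ids><value>192.0.2.10</value></Attribute>
    <Attribute><type>domain</type><to_ids>1</to_ids><value>example.invalid</value></Attribute>
    <Attribute><type>md5</type><to_ids>0</to_ids><value>d41d8cd98f00b204e9800998ecf8427e</value></Attribute>
  </Event>
</response>"""

# MISP attribute type -> Bro Intel framework indicator type.
BRO_TYPES = {
    "ip-dst": "Intel::ADDR", "ip-src": "Intel::ADDR",
    "domain": "Intel::DOMAIN", "hostname": "Intel::DOMAIN", "url": "Intel::URL",
    "md5": "Intel::FILE_HASH", "sha1": "Intel::FILE_HASH", "sha256": "Intel::FILE_HASH",
}

def parse_events(xml_text):
    return ET.fromstring(xml_text).findall("Event")

def attribute_count(event):
    """Use <attribute_count> when present; otherwise count the <Attribute> children."""
    node = event.find("attribute_count")
    if node is not None and node.text:
        return int(node.text)
    return len(event.findall("Attribute"))

def event_to_bro_lines(event, source="misp"):
    """Bro intel lines for one <Event>, keeping only attributes flagged to_ids."""
    lines = []
    info = event.findtext("info", default="")
    for attr in event.findall("Attribute"):
        bro_type = BRO_TYPES.get(attr.findtext("type", default=""))
        if bro_type is None or attr.findtext("to_ids") != "1":
            continue
        lines.append("\t".join([attr.findtext("value"), bro_type, source, info, "-", "F"]))
    return lines

def convert(xml_text):
    """Whole export -> intel file lines, header first, skipping empty events."""
    lines = ["#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.do_notice"]
    for event in parse_events(xml_text):
        if attribute_count(event):  # the check that crashed misp2bro on 2.4 exports
            lines.extend(event_to_bro_lines(event))
    return lines
```

Writing the returned lines to a file and pointing `Intel::read_files` at it is all the Bro side needs; events with zero attributes are skipped rather than crashing the run.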