forked from securitydistractions/elastimispstash
-
Notifications
You must be signed in to change notification settings - Fork 0
/
rubyfilter-example.conf
50 lines (45 loc) · 1.57 KB
/
rubyfilter-example.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
filter {
if [misp][feed][domain]
{
ruby {
init => "
require 'net/http'
require 'uri'
require 'json'
"
code => "
uri = URI.parse('https://***************/attributes/restSearch') #insert your MISP address here
request = Net::HTTP::Post.new(uri)
request.content_type = 'application/json'
request['Accept'] = 'application/json'
request['Authorization'] = '*************************' #insert your MISP API key here
request.body = JSON.dump({
'returnFormat' => 'json',
'includeEventTags' => 'yes',
'value' => event.get('[destination][domain]')
})
req_options = {
use_ssl: uri.scheme == 'https',
verify_mode: OpenSSL::SSL::VERIFY_NONE,
}
response = Net::HTTP.start(uri.hostname, uri.port, req_options) do |http|
http.request(request)
end
if response.code == '200'
result = JSON.parse(response.body)
#event.set('MISP.all', result)
mispeventinfoarr = []
mispattributetagarr = []
for e in result['response']['Attribute']
for t in e['Tag']
mispattributetagarr.push(t['name'])
end
mispeventinfoarr.push(e['Event']['info'])
end
event.set('[misp][tag]', mispattributetagarr.uniq)
event.set('[misp][eventinfo]', mispeventinfoarr.uniq)
end
"
}
}
}