[Bro] [bro] misp2bro

David André elhoim at gmail.com
Sun Apr 17 07:50:28 PDT 2016


Then it is probably the fact that the misp2bro script is expecting an
old format of XML from MISP.
Given the date of creation of the script, I would say it expects v2.3
file format, while you are probably using a v2.4 MISP.

On Sun, Apr 17, 2016 at 9:35 AM, Tim Desrochers <tgdesrochers at gmail.com> wrote:
> I've attached the error log and the xml.  I don't see any issues with the
> XML and the error log just shows that it started processing the XML.  The
> script errors out after beginning to process the XML so that's why I assume
> there are no more entries in the log.
>
> Thanks for the pointer to the PyMISP.  I will look into it
>
>
>
> On Sun, Apr 17, 2016 at 10:28 AM, David André <elhoim at gmail.com> wrote:
>>
>> Is there an error message in the xml file?
>> If yes, could you post it?
>>
>> If you want to write your own script to download IOCs, there is the
>> PyMISP library  @ https://github.com/MISP/PyMISP/
>> This library is really great because it abstracts most of the details
>> needed to create a script for interacting with a MISP instance.
>>
>> Then you can just grep your bro logs, or generate bro IOCs lists that
>> can be used to match.
>>
>> On Sun, Apr 17, 2016 at 6:19 AM, Tim Desrochers <tgdesrochers at gmail.com>
>> wrote:
>> > Anyone using MISP?  I installed MISP as a test and it seems pretty
>> > useful.
>> > What I can't seem to get working is the misp2bro script written to
>> > export
>> > indicators in MISP to bro format.
>> >
>> > https://github.com/unusedPhD/misp2bro
>> >
>> > When I run the script it appears to crash and give the error:
>> > Traceback (most recent call last):
>> >   File "misp2bro.py", line 288, in <module>
>> >     if makeBroFiles(parseXML(EXPORT_FILE)):
>> >   File "misp2bro.py", line 168, in makeBroFiles
>> >     if int(event.find('attribute_count').text):
>> > AttributeError: 'NoneType' object has no attribute 'text'
>> >
>> > If I run it again there is no crash but that is because the md5 it
>> > generates
>> > matches the previous hash so no action is taken on the downloaded xml.
>> >
>> > Has anyone used this, I could use a hand getting it working.
>> >
>> > Thanks
>> > Tim
>> >
>
>
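
An added example, not part of the thread and not misp2bro's own code: the traceback comes from calling `.text` on the `None` that `event.find('attribute_count')` returns when the element is absent, so this sketch treats the count as optional and writes a Bro Intel framework file from the attributes themselves. The element names other than `attribute_count`, the type mapping, the function names and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real MISP export. Event 1 carries attribute_count,
# event 2 omits it (the case that raised the AttributeError in the traceback).
SAMPLE = """<response>
  <Event><id>1</id><attribute_count>2</attribute_count>
    <Attribute><type>ip-dst</type><value>192.0.2.10</value><to_ids>1</to_ids></Attribute>
    <Attribute><type>domain</type><value>bad.example</value><to_ids>1</to_ids></Attribute>
  </Event>
  <Event><id>2</id>
    <Attribute><type>md5</type><value>00000000000000000000000000000000</value><to_ids>1</to_ids></Attribute>
    <Attribute><type>url</type><value>http://bad.example/x</value><to_ids>0</to_ids></Attribute>
  </Event>
</response>"""

# Assumed mapping from MISP attribute types to Bro Intel framework types.
TYPE_MAP = {"ip-src": "Intel::ADDR", "ip-dst": "Intel::ADDR",
            "domain": "Intel::DOMAIN", "hostname": "Intel::DOMAIN",
            "md5": "Intel::FILE_HASH", "sha1": "Intel::FILE_HASH",
            "sha256": "Intel::FILE_HASH", "url": "Intel::URL"}

def attribute_count(event):
    """Declared count, or None when the element is missing or not a number."""
    node = event.find("attribute_count")
    text = (node.text or "").strip() if node is not None else ""
    return int(text) if text.isdigit() else None

def event_indicators(event):
    """(value, bro_type) pairs for attributes flagged to_ids with a mapped type."""
    out = []
    for attr in event.iter("Attribute"):
        bro_type = TYPE_MAP.get(attr.findtext("type", ""))
        value = (attr.findtext("value") or "").strip()
        if bro_type and value and attr.findtext("to_ids") == "1":
            if bro_type == "Intel::URL":
                value = value.split("://", 1)[-1]  # Bro URL indicators carry no scheme
            out.append((value, bro_type))
    return out

def to_bro_intel(xml_text, source="MISP"):
    """Build the tab-separated Intel file; a missing count no longer aborts the run."""
    lines = ["#fields\tindicator\tindicator_type\tmeta.source"]
    for event in ET.fromstring(xml_text).iter("Event"):
        if attribute_count(event) == 0:
            continue  # event explicitly declares no attributes
        lines += [f"{v}\t{t}\t{source}" for v, t in event_indicators(event)]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(to_bro_intel(SAMPLE), end="")
```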


