[Bro] [bro] misp2bro

David André elhoim at gmail.com
Sun Apr 17 08:52:48 PDT 2016


I took a peek, there is no field "attribute_count" under event in XML.
Commenting out line #168 to stop checking for that, and it works for me.

To get it working, I also had to manually create the tmp directory
since it is used to indicate the filename for logs, but if it does not
exist, it is created after the logger object creation, which fails
because it does not exist. :(

I created a pull request for it: https://github.com/thnyheim/misp2bro/pull/1

On Sun, Apr 17, 2016 at 10:15 AM, Tim Desrochers <tgdesrochers at gmail.com> wrote:
> Thanks, I'll try to hit up the creator again and see if it can be fixed
>
> On Sun, Apr 17, 2016 at 10:50 AM, David André <elhoim at gmail.com> wrote:
>>
>> Then it is probably the fact that the misp2bro script is expecting an
>> old format of XML from MISP.
>> Given the date of creation of the script, I would say it expects v2.3
>> file format, while you are probably using a v2.4 MISP.
>>
>> On Sun, Apr 17, 2016 at 9:35 AM, Tim Desrochers <tgdesrochers at gmail.com>
>> wrote:
>> > I've attached the error log and the xml.  I don't see any issues with
>> > the XML and the error log just shows that it started processing the XML.
>> > The script errors out after beginning to process the XML so that's why I
>> > assume there are no more entries in the log.
>> >
>> > Thanks for the pointer to the PyMISP.  I will look into it
>> >
>> >
>> >
>> > On Sun, Apr 17, 2016 at 10:28 AM, David André <elhoim at gmail.com> wrote:
>> >>
>> >> Is there an error message in the xml file?
>> >> If yes, could you post it?
>> >>
>> >> If you want to write your own script to download IOCs, there is the
>> >> PyMISP library  @ https://github.com/MISP/PyMISP/
>> >> This library is really great because it abstracts most of the details
>> >> needed to create a script for interacting with a MISP instance.
>> >>
>> >> Then you can just grep your bro logs, or generate bro IOCs lists that
>> >> can be used to match.
>> >>
>> >> On Sun, Apr 17, 2016 at 6:19 AM, Tim Desrochers
>> >> <tgdesrochers at gmail.com>
>> >> wrote:
>> >> > Anyone using MISP?  I installed MISP as a test and it seems pretty
>> >> > useful. What I can't seem to get working is the misp2bro script written
>> >> > to export indicators in MISP to bro format.
>> >> >
>> >> > https://github.com/unusedPhD/misp2bro
>> >> >
>> >> > When I run the script it appears to crash and give the error:
>> >> > Traceback (most recent call last):
>> >> >   File "misp2bro.py", line 288, in <module>
>> >> >     if makeBroFiles(parseXML(EXPORT_FILE)):
>> >> >   File "misp2bro.py", line 168, in makeBroFiles
>> >> >     if int(event.find('attribute_count').text):
>> >> > AttributeError: 'NoneType' object has no attribute 'text'
>> >> >
>> >> > If I run it again there is no crash but that is because the md5 it
>> >> > generates matches the previous hash so no action is taken on the
>> >> > downloaded xml.
>> >> >
>> >> > Has anyone used this, I could use a hand getting it working.
>> >> >
>> >> > Thanks
>> >> > Tim
>> >> >
>> >> > _______________________________________________
>> >> > Bro mailing list
>> >> > bro at bro-ids.org
>> >> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> >
>> >
>
>
