- toids-remove.py (this script)
- keys.py (the configuration file)
- MISP 2.4.152
- PyMISP 2.4.152
- Python 3.8
- VirusTotal APIv3
- AbuseIPDB APIv2
- Greynoise APIv3
- contextlib (contextmanager)
- sys
- os
- shutil
- time
- argparse
- prettytable (PrettyTable)
- pymisp (ExpandedPyMISP)
- urllib3
- requests
- base64
- re
This script is used to disable the 'to_ids' flag on MISP attributes: it removes the IDS flag from attributes in old events, or based on VirusTotal scan results. The idea comes from this article: https://www.vanimpe.eu/2019/09/24/tracking-false-positives-and-disabling-to_ids-in-misp/
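The decision logic behind the two modes, shown as an added example that is not the script's own code: 'rem' mode clears to_ids purely by attribute age, 'reputation' mode clears it only when VirusTotal, AbuseIPDB and Greynoise all agree the value is clean, and every cleared attribute also receives a false-positive sighting (MISP sighting type 1). The thresholds, the `Reputation` container and the `DryRunClient` stand-in for `ExpandedPyMISP` are assumptions for this example; the real client is called with the same two PyMISP methods, `update_attribute` and `add_sighting`.

```python
import time
from dataclasses import dataclass
VT_MALICIOUS_MAX = 0           # assumed threshold: no VirusTotal engine may flag the value
ABUSEIPDB_CONFIDENCE_MAX = 25  # assumed threshold: AbuseIPDB abuseConfidenceScore must stay below this

@dataclass
class Reputation:
    vt_malicious: int              # VirusTotal engines reporting the value as malicious
    abuseipdb_confidence: int      # AbuseIPDB abuseConfidenceScore, 0..100
    greynoise_classification: str  # "benign", "malicious" or "unknown"

def is_older_than(attr_timestamp, max_age_days, now_ts=None):
    """True when the MISP attribute timestamp (epoch seconds) is past the retention window."""
    now_ts = now_ts if now_ts is not None else time.time()
    return int(attr_timestamp) < now_ts - max_age_days * 86400

def looks_benign(rep):
    """All three reputation sources must agree before an indicator counts as clean."""
    return (rep.vt_malicious <= VT_MALICIOUS_MAX
            and rep.abuseipdb_confidence < ABUSEIPDB_CONFIDENCE_MAX
            and rep.greynoise_classification == "benign")

def should_clear_to_ids(mode, attr, rep=None, max_age_days=365, now_ts=None):
    """'rem' mode looks at age only, 'reputation' mode at reputation only; other modes never clear."""
    if not attr.get("to_ids"):
        return False  # not an IDS indicator anyway, nothing to disable
    if mode == "rem":
        return is_older_than(attr["timestamp"], max_age_days, now_ts)
    if mode == "reputation":
        return rep is not None and looks_benign(rep)
    return False

def disable_ids_flag(misp, attr, add_sighting=True):
    """Clear to_ids via the PyMISP client and record a false-positive sighting (type 1)."""
    # attr is an attribute dict as returned by misp.search(controller='attributes'); it needs 'id'.
    attr["to_ids"] = False
    misp.update_attribute(attr)
    if add_sighting:
        misp.add_sighting({"value": attr["value"], "type": "1", "source": "toids-remove"})
    return attr

class DryRunClient:
    """Stand-in for ExpandedPyMISP that only records the calls (added for offline testing)."""
    def __init__(self):
        self.updated, self.sightings = [], []
    def update_attribute(self, attr):
        self.updated.append(dict(attr))
    def add_sighting(self, sighting):
        self.sightings.append(sighting)
```

Running the same decision against a `DryRunClient` first shows which attributes would be touched before any change reaches the MISP instance.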
- Implemented sightsonly for Reputation mode: populate only sightings without removing IDS tags;
- Implemented sightsrem for Reputation mode: remove IDS tags based on the sightings / false-positive percentage;
- Removal of redundant code;
- Overhaul of script messages (for better understanding).
- Testing sightings mode;
- Further code optimization.
- Added sightings based on reputation results.
- Minor changes to the code;
- Added further VTotal tags to maltag.
- Added Greynoise API to reputation mode;
- Added tabled results at the end of the script;
- Removed unnecessary script header information.
- Added AbuseIPDB to the vt mode;
- vt mode now is reputation mode;
- remold mode is now rem mode;
- Added minimal error handling for AbuseIPDB API.
- Implemented VirusTotal Mode (vt);
- Implemented Remove Old Mode (remold);
- Included arguments to launch the script;
- Moved some variables to keys.py for better configuration;
- Included the 'published=True' search constraint (this should speed up the queries);
- Removed mintime and maxtime from keys.py, substituted with arguments --mintime --maxtime;
- Overall revamp of the code.
- Preparing for VirusTotal API implementation
- Removed old search string (it was not getting all the attributes);
- Added filtering based on event tags through build_complex_query (thanks Giuseppe for the idea);
- Various code revamps (not necessarily linked to the aforementioned changes);
- Moved misp_client_cert to keys.py;
- Added: misp_excluded_tags (for tag exclusion), mintime and maxtime (for time reference regarding the query on MISP) on keys.py;
- Added basic error handling;
- Added the creation of a default 'keys.py' if not present.
First release
- Add more APIs (for domain / URL);
- Better error handling.