Wanted to send logs to MISP #1763

crazypeter10 · 2025-03-09T14:51:55Z

crazypeter10
Mar 9, 2025

Hey i would like to send logs to MISP platform via curl but the only data i get is "Test" and i dont see the indices via curl
`
root@honeypotpetru:/home/petru/tpotce/data# curl -X GET "http://localhost:9200/_cat/indices?v"
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open 1cf0aa9d61f185b59f643939f862c01f89b21360 d_g1c8IASCGdhuFwcEh5WA 1 1 30 0 13.1kb 13.1kb
yellow open db18744ea5570fa9bf868df44fecd4b58332ff24 _W3iCnnaQKyKnJsF7HD7Eg 1 1 6 0 4kb 4kb
root@honeypotpetru:/home/petru/tpotce/data#
``

Code im using
from pymisp import PyMISP
import requests
import json

MISP_URL = 'http://192.168.189.132'
MISP_API_KEY = '4SRadEN0ml3QgVQTMk1ObFeNn1IAvRwhrJgttX5y'
VERIFY_CERT = False

misp = PyMISP(MISP_URL, MISP_API_KEY, VERIFY_CERT)

def get_tpot_logs():
elasticsearch_url = "http://localhost:9200/logstash-*/_search?size=1000"
response = requests.get(elasticsearch_url)
if response.status_code == 200:
return response.json()
else:
return None

def create_misp_event(data):
event = {
"info": "T-Pot Honeypot Attack Detected",
"distribution": 1,
"threat_level_id": 3,
"analysis": 0
}
event = misp.add_event(event)

for entry in data:
    if 'src_ip' in entry['_source']:
        ip = entry['_source']['src_ip']
        misp.add_attribute(event, {'type': 'ip-src', 'value': ip})

print("Eveniment creat în MISP.")

logs = get_tpot_logs()
if logs:
create_misp_event(logs['hits']['hits'])

dmille6 · 2025-03-11T03:19:50Z

dmille6
Mar 11, 2025

I'm doing something similar.. I'm querying tpot every 15 min, pulling all the data, then dumping it into OpenCTI (alternative to MISP) which makes a stix/taxii feed I can distribute to different network devices.

here is my python code I'm using to query Elasticsearch: I run this script ON the tpot hive.. so I dont have to expose the Elasticsearch database. .. my code is kinda ugly.. but it'll give you an idea of an approach.. it works.. I just set a cron job to run the script every 15 min

import logging
from elasticsearch import Elasticsearch, exceptions

logging.basicConfig(filename='./pullTPOTDataForOTX.log',level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')

class PullTPOTData:
    credentialsList=[]
    filesha256=[]
    all_results=[]

    def __init__(self, es_server_host, indexname, batch_size=1000, scroll_time='2m'):
        """Initialize the TPOT data puller."""
        self.ignore_list = ["Fatt", "P0f", "Suricata", "NGINX", "p0f", "fatt", "suricata", "nginx"]
        self.es_server_host = es_server_host
        self.indexname = indexname
        self.batch_size = batch_size
        self.scroll_time = scroll_time

        try:
            self.es = Elasticsearch(self.es_server_host)
            logging.info(f'Connected to Elasticsearch at {self.es_server_host}')
        except exceptions.ConnectionError as e:
            logging.error(f"Error connecting to Elasticsearch: {e}")
        except exceptions.ElasticsearchException as e:
            logging.error(f"General Elasticsearch error: {e}")

    def pull_tpot_data(self, time_delta_minutes=5):
        """Pull TPOT data from Elasticsearch within the specified time delta in minutes."""
        all_results = []
        time_delta = f"now-{time_delta_minutes}m"
        logging.info(f'Pulling TPOT data from {self.indexname} since {time_delta}')

        query = {
            "bool": {
                "must": [
                    {
                        "range": {
                            "@timestamp": {
                                "gte": time_delta,
                                "lte": "now",
                                "format": "strict_date_optional_time"
                            }
                        }
                    }
                ],
                "must_not": [
                    {
                        "terms": {
                            "type": self.ignore_list
                        }
                    }
                ]
            }
        }

        try:
            # Initialize the scroll
            response = self.es.search(
                index=self.indexname,
                body={"query": query},
                scroll=self.scroll_time,
                size=self.batch_size
            )
            scroll_id = response['_scroll_id']
            hits = response['hits']['hits']
            
                        # Loop through all the results
                        while hits:
                            all_results.extend(hits)
                            response = self.es.scroll(scroll_id=scroll_id, scroll=self.scroll_time)
                            scroll_id = response['_scroll_id']
                            hits = response['hits']['hits']
            
                        # Clean up the scroll when done
                        self.es.clear_scroll(scroll_id=scroll_id)
                        logging.info(f"Successfully pulled {len(all_results)} records from {self.indexname}")
            
                    except exceptions.NotFoundError as e:
                        logging.error(f"Index not found: {e}")
                    except exceptions.ConnectionTimeout as e:
                        logging.error(f"Connection timeout during query: {e}")
                    except exceptions.ElasticsearchException as e:
                        logging.error(f"Error during Elasticsearch query: {e}", exc_info=True)
                    except KeyError as e:
                        logging.error(f"KeyError: {e} - possibly missing expected fields in the response", exc_info=True)
                    except Exception as e:
                        logging.error(f"Unexpected error: {e}", exc_info=True)
            
                    self.all_results = all_results.copy()
                    return all_results
                    
                    ```

3 replies

dmille6 Mar 11, 2025

that class/method will just pull all the logs in a set amount of time excluding honeypot "types" in the exclude list. from there, it'll just return a python list of all the data returned.. from that point you can do whatever you want with it. I dump it into opencti and submit it to alienvault OTX.. but you could send it anywhere.

crazypeter10 Mar 11, 2025
Author

i tried with this code :
`import logging
import time
import requests
from elasticsearch import Elasticsearch, exceptions
from pymisp import PyMISP, MISPEvent, MISPAttribute

Configure logging

logging.basicConfig(filename='./pullTPOTDataForMISP.log', level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')

class PullTPOTData:
def init(self, es_server_host, misp_url, misp_key, indexname, batch_size=1000, scroll_time='2m'):
"""Initialize TPOT data puller and MISP integration."""
self.ignore_list = ["Fatt", "P0f", "Suricata", "NGINX", "p0f", "fatt", "suricata", "nginx"]
self.es_server_host = es_server_host
self.indexname = indexname
self.batch_size = batch_size
self.scroll_time = scroll_time
self.misp_url = misp_url
self.misp_key = misp_key

    # Connect to Elasticsearch with retries
    max_retries = 3
    for attempt in range(max_retries):
        try:
            self.es = Elasticsearch(
                self.es_server_host,
                request_timeout=30,  # Increase timeout for long queries
            )
            logging.info(f'Connected to Elasticsearch at {self.es_server_host}')
            break
        except exceptions.ConnectionError as e:
            logging.error(f"Error connecting to Elasticsearch (attempt {attempt+1}/{max_retries}): {e}")
            time.sleep(5)
    else:
        logging.error("Failed to connect to Elasticsearch after multiple attempts.")
        return

    # Connect to MISP
    try:
        self.misp = PyMISP(self.misp_url, self.misp_key, ssl=False)  # FIXED: `verifycert=False` is incorrect
        logging.info(f'Connected to MISP at {self.misp_url}')
    except Exception as e:
        logging.error(f"Error connecting to MISP: {e}")

def pull_tpot_data(self, time_delta_minutes=15):
    """Pull TPOT data from Elasticsearch within the specified time delta in minutes."""
    all_results = []
    time_delta = f"now-{time_delta_minutes}m"
    logging.info(f'Pulling TPOT data from {self.indexname} since {time_delta}')

    query = {
        "query": {
            "bool": {
                "must": [
                    {
                        "range": {
                            "@timestamp": {
                                "gte": time_delta,
                                "lte": "now",
                                "format": "strict_date_optional_time"
                            }
                        }
                    }
                ],
                "must_not": [
                    {
                        "terms": {
                            "type": self.ignore_list
                        }
                    }
                ]
            }
        }
    }

    try:
        response = self.es.search(
            index=self.indexname,
            body=query,
            scroll=self.scroll_time,
            size=self.batch_size
        )
        scroll_id = response.get('_scroll_id')
        hits = response['hits']['hits']

        # Loop through all the results
        while hits:
            all_results.extend(hits)
            response = self.es.scroll(scroll_id=scroll_id, scroll=self.scroll_time)
            scroll_id = response.get('_scroll_id')
            hits = response['hits']['hits']

        # Clean up the scroll when done
        self.es.clear_scroll(scroll_id=scroll_id)
        logging.info(f"Successfully pulled {len(all_results)} records from {self.indexname}")

    except exceptions.ConnectionTimeout:
        logging.error("Connection timeout during query: Elasticsearch server is slow or unreachable.")
    except exceptions.NotFoundError as e:
        logging.error(f"Index not found: {e}")
    except exceptions.TransportError as e:
        logging.error(f"Transport error: {e}")
    except KeyError as e:
        logging.error(f"KeyError: {e} - possibly missing expected fields in the response", exc_info=True)
    except Exception as e:
        logging.error(f"Unexpected error: {e}", exc_info=True)

    return all_results

def push_to_misp(self, results):
    """Push extracted data into MISP as events."""
    if not results:
        logging.info("No data to push to MISP.")
        return

    misp_event = MISPEvent()
    misp_event.info = "TPOT Honeypot Data Ingestion"
    misp_event.add_tag("honeypot")

    for entry in results:
        source = entry["_source"]

        # Extract useful fields
        timestamp = source.get("@timestamp")
        src_ip = source.get("src_ip")
        dest_ip = source.get("dest_ip")
        event_type = source.get("type")
        src_port = source.get("src_port")
        dest_port = source.get("dest_port")
        geoip = source.get("geoip_ext", {})

        # Create MISP attributes
        if src_ip:
            attr = MISPAttribute()
            attr.type = "ip-src"
            attr.value = src_ip
            attr.comment = "Source IP from TPOT Honeypot"
            misp_event.add_attribute(attr)

        if dest_ip:
            attr = MISPAttribute()
            attr.type = "ip-dst"
            attr.value = dest_ip
            attr.comment = "Destination IP from TPOT Honeypot"
            misp_event.add_attribute(attr)

        if event_type:
            attr = MISPAttribute()
            attr.type = "text"
            attr.value = event_type
            attr.comment = f"Attack Type: {event_type}"
            misp_event.add_attribute(attr)

        if src_port and dest_port:
            attr = MISPAttribute()
            attr.type = "text"
            attr.value = f"{src_port} -> {dest_port}"
            attr.comment = "Port Mapping"
            misp_event.add_attribute(attr)

        if geoip:
            country = geoip.get("country_name")
            city = geoip.get("city_name")
            asn = geoip.get("as_org")

            if country:
                attr = MISPAttribute()
                attr.type = "text"
                attr.value = country
                attr.comment = f"GeoIP Country: {country}"
                misp_event.add_attribute(attr)

            if city:
                attr = MISPAttribute()
                attr.type = "text"
                attr.value = city
                attr.comment = f"GeoIP City: {city}"
                misp_event.add_attribute(attr)

            if asn:
                attr = MISPAttribute()
                attr.type = "text"
                attr.value = asn
                attr.comment = f"ASN: {asn}"
                misp_event.add_attribute(attr)

    try:
        event = self.misp.add_event(misp_event, pythonify=True)
        logging.info(f"Successfully pushed event to MISP: {event['id']}")
    except Exception as e:
        logging.error(f"Failed to push data to MISP: {e}", exc_info=True)

======= Main Execution =======

if name == "main":
# Define your TPOT Elasticsearch and MISP instance settings
ES_SERVER_HOST = "xxx" # Update with your Elasticsearch IP
MISP_URL = "xxxx" # Replace with your MISP server URL
MISP_KEY = "xxx" # Replace with your MISP API Key
INDEXNAME = "logstash-*" # Adjust index name if needed

# Initialize and pull data
tpot_puller = PullTPOTData(ES_SERVER_HOST, MISP_URL, MISP_KEY, INDEXNAME)
extracted_data = tpot_puller.pull_tpot_data(time_delta_minutes=15)  # Pull last 15 min data

# Push data to MISP
tpot_puller.push_to_misp(extracted_data)

`

and i got this
`(misp-venv) petru@honeypotpetru:~/script-comunicare$ python3 pull_tpot_to_misp.py
/home/petru/misp-venv/lib/python3.12/site-packages/urllib3/connectionpool.py:1064: InsecureRequestWarning: Unverified HTTPS request is being made to host '192.168.189.132'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
/home/petru/misp-venv/lib/python3.12/site-packages/urllib3/connectionpool.py:1064: InsecureRequestWarning: Unverified HTTPS request is being made to host '192.168.189.132'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
/home/petru/misp-venv/lib/python3.12/site-packages/urllib3/connectionpool.py:1064: InsecureRequestWarning: Unverified HTTPS request is being made to host '192.168.189.132'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
/home/petru/script-comunicare/pull_tpot_to_misp.py:77: DeprecationWarning: The 'body' parameter is deprecated for the 'search' API and will be removed in a future version. Instead use API parameters directly. See elastic/elasticsearch-py#1698 for more information
response = self.es.search(

(misp-venv) petru@honeypotpetru:/script-comunicare$ cat pullTPOTDataForMISP.log
2025-03-11 17:51:26,355 - INFO - Connected to Elasticsearch at http://localhost:9200
2025-03-11 17:51:26,579 - INFO - Connected to MISP at http://192.168.189.132
2025-03-11 17:51:26,579 - INFO - Pulling TPOT data from logstash-* since now-15m
2025-03-11 17:51:26,586 - INFO - GET http://localhost:9200/ [status:200 request:0.006s]
2025-03-11 17:51:26,587 - ERROR - Unexpected error: The client noticed that the server is not Elasticsearch and we do not support this unknown product
Traceback (most recent call last):
File "/home/petru/script-comunicare/pull_tpot_to_misp.py", line 77, in pull_tpot_data
response = self.es.search(
^^^^^^^^^^^^^^^
File "/home/petru/misp-venv/lib/python3.12/site-packages/elasticsearch/client/utils.py", line 347, in _wrapped
return func(*args, params=params, headers=headers, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/petru/misp-venv/lib/python3.12/site-packages/elasticsearch/client/init.py", line 1821, in search
return self.transport.perform_request(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/petru/misp-venv/lib/python3.12/site-packages/elasticsearch/transport.py", line 421, in perform_request
_ProductChecker.raise_error(self._verified_elasticsearch)
File "/home/petru/misp-venv/lib/python3.12/site-packages/elasticsearch/transport.py", line 638, in raise_error
raise UnsupportedProductError(message)
elasticsearch.exceptions.UnsupportedProductError: The client noticed that the server is not Elasticsearch and we do not support this unknown product
2025-03-11 17:51:26,588 - INFO - No data to push to MISP.
(misp-venv) petru@honeypotpetru:/script-comunicare$ curl -X GET "http://localhost:9200"
{
"status" : 200,
"name" : "USNYES01",
"cluster_name" : "elasticsearch",
"version" : {
"number" : "1.4.1",
"build_hash" : "b88f43fc40b0bcd7f173a1f9ee2e97816de80b19",
"build_timestamp" : "2015-07-29T09:54:16Z",
"build_snapshot" : false,
"lucene_version" : "4.10.4"
},
"tagline" : "You Know, for Search"
}(misp-venv) petru@honeypotpetru:/script-comunicare$ ^C
(misp-venv) petru@honeypotpetru:/script-comunicare$
`

crazypeter10 Mar 16, 2025
Author

(misp-venv) petru@honeypotpetru:~/script-comunicare$ python3 test.py
/home/petru/script-comunicare/test.py:59: DeprecationWarning: The 'body' parameter is deprecated for the 'search' API and will be removed in a future version. Instead use API parameters directly. See https://github.com/elastic/elasticsearch-py/issues/1698 for more information
  response = self.es.search(
Total records pulled: 0
[]
(misp-venv) petru@honeypotpetru:~/script-comunicare$ curl -X GET "http://localhost:9200/tpot/_search?pretty"
{
  "_shards" : {
    "failed" : 0,
    "skipped" : 0,
    "successful" : 1,
    "total" : 1
  },
  "hits" : {
    "hits" : [
      {
        "_id" : "1",
        "_score" : 1.0,
        "_source" : {
          "description" : "Test",
          "name" : "test"
        },
        "_type" : "_doc",
        "_index" : "tpot"
      }
    ],
    "max_score" : 1.0,
    "total" : {
      "relation" : "eq",
      "value" : 1
    }
  },
  "timed_out" : false,
  "took" : 8
}(misp-venv) petru@honeypotpetru:~/script-comunicare$

It says to me 0 Record but when i check the dashboard in kibana i see data AND with the curl always give me "Test"

Code but i dont think its a problem from this


import logging
from elasticsearch import Elasticsearch, exceptions

# Configurare log-uri
logging.basicConfig(filename='./pullTPOTDataForOTX.log', level=logging.INFO, 
                    format='%(asctime)s - %(levelname)s - %(message)s')

class PullTPOTData:
    def __init__(self, es_server_host, indexname, batch_size=1000, scroll_time='2m'):
        """Initializează extractorul de date TPOT."""
        self.ignore_list = ["Fatt", "P0f", "Suricata", "NGINX", "p0f", "fatt", "suricata", "nginx"]
        self.es_server_host = es_server_host
        self.indexname = indexname
        self.batch_size = batch_size
        self.scroll_time = scroll_time
        self.all_results = []

        try:
            self.es = Elasticsearch(self.es_server_host)
            logging.info(f'Connected to Elasticsearch at {self.es_server_host}')
        except exceptions.ConnectionError as e:
            logging.error(f"Error connecting to Elasticsearch: {e}")
        except exceptions.ElasticsearchException as e:
            logging.error(f"General Elasticsearch error: {e}")

    def pull_tpot_data(self, time_delta_minutes=5):
        """Extrage date TPOT din Elasticsearch pentru ultimele X minute."""
        all_results = []
        time_delta = f"now-{time_delta_minutes}m"
        logging.info(f'Pulling TPOT data from {self.indexname} since {time_delta}')

        query = {
            "query": {
                "bool": {
                    "must": [
                        {
                            "range": {
                                "@timestamp": {
                                    "gte": time_delta,
                                    "lte": "now",
                                    "format": "strict_date_optional_time"
                                }
                            }
                        }
                    ],
                    "must_not": [
                        {
                            "terms": {
                                "type": self.ignore_list
                            }
                        }
                    ]
                }
            }
        }

        try:
            # Inițializează scroll-ul
            response = self.es.search(
                index=self.indexname,
                body=query,
                scroll=self.scroll_time,
                size=self.batch_size
            )
            scroll_id = response['_scroll_id']
            hits = response['hits']['hits']

            # Loop prin toate rezultatele
            while hits:
                all_results.extend(hits)
                response = self.es.scroll(scroll_id=scroll_id, scroll=self.scroll_time)
                scroll_id = response['_scroll_id']
                hits = response['hits']['hits']

            # Curăță scroll-ul
            self.es.clear_scroll(scroll_id=scroll_id)
            logging.info(f"Successfully pulled {len(all_results)} records from {self.indexname}")

        except exceptions.NotFoundError as e:
            logging.error(f"Index not found: {e}")
        except exceptions.ConnectionTimeout as e:
            logging.error(f"Connection timeout during query: {e}")
        except exceptions.ElasticsearchException as e:
            logging.error(f"Error during Elasticsearch query: {e}", exc_info=True)
        except KeyError as e:
            logging.error(f"KeyError: {e} - possibly missing expected fields in the response", exc_info=True)
        except Exception as e:
            logging.error(f"Unexpected error: {e}", exc_info=True)

        self.all_results = all_results.copy()
        return all_results

if __name__ == "__main__":
    # Specifică adresa Elasticsearch și indexul TPOT
    es_host = 'http://localhost:9200'  # Schimbă cu IP-ul Elasticsearch dacă rulează remote
    index_name = 'tpot'
    
    # Inițializează clasa și rulează extragerea datelor
    tpot_puller = PullTPOTData(es_host, index_name)
    data = tpot_puller.pull_tpot_data(time_delta_minutes=5)

    # Afișează rezultatele
    print(f"Total records pulled: {len(data)}")
    print(data[:5])  # Afișează primele 5 înregistrări

dmille6 · 2025-03-12T22:02:50Z

dmille6
Mar 12, 2025

I'm sorry I can't debug your code for you. I gave you a snippet of my code that performs a query and returns the results as an example.. as a place to start. ChatGPT is really good and an amazing resource.

I'll ask a few questions in hopes of helping:

did the query I provided return the results from ES? can you:

print (f' Data: {extracted_data}')

if that works, my code works.. and the error is not in the query method?

4 replies

crazypeter10 Mar 20, 2025
Author

Well the extracted data only gives
Test

When i go into the app i see data in kibana dashboard. Maybe i need to configure something more ?

dmille6 Mar 24, 2025

you're trying to connect to http://:9200

with TSEC Tpot, its port forwarded through docker.. it should probably be something like 64298 or something like that.

crazypeter10 Apr 7, 2025
Author

yea woow thats the port
2025-04-07 17:30:26,461 - INFO - POST http://localhost:64298/_search/scroll [status:200 request:0.018s]
2025-04-07 17:30:26,490 - INFO - DELETE http://localhost:64298/_search/scroll [status:200 request:0.028s]
2025-04-07 17:30:26,490 - INFO - Successfully pulled 10688 records from logstash-*
2025-04-07 17:30:26,967 - INFO - Successfully pushed event to MISP: unknown

dmille6 Apr 8, 2025

good, thats progress.. keep going with it.. let me know how it turns out.. and how well it works.
checkout opencti, its another open source tool for organizing threat and security information.

crazypeter10 · 2025-04-19T12:14:08Z

crazypeter10
Apr 19, 2025
Author

Cool so i managed to get it to work this is a basic example on how to send data from tpot to misp server
`
#!/usr/bin/env python3
from future import annotations
from datetime import datetime, timezone
from typing import List, Dict, Any
import argparse, logging, os, sys, urllib3

from elasticsearch import Elasticsearch, helpers
from pymisp import PyMISP, MISPEvent

─────────────── PARSE CLI ───────────────

def args() -> argparse.Namespace:
p = argparse.ArgumentParser(description="Send T‑Pot data to MISP")
p.add_argument("--es", default="http://localhost:64298",
help="Elasticsearch URL (default http://localhost:64298)")
p.add_argument("--es-user", help="Elasticsearch basic‑auth user")
p.add_argument("--es-pass", help="Elasticsearch basic‑auth password")
p.add_argument("--misp", required=True, help="MISP URL")
p.add_argument("--key", required=True, help="MISP API key")
p.add_argument("--window", type=int, default=15, help="Minutes back (default 15)")
p.add_argument("--index", default="logstash-*", help="ES index pattern")
p.add_argument("--size", type=int, default=1000, help="Scroll page size")
p.add_argument("--verify-certs", choices=["true", "false"], default="false")
p.add_argument("--log", default="tpot_to_misp.log", help="Log file")
return p.parse_args()

A = args()
VERIFY = A.verify_certs.lower() == "true"
if not VERIFY:
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

─────────────── LOGGING ───────────────

logging.basicConfig(level=logging.INFO,
format="%(asctime)s [%(levelname)s] %(message)s",
handlers=[logging.FileHandler(A.log), logging.StreamHandler(sys.stdout)])

es_kw = dict(hosts=[A.es], verify_certs=VERIFY, timeout=30,
max_retries=3, retry_on_timeout=True)
if A.es_user and A.es_pass:
es_kw["http_auth"] = (A.es_user, A.es_pass)
es = Elasticsearch(**es_kw)

misp = PyMISP(A.misp, A.key, ssl=VERIFY, timeout=30)

def pull_docs() -> List[Dict[str, Any]]:
q = {
"query": {"range": {"@timestamp": {
"gte": f"now-{A.window}m", "lt": "now"}}},
"sort": ["_doc"]
}
return list(helpers.scan(es, index=A.index, query=q, size=A.size,
scroll="2m", preserve_order=False))

def push_misp(hits: List[Dict[str, Any]]) -> None:
if not hits:
logging.info("No docs → nothing to push.")
return

ips_src, ips_dst, ports, protos = set(), set(), set(), set()
for h in hits:
    s = h.get("_source", {})
    if (v := s.get("src_ip")):    ips_src.add(v)
    if (v := s.get("dest_ip")):   ips_dst.add(v)
    if (v := s.get("src_port")):  ports.add(str(v))
    if (v := s.get("dest_port")): ports.add(str(v))
    if (v := s.get("protocol")):  protos.add(v)

evt = MISPEvent()
evt.info = "TPot logs " + datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
evt.date = datetime.now(timezone.utc).strftime("%Y-%m-%d")

evt.distribution = 0
evt.threat_level_id = 2
evt.analysis = 0

cat = "Network activity"
for ip in ips_src: evt.add_attribute("ip-src", ip, category=cat)
for ip in ips_dst: evt.add_attribute("ip-dst", ip, category=cat)
for p in ports:    evt.add_attribute("port", p, category=cat, to_ids=False)
for pr in protos:  evt.add_attribute("text", pr, comment="protocol", to_ids=False)

logging.debug("Outgoing JSON → %s", evt.to_json())

created = misp.add_event(evt, pythonify=True)
logging.info("Created MISP event %s with %d attrs",
             created.id, len(created.attributes))
print(f"✅  Event {created.id} OK ({len(created.attributes)} attributes)")

─────────────── MAIN ───────────────

if name == "main":
logging.info("ES @ %s", A.es)
logging.info("MISP @ %s", A.misp)
docs = pull_docs()
logging.info("Pulled %d docs", len(docs))
push_misp(docs)
`

python3 tpot_to_misp.py \ --es http://localhost:64298 \ --misp https:/<ip_misp> \ --key <your_api_key_from_misp> \ --window 15 --verify-certs false

0 replies

Wanted to send logs to MISP #1763

Uh oh!

crazypeter10 Mar 9, 2025

Replies: 3 comments · 7 replies

Uh oh!

dmille6 Mar 11, 2025

Uh oh!

dmille6 Mar 11, 2025

Uh oh!

crazypeter10 Mar 11, 2025 Author

Configure logging

======= Main Execution =======

Uh oh!

crazypeter10 Mar 16, 2025 Author

Uh oh!

dmille6 Mar 12, 2025

Uh oh!

crazypeter10 Mar 20, 2025 Author

Uh oh!

dmille6 Mar 24, 2025

Uh oh!

crazypeter10 Apr 7, 2025 Author

Uh oh!

dmille6 Apr 8, 2025

Uh oh!

crazypeter10 Apr 19, 2025 Author

─────────────── PARSE CLI ───────────────

─────────────── LOGGING ───────────────

─────────────── MAIN ───────────────

crazypeter10
Mar 9, 2025

Replies: 3 comments 7 replies

dmille6
Mar 11, 2025

crazypeter10 Mar 11, 2025
Author

crazypeter10 Mar 16, 2025
Author

dmille6
Mar 12, 2025

crazypeter10 Mar 20, 2025
Author

crazypeter10 Apr 7, 2025
Author

crazypeter10
Apr 19, 2025
Author