need to upload the pyFireEyeAlert file.

Im getting a weird reset from the server when doing a test or accessing the port. Its establishing a connection (See tcpdump below) but its resting the connection after the post. I'm guessing its something with the http server. Thanks for the help, really want to get this working.

strace
poll([{fd=3, events=POLLIN}], 1, 500) = 1 ([{fd=3, revents=POLLIN}])
accept4(3, {sa_family=AF_INET, sin_port=htons(48042), sin_addr=inet_addr("172.31.74.93")}, [16], SOCK_CLOEXEC) = 4
getsockopt(4, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
ioctl(4, FIONBIO, [0]) = 0
getpeername(4, {sa_family=AF_INET, sin_port=htons(48042), sin_addr=inet_addr("172.31.74.93")}, [16]) = 0
read(4, "POST / HTTP", 11) = 11
ioctl(4, FIONBIO, [0]) = 0
close(4) = 0
clock_gettime(CLOCK_MONOTONIC, {6477550, 132108430}) = 0

Requirement already satisfied (use --upgrade to upgrade): simplejson>=3.6.5 in /usr/local/lib/python3.5/dist-packages (from -r requirements.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): pymisp>=2.4.62 in /usr/local/lib/python3.5/dist-packages (from -r requirements.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): httplib2>=0.8 in /usr/local/lib/python3.5/dist-packages (from -r requirements.txt (line 3))
Requirement already satisfied (use --upgrade to upgrade): configparser in /usr/local/lib/python3.5/dist-packages (from -r requirements.txt (line 4))
Requirement already satisfied (use --upgrade to upgrade): urllib3 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 5))
Requirement already satisfied (use --upgrade to upgrade): six in /usr/lib/python3/dist-packages (from pymisp>=2.4.62->-r requirements.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): requests in /usr/lib/python3/dist-packages (from pymisp>=2.4.62->-r requirements.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): python-dateutil in /usr/local/lib/python3.5/dist-packages (from pymisp>=2.4.62->-r requirements.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): jsonschema in /usr/local/lib/python3.5/dist-packages (from pymisp>=2.4.62->-r requirements.txt (line 2))

tcpdump -Anni lo port 8080
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
17:29:31.716449 IP 172.31.74.93.47976 > 172.31.74.93.8080: Flags [S], seq 657993979, win 43690, options [mss 65495,sackOK,TS val 1618276462 ecr 0,nop,wscale 7], length 0
E..<..@[email protected]]..J].h..'80..........'.........
t.n........ 17:29:31.716461 IP 172.31.74.93.8080 > 172.31.74.93.47976: Flags [S.], seq 1921625788, ack 657993980, win 43690, options [mss 65495,sackOK,TS val 1618276462 ecr 1618276462,nop,wscale 7], length 0 E..<..@[email protected]]..J]...hr...'80......'......... t.nt.n.... 17:29:31.716469 IP 172.31.74.93.47976 > 172.31.74.93.8080: Flags [.], ack 1, win 342, options [nop,nop,TS val 1618276462 ecr 1618276462], length 0 E..4..@[email protected]]..J].h..'80.r......V....... t.nt.n 17:29:31.716672 IP 172.31.74.93.47976 > 172.31.74.93.8080: Flags [P.], seq 1:203, ack 1, win 342, options [nop,nop,TS val 1618276463 ecr 1618276462], length 202: HTTP: POST / HTTP/1.1 E.....@[email protected]]..J].h..'80.r......V....... t.o`t.nPOST / HTTP/1.1
Host: 172.31.74.93:8080
Accept: /
User-Agent: python-requests/2.9.1
Accept-Encoding: gzip, deflate
content-type: application/json
Content-Length: 1595
Connection: keep-alive

17:29:31.716682 IP 172.31.74.93.8080 > 172.31.74.93.47976: Flags [.], ack 203, win 350, options [nop,nop,TS val 1618276463 ecr 1618276463], length 0
E..4^.@[email protected]]..J]...hr...'81....^.......
t.ot.o
17:29:31.716715 IP 172.31.74.93.8080 > 172.31.74.93.47976: Flags [R.], seq 1, ack 203, win 350, options [nop,nop,TS val 1618276463 ecr 1618276463], length 0
E..4^.@[email protected]]..J]...hr...'81....^.......
t.ot.o

python3 fmtest.py -f alert-details.json -u 172.31.74.93 -p 8080
"{"msg": "extended", "product": "Web MPS", "version": "7.7.0.123456", "appliance": "fireeye.foo.bar", "appliance-id": "00:11:11:11:11:11","alert": [{ "src": { "ip": "10.1.2.3", "host": "internalclient.intra.net", "vlan": "0", "mac": "00:24:aa:aa:aa:aa" }, "severity": "minr", "alert-url": "https://fireeye.foo.bar/event_stream/events_for_bot?ma_id=12345678", "explanation": { "malware-detected": { "malware": { "profile": "win7x64-sp1", "http-header": "POST http://malicious.com", "name": "Misc.Eicar-Test-File", "md5sum": "44d88612fea8a8f36de82e1278abb02f", "executed-at": "2016-01-19T08:30:21Z", "application": "Windows Explorer", "type": "exe", "original": "driver.exe", "stype": "24" } }, "protocol": "", "analysis": "binary", "cnc-services": { "cnc-service": [ { "protocol": "tcp", "port": "4143", "channel": "\\\\026\\\\003\\\\001", "address": "198.50.234.211" }, { "protocol": "tcp", "port": "9943", "channel": "\\\\026\\\\003\\\\001", "address": "80.96.150.201" }, { "protocol": "tcp", "port": "4493", "channel": "\\\\026\\\\003\\\\001", "address": "1.179.170.7" } ] }, "anomaly": "98816" }, "occurred": "2016-01-19 08:30:21+00", "id": "12345678", "action": "notified", "interface": { "mode": "tap" }, "dst": { "ip": "10.1.2.4", "mac": "00:24:bb:bb:bb:bb" }, "name": "malware-object"}]}"
COMMUNICATION ERROR : ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))

Would like to get ideas / input about use cases for it if encryption is an issue, not a big deal I guess to put it behind an apache as an reverse proxy.

Hey there. Just did a git pull and am trying to run the script. Getting this error and can't find a corresponding module to go with it.

Traceback (most recent call last):
  File "firemisp.py", line 22, in <module>
    from ldap_query import search_host_and_fqdn, search_userprinciplename, search_for_mail
ImportError: No module named ldap_query

Any help would be appreciated.

Thanks!

i have problem in integration misp and fire-eye
i install fire-misp from this link :
https://github.com/deralexxx/FireMISP
i set the config.cfg and the fire-eye notifications .
when i run the script firemisp.py i get the error :
jsonschema.exceptions.validationerror: 'Event is a required property
failed validating 'required' in schema
attach screen shot .


ubuntu 16.04

TO make the import and mapping more accurate and complete, we rely on the community to provide sample files that can be used to test the scripts.