MISP - Zeek export
An export of all attributes of a specific Bro/Zeek type to a formatted plain text file. By default only published and IDS-flagged attributes are exported.
You can configure your tools to automatically download a file for one of the Bro types:
https://misp/attributes/bro/download/all
https://misp/attributes/bro/download/ip
https://misp/attributes/bro/download/url
https://misp/attributes/bro/download/domain
https://misp/attributes/bro/download/ja3-fingerprint-md5
https://misp/attributes/bro/download/email
https://misp/attributes/bro/download/filename
https://misp/attributes/bro/download/filehash
https://misp/attributes/bro/download/certhash
https://misp/attributes/bro/download/software
To restrict the results by tags, use the usual syntax. Please be aware that colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead). To get ip values from events tagged tag1 but not tag2, use:
https://misp/attributes/bro/download/ip/tag1&&!tag2
Alternatively, it is also possible to pass the filters via the parameters in the URL. The format is as described below:
https://misp/attributes/bro/download/[type]/[tags]/[event_id]/[from]/[to]/[last]
type: The Zeek type; any valid Bro type is accepted. See below for a mapping between Zeek and MISP types.
tags: To include a tag in the results just write its name into this parameter. To exclude a tag prepend it with a '!'. You can also chain several tag commands together with the '&&' operator. Please be aware that colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead).
event_id: Restrict the results to the given event IDs.
allowNonIDS: Allow attributes to be exported that are not marked as "to_ids".
from: Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.
to: Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.
last: Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). This filter will use the published timestamp of the event.
enforceWarninglist: All attributes that have a hit on a warninglist will be excluded.
Zeek Type: MISP Type
all: All types listed below.
ip: ip-src, ip-dst, ip-src|port, ip-dst|port, domain|ip
url: url
domain: hostname, domain, domain|ip
ja3-fingerprint-md5: ja3-fingerprint-md5
email: email, email-src, email-dst, target-email
filename: filename, email-attachment, attachment, filename|md5, filename|sha1, filename|sha256, malware-sample, pdb
filehash: md5, sha1, sha256, authentihash, ssdeep, imphash, pehash, impfuzzy, sha224, sha384, sha512, sha512/224, sha512/256, tlsh, filename|md5, filename|sha1, filename|sha256, filename|authentihash, filename|ssdeep, filename|imphash, filename|pehash, filename|impfuzzy, filename|sha224, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|tlsh, malware-sample
certhash: x509-fingerprint-sha1
software: user-agent

The keywords false or null should be used for optional empty parameters in the URL.
For example, to retrieve all attributes for event #5, including attributes not marked for IDS, use the following line:
https://misp/attributes/text/download/all/null/5/true
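As an added example (not code from the MISP project), the helper below assembles a Zeek export URL from the positional scheme [type]/[tags]/[event_id]/[from]/[to]/[last] described above, applying the tag rules (chaining with '&&', exclusion with '!', semicolons in place of colons) and the 'null' keyword for empty parameters; it also validates the Zeek type, the date format and the 'last' syntax before anything is requested. The base URL "https://misp", the download helper and its use of the MISP automation key in the Authorization header are assumptions, not taken from this page.

```python
import re
from datetime import date
from urllib.parse import quote
from urllib.request import Request, urlopen

BASE_URL = "https://misp"  # placeholder host, as used in the URLs on this page

# Zeek export types listed in the mapping table on this page.
ZEEK_TYPES = {"all", "ip", "url", "domain", "ja3-fingerprint-md5", "email",
              "filename", "filehash", "certhash", "software"}
LAST_RE = re.compile(r"^\d+[dhm]$")  # e.g. 5d, 12h, 30m


def _tag_expression(include, exclude):
    """Join tag names with '&&', prefix exclusions with '!', and swap ':' for ';'
    because colons cannot be used in the tag search (MISP maps ';' back to ':')."""
    def enc(name):
        return quote(name.replace(":", ";"), safe=";")
    terms = [enc(t) for t in include] + ["!" + enc(t) for t in exclude]
    return "&&".join(terms)


def build_bro_export_url(zeek_type, include_tags=(), exclude_tags=(), event_id=None,
                         date_from=None, date_to=None, last=None, base=BASE_URL):
    """Return the export URL; raises ValueError on malformed filter values."""
    if zeek_type not in ZEEK_TYPES:
        raise ValueError(f"unknown Zeek export type: {zeek_type!r}")
    for d in (date_from, date_to):
        if d is not None:
            date.fromisoformat(d)  # enforces the 2015-02-15 format
    if last is not None and not LAST_RE.match(last):
        raise ValueError(f"'last' must look like 5d, 12h or 30m, got {last!r}")
    fields = [
        _tag_expression(include_tags, exclude_tags),
        str(event_id) if event_id is not None else "",
        date_from or "", date_to or "", last or "",
    ]
    # Empty optional parameters become the keyword 'null'; trailing empties are dropped.
    while fields and fields[-1] == "":
        fields.pop()
    path = "/".join([zeek_type] + [f or "null" for f in fields])
    return f"{base}/attributes/bro/download/{path}"


def download_bro_export(url, api_key, timeout=30):
    """Fetch the plain-text export (assumed: the automation key goes in Authorization)."""
    req = Request(url, headers={"Authorization": api_key})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")
```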