diff --git a/README.md b/README.md
index 02c0943..a1a2d1d 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
+ ![logo](https://raw.githubusercontent.com/MISP/MISP-maltego/master/doc/logo.png) This is a [Maltego](https://www.paterva.com/web7/) [MISP](https://www.misp-project.org) integration tool allowing you to view (read-only) data from a MISP instance.
@@ -17,11 +18,13 @@ The currently supported entities are: `AS`, `DNSName`, `Domain`, `EmailAddress`,
 For MITRE ATT&CK pivoting, feel free to start with an `Attack Technique`, `Software`, `Threat Actor`, or `MISPGalaxy`. Create your entity, enter a keyword such as `%gama%` and use the `Search in MISP` transform to get started.
 ## Installation
-### Remote Transform Installation
-This is coming soon. An entry will appear in the Transform Hub of Maltego, on which you can simply press the "install" button, and no local code needs to be installed. Your transforms will however go throught Paterva's servers and ours. See the [Transform Hub Disclaimer](https://github.com/MISP/MISP-maltego/blob/master/TRANSFORM_HUB_DISCLAIMER.md) for more information.
+### Transform Hub
+Open the Transform Hub, locate **ATT&CK - MISP** and press the **Install** button.
-**For MISP specific transforms this requires your MISP server to be reachable from the internet!
-ATT&CK transforms do not require a MISP server or API key to be configured.**
+Your transforms will go through Paterva's servers and ours. See the [Transform Hub Disclaimer](https://github.com/MISP/MISP-maltego/blob/master/TRANSFORM_HUB_DISCLAIMER.md) for more information.
+
+- ATT&CK transforms do not require a MISP server or API key to be configured.
+- MISP transforms requires your MISP server to be reachable from the internet! To enter your MISP server URL and key click **Details** on the Transform Hub item and then **Settings** at the bottom right.
 ### Local Transform Installation
 If you trust nobody, or just want to connect to your local MISP server you can install everything as local transforms.
diff --git a/ansible/nginx.conf b/ansible/nginx.conf
index 27d07c6..129fca4 100644
--- a/ansible/nginx.conf
+++ b/ansible/nginx.conf
@@ -21,6 +21,12 @@ server {
 root /var/www/html;
 server_name _;
+ location /munin {
+ alias /var/cache/munin/www/;
+ index index.html;
+ allow 127.0.0.1;
+ deny all;
+ }
 location / {
 proxy_set_header X-Real-IP $remote_addr;
diff --git a/ansible/plume.yaml b/ansible/plume.yaml
index aea4c72..52a5c04 100644
--- a/ansible/plume.yaml
+++ b/ansible/plume.yaml
@@ -168,6 +168,29 @@
 name: plume
 state: started
+ # MONITORING
+ #############
+ - name: install munin
+ package:
+ name: ['munin', 'munin-node', 'munin-plugins-extra']
+
+ - name: munin - enabling plugins
+ file:
+ state: link
+ src: '/usr/share/munin/plugins/{{item}}'
+ dest: '/etc/munin/plugins/{{item}}'
+ loop:
+ - nginx_request
+ - nginx_status
+ notify: restart munin-node
+
+ - name: munin - service active and running
+ service:
+ name: munin-node
+ state: started
+ enabled: yes
+
+
 # FIREWALLING
 #############
 - name: firewall logging
@@ -225,3 +248,8 @@
 service:
 name: nginx
 state: restarted
+
+ - name: restart munin-node
+ service:
+ name: munin-node
+ state: restarted
diff --git a/ansible/redeploy.yaml b/ansible/redeploy.yaml
new file mode 100644
index 0000000..5dc8132
--- /dev/null
+++ b/ansible/redeploy.yaml
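Review bot: `location /munin` paired with `alias /var/cache/munin/www/;` is the nginx off-by-slash alias traversal: the location prefix has no trailing slash, so a request for `/munin../` is rewritten to `/var/cache/munin/www/../` and serves files one level above the intended directory (anything under `/var/cache/munin/` the nginx worker can read). The `allow 127.0.0.1; deny all;` pair limits this to requests arriving from the IPv4 loopback (`::1` is denied if the server also listens on IPv6, which only the enclosing `server {` block outside the hunk would show), but the prefix should still be corrected to `location /munin/ {` so that prefix and alias both end in a slash. Note too that anything on this host that forwards traffic over loopback (an SSH tunnel is presumably the intended access path) will satisfy `allow 127.0.0.1` on the client's behalf.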
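Review bot: `munin-node` is installed and started, but its network exposure is left entirely to the packaged `/etc/munin/munin-node.conf` defaults (Debian ships `host *` with `allow` regexes limited to loopback; other distributions and versions differ), and the playbook never sets `host` or `allow` itself. Since the munin master is installed on the same host and its output is served from `/var/cache/munin/www` by nginx, the node only needs to answer on loopback, so I would add a task that pins `host 127.0.0.1` in `munin-node.conf` and notifies the new `restart munin-node` handler, independent of whatever the FIREWALLING section that follows (outside the hunk) does for TCP 4949. Separately, the symlinked `nginx_status` and `nginx_request` plugins scrape an nginx `stub_status` endpoint, and the nginx.conf change in this commit does not add one; unless the server block already has it outside the hunk, both plugins will fail at collection time.
```yaml
  # … unchanged: munin - enabling plugins …

  - name: munin-node - answer on loopback only
    lineinfile:
      path: /etc/munin/munin-node.conf
      regexp: '^host '
      line: 'host 127.0.0.1'
    notify: restart munin-node

  # … unchanged: munin - service active and running …
```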
@@ -0,0 +1,59 @@
+---
+# Install MISP-maltego remote transform using ansible.
+
+- hosts: all
+ become: yes
+ vars:
+ misp_maltego_version: 1.4.5 # TODO change this !!!
+ host_locale: en_US.UTF-8
+ host_locale_dict: {
+ LANG: "{{ host_locale }}",
+ LC_COLLATE: "{{ host_locale }}",
+ LC_CTYPE: "{{ host_locale }}",
+ LC_MESSAGES: "{{ host_locale }}",
+ LC_MONETARY: "{{ host_locale }}",
+ LC_NUMERIC: "{{ host_locale }}",
+ LC_TIME: "{{ host_locale }}",
+ LC_ALL: "{{ host_locale }}",
+ }
+
+ tasks:
+ # use the public pip package
+ - name: install MISP-maltego
+ pip:
+ executable: pip3
+ name: ['MISP-maltego']
+ state: latest
+ notify: restart plume
+
+ # use local git repo instead, useful for development
+ # - name: bundle MISP-maltego
+ # delegate_to: 127.0.0.1
+ # command:
+ # cmd: python3 setup.py sdist
+ # chdir: ../
+ # become: no
+ # - name: copy MISP-maltego
+ # copy:
+ # src: ../dist/MISP_maltego-{{misp_maltego_version}}.tar.gz
+ # dest: /usr/local/src/
+ # - name: install MISP-maltego
+ # pip:
+ # executable: /usr/bin/pip3
+ # name: file:///usr/local/src/MISP_maltego-{{misp_maltego_version}}.tar.gz
+ # state: forcereinstall
+ # environment: "{{host_locale_dict}}"
+ # notify: restart plume
+
+ # - name: remove local MISP-maltego bundle
+ # delegate_to: 127.0.0.1
+ # file:
+ # path: ../dist/MISP_maltego-{{misp_maltego_version}}.tar.gz
+ # state: absent
+ # become: no
+
+ handlers:
+ - name: restart plume
+ service:
+ name: plume
+ state: restarted
diff --git a/src/MISP_maltego/transforms/attributetoevent.py b/src/MISP_maltego/transforms/attributetoevent.py
index 9090c09..693b34b 100644
--- a/src/MISP_maltego/transforms/attributetoevent.py
+++ b/src/MISP_maltego/transforms/attributetoevent.py
@@ -123,7 +123,7 @@ class SearchInMISP(Transform):
 class AttributeToEvent(Transform):
 input_type = Unknown
- display_name = 'to MISP Events'
+ display_name = 'To MISP Events'
 remote = True
 def do_transform(self, request, response, config):
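Review bot: The only active task installs `MISP-maltego` with `state: latest` and no version, so every run pulls whatever PyPI currently publishes and installs it as root (`become: yes`) into the system interpreter via `pip3`; the `misp_maltego_version` variable, despite its `# TODO change this !!!`, is referenced only by the commented-out local-bundle path and has no effect on what is actually deployed. The README change in this same commit says users' MISP URLs and API keys pass through this remote transform server, so a deploy should be reproducible and not silently adopt a compromised or broken upstream release: pin it with `name: 'MISP-maltego'`, `version: '{{ misp_maltego_version }}'` and `state: present` in place of `state: latest`, which also gives the existing TODO a purpose. A requirements file installed with `--require-hashes` would be the stronger supply-chain control if the release artefact is known in advance. The file is new, so the whole play is visible in the hunk.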
diff --git a/src/MISP_maltego/transforms/eventtoattributes.py b/src/MISP_maltego/transforms/eventtoattributes.py
index b0b0012..42164af 100644
--- a/src/MISP_maltego/transforms/eventtoattributes.py
+++ b/src/MISP_maltego/transforms/eventtoattributes.py
@@ -85,6 +85,7 @@ class EventToTransform(Transform):
 class EventToAll(EventToTransform):
 input_type = MISPEvent
+ display_name = 'To All'
 description = 'Expands an Event to Attributes, Objects, Tags, Galaxies'
 remote = True
@@ -100,7 +101,7 @@ class EventToAll(EventToTransform):
 class EventToAttributes(EventToTransform):
 input_type = MISPEvent
- description = 'Expands an Event to Attributes'
+ display_name = 'To Attributes/Objects'
 remote = True
 def do_transform(self, request, response, config):
@@ -113,6 +114,7 @@ class EventToAttributes(EventToTransform):
 class EventToTags(EventToTransform):
 input_type = MISPEvent
+ display_name = 'To Tags'
 description = 'Expands an Event to Tags and Galaxies'
 remote = True
@@ -126,7 +128,7 @@ class EventToTags(EventToTransform):
 class EventToGalaxies(EventToTransform):
 input_type = MISPEvent
- description = 'Expands an Event to Galaxies'
+ display_name = 'To Galaxies / ATT&CK'
 remote = True
 def do_transform(self, request, response, config):
@@ -138,7 +140,7 @@ class EventToGalaxies(EventToTransform):
 class EventToObjects(EventToTransform):
 input_type = MISPEvent
- description = 'Expands an Event to Objects'
+ display_name = 'To Objects'
 remote = True
 def do_transform(self, request, response, config):
@@ -150,7 +152,7 @@ class EventToObjects(EventToTransform):
 class EventToRelations(EventToTransform):
 input_type = MISPEvent
- description = 'Expands an Event to related Events'
+ display_name = 'To Related Events'
 remote = True
 def do_transform(self, request, response, config):
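Review bot: In the EventToAttributes, EventToGalaxies, EventToObjects and EventToRelations hunks the `description` attribute is removed and replaced by `display_name`, whereas EventToAll and EventToTags in the same file keep `description` and add `display_name` alongside it. `display_name` is a menu label, not help text, so if `description` is what Maltego surfaces for the transform (the two retained ones suggest it is), four transforms have now lost their only documentation; I would keep both, e.g. `display_name = 'To Attributes/Objects'` followed by `description = 'Expands an Event to Attributes and Objects'` for EventToAttributes, and restore the other three removed `description` lines unchanged. Each `do_transform` body continues outside its hunk.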
@@ -161,9 +163,8 @@ class EventToRelations(EventToTransform):
 class ObjectToAttributes(Transform):
- """"Expands an object to its attributes"""
 input_type = MISPObject
- description = 'Expands an Object to Attributes'
+ display_name = 'To Attributes'
 remote = True
 def do_transform(self, request, response, config):
@@ -184,9 +185,8 @@ class ObjectToAttributes(Transform):
 class ObjectToRelations(Transform):
- """Expands an object to the relations of the object"""
 input_type = MISPObject
- description = 'Expands an Object to Relations'
+ display_name = 'To Related Objects'
 remote = True
 def do_transform(self, request, response, config):
diff --git a/src/MISP_maltego/transforms/galaxytoevent.py b/src/MISP_maltego/transforms/galaxytoevent.py
index 785bad4..ee1461c 100644
--- a/src/MISP_maltego/transforms/galaxytoevent.py
+++ b/src/MISP_maltego/transforms/galaxytoevent.py
@@ -15,26 +15,6 @@ __email__ = 'christophe@vandeplas.com'
 __status__ = 'Development'
-class GalaxyToEvents(Transform):
- """Expands a Galaxy to multiple MISP Events."""
- # The transform input entity type.
- input_type = MISPGalaxy
- remote = True
- def do_transform(self, request, response, config):
- response += check_update(config)
- conn = MISPConnection(config, request.parameters)
- if request.entity.tag_name:
- tag_name = request.entity.tag_name
- else:
- tag_name = request.entity.value
- events_json = conn.misp.search(controller='events', tags=tag_name, with_attachments=False)
- for e in events_json:
- response += MISPEvent(e['Event']['id'], uuid=e['Event']['uuid'], info=e['Event']['info'], link_direction=LinkDirection.OutputToInput)
- return response
-
-
 class GalaxyToTransform(Transform):
 input_type = None
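Review bot: ObjectToAttributes and ObjectToRelations each lose both their class docstring and their `description` attribute, leaving the `display_name` menu label as the only text on the class. The removed ObjectToAttributes docstring had a stray fourth quote (`""""Expands…`), so fixing it to `"""Expands an object to its attributes."""` would have been better than deleting it; likewise I would retain `description = 'Expands an Object to Attributes'` and `description = 'Expands an Object to Relations'` next to the new `display_name` lines, as EventToAll and EventToTags in eventtoattributes.py do in this same commit. Each `do_transform` body continues outside its hunk.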
@@ -106,8 +86,8 @@ class GalaxyToTransform(Transform):
 class GalaxyToRelations(GalaxyToTransform):
- """Expands a Galaxy to related Galaxies and Clusters"""
 input_type = MISPGalaxy
+ display_name = 'To Related Galaxies'
 remote = True
 def do_transform(self, request, response, config, type_filter=MISPGalaxy):
@@ -115,8 +95,8 @@ class GalaxyToRelations(GalaxyToTransform):
 class GalaxyToSoftware(GalaxyToTransform):
- """Expands a Galaxy to related Software/Tool Galaxies"""
 input_type = MISPGalaxy
+ display_name = 'To Malware/Software/Tools'
 remote = True
 def do_transform(self, request, response, config, type_filter=Software):
@@ -124,8 +104,8 @@ class GalaxyToSoftware(GalaxyToTransform):
 class GalaxyToThreatActor(GalaxyToTransform):
- """Expands a Galaxy to related ThreatActor Galaxies"""
 input_type = MISPGalaxy
+ display_name = 'To Threat Actors'
 remote = True
 def do_transform(self, request, response, config, type_filter=ThreatActor):
@@ -133,8 +113,8 @@ class GalaxyToThreatActor(GalaxyToTransform):
 class GalaxyToAttackTechnique(GalaxyToTransform):
- """Expands a Galaxy to related Attack Techniques Galaxies"""
 input_type = MISPGalaxy
+ display_name = 'To Attack Techniques'
 remote = True
 def do_transform(self, request, response, config, type_filter=AttackTechnique):
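Review bot: Each of the four Galaxy* hunks deletes the class docstring and adds `display_name`, but a menu label is not documentation, and unlike the Event* transforms these classes have no `description` attribute to fall back on, so the removed sentences were the only statement of what each transform expands to. I would keep that text in the form the rest of the package already uses, e.g. `description = 'Expands a Galaxy to related Galaxies and Clusters'` under `display_name = 'To Related Galaxies'` for GalaxyToRelations, and the corresponding removed sentence for the Software, ThreatActor and AttackTechnique variants. Each `do_transform` body continues outside its hunk.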