new: [remote] Support for MISP specific transforms in remote mode

pull/40/head
Christophe Vandeplas 2019-12-27 09:54:20 +01:00
parent 448609326f
commit f449751acf
5 changed files with 63 additions and 20 deletions


@ -0,0 +1,19 @@
# MISP Maltego Remote Transform Disclaimer
When using the MISP Maltego transforms using the Transform Hub (not the locally installed version) you need to know you are are sending data, including your MISP URL and API key to 3rd parties.
The public Transform Distribution Server (TDS) is located on the Internet and is free for all to use. Its a convenient way to immediately start writing remote transforms. Since this server is located on Patervas infrastructure data (entity, and settings) will be flowing from the Maltego GUI to this server. Paterva states they DO NOT store the details of your transforms (entities, MISP URL, API KEY).
Finally it will flow further to a server managed by the MISP-maltego developer(s), where the transform code runs. We also DO NOT store or look at the details of your transforms (entities, MISP URL, API KEY). As you can see in the code (open source), this data is only used live in memory to provide the transform functionality. The only reasons why we would be seeing this data is by accident; while troubleshooting or by unintentional mis-configuration.
We do keep standard HTTP logs for troubleshooting and anonymous statistics, although these contain the IP addresses of Paterva's TDS server, and not yours.
**DO NOT use these Transform Hub transforms if you do not agree or if this is in violation with your MISP community.**
If so, feel free to use the MISP-Maltego transform locally, where all the code runs on your own system. Installation instructions can be found [here]([https://github.com/MISP/MISP-maltego/blob/master/doc/README.md#installation](https://github.com/MISP/MISP-maltego/blob/master/doc/README.md#installation)).
## More info
For more information please read Paterva's and Canari's documentation:
* [http://www.canariproject.com/en/latest/canari.quickstart.html#making-transforms-remote](http://www.canariproject.com/en/latest/canari.quickstart.html#making-transforms-remote)
* [https://docs.maltego.com/support/solutions/articles/15000020198-what-is-itds-](https://docs.maltego.com/support/solutions/articles/15000020198-what-is-itds-)
* [https://www.paterva.com/buy/maltego-servers.php](https://www.paterva.com/buy/maltego-servers.php)


@ -18,8 +18,9 @@ __status__ = 'Development'
# @EnableDebugWindow
class AttributeInMISP(Transform):
"""Green bookmark if known in MISP"""
display_name = 'in MISP?'
input_type = Unknown
display_name = 'in MISP?'
remote = True
def do_transform(self, request, response, config):
response += check_update(config)
@ -31,7 +32,7 @@ class AttributeInMISP(Transform):
except Exception:
pass
misp = get_misp_connection(config)
misp = get_misp_connection(config, request.parameters)
events_json = misp.search(controller='events', value=maltego_misp_attribute.value, with_attachments=False)
# we need to do really rebuild the Entity from scratch as request.entity is of type Unknown
for e in events_json:
@ -48,10 +49,11 @@ class AttributeInMISP(Transform):
# class NetblockToAttributes(Transform):
# display_name = 'to MISP Attributes'
# input_type = Netblock
# remote = True
# def do_transform(self, request, response, config):
# maltego_misp_attribute = request.entity
# misp = get_misp_connection(config)
# misp = get_misp_connection(config, request.parameters)
# import ipaddress
# ip_start, ip_end = maltego_misp_attribute.value.split('-')
# # FIXME make this work with IPv4 and IPv6
@ -66,8 +68,9 @@ class AttributeInMISP(Transform):
# @EnableDebugWindow
class AttributeToEvent(Transform):
display_name = 'to MISP Event'
input_type = Unknown
display_name = 'to MISP Event'
remote = True
def do_transform(self, request, response, config):
response += check_update(config)
@ -81,7 +84,7 @@ class AttributeToEvent(Transform):
# placeholder for https://github.com/MISP/MISP-maltego/issues/11
pass
misp = get_misp_connection(config)
misp = get_misp_connection(config, request.parameters)
# from Galaxy
if 'properties.mispgalaxy' in request.entity.fields:
tag_name = get_entity_property(request.entity, 'tag_name')
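Review bot: AttributeInMISP and AttributeToEvent are now published with `remote = True`, but neither class documents that in remote mode the MISP URL and API key are taken from `request.parameters` (the `mispurl`/`mispkey` transform settings) and pass through a third-party server on the way; the docstring on `class AttributeInMISP` should say so, e.g. `"""Green bookmark if known in MISP. In remote mode the MISP URL/API key come from the mispurl/mispkey transform settings (see the remote disclaimer)."""`, and AttributeToEvent, which has no docstring at all, should get the same. The `remote = True` / `request.parameters` edit is also applied inside the commented-out NetblockToAttributes block, so dead code is now being maintained; either restore that transform or delete the block. Both live transforms' bodies continue outside these hunks.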


@ -165,24 +165,36 @@ def check_update(config):
return None
def get_misp_connection(config=None):
def get_misp_connection(config=None, parameters=None):
global misp_connection
if misp_connection:
return misp_connection
if not config:
raise MaltegoException("ERROR: MISP connection not yet established, and config not provided as parameter.")
if config['MISP_maltego.local.misp_verify'] in ['True', 'true', 1, 'yes', 'Yes']:
misp_verify = True
else:
misp_verify = False
if config['MISP_maltego.local.misp_debug'] in ['True', 'true', 1, 'yes', 'Yes']:
misp_debug = True
else:
misp_debug = False
misp_verify = True
misp_debug = False
misp_url = None
misp_key = None
try:
misp_connection = PyMISP(config['MISP_maltego.local.misp_url'], config['MISP_maltego.local.misp_key'], misp_verify, 'json', misp_debug)
if is_local_exec_mode():
misp_url = config['MISP_maltego.local.misp_url']
misp_key = config['MISP_maltego.local.misp_key']
if config['MISP_maltego.local.misp_verify'] in ['False', 'false', 0, 'no', 'No']:
misp_verify = False
if config['MISP_maltego.local.misp_debug'] in ['True', 'true', 1, 'yes', 'Yes']:
misp_debug = True
if is_remote_exec_mode():
try:
misp_url = parameters['mispurl'].value
misp_key = parameters['mispkey'].value
except AttributeError:
raise MaltegoException("ERROR: mispurl and mispkey need to be set to something valid")
misp_connection = PyMISP(misp_url, misp_key, misp_verify, 'json', misp_debug)
except Exception:
raise MaltegoException("ERROR: Cannot connect to MISP server. Please verify your MISP_Maltego.conf settings")
if is_local_exec_mode():
raise MaltegoException("ERROR: Cannot connect to MISP server. Please verify your MISP_Maltego.conf settings.")
if is_remote_exec_mode():
raise MaltegoException("ERROR: Cannot connect to MISP server. Please verify your settings (MISP URL and API key), and ensure the MISP server is reachable from the internet.")
return misp_connection
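Review bot: The module-level cache at `if misp_connection: return misp_connection` is consulted before `parameters` is ever read, so on a long-lived remote worker the first caller's MISP URL and API key are reused for every later request regardless of the `mispurl`/`mispkey` that request carries — a cross-tenant leak on the shared server unless each request runs in a fresh process, which nothing here shows; in remote mode skip the cache, e.g. `if misp_connection and is_local_exec_mode(): return misp_connection`, or key it on (url, key). The `except AttributeError` around `parameters['mispurl'].value` also misses the likely failures: a missing setting on a mapping raises KeyError and `parameters` left at its `None` default raises TypeError, both of which then fall into the outer `except Exception` and are reported as "Cannot connect to MISP server"; use `except (KeyError, AttributeError, TypeError):` there. Finally, in remote mode this function opens a connection to an arbitrary caller-supplied URL from the developers' server, so that host should be egress-restricted from internal networks and the note belongs in a comment on the `is_remote_exec_mode()` branch.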


@ -37,7 +37,7 @@ class EventToTransform(Transform):
self.config = config
self.response += check_update(config)
maltego_misp_event = request.entity
self.misp = get_misp_connection(config)
self.misp = get_misp_connection(config, request.parameters)
event_id = maltego_misp_event.id
search_result = self.misp.search(controller='events', eventid=event_id, with_attachments=False)
if search_result:
@ -88,6 +88,7 @@ class EventToTransform(Transform):
class EventToAll(EventToTransform):
input_type = MISPEvent
description = 'Expands an Event to Attributes, Objects, Tags, Galaxies'
remote = True
def do_transform(self, request, response, config):
if super().do_transform(request, response, config):
@ -103,6 +104,7 @@ class EventToAll(EventToTransform):
class EventToAttributes(EventToTransform):
input_type = MISPEvent
description = 'Expands an Event to Attributes'
remote = True
def do_transform(self, request, response, config):
if super().do_transform(request, response, config):
@ -115,6 +117,7 @@ class EventToAttributes(EventToTransform):
class EventToTags(EventToTransform):
input_type = MISPEvent
description = 'Expands an Event to Tags and Galaxies'
remote = True
def do_transform(self, request, response, config):
if super().do_transform(request, response, config):
@ -128,6 +131,7 @@ class EventToTags(EventToTransform):
class EventToGalaxies(EventToTransform):
input_type = MISPEvent
description = 'Expands an Event to Galaxies'
remote = True
def do_transform(self, request, response, config):
if super().do_transform(request, response, config):
@ -140,6 +144,7 @@ class EventToGalaxies(EventToTransform):
class EventToObjects(EventToTransform):
input_type = MISPEvent
description = 'Expands an Event to Objects'
remote = True
def do_transform(self, request, response, config):
if super().do_transform(request, response, config):
@ -152,6 +157,7 @@ class EventToObjects(EventToTransform):
class EventToRelations(EventToTransform):
input_type = MISPEvent
description = 'Expands an Event to related Events'
remote = True
def do_transform(self, request, response, config):
if super().do_transform(request, response, config):
@ -165,11 +171,12 @@ class ObjectToAttributes(Transform):
""""Expands an object to its attributes"""
input_type = MISPObject
description = 'Expands an Object to Attributes'
remote = True
def do_transform(self, request, response, config):
response += check_update(config)
maltego_object = request.entity
misp = get_misp_connection(config)
misp = get_misp_connection(config, request.parameters)
event_json = misp.get_event(maltego_object.event_id)
for o in event_json['Event']['Object']:
if o['uuid'] == maltego_object.uuid:
@ -188,11 +195,12 @@ class ObjectToRelations(Transform):
"""Expands an object to the relations of the object"""
input_type = MISPObject
description = 'Expands an Object to Relations'
remote = True
def do_transform(self, request, response, config):
response += check_update(config)
maltego_object = request.entity
misp = get_misp_connection(config)
misp = get_misp_connection(config, request.parameters)
event_json = misp.get_event(maltego_object.event_id)
for o in event_json['Event']['Object']:
if o['uuid'] == maltego_object.uuid:


@ -22,11 +22,12 @@ class GalaxyToEvents(Transform):
# The transform input entity type.
input_type = MISPGalaxy
remote = True
def do_transform(self, request, response, config):
response += check_update(config)
maltego_misp_galaxy = request.entity
misp = get_misp_connection(config)
misp = get_misp_connection(config, request.parameters)
if maltego_misp_galaxy.tag_name:
tag_name = maltego_misp_galaxy.tag_name
else: