diff --git a/TRANSFORM_HUB_DISCLAIMER.md b/TRANSFORM_HUB_DISCLAIMER.md
new file mode 100644
index 0000000..e8fdbce
--- /dev/null
+++ b/TRANSFORM_HUB_DISCLAIMER.md
@@ -0,0 +1,19 @@
+# MISP Maltego Remote Transform Disclaimer
+When using the MISP Maltego transforms using the Transform Hub (not the locally installed version) you need to know you are are sending data, including your MISP URL and API key to 3rd parties.
+
+The public Transform Distribution Server (TDS) is located on the Internet and is free for all to use. It’s a convenient way to immediately start writing remote transforms. Since this server is located on Paterva’s infrastructure data (entity, and settings) will be flowing from the Maltego GUI to this server. Paterva states they DO NOT store the details of your transforms (entities, MISP URL, API KEY).
+
+Finally it will flow further to a server managed by the MISP-maltego developer(s), where the transform code runs. We also DO NOT store or look at the details of your transforms (entities, MISP URL, API KEY). As you can see in the code (open source), this data is only used live in memory to provide the transform functionality. The only reasons why we would be seeing this data is by accident; while troubleshooting or by unintentional mis-configuration.
+
+We do keep standard HTTP logs for troubleshooting and anonymous statistics, although these contain the IP addresses of Paterva's TDS server, and not yours.
+
+**DO NOT use these Transform Hub transforms if you do not agree or if this is in violation with your MISP community.**
+
+If so, feel free to use the MISP-Maltego transform locally, where all the code runs on your own system. Installation instructions can be found [here]([https://github.com/MISP/MISP-maltego/blob/master/doc/README.md#installation](https://github.com/MISP/MISP-maltego/blob/master/doc/README.md#installation)).
+ + +## More info +For more information please read Paterva's and Canari's documentation: +* [http://www.canariproject.com/en/latest/canari.quickstart.html#making-transforms-remote](http://www.canariproject.com/en/latest/canari.quickstart.html#making-transforms-remote) +* [https://docs.maltego.com/support/solutions/articles/15000020198-what-is-itds-](https://docs.maltego.com/support/solutions/articles/15000020198-what-is-itds-) +* [https://www.paterva.com/buy/maltego-servers.php](https://www.paterva.com/buy/maltego-servers.php) \ No newline at end of file diff --git a/src/MISP_maltego/transforms/attributetoevent.py b/src/MISP_maltego/transforms/attributetoevent.py index 3f4b127..daba654 100644 --- a/src/MISP_maltego/transforms/attributetoevent.py +++ b/src/MISP_maltego/transforms/attributetoevent.py @@ -18,8 +18,9 @@ __status__ = 'Development' # @EnableDebugWindow class AttributeInMISP(Transform): """Green bookmark if known in MISP""" - display_name = 'in MISP?' input_type = Unknown + display_name = 'in MISP?' + remote = True def do_transform(self, request, response, config): response += check_update(config) @@ -31,7 +32,7 @@ class AttributeInMISP(Transform): except Exception: pass - misp = get_misp_connection(config) + misp = get_misp_connection(config, request.parameters) events_json = misp.search(controller='events', value=maltego_misp_attribute.value, with_attachments=False) # we need to do really rebuild the Entity from scratch as request.entity is of type Unknown for e in events_json: 
@@ -48,10 +49,11 @@ class AttributeInMISP(Transform): # class NetblockToAttributes(Transform): # display_name = 'to MISP Attributes' # input_type = Netblock +# remote = True # def do_transform(self, request, response, config): # maltego_misp_attribute = request.entity -# misp = get_misp_connection(config) +# misp = get_misp_connection(config, request.parameters) # import ipaddress # ip_start, ip_end = maltego_misp_attribute.value.split('-') # # FIXME make this work with IPv4 and IPv6 @@ -66,8 +68,9 @@ class AttributeInMISP(Transform): # @EnableDebugWindow class AttributeToEvent(Transform): - display_name = 'to MISP Event' input_type = Unknown + display_name = 'to MISP Event' + remote = True def do_transform(self, request, response, config): response += check_update(config) @@ -81,7 +84,7 @@ class AttributeToEvent(Transform): # placeholder for https://github.com/MISP/MISP-maltego/issues/11 pass - misp = get_misp_connection(config) + misp = get_misp_connection(config, request.parameters) # from Galaxy if 'properties.mispgalaxy' in request.entity.fields: tag_name = get_entity_property(request.entity, 'tag_name') diff --git a/src/MISP_maltego/transforms/common/util.py b/src/MISP_maltego/transforms/common/util.py index 6da31a1..be7738d 100644 --- a/src/MISP_maltego/transforms/common/util.py +++ b/src/MISP_maltego/transforms/common/util.py 
@@ -165,24 +165,36 @@ def check_update(config): return None -def get_misp_connection(config=None): +def get_misp_connection(config=None, parameters=None): global misp_connection if misp_connection: return misp_connection if not config: raise MaltegoException("ERROR: MISP connection not yet established, and config not provided as parameter.") - if config['MISP_maltego.local.misp_verify'] in ['True', 'true', 1, 'yes', 'Yes']: - misp_verify = True - else: - misp_verify = False - if config['MISP_maltego.local.misp_debug'] in ['True', 'true', 1, 'yes', 'Yes']: - misp_debug = True - else: - misp_debug = False + misp_verify = True + misp_debug = False + misp_url = None + misp_key = None try: - misp_connection = PyMISP(config['MISP_maltego.local.misp_url'], config['MISP_maltego.local.misp_key'], misp_verify, 'json', misp_debug) + if is_local_exec_mode(): + misp_url = config['MISP_maltego.local.misp_url'] + misp_key = config['MISP_maltego.local.misp_key'] + if config['MISP_maltego.local.misp_verify'] in ['False', 'false', 0, 'no', 'No']: + misp_verify = False + if config['MISP_maltego.local.misp_debug'] in ['True', 'true', 1, 'yes', 'Yes']: + misp_debug = True + if is_remote_exec_mode(): + try: + misp_url = parameters['mispurl'].value + misp_key = parameters['mispkey'].value + except AttributeError: + raise MaltegoException("ERROR: mispurl and mispkey need to be set to something valid") + misp_connection = PyMISP(misp_url, misp_key, misp_verify, 'json', misp_debug) except Exception: - raise MaltegoException("ERROR: Cannot connect to MISP server. Please verify your MISP_Maltego.conf settings") + if is_local_exec_mode(): + raise MaltegoException("ERROR: Cannot connect to MISP server. Please verify your MISP_Maltego.conf settings.") + if is_remote_exec_mode(): + raise MaltegoException("ERROR: Cannot connect to MISP server. Please verify your settings (MISP URL and API key), and ensure the MISP server is reachable from the internet.") return misp_connection 
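Review bot: The early return `if misp_connection: return misp_connection` at the top of get_misp_connection ignores the new `parameters` argument, so in remote mode the connection built from the first caller's `mispurl`/`mispkey` is stored in the module global and handed to every later request. If the transform server process is long-lived and serves several users (not visible here, but usual for a hosted transform server), one user's queries would run with another user's API key against that user's MISP instance. Cache only in local mode: guard with `if is_local_exec_mode() and misp_connection:` and have the remote branch `return PyMISP(misp_url, misp_key, misp_verify, 'json', misp_debug)` without assigning the global; every transform in this commit that now passes `request.parameters` is affected. Separately, the remote branch connects to a caller-supplied URL, so consider requiring https and rejecting loopback or private addresses before building the client.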
diff --git a/src/MISP_maltego/transforms/eventtoattributes.py b/src/MISP_maltego/transforms/eventtoattributes.py index 0826b9e..91f1f5d 100644 --- a/src/MISP_maltego/transforms/eventtoattributes.py +++ b/src/MISP_maltego/transforms/eventtoattributes.py @@ -37,7 +37,7 @@ class EventToTransform(Transform): self.config = config self.response += check_update(config) maltego_misp_event = request.entity - self.misp = get_misp_connection(config) + self.misp = get_misp_connection(config, request.parameters) event_id = maltego_misp_event.id search_result = self.misp.search(controller='events', eventid=event_id, with_attachments=False) if search_result: @@ -88,6 +88,7 @@ class EventToTransform(Transform): class EventToAll(EventToTransform): input_type = MISPEvent description = 'Expands an Event to Attributes, Objects, Tags, Galaxies' + remote = True def do_transform(self, request, response, config): if super().do_transform(request, response, config): @@ -103,6 +104,7 @@ class EventToAll(EventToTransform): class EventToAttributes(EventToTransform): input_type = MISPEvent description = 'Expands an Event to Attributes' + remote = True def do_transform(self, request, response, config): if super().do_transform(request, response, config): @@ -115,6 +117,7 @@ class EventToAttributes(EventToTransform): class EventToTags(EventToTransform): input_type = MISPEvent description = 'Expands an Event to Tags and Galaxies' + remote = True def do_transform(self, request, response, config): if super().do_transform(request, response, config): @@ -128,6 +131,7 @@ class EventToTags(EventToTransform): class EventToGalaxies(EventToTransform): input_type = MISPEvent description = 'Expands an Event to Galaxies' + remote = True def do_transform(self, request, response, config): if super().do_transform(request, response, config): 
@@ -140,6 +144,7 @@ class EventToGalaxies(EventToTransform): class EventToObjects(EventToTransform): input_type = MISPEvent description = 'Expands an Event to Objects' + remote = True def do_transform(self, request, response, config): if super().do_transform(request, response, config): @@ -152,6 +157,7 @@ class EventToObjects(EventToTransform): class EventToRelations(EventToTransform): input_type = MISPEvent description = 'Expands an Event to related Events' + remote = True def do_transform(self, request, response, config): if super().do_transform(request, response, config): @@ -165,11 +171,12 @@ class ObjectToAttributes(Transform): """"Expands an object to its attributes""" input_type = MISPObject description = 'Expands an Object to Attributes' + remote = True def do_transform(self, request, response, config): response += check_update(config) maltego_object = request.entity - misp = get_misp_connection(config) + misp = get_misp_connection(config, request.parameters) event_json = misp.get_event(maltego_object.event_id) for o in event_json['Event']['Object']: if o['uuid'] == maltego_object.uuid: @@ -188,11 +195,12 @@ class ObjectToRelations(Transform): """Expands an object to the relations of the object""" input_type = MISPObject description = 'Expands an Object to Relations' + remote = True def do_transform(self, request, response, config): response += check_update(config) maltego_object = request.entity - misp = get_misp_connection(config) + misp = get_misp_connection(config, request.parameters) event_json = misp.get_event(maltego_object.event_id) for o in event_json['Event']['Object']: if o['uuid'] == maltego_object.uuid: diff --git a/src/MISP_maltego/transforms/galaxytoevent.py b/src/MISP_maltego/transforms/galaxytoevent.py index eb51065..b2fc989 100644 --- a/src/MISP_maltego/transforms/galaxytoevent.py +++ b/src/MISP_maltego/transforms/galaxytoevent.py 
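Review bot: In ObjectToAttributes and ObjectToRelations, `event_json['Event']['Object']` is indexed directly on the result of `misp.get_event(...)`, with no check that the lookup succeeded. Now that these transforms run with a caller-supplied URL and key, a failed lookup (unknown event id, or a key without access) presumably returns a dict without `Event`, and the transform would end in a bare KeyError instead of a readable error. A tolerant loop header such as `for o in event_json.get('Event', {}).get('Object', []):` would avoid that. Both do_transform bodies continue outside the hunks.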
@@ -22,11 +22,12 @@ class GalaxyToEvents(Transform): # The transform input entity type. input_type = MISPGalaxy + remote = True def do_transform(self, request, response, config): response += check_update(config) maltego_misp_galaxy = request.entity - misp = get_misp_connection(config) + misp = get_misp_connection(config, request.parameters) if maltego_misp_galaxy.tag_name: tag_name = maltego_misp_galaxy.tag_name else: