From ec9e6b8d486d2bffd7c6c7cea2b657b021f1e3df Mon Sep 17 00:00:00 2001
From: "Juan C. Montes" <33036804+juancmontes@users.noreply.github.com>
Date: Fri, 23 Feb 2018 09:48:20 +0100
Subject: [PATCH 1/3] Use Modules Controller Documentation to use the new feature to can call misp-modules from API.
---
 automation/README.md | 116 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 116 insertions(+)
diff --git a/automation/README.md b/automation/README.md
index 170b901..2a0813c 100644
--- a/automation/README.md
+++ b/automation/README.md
@@ -1978,6 +1978,122 @@ An example output of https:///users/statistics.json:
 }
 ~~~~
+# MISP modules
+## Description
+It is possible call misp-modules directly from API.
+If the module needs credentials, API will get the information directly from MISP configuration.
+### GET /modules/
+Retrieve a list of all modules enabled.
+#### Example
+~~~bash
+curl --header "Authorization: " --header "Accept: application/json" --header "Content-Type: application/json" -X GET http:///modules/
+~~~
+
+#### Output
+~~~json
+[
+ {
+ "name": "passivetotal",
+ "type": "expansion",
+ "mispattributes": {
+ "input": [
+ "hostname",
+ "domain",
+ "ip-src",
+ "ip-dst"
+ ],
+ "output": [
+ "ip-src",
+ "ip-dst",
+ "hostname",
+ "domain"
+ ]
+ },
+ "meta": {
+ "description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources",
+ "config": [
+ "username",
+ "password"
+ ],
+ "author": "Alexandre Dulaunoy",
+ "version": "0.1"
+ }
+ },
+ {
+ "name": "sourcecache",
+ "type": "expansion",
+ "mispattributes": {
+ "input": [
+ "link"
+ ],
+ "output": [
+ "link"
+ ]
+ },
+ "meta": {
+ "description": "Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.",
+ "author": "Alexandre Dulaunoy",
+ "version": "0.1"
+ }
+ },
+ {
+ "name": "dns",
+ "type": "expansion",
+ "mispattributes": {
+ "input": [
+ "hostname",
+ "domain"
+ ],
+ "output": [
+ "ip-src",
+ "ip-dst"
+ ]
+ },
+ "meta": {
+ "description": "Simple DNS expansion service to resolve IP address from MISP attributes",
+ "author": "Alexandre Dulaunoy",
+ "version": "0.1"
+ }
+ }
+]
+~~~
+
+### POST /modules/query
+Call any enabled module.
+
+#### Example
+
+Content of dns.json
+~~~json
+{
+ "hostname": "www.foo.be",
+ "module": "dns"
+}
+~~~
+
+Query using MISP API
+
+~~~bash
+curl --header "Authorization: " --header "Accept: application/json" --header "Content-Type: application/json" --data @dns.json -X POST http:///modules/query
+~~~
+
+The output will be following JSON:
+
+~~~json
+{
+ "results": [
+ {
+ "types": [
+ "ip-src",
+ "ip-dst"
+ ],
+ "values": [
+ "188.65.217.78"
+ ]
+ }
+ ]
+}
+~~~
From 2cb4f2bb51f1945e36d75f5ee87e402101034579 Mon Sep 17 00:00:00 2001
From: "Juan C. Montes" <33036804+juancmontes@users.noreply.github.com>
Date: Fri, 23 Feb 2018 09:50:56 +0100
Subject: [PATCH 2/3] Use new Modules Controller Documentation to use the new feature to can call misp-modules from API.
---
 automation/README.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/automation/README.md b/automation/README.md
index 2a0813c..ce59664 100644
--- a/automation/README.md
+++ b/automation/README.md
@@ -27,7 +27,6 @@ The authorization is performed by using the following header:
 ~~~~
 Authorization: YOUR API KEY
 ~~~~
-
 ### Accept and Content-Type headers
 When performing your request, depending on the type of request, you might need to explicitly specify in what content type you want to get your results. This is done by setting one of the below Accept headers:
From df9b4f7f75a19d00dec9c6f8023e5a29696cda2e Mon Sep 17 00:00:00 2001
From: "Juan C. Montes" <33036804+juancmontes@users.noreply.github.com>
Date: Fri, 23 Feb 2018 10:10:58 +0100
Subject: [PATCH 3/3] Use new Modules Controller
---
 automation/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/automation/README.md b/automation/README.md
index ce59664..25cd36a 100644
--- a/automation/README.md
+++ b/automation/README.md
@@ -2059,7 +2059,7 @@ curl --header "Authorization: " --header "Accept: application/json" --h
 ]
 ~~~
-### POST /modules/query
+### POST /modules/queryEnrichment
 Call any enabled module.
 #### Example
@@ -2075,7 +2075,7 @@ Content of dns.json
 Query using MISP API
 ~~~bash
-curl --header "Authorization: " --header "Accept: application/json" --header "Content-Type: application/json" --data @dns.json -X POST http:///modules/query
+curl --header "Authorization: " --header "Accept: application/json" --header "Content-Type: application/json" --data @dns.json -X POST http:///modules/queryEnrichment
 ~~~
 The output will be following JSON: