diff --git a/automation/README.md b/automation/README.md index 1b55285..4c94564 100644 --- a/automation/README.md +++ b/automation/README.md @@ -214,9 +214,61 @@ The keywords false or null should be used for optional empty parameters in the U An example for a Suricata export for all events excluding those tagged tag1, without all of the commented information at the start of the file would look like this: ~~~~ -https://misppriv.circl.lu/events/nids/suricata/download/null/true/!tag1 +https:///events/nids/suricata/download/null/true/!tag1 ~~~~ Administration is able to maintain a white-list containing host, domain name and IP numbers to exclude from the NIDS export. +## Hash - HIDS database export + +Automatic export of MD5/SHA1 checksums contained in file-related attributes. This list can be used to feed forensic software when searching for + suspicious files. Only published events and attributes marked as IDS Signature are exported. + +You can configure your tools to automatically download all the MD5 hashes from MISP: + +~~~~ +https:///events/hids/md5/download +~~~~ + +Or the SHA1 hashes: + +~~~~ +https:///events/hids/sha1/download +~~~~ + +The API's full format is as follow: + +~~~~ +https:///events/hids/[format]/download/[tags]/[from]/[to]/[last] +~~~~ + +
+
format
+
The export format, can be "md5" or "sha1"
+
tags
+
To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a '!'. You can also chain several tag + commands together with the '&&' operator. Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will + automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use:
+
+ +~~~~ +https:///events/hids/md5/download/tag1&&tag2&&!tag3 +~~~~ + +
+
from
+
Events with the date set to a date after the one specified in the from field (format: 2015-02-15)
+
to
+
Events with the date set to a date before the one specified in the to field (format: 2015-02-15)
+
last
+
Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m)
+
+ +The keywords false or null should be used for optional empty parameters in the URL. + +For example, to only show sha1 values from events tagged tag1, use: + +~~~~ +https:///events/hids/sha1/download/tag1 +~~~~
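Review bot: the example URLs added in this hunk (the replaced Suricata line and every new HIDS example, e.g. `https:///events/hids/md5/download`) have an empty host between `https://` and `/events`, so a reader who copies them gets an invalid URL and cannot tell where their own MISP instance name belongs; the change removes the `misppriv.circl.lu` host, which is the right idea, but it should be replaced with an explicit placeholder such as `https://[misp-url]/events/hids/md5/download`, matching the bracketed `[format]/[tags]/[from]/[to]/[last]` convention the same hunk already uses for the full format line. Two smaller wording points in the new text: "The API's full format is as follow" should read "as follows", and "just write its names into this parameter" should read "its name".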