From ec9e6b8d486d2bffd7c6c7cea2b657b021f1e3df Mon Sep 17 00:00:00 2001 From: "Juan C. Montes" <33036804+juancmontes@users.noreply.github.com> Date: Fri, 23 Feb 2018 09:48:20 +0100 Subject: [PATCH 01/10] Use Modules Controller Documentation to use the new feature to can call misp-modules from API. --- automation/README.md | 116 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 116 insertions(+) diff --git a/automation/README.md b/automation/README.md index 170b901..2a0813c 100644 --- a/automation/README.md +++ b/automation/README.md @@ -1978,6 +1978,122 @@ An example output of https:///users/statistics.json: } ~~~~ +# MISP modules +## Description +It is possible call misp-modules directly from API. +If the module needs credentials, API will get the information directly from MISP configuration. +### GET /modules/ +Retrieve a list of all modules enabled. +#### Example +~~~bash +curl --header "Authorization: " --header "Accept: application/json" --header "Content-Type: application/json" -X GET http:///modules/ +~~~ + +#### Output +~~~json +[ + { + "name": "passivetotal", + "type": "expansion", + "mispattributes": { + "input": [ + "hostname", + "domain", + "ip-src", + "ip-dst" + ], + "output": [ + "ip-src", + "ip-dst", + "hostname", + "domain" + ] + }, + "meta": { + "description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources", + "config": [ + "username", + "password" + ], + "author": "Alexandre Dulaunoy", + "version": "0.1" + } + }, + { + "name": "sourcecache", + "type": "expansion", + "mispattributes": { + "input": [ + "link" + ], + "output": [ + "link" + ] + }, + "meta": { + "description": "Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.", + "author": "Alexandre Dulaunoy", + "version": "0.1" + } + }, + { + "name": "dns", + "type": "expansion", + "mispattributes": { + "input": [ + "hostname", + "domain" + ], + "output": [ + "ip-src", + "ip-dst" + ] + }, + "meta": { + "description": "Simple DNS expansion service to resolve IP address from MISP attributes", + "author": "Alexandre Dulaunoy", + "version": "0.1" + } + } +] +~~~ + +### POST /modules/query +Call any enabled module. + +#### Example + +Content of dns.json +~~~json +{ + "hostname": "www.foo.be", + "module": "dns" +} +~~~ + +Query using MISP API + +~~~bash +curl --header "Authorization: " --header "Accept: application/json" --header "Content-Type: application/json" --data @dns.json -X POST http:///modules/query +~~~ + +The output will be following JSON: + +~~~json +{ + "results": [ + { + "types": [ + "ip-src", + "ip-dst" + ], + "values": [ + "188.65.217.78" + ] + } + ] +} +~~~ From 2cb4f2bb51f1945e36d75f5ee87e402101034579 Mon Sep 17 00:00:00 2001 From: "Juan C. Montes" <33036804+juancmontes@users.noreply.github.com> Date: Fri, 23 Feb 2018 09:50:56 +0100 Subject: [PATCH 02/10] Use new Modules Controller Documentation to use the new feature to can call misp-modules from API. --- automation/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/automation/README.md b/automation/README.md index 2a0813c..ce59664 100644 --- a/automation/README.md +++ b/automation/README.md @@ -27,7 +27,6 @@ The authorization is performed by using the following header: ~~~~ Authorization: YOUR API KEY ~~~~ - ### Accept and Content-Type headers When performing your request, depending on the type of request, you might need to explicitly specify in what content type you want to get your results. This is done by setting one of the below Accept headers: From df9b4f7f75a19d00dec9c6f8023e5a29696cda2e Mon Sep 17 00:00:00 2001 From: "Juan C. Montes" <33036804+juancmontes@users.noreply.github.com> Date: Fri, 23 Feb 2018 10:10:58 +0100 Subject: [PATCH 03/10] Use new Modules Controller --- automation/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/README.md b/automation/README.md index ce59664..25cd36a 100644 --- a/automation/README.md +++ b/automation/README.md @@ -2059,7 +2059,7 @@ curl --header "Authorization: " --header "Accept: application/json" --h ] ~~~ -### POST /modules/query +### POST /modules/queryEnrichment Call any enabled module. #### Example @@ -2075,7 +2075,7 @@ Content of dns.json Query using MISP API ~~~bash -curl --header "Authorization: " --header "Accept: application/json" --header "Content-Type: application/json" --data @dns.json -X POST http:///modules/query +curl --header "Authorization: " --header "Accept: application/json" --header "Content-Type: application/json" --data @dns.json -X POST http:///modules/queryEnrichment ~~~ The output will be following JSON: From 1191e3a5720f358305502871dc9d7b5469517a98 Mon Sep 17 00:00:00 2001 From: Alexander J Date: Mon, 26 Feb 2018 11:55:44 +0100 Subject: [PATCH 04/10] Update README.md --- automation/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/automation/README.md b/automation/README.md index 25cd36a..5c44bdf 100644 --- a/automation/README.md +++ b/automation/README.md @@ -445,6 +445,12 @@ Attaches an Tag to an Object by a given UUID curl --header "Authorization: a4PLf8QICdDdOmFjwdtSYqkCqn9CvN0VQt7mpUUf " --header "Accept: application/json" --header "Content-Type: application/json" -X POST http://10.50.13.60/tags/attachTagToObject/5a0d68b3-6da0-4ced-8233-77bb950d210f/tlp3Awhite ~~~~ + +~~~~ +curl --header "Authorization: a4PLf8QICdDdOmFjwdtSYqkCqn9CvN0VQt7mpUUf " -d "{"uuid"="5a0d68b3-6da0-4ced-8233-77bb950d210f" "tag"="tlp:white"}" --header "Accept: application/json" --header "Content-Type: application/json" -X POST http://10.50.13.60/tags/attachTagToObject/ +~~~~ + + ### POST /tags/removeTagFromObject #### Description From b412cd71f2779b5615c47898eb9a03c864957b7a Mon Sep 17 00:00:00 2001 From: Alexander J Date: Mon, 26 Feb 2018 12:44:04 +0100 Subject: [PATCH 05/10] mention add Attributes no idea why that has never been documented. --- automation/README.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/automation/README.md b/automation/README.md index 5c44bdf..c2c65cf 100644 --- a/automation/README.md +++ b/automation/README.md @@ -55,7 +55,8 @@ By appending .json or .xml the content type can also be set without the need for PyMISP is a Python library to access MISP platforms via their REST API. -PyMISP allows you to fetch events, add or update events/attributes, add or update samples or search for attributes. +PyMISP allows you to fetch events, add or update events/ +utes, add or update samples or search for attributes. [PyMISP is available](https://github.com/MISP/PyMISP) including a documentation with various examples. @@ -508,6 +509,20 @@ curl --header "Authorization: a4PLf8QICdDdOmFjwdtSYqkCqn9CvN0VQt7mpUUf " --heade ## Attribute management +### POST /attributes/add/ + +Adds an Attribute to an event + +#### URL Arguments + +- event id + +#### Output + +#### Example +~~~~ +curl --header "Authorization: a4PLf8QICdDdOmFjwdtSYqkCqn9CvN0VQt7mpUUf " --header "Accept: application/json" --header "Content-Type: application/json" -d "{"event_id":"3542","value":"1.2.3.4","category":"Network activity","type":"ip-dst"}" http://10.50.13.60/attributes/add/3542 +~~~~ ### GET /attributes From 9ea8a1fe5a0436a7c57081abed5c868b1af4d818 Mon Sep 17 00:00:00 2001 From: Alexander J Date: Mon, 26 Feb 2018 12:46:41 +0100 Subject: [PATCH 06/10] Update README.md --- automation/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/automation/README.md b/automation/README.md index c2c65cf..f157dcc 100644 --- a/automation/README.md +++ b/automation/README.md @@ -55,8 +55,7 @@ By appending .json or .xml the content type can also be set without the need for PyMISP is a Python library to access MISP platforms via their REST API. -PyMISP allows you to fetch events, add or update events/ -utes, add or update samples or search for attributes. +PyMISP allows you to fetch events, add or update events/attributes, add or update samples or search for attributes. [PyMISP is available](https://github.com/MISP/PyMISP) including a documentation with various examples. From 0458def491d68ef76e9e3b8184e759a8d3e9d568 Mon Sep 17 00:00:00 2001 From: Alexander J Date: Mon, 26 Feb 2018 17:08:43 +0100 Subject: [PATCH 07/10] Update README.md --- automation/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/automation/README.md b/automation/README.md index 5c44bdf..7189b44 100644 --- a/automation/README.md +++ b/automation/README.md @@ -1315,6 +1315,8 @@ To return an event with all of its attributes, relations, shadowAttributes, use ~~~~ https:///attributes/restSearch/json/[value]/[type]/[category]/[org]/[tag]/[quickfilter]/[from]/[to]/[last]/[eventid]/[withAttachments]/[metadata]/[uuid] ~~~~ + + If you include "includeEventUuid":1" in the json request, it will give you the event_uuid as a result as well. From 35d5204b768f2d614c8841ac85a1ca32f6290422 Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Tue, 27 Feb 2018 23:52:21 +0100 Subject: [PATCH 08/10] - Added notes on macOS - Added notes on what to do if npm fails - Put npm install packages in 1 line (better results in my setup) --- USAGE | 66 +++++++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 55 insertions(+), 11 deletions(-) diff --git a/USAGE b/USAGE index 114c3e6..8b0d1c2 100644 --- a/USAGE +++ b/USAGE @@ -2,27 +2,71 @@ Install notes ============= -~~~ -npm install gitbook +:warning: +Make sure to be in the *misp-book* repository directory for the npm magic. + +``` +npm install gitbook gitbook-plugin-autocover gitbook-plugin-github gitbook-plugin-toc gitbook-plugin-anchors sudo npm install gitbook-cli -g -npm install gitbook-plugin-autocover -npm install gitbook-plugin-github -npm install gitbook-plugin-toc -npm install gitbook-plugin-anchors gitbook install -~~~ +``` Usage ===== If you want to generate the PDF output (you need to have Calibre installed): -~~~ +``` gitbook pdf -~~~ +``` + +on macOS (ebook-convert is not in path): + +``` +PATH=$PATH:/Applications/calibre.app/Contents/MacOS/ ; gitbook pdf +``` and if you want to want to serve the HTML pages on 127.0.0.1:4000: -~~~ +``` gitbook serve -~~~ +``` + +macOS Notes +=========== + +canvas needs to be compiled and needs the following dependencies: + +``` +xcode-select --install +# If you have homebrew not installed yet: +## /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" +# For the more adventureous you can install a cask of calibre which gives you access to *ebook-convert* +## brew cask install calibre +brew install pkg-config cairo pango libpng jpeg giflib +``` + +:warning: +Make sure to be in the *misp-book* repository directory for the npm magic. + +Installing gitbook and all dependencies wants to look like this (Tested on macOS 11.13.3): + +``` +npm install gitbook git+https://github.com/SteveClement/plugin-autocover.git gitbook-plugin-github gitbook-plugin-toc gitbook-plugin-anchors +npm install gitbook-cli -g +gitbook install +``` + +npm salvage +=========== + +In case something with npm breaks, this brings you back to a sane default. +We still assume we are in the *misp-book* repository working directory. + +``` +rm -rf node_modules +rm package-lock.json +rm -rf ~/.gitbook +sudo rm -rf /usr/local/lib/node_modules/gitbook-cli +``` + From c6da52f7eee7242e4d99a6ca0bd94958acb7fe36 Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Wed, 28 Feb 2018 00:32:57 +0100 Subject: [PATCH 09/10] - move usage to .md - added Ubuntu deps --- USAGE => USAGE.md | 1 + 1 file changed, 1 insertion(+) rename USAGE => USAGE.md (97%) diff --git a/USAGE b/USAGE.md similarity index 97% rename from USAGE rename to USAGE.md index 8b0d1c2..50b9878 100644 --- a/USAGE +++ b/USAGE.md @@ -6,6 +6,7 @@ Install notes Make sure to be in the *misp-book* repository directory for the npm magic. ``` +sudo apt install npm pkg-config libcairo2-dev npm install gitbook gitbook-plugin-autocover gitbook-plugin-github gitbook-plugin-toc gitbook-plugin-anchors sudo npm install gitbook-cli -g gitbook install From 73fc13d389adc254b958c25e2afdb0ca0634b2d8 Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Wed, 28 Feb 2018 00:45:19 +0100 Subject: [PATCH 10/10] =?UTF-8?q?-=20This=20now=20works=20on=20Ubuntu=2016?= =?UTF-8?q?+=20again=E2=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- USAGE.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/USAGE.md b/USAGE.md index 50b9878..a7c7d09 100644 --- a/USAGE.md +++ b/USAGE.md @@ -3,11 +3,17 @@ Install notes ============= :warning: -Make sure to be in the *misp-book* repository directory for the npm magic. +Make sure to be in the *misp-book* repository directory for the *npm magic*. +Also: The *npm* plugin *autocover* is broken. It pulls an incompatible *canvas* module version. Thus patched repository used (forked from original) + +Tested on: Ubuntu 16.04.4 LTS ``` -sudo apt install npm pkg-config libcairo2-dev -npm install gitbook gitbook-plugin-autocover gitbook-plugin-github gitbook-plugin-toc gitbook-plugin-anchors +curl -sL https://deb.nodesource.com/setup_9.x | sudo -E bash - +sudo apt-get install -y nodejs +sudo apt-get install -y build-essential +sudo apt install -y npm pkg-config libcairo2-dev +npm install gitbook git+https://github.com/SteveClement/plugin-autocover.git gitbook-plugin-github gitbook-plugin-toc gitbook-plugin-anchors sudo npm install gitbook-cli -g gitbook install ```