Merge branch 'master' of github.com:SteveClement/misp-book

pull/100/head
Steve Clement 2018-02-28 10:47:29 +01:00
commit fe4a38502c
3 changed files with 217 additions and 29 deletions

28
USAGE
View File

@ -1,28 +0,0 @@
Install notes
=============
~~~
npm install gitbook
sudo npm install gitbook-cli -g
npm install gitbook-plugin-autocover
npm install gitbook-plugin-github
npm install gitbook-plugin-toc
npm install gitbook-plugin-anchors
gitbook install
~~~
Usage
=====
If you want to generate the PDF output (you need to have Calibre installed):
~~~
gitbook pdf
~~~
and if you want to want to serve the HTML pages on 127.0.0.1:4000:
~~~
gitbook serve
~~~

79
USAGE.md Normal file
View File

@ -0,0 +1,79 @@
Install notes
=============
:warning:
Make sure to be in the *misp-book* repository directory for the *npm magic*.
Also: The *npm* plugin *autocover* is broken. It pulls an incompatible *canvas* module version. Thus patched repository used (forked from original)
Tested on: Ubuntu 16.04.4 LTS
```
curl -sL https://deb.nodesource.com/setup_9.x | sudo -E bash -
sudo apt-get install -y nodejs
sudo apt-get install -y build-essential
sudo apt install -y npm pkg-config libcairo2-dev
npm install gitbook git+https://github.com/SteveClement/plugin-autocover.git gitbook-plugin-github gitbook-plugin-toc gitbook-plugin-anchors
sudo npm install gitbook-cli -g
gitbook install
```
Usage
=====
If you want to generate the PDF output (you need to have Calibre installed):
```
gitbook pdf
```
on macOS (ebook-convert is not in path):
```
PATH=$PATH:/Applications/calibre.app/Contents/MacOS/ ; gitbook pdf
```
and if you want to want to serve the HTML pages on 127.0.0.1:4000:
```
gitbook serve
```
macOS Notes
===========
canvas needs to be compiled and needs the following dependencies:
```
xcode-select --install
# If you have homebrew not installed yet:
## /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
# For the more adventureous you can install a cask of calibre which gives you access to *ebook-convert*
## brew cask install calibre
brew install pkg-config cairo pango libpng jpeg giflib
```
:warning:
Make sure to be in the *misp-book* repository directory for the npm magic.
Installing gitbook and all dependencies wants to look like this (Tested on macOS 11.13.3):
```
npm install gitbook git+https://github.com/SteveClement/plugin-autocover.git gitbook-plugin-github gitbook-plugin-toc gitbook-plugin-anchors
npm install gitbook-cli -g
gitbook install
```
npm salvage
===========
In case something with npm breaks, this brings you back to a sane default.
We still assume we are in the *misp-book* repository working directory.
```
rm -rf node_modules
rm package-lock.json
rm -rf ~/.gitbook
sudo rm -rf /usr/local/lib/node_modules/gitbook-cli
```

View File

@ -27,7 +27,6 @@ The authorization is performed by using the following header:
~~~~ ~~~~
Authorization: YOUR API KEY Authorization: YOUR API KEY
~~~~ ~~~~
### Accept and Content-Type headers ### Accept and Content-Type headers
When performing your request, depending on the type of request, you might need to explicitly specify in what content type you want to get your results. This is done by setting one of the below Accept headers: When performing your request, depending on the type of request, you might need to explicitly specify in what content type you want to get your results. This is done by setting one of the below Accept headers:
@ -446,6 +445,12 @@ Attaches an Tag to an Object by a given UUID
curl --header "Authorization: a4PLf8QICdDdOmFjwdtSYqkCqn9CvN0VQt7mpUUf " --header "Accept: application/json" --header "Content-Type: application/json" -X POST http://10.50.13.60/tags/attachTagToObject/5a0d68b3-6da0-4ced-8233-77bb950d210f/tlp3Awhite curl --header "Authorization: a4PLf8QICdDdOmFjwdtSYqkCqn9CvN0VQt7mpUUf " --header "Accept: application/json" --header "Content-Type: application/json" -X POST http://10.50.13.60/tags/attachTagToObject/5a0d68b3-6da0-4ced-8233-77bb950d210f/tlp3Awhite
~~~~ ~~~~
~~~~
curl --header "Authorization: a4PLf8QICdDdOmFjwdtSYqkCqn9CvN0VQt7mpUUf " -d "{"uuid"="5a0d68b3-6da0-4ced-8233-77bb950d210f" "tag"="tlp:white"}" --header "Accept: application/json" --header "Content-Type: application/json" -X POST http://10.50.13.60/tags/attachTagToObject/
~~~~
### POST /tags/removeTagFromObject ### POST /tags/removeTagFromObject
#### Description #### Description
@ -503,6 +508,20 @@ curl --header "Authorization: a4PLf8QICdDdOmFjwdtSYqkCqn9CvN0VQt7mpUUf " --heade
## Attribute management ## Attribute management
### POST /attributes/add/
Adds an Attribute to an event
#### URL Arguments
- event id
#### Output
#### Example
~~~~
curl --header "Authorization: a4PLf8QICdDdOmFjwdtSYqkCqn9CvN0VQt7mpUUf " --header "Accept: application/json" --header "Content-Type: application/json" -d "{"event_id":"3542","value":"1.2.3.4","category":"Network activity","type":"ip-dst"}" http://10.50.13.60/attributes/add/3542
~~~~
### GET /attributes ### GET /attributes
@ -1310,6 +1329,8 @@ To return an event with all of its attributes, relations, shadowAttributes, use
~~~~ ~~~~
https://<misp url>/attributes/restSearch/json/[value]/[type]/[category]/[org]/[tag]/[quickfilter]/[from]/[to]/[last]/[eventid]/[withAttachments]/[metadata]/[uuid] https://<misp url>/attributes/restSearch/json/[value]/[type]/[category]/[org]/[tag]/[quickfilter]/[from]/[to]/[last]/[eventid]/[withAttachments]/[metadata]/[uuid]
~~~~ ~~~~
If you include "includeEventUuid":1" in the json request, it will give you the event_uuid as a result as well.
@ -1978,6 +1999,122 @@ An example output of https://<misp url>/users/statistics.json:
} }
~~~~ ~~~~
# MISP modules
## Description
It is possible call misp-modules directly from API.
If the module needs credentials, API will get the information directly from MISP configuration.
### GET /modules/
Retrieve a list of all modules enabled.
#### Example
~~~bash
curl --header "Authorization: <APIKEY> " --header "Accept: application/json" --header "Content-Type: application/json" -X GET http://<MISP>/modules/
~~~
#### Output
~~~json
[
{
"name": "passivetotal",
"type": "expansion",
"mispattributes": {
"input": [
"hostname",
"domain",
"ip-src",
"ip-dst"
],
"output": [
"ip-src",
"ip-dst",
"hostname",
"domain"
]
},
"meta": {
"description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources",
"config": [
"username",
"password"
],
"author": "Alexandre Dulaunoy",
"version": "0.1"
}
},
{
"name": "sourcecache",
"type": "expansion",
"mispattributes": {
"input": [
"link"
],
"output": [
"link"
]
},
"meta": {
"description": "Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.",
"author": "Alexandre Dulaunoy",
"version": "0.1"
}
},
{
"name": "dns",
"type": "expansion",
"mispattributes": {
"input": [
"hostname",
"domain"
],
"output": [
"ip-src",
"ip-dst"
]
},
"meta": {
"description": "Simple DNS expansion service to resolve IP address from MISP attributes",
"author": "Alexandre Dulaunoy",
"version": "0.1"
}
}
]
~~~
### POST /modules/queryEnrichment
Call any enabled module.
#### Example
Content of dns.json
~~~json
{
"hostname": "www.foo.be",
"module": "dns"
}
~~~
Query using MISP API
~~~bash
curl --header "Authorization: <APIKEY> " --header "Accept: application/json" --header "Content-Type: application/json" --data @dns.json -X POST http://<MISP>/modules/queryEnrichment
~~~
The output will be following JSON:
~~~json
{
"results": [
{
"types": [
"ip-src",
"ip-dst"
],
"values": [
"188.65.217.78"
]
}
]
}
~~~