<ahref="#how-to-install-and-start-misp-modules-in-a-python-virtualenv-recommended"title="How to install and start MISP modules in a Python virtualenv? (recommended)"class="md-nav__link">
How to install and start MISP modules in a Python virtualenv? (recommended)
</a>
</li>
<liclass="md-nav__item">
<ahref="#how-to-install-and-start-misp-modules-on-rhel-based-distributions"title="How to install and start MISP modules on RHEL-based distributions ?"class="md-nav__link">
How to install and start MISP modules on RHEL-based distributions ?
</a>
</li>
<liclass="md-nav__item">
<ahref="#how-to-add-your-own-misp-modules"title="How to add your own MISP modules?"class="md-nav__link">
<ahref="#how-to-install-and-start-misp-modules-in-a-python-virtualenv-recommended"title="How to install and start MISP modules in a Python virtualenv? (recommended)"class="md-nav__link">
How to install and start MISP modules in a Python virtualenv? (recommended)
</a>
</li>
<liclass="md-nav__item">
<ahref="#how-to-install-and-start-misp-modules-on-rhel-based-distributions"title="How to install and start MISP modules on RHEL-based distributions ?"class="md-nav__link">
How to install and start MISP modules on RHEL-based distributions ?
</a>
</li>
<liclass="md-nav__item">
<ahref="#how-to-add-your-own-misp-modules"title="How to add your own MISP modules?"class="md-nav__link">
<p>MISP modules are autonomous modules that can be used to extend <ahref="https://github.com/MISP/MISP">MISP</a> for new services such as expansion, import and export.</p>
<p>For more information: <ahref="https://www.misp-project.org/misp-training/3.1-misp-modules.pdf">Extending MISP with Python modules</a> slides from <ahref="https://github.com/MISP/misp-training">MISP training</a>.</p>
<li><ahref="misp_modules/modules/expansion/apiosintds.py">apiosintDS</a> - a hover and expansion module to query the OSINT.digitalside.it API.</li>
<li><ahref="misp_modules/modules/expansion/apivoid.py">API Void</a> - an expansion and hover module to query API Void with a domain attribute.</li>
<li><ahref="misp_modules/modules/expansion/assemblyline_submit.py">AssemblyLine submit</a> - an expansion module to submit samples and urls to AssemblyLine.</li>
<li><ahref="misp_modules/modules/expansion/assemblyline_query.py">AssemblyLine query</a> - an expansion module to query AssemblyLine and parse the full submission report.</li>
<li><ahref="misp_modules/modules/expansion/backscatter_io.py">Backscatter.io</a> - a hover and expansion module to expand an IP address with mass-scanning observations.</li>
<li><ahref="misp_modules/modules/expansion/bgpranking.py">BGP Ranking</a> - a hover and expansion module to expand an AS number with the ASN description and its ranking and position in BGP Ranking.</li>
<li><ahref="misp_modules/modules/expansion/ransomcoindb.py">RansomcoinDB check</a> - An expansion hover module to query the <ahref="https://ransomcoindb.concinnity-risks.com">ransomcoinDB</a>: it contains mapping between BTC addresses and malware hashes. Enrich MISP by querying for BTC -> hash or hash -> BTC addresses.</li>
<li><ahref="misp_modules/modules/expansion/btc_scam_check.py">BTC scam check</a> - An expansion hover module to instantly check if a BTC address has been abused.</li>
<li><ahref="misp_modules/modules/expansion/btc_steroids.py">BTC transactions</a> - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP.</li>
<li><ahref="misp_modules/modules/expansion/censys_enrich.py">Censys-enrich</a> - An expansion and module to retrieve information from censys.io about a particular IP or certificate.</li>
<li><ahref="misp_modules/modules/expansion/circl_passivedns.py">CIRCL Passive DNS</a> - a hover and expansion module to expand hostname and IP addresses with passive DNS information.</li>
<li><ahref="misp_modules/modules/expansion/circl_passivessl.py">CIRCL Passive SSL</a> - a hover and expansion module to expand IP addresses with the X.509 certificate(s) seen.</li>
<li><ahref="misp_modules/modules/expansion/countrycode.py">countrycode</a> - a hover module to tell you what country a URL belongs to.</li>
<li><ahref="misp_modules/modules/expansion/crowdstrike_falcon.py">CrowdStrike Falcon</a> - an expansion module to expand using CrowdStrike Falcon Intel Indicator API.</li>
<li><ahref="misp_modules/modules/expansion/cpe.py">CPE</a> - An expansion module to query the CVE Search API with a cpe code, to get its related vulnerabilities.</li>
<li><ahref="misp_modules/modules/expansion/cve.py">CVE</a> - a hover module to give more information about a vulnerability (CVE).</li>
<li><ahref="misp_modules/modules/expansion/cve_advanced.py">CVE advanced</a> - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).</li>
<li><ahref="misp_modules/modules/expansion/cuckoo_submit.py">Cuckoo submit</a> - A hover module to submit malware sample, url, attachment, domain to Cuckoo Sandbox.</li>
<li><ahref="misp_modules/modules/expansion/cytomic_orion.py">Cytomic Orion</a> - An expansion module to enrich attributes in MISP and share indicators of compromise with Cytomic Orion.</li>
<li><ahref="misp_modules/modules/expansion/dbl_spamhaus.py">DBL Spamhaus</a> - a hover module to check Spamhaus DBL for a domain name.</li>
<li><ahref="misp_modules/modules/expansion/dns.py">DNS</a> - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.</li>
<li><ahref="misp_modules/modules/expansion/docx_enrich.py">docx-enrich</a> - an enrichment module to get text out of Word document into MISP (using free-text parser).</li>
<li><ahref="misp_modules/modules/expansion/domaintools.py">DomainTools</a> - a hover and expansion module to get information from <ahref="http://www.domaintools.com/">DomainTools</a> whois.</li>
<li><ahref="misp_modules/modules/expansion/eql.py">EQL</a> - an expansion module to generate event query language (EQL) from an attribute. <ahref="https://eql.readthedocs.io/en/latest/">Event Query Language</a></li>
<li><ahref="misp_modules/modules/expansion/eupi.py">EUPI</a> - a hover and expansion module to get information about an URL from the <ahref="https://phishing-initiative.eu/?lang=en">Phishing Initiative project</a>.</li>
<li><ahref="misp_modules/modules/expansion/farsight_passivedns.py">Farsight DNSDB Passive DNS</a> - a hover and expansion module to expand hostname and IP addresses with passive DNS information.</li>
<li><ahref="misp_modules/modules/expansion/geoip_country.py">GeoIP</a> - a hover and expansion module to get GeoIP information from geolite/maxmind.</li>
<li><ahref="misp_modules/modules/expansion/geoip_city.py">GeoIP_City</a> - a hover and expansion module to get GeoIP City information from geolite/maxmind.</li>
<li><ahref="misp_modules/modules/expansion/geoip_asn.py">GeoIP_ASN</a> - a hover and expansion module to get GeoIP ASN information from geolite/maxmind.</li>
<li><ahref="misp_modules/modules/expansion/greynoise.py">Greynoise</a> - a hover to get information from greynoise.</li>
<li><ahref="misp_modules/modules/expansion/hashdd.py">hashdd</a> - a hover module to check file hashes against <ahref="http://www.hashdd.com">hashdd.com</a> including NSLR dataset.</li>
<li><ahref="misp_modules/modules/expansion/hibp.py">hibp</a> - a hover module to lookup against Have I Been Pwned?</li>
<li><ahref="misp_modules/modules/expansion/html_to_markdown.py">html_to_markdown</a> - Simple HTML to markdown converter</li>
<li><ahref="misp_modules/modules/expansion/intel471.py">intel471</a> - an expansion module to get info from <ahref="https://intel471.com">Intel471</a>.</li>
<li><ahref="misp_modules/modules/expansion/ipasn.py">IPASN</a> - a hover and expansion to get the BGP ASN of an IP address.</li>
<li><ahref="misp_modules/modules/expansion/iprep.py">iprep</a> - an expansion module to get IP reputation from packetmail.net.</li>
<li><ahref="misp_modules/modules/expansion/joesandbox_submit.py">Joe Sandbox submit</a> - Submit files and URLs to Joe Sandbox.</li>
<li><ahref="misp_modules/modules/expansion/joesandbox_query.py">Joe Sandbox query</a> - Query Joe Sandbox with the link of an analysis and get the parsed data.</li>
<li><ahref="misp_modules/modules/expansion/lastline_submit.py">Lastline submit</a> - Submit files and URLs to Lastline.</li>
<li><ahref="misp_modules/modules/expansion/lastline_query.py">Lastline query</a> - Query Lastline with the link to an analysis and parse the report.</li>
<li><ahref="misp_modules/modules/expansion/macaddress_io.py">macaddress.io</a> - a hover module to retrieve vendor details and other information regarding a given MAC address or an OUI from <ahref="https://macaddress.io">MAC address Vendor Lookup</a>. See <ahref="https://macaddress.io/integrations/MISP-module">integration tutorial here</a>.</li>
<li><ahref="misp_modules/modules/expansion/macvendors.py">macvendors</a> - a hover module to retrieve mac vendor information.</li>
<li><ahref="misp_modules/modules/expansion/malwarebazaar.py">MALWAREbazaar</a> - an expansion module to query MALWAREbazaar with some payload.</li>
<li><ahref="misp_modules/modules/expansion/ocr_enrich.py">ocr-enrich</a> - an enrichment module to get OCRized data from images into MISP.</li>
<li><ahref="misp_modules/modules/expansion/ods_enrich.py">ods-enrich</a> - an enrichment module to get text out of OpenOffice spreadsheet document into MISP (using free-text parser).</li>
<li><ahref="misp_modules/modules/expansion/odt_enrich.py">odt-enrich</a> - an enrichment module to get text out of OpenOffice document into MISP (using free-text parser).</li>
<li><ahref="misp_modules/modules/expansion/onyphe.py">onyphe</a> - a modules to process queries on Onyphe.</li>
<li><ahref="misp_modules/modules/expansion/onyphe_full.py">onyphe_full</a> - a modules to process full queries on Onyphe.</li>
<li><ahref="misp_modules/modules/expansion/otx.py">OTX</a> - an expansion module for <ahref="https://otx.alienvault.com/">OTX</a>.</li>
<li><ahref="misp_modules/modules/expansion/passivetotal.py">passivetotal</a> - a <ahref="https://www.passivetotal.org/">passivetotal</a> module that queries a number of different PassiveTotal datasets.</li>
<li><ahref="misp_modules/modules/expansion/pdf_enrich.py">pdf-enrich</a> - an enrichment module to extract text from PDF into MISP (using free-text parser).</li>
<li><ahref="misp_modules/modules/expansion/pptx_enrich.py">pptx-enrich</a> - an enrichment module to get text out of PowerPoint document into MISP (using free-text parser).</li>
<li><ahref="misp_modules/modules/expansion/qrcode.py">qrcode</a> - a module decode QR code, barcode and similar codes from an image and enrich with the decoded values.</li>
<li><ahref="misp_modules/modules/expansion/rbl.py">rbl</a> - a module to get RBL (Real-Time Blackhost List) values from an attribute.</li>
<li><ahref="misp_modules/modules/expansion/recordedfuture.py">recordedfuture</a> - a hover and expansion module for enriching MISP attributes with threat intelligence from Recorded Future.</li>
<li><ahref="misp_modules/modules/expansion/reversedns.py">reversedns</a> - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.</li>
<li><ahref="misp_modules/modules/expansion/securitytrails.py">securitytrails</a> - an expansion module for <ahref="https://securitytrails.com/">securitytrails</a>.</li>
<li><ahref="misp_modules/modules/expansion/shodan.py">shodan</a> - a minimal <ahref="https://www.shodan.io/">shodan</a> expansion module.</li>
<li><ahref="misp_modules/modules/expansion/sigma_queries.py">Sigma queries</a> - Experimental expansion module querying a sigma rule to convert it into all the available SIEM signatures.</li>
<li><ahref="misp_modules/modules/expansion/socialscan.py">Socialscan</a> - a hover module to check if an email address or a username is used on different online platforms, using the <ahref="https://github.com/iojw/socialscan">socialscan</a> python library</li>
<li><ahref="misp_modules/modules/expansion/sophoslabs_intelix.py">SophosLabs Intelix</a> - SophosLabs Intelix is an API for Threat Intelligence and Analysis (free tier available). <ahref="https://aws.amazon.com/marketplace/pp/B07SLZPMCS">SophosLabs</a></li>
<li><ahref="misp_modules/modules/expansion/sourcecache.py">sourcecache</a> - a module to cache a specific link from a MISP instance.</li>
<li><ahref="misp_modules/modules/expansion/stix2_pattern_syntax_validator.py">STIX2 pattern syntax validator</a> - a module to check a STIX2 pattern syntax.</li>
<li><ahref="misp_modules/modules/expansion/threatcrowd.py">ThreatCrowd</a> - an expansion module for <ahref="https://www.threatcrowd.org/">ThreatCrowd</a>.</li>
<li><ahref="misp_modules/modules/expansion/threatminer.py">threatminer</a> - an expansion module to expand from <ahref="https://www.threatminer.org/">ThreatMiner</a>.</li>
<li><ahref="misp_modules/modules/expansion/trustar_enrich.py">TruSTAR Enrich</a> - an expansion module to enrich MISP data with <ahref="https://www.trustar.co/">TruSTAR</a>.</li>
<li><ahref="misp_modules/modules/expansion/urlhaus.py">urlhaus</a> - Query urlhaus to get additional data about a domain, hash, hostname, ip or url.</li>
<li><ahref="misp_modules/modules/expansion/urlscan.py">urlscan</a> - an expansion module to query <ahref="https://urlscan.io">urlscan.io</a>.</li>
<li><ahref="misp_modules/modules/expansion/virustotal.py">virustotal</a> - an expansion module to query the <ahref="https://www.virustotal.com/gui/home">VirusTotal</a> API with a high request rate limit required. (More details about the API: <ahref="https://developers.virustotal.com/reference">here</a>)</li>
<li><ahref="misp_modules/modules/expansion/virustotal_public.py">virustotal_public</a> - an expansion module to query the <ahref="https://www.virustotal.com/gui/home">VirusTotal</a> API with a public key and a low request rate limit. (More details about the API: <ahref="https://developers.virustotal.com/reference">here</a>)</li>
<li><ahref="misp_modules/modules/expansion/vmray_submit.py">VMray</a> - a module to submit a sample to VMray.</li>
<li><ahref="misp_modules/modules/expansion/vulndb.py">VulnDB</a> - a module to query <ahref="https://www.riskbasedsecurity.com/">VulnDB</a>.</li>
<li><ahref="misp_modules/modules/expansion/vulners.py">Vulners</a> - an expansion module to expand information about CVEs using Vulners API.</li>
<li><ahref="misp_modules/modules/expansion/whois.py">whois</a> - a module to query a local instance of <ahref="https://github.com/rafiot/uwhoisd">uwhois</a>.</li>
<li><ahref="misp_modules/modules/expansion/wiki.py">wikidata</a> - a <ahref="https://www.wikidata.org">wikidata</a> expansion module.</li>
<li><ahref="misp_modules/modules/expansion/xforceexchange.py">xforce</a> - an IBM X-Force Exchange expansion module.</li>
<li><ahref="misp_modules/modules/expansion/xlsx_enrich.py">xlsx-enrich</a> - an enrichment module to get text out of an Excel document into MISP (using free-text parser).</li>
<li><ahref="misp_modules/modules/expansion/yara_query.py">YARA query</a> - a module to create YARA rules from single hash attributes.</li>
<li><ahref="misp_modules/modules/export_mod/cef_export.py">CEF</a> - module to export Common Event Format (CEF).</li>
<li><ahref="misp_modules/modules/export_mod/cisco_firesight_manager_ACL_rule_export.py">Cisco FireSight Manager ACL rule</a> - module to export as rule for the Cisco FireSight manager ACL.</li>
<li><ahref="misp_modules/modules/export_mod/goamlexport.py">GoAML export</a> - module to export in <ahref="http://goaml.unodc.org/goaml/en/index.html">GoAML format</a>.</li>
<li><ahref="misp_modules/modules/export_mod/liteexport.py">Lite Export</a> - module to export a lite event.</li>
<li><ahref="misp_modules/modules/export_mod/pdfexport.py">PDF export</a> - module to export an event in PDF.</li>
<li><ahref="misp_modules/modules/export_mod/mass_eql_export.py">Mass EQL Export</a> - module to export applicable attributes from an event to a mass EQL query.</li>
<li><ahref="misp_modules/modules/export_mod/nexthinkexport.py">Nexthink query format</a> - module to export in Nexthink query format.</li>
<li><ahref="misp_modules/modules/export_mod/osqueryexport.py">osquery</a> - module to export in <ahref="https://osquery.io/">osquery</a> query format.</li>
<li><ahref="misp_modules/modules/export_mod/threat_connect_export.py">ThreatConnect</a> - module to export in ThreatConnect CSV format.</li>
<li><ahref="misp_modules/modules/export_mod/threatStream_misp_export.py">ThreatStream</a> - module to export in ThreatStream format.</li>
<li><ahref="misp_modules/modules/export_mod/vt_graph.py">VirusTotal Graph</a> - Module to create a VirusTotal graph out of an event.</li>
<li><ahref="misp_modules/modules/import_mod/email_import.py">Email Import</a> - Email import module for MISP to import basic metadata.</li>
<li><ahref="misp_modules/modules/import_mod/goamlimport.py">GoAML import</a> - Module to import <ahref="http://goaml.unodc.org/goaml/en/index.html">GoAML</a> XML format.</li>
<li><ahref="misp_modules/modules/import_mod/joe_import.py">Joe Sandbox import</a> - Parse data from a Joe Sandbox json report.</li>
<li><ahref="misp_modules/modules/import_mod/lastline_import.py">Lastline import</a> - Module to import Lastline analysis reports.</li>
<li><ahref="misp_modules/modules/import_mod/ocr.py">OCR</a> - Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.</li>
<li><ahref="misp_modules/modules/import_mod/openiocimport.py">OpenIOC</a> - OpenIOC import based on PyMISP library.</li>
<li><ahref="misp_modules/modules/import_mod/threatanalyzer_import.py">ThreatAnalyzer</a> - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.</li>
<li><ahref="misp_modules/modules/import_mod/vmray_import.py">VMRay</a> - An import module to process VMRay export.</li>
</ul>
<h2id="how-to-install-and-start-misp-modules-in-a-python-virtualenv-recommended">How to install and start MISP modules in a Python virtualenv? (recommended)<aclass="headerlink"href="#how-to-install-and-start-misp-modules-in-a-python-virtualenv-recommended"title="Permanent link">¶</a></h2>
/var/www/MISP/venv/bin/misp-modules -l <spanclass="m">127</span>.0.0.1 -s <spanclass="p">&</span><spanclass="c1">#to start the modules</span>
</pre></div>
<h2id="how-to-install-and-start-misp-modules-on-rhel-based-distributions">How to install and start MISP modules on RHEL-based distributions ?<aclass="headerlink"href="#how-to-install-and-start-misp-modules-on-rhel-based-distributions"title="Permanent link">¶</a></h2>
<p>As of this writing, the official RHEL repositories only contain Ruby 2.0.0 and Ruby 2.1 or higher is required. As such, this guide installs Ruby 2.2 from the <ahref="https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.2_release_notes/chap-installation#sect-Installation-Subscribe">SCL</a> repository. </p>
<h2id="how-to-add-your-own-misp-modules">How to add your own MISP modules?<aclass="headerlink"href="#how-to-add-your-own-misp-modules"title="Permanent link">¶</a></h2>
<p>Create your module in <ahref="misp_modules/modules/expansion/">misp_modules/modules/expansion/</a>, <ahref="misp_modules/modules/export_mod/">misp_modules/modules/export_mod/</a>, or <ahref="misp_modules/modules/import_mod/">misp_modules/modules/import_mod/</a>. The module should have at minimum three functions:</p>
<ul>
<li><strong>introspection</strong> function that returns a dict of the supported attributes (input and output) by your expansion module.</li>
<li><strong>handler</strong> function which accepts a JSON document to expand the values and return a dictionary of the expanded values.</li>
<li><strong>version</strong> function that returns a dict with the version and the associated meta-data including potential configurations required of the module.</li>
</ul>
<p>Don't forget to return an error key and value if an error is raised to propagate it to the MISP user-interface.</p>
<p>Your module's script name should also be added in the <code>__all__</code> list of <code><module type folder>/__init__.py</code> in order for it to be loaded.</p>
<spanclass="k">return</span><spanclass="p">{</span><spanclass="s1">'error'</span><spanclass="p">:</span><spanclass="s2">"A source IP is required"</span><spanclass="p">}</span>
<p>If your module requires additional configuration (to be exposed via the MISP user-interface), you can define those in the moduleconfig value returned by the version function.</p>
<divclass="codehilite"><pre><span></span><spanclass="c1"># config fields that your code expects from the site admin</span>
"description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources",
"config": [
"username",
"password"
],
"module-type": [
"expansion",
"hover"
],
...
</pre></div>
<p>If you want to use the configuration values set in the web interface they are stored in the key <code>config</code> in the JSON object passed to the handler.</p>
<spanclass="k">return</span><spanclass="p">{</span><spanclass="s1">'error'</span><spanclass="p">:</span><spanclass="s2">"A source IP is required"</span><spanclass="p">}</span>
<spanclass="s2">"data"</span><spanclass="p">:</span><spanclass="n">base64</span><spanclass="o">.</span><spanclass="n">b64encode</span><spanclass="p">(</span><spanclass="o"><</span><spanclass="n">ByteIO</span><spanclass="o">></span><spanclass="p">)</span><spanclass="c1"># base64 encode your data first</span>
<spanclass="s2">"comment"</span><spanclass="p">:</span><spanclass="s2">"This is an attachment"</span><spanclass="p">}}</span>
</pre></div>
<p>If the binary file is malware you can use 'malware-sample' as the type. If you do this the malware sample will be automatically zipped and password protected ('infected') after being uploaded.</p>
<spanclass="s2">"data"</span><spanclass="p">:</span><spanclass="n">base64</span><spanclass="o">.</span><spanclass="n">b64encode</span><spanclass="p">(</span><spanclass="o"><</span><spanclass="n">ByteIO</span><spanclass="o">></span><spanclass="p">)</span><spanclass="c1"># base64 encode your data first</span>
<spanclass="s2">"comment"</span><spanclass="p">:</span><spanclass="s2">"This is an attachment"</span><spanclass="p">}}</span>
</pre></div>
<p><ahref="https://github.com/MISP/PyMISP/blob/4f230c9299ad9d2d1c851148c629b61a94f3f117/pymisp/mispevent.py#L185-L200">To learn more about how data attributes are processed you can read the processing code here.</a></p>
<p>For both the type and the category lists, the first item in the list will be the default setting on the interface.</p>
<h3id="enable-your-module-in-the-web-interface">Enable your module in the web interface<aclass="headerlink"href="#enable-your-module-in-the-web-interface"title="Permanent link">¶</a></h3>
<p>For a module to be activated in the MISP web interface it must be enabled in the "Plugin Settings.</p>
<p>Go to "Administration > Server Settings" in the top menu
- Go to "Plugin Settings" in the top "tab menu bar"
- Click on the name of the type of module you have created to expand the list of plugins to show your module.
- Find the name of your plugin's "enabled" value in the Setting Column.
"Plugin.[MODULE NAME]_enabled"
- Double click on its "Value" column</p>
<divclass="codehilite"><pre><span></span>Priority Setting Value Description Error Message
Recommended Plugin.Import_ocr_enabled false Enable or disable the ocr module. Value not set.
</pre></div>
<ul>
<li>Use the drop-down to set the enabled value to 'true'</li>
</ul>
<divclass="codehilite"><pre><span></span>Priority Setting Value Description Error Message
Recommended Plugin.Import_ocr_enabled true Enable or disable the ocr module. Value not set.
</pre></div>
<h3id="set-any-other-required-settings-for-your-module">Set any other required settings for your module<aclass="headerlink"href="#set-any-other-required-settings-for-your-module"title="Permanent link">¶</a></h3>
<p>In this same menu set any other plugin settings that are required for testing.</p>
<h2id="install-misp-module-on-an-offline-instance">Install misp-module on an offline instance.<aclass="headerlink"href="#install-misp-module-on-an-offline-instance"title="Permanent link">¶</a></h2>
<p>First, you need to grab all necessary packages for example like this :</p>
<h2id="how-to-contribute-your-own-module">How to contribute your own module?<aclass="headerlink"href="#how-to-contribute-your-own-module"title="Permanent link">¶</a></h2>
<p>Fork the project, add your module, test it and make a pull-request. Modules can be also private as you can add a module in your own MISP installation.</p>
<h2id="tips-for-developers-creating-modules">Tips for developers creating modules<aclass="headerlink"href="#tips-for-developers-creating-modules"title="Permanent link">¶</a></h2>
<p>Download a pre-built virtual image from the <ahref="https://www.circl.lu/services/misp-training-materials/">MISP training materials</a>.</p>
<ul>
<li>Create a Host-Only adapter in VirtualBox</li>
<li>Set your Misp OVA to that Host-Only adapter</li>
<li>Start the virtual machine</li>
<li>Get the IP address of the virtual machine</li>
<li>SSH into the machine (Login info on training page)</li>
<p>In order to provide documentation about some modules that require specific input / output / configuration, the <ahref="doc">doc</a> directory contains detailed information about the general purpose, requirements, features, input and ouput of each of these modules:</p>
<ul>
<li>***description** - quick description of the general purpose of the module, as the one given by the moduleinfo</li>
<li><strong>requirements</strong> - special libraries needed to make the module work</li>
<li><strong>features</strong> - description of the way to use the module, with the required MISP features to make the module give the intended result</li>
<li><strong>references</strong> - link(s) giving additional information about the format concerned in the module</li>
<li><strong>input</strong> - description of the format of data used in input</li>
<li><strong>output</strong> - description of the format given as the result of the module execution</li>