2016-02-17 18:40:55 +01:00
# MISP modules
MISP modules are autonomous modules that can be used for expansion and other services in [MISP ](https://github.com/MISP/MISP ).
The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities
without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration.
MISP modules support is included in MISP starting from version 2.4.X.
## Existing MISP modules
* [DNS ](modules/expansion/dns.py ) - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
2016-03-02 21:26:04 +01:00
* [passivetotal ](modules/expansion/passivetotal.py ) - a [passivetotal ](https://www.passivetotal.org/ ) module to query the passivetotal passive DNS interface.
2016-02-17 18:40:55 +01:00
## How to add your own MISP modules?
2016-03-09 07:49:46 +01:00
Create your module in [modules/expansion/ ](modules/expansion/ ). The module should have at minimum three functions:
2016-02-17 18:40:55 +01:00
2016-03-09 07:49:46 +01:00
* **introspection** function that returns a dict of the supported attributes (input and output) by your expansion module.
2016-02-17 18:40:55 +01:00
* **handler** function which accepts a JSON document to expand the values and return a dictionary of the expanded values.
2016-03-09 07:49:46 +01:00
* **version** function that returns a dict with the version and the associated meta-data of the module.
2016-02-17 18:40:55 +01:00
2016-02-29 21:49:42 +01:00
Don't forget to return an error key and value if an error is raised to propagate it to the MISP user-interface.
2016-03-03 07:18:51 +01:00
If your module requires authentication, the following reserved MISP attributes are used to pass the authentication
values from MISP towards the module:
* module-username
* module-password
2016-02-17 18:40:55 +01:00
## Testing your modules?
MISP uses the **modules** function to discover the available MISP modules and their supported MISP attributes:
~~~
% curl -s http://127.0.0.1:6666/modules | jq .
[
{
2016-02-24 00:55:14 +01:00
"mispattributes": {
2016-03-09 07:25:54 +01:00
"input": [
"hostname",
"domain",
2016-02-24 00:55:14 +01:00
"ip-src",
2016-03-09 07:25:54 +01:00
"ip-dst",
"module-username",
"module-password"
2016-02-24 00:55:14 +01:00
],
2016-03-09 07:25:54 +01:00
"output": [
"ip-src",
"ip-dst",
"hostname",
"domain"
]
},
"meta": "0.1",
"name": "passivetotal",
"type": "expansion"
},
{
"mispattributes": {
2016-02-24 00:55:14 +01:00
"input": [
"hostname",
"domain"
2016-03-09 07:25:54 +01:00
],
"output": [
"ip-src",
"ip-dst"
2016-02-24 00:55:14 +01:00
]
},
2016-03-09 07:25:54 +01:00
"meta": {
"description": "Simple DNS expansion services to resolve IP address from MISP attributes",
"version": "0.1",
"author": "Alexandre Dulaunoy"
},
2016-02-17 18:40:55 +01:00
"name": "dns",
2016-03-09 07:25:54 +01:00
"type": "expansion"
2016-02-17 18:40:55 +01:00
}
]
~~~
The MISP module service returns the available modules in a JSON array containing each module name along with their supported input attributes.
Based on this information, a query can be built in a JSON format and saved as body.json:
~~~json
2016-02-24 00:23:26 +01:00
{
"results": [
{
"types": [
"ip-src",
"ip-dst"
],
"values": [
"188.65.217.78"
]
}
]
}
2016-02-17 18:40:55 +01:00
~~~
Then you can POST this JSON format query towards the MISP object server:
~~~
curl -s http://127.0.0.1:6666/query -H "Content-Type: application/json" --data @body .json -X POST
~~~
2016-03-09 07:49:46 +01:00
## How to contribute your own module?
Fork the project, add your module, test it and make a pull-request. Modules can be also private as you can add a module in your own MISP installation.
