2016-02-17 18:40:55 +01:00
# MISP modules
2016-04-11 12:18:56 +02:00
[![Build Status ](https://travis-ci.org/MISP/misp-modules.svg?branch=master )](https://travis-ci.org/MISP/misp-modules)
2016-02-17 18:40:55 +01:00
MISP modules are autonomous modules that can be used for expansion and other services in [MISP ](https://github.com/MISP/MISP ).
The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities
2016-06-23 12:51:13 +02:00
without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration.
2016-02-17 18:40:55 +01:00
2016-03-21 23:10:48 +01:00
MISP modules support is included in MISP starting from version 2.4.28.
2016-02-17 18:40:55 +01:00
2016-03-27 21:57:07 +02:00
For more information: [Extending MISP with Python modules ](https://www.circl.lu/assets/files/misp-training/3.1-MISP-modules.pdf ) slides from MISP training.
2016-02-17 18:40:55 +01:00
## Existing MISP modules
2016-06-23 12:51:13 +02:00
* [ASN History ](misp_modules/modules/expansion/asn_history.py ) - a hover and expansion module to expand an AS number with the ASN description and its history.
2016-06-24 02:15:25 +02:00
* [CIRCL Passive SSL ](misp_modules/modules/expansion/circl_passivessl.py ) - a hover and expansion module to expand IP addresses with the X.509 certificate seen.
2016-06-23 12:51:13 +02:00
* [CIRCL Passive DNS ](misp_modules/modules/expansion/circl_passivedns.py ) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
* [CVE ](misp_modules/modules/expansion/cve.py ) - a hover module to give more information about a vulnerability (CVE).
* [DNS ](misp_modules/modules/expansion/dns.py ) - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
* [EUPI ](misp_modules/modules/expansion/eupi.py ) - a hover and expansion module to get information about an URL from the [Phishing Initiative project ](https://phishing-initiative.eu/?lang=en ).
* [IPASN ](misp_modules/modules/expansion/ipasn.py ) - a hover and expansion to get the BGP ASN of an IP address.
* [passivetotal ](misp_modules/modules/expansion/passivetotal.py ) - a [passivetotal ](https://www.passivetotal.org/ ) module that queries a number of different PassiveTotal datasets.
2016-06-24 02:15:25 +02:00
* [sourcecache ](misp_modules/modules/expansion/sourcecache.py ) - a module to cache a specific link from a MISP instance.
2016-02-17 18:40:55 +01:00
2016-03-24 16:52:53 +01:00
## How to install and start MISP modules?
~~~~bash
2016-07-22 11:56:31 +02:00
sudo apt-get install python3-dev python3-pip libpq5
cd /usr/local/src/
sudo git clone https://github.com/MISP/misp-modules.git
2016-03-24 16:52:53 +01:00
cd misp-modules
2016-07-22 11:56:31 +02:00
sudo pip3 install -r REQUIREMENTS
sudo python3 setup.py build
sudo python3 setup.py install
sudo vi /etc/rc.local, add this line: `sudo -u www-data /usr/bin/python3 /usr/local/src/misp-modules/bin/misp-modules`
2016-03-24 16:52:53 +01:00
~~~~
2016-02-17 18:40:55 +01:00
## How to add your own MISP modules?
2016-06-23 12:51:13 +02:00
Create your module in [misp_modules/modules/expansion/ ](misp_modules/modules/expansion/ ). The module should have at minimum three functions:
2016-02-17 18:40:55 +01:00
2016-03-09 07:49:46 +01:00
* **introspection** function that returns a dict of the supported attributes (input and output) by your expansion module.
2016-02-17 18:40:55 +01:00
* **handler** function which accepts a JSON document to expand the values and return a dictionary of the expanded values.
2016-03-16 07:57:37 +01:00
* **version** function that returns a dict with the version and the associated meta-data including potential configurations required of the module.
2016-02-17 18:40:55 +01:00
2016-02-29 21:49:42 +01:00
Don't forget to return an error key and value if an error is raised to propagate it to the MISP user-interface.
2016-03-16 07:57:37 +01:00
If your module requires additional configuration (to be exposed via the MISP user-interface), a config array is added to the meta-data output containing all the potential configuration values:
2016-03-03 07:18:51 +01:00
2016-03-16 07:57:37 +01:00
~~~
"meta": {
"description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources",
"config": [
"username",
"password"
],
2016-03-20 19:54:32 +01:00
"module-type": [
"expansion",
"hover"
],
2016-03-16 07:57:37 +01:00
...
~~~
2016-03-03 07:18:51 +01:00
2016-03-20 19:54:32 +01:00
### Module type
A MISP module can be of two types:
- **expansion** - service related to an attribute that can be used to extend and update an existing event.
- **hover** - service related to an attribute to provide additional information to the users without updating the event.
module-type is an array where the list of supported types can be added.
2016-02-17 18:40:55 +01:00
## Testing your modules?
MISP uses the **modules** function to discover the available MISP modules and their supported MISP attributes:
~~~
% curl -s http://127.0.0.1:6666/modules | jq .
[
{
2016-03-16 07:57:37 +01:00
"name": "passivetotal",
"type": "expansion",
2016-02-24 00:55:14 +01:00
"mispattributes": {
2016-03-09 07:25:54 +01:00
"input": [
"hostname",
"domain",
2016-02-24 00:55:14 +01:00
"ip-src",
2016-03-16 07:57:37 +01:00
"ip-dst"
2016-02-24 00:55:14 +01:00
],
2016-03-09 07:25:54 +01:00
"output": [
"ip-src",
"ip-dst",
"hostname",
"domain"
]
},
2016-03-09 08:59:12 +01:00
"meta": {
2016-03-16 07:57:37 +01:00
"description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources",
"config": [
"username",
"password"
],
"author": "Alexandre Dulaunoy",
"version": "0.1"
}
},
{
"name": "sourcecache",
"type": "expansion",
"mispattributes": {
"input": [
"link"
],
"output": [
"link"
]
2016-03-09 08:59:12 +01:00
},
2016-03-16 07:57:37 +01:00
"meta": {
"description": "Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.",
"author": "Alexandre Dulaunoy",
"version": "0.1"
}
2016-03-09 07:25:54 +01:00
},
{
2016-03-16 07:57:37 +01:00
"name": "dns",
"type": "expansion",
2016-03-09 07:25:54 +01:00
"mispattributes": {
2016-02-24 00:55:14 +01:00
"input": [
"hostname",
"domain"
2016-03-09 07:25:54 +01:00
],
"output": [
"ip-src",
"ip-dst"
2016-02-24 00:55:14 +01:00
]
},
2016-03-09 07:25:54 +01:00
"meta": {
2016-03-16 07:57:37 +01:00
"description": "Simple DNS expansion service to resolve IP address from MISP attributes",
"author": "Alexandre Dulaunoy",
"version": "0.1"
}
2016-02-17 18:40:55 +01:00
}
]
2016-03-16 07:57:37 +01:00
2016-02-17 18:40:55 +01:00
~~~
The MISP module service returns the available modules in a JSON array containing each module name along with their supported input attributes.
Based on this information, a query can be built in a JSON format and saved as body.json:
2016-03-16 07:57:37 +01:00
~~~json
{
"hostname": "www.foo.be",
"module": "dns"
}
~~~
Then you can POST this JSON format query towards the MISP object server:
~~~
curl -s http://127.0.0.1:6666/query -H "Content-Type: application/json" --data @body .json -X POST
~~~
The module should output the following JSON:
2016-02-17 18:40:55 +01:00
~~~json
2016-02-24 00:23:26 +01:00
{
"results": [
{
"types": [
"ip-src",
"ip-dst"
],
"values": [
"188.65.217.78"
]
}
]
}
2016-02-17 18:40:55 +01:00
~~~
2016-07-26 12:13:49 +02:00
It is also possible to restrict the category options of the resolved attributes by passing a list of categories along (optional):
~~~json
{
"results": [
{
"types": [
"ip-src",
"ip-dst"
],
"values": [
"188.65.217.78"
],
"categories": [
"Network activity",
"Payload delivery"
]
}
]
}
~~~
For both the type and the category lists, the first item in the list will be the default setting on the interface.
2016-03-09 07:49:46 +01:00
## How to contribute your own module?
Fork the project, add your module, test it and make a pull-request. Modules can be also private as you can add a module in your own MISP installation.