MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

add: [documentation] Updated README and documentation with the virustotal modules changes

Browse Source
pull/322/head
chrisr3d 4 years ago
parent 14cf39d8b6
commit 13d683f7c6
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
4 changed files with 47 additions and 13 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      README.md
  2. 38
      doc/README.md
  3. 10
      doc/expansion/virustotal.json
  4. 9
      doc/expansion/virustotal_public.json

3
README.md
Unescape View File

@ -67,7 +67,8 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
* [threatminer](misp_modules/modules/expansion/threatminer.py) - an expansion module to expand from [ThreatMiner](https://www.threatminer.org/).
* [urlhaus](misp_modules/modules/expansion/urlhaus.py) - Query urlhaus to get additional data about a domain, hash, hostname, ip or url.
* [urlscan](misp_modules/modules/expansion/urlscan.py) - an expansion module to query [urlscan.io](https://urlscan.io).
* [virustotal](misp_modules/modules/expansion/virustotal.py) - an expansion module to pull known resolutions and malware samples related with an IP/Domain from virusTotal (this modules require a VirusTotal private API key)
* [virustotal](misp_modules/modules/expansion/virustotal.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a high request rate limit required. (More details about the API: [here](https://developers.virustotal.com/reference))
* [virustotal_public](misp_modules/modules/expansion/virustotal_public.py) - an expansion module to query the [VirusTotal](https://www.virustotal.com/gui/home) API with a public key and a low request rate limit. (More details about the API: [here](https://developers.virustotal.com/reference))
* [VMray](misp_modules/modules/expansion/vmray_submit.py) - a module to submit a sample to VMray.
* [VulnDB](misp_modules/modules/expansion/vulndb.py) - a module to query [VulnDB](https://www.riskbasedsecurity.com/).
* [Vulners](misp_modules/modules/expansion/vulners.py) - an expansion module to expand information about CVEs using Vulners API.

38
doc/README.md
Unescape View File

@ -1042,21 +1042,45 @@ An expansion module to query urlscan.io.
<img src=logos/virustotal.png height=60>
Module to get information from virustotal.
Module to get advanced information from virustotal.
- **features**:
>This module takes a MISP attribute as input and queries the VirusTotal API with it, in order to get additional data on the input attribute.
>New format of modules able to return attributes and objects.
>
>Multiple recursive requests on the API can then be processed on some attributes found in the first request. A limit can be set to restrict the number of values to query again, and at the same time the number of request submitted to the API.
>A module to take a MISP attribute as input and query the VirusTotal API to get additional data about it.
>
>This limit is important because the default user VirusTotal apikey only allows to process a certain nunmber of queries per minute. As a consequence it is recommended to have a larger number of requests or a private apikey.
>Compared to the [standard VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/expansion/virustotal.py), this module is made for advanced parsing of VirusTotal report, with a recursive analysis of the elements found after the first request.
>
>Data is then mapped into MISP attributes.
>Thus, it requires a higher request rate limit to avoid the API to return a 204 error (Request rate limit exceeded), and the data parsed from the different requests are returned as MISP attributes and objects, with the corresponding relations between each one of them.
- **input**:
>A domain, hash (md5, sha1, sha256 or sha512), hostname or IP address attribute.
- **output**:
>MISP attributes mapped from the rersult of the query on VirusTotal API.
>MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute.
- **references**:
>https://www.virustotal.com/
>https://www.virustotal.com/, https://developers.virustotal.com/reference
- **requirements**:
>An access to the VirusTotal API (apikey), with a high request rate limit.
-----
#### [virustotal_public](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/virustotal_public.py)
<img src=logos/virustotal.png height=60>
Module to get information from VirusTotal.
- **features**:
>New format of modules able to return attributes and objects.
>
>A module to take a MISP attribute as input and query the VirusTotal API to get additional data about it.
>
>Compared to the [more advanced VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/expansion/virustotal.py), this module is made for VirusTotal users who have a low request rate limit.
>
>Thus, it only queries the API once and returns the results that is parsed into MISP attributes and objects.
- **input**:
>A domain, hostname, ip, url or hash (md5, sha1, sha256 or sha512) attribute.
- **output**:
>MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute.
- **references**:
>https://www.virustotal.com, https://developers.virustotal.com/reference
- **requirements**:
>An access to the VirusTotal API (apikey)

10
doc/expansion/virustotal.json
Unescape View File

@ -1,9 +1,9 @@
{
"description": "Module to get information from virustotal.",
"description": "Module to get advanced information from virustotal.",
"logo": "logos/virustotal.png",
"requirements": ["An access to the VirusTotal API (apikey)"],
"requirements": ["An access to the VirusTotal API (apikey), with a high request rate limit."],
"input": "A domain, hash (md5, sha1, sha256 or sha512), hostname or IP address attribute.",
"output": "MISP attributes mapped from the rersult of the query on VirusTotal API.",
"references": ["https://www.virustotal.com/"],
"features": "This module takes a MISP attribute as input and queries the VirusTotal API with it, in order to get additional data on the input attribute.\n\nMultiple recursive requests on the API can then be processed on some attributes found in the first request. A limit can be set to restrict the number of values to query again, and at the same time the number of request submitted to the API.\n\nThis limit is important because the default user VirusTotal apikey only allows to process a certain nunmber of queries per minute. As a consequence it is recommended to have a larger number of requests or a private apikey.\n\nData is then mapped into MISP attributes."
"output": "MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute.",
"references": ["https://www.virustotal.com/", "https://developers.virustotal.com/reference"],
"features": "New format of modules able to return attributes and objects.\n\nA module to take a MISP attribute as input and query the VirusTotal API to get additional data about it.\n\nCompared to the [standard VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/expansion/virustotal.py), this module is made for advanced parsing of VirusTotal report, with a recursive analysis of the elements found after the first request.\n\nThus, it requires a higher request rate limit to avoid the API to return a 204 error (Request rate limit exceeded), and the data parsed from the different requests are returned as MISP attributes and objects, with the corresponding relations between each one of them."
}

9
doc/expansion/virustotal_public.json
Unescape View File

@ -0,0 +1,9 @@
{
"description": "Module to get information from VirusTotal.",
"logo": "logos/virustotal.png",
"requirements": ["An access to the VirusTotal API (apikey)"],
"input": "A domain, hostname, ip, url or hash (md5, sha1, sha256 or sha512) attribute.",
"output": "MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute.",
"references": ["https://www.virustotal.com", "https://developers.virustotal.com/reference"],
"features": "New format of modules able to return attributes and objects.\n\nA module to take a MISP attribute as input and query the VirusTotal API to get additional data about it.\n\nCompared to the [more advanced VirusTotal expansion module](https://github.com/MISP/misp-modules/blob/master/misp_modules/modules/expansion/virustotal.py), this module is made for VirusTotal users who have a low request rate limit.\n\nThus, it only queries the API once and returns the results that is parsed into MISP attributes and objects."
}
Write Preview
Loading…
Cancel
Save