Merge branch 'chrisr3d_patch' of github.com:MISP/misp-modules into chrisr3d_patch

README.md

@@ -121,7 +121,7 @@ sudo systemctl enable --now misp-modules
 ~~~~
 
 ## How to install and start MISP modules on RHEL-based distributions ?
-As of this writing, the official RHEL repositories only contain Ruby 2.0.0 and Ruby 2.1 or higher is required. As such, this guide installs Ruby 2.2 from the [SCL](https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.2_release_notes/chap-installation#sect-Installation-Subscribe) repository. 
+As of this writing, the official RHEL repositories only contain Ruby 2.0.0 and Ruby 2.1 or higher is required. As such, this guide installs Ruby 2.2 from the [SCL](https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.2_release_notes/chap-installation#sect-Installation-Subscribe) repository.
 
 ~~~~bash
 sudo yum install rh-ruby22

misp_modules/modules/expansion/crowdstrike_falcon.py

@@ -7,9 +7,10 @@ moduleinfo = {'version': '0.1',
               'module-type': ['expansion']}
 moduleconfig = ['api_id', 'apikey']
 misperrors = {'error': 'Error'}
-misp_types_in = ['domain', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',
-                 'filename', 'hostname', 'ip', 'ip-src', 'ip-dst', 'md5', 'mutex', 'regkey', 'sha1', 'sha256', 'uri', 'url',
-                 'user-agent', 'whois-registrant-email', 'x509-fingerprint-md5']
+misp_types_in = ['domain', 'domain|ip', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',
+                 'filename', 'hostname', 'ip-src', 'ip-dst', 'md5', 'mutex', 'regkey', 'sha1', 'sha256', 'ip-src|port',
+                 'ip-dst|port', 'uri', 'url', 'user-agent', 'whois-registrant-email', 'x509-fingerprint-md5',
+                 'hostname|port']
 mapping_out = {  # mapping between the MISP attributes types and the compatible CrowdStrike indicator types.
     'domain': {'types': 'hostname', 'to_ids': True},
     'email_address': {'types': 'email-src', 'to_ids': True},
@@ -51,9 +52,13 @@ def handler(q=False):
     valid_type = False
     for k in misp_types_in:
         if request.get(k):
-            # map the MISP typ to the CrowdStrike type
-            for item in lookup_indicator(client, request[k]):
-                r['results'].append(item)
+            to_query = request[k]
+            if '|' in k:
+                to_query, query = to_query.split('|')
+                if 'port' not in k:
+                    r['result'].extend([ item for item in lookup_indicator(client, query)])
+            # map the MISP type to the CrowdStrike type
+            r['results'].extend([item for item in lookup_indicator(client, to_query)])
             valid_type = True
 
     if not valid_type:

misp_modules/modules/expansion/dns.py

@@ -2,8 +2,8 @@ import json
 import dns.resolver
 
 misperrors = {'error': 'Error'}
-mispattributes = {'input': ['hostname', 'domain', 'domain|ip'], 'output': ['ip-src',
-                                                                           'ip-dst']}
+mispattributes = {'input': ['hostname', 'hostname|port', 'domain', 'domain|ip'],
+                  'output': ['ip-src', 'ip-dst']}
 moduleinfo = {'version': '0.2', 'author': 'Alexandre Dulaunoy',
               'description': 'Simple DNS expansion service to resolve IP address from MISP attributes',
               'module-type': ['expansion', 'hover']}
@@ -21,6 +21,8 @@ def handler(q=False):
         toquery = request['domain']
     elif request.get('domain|ip'):
         toquery = request['domain|ip'].split('|')[0]
+    elif request.get('hostname|port'):
+        toquery = request['hostname|port'].split('|')[0]
     else:
         return False
     r = dns.resolver.Resolver()

misp_modules/modules/expansion/domaintools.py

@@ -15,8 +15,9 @@ log.addHandler(ch)
 
 misperrors = {'error': 'Error'}
 mispattributes = {
-    'input': ['domain', 'email-src', 'email-dst', 'target-email', 'whois-registrant-email',
-              'whois-registrant-name', 'whois-registrant-phone', 'ip-src', 'ip-dst'],
+    'input': ['domain', 'domain|ip', 'email-src', 'email-dst', 'target-email', 'whois-registrant-email',
+              'whois-registrant-name', 'whois-registrant-phone', 'ip-src', 'ip-dst', 'hostname',
+              'hostname|port', 'ip-src|port', 'ip-dst|port'],
     'output': ['whois-registrant-email', 'whois-registrant-phone', 'whois-registrant-name',
                'whois-registrar', 'whois-creation-date', 'freetext', 'domain']
 }
@@ -31,9 +32,9 @@ moduleinfo = {
 moduleconfig = ['username', 'api_key']
 
 query_profiles = [
-    {'inputs': ['domain'], 'services': ['parsed_whois', 'domain_profile', 'reputation', 'reverse_ip']},
+    {'inputs': ['domain', 'hostname'], 'services': ['parsed_whois', 'domain_profile', 'reputation', 'reverse_ip']},
     {'inputs': ['email-src', 'email-dst', 'target-email', 'whois-registrant-email', 'whois-registrant-name', 'whois-registrant-phone'], 'services': ['reverse_whois']},
-    {'inputs': ['ip-src', 'ip-dst'], 'services': ['host_domains']}
+    {'inputs': ['ip', 'ip-src', 'ip-dst'], 'services': ['host_domains']}
 ]
 
 
@@ -223,15 +224,20 @@ def reverse_ip_whois(domtools, to_query, values):
     #    values.add_domain(d, 'Reverse domain related to {}.'.format(to_query))
     return values
 
+def get_services(type_):
+    for p in query_profiles:
+        if type_ in p['inputs']:
+            return p['services']
 
-def get_services(request):
-    for t in mispattributes['input']:
-        to_query = request.get(t)
-        if not to_query:
-            continue
-        for p in query_profiles:
-            if t in p['inputs']:
-                return p['services']
+
+def process_query(type_, domtools, to_query, values):
+    services = get_services(type_)
+    if services:
+        try:
+            for s in services:
+                globals()[s](domtools, to_query, values)
+        except Exception as e:
+            print(to_query, type(e), e)
 
 
 def handler(q=False):
@@ -243,6 +249,7 @@ def handler(q=False):
     for t in mispattributes['input']:
         to_query = request.get(t)
         if to_query:
+            input_type = t
             break
     if not to_query:
         misperrors['error'] = "Unsupported attributes type"
@@ -259,13 +266,12 @@ def handler(q=False):
         return misperrors
 
     values = DomainTools()
-    services = get_services(request)
-    if services:
-        try:
-            for s in services:
-                globals()[s](domtools, to_query, values)
-        except Exception as e:
-            print(to_query, type(e), e)
+    if '|' in input_type:
+        to_query, query = to_query.split('|')
+        input_type, type_ = input_type.split('|')
+        if type_ != 'port':
+            process_query(type_, domtools, query, values)
+    process_query(input_type, domtools, to_query, values)
 
     return {'results': values.dump()}
 

misp_modules/modules/expansion/eupi.py

@@ -4,7 +4,7 @@ import json
 from pyeupi import PyEUPI
 
 misperrors = {'error': 'Error'}
-mispattributes = {'input': ['hostname', 'domain', 'url'], 'output': ['freetext']}
+mispattributes = {'input': ['hostname', 'hostname|port', 'domain', 'domain|ip', 'url'], 'output': ['freetext']}
 moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot',
               'description': 'Query the Phishing Initiative service (https://phishing-initiative.lu)',
               'module-type': ['expansion', 'hover']}
@@ -18,8 +18,12 @@ def handler(q=False):
     request = json.loads(q)
     if request.get('hostname'):
         toquery = request['hostname']
+    elif request.get('hostname|port'):
+        toquery, _ = request['hostname|port'].split('|')
     elif request.get('domain'):
         toquery = request['domain']
+    elif request.get('domain|ip'):
+        toquery, _ = request['domain|ip'].split('|')
     elif request.get('url'):
         toquery = request['url']
     else: