diff --git a/README.md b/README.md
index 462e4c1..235b085 100644
--- a/README.md
+++ b/README.md
@@ -121,7 +121,7 @@ sudo systemctl enable --now misp-modules
 ~~~~
 ## How to install and start MISP modules on RHEL-based distributions ?
-As of this writing, the official RHEL repositories only contain Ruby 2.0.0 and Ruby 2.1 or higher is required. As such, this guide installs Ruby 2.2 from the [SCL](https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.2_release_notes/chap-installation#sect-Installation-Subscribe) repository.
+As of this writing, the official RHEL repositories only contain Ruby 2.0.0 and Ruby 2.1 or higher is required. As such, this guide installs Ruby 2.2 from the [SCL](https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.2_release_notes/chap-installation#sect-Installation-Subscribe) repository.
 ~~~~bash
 sudo yum install rh-ruby22
diff --git a/misp_modules/modules/expansion/crowdstrike_falcon.py b/misp_modules/modules/expansion/crowdstrike_falcon.py
index 1342e88..8ed3311 100755
--- a/misp_modules/modules/expansion/crowdstrike_falcon.py
+++ b/misp_modules/modules/expansion/crowdstrike_falcon.py
@@ -7,9 +7,10 @@ moduleinfo = {'version': '0.1', 'module-type': ['expansion']}
 moduleconfig = ['api_id', 'apikey']
 misperrors = {'error': 'Error'}
-misp_types_in = ['domain', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',
- 'filename', 'hostname', 'ip', 'ip-src', 'ip-dst', 'md5', 'mutex', 'regkey', 'sha1', 'sha256', 'uri', 'url',
- 'user-agent', 'whois-registrant-email', 'x509-fingerprint-md5']
+misp_types_in = ['domain', 'domain|ip', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',
+ 'filename', 'hostname', 'ip-src', 'ip-dst', 'md5', 'mutex', 'regkey', 'sha1', 'sha256', 'ip-src|port',
+ 'ip-dst|port', 'uri', 'url', 'user-agent', 'whois-registrant-email', 'x509-fingerprint-md5',
+ 'hostname|port']
 mapping_out = { # mapping between the MISP attributes types and the compatible CrowdStrike indicator types.
 'domain': {'types': 'hostname', 'to_ids': True},
 'email_address': {'types': 'email-src', 'to_ids': True},
@@ -51,9 +52,13 @@ def handler(q=False):
 valid_type = False
 for k in misp_types_in:
 if request.get(k):
- # map the MISP typ to the CrowdStrike type
- for item in lookup_indicator(client, request[k]):
- r['results'].append(item)
+ to_query = request[k]
+ if '|' in k:
+ to_query, query = to_query.split('|')
+ if 'port' not in k:
+ r['result'].extend([ item for item in lookup_indicator(client, query)])
+ # map the MISP type to the CrowdStrike type
+ r['results'].extend([item for item in lookup_indicator(client, to_query)])
 valid_type = True
 if not valid_type:
diff --git a/misp_modules/modules/expansion/dns.py b/misp_modules/modules/expansion/dns.py
index c5af9d6..a9b73fe 100755
--- a/misp_modules/modules/expansion/dns.py
+++ b/misp_modules/modules/expansion/dns.py
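Review bot: `r['result'].extend(...)` inside the `if 'port' not in k:` branch indexes a key that does not exist — every other line here uses `r['results']` (the removed `append` and the new `extend` two lines below) — so a `domain|ip` attribute makes the handler raise KeyError instead of returning the second lookup; it should read `r['results'].extend(lookup_indicator(client, query))`, which also drops the redundant list comprehension (the same simplification applies to the `to_query` line). Separately, `to_query, query = to_query.split('|')` only works when the attribute value contains exactly one `|`; any other value raises ValueError outside any error handling visible in this hunk, so the module would fail with a traceback rather than the `misperrors` JSON the rest of the handler returns — a `split('|', 1)` plus a length check (or a return of `misperrors`) would keep that contract. The identical unpacking appears in the domaintools.py `@@ -259` hunk and in both new `elif` branches of the eupi.py hunk, so the same guard is needed there. `handler` begins and ends outside this hunk.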
@@ -2,8 +2,8 @@ import json
 import dns.resolver
 misperrors = {'error': 'Error'}
-mispattributes = {'input': ['hostname', 'domain', 'domain|ip'], 'output': ['ip-src',
- 'ip-dst']}
+mispattributes = {'input': ['hostname', 'hostname|port', 'domain', 'domain|ip'],
+ 'output': ['ip-src', 'ip-dst']}
 moduleinfo = {'version': '0.2', 'author': 'Alexandre Dulaunoy', 'description': 'Simple DNS expansion service to resolve IP address from MISP attributes', 'module-type': ['expansion', 'hover']}
@@ -21,6 +21,8 @@ def handler(q=False):
 toquery = request['domain']
 elif request.get('domain|ip'):
 toquery = request['domain|ip'].split('|')[0]
+ elif request.get('hostname|port'):
+ toquery = request['hostname|port'].split('|')[0]
 else:
 return False
 r = dns.resolver.Resolver()
diff --git a/misp_modules/modules/expansion/domaintools.py b/misp_modules/modules/expansion/domaintools.py
index d952fdf..1113a88 100755
--- a/misp_modules/modules/expansion/domaintools.py
+++ b/misp_modules/modules/expansion/domaintools.py
@@ -15,8 +15,9 @@ log.addHandler(ch)
 misperrors = {'error': 'Error'}
 mispattributes = {
- 'input': ['domain', 'email-src', 'email-dst', 'target-email', 'whois-registrant-email',
- 'whois-registrant-name', 'whois-registrant-phone', 'ip-src', 'ip-dst'],
+ 'input': ['domain', 'domain|ip', 'email-src', 'email-dst', 'target-email', 'whois-registrant-email',
+ 'whois-registrant-name', 'whois-registrant-phone', 'ip-src', 'ip-dst', 'hostname',
+ 'hostname|port', 'ip-src|port', 'ip-dst|port'],
 'output': ['whois-registrant-email', 'whois-registrant-phone', 'whois-registrant-name',
 'whois-registrar', 'whois-creation-date', 'freetext', 'domain']
 }
@@ -31,9 +32,9 @@ moduleinfo = {
 moduleconfig = ['username', 'api_key']
 query_profiles = [
- {'inputs': ['domain'], 'services': ['parsed_whois', 'domain_profile', 'reputation', 'reverse_ip']},
+ {'inputs': ['domain', 'hostname'], 'services': ['parsed_whois', 'domain_profile', 'reputation', 'reverse_ip']},
 {'inputs': ['email-src', 'email-dst', 'target-email', 'whois-registrant-email', 'whois-registrant-name', 'whois-registrant-phone'], 'services': ['reverse_whois']},
- {'inputs': ['ip-src', 'ip-dst'], 'services': ['host_domains']}
+ {'inputs': ['ip', 'ip-src', 'ip-dst'], 'services': ['host_domains']}
 ]
@@ -223,15 +224,20 @@ def reverse_ip_whois(domtools, to_query, values):
 # values.add_domain(d, 'Reverse domain related to {}.'.format(to_query))
 return values
+def get_services(type_):
+ for p in query_profiles:
+ if type_ in p['inputs']:
+ return p['services']
-def get_services(request):
-for t in mispattributes['input']:
-to_query = request.get(t)
-if not to_query:
-continue
-for p in query_profiles:
-if t in p['inputs']:
-return p['services']
+
+def process_query(type_, domtools, to_query, values):
+ services = get_services(type_)
+ if services:
+ try:
+ for s in services:
+ globals()[s](domtools, to_query, values)
+ except Exception as e:
+ print(to_query, type(e), e)
 def handler(q=False):
@@ -243,6 +249,7 @@ def handler(q=False):
 for t in mispattributes['input']:
 to_query = request.get(t)
 if to_query:
+ input_type = t
 break
 if not to_query:
 misperrors['error'] = "Unsupported attributes type"
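Review bot: `process_query` reports a failed DomainTools service call with `print(to_query, type(e), e)` and then carries on, so the failure goes to the module server's stdout while `handler` still returns whatever partial `values.dump()` was collected as a success. The file already wires a logger (`log.addHandler(ch)` in the `@@ -15` hunk header), so the `except` branch should be `log.exception('%s: %s', to_query, e)` and the caller should be told the result is partial — the `print` was carried over from the removed `handler` code, but this hunk is now its home. `get_services` falls off the end for an unknown type; an explicit `return None` and a docstring such as `"""Return the service list for a MISP attribute type, or None if no profile matches."""` would make the contract that `process_query`'s `if services:` relies on visible. A why-comment on the dispatch line, `# service names come from the module-level query_profiles, never from the request`, would also save the next reader from auditing `globals()[s]` for injection.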
@@ -259,13 +266,12 @@ def handler(q=False):
 return misperrors
 values = DomainTools()
- services = get_services(request)
- if services:
- try:
- for s in services:
- globals()[s](domtools, to_query, values)
- except Exception as e:
- print(to_query, type(e), e)
+ if '|' in input_type:
+ to_query, query = to_query.split('|')
+ input_type, type_ = input_type.split('|')
+ if type_ != 'port':
+ process_query(type_, domtools, query, values)
+ process_query(input_type, domtools, to_query, values)
 return {'results': values.dump()}
diff --git a/misp_modules/modules/expansion/eupi.py b/misp_modules/modules/expansion/eupi.py
index e230bcf..561efb2 100755
--- a/misp_modules/modules/expansion/eupi.py
+++ b/misp_modules/modules/expansion/eupi.py
@@ -4,7 +4,7 @@ import json
 from pyeupi import PyEUPI
 misperrors = {'error': 'Error'}
-mispattributes = {'input': ['hostname', 'domain', 'url'], 'output': ['freetext']}
+mispattributes = {'input': ['hostname', 'hostname|port', 'domain', 'domain|ip', 'url'], 'output': ['freetext']}
 moduleinfo = {'version': '0.1', 'author': 'Raphaƫl Vinot', 'description': 'Query the Phishing Initiative service (https://phishing-initiative.lu)', 'module-type': ['expansion', 'hover']}
@@ -18,8 +18,12 @@ def handler(q=False):
 request = json.loads(q)
 if request.get('hostname'):
 toquery = request['hostname']
+ elif request.get('hostname|port'):
+ toquery, _ = request['hostname|port'].split('|')
 elif request.get('domain'):
 toquery = request['domain']
+ elif request.get('domain|ip'):
+ toquery, _ = request['domain|ip'].split('|')
 elif request.get('url'):
 toquery = request['url']
 else: