Merge branch 'chrisr3d_patch' of github.com:MISP/misp-modules into chrisr3d_patch
commit
29dff547a2
|
@ -121,7 +121,7 @@ sudo systemctl enable --now misp-modules
|
||||||
~~~~
|
~~~~
|
||||||
|
|
||||||
## How to install and start MISP modules on RHEL-based distributions ?
|
## How to install and start MISP modules on RHEL-based distributions ?
|
||||||
As of this writing, the official RHEL repositories only contain Ruby 2.0.0 and Ruby 2.1 or higher is required. As such, this guide installs Ruby 2.2 from the [SCL](https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.2_release_notes/chap-installation#sect-Installation-Subscribe) repository.
|
As of this writing, the official RHEL repositories only contain Ruby 2.0.0 and Ruby 2.1 or higher is required. As such, this guide installs Ruby 2.2 from the [SCL](https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.2_release_notes/chap-installation#sect-Installation-Subscribe) repository.
|
||||||
|
|
||||||
~~~~bash
|
~~~~bash
|
||||||
sudo yum install rh-ruby22
|
sudo yum install rh-ruby22
|
||||||
|
|
|
@ -7,9 +7,10 @@ moduleinfo = {'version': '0.1',
|
||||||
'module-type': ['expansion']}
|
'module-type': ['expansion']}
|
||||||
moduleconfig = ['api_id', 'apikey']
|
moduleconfig = ['api_id', 'apikey']
|
||||||
misperrors = {'error': 'Error'}
|
misperrors = {'error': 'Error'}
|
||||||
misp_types_in = ['domain', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',
|
misp_types_in = ['domain', 'domain|ip', 'email-attachment', 'email-dst', 'email-reply-to', 'email-src', 'email-subject',
|
||||||
'filename', 'hostname', 'ip', 'ip-src', 'ip-dst', 'md5', 'mutex', 'regkey', 'sha1', 'sha256', 'uri', 'url',
|
'filename', 'hostname', 'ip-src', 'ip-dst', 'md5', 'mutex', 'regkey', 'sha1', 'sha256', 'ip-src|port',
|
||||||
'user-agent', 'whois-registrant-email', 'x509-fingerprint-md5']
|
'ip-dst|port', 'uri', 'url', 'user-agent', 'whois-registrant-email', 'x509-fingerprint-md5',
|
||||||
|
'hostname|port']
|
||||||
mapping_out = { # mapping between the MISP attributes types and the compatible CrowdStrike indicator types.
|
mapping_out = { # mapping between the MISP attributes types and the compatible CrowdStrike indicator types.
|
||||||
'domain': {'types': 'hostname', 'to_ids': True},
|
'domain': {'types': 'hostname', 'to_ids': True},
|
||||||
'email_address': {'types': 'email-src', 'to_ids': True},
|
'email_address': {'types': 'email-src', 'to_ids': True},
|
||||||
|
@ -51,9 +52,13 @@ def handler(q=False):
|
||||||
valid_type = False
|
valid_type = False
|
||||||
for k in misp_types_in:
|
for k in misp_types_in:
|
||||||
if request.get(k):
|
if request.get(k):
|
||||||
# map the MISP typ to the CrowdStrike type
|
to_query = request[k]
|
||||||
for item in lookup_indicator(client, request[k]):
|
if '|' in k:
|
||||||
r['results'].append(item)
|
to_query, query = to_query.split('|')
|
||||||
|
if 'port' not in k:
|
||||||
|
r['result'].extend([ item for item in lookup_indicator(client, query)])
|
||||||
|
# map the MISP type to the CrowdStrike type
|
||||||
|
r['results'].extend([item for item in lookup_indicator(client, to_query)])
|
||||||
valid_type = True
|
valid_type = True
|
||||||
|
|
||||||
if not valid_type:
|
if not valid_type:
|
||||||
|
|
|
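Review bot: The new composite-type branch writes `r['result'].extend(...)` on the line under `if 'port' not in k:` while the line right below it and the rest of the hunk use `r['results']`, so the lookup of the second half of a `domain|ip` value either raises KeyError or lands in a key nobody reads; it should be `r['results'].extend(lookup_indicator(client, query))`. Both `extend` calls also wrap the generator in a redundant `[item for item in ...]` — `extend` takes the iterable directly. `to_query, query = to_query.split('|')` raises ValueError whenever the attribute value does not contain exactly one `|`, and since attribute values come from MISP events that are frequently imported from external feeds a single malformed value aborts the whole handler; the same unpack appears in the domaintools `@ -259,13` hunk and the eupi `@ -18,8` hunk (`toquery, _ = ...split('|')`), and `split('|', 1)` or `partition('|')` makes it total in all three. The enclosing `handler` and the initialisation of `r` are outside this hunk, so I am assuming `r` is created with a `results` list earlier in the function.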
@ -2,8 +2,8 @@ import json
|
||||||
import dns.resolver
|
import dns.resolver
|
||||||
|
|
||||||
misperrors = {'error': 'Error'}
|
misperrors = {'error': 'Error'}
|
||||||
mispattributes = {'input': ['hostname', 'domain', 'domain|ip'], 'output': ['ip-src',
|
mispattributes = {'input': ['hostname', 'hostname|port', 'domain', 'domain|ip'],
|
||||||
'ip-dst']}
|
'output': ['ip-src', 'ip-dst']}
|
||||||
moduleinfo = {'version': '0.2', 'author': 'Alexandre Dulaunoy',
|
moduleinfo = {'version': '0.2', 'author': 'Alexandre Dulaunoy',
|
||||||
'description': 'Simple DNS expansion service to resolve IP address from MISP attributes',
|
'description': 'Simple DNS expansion service to resolve IP address from MISP attributes',
|
||||||
'module-type': ['expansion', 'hover']}
|
'module-type': ['expansion', 'hover']}
|
||||||
|
@ -21,6 +21,8 @@ def handler(q=False):
|
||||||
toquery = request['domain']
|
toquery = request['domain']
|
||||||
elif request.get('domain|ip'):
|
elif request.get('domain|ip'):
|
||||||
toquery = request['domain|ip'].split('|')[0]
|
toquery = request['domain|ip'].split('|')[0]
|
||||||
|
elif request.get('hostname|port'):
|
||||||
|
toquery = request['hostname|port'].split('|')[0]
|
||||||
else:
|
else:
|
||||||
return False
|
return False
|
||||||
r = dns.resolver.Resolver()
|
r = dns.resolver.Resolver()
|
||||||
|
|
|
@ -15,8 +15,9 @@ log.addHandler(ch)
|
||||||
|
|
||||||
misperrors = {'error': 'Error'}
|
misperrors = {'error': 'Error'}
|
||||||
mispattributes = {
|
mispattributes = {
|
||||||
'input': ['domain', 'email-src', 'email-dst', 'target-email', 'whois-registrant-email',
|
'input': ['domain', 'domain|ip', 'email-src', 'email-dst', 'target-email', 'whois-registrant-email',
|
||||||
'whois-registrant-name', 'whois-registrant-phone', 'ip-src', 'ip-dst'],
|
'whois-registrant-name', 'whois-registrant-phone', 'ip-src', 'ip-dst', 'hostname',
|
||||||
|
'hostname|port', 'ip-src|port', 'ip-dst|port'],
|
||||||
'output': ['whois-registrant-email', 'whois-registrant-phone', 'whois-registrant-name',
|
'output': ['whois-registrant-email', 'whois-registrant-phone', 'whois-registrant-name',
|
||||||
'whois-registrar', 'whois-creation-date', 'freetext', 'domain']
|
'whois-registrar', 'whois-creation-date', 'freetext', 'domain']
|
||||||
}
|
}
|
||||||
|
@ -31,9 +32,9 @@ moduleinfo = {
|
||||||
moduleconfig = ['username', 'api_key']
|
moduleconfig = ['username', 'api_key']
|
||||||
|
|
||||||
query_profiles = [
|
query_profiles = [
|
||||||
{'inputs': ['domain'], 'services': ['parsed_whois', 'domain_profile', 'reputation', 'reverse_ip']},
|
{'inputs': ['domain', 'hostname'], 'services': ['parsed_whois', 'domain_profile', 'reputation', 'reverse_ip']},
|
||||||
{'inputs': ['email-src', 'email-dst', 'target-email', 'whois-registrant-email', 'whois-registrant-name', 'whois-registrant-phone'], 'services': ['reverse_whois']},
|
{'inputs': ['email-src', 'email-dst', 'target-email', 'whois-registrant-email', 'whois-registrant-name', 'whois-registrant-phone'], 'services': ['reverse_whois']},
|
||||||
{'inputs': ['ip-src', 'ip-dst'], 'services': ['host_domains']}
|
{'inputs': ['ip', 'ip-src', 'ip-dst'], 'services': ['host_domains']}
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
@ -223,15 +224,20 @@ def reverse_ip_whois(domtools, to_query, values):
|
||||||
# values.add_domain(d, 'Reverse domain related to {}.'.format(to_query))
|
# values.add_domain(d, 'Reverse domain related to {}.'.format(to_query))
|
||||||
return values
|
return values
|
||||||
|
|
||||||
|
def get_services(type_):
|
||||||
|
for p in query_profiles:
|
||||||
|
if type_ in p['inputs']:
|
||||||
|
return p['services']
|
||||||
|
|
||||||
def get_services(request):
|
|
||||||
for t in mispattributes['input']:
|
def process_query(type_, domtools, to_query, values):
|
||||||
to_query = request.get(t)
|
services = get_services(type_)
|
||||||
if not to_query:
|
if services:
|
||||||
continue
|
try:
|
||||||
for p in query_profiles:
|
for s in services:
|
||||||
if t in p['inputs']:
|
globals()[s](domtools, to_query, values)
|
||||||
return p['services']
|
except Exception as e:
|
||||||
|
print(to_query, type(e), e)
|
||||||
|
|
||||||
|
|
||||||
def handler(q=False):
|
def handler(q=False):
|
||||||
|
@ -243,6 +249,7 @@ def handler(q=False):
|
||||||
for t in mispattributes['input']:
|
for t in mispattributes['input']:
|
||||||
to_query = request.get(t)
|
to_query = request.get(t)
|
||||||
if to_query:
|
if to_query:
|
||||||
|
input_type = t
|
||||||
break
|
break
|
||||||
if not to_query:
|
if not to_query:
|
||||||
misperrors['error'] = "Unsupported attributes type"
|
misperrors['error'] = "Unsupported attributes type"
|
||||||
|
@ -259,13 +266,12 @@ def handler(q=False):
|
||||||
return misperrors
|
return misperrors
|
||||||
|
|
||||||
values = DomainTools()
|
values = DomainTools()
|
||||||
services = get_services(request)
|
if '|' in input_type:
|
||||||
if services:
|
to_query, query = to_query.split('|')
|
||||||
try:
|
input_type, type_ = input_type.split('|')
|
||||||
for s in services:
|
if type_ != 'port':
|
||||||
globals()[s](domtools, to_query, values)
|
process_query(type_, domtools, query, values)
|
||||||
except Exception as e:
|
process_query(input_type, domtools, to_query, values)
|
||||||
print(to_query, type(e), e)
|
|
||||||
|
|
||||||
return {'results': values.dump()}
|
return {'results': values.dump()}
|
||||||
|
|
||||||
|
|
|
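Review bot: In `process_query`, `except Exception as e: print(to_query, type(e), e)` swallows any failure of a service call (bad credentials, network error, unexpected response) and `handler` still returns `{'results': values.dump()}` as if everything succeeded, so partial results are indistinguishable from complete ones. The module already configures a `log` logger (the `@ -15,8` hunk header shows `log.addHandler(ch)`), so `log.exception('DomainTools service %s failed for %s', s, to_query)` would at least keep the traceback, and reporting the failure through `misperrors` would let the caller see it. The `globals()[s]` dispatch turns a misspelled service name in `query_profiles` into a KeyError that the same handler hides; a dict mapping service names to functions would fail fast at import time instead. `get_services` falls off the end and returns None when no profile matches, which the `if services:` guard relies on — worth stating in a docstring. Both new functions are complete within the `@ -223,15` hunk; the `handler` that calls `process_query` in the `@ -259,13` hunk starts outside it.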
@ -4,7 +4,7 @@ import json
|
||||||
from pyeupi import PyEUPI
|
from pyeupi import PyEUPI
|
||||||
|
|
||||||
misperrors = {'error': 'Error'}
|
misperrors = {'error': 'Error'}
|
||||||
mispattributes = {'input': ['hostname', 'domain', 'url'], 'output': ['freetext']}
|
mispattributes = {'input': ['hostname', 'hostname|port', 'domain', 'domain|ip', 'url'], 'output': ['freetext']}
|
||||||
moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot',
|
moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot',
|
||||||
'description': 'Query the Phishing Initiative service (https://phishing-initiative.lu)',
|
'description': 'Query the Phishing Initiative service (https://phishing-initiative.lu)',
|
||||||
'module-type': ['expansion', 'hover']}
|
'module-type': ['expansion', 'hover']}
|
||||||
|
@ -18,8 +18,12 @@ def handler(q=False):
|
||||||
request = json.loads(q)
|
request = json.loads(q)
|
||||||
if request.get('hostname'):
|
if request.get('hostname'):
|
||||||
toquery = request['hostname']
|
toquery = request['hostname']
|
||||||
|
elif request.get('hostname|port'):
|
||||||
|
toquery, _ = request['hostname|port'].split('|')
|
||||||
elif request.get('domain'):
|
elif request.get('domain'):
|
||||||
toquery = request['domain']
|
toquery = request['domain']
|
||||||
|
elif request.get('domain|ip'):
|
||||||
|
toquery, _ = request['domain|ip'].split('|')
|
||||||
elif request.get('url'):
|
elif request.get('url'):
|
||||||
toquery = request['url']
|
toquery = request['url']
|
||||||
else:
|
else:
|
||||||
|
|