MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

README updated to reflect config parameters changes

pull/2/head
Alexandre Dulaunoy 2016-03-16 07:57:37 +01:00
parent 3ee1f34aff
commit 4231cf1f6f
1 changed files with 61 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
README.md
View File

@ -19,15 +19,21 @@ Create your module in [modules/expansion/](modules/expansion/). The module shoul
* **introspection** function that returns a dict of the supported attributes (input and output) by your expansion module. * **introspection** function that returns a dict of the supported attributes (input and output) by your expansion module.
* **handler** function which accepts a JSON document to expand the values and return a dictionary of the expanded values. * **handler** function which accepts a JSON document to expand the values and return a dictionary of the expanded values.
* **version** function that returns a dict with the version and the associated meta-data of the module. * **version** function that returns a dict with the version and the associated meta-data including potential configurations required of the module.
Don't forget to return an error key and value if an error is raised to propagate it to the MISP user-interface. Don't forget to return an error key and value if an error is raised to propagate it to the MISP user-interface.
If your module requires authentication, the following reserved MISP attributes are used to pass the authentication If your module requires additional configuration (to be exposed via the MISP user-interface), a config array is added to the meta-data output containing all the potential configuration values:
values from MISP towards the module:
* module-username ~~~
* module-password "meta": {
"description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources",
"config": [
"username",
"password"
],
...
~~~
## Testing your modules? ## Testing your modules?
@ -37,14 +43,14 @@ MISP uses the **modules** function to discover the available MISP modules and th
% curl -s http://127.0.0.1:6666/modules | jq . % curl -s http://127.0.0.1:6666/modules | jq .
[ [
{ {
"name": "passivetotal",
"type": "expansion",
"mispattributes": { "mispattributes": {
"input": [ "input": [
"hostname", "hostname",
"domain", "domain",
"ip-src", "ip-src",
"ip-dst", "ip-dst"
"module-username",
"module-password"
], ],
"output": [ "output": [
"ip-src", "ip-src",
@ -54,14 +60,35 @@ MISP uses the **modules** function to discover the available MISP modules and th
] ]
}, },
"meta": { "meta": {
"description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources", "description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources",
"author": "Alexandre Dulaunoy", "config": [
"version": "0.1" "username",
}, "password"
"name": "passivetotal", ],
"type": "expansion" "author": "Alexandre Dulaunoy",
"version": "0.1"
}
}, },
{ {
"name": "sourcecache",
"type": "expansion",
"mispattributes": {
"input": [
"link"
],
"output": [
"link"
]
},
"meta": {
"description": "Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.",
"author": "Alexandre Dulaunoy",
"version": "0.1"
}
},
{
"name": "dns",
"type": "expansion",
"mispattributes": { "mispattributes": {
"input": [ "input": [
"hostname", "hostname",
@ -73,20 +100,34 @@ MISP uses the **modules** function to discover the available MISP modules and th
] ]
}, },
"meta": { "meta": {
"description": "Simple DNS expansion services to resolve IP address from MISP attributes", "description": "Simple DNS expansion service to resolve IP address from MISP attributes",
"version": "0.1", "author": "Alexandre Dulaunoy",
"author": "Alexandre Dulaunoy" "version": "0.1"
}, }
"name": "dns",
"type": "expansion"
} }
] ]
~~~ ~~~
The MISP module service returns the available modules in a JSON array containing each module name along with their supported input attributes. The MISP module service returns the available modules in a JSON array containing each module name along with their supported input attributes.
Based on this information, a query can be built in a JSON format and saved as body.json: Based on this information, a query can be built in a JSON format and saved as body.json:
~~~json
{
"hostname": "www.foo.be",
"module": "dns"
}
~~~
Then you can POST this JSON format query towards the MISP object server:
~~~
curl -s http://127.0.0.1:6666/query -H "Content-Type: application/json" --data @body.json -X POST
~~~
The module should output the following JSON:
~~~json ~~~json
{ {
"results": [ "results": [
@ -103,12 +144,6 @@ Based on this information, a query can be built in a JSON format and saved as bo
} }
~~~ ~~~
Then you can POST this JSON format query towards the MISP object server:
~~~
curl -s http://127.0.0.1:6666/query -H "Content-Type: application/json" --data @body.json -X POST
~~~
## How to contribute your own module? ## How to contribute your own module?
Fork the project, add your module, test it and make a pull-request. Modules can be also private as you can add a module in your own MISP installation. Fork the project, add your module, test it and make a pull-request. Modules can be also private as you can add a module in your own MISP installation.