From bb5f6fffae38acd8a348ec94282fe51a3712b4e4 Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Fri, 2 Nov 2018 10:42:40 +0900 Subject: [PATCH 1/3] chg: [init] Added try/catch in case misp-modules is already running on a port, or port is in use... --- misp_modules/__init__.py | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/misp_modules/__init__.py b/misp_modules/__init__.py
index 3bb7253..7d3c2ce 100644
--- a/misp_modules/__init__.py
+++ b/misp_modules/__init__.py
@@ -29,6 +29,7 @@ import fnmatch
 import argparse
 import re
 import datetime
+import psutil
 import tornado.web
 import tornado.process
@@ -241,7 +242,23 @@ def main():
 service = [(r'/modules', ListModules), (r'/query', QueryModule)]
 application = tornado.web.Application(service)
- application.listen(port, address=listen)
+ try:
+ application.listen(port, address=listen)
+ except Exception as e:
+ if e.errno == 98:
+ pids = psutil.pids()
+ for pid in pids:
+ p = psutil.Process(pid)
+ if p.name() == "misp-modules":
+ print("\n\n\n")
+ print(e)
+ print("\nmisp-modules is still running as PID: {}\n".format(pid))
+ print("Please kill accordingly:")
+ print("sudo kill {}".format(pid))
+ sys.exit(-1)
+ print(e)
+ print("misp-modules might still be running.")
+
 log.info('MISP modules server started on {0} port {1}'.format(listen, port))
 if args.t:
 log.info('MISP modules started in test-mode, quitting immediately.')
From 74bf2f267874c5cf48757b2bc3a26a57389f4032 Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Fri, 2 Nov 2018 10:44:46 +0900 Subject: [PATCH 2/3] chg: [tools] Added psutil as a dependency to detect misp-modules PID --- REQUIREMENTS | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/REQUIREMENTS b/REQUIREMENTS
index 6ab46cc..0aae71f 100644
--- a/REQUIREMENTS
+++ b/REQUIREMENTS
@@ -25,4 +25,5 @@ yara
 sigmatools
 stix2-patterns
 maclookup
-vulners
\ No newline at end of file
+vulners
+psutil
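Review bot: The `except Exception as e:` / `if e.errno == 98:` pair in the second hunk only works for OSError: any other exception raised by `application.listen` has no `errno` attribute, so the handler itself dies with an AttributeError, and 98 is the Linux value of EADDRINUSE, not a portable one. Catching `OSError` and comparing with `errno.EADDRINUSE` (adding `import errno` next to the new `import psutil` in the first hunk) fixes both. Separately, every path that does not find a process named misp-modules just prints and falls through, so execution continues to the `log.info('MISP modules server started …')` context line and whatever follows it as if the bind had succeeded; the failure should end in `sys.exit` or a re-raise in every branch. `psutil.Process(pid)` over a snapshot of `psutil.pids()` can also raise psutil.NoSuchProcess or psutil.AccessDenied when a process exits or is unreadable mid-iteration, which `psutil.process_iter()` with those exceptions caught avoids. main() starts before and continues after this hunk, and I cannot see whether `sys` is imported in this file.
```python
    try:
        application.listen(port, address=listen)
    except OSError as e:
        # Only "address already in use" gets the PID hint; anything else is unexpected.
        if e.errno != errno.EADDRINUSE:
            raise
        print(e)
        for p in psutil.process_iter():
            try:
                name = p.name()
            except (psutil.NoSuchProcess, psutil.AccessDenied):
                continue  # process vanished or is not ours to inspect
            if name == "misp-modules":
                print("\nmisp-modules is still running as PID: {}\n".format(p.pid))
                print("Please kill accordingly:")
                print("sudo kill {}".format(p.pid))
        print("misp-modules might still be running.")
        sys.exit(1)
    # … unchanged: log.info('MISP modules server started …') and the rest of main() …
```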
From 7bafa939b07f426cde7eef121f65188e57143515 Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Tue, 6 Nov 2018 00:48:36 +0900 Subject: [PATCH 3/3] new: [btc] Very simple BTC expansion chg: [req] yara-python is preferred --- REQUIREMENTS | 3 +- misp_modules/modules/expansion/__init__.py | 2 +- misp_modules/modules/expansion/btc.py | 50 ++++++++++++++++++++++ 3 files changed, 53 insertions(+), 2 deletions(-) create mode 100755 misp_modules/modules/expansion/btc.py
diff --git a/REQUIREMENTS b/REQUIREMENTS
index 0aae71f..cfaf9ad 100644
--- a/REQUIREMENTS
+++ b/REQUIREMENTS
@@ -21,9 +21,10 @@ domaintools_api
 pygeoip
 bs4
 oauth2
-yara
+yara-python
 sigmatools
 stix2-patterns
 maclookup
 vulners
 psutil
+blockchain
diff --git a/misp_modules/modules/expansion/__init__.py b/misp_modules/modules/expansion/__init__.py
index f1c6d7a..73abd2e 100644
--- a/misp_modules/modules/expansion/__init__.py
+++ b/misp_modules/modules/expansion/__init__.py
@@ -1,3 +1,3 @@
 from . import _vmray
-__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query']
+__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'btc', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query']
diff --git a/misp_modules/modules/expansion/btc.py b/misp_modules/modules/expansion/btc.py
new file mode 100755
index 0000000..da2fbe0
--- /dev/null
+++ b/misp_modules/modules/expansion/btc.py
@@ -0,0 +1,50 @@
+import json
+import blockchain
+
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['btc'], 'output': ['text']}
+moduleinfo = {'version': '0.1', 'author': 'Steve Clement',
+ 'description': 'Simple BTC expansion service to \
+ get quick information from MISP attributes',
+ 'module-type': ['expansion', 'hover']}
+
+moduleconfig = []
+
+
+def handler(q=False):
+ if q is False:
+ return False
+ request = json.loads(q)
+ if request.get('btc'):
+ toquery = request['btc']
+ else:
+ return False
+
+ try:
+ address = blockchain.blockexplorer.get_address(toquery)
+ except Exception as e:
+ misperrors['error'] = e
+ return misperrors
+ finalBalance = address.final_balance*(1/100000000)
+ totalRX = address.total_received*(1/100000000)
+ totalTX = address.total_sent*(1/100000000)
+ totalTransactions = address.n_tx
+
+ answer = 'Current balance: \
+ {} - \
+ {} total received - \
+ {} total sent - \
+ {} transactions.\
+ '.format(finalBalance, totalRX, totalTX, totalTransactions)
+ r = {'results': [{'types': mispattributes['output'],
+ 'values':[str(answer)]}]}
+ return r
+
+
+def introspection():
+ return mispattributes
+
+
+def version():
+ moduleinfo['config'] = moduleconfig
+ return moduleinfo
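Review bot: `misperrors['error'] = e` in handler() stores the exception object itself in the module-level `misperrors` dict, so the traceback it carries stays alive for the life of the process, the error value is not a string, and the same mutated dict is shared by every later call; if the framework serialises the returned dict with json, an exception object will not encode at all. Returning a fresh dict with the message text, `except Exception as e:` / `return {'error': str(e)}`, fixes all three, and a fixed message is preferable to the raw library error since that text goes straight back to the caller. The `answer` literal uses backslash line continuation inside the quotes, so any indentation on the continued lines becomes part of the output string; the same applies to `'description'` in moduleinfo. A single-line `'Current balance: {} - {} total received - {} total sent - {} transactions.'.format(...)` (or implicit string concatenation across lines) avoids that, and `str(answer)` is then redundant because `answer` is already a str. Dividing by the satoshi factor directly, `address.final_balance / 100000000`, reads better than `*(1/100000000)` and avoids the extra float rounding step on the three amounts.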