mirror of https://github.com/MISP/misp-modules
Merge branch 'master' of github.com:MISP/misp-modules
commit 62aa268d01

README.md
@ -75,17 +75,35 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
* [ThreatAnalyzer](misp_modules/modules/import_mod/threatanalyzer_import.py) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
* [VMRay](misp_modules/modules/import_mod/vmray_import.py) - An import module to process VMRay export.

## How to install and start MISP modules in a Python virtualenv?

~~~~bash
sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr imagemagick
sudo -u www-data virtualenv -p python3 /var/www/MISP/venv
cd /usr/local/src/
sudo git clone https://github.com/MISP/misp-modules.git
cd misp-modules
sudo -u www-data /var/www/MISP/venv/bin/pip install -I -r REQUIREMENTS
sudo -u www-data /var/www/MISP/venv/bin/pip install .
sudo apt install ruby-pygments.rb -y
sudo gem install asciidoctor-pdf --pre
sudo sed -i -e '$i \sudo -u www-data /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s > /tmp/misp-modules_rc.local.log &\n' /etc/rc.local
/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules
~~~~

## How to install and start MISP modules?

~~~~bash
sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev
sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr imagemagick
cd /usr/local/src/
sudo git clone https://github.com/MISP/misp-modules.git
cd misp-modules
sudo pip3 install -I -r REQUIREMENTS
sudo pip3 install -I .
sudo vi /etc/rc.local, add this line: `sudo -u www-data misp-modules -s &`
misp-modules #to start the modules
sudo apt install ruby-pygments.rb -y
sudo gem install asciidoctor-pdf --pre
sudo sed -i -e '$i \sudo -u www-data /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s > /tmp/misp-modules_rc.local.log &\n' /etc/rc.local
/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules
~~~~

## How to add your own MISP modules?

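Review bot: the second block (`## How to install and start MISP modules?`) now carries two conflicting start procedures: the old `sudo vi /etc/rc.local, add this line: sudo -u www-data misp-modules -s &` plus `misp-modules #to start the modules`, and the new `sed` line that writes `/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s` into /etc/rc.local, a path that only exists after the virtualenv block above (this block installs with `sudo pip3 install -I .`). Drop the old pair or point the sed line at the system-wide `misp-modules`, and keep only one of the two `sudo apt-get install python3-dev ...` lines (the one with `tesseract-ocr imagemagick` reads as the intended replacement). Two smaller points: the rc.local entry binds with `-l 127.0.0.1`, but the bare `misp-modules` start line passes no `-l`, so the text should say what it listens on by default; and `sudo gem install asciidoctor-pdf --pre` pulls a pre-release gem system-wide as root, which deserves a version pin or at least a mention.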
@ -98,6 +116,8 @@ Create your module in [misp_modules/modules/expansion/](misp_modules/modules/exp

Don't forget to return an error key and value if an error is raised to propagate it to the MISP user-interface.

Your module's script name should also be added in the `__all__` list of `<module type folder>/__init__.py` in order for it to be loaded.

~~~python
...
# Checking for required value

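Review bot: "return an error key and value" leaves the reader to guess the key name and the shape of the return; write the literal return next to the sentence, e.g. `return {'error': 'reason shown in the MISP UI'}`. The `__all__` sentence would likewise benefit from one concrete line such as `__all__ = [..., 'your_module']` in `<module type folder>/__init__.py`, with a note that the entry is the script's filename without `.py`.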
@ -189,6 +209,19 @@ def handler(q=False):
codecs.encode(src, "rot-13")}
~~~

#### export module

For an export module, the `request["data"]` object corresponds to a list of events (dictionaries) to handle.

Iterating over events attributes is performed using their `Attribute` key.

~~~python
...
for event in request["data"]:
for attribute in event["Attribute"]:
# do stuff w/ attribute['type'], attribute['value'], ...
...

### Returning Binary Data

If you want to return a file or other data you need to add a data attribute.

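Review bot: the `~~~python` block opened before `for event in request["data"]:` is never closed in this hunk, so `### Returning Binary Data` and the text after it render inside the code block; add a closing `~~~` after the trailing `...`. In the example itself, `event["Attribute"]` raises `KeyError` on an event that carries no attributes, which aborts the whole export; `for attribute in event.get("Attribute", []):` keeps the loop going over such events.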
@ -304,6 +304,20 @@ Lite export of a MISP event.

-----

#### [osqueryexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/osqueryexport.py)

<img src=logos/osquery.png height=60>

OSQuery export of a MISP event.
- **features**:
>This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide.
- **input**:
>MISP Event attributes
- **output**:
>osquery SQL queries

-----

#### [pdfexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/pdfexport.py)

Simple export of a MISP event to PDF.

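Review bot: grammar in the features line: "This module export an event ... in fleet management solution like Kolide" should read "This module exports an event as osquery queries that can be used in packs or in fleet management solutions like Kolide." The project name is spelled "osquery" in the output line (`osquery SQL queries`), so "OSQuery export of a MISP event." should match it. The same two strings are copied into the module's JSON description, so fix both places.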
@ -0,0 +1,9 @@
{
"description": "OSQuery export of a MISP event.",
"requirements": [],
"features": "This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide.",
"references": [],
"input": "MISP Event attributes",
"output": "osquery SQL queries",
"logo": "logos/osquery.png"
}
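Review bot: `description` and `features` duplicate the README entry word for word, including "This module export" and "fleet management solution"; correct them here as well ("exports", "solutions", "osquery"). `references` is empty; a link to the osquery schema for the tables the module queries (registry, winbaseobj, services) would tell users what the generated SQL expects on the endpoint.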
Binary file not shown (size: 1.6 KiB).
|
@ -42,7 +42,7 @@ def handle_regkeyvalue(value):
return 'SELECT * FROM registry WHERE path LIKE \'%s\' AND data LIKE \'%s\';' % (key, value)

def handle_mutex(value):
return 'not implemented yet'
return 'SELECT * FROM winbaseobj WHERE object_name LIKE \'%s\';' % value

def handle_service(value):
return 'SELECT * FROM services WHERE display_name LIKE \'%s\' OR name like \'%s\';' % (value, value)

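Review bot: `handle_mutex` now builds its query with `% value` and inherits the defect already present in `handle_regkeyvalue` and `handle_service`: the MISP attribute value is placed into the SQL string with no escaping, so a value containing a single quote breaks the statement, and a crafted attribute arriving through an imported or shared event can append its own SQL to what the fleet manager then runs on every endpoint. Route all three functions through one helper that doubles single quotes (`value.replace("'", "''")`) before the `%` formatting. Also, `LIKE '%s'` with no added wildcard only differs from `=` when the value itself contains `%` or `_`, in which case a mutex name matches more objects than intended; use `=` if an exact match is meant, or escape those characters as well.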