diff --git a/README.md b/README.md index f284e68..66ca56f 100644 --- a/README.md +++ b/README.md 
@@ -75,17 +75,35 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/ * [ThreatAnalyzer](misp_modules/modules/import_mod/threatanalyzer_import.py) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports. * [VMRay](misp_modules/modules/import_mod/vmray_import.py) - An import module to process VMRay export. +## How to install and start MISP modules in a Python virtualenv? + +~~~~bash +sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr imagemagick +sudo -u www-data virtualenv -p python3 /var/www/MISP/venv +cd /usr/local/src/ +sudo git clone https://github.com/MISP/misp-modules.git +cd misp-modules +sudo -u www-data /var/www/MISP/venv/bin/pip install -I -r REQUIREMENTS +sudo -u www-data /var/www/MISP/venv/bin/pip install . +sudo apt install ruby-pygments.rb -y +sudo gem install asciidoctor-pdf --pre +sudo sed -i -e '$i \sudo -u www-data /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s > /tmp/misp-modules_rc.local.log &\n' /etc/rc.local +/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules +~~~~ + ## How to install and start MISP modules? ~~~~bash -sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev +sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr imagemagick cd /usr/local/src/ sudo git clone https://github.com/MISP/misp-modules.git cd misp-modules sudo pip3 install -I -r REQUIREMENTS sudo pip3 install -I . -sudo vi /etc/rc.local, add this line: `sudo -u www-data misp-modules -s &` -misp-modules #to start the modules +sudo apt install ruby-pygments.rb -y +sudo gem install asciidoctor-pdf --pre +sudo sed -i -e '$i \sudo -u www-data /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s > /tmp/misp-modules_rc.local.log &\n' /etc/rc.local +/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules ~~~~ ## How to add your own MISP modules? 
@@ -98,6 +116,8 @@ Create your module in [misp_modules/modules/expansion/](misp_modules/modules/exp Don't forget to return an error key and value if an error is raised to propagate it to the MISP user-interface. +Your module's script name should also be added in the `__all__` list of `/__init__.py` in order for it to be loaded. + ~~~python ... # Checking for required value @@ -189,6 +209,19 @@ def handler(q=False): codecs.encode(src, "rot-13")} ~~~ +#### export module + +For an export module, the `request["data"]` object corresponds to a list of events (dictionaries) to handle. + +Iterating over events attributes is performed using their `Attribute` key. + +~~~python +... +for event in request["data"]: + for attribute in event["Attribute"]: + # do stuff w/ attribute['type'], attribute['value'], ... +... + ### Returning Binary Data If you want to return a file or other data you need to add a data attribute. diff --git a/doc/documentation.md b/doc/documentation.md index 7be5f29..20ee566 100644 --- a/doc/documentation.md +++ b/doc/documentation.md @@ -304,6 +304,20 @@ Lite export of a MISP event. ----- +#### [osqueryexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/osqueryexport.py) + + + +OSQuery export of a MISP event. +- **features**: +>This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide. +- **input**: +>MISP Event attributes +- **output**: +>osquery SQL queries + +----- + #### [pdfexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/pdfexport.py) Simple export of a MISP event to PDF. diff --git a/doc/export_mod/osqueryexport.json b/doc/export_mod/osqueryexport.json new file mode 100644 index 0000000..6543cb1 --- /dev/null +++ b/doc/export_mod/osqueryexport.json 
@@ -0,0 +1,9 @@ +{ + "description": "OSQuery export of a MISP event.", + "requirements": [], + "features": "This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide.", + "references": [], + "input": "MISP Event attributes", + "output": "osquery SQL queries", + "logo": "logos/osquery.png" +} diff --git a/doc/logos/osquery.png b/doc/logos/osquery.png new file mode 100644 index 0000000..2e4320e Binary files /dev/null and b/doc/logos/osquery.png differ diff --git a/misp_modules/modules/export_mod/osqueryexport.py b/misp_modules/modules/export_mod/osqueryexport.py index a1535d8..084762e 100755 --- a/misp_modules/modules/export_mod/osqueryexport.py +++ b/misp_modules/modules/export_mod/osqueryexport.py @@ -42,7 +42,7 @@ def handle_regkeyvalue(value): return 'SELECT * FROM registry WHERE path LIKE \'%s\' AND data LIKE \'%s\';' % (key, value) def handle_mutex(value): - return 'not implemented yet' + return 'SELECT * FROM winbaseobj WHERE object_name LIKE \'%s\';' % value def handle_service(value): return 'SELECT * FROM services WHERE display_name LIKE \'%s\' OR name like \'%s\';' % (value, value)
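Review bot: in the first README hunk, the non-virtualenv section ("How to install and start MISP modules?") installs with `sudo pip3 install -I .` but its new rc.local line and its start line both call `/var/www/MISP/venv/bin/misp-modules`, a path that only exists if the reader followed the virtualenv section instead; those two lines should invoke the system `misp-modules` there. Two smaller points in the same hunk: the virtualenv section runs `virtualenv -p python3` without ever installing it (add `virtualenv` to the apt line, or use `python3 -m venv` with `python3-venv`), and the rc.local line redirects output to the predictable world-writable path `/tmp/misp-modules_rc.local.log`; because the `>` redirection is performed by the root shell before `sudo -u www-data` drops privileges, a symlink planted at that path would be followed on hosts without `fs.protected_symlinks`, so log under `/var/log/` or move the start-up into a systemd unit that runs as www-data. Binding with `-l 127.0.0.1` is the right default and worth keeping; the `ruby-pygments.rb` and `asciidoctor-pdf` lines are added without a word on which module needs them, so a one-line comment would help.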
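Review bot: the new sentence in the `@@ -98` README hunk points at `` `/__init__.py` ``, which reads as an absolute path; the context line above says the module goes in `misp_modules/modules/expansion/`, so state the path relative to that directory, e.g. "the `__all__` list of the `__init__.py` in the directory your module lives in (`misp_modules/modules/expansion/__init__.py` for an expansion module)".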
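Review bot: the `~~~python` block added under the new "#### export module" heading in the `@@ -189` README hunk has no closing `~~~` before `### Returning Binary Data`, so in rendered Markdown the rest of the file ends up inside the code block; add the closing fence after the trailing `...` line. Also "Iterating over events attributes" should read "Iterating over an event's attributes", and since the snippet stops at the loop, a sentence on what the export handler must return would make the section complete.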
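Review bot: in the documentation.md hunk the features sentence has two grammar slips, "This module export an event" should be "This module exports an event" and "fleet management solution like Kolide" should be "fleet management solutions such as Kolide"; the same string is copied into `doc/export_mod/osqueryexport.json`, so fix both (or, if documentation.md is generated from the JSON, fix the JSON and regenerate). The three empty `+` lines under the `#### [osqueryexport]` heading look like a dropped logo reference: the JSON sets `"logo": "logos/osquery.png"` and the patch adds `doc/logos/osquery.png`, so check that the generated section actually references the image.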
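Review bot: `handle_mutex` in the osqueryexport.py hunk interpolates the attribute value straight into the SQL string, so a mutex name containing a single quote yields a broken or altered query, and any `%` or `_` in the value acts as a LIKE wildcard. The neighbouring handlers (`handle_regkeyvalue`, `handle_service`) share the pattern, so this is pre-existing, but since these queries are meant to be pushed into osquery packs and executed on every endpoint, escape the value once in a small helper (`value.replace("'", "''")`) and call it from every handler rather than extending the pattern here. Also note that `winbaseobj` is a Windows-only table, so the pack entry this query lands in should be restricted to that platform.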