From d08962afd27f3045e63bf27475e595dd67f5ee16 Mon Sep 17 00:00:00 2001
From: Steve Clement
Date: Thu, 25 Oct 2018 00:34:44 +0900
Subject: [PATCH 1/7] chg: [docs] Added some missing dependencies and instructions for virtualenv deployment

---
 README.md | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index f284e68..32ca538 100644
--- a/README.md
+++ b/README.md
@@ -75,17 +75,35 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
 * [ThreatAnalyzer](misp_modules/modules/import_mod/threatanalyzer_import.py) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
 * [VMRay](misp_modules/modules/import_mod/vmray_import.py) - An import module to process VMRay export.
 
+## How to install and start MISP modules in a Python virtualenv?
+
+~~~~bash
+sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr imagemagick
+sudo -u www-data virtualenv -p python3 /var/www/MISP/venv
+cd /usr/local/src/
+sudo git clone https://github.com/MISP/misp-modules.git
+cd misp-modules
+sudo -u www-data /var/www/MISP/venv/bin/pip install -I -r REQUIREMENTS
+sudo -u www-data /var/www/MISP/venv/bin/pip install .
+sudo apt install ruby-pygments.rb -y
+sudo gem install asciidoctor-pdf --pre
+sudo sed -i -e '$i \sudo -u www-data /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s > /tmp/misp-modules_rc.local.log &\n' /etc/rc.local
+/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules
+~~~~
+
 ## How to install and start MISP modules?
 
 ~~~~bash
-sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev
+sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr imagemagick
 cd /usr/local/src/
 sudo git clone https://github.com/MISP/misp-modules.git
 cd misp-modules
 sudo pip3 install -I -r REQUIREMENTS
 sudo pip3 install -I .
-sudo vi /etc/rc.local, add this line: `sudo -u www-data misp-modules -s &`
-misp-modules #to start the modules
+sudo apt install ruby-pygments.rb -y
+sudo gem install asciidoctor-pdf --pre
+sudo sed -i -e '$i \sudo -u www-data /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s > /tmp/misp-modules_rc.local.log &\n' /etc/rc.local
+/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules
 ~~~~
 
 ## How to add your own MISP modules?
From e8761c1664f30ea0522dc1281aace5ab2558bad9 Mon Sep 17 00:00:00 2001
From: milkmix
Date: Thu, 25 Oct 2018 21:28:46 +0200
Subject: [PATCH 2/7] super simple support for mutexes through winbaseobj in osquery 3.3

---
 misp_modules/modules/export_mod/osqueryexport.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misp_modules/modules/export_mod/osqueryexport.py b/misp_modules/modules/export_mod/osqueryexport.py
index a1535d8..084762e 100755
--- a/misp_modules/modules/export_mod/osqueryexport.py
+++ b/misp_modules/modules/export_mod/osqueryexport.py
@@ -42,7 +42,7 @@ def handle_regkeyvalue(value):
 return 'SELECT * FROM registry WHERE path LIKE \'%s\' AND data LIKE \'%s\';' % (key, value)
 
 def handle_mutex(value):
- return 'not implemented yet'
+ return 'SELECT * FROM winbaseobj WHERE object_name LIKE \'%s\';' % value
 
 def handle_service(value):
 return 'SELECT * FROM services WHERE display_name LIKE \'%s\' OR name like \'%s\';' % (value, value)

From 8c9c70926d30339cc37efbc545384b0618fc22ce Mon Sep 17 00:00:00 2001
From: milkmix
Date: Thu, 25 Oct 2018 21:35:21 +0200
Subject: [PATCH 3/7] added basic documentation

---
 doc/export_mod/osqueryexport.json | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 doc/export_mod/osqueryexport.json

diff --git a/doc/export_mod/osqueryexport.json b/doc/export_mod/osqueryexport.json
new file mode 100644
index 0000000..c5090a8
--- /dev/null
+++ b/doc/export_mod/osqueryexport.json
@@ -0,0 +1,8 @@
+{
+ "description": "OSQuery export of a MISP event.",
+ "requirements": [],
+ "features": "This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide.",
+ "references": [],
+ "input": "MISP Event attributes",
+ "output": "osquery SQL queries"
+}

From 37e3d091024690a17289550d39586b9ac59fec80 Mon Sep 17 00:00:00 2001
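Review bot: The mutex value is formatted straight into the LIKE pattern on the added line of handle_mutex, so an attribute value containing a single quote produces a syntactically broken osquery statement, and `%` or `_` in the name act as wildcards instead of literal characters. Because the value comes from event attributes rather than from the module itself, escaping it before formatting is the safer default, e.g. `return 'SELECT * FROM winbaseobj WHERE object_name LIKE \'%s\';' % value.replace("'", "''")`. The neighbouring handlers visible in the context lines format their values the same way, so a small shared quoting helper would keep all of them consistent. A short comment on the table's availability would also help readers, e.g. `# winbaseobj is a Windows-only table, available from osquery 3.3 (see commit message)`.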
From: milkmix
Date: Thu, 25 Oct 2018 21:54:25 +0200
Subject: [PATCH 4/7] documentation for export module

---
 README.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/README.md b/README.md
index 32ca538..66ca56f 100644
--- a/README.md
+++ b/README.md
@@ -116,6 +116,8 @@ Create your module in [misp_modules/modules/expansion/](misp_modules/modules/exp
 
 Don't forget to return an error key and value if an error is raised to propagate it to the MISP user-interface.
 
+Your module's script name should also be added in the `__all__` list of `/__init__.py` in order for it to be loaded.
+
 ~~~python
 ...
 # Checking for required value
@@ -207,6 +209,19 @@ def handler(q=False):
 codecs.encode(src, "rot-13")}
 ~~~
 
+#### export module
+
+For an export module, the `request["data"]` object corresponds to a list of events (dictionaries) to handle.
+
+Iterating over events attributes is performed using their `Attribute` key.
+
+~~~python
+...
+for event in request["data"]:
+ for attribute in event["Attribute"]:
+ # do stuff w/ attribute['type'], attribute['value'], ...
+...
+
 ### Returning Binary Data
 
 If you want to return a file or other data you need to add a data attribute.

From 53ab8a0a2fd40e8aa24eb5aec49a217578033859 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 26 Oct 2018 08:26:58 +0200
Subject: [PATCH 5/7] chg: [documentation] generated

---
 doc/documentation.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/doc/documentation.md b/doc/documentation.md
index 7be5f29..a89ac63 100644
--- a/doc/documentation.md
+++ b/doc/documentation.md
@@ -304,6 +304,18 @@ Lite export of a MISP event.
 
 -----
 
+#### [osqueryexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/osqueryexport.py)
+
+OSQuery export of a MISP event.
+- **features**:
+>This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide.
+- **input**:
+>MISP Event attributes
+- **output**:
+>osquery SQL queries
+
+-----
+
 #### [pdfexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/pdfexport.py)
 
 Simple export of a MISP event to PDF.

From 85061a0a9553ab3938f470a82b6743081434a3e1 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 26 Oct 2018 08:41:56 +0200
Subject: [PATCH 6/7] add: [documentation] osquery logo

---
 doc/export_mod/osqueryexport.json | 3 ++-
 doc/logos/osquery.png | Bin 0 -> 1659 bytes
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 doc/logos/osquery.png

diff --git a/doc/export_mod/osqueryexport.json b/doc/export_mod/osqueryexport.json
index c5090a8..6543cb1 100644
--- a/doc/export_mod/osqueryexport.json
+++ b/doc/export_mod/osqueryexport.json
@@ -4,5 +4,6 @@
 "features": "This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide.",
 "references": [],
 "input": "MISP Event attributes",
- "output": "osquery SQL queries"
+ "output": "osquery SQL queries",
+ "logo": "logos/osquery.png"
 }
diff --git a/doc/logos/osquery.png b/doc/logos/osquery.png new file mode 100644 index 0000000000000000000000000000000000000000..2e4320ee79f6ee297fd288bba122fa75a71a570c GIT binary patch literal 1659 zcmZ{le>f9(9LK+oj1_G~)P=F!njg_GMy9YCTWmHqNzAX4{7ShIi%hf_iQVe*TjWOa zyI&*@&oLcxE0v$^X^KUgx}%bvr+eyOXp{XDPd{k-3QzAsWd30lx?Pym3IyBm(W zrXy>|(okLdSt2ZVO~xpPz40oVZa~vbsZ>@7mH}`Az!3l!09=8FI{*#tL&48C zPKMvMKM-`Y?*1$3n?DA{0fB4)taSBA{){p<`+RrLpoIltd~!x(J)Y(rdEsIa#fOD9 zXKdCzWN1XNFbj`}Of|EhCb6@PO?@zS9(V6`+uJ4}5J7Z$&NhRCk3_RgjUpUAh{qE& zRw*0m#Q=B*hny@a>PA2P5C*`yqwY8-@5G|{U$ht!jDE&go|PZe{zN#X>uC$ud|iB5 zrw$`wyk4oyws9wo+O?fd+Gn>ZDM`USPn=3F-FNo7AiAHBQ*v{gh|Bz*sJqAHStd1u zr$M(eMb->Q3N!x$x68eak(?)_ey-UEznXHM#y3FpPM3J6aotNzjM?3aR*<>`SCi$%fDP^Bi8~LZ-rj~--k1f=_65n@VS&Updf8VV#t zZVX=Vz?g!3)GJYWdex4+?NWQVK&^VrGe%f9yCF8OBvdZ{=s#ySles*4x^Y8{;-#fz z@ggsyAYda7Hql?|d75uFdu<}S_lF?G8+}DTB3amCNXYK^cQ@1F>z}FK4_}(AYYX0?gEB>C zFQ^A8-$|dNZW#;8Y5cUx*F)62rFM#D=ke|MKvfulc~wDXo-3Y6`(?4F-a*kP z=g8g;9sD%B3(_kd$O#yzQ#U-<*6i5#9gN+kuNVoetcuu#J-1x12eXE;{cw-R@L9v-e&3IrUBs+tZ>x&8wW#3AH`!OJsPps3`9AKk7dObuXm-Bu@BS zbXiV$F-DiY;af>YIR!b@y;5B=YrLmb=ksdRLi6Orj?1GX8wKIX^p;dTH_L%ZKT&Qq`BN6~m43Vy)_6T9;LIVDRcv+?RC1>X4oikVBov)4opOuSgRax&I}E|hv;Kx zQjgA#o5&8Kf5!CTAEATBEbZ>q7%6uNY0v@Bg4lg`O&=p#q2!WQ2vH<(z9g{3DE4$r zp=0Uef2yqR&2;QofLl1*NLFLJrQyPY#$48P&PdT_%WEqBE2w#-;&?@9g`<7<#*0`{|5Lsdamk!yZlO5RcZs0sjrzc*VkqMxZ^!>x15=re*hgl`vL#} literal 0 HcmV?d00001 From f246a9f0c3824a469d80d7e70e46f7319990346c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 26 Oct 2018 08:42:30 +0200 Subject: [PATCH 7/7] chg: [documentation] osquery logo added --- doc/documentation.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/documentation.md b/doc/documentation.md index a89ac63..20ee566 100644 --- a/doc/documentation.md +++ b/doc/documentation.md 
@@ -306,6 +306,8 @@ Lite export of a MISP event. #### [osqueryexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/osqueryexport.py) + + OSQuery export of a MISP event. - **features**: >This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide.