mirror of https://github.com/MISP/misp-modules
Merge branch 'master' of github.com:MISP/misp-modules
commit
62aa268d01
39
README.md
@ -75,17 +75,35 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
|
||||||
* [ThreatAnalyzer](misp_modules/modules/import_mod/threatanalyzer_import.py) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
|
* [ThreatAnalyzer](misp_modules/modules/import_mod/threatanalyzer_import.py) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
|
||||||
* [VMRay](misp_modules/modules/import_mod/vmray_import.py) - An import module to process VMRay export.
|
* [VMRay](misp_modules/modules/import_mod/vmray_import.py) - An import module to process VMRay export.
|
||||||
|
|
||||||
|
## How to install and start MISP modules in a Python virtualenv?
|
||||||
|
|
||||||
|
~~~~bash
|
||||||
|
sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr imagemagick
|
||||||
|
sudo -u www-data virtualenv -p python3 /var/www/MISP/venv
|
||||||
|
cd /usr/local/src/
|
||||||
|
sudo git clone https://github.com/MISP/misp-modules.git
|
||||||
|
cd misp-modules
|
||||||
|
sudo -u www-data /var/www/MISP/venv/bin/pip install -I -r REQUIREMENTS
|
||||||
|
sudo -u www-data /var/www/MISP/venv/bin/pip install .
|
||||||
|
sudo apt install ruby-pygments.rb -y
|
||||||
|
sudo gem install asciidoctor-pdf --pre
|
||||||
|
sudo sed -i -e '$i \sudo -u www-data /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s > /tmp/misp-modules_rc.local.log &\n' /etc/rc.local
|
||||||
|
/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules
|
||||||
|
~~~~
|
||||||
|
|
||||||
## How to install and start MISP modules?
|
## How to install and start MISP modules?
|
||||||
|
|
||||||
~~~~bash
|
~~~~bash
|
||||||
sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev
|
sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr imagemagick
|
||||||
cd /usr/local/src/
|
cd /usr/local/src/
|
||||||
sudo git clone https://github.com/MISP/misp-modules.git
|
sudo git clone https://github.com/MISP/misp-modules.git
|
||||||
cd misp-modules
|
cd misp-modules
|
||||||
sudo pip3 install -I -r REQUIREMENTS
|
sudo pip3 install -I -r REQUIREMENTS
|
||||||
sudo pip3 install -I .
|
sudo pip3 install -I .
|
||||||
sudo vi /etc/rc.local, add this line: `sudo -u www-data misp-modules -s &`
|
sudo apt install ruby-pygments.rb -y
|
||||||
misp-modules #to start the modules
|
sudo gem install asciidoctor-pdf --pre
|
||||||
|
sudo sed -i -e '$i \sudo -u www-data /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s > /tmp/misp-modules_rc.local.log &\n' /etc/rc.local
|
||||||
|
/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules
|
||||||
~~~~
|
~~~~
|
||||||
|
|
||||||
## How to add your own MISP modules?
|
## How to add your own MISP modules?
|
||||||
|
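Review bot: the rewritten "How to install and start MISP modules?" block mixes the two install flows. It still installs system-wide with `sudo pip3 install -I .`, yet the new rc.local `sed` line and the start command both point at `/var/www/MISP/venv/bin/misp-modules`, a path that only exists after the virtualenv steps of the section above. Either keep the system-wide binary here (e.g. `sudo -u www-data misp-modules -l 127.0.0.1 -s &`, matching the old `sudo vi /etc/rc.local` instruction that was removed) or state that this section assumes the venv was created. Two smaller points: the `sed -i -e '$i \...'` form inserts before the last line of `/etc/rc.local`, so it assumes the file exists and ends with `exit 0`, which is worth one sentence since systemd-based distributions do not ship it by default; and `tesseract-ocr`, `imagemagick`, `ruby-pygments.rb` and `asciidoctor-pdf` are only needed by specific modules (OCR and PDF export), so a short note saying which ones would save readers an unnecessary Ruby install. Keeping `-l 127.0.0.1` in both sections is the right default to document, since it keeps the module server on loopback.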
@ -98,6 +116,8 @@ Create your module in [misp_modules/modules/expansion/](misp_modules/modules/exp
|
||||||
|
|
||||||
Don't forget to return an error key and value if an error is raised to propagate it to the MISP user-interface.
|
Don't forget to return an error key and value if an error is raised to propagate it to the MISP user-interface.
|
||||||
|
|
||||||
|
Your module's script name should also be added in the `__all__` list of `<module type folder>/__init__.py` in order for it to be loaded.
|
||||||
|
|
||||||
~~~python
|
~~~python
|
||||||
...
|
...
|
||||||
# Checking for required value
|
# Checking for required value
|
||||||
|
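Review bot: the new `__all__` sentence should name a concrete file rather than `<module type folder>/__init__.py`, since the hunk context already points at `misp_modules/modules/expansion/`: for example "add `'mymodule'` to the `__all__` list in `misp_modules/modules/expansion/__init__.py`". As written, a reader cannot tell whether the entry is the script name with or without the `.py` suffix (it is without).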
@ -189,6 +209,19 @@ def handler(q=False):
|
||||||
codecs.encode(src, "rot-13")}
|
codecs.encode(src, "rot-13")}
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
|
#### export module
|
||||||
|
|
||||||
|
For an export module, the `request["data"]` object corresponds to a list of events (dictionaries) to handle.
|
||||||
|
|
||||||
|
Iterating over events attributes is performed using their `Attribute` key.
|
||||||
|
|
||||||
|
~~~python
|
||||||
|
...
|
||||||
|
for event in request["data"]:
|
||||||
|
for attribute in event["Attribute"]:
|
||||||
|
# do stuff w/ attribute['type'], attribute['value'], ...
|
||||||
|
...
|
||||||
|
|
||||||
### Returning Binary Data
|
### Returning Binary Data
|
||||||
|
|
||||||
If you want to return a file or other data you need to add a data attribute.
|
If you want to return a file or other data you need to add a data attribute.
|
||||||
|
|
|
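Review bot: the added `~~~python` block under "Iterating over events attributes ..." is never closed. The thirteen added lines end with `...`, and the next lines are the pre-existing `### Returning Binary Data` heading, so Markdown will swallow that heading and the paragraph after it into the code block. Add a closing `~~~` after the final `...`. Also make sure the inner `for attribute in event["Attribute"]:` loop and its comment are indented under the outer loop in the source (the rendering here shows no indentation), and "Iterating over events attributes" reads better as "Iterating over an event's attributes".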
@ -304,6 +304,20 @@ Lite export of a MISP event.
|
||||||
|
|
||||||
-----
|
-----
|
||||||
|
|
||||||
|
#### [osqueryexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/osqueryexport.py)
|
||||||
|
|
||||||
|
<img src=logos/osquery.png height=60>
|
||||||
|
|
||||||
|
OSQuery export of a MISP event.
|
||||||
|
- **features**:
|
||||||
|
>This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide.
|
||||||
|
- **input**:
|
||||||
|
>MISP Event attributes
|
||||||
|
- **output**:
|
||||||
|
>osquery SQL queries
|
||||||
|
|
||||||
|
-----
|
||||||
|
|
||||||
#### [pdfexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/pdfexport.py)
|
#### [pdfexport](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/export_mod/pdfexport.py)
|
||||||
|
|
||||||
Simple export of a MISP event to PDF.
|
Simple export of a MISP event to PDF.
|
||||||
|
|
|
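Review bot: the features line has two grammar slips: "This module export an event" should be "This module exports an event", and "fleet management solution like Kolide" should be "fleet management solutions like Kolide". The same sentence is repeated verbatim in the new JSON file, so fix it in both places. The project spells its name "osquery" in lower case; the description line says "OSQuery" while the output line says "osquery", so pick one spelling for the entry.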
@ -0,0 +1,9 @@
|
||||||
|
{
|
||||||
|
"description": "OSQuery export of a MISP event.",
|
||||||
|
"requirements": [],
|
||||||
|
"features": "This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide.",
|
||||||
|
"references": [],
|
||||||
|
"input": "MISP Event attributes",
|
||||||
|
"output": "osquery SQL queries",
|
||||||
|
"logo": "logos/osquery.png"
|
||||||
|
}
|
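Review bot: the `"features"` string carries the same "export"/"solution" typos as the README entry above ("This module exports an event as osquery queries that can be used in packs or in fleet management solutions like Kolide"). `"requirements": []` is accurate since the module needs no extra package, but `"references": []` could point readers to the osquery table documentation for `registry`, `winbaseobj` and `services`, which the generated queries depend on.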
Binary file not shown.
After Width: | Height: | Size: 1.6 KiB |
|
@ -42,7 +42,7 @@ def handle_regkeyvalue(value):
|
||||||
return 'SELECT * FROM registry WHERE path LIKE \'%s\' AND data LIKE \'%s\';' % (key, value)
|
return 'SELECT * FROM registry WHERE path LIKE \'%s\' AND data LIKE \'%s\';' % (key, value)
|
||||||
|
|
||||||
def handle_mutex(value):
|
def handle_mutex(value):
|
||||||
return 'not implemented yet'
|
return 'SELECT * FROM winbaseobj WHERE object_name LIKE \'%s\';' % value
|
||||||
|
|
||||||
def handle_service(value):
|
def handle_service(value):
|
||||||
return 'SELECT * FROM services WHERE display_name LIKE \'%s\' OR name like \'%s\';' % (value, value)
|
return 'SELECT * FROM services WHERE display_name LIKE \'%s\' OR name like \'%s\';' % (value, value)
|
||||||
|
|
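Review bot: `handle_mutex` now builds its query by `%`-formatting the raw attribute value straight into the SQL, the same pattern `handle_regkeyvalue` and `handle_service` already use. Attribute values come from MISP events, frequently synced from other organisations, so a value containing a single quote produces a broken or altered query in every pack built from this export, and `%` or `_` inside a value act as `LIKE` wildcards. At minimum escape quotes before formatting (e.g. `value.replace("'", "''")`) or reject values that contain them, and use `=` rather than `LIKE` where no wildcard is intended. One small helper applied in all three functions keeps the behaviour consistent.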