chg: [documentation] updated

pull/532/head
Alexandre Dulaunoy 2021-10-27 22:25:41 +02:00
parent 04a6e89813
commit 7cb7a9bd52
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 105 additions and 10 deletions


@ -606,24 +606,19 @@ Module to query a local copy of Maxmind's Geolite database.
<img src=logos/greynoise.png height=60>
Module to access GreyNoise.io API
Module to query IP and CVE information from GreyNoise
- **features**:
> - Query an IP from GreyNoise to see if it is internet background noise or a common business service
> - Query a CVE from GreyNoise to see the total number of internet scanners looking for the CVE in the last 7 days
> - Supports Enterprise (Paid) and Community API for IP lookup
> - CVE Lookup is only supported with an Enterprise API Key
>This module supports: 1) Query an IP from GreyNoise to see if it is internet background noise or a common business service 2) Query a CVE from GreyNoise to see the total number of internet scanners looking for the CVE in the last 7 days.
- **input**:
>An IP address or CVE ID.
>An IP address or CVE ID
- **output**:
> - For IPs: IP Lookup Details
> - FOR CVEs: Scanner Count for last 7 days
>IP Lookup information or CVE scanning profile for past 7 days
- **references**:
> - https://greynoise.io/
> - https://docs.greyniose.io/
> - https://www.greynoise.io/viz/account/
- **requirements**:
> - A Greynoise API key.
> - Selection of API Key type: `enterprise` (for Paid users) or `community` (for Free users)
>A Greynoise API key. Both Enterprise (Paid) and Community (Free) API keys are supported, however Community API users will only be able to perform IP lookups.
-----
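Review bot: the second reference URL in the GreyNoise block, `https://docs.greyniose.io/`, misspells the domain (`greyniose` for `greynoise`) and will not resolve as written; fix the spelling before this lands. Two smaller consistency points in the same hunk: the output bullet `FOR CVEs: Scanner Count for last 7 days` should match the casing of the `For IPs:` bullet above it, and the requirements section now says the key type is selected as `enterprise` or `community` while the features list says only that both are "supported", so it would help to state in features that CVE lookups need the `enterprise` type (the bullet already says Enterprise only) and that the type is a module setting, not something inferred from the key.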
@ -641,6 +636,25 @@ A hover module to check hashes against hashdd.com including NSLR dataset.
-----
#### [hashlookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hashlookup.py)
<img src=logos/circl.png height=60>
An expansion module to query the CIRCL hashlookup services to find it if a hash is part of a known set such as NSRL.
- **features**:
>The module takes file hashes as input such as a MD5 or SHA1.
> It queries the public CIRCL.lu hashlookup service and return all the hits if the hashes are known in an existing dataset. The module can be configured with a custom hashlookup url if required.
> The module can be used an hover module but also an expansion model to add related MISP objects.
>
- **input**:
>File hashes (MD5, SHA1)
- **output**:
>Object with the filename associated hashes if the hash is part of a known set.
- **references**:
>https://www.circl.lu/services/hashlookup/
-----
#### [hibp](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/hibp.py)
<img src=logos/hibp.png height=60>
@ -808,6 +822,8 @@ A module to submit files or URLs to Joe Sandbox for an advanced analysis, and re
<img src=logos/lastline.png height=60>
Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.
Query Lastline with an analysis link and parse the report into MISP attributes and objects.
The analysis link can also be retrieved from the output of the [lastline_submit](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/lastline_submit.py) expansion module.
- **features**:
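Review bot: the new deprecation notice names the replacement as plain text ("please use vmware_nsx module") while the very next line links to `lastline_submit` with a full markdown link; for consistency and so readers can jump to it, link the replacement to the `vmware_nsx` section added in this same change. It would also help to say what users of this query module lose, since the vmware_nsx entry describes an enrichment from IoCs rather than parsing an existing analysis link.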
@ -827,6 +843,8 @@ The analysis link can also be retrieved from the output of the [lastline_submit]
<img src=logos/lastline.png height=60>
Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.
Module to submit a file or URL to Lastline.
- **features**:
>The module requires a Lastline Analysis `api_token` and `key`.
@ -1022,6 +1040,25 @@ Module to get information from AlienVault OTX.
-----
#### [passivessh](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivessh.py)
<img src=logos/passivessh.png height=60>
An expansion module to query the CIRCL Passive SSH.
- **features**:
>The module queries the Passive SSH service from CIRCL.
>
> The module can be used an hover module but also an expansion model to add related MISP objects.
>
- **input**:
>IP addresses or SSH fingerprints
- **output**:
>SSH key materials, complementary IP addresses with similar SSH key materials
- **references**:
>https://github.com/D4-project/passive-ssh
-----
#### [passivetotal](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/passivetotal.py)
<img src=logos/passivetotal.png height=60>
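Review bot: the passivessh features text has the same grammar slip as the hashlookup entry, "used an hover module but also an expansion model", which should read "used as a hover module but also as an expansion module". The features paragraph only restates the description ("queries the Passive SSH service from CIRCL") and does not say what the lookup does with each input type; since input lists both IP addresses and SSH fingerprints and output lists key material plus IPs sharing that material, one sentence in features tying the two together (an IP returns its observed keys, a fingerprint returns the IPs it was seen on) would make the entry self-explanatory. The two empty `>` lines around the second sentence render as blank quoted paragraphs and can go.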
@ -1573,6 +1610,26 @@ Module to submit a sample to VMRay.
-----
#### [vmware_nsx](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vmware_nsx.py)
<img src=logos/vmware_nsx.png height=60>
Module to enrich a file or URL with VMware NSX Defender.
- **features**:
>This module takes an IoC such as file hash, file attachment, malware-sample or url as input to query VMware NSX Defender.
>
>The IoC is then enriched with data from VMware NSX Defender.
- **input**:
>File hash, attachment or URL to be enriched with VMware NSX Defender.
- **output**:
>Objects and tags generated by VMware NSX Defender.
- **references**:
>https://www.vmware.com
- **requirements**:
>The module requires a VMware NSX Defender Analysis `api_token` and `key`.
-----
#### [vulndb](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulndb.py)
<img src=logos/vulndb.png height=60>
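Review bot: the requirements line for vmware_nsx, "a VMware NSX Defender Analysis `api_token` and `key`", is word-for-word the Lastline wording from lastline_submit (`Lastline Analysis api_token and key`); please confirm these are really the configuration names the new module reads and not a copy-paste leftover, since the requirements section is what operators use to fill in the module settings. The single reference `https://www.vmware.com` is the vendor root page rather than anything about NSX Defender or its API; a product or API documentation link would be more useful. Minor: the text alternates between "IoC" and spelled-out terms and between "url" and "URL"; pick one form.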
@ -1726,6 +1783,26 @@ An expansion hover module to perform a syntax check on if yara rules are valid o
-----
#### [yeti](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yeti.py)
<img src=logos/yeti.png height=60>
Module to process a query on Yeti.
- **features**:
>This module add context and links between observables using yeti
- **input**:
>A domain, hostname,IP, sha256,sha1, md5, url of MISP attribute.
- **output**:
>MISP attributes and objects fetched from the Yeti instances.
- **references**:
> - https://github.com/yeti-platform/yeti
> - https://github.com/sebdraven/pyeti
- **requirements**:
> - pyeti
> - API key
-----
## Export Modules
#### [cef_export](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/export_mod/cef_export.py)
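Review bot: the yeti features sentence "This module add context and links between observables using yeti" has a verb agreement error ("adds") and should capitalize the product name as elsewhere in the entry. The input line "A domain, hostname,IP, sha256,sha1, md5, url of MISP attribute." has inconsistent spacing after commas and should read as a list of MISP attribute types, for example "A domain, hostname, IP, sha256, sha1, md5 or url MISP attribute." The output line says "Yeti instances" (plural) while nothing else in the entry suggests the module talks to more than one instance; and the requirement "API key" should say it is a Yeti API key, and ideally where the Yeti URL is configured, since the references point at both the platform and the pyeti client.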
@ -1958,6 +2035,22 @@ This module is used to create a VirusTotal Graph from a MISP event.
## Import Modules
#### [cof2misp](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/cof2misp.py)
Passive DNS Common Output Format (COF) MISP importer
- **features**:
>Takes as input a valid COF file or the output of the dnsdbflex utility and creates MISP objects for the input.
- **input**:
>Passive DNS output in Common Output Format (COF)
- **output**:
>MISP objects
- **references**:
>https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-08.html
- **requirements**:
>PyMISP
-----
#### [csvimport](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/import_mod/csvimport.py)
Module to import MISP attributes from a csv file.
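Review bot: the cof2misp input line says only "Passive DNS output in Common Output Format (COF)" while the features line says the module also accepts "the output of the dnsdbflex utility"; the input section should mention both so the two do not contradict each other, and a link for dnsdbflex would help since it is named without one. The reference is pinned to a specific draft revision (`-08`); a version-independent link to the draft would keep this entry from going stale when the draft is updated.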
@ -2050,6 +2143,8 @@ A module to import data from a Joe Sandbox analysis json report.
<img src=logos/lastline.png height=60>
Deprecation notice: this module will be deprecated by December 2021, please use vmware_nsx module.
Module to import and parse reports from Lastline analysis links.
- **features**:
>The module requires a Lastline Portal `username` and `password`.
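Review bot: this deprecation notice points users of an import module ("Module to import and parse reports from Lastline analysis links", under the Import Modules heading) to `vmware_nsx`, but the only vmware_nsx module added in this change is under the expansion modules section and enriches IoCs rather than importing reports; state that there is no like-for-like import replacement, or name the actual import path if one exists, rather than reusing the same notice text as the two expansion modules. As with the other two notices, linking `vmware_nsx` to its section in this file would be consistent with how modules are referenced elsewhere in the document.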