Merge remote-tracking branch 'upstream/main' into main

pull/452/head
Jens Thom 2020-11-30 12:23:11 +01:00
commit a404202d1d
210 changed files with 2609 additions and 1190 deletions

26
Pipfile
View File

@ -11,16 +11,16 @@ flake8 = "*"
[packages]
dnspython = "*"
requests = {extras = ["security"],version = "*"}
requests = { extras = ["security"], version = "*" }
urlarchiver = "*"
passivetotal = "*"
pypdns = "*"
pypssl = "*"
pyeupi = "*"
uwhois = {editable = true,git = "https://github.com/Rafiot/uwhoisd.git",ref = "testing",subdirectory = "client"}
pymisp = {editable = true,extras = ["fileobjects,openioc,pdfexport"],git = "https://github.com/MISP/PyMISP.git"}
pyonyphe = {editable = true,git = "https://github.com/sebdraven/pyonyphe"}
pydnstrails = {editable = true,git = "https://github.com/sebdraven/pydnstrails"}
uwhois = { editable = true, git = "https://github.com/Rafiot/uwhoisd.git", ref = "testing", subdirectory = "client" }
pymisp = { editable = true, extras = ["fileobjects,openioc,pdfexport,email"], git = "https://github.com/MISP/PyMISP.git" }
pyonyphe = { editable = true, git = "https://github.com/sebdraven/pyonyphe" }
pydnstrails = { editable = true, git = "https://github.com/sebdraven/pydnstrails" }
pytesseract = "*"
pygeoip = "*"
beautifulsoup4 = "*"
@ -32,20 +32,20 @@ maclookup = "*"
vulners = "*"
blockchain = "*"
reportlab = "*"
pyintel471 = {editable = true,git = "https://github.com/MISP/PyIntel471.git"}
pyintel471 = { editable = true, git = "https://github.com/MISP/PyIntel471.git" }
shodan = "*"
Pillow = "*"
Wand = "*"
SPARQLWrapper = "*"
domaintools_api = "*"
misp-modules = {editable = true,path = "."}
pybgpranking = {editable = true,git = "https://github.com/D4-project/BGP-Ranking.git/",subdirectory = "client"}
pyipasnhistory = {editable = true,git = "https://github.com/D4-project/IPASN-History.git/",subdirectory = "client"}
misp-modules = { editable = true, path = "." }
pybgpranking = { editable = true, git = "https://github.com/D4-project/BGP-Ranking.git/", subdirectory = "client" }
pyipasnhistory = { editable = true, git = "https://github.com/D4-project/IPASN-History.git/", subdirectory = "client" }
backscatter = "*"
pyzbar = "*"
opencv-python = "*"
np = "*"
ODTReader = {editable = true,git = "https://github.com/cartertemm/ODTReader.git/"}
ODTReader = { editable = true, git = "https://github.com/cartertemm/ODTReader.git/" }
python-pptx = "*"
python-docx = "*"
ezodf = "*"
@ -54,13 +54,17 @@ pandas_ods_reader = "*"
pdftotext = "*"
lxml = "*"
xlrd = "*"
idna-ssl = {markers = "python_version < '3.7'"}
idna-ssl = { markers = "python_version < '3.7'" }
jbxapi = "*"
geoip2 = "*"
apiosintDS = "*"
assemblyline_client = "*"
vt-graph-api = "*"
trustar = "*"
markdownify = "==0.5.3"
socialscan = "*"
dnsdb2 = "*"
clamd = "*"
[requires]
python_version = "3"

1124
Pipfile.lock generated

File diff suppressed because it is too large Load Diff

View File

@ -31,6 +31,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
* [CIRCL Passive SSL](misp_modules/modules/expansion/circl_passivessl.py) - a hover and expansion module to expand IP addresses with the X.509 certificate(s) seen.
* [countrycode](misp_modules/modules/expansion/countrycode.py) - a hover module to tell you what country a URL belongs to.
* [CrowdStrike Falcon](misp_modules/modules/expansion/crowdstrike_falcon.py) - an expansion module to expand using CrowdStrike Falcon Intel Indicator API.
* [CPE](misp_modules/modules/expansion/cpe.py) - An expansion module to query the CVE Search API with a cpe code, to get its related vulnerabilities.
* [CVE](misp_modules/modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE).
* [CVE advanced](misp_modules/modules/expansion/cve_advanced.py) - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).
* [Cuckoo submit](misp_modules/modules/expansion/cuckoo_submit.py) - A hover module to submit malware sample, url, attachment, domain to Cuckoo Sandbox.
@ -48,6 +49,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
* [Greynoise](misp_modules/modules/expansion/greynoise.py) - a hover to get information from greynoise.
* [hashdd](misp_modules/modules/expansion/hashdd.py) - a hover module to check file hashes against [hashdd.com](http://www.hashdd.com) including NSLR dataset.
* [hibp](misp_modules/modules/expansion/hibp.py) - a hover module to lookup against Have I Been Pwned?
* [html_to_markdown](misp_modules/modules/expansion/html_to_markdown.py) - Simple HTML to markdown converter
* [intel471](misp_modules/modules/expansion/intel471.py) - an expansion module to get info from [Intel471](https://intel471.com).
* [IPASN](misp_modules/modules/expansion/ipasn.py) - a hover and expansion to get the BGP ASN of an IP address.
* [iprep](misp_modules/modules/expansion/iprep.py) - an expansion module to get IP reputation from packetmail.net.
@ -75,7 +77,8 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
* [shodan](misp_modules/modules/expansion/shodan.py) - a minimal [shodan](https://www.shodan.io/) expansion module.
* [Sigma queries](misp_modules/modules/expansion/sigma_queries.py) - Experimental expansion module querying a sigma rule to convert it into all the available SIEM signatures.
* [Sigma syntax validator](misp_modules/modules/expansion/sigma_syntax_validator.py) - Sigma syntax validator.
* [SophosLabs Intelix](misp_modules/modules/expansion/sophoslabs_intelix.py) - SophosLabs Intelix is an API for Threat Intelligence and Analysis (free tier availible). [SophosLabs](https://aws.amazon.com/marketplace/pp/B07SLZPMCS)
* [Socialscan](misp_modules/modules/expansion/socialscan.py) - a hover module to check if an email address or a username is used on different online platforms, using the [socialscan](https://github.com/iojw/socialscan) python library
* [SophosLabs Intelix](misp_modules/modules/expansion/sophoslabs_intelix.py) - SophosLabs Intelix is an API for Threat Intelligence and Analysis (free tier available). [SophosLabs](https://aws.amazon.com/marketplace/pp/B07SLZPMCS)
* [sourcecache](misp_modules/modules/expansion/sourcecache.py) - a module to cache a specific link from a MISP instance.
* [STIX2 pattern syntax validator](misp_modules/modules/expansion/stix2_pattern_syntax_validator.py) - a module to check a STIX2 pattern syntax.
* [ThreatCrowd](misp_modules/modules/expansion/threatcrowd.py) - an expansion module for [ThreatCrowd](https://www.threatcrowd.org/).

View File

@ -1,35 +1,43 @@
#
# These requirements were autogenerated by pipenv
# To regenerate from the project's Pipfile, run:
#
# pipenv lock --requirements
#
-i https://pypi.org/simple
-e .
-e git+https://github.com/D4-project/BGP-Ranking.git/@fd9c0e03af9b61d4bf0b67ac73c7208a55178a54#egg=pybgpranking&subdirectory=client
-e git+https://github.com/D4-project/IPASN-History.git/@fc5e48608afc113e101ca6421bf693b7b9753f9e#egg=pyipasnhistory&subdirectory=client
-e git+https://github.com/MISP/PyIntel471.git@0df8d51f1c1425de66714b3a5a45edb69b8cc2fc#egg=pyintel471
-e git+https://github.com/MISP/PyMISP.git@bacd4c78cd83d3bf45dcf55cd9ad3514747ac985#egg=pymisp[fileobjects,openioc,pdfexport]
-e git+https://github.com/MISP/PyMISP.git@fe91e10cedb4660b58dcc0db7833c46a5b0efeb9#egg=pymisp[email,fileobjects,openioc,pdfexport]
-e git+https://github.com/Rafiot/uwhoisd.git@783bba09b5a6964f25566089826a1be4b13f2a22#egg=uwhois&subdirectory=client
-e git+https://github.com/cartertemm/ODTReader.git/@49d6938693f6faa3ff09998f86dba551ae3a996b#egg=odtreader
-e git+https://github.com/sebdraven/pydnstrails@48c1f740025c51289f43a24863d1845ff12fd21a#egg=pydnstrails
-e git+https://github.com/sebdraven/pyonyphe@1ce15581beebb13e841193a08a2eb6f967855fcb#egg=pyonyphe
aiohttp==3.6.2; python_full_version >= '3.5.3'
aiohttp==3.7.3; python_version >= '3.6'
antlr4-python3-runtime==4.8; python_version >= '3'
apiosintds==1.8.3
argparse==1.4.0
assemblyline-client==4.0.1
async-timeout==3.0.1; python_full_version >= '3.5.3'
attrs==20.2.0; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
attrs==20.3.0; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
backscatter==0.2.4
beautifulsoup4==4.9.3
blockchain==1.4.4
certifi==2020.6.20
cffi==1.14.3
certifi==2020.11.8
cffi==1.14.4
chardet==3.0.4
clamd==1.0.2
click-plugins==1.1.1
click==7.1.2; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'
colorama==0.4.3; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'
colorama==0.4.4; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'
configparser==5.0.1; python_version >= '3.6'
cryptography==3.1.1
clamd==1.0.2
dataclasses; python_version < '3.7'
cryptography==3.2.1
dataclasses==0.8; python_version < '3.7'
decorator==4.4.2
deprecated==1.2.10; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
dnsdb2==1.1.1
dnspython==2.0.0
domaintools-api==0.5.2
enum-compat==0.0.3
@ -41,30 +49,39 @@ geoip2==4.1.0
httplib2==0.18.1
idna-ssl==1.1.0; python_version < '3.7'
idna==2.10; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
importlib-metadata==3.1.0; python_version < '3.8'
importlib==1.0.4; python_version < '3.8'
isodate==0.6.0
jbxapi==3.11.0
jbxapi==3.14.0
json-log-formatter==0.3.0
jsonschema==3.2.0
lief==0.10.1
lxml==4.5.2
lxml==4.6.2
maclookup==1.0.3
<<<<<<< HEAD
markdownify==0.5.3
maxminddb==2.0.2; python_version >= '3.6'
multidict==4.7.6; python_version >= '3.5'
=======
mail-parser==3.14.0
markdownify==0.5.3
maxminddb==2.0.3; python_version >= '3.6'
multidict==5.0.2; python_version >= '3.5'
>>>>>>> upstream/main
np==1.0.2
numpy==1.19.2; python_version >= '3.6'
numpy==1.19.4; python_version >= '3.6'
oauth2==1.9.0.post1
opencv-python==4.4.0.44
opencv-python==4.4.0.46
pandas-ods-reader==0.0.7
pandas==1.1.3
pandas==1.1.4
passivetotal==1.0.31
pdftotext==2.1.5
pillow==7.2.0
pillow==8.0.1
progressbar2==3.53.1
psutil==5.7.2; python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'
psutil==5.7.3; python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'
pycparser==2.20; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
pycryptodome==3.9.8; python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'
pycryptodomex==3.9.8; python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'
pycryptodome==3.9.9; python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'
pycryptodomex==3.9.9; python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'
pydeep==0.4
pyeupi==1.1
pygeoip==0.3.2
@ -88,31 +105,36 @@ pyzbar==0.1.8
pyzipper==0.3.3; python_version >= '3.5'
rdflib==5.0.0
redis==3.5.3; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'
reportlab==3.5.53
reportlab==3.5.55
requests-cache==0.5.2
requests[security]==2.24.0
shodan==1.23.1
requests[security]==2.25.0
shodan==1.24.0
sigmatools==0.18.1
simplejson==3.17.2; python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'
six==1.15.0; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
socialscan==1.4.1
socketio-client==0.5.7.4
soupsieve==2.0.1; python_version >= '3.0'
soupsieve==2.0.1; python_version >= '3'
sparqlwrapper==1.8.5
stix2-patterns==1.3.1
tabulate==0.8.7
tornado==6.0.4; python_version >= '3.5'
trustar==0.3.33
tornado==6.1; python_version >= '3.5'
tqdm==4.54.0; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
trustar==0.3.34
typing-extensions==3.7.4.3; python_version < '3.8'
tzlocal==2.1
unicodecsv==0.14.1
url-normalize==1.4.2; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'
url-normalize==1.4.3; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'
urlarchiver==0.2
urllib3==1.25.10; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'
urllib3==1.26.2; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4.0'
validators==0.14.0
vt-graph-api==1.0.1
vulners==1.5.8
wand==0.6.3
vulners==1.5.9
wand==0.6.4
websocket-client==0.57.0
wrapt==1.12.1
xlrd==1.2.0
xlsxwriter==1.3.6
xlsxwriter==1.3.7
yara-python==3.8.1
yarl==1.6.0; python_version >= '3.5'
yarl==1.6.3; python_version >= '3.6'
zipp==3.4.0; python_version >= '3.6'

View File

@ -1,9 +0,0 @@
{
"description": "Module to access Farsight DNSDB Passive DNS.",
"logo": "logos/farsight.png",
"requirements": ["An access to the Farsight Passive DNS API (apikey)"],
"input": "A domain, hostname or IP address MISP attribute.",
"output": "Text containing information about the input, resulting from the query on the Farsight Passive DNS API.",
"references": ["https://www.farsightsecurity.com/"],
"features": "This module takes a domain, hostname or IP address MISP attribute as input to query the Farsight Passive DNS API. The API returns then the result of the query with some information about the value queried."
}

View File

@ -1,9 +0,0 @@
{
"description": "Module to access GreyNoise.io API",
"logo": "logos/greynoise.png",
"requirements": ["A Greynoise API key."],
"input": "An IP address.",
"output": "Additional information about the IP fetched from Greynoise API.",
"references": ["https://greynoise.io/", "https://github.com/GreyNoise-Intelligence/api.greynoise.io"],
"features": "The module takes an IP address as input and queries Greynoise for some additional information about it: basically it checks whether a given IP address is “Internet background noise”, or has been observed scanning or attacking devices across the Internet. The result is returned as text."
}

View File

@ -1,8 +0,0 @@
{
"description": "Module to export a MISP event in CEF format.",
"requirements": [],
"features": "The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in Common Event Format.\nThus, there is no particular feature concerning MISP Events since any event can be exported. However, 4 configuration parameters recognized by CEF format are required and should be provided by users before exporting data: the device vendor, product and version, as well as the default severity of data.",
"references": ["https://community.softwaregrp.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Guide/ta-p/1589306?attachment-id=65537"],
"input": "MISP Event attributes",
"output": "Common Event Format file"
}

View File

@ -1,9 +0,0 @@
{
"description": "This module is used to export MISP events containing transaction objects into GoAML format.",
"logo": "logos/goAML.jpg",
"requirements": ["PyMISP","MISP objects"],
"features": "The module works as long as there is at least one transaction object in the Event.\n\nThen in order to have a valid GoAML document, please follow these guidelines:\n- For each transaction object, use either a bank-account, person, or legal-entity object to describe the origin of the transaction, and again one of them to describe the target of the transaction.\n- Create an object reference for both origin and target objects of the transaction.\n- A bank-account object needs a signatory, which is a person object, put as object reference of the bank-account.\n- A person can have an address, which is a geolocation object, put as object reference of the person.\n\nSupported relation types for object references that are recommended for each object are the folowing:\n- transaction:\n\t- 'from', 'from_my_client': Origin of the transaction - at least one of them is required.\n\t- 'to', 'to_my_client': Target of the transaction - at least one of them is required.\n\t- 'address': Location of the transaction - optional.\n- bank-account:\n\t- 'signatory': Signatory of a bank-account - the reference from bank-account to a signatory is required, but the relation-type is optional at the moment since this reference will always describe a signatory.\n\t- 'entity': Entity owning the bank account - optional.\n- person:\n\t- 'address': Address of a person - optional.",
"references": ["http://goaml.unodc.org/"],
"input": "MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target.",
"output": "GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities)."
}

View File

@ -1,8 +0,0 @@
{
"description": "Lite export of a MISP event.",
"requirements": [],
"features": "This module is simply producing a json MISP event format file, but exporting only Attributes from the Event. Thus, MISP Events exported with this module should have attributes that are not internal references, otherwise the resulting event would be empty.",
"references": [],
"input": "MISP Event attributes",
"output": "Lite MISP Event"
}

View File

@ -1,9 +0,0 @@
{
"description": "Nexthink NXQL query export module",
"requirements": [],
"features": "This module export an event as Nexthink NXQL queries that can then be used in your own python3 tool or from wget/powershell",
"references": ["https://doc.nexthink.com/Documentation/Nexthink/latest/APIAndIntegrations/IntroducingtheWebAPIV2"],
"input": "MISP Event attributes",
"output": "Nexthink NXQL queries",
"logo": "logos/nexthink.svg"
}

View File

@ -1,9 +0,0 @@
{
"description": "OSQuery export of a MISP event.",
"requirements": [],
"features": "This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide.",
"references": [],
"input": "MISP Event attributes",
"output": "osquery SQL queries",
"logo": "logos/osquery.png"
}

View File

@ -1,8 +0,0 @@
{
"description": "Simple export of a MISP event to PDF.",
"requirements": ["PyMISP", "reportlab"],
"features": "The module takes care of the PDF file building, and work with any MISP Event. Except the requirement of reportlab, used to create the file, there is no special feature concerning the Event. Some parameters can be given through the config dict. 'MISP_base_url_for_dynamic_link' is your MISP URL, to attach an hyperlink to your event on your MISP instance from the PDF. Keep it clear to avoid hyperlinks in the generated pdf.\n 'MISP_name_for_metadata' is your CERT or MISP instance name. Used as text in the PDF' metadata\n 'Activate_textual_description' is a boolean (True or void) to activate the textual description/header abstract of an event\n 'Activate_galaxy_description' is a boolean (True or void) to activate the description of event related galaxies.\n 'Activate_related_events' is a boolean (True or void) to activate the description of related event. Be aware this might leak information on confidential events linked to the current event !\n 'Activate_internationalization_fonts' is a boolean (True or void) to activate Noto fonts instead of default fonts (Helvetica). This allows the support of CJK alphabet. Be sure to have followed the procedure to download Noto fonts (~70Mo) in the right place (/tools/pdf_fonts/Noto_TTF), to allow PyMisp to find and use them during PDF generation.\n 'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option ",
"references": ["https://acrobat.adobe.com/us/en/acrobat/about-adobe-pdf.html"],
"input": "MISP Event",
"output": "MISP Event in a PDF file."
}

View File

@ -1,9 +0,0 @@
{
"description": "Module to export a structured CSV file for uploading to threatStream.",
"logo": "logos/threatstream.png",
"requirements": ["csv"],
"features": "The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatStream.",
"references": ["https://www.anomali.com/platform/threatstream", "https://github.com/threatstream"],
"input": "MISP Event attributes",
"output": "ThreatStream CSV format file"
}

View File

@ -1,9 +0,0 @@
{
"description": "Module to export a structured CSV file for uploading to ThreatConnect.",
"logo": "logos/threatconnect.png",
"requirements": ["csv"],
"features": "The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatConnect.\nUsers should then provide, as module configuration, the source of data they export, because it is required by the output format.",
"references": ["https://www.threatconnect.com"],
"input": "MISP Event attributes",
"output": "ThreatConnect CSV format file"
}

View File

@ -1,65 +0,0 @@
# -*- coding: utf-8 -*-
import os
import json
module_types = ['expansion', 'export_mod', 'import_mod']
titles = ['Expansion Modules', 'Export Modules', 'Import Modules']
markdown = ["# MISP modules documentation\n"]
githublink = 'https://github.com/MISP/misp-modules/tree/master/misp_modules/modules'
def generate_doc(root_path):
for _path, title in zip(module_types, titles):
markdown.append('\n## {}\n'.format(title))
current_path = os.path.join(root_path, _path)
files = sorted(os.listdir(current_path))
githubpath = '{}/{}'.format(githublink, _path)
for _file in files:
modulename = _file.split('.json')[0]
githubref = '{}/{}.py'.format(githubpath, modulename)
markdown.append('\n#### [{}]({})\n'.format(modulename, githubref))
filename = os.path.join(current_path, _file)
with open(filename, 'rt') as f:
definition = json.loads(f.read())
if 'logo' in definition:
markdown.append('\n<img src={} height=60>\n'.format(definition.pop('logo')))
if 'description' in definition:
markdown.append('\n{}\n'.format(definition.pop('description')))
for field, value in sorted(definition.items()):
if value:
value = ', '.join(value) if isinstance(value, list) else '{}'.format(value.replace('\n', '\n>'))
markdown.append('- **{}**:\n>{}\n'.format(field, value))
markdown.append('\n-----\n')
with open('README.md', 'w') as w:
w.write(''.join(markdown))
def generate_docs_for_mkdocs(root_path):
for _path, title in zip(module_types, titles):
markdown = []
#markdown.append('## {}\n'.format(title))
current_path = os.path.join(root_path, _path)
files = sorted(os.listdir(current_path))
githubpath = '{}/{}'.format(githublink, _path)
for _file in files:
modulename = _file.split('.json')[0]
githubref = '{}/{}.py'.format(githubpath, modulename)
markdown.append('\n#### [{}]({})\n'.format(modulename, githubref))
filename = os.path.join(current_path, _file)
with open(filename, 'rt') as f:
definition = json.loads(f.read())
if 'logo' in definition:
markdown.append('\n<img src={} height=60>\n'.format(definition.pop('logo')))
if 'description' in definition:
markdown.append('\n{}\n'.format(definition.pop('description')))
for field, value in sorted(definition.items()):
if value:
value = ', '.join(value) if isinstance(value, list) else '{}'.format(value.replace('\n', '\n>'))
markdown.append('- **{}**:\n>{}\n'.format(field, value))
markdown.append('\n-----\n')
with open(root_path+"/../"+"/docs/"+_path+".md", 'w') as w:
w.write(''.join(markdown))
if __name__ == '__main__':
root_path = os.path.dirname(os.path.realpath(__file__))
generate_doc(root_path)
generate_docs_for_mkdocs(root_path)

View File

@ -1,8 +0,0 @@
{
"description": "Module to import MISP attributes from a csv file.",
"requirements": ["PyMISP"],
"features": "In order to parse data from a csv file, a header is required to let the module know which column is matching with known attribute fields / MISP types.\n\nThis header either comes from the csv file itself or is part of the configuration of the module and should be filled out in MISP plugin settings, each field separated by COMMAS. Fields that do not match with any type known in MISP or are not MISP attribute fields should be ignored in import, using a space or simply nothing between two separators (example: 'ip-src, , comment, ').\n\nIf the csv file already contains a header that does not start by a '#', you should tick the checkbox 'has_header' to avoid importing it and have potential issues. You can also redefine the header even if it is already contained in the file, by following the rules for headers explained earlier. One reason why you would redefine a header is for instance when you want to skip some fields, or some fields are not valid types.",
"references": ["https://tools.ietf.org/html/rfc4180", "https://tools.ietf.org/html/rfc7111"],
"input": "CSV format file.",
"output": "MISP Event attributes"
}

View File

@ -1,9 +0,0 @@
{
"description": "Module to import Cuckoo JSON.",
"logo": "logos/cuckoo.png",
"requirements": [],
"features": "The module simply imports MISP Attributes from a Cuckoo JSON format file. There is thus no special feature to make it work.",
"references": ["https://cuckoosandbox.org/", "https://github.com/cuckoosandbox/cuckoo"],
"input": "Cuckoo JSON file",
"output": "MISP Event attributes"
}

View File

@ -1,8 +0,0 @@
{
"description": "Module to import emails in MISP.",
"requirements": [],
"features": "This module can be used to import e-mail text as well as attachments and urls.\n3 configuration parameters are then used to unzip attachments, guess zip attachment passwords, and extract urls: set each one of them to True or False to process or not the respective corresponding actions.",
"references": [],
"input": "E-mail file",
"output": "MISP Event attributes"
}

View File

@ -1,9 +0,0 @@
{
"description": "Module to import MISP objects about financial transactions from GoAML files.",
"logo": "logos/goAML.jpg",
"requirements": ["PyMISP"],
"features": "Unlike the GoAML export module, there is here no special feature to import data from GoAML external files, since the module will import MISP Objects with their References on its own, as it is required for the export module to rebuild a valid GoAML document.",
"references": "http://goaml.unodc.org/",
"input": "GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities).",
"output": "MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target."
}

View File

@ -1,8 +0,0 @@
{
"description": "Module to import MISP JSON format for merging MISP events.",
"requirements": [],
"features": "The module simply imports MISP Attributes from an other MISP Event in order to merge events together. There is thus no special feature to make it work.",
"references": [],
"input": "MISP Event",
"output": "MISP Event attributes"
}

View File

@ -1,8 +0,0 @@
{
"description": "Optical Character Recognition (OCR) module for MISP.",
"requirements": [],
"features": "The module tries to recognize some text from an image and import the result as a freetext attribute, there is then no special feature asked to users to make it work.",
"references": [],
"input": "Image",
"output": "freetext MISP attribute"
}

View File

@ -1,8 +0,0 @@
{
"description": "Module to import OpenIOC packages.",
"requirements": ["PyMISP"],
"features": "The module imports MISP Attributes from OpenIOC packages, there is then no special feature for users to make it work.",
"references": ["https://www.fireeye.com/blog/threat-research/2013/10/openioc-basics.html"],
"input": "OpenIOC packages",
"output": "MISP Event attributes"
}

View File

@ -1,8 +0,0 @@
{
"description": "Module to import ThreatAnalyzer archive.zip / analysis.json files.",
"requirements": [],
"features": "The module imports MISP Attributes from a ThreatAnalyzer format file. This file can be either ZIP, or JSON format.\nThere is by the way no special feature for users to make the module work.",
"references": ["https://www.threattrack.com/malware-analysis.aspx"],
"input": "ThreatAnalyzer format file",
"output": "MISP Event attributes"
}

View File

@ -1,9 +0,0 @@
{
"description": "Module to import VMRay (VTI) results.",
"logo": "logos/vmray.png",
"requirements": ["vmray_rest_api"],
"features": "The module imports MISP Attributes from VMRay format, using the VMRay api.\nUsers should then provide as the module configuration the API Key as well as the server url in order to fetch their data to import.",
"references": ["https://www.vmray.com/"],
"input": "VMRay format",
"output": "MISP Event attributes"
}

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,68 @@
# -*- coding: utf-8 -*-
import os
import json
module_types = ['expansion', 'export_mod', 'import_mod']
titles = ['Expansion Modules', 'Export Modules', 'Import Modules']
githublink = 'https://github.com/MISP/misp-modules/tree/main/misp_modules/modules'
def generate_doc(module_type, root_path, logo_path='logos'):
markdown = []
current_path = os.path.join(root_path, 'website', module_type)
files = sorted(os.listdir(current_path))
githubpath = f'{githublink}/{module_type}'
for filename in files:
modulename = filename.split('.json')[0]
githubref = f'{githubpath}/{modulename}.py'
markdown.append(f'\n#### [{modulename}]({githubref})\n')
filename = os.path.join(current_path, filename)
with open(filename, 'rt') as f:
definition = json.loads(f.read())
if 'logo' in definition:
logo = os.path.join(logo_path, definition.pop('logo'))
markdown.append(f"\n<img src={logo} height=60>\n")
if 'description' in definition:
markdown.append(f"\n{definition.pop('description')}\n")
for field, value in sorted(definition.items()):
if not value:
continue
if isinstance(value, list):
markdown.append(handle_list(field, value))
continue
markdown.append(get_single_value(field, value.replace('\n', '\n>')))
markdown.append('\n-----\n')
return markdown
def get_single_value(field, value):
return f"- **{field}**:\n>{value}\n"
def handle_list(field, values):
if len(values) == 1:
return get_single_value(field, values[0])
values = '\n> - '.join(values)
return f"- **{field}**:\n> - {values}\n"
def write_doc(root_path):
markdown = ["# MISP modules documentation\n"]
for _path, title in zip(module_types, titles):
markdown.append(f'\n## {title}\n')
markdown.extend(generate_doc(_path, root_path))
with open('README.md', 'w') as w:
w.write(''.join(markdown))
def write_docs_for_mkdocs(root_path):
for _path, title in zip(module_types, titles):
markdown = generate_doc(_path, root_path, logo_path='../logos')
with open(os.path.join(root_path, 'mkdocs', f'{_path}.md'), 'w') as w:
w.write(''.join(markdown))
if __name__ == '__main__':
root_path = os.path.dirname(os.path.realpath(__file__))
write_doc(root_path)
write_docs_for_mkdocs(root_path)

View File

Before

Width:  |  Height:  |  Size: 6.8 KiB

After

Width:  |  Height:  |  Size: 6.8 KiB

View File

Before

Width:  |  Height:  |  Size: 171 KiB

After

Width:  |  Height:  |  Size: 171 KiB

View File

Before

Width:  |  Height:  |  Size: 25 KiB

After

Width:  |  Height:  |  Size: 25 KiB

View File

Before

Width:  |  Height:  |  Size: 9.7 KiB

After

Width:  |  Height:  |  Size: 9.7 KiB

View File

Before

Width:  |  Height:  |  Size: 35 KiB

After

Width:  |  Height:  |  Size: 35 KiB

View File

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 34 KiB

View File

Before

Width:  |  Height:  |  Size: 12 KiB

After

Width:  |  Height:  |  Size: 12 KiB

View File

Before

Width:  |  Height:  |  Size: 20 KiB

After

Width:  |  Height:  |  Size: 20 KiB

View File

Before

Width:  |  Height:  |  Size: 898 B

After

Width:  |  Height:  |  Size: 898 B

Binary file not shown.

After

Width:  |  Height:  |  Size: 648 KiB

View File

Before

Width:  |  Height:  |  Size: 8.4 KiB

After

Width:  |  Height:  |  Size: 8.4 KiB

View File

Before

Width:  |  Height:  |  Size: 4.8 KiB

After

Width:  |  Height:  |  Size: 4.8 KiB

View File

Before

Width:  |  Height:  |  Size: 61 KiB

After

Width:  |  Height:  |  Size: 61 KiB

View File

Before

Width:  |  Height:  |  Size: 9.4 KiB

After

Width:  |  Height:  |  Size: 9.4 KiB

View File

Before

Width:  |  Height:  |  Size: 12 KiB

After

Width:  |  Height:  |  Size: 12 KiB

View File

Before

Width:  |  Height:  |  Size: 31 KiB

After

Width:  |  Height:  |  Size: 31 KiB

View File

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 16 KiB

View File

Before

Width:  |  Height:  |  Size: 112 KiB

After

Width:  |  Height:  |  Size: 112 KiB

View File

Before

Width:  |  Height:  |  Size: 20 KiB

After

Width:  |  Height:  |  Size: 20 KiB

View File

Before

Width:  |  Height:  |  Size: 6.6 KiB

After

Width:  |  Height:  |  Size: 6.6 KiB

View File

Before

Width:  |  Height:  |  Size: 30 KiB

After

Width:  |  Height:  |  Size: 30 KiB

View File

Before

Width:  |  Height:  |  Size: 9.6 KiB

After

Width:  |  Height:  |  Size: 9.6 KiB

View File

Before

Width:  |  Height:  |  Size: 7.0 KiB

After

Width:  |  Height:  |  Size: 7.0 KiB

View File

Before

Width:  |  Height:  |  Size: 1.8 KiB

After

Width:  |  Height:  |  Size: 1.8 KiB

View File

Before

Width:  |  Height:  |  Size: 4.9 KiB

After

Width:  |  Height:  |  Size: 4.9 KiB

View File

Before

Width:  |  Height:  |  Size: 25 KiB

After

Width:  |  Height:  |  Size: 25 KiB

View File

Before

Width:  |  Height:  |  Size: 4.7 KiB

After

Width:  |  Height:  |  Size: 4.7 KiB

View File

Before

Width:  |  Height:  |  Size: 9.9 KiB

After

Width:  |  Height:  |  Size: 9.9 KiB

View File

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 13 KiB

View File

Before

Width:  |  Height:  |  Size: 10 KiB

After

Width:  |  Height:  |  Size: 10 KiB

View File

Before

Width:  |  Height:  |  Size: 1.6 KiB

After

Width:  |  Height:  |  Size: 1.6 KiB

View File

Before

Width:  |  Height:  |  Size: 8.5 KiB

After

Width:  |  Height:  |  Size: 8.5 KiB

View File

Before

Width:  |  Height:  |  Size: 19 KiB

After

Width:  |  Height:  |  Size: 19 KiB

View File

Before

Width:  |  Height:  |  Size: 25 KiB

After

Width:  |  Height:  |  Size: 25 KiB

View File

Before

Width:  |  Height:  |  Size: 36 KiB

After

Width:  |  Height:  |  Size: 36 KiB

View File

Before

Width:  |  Height:  |  Size: 7.8 KiB

After

Width:  |  Height:  |  Size: 7.8 KiB

View File

Before

Width:  |  Height:  |  Size: 12 KiB

After

Width:  |  Height:  |  Size: 12 KiB

View File

Before

Width:  |  Height:  |  Size: 38 KiB

After

Width:  |  Height:  |  Size: 38 KiB

View File

Before

Width:  |  Height:  |  Size: 7.8 KiB

After

Width:  |  Height:  |  Size: 7.8 KiB

View File

Before

Width:  |  Height:  |  Size: 33 KiB

After

Width:  |  Height:  |  Size: 33 KiB

View File

Before

Width:  |  Height:  |  Size: 27 KiB

After

Width:  |  Height:  |  Size: 27 KiB

View File

Before

Width:  |  Height:  |  Size: 26 KiB

After

Width:  |  Height:  |  Size: 26 KiB

View File

Before

Width:  |  Height:  |  Size: 5.9 KiB

After

Width:  |  Height:  |  Size: 5.9 KiB

View File

Before

Width:  |  Height:  |  Size: 3.6 KiB

After

Width:  |  Height:  |  Size: 3.6 KiB

View File

Before

Width:  |  Height:  |  Size: 15 KiB

After

Width:  |  Height:  |  Size: 15 KiB

View File

Before

Width:  |  Height:  |  Size: 3.0 KiB

After

Width:  |  Height:  |  Size: 3.0 KiB

View File

Before

Width:  |  Height:  |  Size: 6.0 KiB

After

Width:  |  Height:  |  Size: 6.0 KiB

View File

Before

Width:  |  Height:  |  Size: 3.4 KiB

After

Width:  |  Height:  |  Size: 3.4 KiB

View File

Before

Width:  |  Height:  |  Size: 37 KiB

After

Width:  |  Height:  |  Size: 37 KiB

View File

Before

Width:  |  Height:  |  Size: 47 KiB

After

Width:  |  Height:  |  Size: 47 KiB

View File

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 13 KiB

View File

Before

Width:  |  Height:  |  Size: 2.7 KiB

After

Width:  |  Height:  |  Size: 2.7 KiB

View File

Before

Width:  |  Height:  |  Size: 15 KiB

After

Width:  |  Height:  |  Size: 15 KiB

View File

Before

Width:  |  Height:  |  Size: 4.7 KiB

After

Width:  |  Height:  |  Size: 4.7 KiB

View File

Before

Width:  |  Height:  |  Size: 3.8 KiB

After

Width:  |  Height:  |  Size: 3.8 KiB

View File

Before

Width:  |  Height:  |  Size: 4.3 KiB

After

Width:  |  Height:  |  Size: 4.3 KiB

View File

Before

Width:  |  Height:  |  Size: 8.3 KiB

After

Width:  |  Height:  |  Size: 8.3 KiB

View File

Before

Width:  |  Height:  |  Size: 9.8 KiB

After

Width:  |  Height:  |  Size: 9.8 KiB

View File

Before

Width:  |  Height:  |  Size: 61 KiB

After

Width:  |  Height:  |  Size: 61 KiB

View File

Before

Width:  |  Height:  |  Size: 1.1 KiB

After

Width:  |  Height:  |  Size: 1.1 KiB

View File

Before

Width:  |  Height:  |  Size: 10 KiB

After

Width:  |  Height:  |  Size: 10 KiB

View File

@ -1,8 +1,12 @@
{
"description": "On demand query API for OSINT.digitalside.it project.",
"requirements": ["The apiosintDS python library to query the OSINT.digitalside.it API."],
"requirements": [
"The apiosintDS python library to query the OSINT.digitalside.it API."
],
"input": "A domain, ip, url or hash attribute.",
"output": "Hashes and urls resulting from the query to OSINT.digitalside.it",
"references": ["https://osint.digitalside.it/#About"],
"references": [
"https://osint.digitalside.it/#About"
],
"features": "The module simply queries the API of OSINT.digitalside.it with a domain, ip, url or hash attribute.\n\nThe result of the query is then parsed to extract additional hashes or urls. A module parameters also allows to parse the hashes related to the urls.\n\nFurthermore, it is possible to cache the urls and hashes collected over the last 7 days by OSINT.digitalside.it"
}
}

View File

@ -1,9 +1,13 @@
{
"description": "Module to query APIVoid with some domain attributes.",
"logo": "logos/apivoid.png",
"requirements": ["A valid APIVoid API key with enough credits to proceed 2 queries"],
"logo": "apivoid.png",
"requirements": [
"A valid APIVoid API key with enough credits to proceed 2 queries"
],
"input": "A domain attribute.",
"output": "DNS records and SSL certificates related to the domain.",
"features": "This module takes a domain name and queries API Void to get the related DNS records and the SSL certificates. It returns then those pieces of data as MISP objects that can be added to the event.\n\nTo make it work, a valid API key and enough credits to proceed 2 queries (0.06 + 0.07 credits) are required.",
"references": ["https://www.apivoid.com/"]
}
"references": [
"https://www.apivoid.com/"
]
}

View File

@ -1,9 +1,13 @@
{
"description": "A module tu query the AssemblyLine API with a submission ID to get the submission report and parse it.",
"logo": "logos/assemblyline.png",
"requirements": ["assemblyline_client: Python library to query the AssemblyLine rest API."],
"logo": "assemblyline.png",
"requirements": [
"assemblyline_client: Python library to query the AssemblyLine rest API."
],
"input": "Link of an AssemblyLine submission report.",
"output": "MISP attributes & objects parsed from the AssemblyLine submission.",
"references": ["https://www.cyber.cg.ca/en/assemblyline"],
"references": [
"https://www.cyber.cg.ca/en/assemblyline"
],
"features": "The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the used-ID and an API key or the password associated to the user-ID.\n\nThe submission ID extracted from the submission link is then used to query AssemblyLine and get the full submission report. This report is parsed to extract file objects and the associated IPs, domains or URLs the files are connecting to.\n\nSome more data may be parsed in the future."
}
}

View File

@ -1,9 +1,13 @@
{
"description": "A module to submit samples and URLs to AssemblyLine for advanced analysis, and return the link of the submission.",
"logo": "logos/assemblyline.png",
"requirements": ["assemblyline_client: Python library to query the AssemblyLine rest API."],
"logo": "assemblyline.png",
"requirements": [
"assemblyline_client: Python library to query the AssemblyLine rest API."
],
"input": "Sample, or url to submit to AssemblyLine.",
"output": "Link of the report generated in AssemblyLine.",
"references": ["https://www.cyber.gc.ca/en/assemblyline"],
"references": [
"https://www.cyber.gc.ca/en/assemblyline"
],
"features": "The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the user-ID and an API key or the password associated to the user-ID.\n\nIf the sample or url is correctly submitted, you get then the link of the submission."
}
}

View File

@ -1,9 +1,13 @@
{
"description": "Query backscatter.io (https://backscatter.io/).",
"requirements": ["backscatter python library"],
"features": "The module takes a source or destination IP address as input and displays the information known by backscatter.io.\n\n",
"logo": "logos/backscatter_io.png",
"references": ["https://pypi.org/project/backscatter/"],
"requirements": [
"backscatter python library"
],
"features": "The module takes a source or destination IP address as input and displays the information known by backscatter.io.",
"logo": "backscatter_io.png",
"references": [
"https://pypi.org/project/backscatter/"
],
"input": "IP addresses.",
"output": "Text containing a history of the IP addresses especially on scanning based on backscatter.io information ."
}

View File

@ -1,8 +1,12 @@
{
"description": "Query BGP Ranking (https://bgpranking-ng.circl.lu/).",
"requirements": ["pybgpranking python library"],
"features": "The module takes an AS number attribute as input and displays its description as well as its ranking position in BGP Ranking for a given day.\n\n",
"references": ["https://github.com/D4-project/BGP-Ranking/"],
"requirements": [
"pybgpranking python library"
],
"features": "The module takes an AS number attribute as input and displays its description as well as its ranking position in BGP Ranking for a given day.",
"references": [
"https://github.com/D4-project/BGP-Ranking/"
],
"input": "Autonomous system number.",
"output": "An asn object with its related bgp-ranking object."
}

View File

@ -1,9 +1,13 @@
{
"description": "An expansion hover module to query a special dns blacklist to check if a bitcoin address has been abused.",
"requirements": ["dnspython3: dns python library"],
"requirements": [
"dnspython3: dns python library"
],
"features": "The module queries a dns blacklist directly with the bitcoin address and get a response if the address has been abused.",
"logo": "logos/bitcoin.png",
"logo": "bitcoin.png",
"input": "btc address attribute.",
"output" : "Text to indicate if the BTC address has been abused.",
"references": ["https://btcblack.it/"]
}
"output": "Text to indicate if the BTC address has been abused.",
"references": [
"https://btcblack.it/"
]
}

View File

@ -1,6 +1,6 @@
{
"description": "An expansion hover module to get a blockchain balance from a BTC address in MISP.",
"logo": "logos/bitcoin.png",
"logo": "bitcoin.png",
"input": "btc address attribute.",
"output": "Text to describe the blockchain balance and the transactions related to the btc address in input."
}
}

Some files were not shown because too many files have changed in this diff Show More