From bb5f6fffae38acd8a348ec94282fe51a3712b4e4 Mon Sep 17 00:00:00 2001
From: Steve Clement
Date: Fri, 2 Nov 2018 10:42:40 +0900
Subject: [PATCH 01/12] chg: [init] Added try/catch in case misp-modules is already running on a port, or port is in use...
---
 misp_modules/__init__.py | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/misp_modules/__init__.py b/misp_modules/__init__.py
index 3bb7253..7d3c2ce 100644
--- a/misp_modules/__init__.py
+++ b/misp_modules/__init__.py
@@ -29,6 +29,7 @@ import fnmatch
 import argparse
 import re
 import datetime
+import psutil
 import tornado.web
 import tornado.process
@@ -241,7 +242,23 @@ def main():
 service = [(r'/modules', ListModules), (r'/query', QueryModule)]
 application = tornado.web.Application(service)
- application.listen(port, address=listen)
+ try:
+ application.listen(port, address=listen)
+ except Exception as e:
+ if e.errno == 98:
+ pids = psutil.pids()
+ for pid in pids:
+ p = psutil.Process(pid)
+ if p.name() == "misp-modules":
+ print("\n\n\n")
+ print(e)
+ print("\nmisp-modules is still running as PID: {}\n".format(pid))
+ print("Please kill accordingly:")
+ print("sudo kill {}".format(pid))
+ sys.exit(-1)
+ print(e)
+ print("misp-modules might still be running.")
 log.info('MISP modules server started on {0} port {1}'.format(listen, port))
 if args.t:
 log.info('MISP modules started in test-mode, quitting immediately.')
From 74bf2f267874c5cf48757b2bc3a26a57389f4032 Mon Sep 17 00:00:00 2001
From: Steve Clement
Date: Fri, 2 Nov 2018 10:44:46 +0900
Subject: [PATCH 02/12] chg: [tools] Added psutil as a dependency to detect misp-modules PID
---
 REQUIREMENTS | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/REQUIREMENTS b/REQUIREMENTS
index 6ab46cc..0aae71f 100644
--- a/REQUIREMENTS
+++ b/REQUIREMENTS
@@ -25,4 +25,5 @@ yara
 sigmatools
 stix2-patterns
 maclookup
-vulners
\ No newline at end of file
+vulners
+psutil
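Review bot: The new `except Exception as e:` branch reads `e.errno`, which raises AttributeError for any exception that carries no errno, and the literal 98 is EADDRINUSE on Linux only (it is 48 on macOS/BSD); catch `OSError` and compare with `errno.EADDRINUSE` instead. When the port is busy but no process named misp-modules is found, or when listen() fails for any other reason, the branch only prints and then falls through to `log.info('MISP modules server started ...')` and the IOLoop, so the daemon keeps running without a listening socket; every path out of the except block should end in `sys.exit(1)`. Iterating `psutil.pids()` and calling `psutil.Process(pid)` per pid can also raise `NoSuchProcess` or `AccessDenied` for processes that exit in between or belong to other users, which `psutil.process_iter(['name'])` handles for you. Whether `sys` and `errno` are imported is not visible in this hunk, and main() continues outside it.
```python
    try:
        application.listen(port, address=listen)
    except OSError as e:
        if e.errno == errno.EADDRINUSE:  # errno must be imported at the top of the file
            for p in psutil.process_iter(['name']):
                if p.info['name'] == "misp-modules":
                    print("\nmisp-modules is still running as PID: {}\n".format(p.pid))
                    print("Please kill accordingly:")
                    print("sudo kill {}".format(p.pid))
                    sys.exit(1)
        print(e)
        sys.exit(1)
    # … unchanged: log.info('MISP modules server started …') and the test-mode check …
```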
From 7bafa939b07f426cde7eef121f65188e57143515 Mon Sep 17 00:00:00 2001
From: Steve Clement
Date: Tue, 6 Nov 2018 00:48:36 +0900
Subject: [PATCH 03/12] new: [btc] Very simple BTC expansion
chg: [req] yara-python is preferred
---
 REQUIREMENTS | 3 +-
 misp_modules/modules/expansion/__init__.py | 2 +-
 misp_modules/modules/expansion/btc.py | 50 ++++++++++++++++++++++
 3 files changed, 53 insertions(+), 2 deletions(-)
 create mode 100755 misp_modules/modules/expansion/btc.py
diff --git a/REQUIREMENTS b/REQUIREMENTS
index 0aae71f..cfaf9ad 100644
--- a/REQUIREMENTS
+++ b/REQUIREMENTS
@@ -21,9 +21,10 @@ domaintools_api
 pygeoip
 bs4
 oauth2
-yara
+yara-python
 sigmatools
 stix2-patterns
 maclookup
 vulners
 psutil
+blockchain
diff --git a/misp_modules/modules/expansion/__init__.py b/misp_modules/modules/expansion/__init__.py
index f1c6d7a..73abd2e 100644
--- a/misp_modules/modules/expansion/__init__.py
+++ b/misp_modules/modules/expansion/__init__.py
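Review bot: The `+blockchain` line only serves the new btc.py module, and PATCH 10/12 of this same series deletes btc.py again without touching REQUIREMENTS, so after the series the project still installs a third-party package nothing imports; drop the line in that later patch or leave it out here. Replacing `yara` with `yara-python` looks like a correctness fix rather than a preference, since as far as I know the `import yara` name used by the yara modules is what the `yara-python` distribution provides, and a sentence saying so in the commit message would help anyone reading the history. None of the entries carry a version constraint, but that is the file's existing convention rather than something this hunk introduces.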
@@ -1,3 +1,3 @@
 from . import _vmray
-__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query']
+__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'btc', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query']
diff --git a/misp_modules/modules/expansion/btc.py b/misp_modules/modules/expansion/btc.py
new file mode 100755
index 0000000..da2fbe0
--- /dev/null
+++ b/misp_modules/modules/expansion/btc.py
@@ -0,0 +1,50 @@
+import json
+import blockchain
+
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['btc'], 'output': ['text']}
+moduleinfo = {'version': '0.1', 'author': 'Steve Clement',
+ 'description': 'Simple BTC expansion service to \
+ get quick information from MISP attributes',
+ 'module-type': ['expansion', 'hover']}
+
+moduleconfig = []
+
+
+def handler(q=False):
+ if q is False:
+ return False
+ request = json.loads(q)
+ if request.get('btc'):
+ toquery = request['btc']
+ else:
+ return False
+
+ try:
+ address = blockchain.blockexplorer.get_address(toquery)
+ except Exception as e:
+ misperrors['error'] = e
+ return misperrors
+ finalBalance = address.final_balance*(1/100000000)
+ totalRX = address.total_received*(1/100000000)
+ totalTX = address.total_sent*(1/100000000)
+ totalTransactions = address.n_tx
+
+ answer = 'Current balance: \
+ {} - \
+ {} total received - \
+ {} total sent - \
+ {} transactions.\
+ '.format(finalBalance, totalRX, totalTX, totalTransactions)
+ r = {'results': [{'types': mispattributes['output'],
+ 'values':[str(answer)]}]}
+ return r
+
+
+def introspection():
+ return mispattributes
+
+
+def version():
+ moduleinfo['config'] = moduleconfig
+ return moduleinfo
From b4c519beda58839e74e079b780e61e7318e855cb Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 6 Nov 2018 07:29:44 +0100
Subject: [PATCH 04/12] chg: [doc] btc module added to documentation
---
 doc/expansion/btc.json | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 doc/expansion/btc.json
diff --git a/doc/expansion/btc.json b/doc/expansion/btc.json
new file mode 100644
index 0000000..3aeceab
--- /dev/null
+++ b/doc/expansion/btc.json
@@ -0,0 +1,3 @@
+{
+ "description": "An expansion hover module to get a blockchain balance from a BTC address in MISP."
+}
From e8f1cd68dccf257e3b20eec6abef3e1fd4b46312 Mon Sep 17 00:00:00 2001
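Review bot: In handler(), `misperrors['error'] = e` stores the exception object itself in the module-level `misperrors` dict; that dict is what is returned to the module server and presumably JSON-serialised, and because it is global the message also persists across later requests. Return a per-request dict with a string instead, `return {'error': str(e)}`. The value from `request['btc']` is handed to the blockchain explorer with no format check, so a cheap validation (base58 `1…`/`3…` or bech32 `bc1…`) before the lookup would stop junk attributes from generating upstream queries. PATCH 10/12 of this series deletes btc.py again, so these points mainly carry over to btc_steroids.py.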
From: Alexandre Dulaunoy
Date: Tue, 6 Nov 2018 07:31:55 +0100
Subject: [PATCH 05/12] chg: [doc] generated documentation updated
---
 doc/documentation.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/doc/documentation.md b/doc/documentation.md
index 20ee566..a11bcfb 100644
--- a/doc/documentation.md
+++ b/doc/documentation.md
@@ -10,6 +10,12 @@ Query an ASN description history service (https://github.com/CIRCL/ASN-Descripti
 -----
+#### [btc](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/btc.py)
+
+An expansion hover module to get a blockchain balance from a BTC address in MISP.
+
+-----
+
 #### [circl_passivedns](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/circl_passivedns.py)
From 815f1ec0ed36595ed4385e4813b22955aa3da732 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 6 Nov 2018 07:33:57 +0100
Subject: [PATCH 06/12] chg: [doc] btc module added
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index b8bd14d..5189bb0 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
 ### Expansion modules
 * [ASN History](misp_modules/modules/expansion/asn_history.py) - a hover and expansion module to expand an AS number with the ASN description and its history.
+* [BTC balance](misp_modules/modules/expansion/btc.py) - An expansion hover module to get a blockchain balance from a BTC address in MISP.
 * [CIRCL Passive DNS](misp_modules/modules/expansion/circl_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
 * [CIRCL Passive SSL](misp_modules/modules/expansion/circl_passivessl.py) - a hover and expansion module to expand IP addresses with the X.509 certificate seen.
 * [countrycode](misp_modules/modules/expansion/countrycode.py) - a hover module to tell you what country a URL belongs to.
From b01cb2832388782eda577e9f9c321c0ebd2a472c Mon Sep 17 00:00:00 2001
From: Sascha Rommelfangen
Date: Wed, 7 Nov 2018 14:14:39 +0100
Subject: [PATCH 07/12] initial version of a Bitcoin module
---
 .../modules/expansion/btc_steroids.py | 185 ++++++++++++++++++
 1 file changed, 185 insertions(+)
 create mode 100755 misp_modules/modules/expansion/btc_steroids.py
diff --git a/misp_modules/modules/expansion/btc_steroids.py b/misp_modules/modules/expansion/btc_steroids.py
new file mode 100755
index 0000000..b379a63
--- /dev/null
+++ b/misp_modules/modules/expansion/btc_steroids.py
@@ -0,0 +1,185 @@
+import sys
+import json
+import requests
+import time
+
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['btc'], 'output': ['text']}
+moduleinfo = {'version': '0.1', 'author': 'Sascha Rommelfangen',
+ 'description': 'BTC expansion service to \
+ get quick information from MISP attributes',
+ 'module-type': ['hover']}
+
+moduleconfig = []
+
+blockchain_firstseen='https://blockchain.info/q/addressfirstseen/'
+blockchain_balance='https://blockchain.info/q/addressbalance/'
+blockchain_totalreceived='https://blockchain.info/q/getreceivedbyaddress/'
+blockchain_all='https://blockchain.info/rawaddr/'
+converter = 'https://min-api.cryptocompare.com/data/pricehistorical?fsym=BTC&tsyms=USD,EUR&ts='
+converter_rls = 'https://min-api.cryptocompare.com/stats/rate/limit'
+result_text = ""
+g_rate_limit = 300
+start_time = 0
+conversion_rates = {}
+
+def get_consumption(output=False):
+ req = requests.get(converter_rls)
+ jreq = req.json()
+ minute = str(jreq['Minute']['CallsLeft']['Histo'])
+ hour = str(jreq['Hour']['CallsLeft']['Histo'])
+ # Debug out for the console
+ print("Calls left this minute / hour: " + minute + " / " + hour)
+ return minute, hour
+
+
+def convert(btc, timestamp):
+ global g_rate_limit
+ global start_time
+ global now
+ global conversion_rates
+ date = time.strftime('%Y-%m-%d', time.localtime(timestamp))
+ # Lookup conversion rates in the cache:
+ if date in conversion_rates:
+ (usd, eur) = conversion_rates[date]
+ else:
+ # If not cached, we have to get the converion rates
+ # We have to be careful with rate limiting on the server side
+ if g_rate_limit == 300:
+ minute, hour = get_consumption()
+ g_rate_limit -= 1
+ now = time.time()
+ delta = now - start_time
+ #print(g_rate_limit)
+ if g_rate_limit <= 10:
+ minute, hour = get_consumption(output=True)
+ if int(minute) <= 10:
+ #print(minute)
+ #get_consumption(output=True)
+ time.sleep(3)
+ else:
+ mprint(minute)
+ start_time = time.time()
+ g_rate_limit = int(minute)
+ try:
+ req = requests.get(converter+str(timestamp))
+ jreq = req.json()
+ usd = jreq['BTC']['USD']
+ eur = jreq['BTC']['EUR']
+ # Since we have the rates, store them in the cache
+ conversion_rates[date] = (usd, eur)
+ except Exception as ex:
+ mprint(ex)
+ get_consumption(output=True)
+ # Actually convert and return the values
+ u = usd * btc
+ e = eur * btc
+ return u,e
+
+
+def mprint(input):
+ # Prepare the final print
+ global result_text
+ result_text = result_text + "\n" + str(input)
+
+
+def handler(q=False):
+ global result_text
+ global conversion_rates
+ start_time = time.time()
+ now = time.time()
+ if q is False:
+ return False
+ request = json.loads(q)
+ click = False
+ # This means the magnifying glass has been clicked
+ if request.get('persistent') == 1:
+ click = True
+ # Otherwise the attribute was only hovered over
+ if request.get('btc'):
+ btc = request['btc']
+ else:
+ return False
+
+ mprint("\nAddress:\t" + btc)
+ try:
+ req = requests.get(blockchain_all+btc+"?limit=50&filter=5")
+ jreq = req.json()
+ except Exception as e:
+ #print(e)
+ mprint(req.text)
+ sys.exit(1)
+
+ n_tx = jreq['n_tx']
+ balance = float(jreq['final_balance'] / 100000000)
+ rcvd = float(jreq['total_received'] / 100000000)
+ sent = float(jreq['total_sent'] / 100000000)
+ output = 'Balance:\t{0:.10f} BTC (+{1:.10f} BTC / -{2:.10f} BTC)'
+ mprint(output.format(balance, rcvd, sent))
+ if click is False:
+ mprint("Transactions:\t" + str(n_tx) + "\t (previewing up to 5 most recent)")
+ else:
+ mprint("Transactions:\t" + str(n_tx))
+ mprint("======================================================================================")
+ i = 0
+ while i < n_tx:
+ if click is False:
+ req = requests.get(blockchain_all+btc+"?limit=5&offset="+str(i)+"&filter=5")
+ if n_tx > 5:
+ n_tx = 5
+ else:
+ req = requests.get(blockchain_all+btc+"?limit=50&offset="+str(i)+"&filter=5")
+ jreq = req.json()
+ if jreq['txs']:
+ for transactions in jreq['txs']:
+ sum = 0
+ sum_counter = 0
+ for tx in transactions['inputs']:
+ script_old = tx['script']
+ if tx['prev_out']['value'] != 0 and tx['prev_out']['addr'] == btc:
+ datetime = time.strftime("%d %b %Y %H:%M:%S %Z", time.localtime(int(transactions['time'])))
+ value = float(tx['prev_out']['value'] / 100000000 )
+ u,e = convert(value, transactions['time'])
+ mprint("#" + str(n_tx - i) + "\t" + str(datetime) + "\t-{0:10.8f} BTC {1:10.2f} USD\t{2:10.2f} EUR".format(value, u, e).rstrip('0'))
+ if script_old != tx['script']:
+ i += 1
+ else:
+ sum_counter += 1
+ sum += value
+ if sum_counter > 1:
+ u,e = convert(sum, transactions['time'])
+ mprint("\t\t\t\t\t----------------------------------------------")
+ mprint("#" + str(n_tx - i) + "\t\t\t\t Sum:\t-{0:10.8f} BTC {1:10.2f} USD\t{2:10.2f} EUR\n".format(sum, u, e).rstrip('0'))
+ for tx in transactions['out']:
+ if tx['value'] != 0 and tx['addr'] == btc:
+ datetime = time.strftime("%d %b %Y %H:%M:%S %Z", time.localtime(int(transactions['time'])))
+ value = float(tx['value'] / 100000000 )
+ u,e = convert(value, transactions['time'])
+ mprint("#" + str(n_tx - i) + "\t" + str(datetime) + "\t {0:10.8f} BTC {1:10.2f} USD\t{2:10.2f} EUR".format(value, u, e).rstrip('0'))
+ #i += 1
+ i += 1
+
+ r = {
+ 'results': [
+ {
+ 'types': ['text'],
+ 'values':[
+ str(result_text)
+ ]
+ }
+ ]
+ }
+ # Debug output on the console
+ print(result_text)
+ # Unset the result for the next request
+ result_text = ""
+ return r
+
+
+def introspection():
+ return mispattributes
+
+
+def version():
+ moduleinfo['config'] = moduleconfig
+ return moduleinfo
From 00b1b3214bc301378fa830a6686b13e70709a762 Mon Sep 17 00:00:00 2001
From: Sascha Rommelfangen
Date: Wed, 7 Nov 2018 14:28:28 +0100
Subject: [PATCH 08/12] added btc_steroids to the list
---
 misp_modules/modules/expansion/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/misp_modules/modules/expansion/__init__.py b/misp_modules/modules/expansion/__init__.py
index 73abd2e..2229316 100644
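Review bot: handler() calls `sys.exit(1)` when the blockchain.info request fails, which terminates the whole misp-modules server process on one bad lookup instead of returning an error for that request, and in the same except block `req` is unbound whenever `requests.get` itself raised, so `mprint(req.text)` replaces the real error with a NameError. Return `misperrors` with `str(e)` instead, give every `requests.get` a `timeout=` (none of the four call sites has one, so a stalled upstream hangs the worker) and check `raise_for_status()` before `req.json()`. The attribute value `btc` is spliced into the URL unquoted, so an attribute containing `?`, `#` or `/../` changes the request path or query; percent-encode it or validate it as a base58/bech32 address before use, in the paging requests inside the loop as well. Separately, `result_text`, `conversion_rates` and `g_rate_limit` are module globals shared by all requests, `start_time` in handler() is a local that shadows the global convert() reads (so the global stays 0), and in convert() `usd`/`eur` are unbound when the rate lookup raises, so `u = usd * btc` fails with UnboundLocalError after the exception is swallowed.
```python
    mprint("\nAddress:\t" + btc)
    try:
        req = requests.get(blockchain_all + requests.utils.quote(btc, safe='') + "?limit=50&filter=5", timeout=30)
        req.raise_for_status()
        jreq = req.json()
    except Exception as e:
        result_text = ""
        misperrors['error'] = 'blockchain.info lookup failed: {}'.format(e)
        return misperrors
    # … unchanged: balance summary and transaction listing …
```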
--- a/misp_modules/modules/expansion/__init__.py
+++ b/misp_modules/modules/expansion/__init__.py
@@ -1,3 +1,3 @@
 from . import _vmray
-__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'btc', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query']
+__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'btc', 'btc_steroids', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query']
From 06eba154b5dc7069538074f9a33ce7a2200000fd Mon Sep 17 00:00:00 2001
From: Sascha Rommelfangen
Date: Wed, 7 Nov 2018 14:38:50 +0100
Subject: [PATCH 09/12] added btc_steroids
---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 5189bb0..da71d5f 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,8 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
 ### Expansion modules
 * [ASN History](misp_modules/modules/expansion/asn_history.py) - a hover and expansion module to expand an AS number with the ASN description and its history.
-* [BTC balance](misp_modules/modules/expansion/btc.py) - An expansion hover module to get a blockchain balance from a BTC address in MISP.
+* [BTC balance](misp_modules/modules/expansion/btc.py) - An expansion hover module to get a blockchain balance from a BTC address in MISP. Uses the APIs from [https://blockchain.info](blockchain.info) and [https://cryptocompare.com](https://cryptocompare.com)
+* [BTC transactions](misp_modules/modules/expansion/btc_steroids.py) - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP.
 * [CIRCL Passive DNS](misp_modules/modules/expansion/circl_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
 * [CIRCL Passive SSL](misp_modules/modules/expansion/circl_passivessl.py) - a hover and expansion module to expand IP addresses with the X.509 certificate seen.
 * [countrycode](misp_modules/modules/expansion/countrycode.py) - a hover module to tell you what country a URL belongs to.
From 91f922b5c477b5c8cecfc70148d5aa99d0c389da Mon Sep 17 00:00:00 2001
From: Steve Clement
Date: Wed, 7 Nov 2018 22:53:21 +0900
Subject: [PATCH 10/12] chg: [btc] Removed simple PoC for btc expansion.
---
 README.md | 1 -
 misp_modules/modules/expansion/__init__.py | 2 +-
 misp_modules/modules/expansion/btc.py | 50 ----------------------
 3 files changed, 1 insertion(+), 52 deletions(-)
 delete mode 100755 misp_modules/modules/expansion/btc.py
diff --git a/README.md b/README.md
index da71d5f..01ec367 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,6 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
 ### Expansion modules
 * [ASN History](misp_modules/modules/expansion/asn_history.py) - a hover and expansion module to expand an AS number with the ASN description and its history.
-* [BTC balance](misp_modules/modules/expansion/btc.py) - An expansion hover module to get a blockchain balance from a BTC address in MISP. Uses the APIs from [https://blockchain.info](blockchain.info) and [https://cryptocompare.com](https://cryptocompare.com)
 * [BTC transactions](misp_modules/modules/expansion/btc_steroids.py) - An expansion hover module to get a blockchain balance and the transactions from a BTC address in MISP.
 * [CIRCL Passive DNS](misp_modules/modules/expansion/circl_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
 * [CIRCL Passive SSL](misp_modules/modules/expansion/circl_passivessl.py) - a hover and expansion module to expand IP addresses with the X.509 certificate seen.
diff --git a/misp_modules/modules/expansion/__init__.py b/misp_modules/modules/expansion/__init__.py
index 2229316..1534fda 100644
--- a/misp_modules/modules/expansion/__init__.py
+++ b/misp_modules/modules/expansion/__init__.py
@@ -1,3 +1,3 @@
 from . import _vmray
-__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'btc', 'btc_steroids', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query']
+__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'btc_steroids', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query']
diff --git a/misp_modules/modules/expansion/btc.py b/misp_modules/modules/expansion/btc.py
deleted file mode 100755
index da2fbe0..0000000
--- a/misp_modules/modules/expansion/btc.py
+++ /dev/null
@@ -1,50 +0,0 @@
-import json
-import blockchain
-
-misperrors = {'error': 'Error'}
-mispattributes = {'input': ['btc'], 'output': ['text']}
-moduleinfo = {'version': '0.1', 'author': 'Steve Clement',
- 'description': 'Simple BTC expansion service to \
- get quick information from MISP attributes',
- 'module-type': ['expansion', 'hover']}
-
-moduleconfig = []
-
-
-def handler(q=False):
- if q is False:
- return False
- request = json.loads(q)
- if request.get('btc'):
- toquery = request['btc']
- else:
- return False
-
- try:
- address = blockchain.blockexplorer.get_address(toquery)
- except Exception as e:
- misperrors['error'] = e
- return misperrors
- finalBalance = address.final_balance*(1/100000000)
- totalRX = address.total_received*(1/100000000)
- totalTX = address.total_sent*(1/100000000)
- totalTransactions = address.n_tx
-
- answer = 'Current balance: \
- {} - \
- {} total received - \
- {} total sent - \
- {} transactions.\
- '.format(finalBalance, totalRX, totalTX, totalTransactions)
- r = {'results': [{'types': mispattributes['output'],
- 'values':[str(answer)]}]}
- return r
-
-
-def introspection():
- return mispattributes
-
-
-def version():
- moduleinfo['config'] = moduleconfig
- return moduleinfo
From 463d7ae87458a60e3775c0923fee67bec37c51f0 Mon Sep 17 00:00:00 2001
From: Sascha Rommelfangen
Date: Wed, 7 Nov 2018 14:57:19 +0100
Subject: [PATCH 11/12] bug fix regarding leftovers between runs
---
 misp_modules/modules/expansion/btc_steroids.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/misp_modules/modules/expansion/btc_steroids.py b/misp_modules/modules/expansion/btc_steroids.py
index b379a63..c4edaa3 100755
--- a/misp_modules/modules/expansion/btc_steroids.py
+++ b/misp_modules/modules/expansion/btc_steroids.py
@@ -107,7 +107,8 @@ def handler(q=False):
 jreq = req.json()
 except Exception as e:
 #print(e)
- mprint(req.text)
+ print(req.text)
+ result_text = ""
 sys.exit(1)
 n_tx = jreq['n_tx']
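Review bot: The failure path still ends in `sys.exit(1)`, so one failed blockchain.info request still takes down the whole misp-modules process instead of failing only this request; replace the two lines after `#print(e)` with `misperrors['error'] = str(e)` and `return misperrors`, keeping the new `result_text = ""` reset before them. `req` is also unbound whenever `requests.get` itself raised (connection error, timeout), so `print(req.text)` turns the original exception into a NameError; print or log `e` instead. The `result_text = ""` assignment only clears the module-level buffer if the `global result_text` declaration at the top of handler() is still in place, which this hunk does not show; handler() starts and ends outside the hunk.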
From 5d1583d88b87f6c08b9a9b513d89d777c6fd0f57 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 11 Nov 2018 15:49:14 +0100
Subject: [PATCH 12/12] chg: [onyphe] fix #252
---
 misp_modules/modules/expansion/onyphe.py | 8 ++++----
 misp_modules/modules/expansion/onyphe_full.py | 4 ++--
 tests/bodyhashdd.json | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/misp_modules/modules/expansion/onyphe.py b/misp_modules/modules/expansion/onyphe.py
index 86abe7a..c9bca0e 100644
--- a/misp_modules/modules/expansion/onyphe.py
+++ b/misp_modules/modules/expansion/onyphe.py
@@ -65,16 +65,16 @@ def handle_expansion(api, ip, misperrors):
 for r in result['results']:
 if r['@category'] == 'pastries':
- if r['@type'] == 'pastebin':
+ if r['source'] == 'pastebin':
 urls_pasties.append('https://pastebin.com/raw/%s' % r['key'])
 elif r['@category'] == 'synscan':
 asn_list.append(r['asn'])
 os_target = r['os']
 if os_target != 'Unknown':
 os_list.append(r['os'])
- elif r['@category'] == 'resolver' and r['@type'] =='reverse':
+ elif r['@category'] == 'resolver' and r['type'] =='reverse':
 domains_resolver.append(r['reverse'])
- elif r['@category'] == 'resolver' and r['@type'] =='forward':
+ elif r['@category'] == 'resolver' and r['type'] =='forward':
 domains_forward.append(r['forward'])
 result_filtered['results'].append({'types': ['url'], 'values': urls_pasties,
@@ -105,4 +105,4 @@ def introspection():
 def version():
 moduleinfo['config'] = moduleconfig
- return moduleinfo
\ No newline at end of file
+ return moduleinfo
diff --git a/misp_modules/modules/expansion/onyphe_full.py b/misp_modules/modules/expansion/onyphe_full.py
index 7a05d12..3d6ef8e 100644
--- a/misp_modules/modules/expansion/onyphe_full.py
+++ b/misp_modules/modules/expansion/onyphe_full.py
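Review bot: The renamed fields are still read with direct subscripting (`r['source']`, `r['type']`), so any ONYPHE result that lacks the field, which is presumably what #252 was about for `@type`, raises KeyError inside the loop and aborts the whole expansion instead of skipping that record; use `if r.get('source') == 'pastebin':` and `r.get('type') == 'reverse'` / `'forward'`. The same holds for `r['key']`, `r['asn']`, `r['os']`, `r['reverse']` and `r['forward']`, which predate this change but are worth hardening in the same pass. `r['key']` is also interpolated into a pastebin URL that is handed back to MISP as a `url` attribute with no check on its shape, so the upstream API is trusted completely there. handle_expansion() starts and ends outside the hunk.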
@@ -315,7 +315,7 @@ def expand_pastries(api, misperror, **kwargs):
 status_ok = True
 for item in result['results']:
 if item['@category'] == 'pastries':
- if item['@type'] == 'pastebin':
+ if item['source'] == 'pastebin':
 urls_pasties.append('https://pastebin.com/raw/%s' % item['key'])
 if 'domain' in item:
@@ -374,4 +374,4 @@ def introspection():
 def version():
 moduleinfo['config'] = moduleconfig
- return moduleinfo
\ No newline at end of file
+ return moduleinfo
diff --git a/tests/bodyhashdd.json b/tests/bodyhashdd.json
index b6d256c..3bdfa82 100644
--- a/tests/bodyhashdd.json
+++ b/tests/bodyhashdd.json
@@ -1 +1 @@
-{"module": "hashdd", "md5": "838DE99E82C5B9753BAC96D82C1A8DCB"}
+{"module": "hashdd", "md5": "838DE99E82C5B9753BAC96D82C1A8DCC"}
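Review bot: Same point as in onyphe.py: `item['source']` raises KeyError for any pastries record without that field and aborts expand_pastries() entirely, whereas `if item.get('source') == 'pastebin':` simply skips the record. The adjacent `if 'domain' in item:` on the next context line already uses the tolerant form, so the new line is inconsistent with its own neighbourhood. expand_pastries() starts and ends outside the hunk.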
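Review bot: The md5 in tests/bodyhashdd.json changes from `...DCB` to `...DCC`, which has nothing to do with the ONYPHE field rename that the subject "fix #252" describes; if it is a deliberate fixture update (for instance because the old hash no longer returns a hit) it deserves a line in the commit message or its own commit, otherwise it reads like an accidental edit. Either way the fixture presumably drives a live lookup against the hashdd service, so whatever answer the test expects for this hash depends on external state that this commit does not pin.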