From 98f72489c59b01e0cd0ab81bd55c1973e830796b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Fri, 25 Mar 2016 15:39:55 +0100 Subject: [PATCH 1/2] Make loader more flexible --- bin/misp-modules.py | 66 ++++++++++++++++++++--------------- modules/__init__.py | 0 modules/expansion/__init__.py | 0 3 files changed, 37 insertions(+), 29 deletions(-) create mode 100644 modules/__init__.py create mode 100644 modules/expansion/__init__.py diff --git a/bin/misp-modules.py b/bin/misp-modules.py index 99c3470..088a195 100755 --- a/bin/misp-modules.py +++ b/bin/misp-modules.py 
@@ -25,36 +25,40 @@ import tornado.web import importlib import json import logging -import re +import fnmatch -runPath = os.path.dirname(os.path.realpath(__file__)) -sys.path.append(os.path.join(runPath, '..')) port = 6666 -log = logging.getLogger('misp-modules') -formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') -handler = logging.StreamHandler(stream=sys.stdout) -handler.setFormatter(formatter) -handler.setLevel(logging.INFO) -log.addHandler(handler) -log.setLevel(logging.INFO) +def init_logger(): + log = logging.getLogger('misp-modules') + formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') + handler = logging.StreamHandler(stream=sys.stdout) + handler.setFormatter(formatter) + handler.setLevel(logging.INFO) -modulesdir = '../modules/expansion' + log.addHandler(handler) + log.setLevel(logging.INFO) + return log -mhandlers = {} -modules = [] -for module in os.listdir(modulesdir): - if ".py" not in module or ".pyc" in module or ".py~" in module: - continue - if re.match("^\.", module): - continue - modulename = module.split(".")[0] - moduletype = os.path.split(modulesdir)[1] - modules.append(modulename) - log.info('MISP modules {0} imported'.format(modulename)) - mhandlers[modulename] = importlib.import_module('modules.expansion.' + modulename) - mhandlers['type:' + modulename] = moduletype + +def load_modules(mod_dir): + sys.path.append(mod_dir) + mhandlers = {} + modules = [] + for root, dirnames, filenames in os.walk(mod_dir): + if os.path.basename(root) == '__pycache__': + continue + for filename in fnmatch.filter(filenames, '*.py'): + if filename == '__init__.py': + continue + modulename = filename.split(".")[0] + moduletype = os.path.split(modulesdir)[1] + modules.append(modulename) + log.info('MISP modules {0} imported'.format(modulename)) + mhandlers[modulename] = importlib.import_module(os.path.basename(root) + '.' 
+ modulename) + mhandlers['type:' + modulename] = moduletype + return mhandlers, modules class ListModules(tornado.web.RequestHandler): @@ -80,9 +84,13 @@ class QueryModule(tornado.web.RequestHandler): self.write(json.dumps(ret)) -service = [(r'/modules', ListModules), (r'/query', QueryModule)] +if __name__ == '__main__': + modulesdir = '../modules' + log = init_logger() + mhandlers, modules = load_modules(modulesdir) + service = [(r'/modules', ListModules), (r'/query', QueryModule)] -application = tornado.web.Application(service) -log.info('MISP modules server started on TCP port {0}'.format(port)) -application.listen(port) -tornado.ioloop.IOLoop.instance().start() + application = tornado.web.Application(service) + log.info('MISP modules server started on TCP port {0}'.format(port)) + application.listen(port) + tornado.ioloop.IOLoop.instance().start() diff --git a/modules/__init__.py b/modules/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/modules/expansion/__init__.py b/modules/expansion/__init__.py new file mode 100644 index 0000000..e69de29 From be27730fd34eaa58d154f2c967d45985803ea3a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Fri, 25 Mar 2016 17:38:03 +0100 Subject: [PATCH 2/2] Add CIRCL pssl module --- .gitignore | 3 ++ modules/expansion/circl_passivessl.py | 41 ++++++++++++++++++++++++++ tests/bodycircl_passivessl.json.sample | 1 + tests/query-circl_passivessl.sh | 1 + 4 files changed, 46 insertions(+) create mode 100644 .gitignore create mode 100755 modules/expansion/circl_passivessl.py create mode 100644 tests/bodycircl_passivessl.json.sample create mode 100644 tests/query-circl_passivessl.sh diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e69364e --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +*.pyc +*.swp +__pycache__ diff --git a/modules/expansion/circl_passivessl.py b/modules/expansion/circl_passivessl.py new file mode 100755 index 0000000..c6d5a3f --- /dev/null 
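Review bot: `moduletype = os.path.split(modulesdir)[1]` inside load_modules still reads the module-level `modulesdir` instead of the walked `root`, so with `modulesdir = '../modules'` every module is tagged `'modules'` rather than its subdirectory (e.g. `expansion`), and the name only resolves at all because it is assigned under `__main__`; `moduletype = os.path.basename(root)` is what the import on the next line already assumes. The same `__main__`-only binding applies to `log`, so importing this file from anywhere else makes load_modules raise NameError on its first module. Note also that `sys.path.append(mod_dir)` plus `importlib.import_module` executes every `*.py` found below mod_dir, so the directory must not be writable by untrusted users; a short comment at the top of load_modules such as `# Imports and executes every *.py under mod_dir -- treat it as trusted code.` would make that contract explicit. Nested subdirectories deeper than one level would also break the `os.path.basename(root) + '.'` package prefix, though none exist in this commit.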
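Review bot: `modulesdir = '../modules'` is resolved against the process's working directory, whereas the removed `runPath` lines anchored the path to the script's real location; started from any directory other than bin/, the server either finds no modules or, since load_modules appends that path to sys.path and imports whatever it walks, loads Python from wherever `../modules` happens to point. Use `modulesdir = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'modules')`. Separately, `application.listen(port)` with no `address` argument binds every interface in tornado, and the /query endpoint carries third-party credentials in `config` over plain HTTP with no authentication of its own; unless remote access is intended, `application.listen(port, address='127.0.0.1')` matches the 127.0.0.1 the test script already uses.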
+++ b/modules/expansion/circl_passivessl.py @@ -0,0 +1,41 @@ +import json +import pypssl + +misperrors = {'error': 'Error'} +mispattributes = {'input': ['ip-src', 'ip-dst'], 'output': ['freetext']} +moduleinfo = {'version': '0.1', 'author': 'Raphaƫl Vinot', 'description': 'Module to access CIRCL Passive SSL', 'module-type': ['expansion', 'hover']} +moduleconfig = ['username', 'password'] + + +def handler(q=False): + if q is False: + return False + request = json.loads(q) + if request.get('ip-src'): + toquery = request['ip-src'] + elif request.get('ip-dst'): + toquery = request['ip-dst'] + else: + misperrors['error'] = "Unsupported attributes type" + return misperrors + + if request.get('config'): + if (request['config'].get('username') is None) or (request['config'].get('password') is None): + misperrors['error'] = 'CIRCL Passive SSL authentication is missing' + return misperrors + + x = pypssl.PyPSSL(basic_auth=(request['config']['username'], request['config']['password'])) + res = x.query(toquery) + out = res.get(toquery) + + r = {'results': [{'types': mispattributes['output'], 'values': out}]} + return r + + +def introspection(): + return mispattributes + + +def version(): + moduleinfo['config'] = moduleconfig + return moduleinfo diff --git a/tests/bodycircl_passivessl.json.sample b/tests/bodycircl_passivessl.json.sample new file mode 100644 index 0000000..03294b8 --- /dev/null +++ b/tests/bodycircl_passivessl.json.sample @@ -0,0 +1 @@ +{"module": "circl_passivessl", "ip-src": "149.13.33.14", "config": {"username": "auser", "password": "somepass"} } diff --git a/tests/query-circl_passivessl.sh b/tests/query-circl_passivessl.sh new file mode 100644 index 0000000..9e06571 --- /dev/null +++ b/tests/query-circl_passivessl.sh @@ -0,0 +1 @@ +curl -s http://127.0.0.1:6666/query -H "Content-Type: application/json" --data @bodycircl_passivessl.json -X POST
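Review bot: The credential check in handler only runs when `request.get('config')` is truthy, so a request without a `config` key skips it and then raises on `request['config']['username']`, turning a malformed client request into an unhandled exception instead of the `misperrors` reply the check was meant to produce. Hoist the lookup: `config = request.get('config') or {}`, test `if config.get('username') is None or config.get('password') is None:`, and build the client from `config['username'], config['password']`. `misperrors` is also a module-level dict mutated on every call, so a later error message overwrites the one any earlier caller still holds; returning a fresh `{'error': ...}` dict avoids that. `toquery` is handed to pypssl unvalidated; whether that matters depends on how pypssl builds its request, which is not visible here, so a `# NOTE: toquery is not validated as an IP before the upstream query` comment would at least flag it.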
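Review bot: The script posts `bodycircl_passivessl.json`, while the commit only ships `bodycircl_passivessl.json.sample` with placeholder `username`/`password`; the implied workflow is to copy the sample and fill in real CIRCL credentials, but the new .gitignore ignores only `*.pyc`, `*.swp` and `__pycache__`, so the filled-in file sits untracked next to a tracked sample and is one `git add .` away from being committed. Add `tests/*.json` to .gitignore alongside the sample, or have the script take the body path as `$1`. The request also goes over plain http to 127.0.0.1:6666, which is fine locally but worth a one-line comment such as `# credentials in the body travel in clear text; keep this pointed at localhost` so nobody re-targets it at a remote host.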