From d7ad106723f4fde5de0b631db66dee9755a09fa9 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 25 Mar 2016 19:57:49 +0100
Subject: [PATCH 1/7] Add missing requirements
---
 REQUIREMENTS | 1 +
 1 file changed, 1 insertion(+)
diff --git a/REQUIREMENTS b/REQUIREMENTS
index 5053373..65df17d 100644
--- a/REQUIREMENTS
+++ b/REQUIREMENTS
@@ -4,3 +4,4 @@ requests
 urlarchiver
 passivetotal
 PyPDNS
+pypssl
From 39f3c3b0f81f40c8f450ebd511bbebe251cc9920 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 27 Mar 2016 21:57:07 +0200
Subject: [PATCH 2/7] Slides reference added
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 2e36eab..04f7971 100644
--- a/README.md
+++ b/README.md
@@ -7,6 +7,8 @@ without modifying core components. The API is available via a simple REST API wh MISP modules support is included in MISP starting from version 2.4.28. +For more information: [Extending MISP with Python modules](https://www.circl.lu/assets/files/misp-training/3.1-MISP-modules.pdf) slides from MISP training. + ## Existing MISP modules * [CVE](modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE).
From 45d57433749216b7a7d9643eab4fbf95b9839a80 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 28 Mar 2016 11:57:24 +0200
Subject: [PATCH 3/7] dns MISP module - option to specify nameserver added
---
 modules/expansion/dns.py | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/modules/expansion/dns.py b/modules/expansion/dns.py
index 3f37c3f..099376d 100755
--- a/modules/expansion/dns.py
+++ b/modules/expansion/dns.py
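Review bot: `pypssl` is added to REQUIREMENTS without a version specifier, so `pip3 install -r REQUIREMENTS` (the install step the README documents) resolves to whatever release the package index serves at install time, and a later upstream release can change or break the Passive SSL module with no change in this repository. The other entries in the file are unpinned as well, so this is an existing convention rather than a regression introduced here; if reproducible installs are wanted, pin it as `pypssl==<tested-version>` and treat the remaining entries the same way in a follow-up.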
@@ -1,9 +1,14 @@ import json import dns.resolver -misperrors = {'error' : 'Error'} -mispattributes = {'input': ['hostname', 'domain'], 'output': ['ip-src', 'ip-dst']} -moduleinfo = {'version': '0.1', 'author': 'Alexandre Dulaunoy', 'description': 'Simple DNS expansion service to resolve IP address from MISP attributes', 'module-type': ['expansion','hover']} +misperrors = {'error': 'Error'} +mispattributes = {'input': ['hostname', 'domain'], 'output': ['ip-src', + 'ip-dst']} +moduleinfo = {'version': '0.2', 'author': 'Alexandre Dulaunoy', + 'description': 'Simple DNS expansion service to resolve IP address from MISP attributes', + 'module-type': ['expansion', 'hover']} + +moduleconfig = ['nameserver'] def handler(q=False):
@@ -19,7 +24,15 @@ def handler(q=False): r = dns.resolver.Resolver() r.timeout = 2 r.lifetime = 2 - r.nameservers = ['8.8.8.8'] + + if request.get('config'): + if request['config'].get('nameserver'): + nameservers = [] + nameservers.append(request['config'].get('nameserver')) + r.nameservers = nameservers + else: + r.nameservers = ['8.8.8.8'] + try: answer = r.query(toquery, 'A') except dns.resolver.NXDOMAIN:
@@ -31,7 +44,9 @@ def handler(q=False): except: misperrors['error'] = "DNS resolving error" return misperrors - r = {'results': [{'types': mispattributes['output'], 'values':[str(answer[0])]}]} + + r = {'results': [{'types': mispattributes['output'], + 'values':[str(answer[0])]}]} return r
@@ -40,4 +55,5 @@ def introspection(): def version(): + moduleinfo['config'] = moduleconfig return moduleinfo
From 233d73e65546631f60345fac7f28e341cdc512bf Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 30 Mar 2016 22:46:21 +0200
Subject: [PATCH 4/7] New modules added
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 04f7971..749a5fe 100644
--- a/README.md
+++ b/README.md
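Review bot: The new nameserver block in the `@@ -19,7 +24,15 @@` hunk does not cover both fallback cases: whichever `if` the `else` belongs to (indentation is not recoverable in this rendering), one of "no `config` in the request" and "a `config` without a `nameserver` key" leaves `r.nameservers` untouched, so the resolver silently uses whatever dnspython picks up from the host's resolv.conf instead of the `['8.8.8.8']` default the removed line guaranteed, and the fixture change in patch 5 only exercises the configured path. A flat form closes the gap and drops the list-then-append dance: `nameserver = (request.get('config') or {}).get('nameserver')` followed by `r.nameservers = [nameserver] if nameserver else ['8.8.8.8']`. The value is passed to dnspython unchecked; as far as I know it must be an IP literal, and a hostname would only surface as the generic "DNS resolving error" from the bare `except` in the next hunk, so a comment on `moduleconfig` in the first hunk such as `# nameserver: IP address of the resolver to query (not a hostname)` would tell operators what is expected. handler's body starts before and continues after this hunk.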
@@ -11,6 +11,8 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/ ## Existing MISP modules +* [CIRCL Passive SSL](modules/expansion/circl_passivessl.py) - a hover and expansion module to expand IP addresses with the X.509 certificate seen. +* [CIRCL Passive DNS](modules/expansion/circl_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information. * [CVE](modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE). * [DNS](modules/expansion/dns.py) - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes. * [passivetotal](modules/expansion/passivetotal.py) - a [passivetotal](https://www.passivetotal.org/) module that queries a number of different PassiveTotal datasets.
From 2699eef633735cf24608ba895b87fd7bb24c5750 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 1 Apr 2016 08:00:56 +0200
Subject: [PATCH 5/7] dns module test with option added
---
 tests/body.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/body.json b/tests/body.json
index 89ca947..a0bf718 100644
--- a/tests/body.json
+++ b/tests/body.json
@@ -1 +1 @@
-{"module": "dns", "hostname": "www.circl.lu"}
+{"module": "dns", "hostname": "www.circl.lu", "config" : {"nameserver":"8.8.8.8"}}
From bf57ce0b12012b0d4549c126c56435f69cc89484 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Sun, 10 Apr 2016 16:35:32 +0200
Subject: [PATCH 6/7] Update README.md
---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 749a5fe..594e5c1 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,8 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/ ## How to install and start MISP modules? ~~~~bash -git clone git@github.com:MISP/misp-modules.git +apt-get install python-dev python3-pip +git clone https://github.com/MISP/misp-modules.git cd misp-modules pip3 install -r REQUIREMENTS cd bin
From b7798b6373912ec79becd2901e79814d6ca0ad2c Mon Sep 17 00:00:00 2001
From: aaronkaplan
Date: Sun, 10 Apr 2016 17:35:47 +0200
Subject: [PATCH 7/7] initial example of intelmq connector/enrichtment. Need to change to use the eventDB RESTful API, not the postgresql DB
---
 modules/expansion/intelmq_eventdb.py | 67 ++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100755 modules/expansion/intelmq_eventdb.py
diff --git a/modules/expansion/intelmq_eventdb.py b/modules/expansion/intelmq_eventdb.py
new file mode 100755
index 0000000..0e40608
--- /dev/null
+++ b/modules/expansion/intelmq_eventdb.py
@@ -0,0 +1,67 @@ +import json +import psycopg2 + +misperrors = {'error': 'Error'} +mispattributes = {'input': ['hostname', 'domain', 'ip-src', 'ip-dst', 'AS'], 'output': ['freetext']} +moduleinfo = {'version': '0.1', 'author': 'L. Aaron Kaplan ', 'description': 'Module to access intelmqs eventdb', 'module-type': ['expansion', 'hover']} +moduleconfig = ['username', 'password', 'hostname', 'database'] + + +def connect(user, password, host, dbname): + try: + conn = psycopg2.connect(database=dbname, user=user, host=host, password=password) + except Exception as e: + print("I am unable to connect to the database: %s" %e) + return conn + + +def handler(q=False): + if q is False: + return False + request = json.loads(q) + #if request.get('hostname'): + # toquery = request['hostname'] + #elif request.get('domain'): + # toquery = request['domain'] + if request.get('ip-src'): + toquery = request['ip-src'] + #elif request.get('ip-dst'): + # toquery = request['ip-dst'] + #elif request.get('AS'): + # toquery = request['AS'] + else: + misperrors['error'] = "Unsupported attributes type" + return misperrors + + if (request.get('config')): + if (request['config'].get('username') is None) or (request['config'].get('password') is None): + misperrors['error'] = 'intelmq eventdb authentication is missing' + return misperrors + + conn = connect(request['config']['username'], request['config']['password'], request['config']['hostname'], request['config']['database']) + cur = conn.cursor() + SQL1 = 'SELECT COUNT(*) from events where "source.ip" = \'%s\'' %(toquery) + try: + cur.execute(SQL1) + except Exception as e: + misperrors['error'] = 'can not query database' + print(e) + return misperrors + + results = cur.fetchone() + + out = '' + out = out + "{} ".format(results[0]) + " results found in the DB" + + r = {'results': [{'types': mispattributes['output'], 'values': out}]} + conn.close() + return r + + +def introspection(): + return mispattributes + + +def version(): + 
moduleinfo['config'] = moduleconfig + return moduleinfo
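Review bot: `SQL1` in handler is built by `%`-formatting `toquery` into the SQL text, and `toquery` is the `ip-src` attribute value taken straight from the request, i.e. data that originates in a MISP event rather than from the operator, so it has to be passed as a bound parameter (`cur.execute('SELECT COUNT(*) FROM events WHERE "source.ip" = %s', (toquery,))`) instead of being interpolated into the statement. Two further defects sit on the same path: `connect` prints on failure and then executes `return conn` with `conn` unbound, which surfaces as an UnboundLocalError that handler never catches, and the early `return misperrors` after a failed `cur.execute` leaves the connection open; `hostname` and `database` are also read with `request['config'][...]` although only `username`/`password` are checked, and a request with no `config` key at all raises KeyError before the check. Two consistency points: `'values': out` is a bare string where the dns module's `r` wraps the value in a list, and `mispattributes['input']` advertises five attribute types while only `ip-src` is handled (the rest is commented out), so the module answers "Unsupported attributes type" for inputs MISP was told it accepts. The rewrite below binds the parameter, reports connection failures through `misperrors`, and closes the connection on every path.
```python
def connect(user, password, host, dbname):
    # Let the psycopg2 exception propagate so handler can report it, instead
    # of printing and returning an unbound `conn`.
    return psycopg2.connect(database=dbname, user=user, host=host, password=password)


def handler(q=False):
    # … unchanged: request parsing and selection of toquery …
    config = request.get('config') or {}
    if config.get('username') is None or config.get('password') is None:
        misperrors['error'] = 'intelmq eventdb authentication is missing'
        return misperrors

    try:
        conn = connect(config['username'], config['password'],
                       config.get('hostname'), config.get('database'))
    except Exception as e:
        misperrors['error'] = 'can not connect to database'
        print(e)
        return misperrors

    try:
        with conn.cursor() as cur:
            # Bound parameter: the attribute value never becomes part of the SQL text.
            cur.execute('SELECT COUNT(*) FROM events WHERE "source.ip" = %s', (toquery,))
            results = cur.fetchone()
    except Exception as e:
        misperrors['error'] = 'can not query database'
        print(e)
        return misperrors
    finally:
        conn.close()

    out = "{} results found in the DB".format(results[0])
    r = {'results': [{'types': mispattributes['output'], 'values': [out]}]}
    return r
```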