From d7ad106723f4fde5de0b631db66dee9755a09fa9 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 25 Mar 2016 19:57:49 +0100
Subject: [PATCH 1/7] Add missing requirements
---
REQUIREMENTS | 1 +
1 file changed, 1 insertion(+)
diff --git a/REQUIREMENTS b/REQUIREMENTS
index 5053373..65df17d 100644
--- a/REQUIREMENTS
+++ b/REQUIREMENTS
@@ -4,3 +4,4 @@ requests
urlarchiver
passivetotal
PyPDNS
+pypssl
From 39f3c3b0f81f40c8f450ebd511bbebe251cc9920 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 27 Mar 2016 21:57:07 +0200
Subject: [PATCH 2/7] Slides reference added
---
README.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 2e36eab..04f7971 100644
--- a/README.md
+++ b/README.md
@@ -7,6 +7,8 @@ without modifying core components. The API is available via a simple REST API wh
MISP modules support is included in MISP starting from version 2.4.28.
+For more information: [Extending MISP with Python modules](https://www.circl.lu/assets/files/misp-training/3.1-MISP-modules.pdf) slides from MISP training.
+
## Existing MISP modules
* [CVE](modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE).
From 45d57433749216b7a7d9643eab4fbf95b9839a80 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 28 Mar 2016 11:57:24 +0200
Subject: [PATCH 3/7] dns MISP module - option to specify nameserver added
---
modules/expansion/dns.py | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/modules/expansion/dns.py b/modules/expansion/dns.py
index 3f37c3f..099376d 100755
--- a/modules/expansion/dns.py
+++ b/modules/expansion/dns.py
@@ -1,9 +1,14 @@
import json
import dns.resolver
-misperrors = {'error' : 'Error'}
-mispattributes = {'input': ['hostname', 'domain'], 'output': ['ip-src', 'ip-dst']}
-moduleinfo = {'version': '0.1', 'author': 'Alexandre Dulaunoy', 'description': 'Simple DNS expansion service to resolve IP address from MISP attributes', 'module-type': ['expansion','hover']}
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['hostname', 'domain'], 'output': ['ip-src',
+ 'ip-dst']}
+moduleinfo = {'version': '0.2', 'author': 'Alexandre Dulaunoy',
+ 'description': 'Simple DNS expansion service to resolve IP address from MISP attributes',
+ 'module-type': ['expansion', 'hover']}
+
+moduleconfig = ['nameserver']
def handler(q=False):
@@ -19,7 +24,15 @@ def handler(q=False):
r = dns.resolver.Resolver()
r.timeout = 2
r.lifetime = 2
- r.nameservers = ['8.8.8.8']
+
+ if request.get('config'):
+ if request['config'].get('nameserver'):
+ nameservers = []
+ nameservers.append(request['config'].get('nameserver'))
+ r.nameservers = nameservers
+ else:
+ r.nameservers = ['8.8.8.8']
+
try:
answer = r.query(toquery, 'A')
except dns.resolver.NXDOMAIN:
@@ -31,7 +44,9 @@ def handler(q=False):
except:
misperrors['error'] = "DNS resolving error"
return misperrors
- r = {'results': [{'types': mispattributes['output'], 'values':[str(answer[0])]}]}
+
+ r = {'results': [{'types': mispattributes['output'],
+ 'values':[str(answer[0])]}]}
return r
@@ -40,4 +55,5 @@ def introspection():
def version():
+ moduleinfo['config'] = moduleconfig
return moduleinfo
From 233d73e65546631f60345fac7f28e341cdc512bf Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 30 Mar 2016 22:46:21 +0200
Subject: [PATCH 4/7] New modules added
---
README.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 04f7971..749a5fe 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,8 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
## Existing MISP modules
+* [CIRCL Passive SSL](modules/expansion/circl_passivessl.py) - a hover and expansion module to expand IP addresses with the X.509 certificate seen.
+* [CIRCL Passive DNS](modules/expansion/circl_passivedns.py) - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
* [CVE](modules/expansion/cve.py) - a hover module to give more information about a vulnerability (CVE).
* [DNS](modules/expansion/dns.py) - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
* [passivetotal](modules/expansion/passivetotal.py) - a [passivetotal](https://www.passivetotal.org/) module that queries a number of different PassiveTotal datasets.
From 2699eef633735cf24608ba895b87fd7bb24c5750 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 1 Apr 2016 08:00:56 +0200
Subject: [PATCH 5/7] dns module test with option added
---
tests/body.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/body.json b/tests/body.json
index 89ca947..a0bf718 100644
--- a/tests/body.json
+++ b/tests/body.json
@@ -1 +1 @@
-{"module": "dns", "hostname": "www.circl.lu"}
+{"module": "dns", "hostname": "www.circl.lu", "config" : {"nameserver":"8.8.8.8"}}
From bf57ce0b12012b0d4549c126c56435f69cc89484 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Sun, 10 Apr 2016 16:35:32 +0200
Subject: [PATCH 6/7] Update README.md
---
README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 749a5fe..594e5c1 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,8 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
## How to install and start MISP modules?
~~~~bash
-git clone git@github.com:MISP/misp-modules.git
+apt-get install python-dev python3-pip
+git clone https://github.com/MISP/misp-modules.git
cd misp-modules
pip3 install -r REQUIREMENTS
cd bin
From b7798b6373912ec79becd2901e79814d6ca0ad2c Mon Sep 17 00:00:00 2001
From: aaronkaplan
Date: Sun, 10 Apr 2016 17:35:47 +0200
Subject: [PATCH 7/7] initial example of intelmq connector/enrichtment. Need to
change to use the eventDB RESTful API, not the postgresql DB
---
modules/expansion/intelmq_eventdb.py | 67 ++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)
create mode 100755 modules/expansion/intelmq_eventdb.py
diff --git a/modules/expansion/intelmq_eventdb.py b/modules/expansion/intelmq_eventdb.py
new file mode 100755
index 0000000..0e40608
--- /dev/null
+++ b/modules/expansion/intelmq_eventdb.py
@@ -0,0 +1,67 @@
+import json
+import psycopg2
+
+misperrors = {'error': 'Error'}
+mispattributes = {'input': ['hostname', 'domain', 'ip-src', 'ip-dst', 'AS'], 'output': ['freetext']}
+moduleinfo = {'version': '0.1', 'author': 'L. Aaron Kaplan ', 'description': 'Module to access intelmqs eventdb', 'module-type': ['expansion', 'hover']}
+moduleconfig = ['username', 'password', 'hostname', 'database']
+
+
+def connect(user, password, host, dbname):
+ try:
+ conn = psycopg2.connect(database=dbname, user=user, host=host, password=password)
+ except Exception as e:
+ print("I am unable to connect to the database: %s" %e)
+ return conn
+
+
+def handler(q=False):
+ if q is False:
+ return False
+ request = json.loads(q)
+ #if request.get('hostname'):
+ # toquery = request['hostname']
+ #elif request.get('domain'):
+ # toquery = request['domain']
+ if request.get('ip-src'):
+ toquery = request['ip-src']
+ #elif request.get('ip-dst'):
+ # toquery = request['ip-dst']
+ #elif request.get('AS'):
+ # toquery = request['AS']
+ else:
+ misperrors['error'] = "Unsupported attributes type"
+ return misperrors
+
+ if (request.get('config')):
+ if (request['config'].get('username') is None) or (request['config'].get('password') is None):
+ misperrors['error'] = 'intelmq eventdb authentication is missing'
+ return misperrors
+
+ conn = connect(request['config']['username'], request['config']['password'], request['config']['hostname'], request['config']['database'])
+ cur = conn.cursor()
+ SQL1 = 'SELECT COUNT(*) from events where "source.ip" = \'%s\'' %(toquery)
+ try:
+ cur.execute(SQL1)
+ except Exception as e:
+ misperrors['error'] = 'can not query database'
+ print(e)
+ return misperrors
+
+ results = cur.fetchone()
+
+ out = ''
+ out = out + "{} ".format(results[0]) + " results found in the DB"
+
+ r = {'results': [{'types': mispattributes['output'], 'values': out}]}
+ conn.close()
+ return r
+
+
+def introspection():
+ return mispattributes
+
+
+def version():
+ moduleinfo['config'] = moduleconfig
+ return moduleinfo