mirror of https://github.com/MISP/misp-modules
Merge branch 'master' of github.com:MISP/misp-modules
commit
c3c5b75157
53
README.md
53
README.md
|
@ -90,47 +90,41 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
|
||||||
* [ThreatAnalyzer](misp_modules/modules/import_mod/threatanalyzer_import.py) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
|
* [ThreatAnalyzer](misp_modules/modules/import_mod/threatanalyzer_import.py) - An import module to process ThreatAnalyzer archive.zip/analysis.json sandbox exports.
|
||||||
* [VMRay](misp_modules/modules/import_mod/vmray_import.py) - An import module to process VMRay export.
|
* [VMRay](misp_modules/modules/import_mod/vmray_import.py) - An import module to process VMRay export.
|
||||||
|
|
||||||
## How to install and start MISP modules in a Python virtualenv?
|
## How to install and start MISP modules in a Python virtualenv? (recommended)
|
||||||
|
|
||||||
~~~~bash
|
~~~~bash
|
||||||
sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr imagemagick virtualenv
|
sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr imagemagick virtualenv libopencv-dev zbar-tools
|
||||||
sudo -u www-data virtualenv -p python3 /var/www/MISP/venv
|
sudo -u www-data virtualenv -p python3 /var/www/MISP/venv
|
||||||
cd /usr/local/src/
|
cd /usr/local/src/
|
||||||
sudo git clone https://github.com/MISP/misp-modules.git
|
sudo git clone https://github.com/MISP/misp-modules.git
|
||||||
cd misp-modules
|
cd misp-modules
|
||||||
sudo -u www-data /var/www/MISP/venv/bin/pip install -I -r REQUIREMENTS
|
sudo -u www-data /var/www/MISP/venv/bin/pip install -I -r REQUIREMENTS
|
||||||
sudo -u www-data /var/www/MISP/venv/bin/pip install .
|
sudo -u www-data /var/www/MISP/venv/bin/pip install .
|
||||||
sudo sed -i -e '$i \sudo -u www-data /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s > /tmp/misp-modules_rc.local.log &\n' /etc/rc.local
|
# Start misp-modules as a service
|
||||||
/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules
|
sudo cp etc/systemd/system/misp-modules.service /etc/systemd/system/
|
||||||
~~~~
|
sudo systemctl daemon-reload
|
||||||
|
sudo systemctl enable --now misp-modules
|
||||||
## How to install and start MISP modules on Debian-based distributions ?
|
|
||||||
|
|
||||||
~~~~bash
|
|
||||||
sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr imagemagick
|
|
||||||
cd /usr/local/src/
|
|
||||||
sudo git clone https://github.com/MISP/misp-modules.git
|
|
||||||
cd misp-modules
|
|
||||||
sudo pip3 install -I -r REQUIREMENTS
|
|
||||||
sudo pip3 install -I .
|
|
||||||
sudo sed -i -e '$i \sudo -u www-data /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s > /tmp/misp-modules_rc.local.log &\n' /etc/rc.local
|
|
||||||
/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules
|
/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s & #to start the modules
|
||||||
~~~~
|
~~~~
|
||||||
|
|
||||||
## How to install and start MISP modules on RHEL-based distributions ?
|
## How to install and start MISP modules on RHEL-based distributions ?
|
||||||
As of this writing, the official RHEL repositories only contain Ruby 2.0.0 and Ruby 2.1 or higher is required. As such, this guide installs Ruby 2.2 from the [SCL](https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.2_release_notes/chap-installation#sect-Installation-Subscribe) repository.
|
As of this writing, the official RHEL repositories only contain Ruby 2.0.0 and Ruby 2.1 or higher is required. As such, this guide installs Ruby 2.2 from the [SCL](https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.2_release_notes/chap-installation#sect-Installation-Subscribe) repository.
|
||||||
|
|
||||||
~~~~bash
|
~~~~bash
|
||||||
yum install rh-ruby22
|
sudo yum install rh-ruby22
|
||||||
|
sudo yum install openjpeg-devel
|
||||||
|
sudo yum install rubygem-rouge rubygem-asciidoctor zbar-devel opencv-devel
|
||||||
cd /var/www/MISP
|
cd /var/www/MISP
|
||||||
git clone https://github.com/MISP/misp-modules.git
|
git clone https://github.com/MISP/misp-modules.git
|
||||||
cd misp-modules
|
cd misp-modules
|
||||||
scl enable rh-python36 ‘python3 –m pip install cryptography’
|
sudo -u apache /usr/bin/scl enable rh-python36 "virtualenv -p python3 /var/www/MISP/venv"
|
||||||
scl enable rh-python36 ‘python3 –m pip install -I -r REQUIREMENTS’
|
sudo -u apache /var/www/MISP/venv/bin/pip install -U -I -r REQUIREMENTS
|
||||||
scl enable rh-python36 ‘python3 –m pip install –I .’
|
sudo -u apache /var/www/MISP/venv/bin/pip install -U .
|
||||||
~~~~
|
~~~~
|
||||||
|
|
||||||
Create the service file /etc/systemd/system/misp-modules.service :
|
Create the service file /etc/systemd/system/misp-modules.service :
|
||||||
~~~~
|
~~~~
|
||||||
[Unit]
|
echo "[Unit]
|
||||||
Description=MISP's modules
|
Description=MISP's modules
|
||||||
After=misp-workers.service
|
After=misp-workers.service
|
||||||
|
|
||||||
|
@ -138,15 +132,16 @@ After=misp-workers.service
|
||||||
Type=simple
|
Type=simple
|
||||||
User=apache
|
User=apache
|
||||||
Group=apache
|
Group=apache
|
||||||
ExecStart=/usr/bin/scl enable rh-python36 rh-ruby22 ‘/opt/rh/rh-python36/root/bin/misp-modules –l 127.0.0.1 –s’
|
ExecStart=/usr/bin/scl enable rh-python36 rh-ruby22 '/opt/rh/rh-python36/root/bin/misp-modules –l 127.0.0.1 –s'
|
||||||
Restart=always
|
Restart=always
|
||||||
RestartSec=10
|
RestartSec=10
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target" | sudo tee /etc/systemd/system/misp-modules.service
|
||||||
~~~~
|
~~~~
|
||||||
|
|
||||||
The `After=misp-workers.service` must be changed or removed if you have not created a misp-workers service.
|
The `After=misp-workers.service` must be changed or removed if you have not created a misp-workers service.
|
||||||
Then, enable the misp-modules service and start it ;
|
Then, enable the misp-modules service and start it:
|
||||||
~~~~bash
|
~~~~bash
|
||||||
systemctl daemon-reload
|
systemctl daemon-reload
|
||||||
systemctl enable --now misp-modules
|
systemctl enable --now misp-modules
|
||||||
|
@ -493,7 +488,7 @@ Download a pre-built virtual image from the [MISP training materials](https://ww
|
||||||
- Create a Host-Only adapter in VirtualBox
|
- Create a Host-Only adapter in VirtualBox
|
||||||
- Set your Misp OVA to that Host-Only adapter
|
- Set your Misp OVA to that Host-Only adapter
|
||||||
- Start the virtual machine
|
- Start the virtual machine
|
||||||
- Get the IP address of the virutal machine
|
- Get the IP address of the virtual machine
|
||||||
- SSH into the machine (Login info on training page)
|
- SSH into the machine (Login info on training page)
|
||||||
- Go into the misp-modules directory
|
- Go into the misp-modules directory
|
||||||
|
|
||||||
|
@ -513,14 +508,16 @@ Remove the contents of the build directory and re-install misp-modules.
|
||||||
|
|
||||||
~~~bash
|
~~~bash
|
||||||
sudo rm -fr build/*
|
sudo rm -fr build/*
|
||||||
sudo pip3 install --upgrade .
|
sudo -u www-data /var/www/MISP/venv/bin/pip install --upgrade .
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
SSH in with a different terminal and run `misp-modules` with debugging enabled.
|
SSH in with a different terminal and run `misp-modules` with debugging enabled.
|
||||||
|
|
||||||
~~~bash
|
~~~bash
|
||||||
sudo killall misp-modules
|
# In case misp-modules is not a service do:
|
||||||
misp-modules -d
|
# sudo killall misp-modules
|
||||||
|
sudo systemctl disable --now misp-modules
|
||||||
|
sudo -u www-data /var/www/MISP/venv/bin/misp-modules -d
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -8,4 +8,5 @@ __all__ = ['cuckoo_submit', 'vmray_submit', 'bgpranking', 'circl_passivedns', 'c
|
||||||
'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl',
|
'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl',
|
||||||
'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator',
|
'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator',
|
||||||
'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query', 'macaddress_io',
|
'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query', 'macaddress_io',
|
||||||
'intel471', 'backscatter_io', 'btc_scam_check', 'hibp', 'greynoise', 'macvendors', 'qrcode']
|
'intel471', 'backscatter_io', 'btc_scam_check', 'hibp', 'greynoise', 'macvendors',
|
||||||
|
'qrcode', 'ocr-enrich']
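Review bot: The new `'ocr-enrich'` entry uses a hyphen while every other name in this `__all__` is snake_case (`'btc_scam_check'`, `'yara_syntax_validator'`, `'macaddress_io'`); a hyphenated name is not a Python identifier, so the module can only be reached through `from . import *` or importlib, never by a plain `import` statement. Assuming the new module file is named to match the entry, `'ocr_enrich'` with the file renamed accordingly would keep the package consistent. The file header for this hunk is not visible, so I am inferring from the `__all__` context line that this is the expansion package's `__init__.py`.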
|
||||||
|
|
|
@ -0,0 +1,50 @@
|
||||||
|
import json
|
||||||
|
import binascii
|
||||||
|
import cv2
|
||||||
|
import np
|
||||||
|
import pytesseract
|
||||||
|
|
||||||
|
misperrors = {'error': 'Error'}
|
||||||
|
mispattributes = {'input': ['attachment'],
|
||||||
|
'output': ['freetext', 'text']}
|
||||||
|
moduleinfo = {'version': '0.1', 'author': 'Sascha Rommelfangen',
|
||||||
|
'description': 'OCR decoder',
|
||||||
|
'module-type': ['expansion']}
|
||||||
|
|
||||||
|
moduleconfig = []
|
||||||
|
|
||||||
|
|
||||||
|
def handler(q=False):
|
||||||
|
if q is False:
|
||||||
|
return False
|
||||||
|
q = json.loads(q)
|
||||||
|
filename = q['attachment']
|
||||||
|
try:
|
||||||
|
img_array = np.frombuffer(binascii.a2b_base64(q['data']), np.uint8)
|
||||||
|
except Exception as e:
|
||||||
|
print(e)
|
||||||
|
err = "Couldn't fetch attachment (JSON 'data' is empty). Are you using the 'Query enrichment' action?"
|
||||||
|
misperrors['error'] = err
|
||||||
|
print(err)
|
||||||
|
return misperrors
|
||||||
|
|
||||||
|
image = img_array
|
||||||
|
image = cv2.imdecode(img_array, cv2.IMREAD_COLOR)
|
||||||
|
try:
|
||||||
|
decoded = pytesseract.image_to_string(image)
|
||||||
|
return {'results': [{'types': ['freetext'], 'values': decoded, 'comment': "OCR from file " + filename},
|
||||||
|
{'types': ['text'], 'values': decoded, 'comment': "ORC from file " + filename}]}
|
||||||
|
except Exception as e:
|
||||||
|
print(e)
|
||||||
|
err = "Couldn't analyze file type. Only images are supported right now."
|
||||||
|
misperrors['error'] = err
|
||||||
|
return misperrors
|
||||||
|
|
||||||
|
|
||||||
|
def introspection():
|
||||||
|
return mispattributes
|
||||||
|
|
||||||
|
|
||||||
|
def version():
|
||||||
|
moduleinfo['config'] = moduleconfig
|
||||||
|
return moduleinfo
|