fix: [cve] fix CVE module to new vulnerability.circl.lu url

pull/681/head
Christophe Vandeplas 2024-08-09 09:53:14 +02:00
parent 291cbad875
commit dd3ac91afd
No known key found for this signature in database
GPG Key ID: BDC48619FFDC5A5B
10 changed files with 78 additions and 43 deletions

1
.gitignore vendored
View File

@ -17,6 +17,7 @@ site*
#venv
venv*
.venv/
#vscode
.vscode*

View File

@ -260,10 +260,10 @@ Module to expand country codes.
An expansion module to query the CVE search API with a cpe code to get its related vulnerabilities.
- **features**:
>The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities.
>The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities.
>The list of vulnerabilities is then parsed and returned as vulnerability objects.
>
>Users can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default cve.circl.lu api url is used.
>Users can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default vulnerability.circl.lu api url is used.
>
>In order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one.
- **input**:
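Review bot: the unchanged context line `>In order to limit the amount of data returned by CVE serach, users can also the limit parameter.` carries two pre-existing defects in the paragraph this hunk already rewrites: `serach` should be `search`, and the sentence is missing its verb (`users can also use the limit parameter`). Since the added line only swaps `cve.circl.lu` for `vulnerability.circl.lu` in the neighbouring sentence, fixing the rest of the paragraph here avoids a second documentation-only commit; the same string appears verbatim in the cpe JSON documentation hunk further down, so correct it there (or wherever this README is generated from) as well.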
@ -271,7 +271,7 @@ An expansion module to query the CVE search API with a cpe code to get its relat
- **output**:
>The vulnerabilities related to the CPE.
- **references**:
>https://cve.circl.lu/api/
>https://vulnerability.circl.lu/api/
-----
@ -381,7 +381,7 @@ An expansion hover module to expand information about CVE id.
- **output**:
>Text giving information about the CVE related to the Vulnerability.
- **references**:
> - https://cve.circl.lu/
> - https://vulnerability.circl.lu/
> - https://cve.mitre.org/
-----
@ -402,7 +402,7 @@ An expansion module to query the CIRCL CVE search API for more information about
- **output**:
>Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns.
- **references**:
> - https://cve.circl.lu
> - https://vulnerability.circl.lu
> - https://cve/mitre.org/
-----
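Review bot: the context line `> - https://cve/mitre.org/` is a malformed URL (slash instead of dot) that should read `https://cve.mitre.org/`, exactly as the previous hunk for the cve hover module already has it. This references list is being edited anyway, so fix the broken link in the same change; the identical typo is in the cve_advanced JSON documentation hunk below.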
@ -766,7 +766,7 @@ Expansion module to fetch the html content from an url and convert it into markd
HYAS Insight integration to MISP provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.
- **features**:
>This Module takes the IP Address, Domain, URL, Email, Phone Number, MD5, SHA1, Sha256, SHA512 MISP Attributes as input to query the HYAS Insight API.
> The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects.
> The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects.
>
>An API key is required to submit queries to the HYAS Insight API.
>
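Review bot: the only visible difference between the removed and added `> The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects.` lines is leading whitespace, so this hunk (and the following whitespace-only README hunks in this file) is churn unrelated to the CVE URL fix and makes the actual change harder to review. If the line is touched at all, also fix the garbled phrasing `are than are then returned` to `are then returned`.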
@ -840,9 +840,9 @@ Module to access intelmqs eventdb.
An expansion module to query IP2Location.io to gather more information on a given IP address.
- **features**:
>The module takes an IP address attribute as input and queries the IP2Location.io API.
>Free plan user will get the basic geolocation informaiton, and different subsription plan will get more information on the IP address.
> Refer to [pricing page](https://www.ip2location.io/pricing) for more information on data available for each plan.
>The module takes an IP address attribute as input and queries the IP2Location.io API.
>Free plan user will get the basic geolocation informaiton, and different subsription plan will get more information on the IP address.
> Refer to [pricing page](https://www.ip2location.io/pricing) for more information on data available for each plan.
>
>More information on the responses content is available in the [documentation](https://www.ip2location.io/ip2location-documentation).
- **input**:
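Review bot: again a whitespace-only change, and the re-added line `>Free plan user will get the basic geolocation informaiton, and different subsription plan will get more information on the IP address.` contains two spelling errors (`informaiton`, `subsription`) and a number-agreement problem; suggested wording: `Free plan users get basic geolocation information; the other subscription plans return more information on the IP address.`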
@ -878,7 +878,7 @@ Module to query an IP ASN history service (https://github.com/D4-project/IPASN-H
An expansion module to query ipinfo.io to gather more information on a given IP address.
- **features**:
>The module takes an IP address attribute as input and queries the ipinfo.io API.
>The module takes an IP address attribute as input and queries the ipinfo.io API.
>The geolocation information on the IP address is always returned.
>
>Depending on the subscription plan, the API returns different pieces of information then:
@ -904,7 +904,7 @@ An expansion module to query ipinfo.io to gather more information on a given IP
IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone Number Validation, Malicious Domain and Malicious URL Scanner.
- **features**:
>This Module takes the IP Address, Domain, URL, Email and Phone Number MISP Attributes as input to query the IPQualityScore API.
> The results of the IPQualityScore API are than returned as IPQS Fraud and Risk Scoring Object.
> The results of the IPQualityScore API are than returned as IPQS Fraud and Risk Scoring Object.
> The object contains a copy of the enriched attribute with added tags presenting the verdict based on fraud score,risk score and other attributes from IPQualityScore.
- **input**:
>A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), URL(url, uri), Email Address(email, email-src, email-dst, target-email, whois-registrant-email) and Phone Number(phone-number, whois-registrant-phone).
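Review bot: `> The results of the IPQualityScore API are than returned as IPQS Fraud and Risk Scoring Object.` should read `are then returned as an IPQS Fraud and Risk Scoring Object`, and the context line below it is missing a space in `fraud score,risk score`. Whitespace-only hunk otherwise.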
@ -1243,7 +1243,7 @@ Module to get information from AlienVault OTX.
An expansion module to query the CIRCL Passive SSH.
- **features**:
>The module queries the Passive SSH service from CIRCL.
>
>
> The module can be used an hover module but also an expansion model to add related MISP objects.
>
- **input**:
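Review bot: the context line `> The module can be used an hover module but also an expansion model to add related MISP objects.` has two grammatical slips (`an hover`, `expansion model`); suggested: `The module can be used as a hover module, but also as an expansion module to add related MISP objects.` The hunk itself only changes one of the empty `>` lines.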
@ -1965,7 +1965,7 @@ Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd).
<img src=logos/whoisfreaks.png height=60>
An expansion module for https://whoisfreaks.com/ that will provide an enriched analysis of the provided domain, including WHOIS and DNS information.
Our Whois service, DNS Lookup API, and SSL analysis, equips organizations with comprehensive threat intelligence and attack surface analysis capabilities for enhanced security.
Our Whois service, DNS Lookup API, and SSL analysis, equips organizations with comprehensive threat intelligence and attack surface analysis capabilities for enhanced security.
Explore our website's product section at https://whoisfreaks.com/ for a wide range of additional services catering to threat intelligence and attack surface analysis needs.
- **features**:
>The module takes a domain as input and queries the Whoisfreaks API with it.
@ -2104,7 +2104,7 @@ Module to process a query on Yeti.
> - https://github.com/sebdraven/pyeti
- **requirements**:
> - pyeti
> - API key
> - API key
-----
@ -2261,7 +2261,7 @@ Simple export of a MISP event to PDF.
> 'Activate_galaxy_description' is a boolean (True or void) to activate the description of event related galaxies.
> 'Activate_related_events' is a boolean (True or void) to activate the description of related event. Be aware this might leak information on confidential events linked to the current event !
> 'Activate_internationalization_fonts' is a boolean (True or void) to activate Noto fonts instead of default fonts (Helvetica). This allows the support of CJK alphabet. Be sure to have followed the procedure to download Noto fonts (~70Mo) in the right place (/tools/pdf_fonts/Noto_TTF), to allow PyMisp to find and use them during PDF generation.
> 'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option
> 'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option
- **input**:
>MISP Event
- **output**:
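Review bot: while this block is being re-emitted, the context line `(~70Mo)` uses the French abbreviation for megabytes and should be `(~70 MB)`, and the duplicated `'Custom_fonts_path' ...` line ends without a full stop after `with this option`. Whitespace-only change otherwise.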

View File

@ -257,10 +257,10 @@ Module to expand country codes.
An expansion module to query the CVE search API with a cpe code to get its related vulnerabilities.
- **features**:
>The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities.
>The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities.
>The list of vulnerabilities is then parsed and returned as vulnerability objects.
>
>Users can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default cve.circl.lu api url is used.
>Users can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default vulnerability.circl.lu api url is used.
>
>In order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one.
- **input**:
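Review bot: this file mirrors README.md hunk for hunk, so every issue raised there applies here too: `serach` and the missing verb in `users can also the limit parameter` in this hunk, `https://cve/mitre.org/` in the cve_advanced references, `are than are then returned`, `informaiton`/`subsription`, `are than returned`, and `an hover module ... expansion model` in the hunks below. Apply the fixes in both copies, or at the single source if these two READMEs are generated.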
@ -268,7 +268,7 @@ An expansion module to query the CVE search API with a cpe code to get its relat
- **output**:
>The vulnerabilities related to the CPE.
- **references**:
>https://cve.circl.lu/api/
>https://vulnerability.circl.lu/api/
-----
@ -378,7 +378,7 @@ An expansion hover module to expand information about CVE id.
- **output**:
>Text giving information about the CVE related to the Vulnerability.
- **references**:
> - https://cve.circl.lu/
> - https://vulnerability.circl.lu/
> - https://cve.mitre.org/
-----
@ -399,7 +399,7 @@ An expansion module to query the CIRCL CVE search API for more information about
- **output**:
>Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns.
- **references**:
> - https://cve.circl.lu
> - https://vulnerability.circl.lu
> - https://cve/mitre.org/
-----
@ -763,7 +763,7 @@ Expansion module to fetch the html content from an url and convert it into markd
HYAS Insight integration to MISP provides direct, high volume access to HYAS Insight data. It enables investigators and analysts to understand and defend against cyber adversaries and their infrastructure.
- **features**:
>This Module takes the IP Address, Domain, URL, Email, Phone Number, MD5, SHA1, Sha256, SHA512 MISP Attributes as input to query the HYAS Insight API.
> The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects.
> The results of the HYAS Insight API are than are then returned and parsed into Hyas Insight Objects.
>
>An API key is required to submit queries to the HYAS Insight API.
>
@ -837,9 +837,9 @@ Module to access intelmqs eventdb.
An expansion module to query IP2Location.io to gather more information on a given IP address.
- **features**:
>The module takes an IP address attribute as input and queries the IP2Location.io API.
>Free plan user will get the basic geolocation informaiton, and different subsription plan will get more information on the IP address.
> Refer to [pricing page](https://www.ip2location.io/pricing) for more information on data available for each plan.
>The module takes an IP address attribute as input and queries the IP2Location.io API.
>Free plan user will get the basic geolocation informaiton, and different subsription plan will get more information on the IP address.
> Refer to [pricing page](https://www.ip2location.io/pricing) for more information on data available for each plan.
>
>More information on the responses content is available in the [documentation](https://www.ip2location.io/ip2location-documentation).
- **input**:
@ -875,7 +875,7 @@ Module to query an IP ASN history service (https://github.com/D4-project/IPASN-H
An expansion module to query ipinfo.io to gather more information on a given IP address.
- **features**:
>The module takes an IP address attribute as input and queries the ipinfo.io API.
>The module takes an IP address attribute as input and queries the ipinfo.io API.
>The geolocation information on the IP address is always returned.
>
>Depending on the subscription plan, the API returns different pieces of information then:
@ -901,7 +901,7 @@ An expansion module to query ipinfo.io to gather more information on a given IP
IPQualityScore MISP Expansion Module for IP reputation, Email Validation, Phone Number Validation, Malicious Domain and Malicious URL Scanner.
- **features**:
>This Module takes the IP Address, Domain, URL, Email and Phone Number MISP Attributes as input to query the IPQualityScore API.
> The results of the IPQualityScore API are than returned as IPQS Fraud and Risk Scoring Object.
> The results of the IPQualityScore API are than returned as IPQS Fraud and Risk Scoring Object.
> The object contains a copy of the enriched attribute with added tags presenting the verdict based on fraud score,risk score and other attributes from IPQualityScore.
- **input**:
>A MISP attribute of type IP Address(ip-src, ip-dst), Domain(hostname, domain), URL(url, uri), Email Address(email, email-src, email-dst, target-email, whois-registrant-email) and Phone Number(phone-number, whois-registrant-phone).
@ -1240,7 +1240,7 @@ Module to get information from AlienVault OTX.
An expansion module to query the CIRCL Passive SSH.
- **features**:
>The module queries the Passive SSH service from CIRCL.
>
>
> The module can be used an hover module but also an expansion model to add related MISP objects.
>
- **input**:
@ -1962,7 +1962,7 @@ Module to query a local instance of uwhois (https://github.com/rafiot/uwhoisd).
<img src=../logos/whoisfreaks.png height=60>
An expansion module for https://whoisfreaks.com/ that will provide an enriched analysis of the provided domain, including WHOIS and DNS information.
Our Whois service, DNS Lookup API, and SSL analysis, equips organizations with comprehensive threat intelligence and attack surface analysis capabilities for enhanced security.
Our Whois service, DNS Lookup API, and SSL analysis, equips organizations with comprehensive threat intelligence and attack surface analysis capabilities for enhanced security.
Explore our website's product section at https://whoisfreaks.com/ for a wide range of additional services catering to threat intelligence and attack surface analysis needs.
- **features**:
>The module takes a domain as input and queries the Whoisfreaks API with it.
@ -2101,6 +2101,6 @@ Module to process a query on Yeti.
> - https://github.com/sebdraven/pyeti
- **requirements**:
> - pyeti
> - API key
> - API key
-----

View File

@ -4,7 +4,7 @@
"input": "CPE attribute.",
"output": "The vulnerabilities related to the CPE.",
"references": [
"https://cve.circl.lu/api/"
"https://vulnerability.circl.lu/api/"
],
"features": "The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities. \nThe list of vulnerabilities is then parsed and returned as vulnerability objects.\n\nUsers can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default cve.circl.lu api url is used.\n\nIn order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one."
"features": "The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities. \nThe list of vulnerabilities is then parsed and returned as vulnerability objects.\n\nUsers can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default vulnerability.circl.lu api url is used.\n\nIn order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one."
}
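Review bot: the `"features"` string added here still contains `CVE serach` and the verb-less `users can also the limit parameter`; both README hunks repeat this string verbatim, so this is the place to correct it to `CVE search` and `users can also use the limit parameter`. The URL substitution itself (`cve.circl.lu` to `vulnerability.circl.lu`) is consistent with the `"references"` entry above it.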

View File

@ -4,7 +4,7 @@
"input": "Vulnerability attribute.",
"output": "Text giving information about the CVE related to the Vulnerability.",
"references": [
"https://cve.circl.lu/",
"https://vulnerability.circl.lu/",
"https://cve.mitre.org/"
],
"features": "The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to get information about the vulnerability as it is described in the list of CVEs."

View File

@ -4,7 +4,7 @@
"input": "Vulnerability attribute.",
"output": "Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns.",
"references": [
"https://cve.circl.lu",
"https://vulnerability.circl.lu",
"https://cve/mitre.org/"
],
"features": "The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to gather additional information.\n\nThe result of the query is then parsed to return additional information about the vulnerability, like its cvss score or some references, as well as the potential related weaknesses and attack patterns.\n\nThe vulnerability additional data is returned in a vulnerability MISP object, and the related additional information are put into weakness and attack-pattern MISP objects."
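Review bot: `"https://cve/mitre.org/"` in the `"references"` array is malformed and should be `"https://cve.mitre.org/"`, as in the cve.json hunk just above; both README hunks for cve_advanced reproduce the broken link from here.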

View File

@ -3,9 +3,9 @@ import requests
misperrors = {'error': 'Error'}
mispattributes = {'input': ['vulnerability'], 'output': ['text']}
moduleinfo = {'version': '0.3', 'author': 'Alexandre Dulaunoy', 'description': 'An expansion hover module to expand information about CVE id.', 'module-type': ['hover']}
moduleinfo = {'version': '0.4', 'author': 'Alexandre Dulaunoy', 'description': 'An expansion hover module to expand information about CVE id.', 'module-type': ['hover']}
moduleconfig = ["custom_API"]
cveapi_url = 'https://cve.circl.lu/api/cve/'
cveapi_url = 'https://vulnerability.circl.lu/api/cve/'
def check_url(url):
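Review bot: the default `cveapi_url` now points at a service whose `/api/cve/` responses have a different JSON layout (the handler hunk below adds a second parsing path for it), but `moduleinfo['description']` and the `custom_API` option are unchanged. Document that a custom API URL must serve the same `/api/cve/` JSON shape, because with the fallback added below a mismatched endpoint is reported as `'Non existing CVE'` rather than as a configuration error. The version bump to `0.4` is appropriate for this behaviour change.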
@ -24,10 +24,9 @@ def handler(q=False):
r = requests.get("{}{}".format(api_url, request.get('vulnerability')))
if r.status_code == 200:
vulnerability = json.loads(r.text)
if vulnerability:
if vulnerability.get('summary'):
summary = vulnerability['summary']
else:
try:
summary = vulnerability['containers']['cna']['descriptions'][0]['value']
except Exception:
summary = 'Non existing CVE'
else:
misperrors['error'] = 'API not accessible'
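Review bot: the new fallback `summary = vulnerability['containers']['cna']['descriptions'][0]['value']` inside a bare `except Exception:` turns every failure mode (schema change, empty `descriptions` list, a non-dict body) into the user-facing `'Non existing CVE'`, which is the wrong diagnosis for most of them; catch `(KeyError, IndexError, TypeError)` and report a distinct message (or set `misperrors['error']`) when the record exists but carries no description. Also, `vulnerability.get('summary')` is called directly on the result of `json.loads(r.text)`; if the service answers `200` with `null` or a non-object, this raises `AttributeError` where the removed `if vulnerability:` guard previously handled it, so keep an `isinstance(vulnerability, dict)` check before the lookup (`r.json()` would also replace the manual `json.loads`).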

View File

@ -1 +1 @@
{"module": "sourcecache", "link": "http://cve.circl.lu/" }
{"module": "sourcecache", "link": "http://vulnerability.circl.lu/" }
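Review bot: the updated link keeps the `http://` scheme (`"link": "http://vulnerability.circl.lu/"`) while the rest of this commit uses `https://vulnerability.circl.lu/...`; prefer `https://` here too so the sourcecache test does not depend on a plaintext redirect.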

View File

@ -15,6 +15,7 @@ from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.header import Header
class TestModules(unittest.TestCase):
def setUp(self):
@ -30,9 +31,32 @@ class TestModules(unittest.TestCase):
def test_cve(self):
with open('tests/bodycve.json', 'r') as f:
response = requests.post(self.url + "query", data=f.read())
expected_response = {
'results': [
{
'types': ['text'],
'values': 'Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."'
}
]
}
self.assertDictEqual(response.json(), expected_response)
print(response.json())
response.connection.close()
def test_invalid_cve(self):
response = requests.post(self.url + "query", data='{"module": "cve", "vulnerability": "CVE-INVALID"}')
expected_response = {
'results': [
{
'types': ['text'],
'values': 'Non existing CVE'
}
]
}
self.assertDictEqual(response.json(), expected_response)
print(response.json())
response.connection.close()
def test_dns(self):
with open('tests/body.json', 'r') as f:
response = requests.post(self.url + "query", data=f.read())
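Review bot: `print(response.json())` after `self.assertDictEqual(...)` in both `test_cve` and `test_invalid_cve` is leftover debugging output and should be removed. `test_cve` also compares the full CVE description text byte-for-byte against the live service, so any upstream wording edit (or a change of the `"RTF Stack Buffer Overflow Vulnerability."` punctuation) breaks CI; assert on a stable prefix, as the `startswith(...)` check in tests/test_expansions.py does. `test_invalid_cve` is a useful addition, but note that `'Non existing CVE'` is also what the handler returns on any parse error of a valid CVE, so the test cannot distinguish the two paths until the handler separates them.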

View File

@ -92,7 +92,7 @@ class TestExpansions(unittest.TestCase):
query = {'module': 'apiosintds', 'ip-dst': '10.10.10.10'}
response = self.misp_modules_post(query)
try:
self.assertTrue(self.get_values(response).startswith('IoC 10.10.10.10'))
except AssertionError:
@ -192,7 +192,7 @@ class TestExpansions(unittest.TestCase):
self.assertIn(self.get_values(response), results)
def test_cve(self):
query = {"module": "cve", "vulnerability": "CVE-2010-4444", "config": {"custom_API": "https://cve.circl.lu/api/cve/"}}
query = {"module": "cve", "vulnerability": "CVE-2010-4444", "config": {"custom_API": "https://vulnerability.circl.lu/api/cve/"}}
response = self.misp_modules_post(query)
self.assertTrue(self.get_values(response).startswith("Unspecified vulnerability in Oracle Sun Java System Access Manager"))
@ -548,6 +548,7 @@ class TestExpansions(unittest.TestCase):
query = {"module": "stix2_pattern_syntax_validator", "stix2-pattern": "[ipv4-addr:value = '8.8.8.8']"}
response = self.misp_modules_post(query)
self.assertEqual(self.get_values(response), 'Syntax valid')
def test_threatcrowd(self):
if LiveCI:
return True
@ -589,6 +590,7 @@ class TestExpansions(unittest.TestCase):
response = self.misp_modules_post(query)
self.assertTrue(self.get_values(response), result)
@unittest.skip("Service doesn't work")
def test_urlhaus(self):
query_types = ('domain', 'ip-src', 'sha256', 'url')
query_values = ('www.bestwpdesign.com', '79.118.195.239',
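Review bot: `@unittest.skip("Service doesn't work")` on `test_urlhaus` is unrelated to the CVE URL change and permanently disables the test with a reason that cannot be verified later; tie it to a tracking issue or gate it on the existing `LiveCI` flag (visible in `test_threatcrowd` above) so it is re-enabled when the service recovers, and preferably move it to its own commit.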
@ -768,9 +770,18 @@ class TestExpansions(unittest.TestCase):
def test_yara_query(self):
query = {"module": "yara_query", "md5": "b2a5abfeef9e36964281a31e17b57c97"}
response = self.misp_modules_post(query)
self.assertEqual(self.get_values(response), 'import "hash"\r\nrule MD5 {\r\n\tcondition:\r\n\t\thash.md5(0, filesize) == "b2a5abfeef9e36964281a31e17b57c97"\r\n}')
expected_result = 'import "hash"\r\nrule MD5 {\r\n\tcondition:\r\n\t\thash.md5(0, filesize) == "b2a5abfeef9e36964281a31e17b57c97"\r\n}'
self.assertEqual(self.get_values(response), expected_result)
def test_yara_validator(self):
query = {"module": "yara_syntax_validator", "yara": 'import "hash"\r\nrule MD5 {\r\n\tcondition:\r\n\t\thash.md5(0, filesize) == "b2a5abfeef9e36964281a31e17b57c97"\r\n}'}
response = self.misp_modules_post(query)
self.assertEqual(self.get_values(response), 'Syntax valid')
@unittest.skip("Not developed yet")
def test_yara_export(self):
query = {"module": "yara_export"}
response = self.misp_modules_post(query)
expected_result = ''
self.assertEqual(self.get_values(response), expected_result)
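Review bot: the new `test_yara_export` is a placeholder: it is skipped with `"Not developed yet"` and asserts `expected_result = ''`, so it adds no coverage and will have to be rewritten anyway; drop it from this commit or add it together with the actual expected YARA output. The refactor of `test_yara_query` into an `expected_result` variable is a pure readability change that belongs in the same unrelated-cleanup commit as the urlhaus skip.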