Merge branch 'main' of github.com:MISP/misp-modules into chrisr3d_patch

doc/expansion/farsight_passivedns.json

@@ -1,9 +0,0 @@
-{
-    "description": "Module to access Farsight DNSDB Passive DNS.",
-    "logo": "logos/farsight.png",
-    "requirements": ["An access to the Farsight Passive DNS API (apikey)", "The dnsdb2 python library"],
-    "input": "A domain, hostname or IP address MISP attribute.",
-    "output": "Passive-dns objects, resulting from the query on the Farsight Passive DNS API.",
-    "references": ["https://www.farsightsecurity.com/", "https://docs.dnsdb.info/dnsdb-api/"],
-    "features": "This module takes a domain, hostname or IP address MISP attribute as input to query the Farsight Passive DNS API.  \nThe results of rdata and rrset lookups are then returned and parsed into passive-dns objects.\n\nAn API key is required to submit queries to the API.  \nIt is also possible to define a custom server URL, and to set a limit of results to get.  \nThis limit is set for each lookup, which means we can have an up to the limit number of passive-dns objects resulting from an rdata query about an IP address, but an up to the limit number of passive-dns objects for each lookup queries about a domain or a hostname (== twice the limit).\n\nAdditionally to the lookup queries, responses from flex queries can be returned with the results.  \nTo get this additional data with the results, there is a `flex_queries` configuration parameter to set to `true`. The module submit then regex queries to the API, using the domain, hostname or IP address as keyword for the search. Passive-dns objects are returned next to the ones resulting from the lookup queries."
-}

doc/expansion/greynoise.json

@@ -1,9 +0,0 @@
-{
-    "description": "Module to access GreyNoise.io API",
-    "logo": "logos/greynoise.png",
-    "requirements": ["A Greynoise API key."],
-    "input": "An IP address.",
-    "output": "Additional information about the IP fetched from Greynoise API.",
-    "references": ["https://greynoise.io/", "https://github.com/GreyNoise-Intelligence/api.greynoise.io"],
-    "features": "The module takes an IP address as input and queries Greynoise for some additional information about it: basically it checks whether a given IP address is “Internet background noise”, or has been observed scanning or attacking devices across the Internet. The result is returned as text."
-}

doc/export_mod/cef_export.json

@@ -1,8 +0,0 @@
-{
-  "description": "Module to export a MISP event in CEF format.",
-  "requirements": [],
-  "features": "The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in Common Event Format.\nThus, there is no particular feature concerning MISP Events since any event can be exported. However, 4 configuration parameters recognized by CEF format are required and should be provided by users before exporting data: the device vendor, product and version, as well as the default severity of data.",
-  "references": ["https://community.softwaregrp.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Guide/ta-p/1589306?attachment-id=65537"],
-  "input": "MISP Event attributes",
-  "output": "Common Event Format file"
-}

doc/export_mod/goamlexport.json

@@ -1,9 +0,0 @@
-{
-  "description": "This module is used to export MISP events containing transaction objects into GoAML format.",
-  "logo": "logos/goAML.jpg",
-  "requirements": ["PyMISP","MISP objects"],
-  "features": "The module works as long as there is at least one transaction object in the Event.\n\nThen in order to have a valid GoAML document, please follow these guidelines:\n- For each transaction object, use either a bank-account, person, or legal-entity object to describe the origin of the transaction, and again one of them to describe the target of the transaction.\n- Create an object reference for both origin and target objects of the transaction.\n- A bank-account object needs a signatory, which is a person object, put as object reference of the bank-account.\n- A person can have an address, which is a geolocation object, put as object reference of the person.\n\nSupported relation types for object references that are recommended for each object are the folowing:\n- transaction:\n\t- 'from', 'from_my_client': Origin of the transaction - at least one of them is required.\n\t- 'to', 'to_my_client': Target of the transaction - at least one of them is required.\n\t- 'address': Location of the transaction - optional.\n- bank-account:\n\t- 'signatory': Signatory of a bank-account - the reference from bank-account to a signatory is required, but the relation-type is optional at the moment since this reference will always describe a signatory.\n\t- 'entity': Entity owning the bank account - optional.\n- person:\n\t- 'address': Address of a person - optional.",
-  "references": ["http://goaml.unodc.org/"],
-  "input": "MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target.",
-  "output": "GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities)."
-}

doc/export_mod/liteexport.json

@@ -1,8 +0,0 @@
-{
-  "description": "Lite export of a MISP event.",
-  "requirements": [],
-  "features": "This module is simply producing a json MISP event format file, but exporting only Attributes from the Event. Thus, MISP Events exported with this module should have attributes that are not internal references, otherwise the resulting event would be empty.",
-  "references": [],
-  "input": "MISP Event attributes",
-  "output": "Lite MISP Event"
-}

doc/export_mod/nexthinkexport.json

@@ -1,9 +0,0 @@
-{
-  "description": "Nexthink NXQL query export module",
-  "requirements": [],
-  "features": "This module export an event as Nexthink NXQL queries that can then be used in your own python3 tool or from wget/powershell",
-  "references": ["https://doc.nexthink.com/Documentation/Nexthink/latest/APIAndIntegrations/IntroducingtheWebAPIV2"],
-  "input": "MISP Event attributes",
-  "output": "Nexthink NXQL queries",
-  "logo": "logos/nexthink.svg"
-}

doc/export_mod/osqueryexport.json

@@ -1,9 +0,0 @@
-{
-  "description": "OSQuery export of a MISP event.",
-  "requirements": [],
-  "features": "This module export an event as osquery queries that can be used in packs or in fleet management solution like Kolide.",
-  "references": [],
-  "input": "MISP Event attributes",
-  "output": "osquery SQL queries",
-  "logo": "logos/osquery.png"
-}

doc/export_mod/pdfexport.json

@@ -1,8 +0,0 @@
-{
-  "description": "Simple export of a MISP event to PDF.",
-  "requirements": ["PyMISP", "reportlab"],
-  "features": "The module takes care of the PDF file building, and work with any MISP Event. Except the requirement of reportlab, used to create the file, there is no special feature concerning the Event. Some parameters can be given through the config dict. 'MISP_base_url_for_dynamic_link' is your MISP URL, to attach an hyperlink to your event on your MISP instance from the PDF. Keep it clear to avoid hyperlinks in the generated pdf.\n  'MISP_name_for_metadata' is your CERT or MISP instance name. Used as text in the PDF' metadata\n  'Activate_textual_description' is a boolean (True or void) to activate the textual description/header abstract of an event\n  'Activate_galaxy_description' is a boolean (True or void) to activate the description of event related galaxies.\n  'Activate_related_events' is a boolean (True or void) to activate the description of related event. Be aware this might leak information on confidential events linked to the current event !\n  'Activate_internationalization_fonts' is a boolean (True or void) to activate Noto fonts instead of default fonts (Helvetica). This allows the support of CJK alphabet. Be sure to have followed the procedure to download Noto fonts (~70Mo) in the right place (/tools/pdf_fonts/Noto_TTF), to allow PyMisp to find and use them during PDF generation.\n  'Custom_fonts_path' is a text (path or void) to the TTF file of your choice, to create the PDF with it. Be aware the PDF won't support bold/italic/special style anymore with this option ",
-  "references": ["https://acrobat.adobe.com/us/en/acrobat/about-adobe-pdf.html"],
-  "input": "MISP Event",
-  "output": "MISP Event in a PDF file."
-}

doc/export_mod/threatStream_misp_export.json

@@ -1,9 +0,0 @@
-{
-  "description": "Module to export a structured CSV file for uploading to threatStream.",
-  "logo": "logos/threatstream.png",
-  "requirements": ["csv"],
-  "features": "The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatStream.",
-  "references": ["https://www.anomali.com/platform/threatstream", "https://github.com/threatstream"],
-  "input": "MISP Event attributes",
-  "output": "ThreatStream CSV format file"
-}

doc/export_mod/threat_connect_export.json

@@ -1,9 +0,0 @@
-{
-  "description": "Module to export a structured CSV file for uploading to ThreatConnect.",
-  "logo": "logos/threatconnect.png",
-  "requirements": ["csv"],
-  "features": "The module takes a MISP event in input, to look every attribute. Each attribute matching with some predefined types is then exported in a CSV format recognized by ThreatConnect.\nUsers should then provide, as module configuration, the source of data they export, because it is required by the output format.",
-  "references": ["https://www.threatconnect.com"],
-  "input": "MISP Event attributes",
-  "output": "ThreatConnect CSV format file"
-}

doc/generate_documentation.py

@@ -1,65 +0,0 @@
-# -*- coding: utf-8 -*-
-import os
-import json
-
-module_types = ['expansion', 'export_mod', 'import_mod']
-titles = ['Expansion Modules', 'Export Modules', 'Import Modules']
-markdown = ["# MISP modules documentation\n"]
-githublink = 'https://github.com/MISP/misp-modules/tree/main/misp_modules/modules'
-
-
-def generate_doc(root_path):
-    for _path, title in zip(module_types, titles):
-        markdown.append('\n## {}\n'.format(title))
-        current_path = os.path.join(root_path, _path)
-        files = sorted(os.listdir(current_path))
-        githubpath = '{}/{}'.format(githublink, _path)
-        for _file in files:
-            modulename = _file.split('.json')[0]
-            githubref = '{}/{}.py'.format(githubpath, modulename)
-            markdown.append('\n#### [{}]({})\n'.format(modulename, githubref))
-            filename = os.path.join(current_path, _file)
-            with open(filename, 'rt') as f:
-                definition = json.loads(f.read())
-            if 'logo' in definition:
-                markdown.append('\n<img src={} height=60>\n'.format(definition.pop('logo')))
-            if 'description' in definition:
-                markdown.append('\n{}\n'.format(definition.pop('description')))
-            for field, value in sorted(definition.items()):
-                if value:
-                    value = ', '.join(value) if isinstance(value, list) else '{}'.format(value.replace('\n', '\n>'))
-                    markdown.append('- **{}**:\n>{}\n'.format(field, value))
-            markdown.append('\n-----\n')
-    with open('README.md', 'w') as w:
-        w.write(''.join(markdown))
-
-def generate_docs_for_mkdocs(root_path):
-    for _path, title in zip(module_types, titles):
-        markdown = []
-        #markdown.append('## {}\n'.format(title))
-        current_path = os.path.join(root_path, _path)
-        files = sorted(os.listdir(current_path))
-        githubpath = '{}/{}'.format(githublink, _path)
-        for _file in files:
-            modulename = _file.split('.json')[0]
-            githubref = '{}/{}.py'.format(githubpath, modulename)
-            markdown.append('\n#### [{}]({})\n'.format(modulename, githubref))
-            filename = os.path.join(current_path, _file)
-            with open(filename, 'rt') as f:
-                definition = json.loads(f.read())
-            if 'logo' in definition:
-                markdown.append('\n<img src={} height=60>\n'.format(definition.pop('logo')))
-            if 'description' in definition:
-                markdown.append('\n{}\n'.format(definition.pop('description')))
-            for field, value in sorted(definition.items()):
-                if value:
-                    value = ', '.join(value) if isinstance(value, list) else '{}'.format(value.replace('\n', '\n>'))
-                    markdown.append('- **{}**:\n>{}\n'.format(field, value))
-            markdown.append('\n-----\n')
-        with open(root_path+"/../"+"/docs/"+_path+".md", 'w') as w:
-            w.write(''.join(markdown))
-
-if __name__ == '__main__':
-    root_path = os.path.dirname(os.path.realpath(__file__))
-    generate_doc(root_path)
-    generate_docs_for_mkdocs(root_path)

doc/import_mod/csvimport.json

@@ -1,8 +0,0 @@
-{
-  "description": "Module to import MISP attributes from a csv file.",
-  "requirements": ["PyMISP"],
-  "features": "In order to parse data from a csv file, a header is required to let the module know which column is matching with known attribute fields / MISP types.\n\nThis header either comes from the csv file itself or is part of the configuration of the module and should be filled out in MISP plugin settings, each field separated by COMMAS. Fields that do not match with any type known in MISP or are not MISP attribute fields should be ignored in import, using a space or simply nothing between two separators (example: 'ip-src, , comment, ').\n\nIf the csv file already contains a header that does not start by a '#', you should tick the checkbox 'has_header' to avoid importing it and have potential issues. You can also redefine the header even if it is already contained in the file, by following the rules for headers explained earlier. One reason why you would redefine a header is for instance when you want to skip some fields, or some fields are not valid types.",
-  "references": ["https://tools.ietf.org/html/rfc4180", "https://tools.ietf.org/html/rfc7111"],
-  "input": "CSV format file.",
-  "output": "MISP Event attributes"
-}

doc/import_mod/cuckooimport.json

@@ -1,9 +0,0 @@
-{
-  "description": "Module to import Cuckoo JSON.",
-  "logo": "logos/cuckoo.png",
-  "requirements": [],
-  "features": "The module simply imports MISP Attributes from a Cuckoo JSON format file. There is thus no special feature to make it work.",
-  "references": ["https://cuckoosandbox.org/", "https://github.com/cuckoosandbox/cuckoo"],
-  "input": "Cuckoo JSON file",
-  "output": "MISP Event attributes"
-}

doc/import_mod/email_import.json

@@ -1,8 +0,0 @@
-{
-  "description": "Module to import emails in MISP.",
-  "requirements": [],
-  "features": "This module can be used to import e-mail text as well as attachments and urls.\n3 configuration parameters are then used to unzip attachments, guess zip attachment passwords, and extract urls: set each one of them to True or False to process or not the respective corresponding actions.",
-  "references": [],
-  "input": "E-mail file",
-  "output": "MISP Event attributes"
-}

doc/import_mod/goamlimport.json

@@ -1,9 +0,0 @@
-{
-  "description": "Module to import MISP objects about financial transactions from GoAML files.",
-  "logo": "logos/goAML.jpg",
-  "requirements": ["PyMISP"],
-  "features": "Unlike the GoAML export module, there is here no special feature to import data from GoAML external files, since the module will import MISP Objects with their References on its own, as it is required for the export module to rebuild a valid GoAML document.",
-  "references": "http://goaml.unodc.org/",
-  "input": "GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities).",
-  "output": "MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target."
-}

doc/import_mod/mispjson.json

@@ -1,8 +0,0 @@
-{
-  "description": "Module to import MISP JSON format for merging MISP events.",
-  "requirements": [],
-  "features": "The module simply imports MISP Attributes from an other MISP Event in order to merge events together. There is thus no special feature to make it work.",
-  "references": [],
-  "input": "MISP Event",
-  "output": "MISP Event attributes"
-}

doc/import_mod/ocr.json

@@ -1,8 +0,0 @@
-{
-  "description": "Optical Character Recognition (OCR) module for MISP.",
-  "requirements": [],
-  "features": "The module tries to recognize some text from an image and import the result as a freetext attribute, there is then no special feature asked to users to make it work.",
-  "references": [],
-  "input": "Image",
-  "output": "freetext MISP attribute"
-}

doc/import_mod/openiocimport.json

@@ -1,8 +0,0 @@
-{
-  "description": "Module to import OpenIOC packages.",
-  "requirements": ["PyMISP"],
-  "features": "The module imports MISP Attributes from OpenIOC packages, there is then no special feature for users to make it work.",
-  "references": ["https://www.fireeye.com/blog/threat-research/2013/10/openioc-basics.html"],
-  "input": "OpenIOC packages",
-  "output": "MISP Event attributes"
-}

doc/import_mod/threatanalyzer_import.json

@@ -1,8 +0,0 @@
-{
-  "description": "Module to import ThreatAnalyzer archive.zip / analysis.json files.",
-  "requirements": [],
-  "features": "The module imports MISP Attributes from a ThreatAnalyzer format file. This file can be either ZIP, or JSON format.\nThere is by the way no special feature for users to make the module work.",
-  "references": ["https://www.threattrack.com/malware-analysis.aspx"],
-  "input": "ThreatAnalyzer format file",
-  "output": "MISP Event attributes"
-}

doc/import_mod/vmray_import.json

@@ -1,9 +0,0 @@
-{
-  "description": "Module to import VMRay (VTI) results.",
-  "logo": "logos/vmray.png",
-  "requirements": ["vmray_rest_api"],
-  "features": "The module imports MISP Attributes from VMRay format, using the VMRay api.\nUsers should then provide as the module configuration the API Key as well as the server url in order to fetch their data to import.",
-  "references": ["https://www.vmray.com/"],
-  "input": "VMRay format",
-  "output": "MISP Event attributes"
-}

documentation/README.md

@@ -91,8 +91,6 @@ A module to submit samples and URLs to AssemblyLine for advanced analysis, and r
 Query backscatter.io (https://backscatter.io/).
 - **features**:
 >The module takes a source or destination IP address as input and displays the information known by backscatter.io.
->
->
 - **input**:
 >IP addresses.
 - **output**:
@@ -109,8 +107,6 @@ Query backscatter.io (https://backscatter.io/).
 Query BGP Ranking (https://bgpranking-ng.circl.lu/).
 - **features**:
 >The module takes an AS number attribute as input and displays its description as well as its ranking position in BGP Ranking for a given day.
->
->
 - **input**:
 >Autonomous system number.
 - **output**:
@@ -182,9 +178,11 @@ Module to access CIRCL Passive DNS.
 - **ouput**:
 >Passive DNS objects related to the input attribute.
 - **references**:
->https://www.circl.lu/services/passive-dns/, https://datatracker.ietf.org/doc/draft-dulaunoy-dnsop-passive-dns-cof/
+> - https://www.circl.lu/services/passive-dns/
+> - https://datatracker.ietf.org/doc/draft-dulaunoy-dnsop-passive-dns-cof/
 - **requirements**:
->pypdns: Passive DNS python library, A CIRCL passive DNS account with username & password
+> - pypdns: Passive DNS python library
+> - A CIRCL passive DNS account with username & password
 
 -----
 
@@ -204,7 +202,8 @@ Modules to access CIRCL Passive SSL.
 - **references**:
 >https://www.circl.lu/services/passive-ssl/
 - **requirements**:
->pypssl: Passive SSL python library, A CIRCL passive SSL account with username & password
+> - pypssl: Passive SSL python library
+> - A CIRCL passive SSL account with username & password
 
 -----
 
@@ -222,9 +221,9 @@ Module to expand country codes.
 
 -----
 
-#### [cpe](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/cpe.py)
+#### [cpe](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cpe.py)
 
-<img src=logos/cpe.py height=60>
+<img src=logos/cve.png height=60>
 
 An expansion module to query the CVE search API with a cpe code to get its related vulnerabilities.
 - **features**:
@@ -310,7 +309,8 @@ An expansion module to submit files and URLs to Cuckoo Sandbox.
 - **output**:
 >A text field containing 'Cuckoo task id: <id>'
 - **references**:
->https://cuckoosandbox.org/, https://cuckoo.sh/docs/
+> - https://cuckoosandbox.org/
+> - https://cuckoo.sh/docs/
 - **requirements**:
 >Access to a Cuckoo Sandbox API and an API key if the API requires it. (api_url and api_key)
 
@@ -328,7 +328,8 @@ An expansion hover module to expand information about CVE id.
 - **output**:
 >Text giving information about the CVE related to the Vulnerability.
 - **references**:
->https://cve.circl.lu/, https://cve.mitre.org/
+> - https://cve.circl.lu/
+> - https://cve.mitre.org/
 
 -----
 
@@ -348,7 +349,8 @@ An expansion module to query the CIRCL CVE search API for more information about
 - **output**:
 >Additional information about the vulnerability, such as its cvss score, some references, or the related weaknesses and attack patterns.
 - **references**:
->https://cve.circl.lu, https://cve/mitre.org/
+> - https://cve.circl.lu
+> - https://cve/mitre.org/
 
 -----
 
@@ -364,7 +366,8 @@ An expansion module to enrich attributes in MISP by quering the Cytomic Orion AP
 - **output**:
 >MISP objects with sightings of the hash in Cytomic Orion. Includes files and machines.
 - **references**:
->https://www.vanimpe.eu/2020/03/10/integrating-misp-and-cytomic-orion/, https://www.cytomicmodel.com/solutions/
+> - https://www.vanimpe.eu/2020/03/10/integrating-misp-and-cytomic-orion/
+> - https://www.cytomicmodel.com/solutions/
 - **requirements**:
 >Access (license) to Cytomic Orion
 
@@ -459,7 +462,8 @@ DomainTools MISP expansion module.
 - **references**:
 >https://www.domaintools.com/
 - **requirements**:
->Domaintools python library, A Domaintools API access (username & apikey)
+> - Domaintools python library
+> - A Domaintools API access (username & apikey)
 
 -----
 
@@ -495,7 +499,8 @@ A module to query the Phishing Initiative service (https://phishing-initiative.l
 - **references**:
 >https://phishing-initiative.eu/?lang=en
 - **requirements**:
->pyeupi: eupi python library, An access to the Phishing Initiative API (apikey & url)
+> - pyeupi: eupi python library
+> - An access to the Phishing Initiative API (apikey & url)
 
 -----
 
@@ -519,7 +524,8 @@ Module to access Farsight DNSDB Passive DNS.
 - **output**:
 >Passive-dns objects, resulting from the query on the Farsight Passive DNS API.
 - **references**:
->https://www.farsightsecurity.com/, https://docs.dnsdb.info/dnsdb-api/
+> - https://www.farsightsecurity.com/
+> - https://docs.dnsdb.info/dnsdb-api/
 - **requirements**:
 >An access to the Farsight Passive DNS API (apikey), The dnsdb2 python library
 
@@ -611,7 +617,8 @@ Module to access GreyNoise.io API
 - **output**:
 >Additional information about the IP fetched from Greynoise API.
 - **references**:
->https://greynoise.io/, https://github.com/GreyNoise-Intelligence/api.greynoise.io
+> - https://greynoise.io/
+> - https://github.com/GreyNoise-Intelligence/api.greynoise.io
 - **requirements**:
 >A Greynoise API key.
 
@@ -706,9 +713,11 @@ Module to access intelmqs eventdb.
 - **output**:
 >Text giving information about the input using IntelMQ database.
 - **references**:
->https://github.com/certtools/intelmq, https://intelmq.readthedocs.io/en/latest/Developers-Guide/
+> - https://github.com/certtools/intelmq
+> - https://intelmq.readthedocs.io/en/latest/Developers-Guide/
 - **requirements**:
->psycopg2: Python library to support PostgreSQL, An access to the IntelMQ database (username, password, hostname and database reference)
+> - psycopg2: Python library to support PostgreSQL
+> - An access to the IntelMQ database (username, password, hostname and database reference)
 
 -----
 
@@ -764,7 +773,8 @@ This url can by the way come from the result of the [joesandbox_submit expansion
 - **output**:
 >MISP attributes & objects parsed from the analysis report.
 - **references**:
->https://www.joesecurity.org, https://www.joesandbox.com/
+> - https://www.joesecurity.org
+> - https://www.joesandbox.com/
 - **requirements**:
 >jbxapi: Joe Sandbox API python3 library
 
@@ -784,7 +794,8 @@ A module to submit files or URLs to Joe Sandbox for an advanced analysis, and re
 - **output**:
 >Link of the report generated in Joe Sandbox.
 - **references**:
->https://www.joesecurity.org, https://www.joesandbox.com/
+> - https://www.joesecurity.org
+> - https://www.joesandbox.com/
 - **requirements**:
 >jbxapi: Joe Sandbox API python3 library
 
@@ -843,9 +854,11 @@ MISP hover module for macaddress.io
 - **output**:
 >Text containing information on the MAC address fetched from a query on macaddress.io.
 - **references**:
->https://macaddress.io/, https://github.com/CodeLineFi/maclookup-python
+> - https://macaddress.io/
+> - https://github.com/CodeLineFi/maclookup-python
 - **requirements**:
->maclookup: macaddress.io python library, An access to the macaddress.io API (apikey)
+> - maclookup: macaddress.io python library
+> - An access to the macaddress.io API (apikey)
 
 -----
 
@@ -861,7 +874,8 @@ Module to access Macvendors API.
 - **output**:
 >Additional information about the MAC address.
 - **references**:
->https://macvendors.com/, https://macvendors.com/api
+> - https://macvendors.com/
+> - https://macvendors.com/api
 
 -----
 
@@ -907,7 +921,8 @@ Module to extract freetext from a .ods document.
 - **output**:
 >Text and freetext parsed from the document.
 - **requirements**:
->ezodf: Python package to create/manipulate OpenDocumentFormat files., pandas_ods_reader: Python library to read in ODS files.
+> - ezodf: Python package to create/manipulate OpenDocumentFormat files.
+> - pandas_ods_reader: Python library to read in ODS files.
 
 -----
 
@@ -939,9 +954,11 @@ Module to process a query on Onyphe.
 - **output**:
 >MISP attributes fetched from the Onyphe query.
 - **references**:
->https://www.onyphe.io/, https://github.com/sebdraven/pyonyphe
+> - https://www.onyphe.io/
+> - https://github.com/sebdraven/pyonyphe
 - **requirements**:
->onyphe python library, An access to the Onyphe API (apikey)
+> - onyphe python library
+> - An access to the Onyphe API (apikey)
 
 -----
 
@@ -959,9 +976,11 @@ Module to process a full query on Onyphe.
 - **output**:
 >MISP attributes fetched from the Onyphe query.
 - **references**:
->https://www.onyphe.io/, https://github.com/sebdraven/pyonyphe
+> - https://www.onyphe.io/
+> - https://github.com/sebdraven/pyonyphe
 - **requirements**:
->onyphe python library, An access to the Onyphe API (apikey)
+> - onyphe python library
+> - An access to the Onyphe API (apikey)
 
 -----
 
@@ -1046,7 +1065,8 @@ Module to get information from AlienVault OTX.
 - **references**:
 >https://www.passivetotal.org/register
 - **requirements**:
->Passivetotal python library, An access to the PassiveTotal API (apikey)
+> - Passivetotal python library
+> - An access to the PassiveTotal API (apikey)
 
 -----
 
@@ -1092,7 +1112,8 @@ Module to decode QR codes.
 - **output**:
 >The URL or bitcoin address the QR code is pointing to.
 - **requirements**:
->cv2: The OpenCV python library., pyzbar: Python library to read QR codes.
+> - cv2: The OpenCV python library.
+> - pyzbar: Python library to read QR codes.
 
 -----
 
@@ -1197,7 +1218,8 @@ An expansion modules for SecurityTrails.
 - **references**:
 >https://securitytrails.com/
 - **requirements**:
->dnstrails python library, An access to the SecurityTrails API (apikey)
+> - dnstrails python library
+> - An access to the SecurityTrails API (apikey)
 
 -----
 
@@ -1215,7 +1237,8 @@ Module to query on Shodan.
 - **references**:
 >https://www.shodan.io/
 - **requirements**:
->shodan python library, An access to the Shodan API (apikey)
+> - shodan python library
+> - An access to the Shodan API (apikey)
 
 -----
 
@@ -1253,7 +1276,8 @@ An expansion hover module to perform a syntax check on sigma rules.
 - **references**:
 >https://github.com/Neo23x0/sigma/wiki
 - **requirements**:
->Sigma python library, Yaml python library
+> - Sigma python library
+> - Yaml python library
 
 -----
 
@@ -1473,7 +1497,8 @@ Module to get advanced information from virustotal.
 - **output**:
 >MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute.
 - **references**:
->https://www.virustotal.com/, https://developers.virustotal.com/reference
+> - https://www.virustotal.com/
+> - https://developers.virustotal.com/reference
 - **requirements**:
 >An access to the VirusTotal API (apikey), with a high request rate limit.
 
@@ -1497,7 +1522,8 @@ Module to get information from VirusTotal.
 - **output**:
 >MISP attributes and objects resulting from the parsing of the VirusTotal report concerning the input attribute.
 - **references**:
->https://www.virustotal.com, https://developers.virustotal.com/reference
+> - https://www.virustotal.com
+> - https://developers.virustotal.com/reference
 - **requirements**:
 >An access to the VirusTotal API (apikey)
 
@@ -1564,7 +1590,8 @@ An expansion hover module to expand information about CVE id using Vulners API.
 - **references**:
 >https://vulners.com/
 - **requirements**:
->Vulners python library, An access to the Vulners API
+> - Vulners python library
+> - An access to the Vulners API
 
 -----
 
@@ -1655,7 +1682,8 @@ An expansion & hover module to translate any hash attribute into a yara rule.
 - **output**:
 >YARA rule.
 - **references**:
->https://virustotal.github.io/yara/, https://github.com/virustotal/yara-python
+> - https://virustotal.github.io/yara/
+> - https://github.com/virustotal/yara-python
 - **requirements**:
 >yara-python python library
 
@@ -1743,7 +1771,8 @@ This module is used to export MISP events containing transaction objects into Go
 - **references**:
 >http://goaml.unodc.org/
 - **requirements**:
->PyMISP, MISP objects
+> - PyMISP
+> - MISP objects
 
 -----
 
@@ -1823,7 +1852,8 @@ Simple export of a MISP event to PDF.
 - **references**:
 >https://acrobat.adobe.com/us/en/acrobat/about-adobe-pdf.html
 - **requirements**:
->PyMISP, reportlab
+> - PyMISP
+> - reportlab
 
 -----
 
@@ -1845,7 +1875,8 @@ Module to export a structured CSV file for uploading to threatStream.
 - **output**:
 >ThreatStream CSV format file
 - **references**:
->https://www.anomali.com/platform/threatstream, https://github.com/threatstream
+> - https://www.anomali.com/platform/threatstream
+> - https://github.com/threatstream
 - **requirements**:
 >csv
 
@@ -1906,7 +1937,8 @@ Module to import MISP attributes from a csv file.
 - **output**:
 >MISP Event attributes
 - **references**:
->https://tools.ietf.org/html/rfc4180, https://tools.ietf.org/html/rfc7111
+> - https://tools.ietf.org/html/rfc4180
+> - https://tools.ietf.org/html/rfc7111
 - **requirements**:
 >PyMISP
 
@@ -1924,7 +1956,8 @@ Module to import Cuckoo JSON.
 - **output**:
 >MISP Event attributes
 - **references**:
->https://cuckoosandbox.org/, https://github.com/cuckoosandbox/cuckoo
+> - https://cuckoosandbox.org/
+> - https://github.com/cuckoosandbox/cuckoo
 
 -----
 
@@ -1968,14 +2001,13 @@ A module to import data from a Joe Sandbox analysis json report.
 >Module using the new format of modules able to return attributes and objects.
 >
 >The module returns the same results as the expansion module [joesandbox_query](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_query.py) using the submission link of the analysis to get the json report.
->
->
 - **input**:
 >Json report of a Joe Sandbox analysis.
 - **output**:
 >MISP attributes & objects parsed from the analysis report.
 - **references**:
->https://www.joesecurity.org, https://www.joesandbox.com/
+> - https://www.joesecurity.org
+> - https://www.joesandbox.com/
 
 -----
 

documentation/generate_documentation.py

@@ -0,0 +1,68 @@
+# -*- coding: utf-8 -*-
+import os
+import json
+
+module_types = ['expansion', 'export_mod', 'import_mod']
+titles = ['Expansion Modules', 'Export Modules', 'Import Modules']
+githublink = 'https://github.com/MISP/misp-modules/tree/main/misp_modules/modules'
+
+
+def generate_doc(module_type, root_path, logo_path='logos'):
+    markdown = []
+    current_path = os.path.join(root_path, 'website', module_type)
+    files = sorted(os.listdir(current_path))
+    githubpath = f'{githublink}/{module_type}'
+    for filename in files:
+        modulename = filename.split('.json')[0]
+        githubref = f'{githubpath}/{modulename}.py'
+        markdown.append(f'\n#### [{modulename}]({githubref})\n')
+        filename = os.path.join(current_path, filename)
+        with open(filename, 'rt') as f:
+            definition = json.loads(f.read())
+        if 'logo' in definition:
+            logo = os.path.join(logo_path, definition.pop('logo'))
+            markdown.append(f"\n<img src={logo} height=60>\n")
+        if 'description' in definition:
+            markdown.append(f"\n{definition.pop('description')}\n")
+        for field, value in sorted(definition.items()):
+            if not value:
+                continue
+            if isinstance(value, list):
+                markdown.append(handle_list(field, value))
+                continue
+            markdown.append(get_single_value(field, value.replace('\n', '\n>')))
+        markdown.append('\n-----\n')
+    return markdown
+
+
+def get_single_value(field, value):
+    return f"- **{field}**:\n>{value}\n"
+
+
+def handle_list(field, values):
+    if len(values) == 1:
+        return get_single_value(field, values[0])
+    values = '\n> - '.join(values)
+    return f"- **{field}**:\n> - {values}\n"
+
+
+def write_doc(root_path):
+    markdown = ["# MISP modules documentation\n"]
+    for _path, title in zip(module_types, titles):
+        markdown.append(f'\n## {title}\n')
+        markdown.extend(generate_doc(_path, root_path))
+    with open('README.md', 'w') as w:
+        w.write(''.join(markdown))
+
+
+def write_docs_for_mkdocs(root_path):
+    for _path, title in zip(module_types, titles):
+        markdown = generate_doc(_path, root_path, logo_path='../logos')
+        with open(os.path.join(root_path, 'mkdocs', f'{_path}.md'), 'w') as w:
+            w.write(''.join(markdown))
+
+
+if __name__ == '__main__':
+    root_path = os.path.dirname(os.path.realpath(__file__))
+    write_doc(root_path)
+    write_docs_for_mkdocs(root_path)

documentation/website/expansion/apiosintds.json

@@ -1,8 +1,12 @@
 {
     "description": "On demand query API for OSINT.digitalside.it project.",
-    "requirements": ["The apiosintDS python library to query the OSINT.digitalside.it API."],
+    "requirements": [
+        "The apiosintDS python library to query the OSINT.digitalside.it API."
+    ],
     "input": "A domain, ip, url or hash attribute.",
     "output": "Hashes and urls resulting from the query to OSINT.digitalside.it",
-    "references": ["https://osint.digitalside.it/#About"],
+    "references": [
+        "https://osint.digitalside.it/#About"
+    ],
     "features": "The module simply queries the API of OSINT.digitalside.it with a domain, ip, url or hash attribute.\n\nThe result of the query is then parsed to extract additional hashes or urls. A module parameters also allows to parse the hashes related to the urls.\n\nFurthermore, it is possible to cache the urls and hashes collected over the last 7 days by OSINT.digitalside.it"
-}
+}

documentation/website/expansion/apivoid.json

@@ -1,9 +1,13 @@
 {
     "description": "Module to query APIVoid with some domain attributes.",
-    "logo": "logos/apivoid.png",
-    "requirements": ["A valid APIVoid API key with enough credits to proceed 2 queries"],
+    "logo": "apivoid.png",
+    "requirements": [
+        "A valid APIVoid API key with enough credits to proceed 2 queries"
+    ],
     "input": "A domain attribute.",
     "output": "DNS records and SSL certificates related to the domain.",
     "features": "This module takes a domain name and queries API Void to get the related DNS records and the SSL certificates. It returns then those pieces of data as MISP objects that can be added to the event.\n\nTo make it work, a valid API key and enough credits to proceed 2 queries (0.06 + 0.07 credits) are required.",
-    "references": ["https://www.apivoid.com/"]
-}
+    "references": [
+        "https://www.apivoid.com/"
+    ]
+}

documentation/website/expansion/assemblyline_query.json

@@ -1,9 +1,13 @@
 {
     "description": "A module tu query the AssemblyLine API with a submission ID to get the submission report and parse it.",
-    "logo": "logos/assemblyline.png",
-    "requirements": ["assemblyline_client: Python library to query the AssemblyLine rest API."],
+    "logo": "assemblyline.png",
+    "requirements": [
+        "assemblyline_client: Python library to query the AssemblyLine rest API."
+    ],
     "input": "Link of an AssemblyLine submission report.",
     "output": "MISP attributes & objects parsed from the AssemblyLine submission.",
-    "references": ["https://www.cyber.cg.ca/en/assemblyline"],
+    "references": [
+        "https://www.cyber.cg.ca/en/assemblyline"
+    ],
     "features": "The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the used-ID and an API key or the password associated to the user-ID.\n\nThe submission ID extracted from the submission link is then used to query AssemblyLine and get the full submission report. This report is parsed to extract file objects and the associated IPs, domains or URLs the files are connecting to.\n\nSome more data may be parsed in the future."
-}
+}

documentation/website/expansion/assemblyline_submit.json

@@ -1,9 +1,13 @@
 {
     "description": "A module to submit samples and URLs to AssemblyLine for advanced analysis, and return the link of the submission.",
-    "logo": "logos/assemblyline.png",
-    "requirements": ["assemblyline_client: Python library to query the AssemblyLine rest API."],
+    "logo": "assemblyline.png",
+    "requirements": [
+        "assemblyline_client: Python library to query the AssemblyLine rest API."
+    ],
     "input": "Sample, or url to submit to AssemblyLine.",
     "output": "Link of the report generated in AssemblyLine.",
-    "references": ["https://www.cyber.gc.ca/en/assemblyline"],
+    "references": [
+        "https://www.cyber.gc.ca/en/assemblyline"
+    ],
     "features": "The module requires the address of the AssemblyLine server you want to query as well as your credentials used for this instance. Credentials include the user-ID and an API key or the password associated to the user-ID.\n\nIf the sample or url is correctly submitted, you get then the link of the submission."
-}
+}

documentation/website/expansion/backscatter_io.json

@@ -1,9 +1,13 @@
 {
     "description": "Query backscatter.io (https://backscatter.io/).",
-    "requirements": ["backscatter python library"],
-    "features": "The module takes a source or destination IP address as input and displays the information known by backscatter.io.\n\n",
-    "logo": "logos/backscatter_io.png",
-    "references": ["https://pypi.org/project/backscatter/"],
+    "requirements": [
+        "backscatter python library"
+    ],
+    "features": "The module takes a source or destination IP address as input and displays the information known by backscatter.io.",
+    "logo": "backscatter_io.png",
+    "references": [
+        "https://pypi.org/project/backscatter/"
+    ],
     "input": "IP addresses.",
     "output": "Text containing a history of the IP addresses especially on scanning based on backscatter.io information ."
 }

documentation/website/expansion/bgpranking.json

@@ -1,8 +1,12 @@
 {
     "description": "Query BGP Ranking (https://bgpranking-ng.circl.lu/).",
-    "requirements": ["pybgpranking python library"],
-    "features": "The module takes an AS number attribute as input and displays its description as well as its ranking position in BGP Ranking for a given day.\n\n",
-    "references": ["https://github.com/D4-project/BGP-Ranking/"],
+    "requirements": [
+        "pybgpranking python library"
+    ],
+    "features": "The module takes an AS number attribute as input and displays its description as well as its ranking position in BGP Ranking for a given day.",
+    "references": [
+        "https://github.com/D4-project/BGP-Ranking/"
+    ],
     "input": "Autonomous system number.",
     "output": "An asn object with its related bgp-ranking object."
 }

documentation/website/expansion/btc_scam_check.json

@@ -1,9 +1,13 @@
 {
     "description": "An expansion hover module to query a special dns blacklist to check if a bitcoin address has been abused.",
-    "requirements": ["dnspython3: dns python library"],
+    "requirements": [
+        "dnspython3: dns python library"
+    ],
     "features": "The module queries a dns blacklist directly with the bitcoin address and get a response if the address has been abused.",
-    "logo": "logos/bitcoin.png",
+    "logo": "bitcoin.png",
     "input": "btc address attribute.",
-    "output" : "Text to indicate if the BTC address has been abused.",
-    "references": ["https://btcblack.it/"]
-}
+    "output": "Text to indicate if the BTC address has been abused.",
+    "references": [
+        "https://btcblack.it/"
+    ]
+}

documentation/website/expansion/btc_steroids.json

@@ -1,6 +1,6 @@
 {
     "description": "An expansion hover module to get a blockchain balance from a BTC address in MISP.",
-    "logo": "logos/bitcoin.png",
+    "logo": "bitcoin.png",
     "input": "btc address attribute.",
     "output": "Text to describe the blockchain balance and the transactions related to the btc address in input."
-}
+}

documentation/website/expansion/censys_enrich.json

@@ -1,8 +1,12 @@
 {
     "description": "An expansion module to enrich attributes in MISP by quering the censys.io API",
-    "requirements": ["API credentials to censys.io"],
+    "requirements": [
+        "API credentials to censys.io"
+    ],
     "input": "IP, domain or certificate fingerprint (md5, sha1 or sha256)",
     "output": "MISP objects retrieved from censys, including open ports, ASN, Location of the IP, x509 details",
-    "references": ["https://www.censys.io"],
+    "references": [
+        "https://www.censys.io"
+    ],
     "features": "This module takes an IP, hostname or a certificate fingerprint and attempts to enrich it by querying the Censys API."
-}
+}

documentation/website/expansion/circl_passivedns.json

@@ -1,9 +1,15 @@
 {
     "description": "Module to access CIRCL Passive DNS.",
-    "logo": "logos/passivedns.png",
-    "requirements": ["pypdns: Passive DNS python library", "A CIRCL passive DNS account with username & password"],
+    "logo": "passivedns.png",
+    "requirements": [
+        "pypdns: Passive DNS python library",
+        "A CIRCL passive DNS account with username & password"
+    ],
     "input": "Hostname, domain, or ip-address attribute.",
     "ouput": "Passive DNS objects related to the input attribute.",
     "features": "This module takes a hostname, domain or ip-address (ip-src or ip-dst) attribute as input, and queries the CIRCL Passive DNS REST API to get the asssociated passive dns entries and return them as MISP objects.\n\nTo make it work a username and a password are thus required to authenticate to the CIRCL Passive DNS API.",
-    "references": ["https://www.circl.lu/services/passive-dns/", "https://datatracker.ietf.org/doc/draft-dulaunoy-dnsop-passive-dns-cof/"]
-}
+    "references": [
+        "https://www.circl.lu/services/passive-dns/",
+        "https://datatracker.ietf.org/doc/draft-dulaunoy-dnsop-passive-dns-cof/"
+    ]
+}

documentation/website/expansion/circl_passivessl.json

@@ -1,9 +1,14 @@
 {
     "description": "Modules to access CIRCL Passive SSL.",
-    "logo": "logos/passivessl.png",
-    "requirements": ["pypssl: Passive SSL python library", "A CIRCL passive SSL account with username & password"],
+    "logo": "passivessl.png",
+    "requirements": [
+        "pypssl: Passive SSL python library",
+        "A CIRCL passive SSL account with username & password"
+    ],
     "input": "IP address attribute.",
     "output": "x509 certificate objects seen by the IP address(es).",
     "features": "This module takes an ip-address (ip-src or ip-dst) attribute as input, and queries the CIRCL Passive SSL REST API to gather the related certificates and return the corresponding MISP objects.\n\nTo make it work a username and a password are required to authenticate to the CIRCL Passive SSL API.",
-    "references": ["https://www.circl.lu/services/passive-ssl/"]
-}
+    "references": [
+        "https://www.circl.lu/services/passive-ssl/"
+    ]
+}

documentation/website/expansion/countrycode.json

@@ -3,4 +3,4 @@
     "input": "Hostname or domain attribute.",
     "output": "Text with the country code the input belongs to.",
     "features": "The module takes a domain or a hostname as input, and returns the country it belongs to.\n\nFor non country domains, a list of the most common possible extensions is used."
-}
+}

documentation/website/expansion/cpe.json

@@ -1,8 +1,10 @@
 {
     "description": "An expansion module to query the CVE search API with a cpe code to get its related vulnerabilities.",
-    "logo": "logos/cpe.py",
+    "logo": "cve.png",
     "input": "CPE attribute.",
     "output": "The vulnerabilities related to the CPE.",
-    "references": ["https://cve.circl.lu/api/"],
+    "references": [
+        "https://cve.circl.lu/api/"
+    ],
     "features": "The module takes a cpe attribute as input and queries the CVE search API to get its related vulnerabilities.  \nThe list of vulnerabilities is then parsed and returned as vulnerability objects.\n\nUsers can use their own CVE search API url by defining a value to the custom_API_URL parameter. If no custom API url is given, the default cve.circl.lu api url is used.\n\nIn order to limit the amount of data returned by CVE serach, users can also the limit parameter. With the limit set, the API returns only the requested number of vulnerabilities, sorted from the highest cvss score to the lowest one."
-}
+}