Modules for expansion services, import and export in MISP http://misp.github.io/misp-modules
 
 
 
 
Go to file
Alexandre Dulaunoy 2965433ffc Merge pull request #24 from eu-pi/eupi_hover
[EUPI] Change module for a simple hover status
2016-06-07 15:13:27 +02:00
bin Add option to specify listen address 2016-04-29 10:15:24 +02:00
helpers Value is not required 2016-04-19 07:57:36 +02:00
modules [EUPI] Simplify hover 2016-06-07 10:34:53 +02:00
tests dns module test with option added 2016-04-01 08:00:56 +02:00
var default var directory added 2016-02-18 09:25:51 +01:00
.gitignore Add CIRCL pssl module 2016-03-25 17:38:03 +01:00
.travis.yml Add redis server 2016-04-28 14:26:30 +02:00
README.md ASN History added 2016-05-08 16:33:54 +02:00
REQUIREMENTS Add ASN Description expansion module 2016-05-08 13:07:09 +02:00

README.md

MISP modules

Build Status

MISP modules are autonomous modules that can be used for expansion and other services in MISP.

The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration.

MISP modules support is included in MISP starting from version 2.4.28.

For more information: Extending MISP with Python modules slides from MISP training.

Existing MISP modules

  • ASN History - a hover and expansion module to expand an AS number with the ASN description and its history.
  • CIRCL Passive SSL - a hover and expansion module to expand IP addresses with the X.509 certificate seen.
  • CIRCL Passive DNS - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
  • CVE - a hover module to give more information about a vulnerability (CVE).
  • DNS - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
  • EUPI - a hover and expansion module to get information about an URL from the Phishing Initiative project.
  • IPASN - a hover and expansion to get the BGP ASN of an IP address.
  • passivetotal - a passivetotal module that queries a number of different PassiveTotal datasets.
  • sourcecache - a module to cache a specific link from a MISP instance.

How to install and start MISP modules?

apt-get install python3-dev python3-pip libpq5
git clone https://github.com/MISP/misp-modules.git
cd misp-modules
pip3 install -r REQUIREMENTS
cd bin
python3 misp-modules.py

How to add your own MISP modules?

Create your module in modules/expansion/. The module should have at minimum three functions:

  • introspection function that returns a dict of the supported attributes (input and output) by your expansion module.
  • handler function which accepts a JSON document to expand the values and return a dictionary of the expanded values.
  • version function that returns a dict with the version and the associated meta-data including potential configurations required of the module.

Don't forget to return an error key and value if an error is raised to propagate it to the MISP user-interface.

If your module requires additional configuration (to be exposed via the MISP user-interface), a config array is added to the meta-data output containing all the potential configuration values:

"meta": {
      "description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources",
      "config": [
        "username",
        "password"
      ],
      "module-type": [
        "expansion",
        "hover"
      ],

...

Module type

A MISP module can be of two types:

  • expansion - service related to an attribute that can be used to extend and update an existing event.
  • hover - service related to an attribute to provide additional information to the users without updating the event.

module-type is an array where the list of supported types can be added.

Testing your modules?

MISP uses the modules function to discover the available MISP modules and their supported MISP attributes:

% curl -s http://127.0.0.1:6666/modules | jq .
[
  {
    "name": "passivetotal",
    "type": "expansion",
    "mispattributes": {
      "input": [
        "hostname",
        "domain",
        "ip-src",
        "ip-dst"
      ],
      "output": [
        "ip-src",
        "ip-dst",
        "hostname",
        "domain"
      ]
    },
    "meta": {
      "description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources",
      "config": [
        "username",
        "password"
      ],
      "author": "Alexandre Dulaunoy",
      "version": "0.1"
    }
  },
  {
    "name": "sourcecache",
    "type": "expansion",
    "mispattributes": {
      "input": [
        "link"
      ],
      "output": [
        "link"
      ]
    },
    "meta": {
      "description": "Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.",
      "author": "Alexandre Dulaunoy",
      "version": "0.1"
    }
  },
  {
    "name": "dns",
    "type": "expansion",
    "mispattributes": {
      "input": [
        "hostname",
        "domain"
      ],
      "output": [
        "ip-src",
        "ip-dst"
      ]
    },
    "meta": {
      "description": "Simple DNS expansion service to resolve IP address from MISP attributes",
      "author": "Alexandre Dulaunoy",
      "version": "0.1"
    }
  }
]

The MISP module service returns the available modules in a JSON array containing each module name along with their supported input attributes.

Based on this information, a query can be built in a JSON format and saved as body.json:

{
  "hostname": "www.foo.be",
  "module": "dns"
}

Then you can POST this JSON format query towards the MISP object server:

curl -s http://127.0.0.1:6666/query -H "Content-Type: application/json" --data @body.json -X POST

The module should output the following JSON:

{
  "results": [
    {
      "types": [
        "ip-src",
        "ip-dst"
      ],
      "values": [
        "188.65.217.78"
      ]
    }
  ]
}

How to contribute your own module?

Fork the project, add your module, test it and make a pull-request. Modules can be also private as you can add a module in your own MISP installation.