Modules for expansion services, import and export in MISP http://misp.github.io/misp-modules
 
 
 
 
Go to file
Raphaël Vinot 4a8ccb54fb Refactoring of domaintools expansion module 2016-12-15 16:49:56 +01:00
misp_modules Refactoring of domaintools expansion module 2016-12-15 16:49:56 +01:00
modules/expansion Merge pull request #28 from Rafiot/pip 2016-06-28 21:14:47 +02:00
tests Remove domaintools tests 2016-12-02 16:16:25 +01:00
var default var directory added 2016-02-18 09:25:51 +01:00
.gitignore Added body.json to gitignore 2016-08-17 13:01:41 +01:00
.travis.yml Ok we'll use the dep from misp-stix-converter. Surely this'll work? 2016-11-21 15:07:56 +00:00
LICENSE Create LICENSE 2016-09-05 07:26:29 +02:00
README.md DomainTools module added 2016-12-02 17:12:21 +01:00
README.rst Make it a package 2016-06-18 11:04:41 +09:00
REQUIREMENTS Update requirements list 2016-12-01 17:42:10 +01:00
setup.py Use git for everything we can 2016-11-21 15:20:57 +00:00

README.md

MISP modules

Build Status Coverage Status codecov

MISP modules are autonomous modules that can be used for expansion and other services in MISP.

The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration.

MISP modules support is included in MISP starting from version 2.4.28.

For more information: Extending MISP with Python modules slides from MISP training.

Existing MISP modules

Expansion modules

  • ASN History - a hover and expansion module to expand an AS number with the ASN description and its history.
  • CIRCL Passive SSL - a hover and expansion module to expand IP addresses with the X.509 certificate seen.
  • CIRCL Passive DNS - a hover and expansion module to expand hostname and IP addresses with passive DNS information.
  • CVE - a hover module to give more information about a vulnerability (CVE).
  • DNS - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.
  • DomainTools - a hover and expansion module to get information from DomainTools whois.
  • EUPI - a hover and expansion module to get information about an URL from the Phishing Initiative project.
  • IPASN - a hover and expansion to get the BGP ASN of an IP address.
  • passivetotal - a passivetotal module that queries a number of different PassiveTotal datasets.
  • sourcecache - a module to cache a specific link from a MISP instance.
  • countrycode - a hover module to tell you what country a URL belongs to.
  • virustotal - an expansion module to pull known resolutions and malware samples related with an IP/Domain from virusTotal (this modules require a VirusTotal private API key)

Export modules

  • CEF module to export Common Event Format (CEF).

Import modules

  • OCR Optical Character Recognition (OCR) module for MISP to import attributes from images, scan or faxes.
  • stiximport - An import module to process STIX xml/json
  • VMRay - An import module to process VMRay export

How to install and start MISP modules?

sudo apt-get install python3-dev python3-pip libpq5
cd /usr/local/src/
sudo git clone https://github.com/MISP/misp-modules.git
cd misp-modules
sudo pip3 install -I -r REQUIREMENTS
sudo pip3 install -I .
sudo vi /etc/rc.local, add this line: `sudo -u www-data misp-modules -s &`
/usr/local/bin/misp-modules #to start the modules

How to add your own MISP modules?

Create your module in misp_modules/modules/. The module should have at minimum three functions:

  • introspection function that returns a dict of the supported attributes (input and output) by your expansion module.
  • handler function which accepts a JSON document to expand the values and return a dictionary of the expanded values.
  • version function that returns a dict with the version and the associated meta-data including potential configurations required of the module.

Don't forget to return an error key and value if an error is raised to propagate it to the MISP user-interface.

If your module requires additional configuration (to be exposed via the MISP user-interface), a config array is added to the meta-data output containing all the potential configuration values:

"meta": {
      "description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources",
      "config": [
        "username",
        "password"
      ],
      "module-type": [
        "expansion",
        "hover"
      ],

...

Module type

A MISP module can be of different types:

  • expansion - service related to an attribute that can be used to extend and update an existing event.
  • hover - service related to an attribute to provide additional information to the users without updating the event.
  • import/export - import / export data

module-type is an array where the list of supported types can be added.

Testing your modules?

MISP uses the modules function to discover the available MISP modules and their supported MISP attributes:

% curl -s http://127.0.0.1:6666/modules | jq .
[
  {
    "name": "passivetotal",
    "type": "expansion",
    "mispattributes": {
      "input": [
        "hostname",
        "domain",
        "ip-src",
        "ip-dst"
      ],
      "output": [
        "ip-src",
        "ip-dst",
        "hostname",
        "domain"
      ]
    },
    "meta": {
      "description": "PassiveTotal expansion service to expand values with multiple Passive DNS sources",
      "config": [
        "username",
        "password"
      ],
      "author": "Alexandre Dulaunoy",
      "version": "0.1"
    }
  },
  {
    "name": "sourcecache",
    "type": "expansion",
    "mispattributes": {
      "input": [
        "link"
      ],
      "output": [
        "link"
      ]
    },
    "meta": {
      "description": "Module to cache web pages of analysis reports, OSINT sources. The module returns a link of the cached page.",
      "author": "Alexandre Dulaunoy",
      "version": "0.1"
    }
  },
  {
    "name": "dns",
    "type": "expansion",
    "mispattributes": {
      "input": [
        "hostname",
        "domain"
      ],
      "output": [
        "ip-src",
        "ip-dst"
      ]
    },
    "meta": {
      "description": "Simple DNS expansion service to resolve IP address from MISP attributes",
      "author": "Alexandre Dulaunoy",
      "version": "0.1"
    }
  }
]

The MISP module service returns the available modules in a JSON array containing each module name along with their supported input attributes.

Based on this information, a query can be built in a JSON format and saved as body.json:

{
  "hostname": "www.foo.be",
  "module": "dns"
}

Then you can POST this JSON format query towards the MISP object server:

curl -s http://127.0.0.1:6666/query -H "Content-Type: application/json" --data @body.json -X POST

The module should output the following JSON:

{
  "results": [
    {
      "types": [
        "ip-src",
        "ip-dst"
      ],
      "values": [
        "188.65.217.78"
      ]
    }
  ]
}

It is also possible to restrict the category options of the resolved attributes by passing a list of categories along (optional):

{
  "results": [
    {
      "types": [
        "ip-src",
        "ip-dst"
      ],
      "values": [
        "188.65.217.78"
      ],
      "categories": [
        "Network activity",
        "Payload delivery"
      ]
    }
  ]
}

For both the type and the category lists, the first item in the list will be the default setting on the interface.

How to contribute your own module?

Fork the project, add your module, test it and make a pull-request. Modules can be also private as you can add a module in your own MISP installation.