<!doctype html>
<html lang="en" class="no-js">
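<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width,initial-scale=1">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  <meta name="description" content="MISP Modules Project">
  <link rel="canonical" href="https://www.misp-project.org/import_mod/">
  <meta name="author" content="MISP Project">
  <!-- "lang:*" entries are UI strings, presumably read by the theme's client-side search and clipboard code. -->
  <meta name="lang:clipboard.copy" content="Copy to clipboard">
  <meta name="lang:clipboard.copied" content="Copied to clipboard">
  <meta name="lang:search.language" content="en">
  <meta name="lang:search.pipeline.stopwords" content="True">
  <meta name="lang:search.pipeline.trimmer" content="True">
  <meta name="lang:search.result.none" content="No matching documents">
  <meta name="lang:search.result.one" content="1 matching document">
  <meta name="lang:search.result.other" content="# matching documents">
  <meta name="lang:search.tokenizer" content="[\s\-]+">
  <!-- rel="icon" is the standard form; "shortcut icon" is a legacy spelling browsers still accept. -->
  <link rel="icon" href="../img/favicon.ico">
  <meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.4.0">
  <title>Import Modules - MISP Modules Documentation</title>
  <link rel="stylesheet" href="../assets/stylesheets/application.0284f74d.css">
  <link rel="stylesheet" href="../assets/stylesheets/application-palette.01803549.css">
  <!-- The empty <meta name="theme-color" content=""> was dropped: an empty value is not a valid colour and browsers ignore it. -->
  <!-- Loaded synchronously in <head> on purpose: it runs before first paint (presumably to replace the "no-js" class on <html>); defer/async would change that timing. -->
  <script src="../assets/javascripts/modernizr.74668098.js"></script>
  <!-- Third-party font origin: every visitor's browser contacts fonts.googleapis.com / fonts.gstatic.com when this page loads.
       A CSP for this site must list those hosts under style-src and font-src; SRI cannot be applied to the Google Fonts CSS
       because its body varies per user agent. Self-hosting the fonts removes both concerns. -->
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700|Roboto+Mono&display=fallback">
  <!-- Inline style block: a strict CSP (no 'unsafe-inline' in style-src) needs a hash or nonce for it. -->
  <style>body,input{font-family:"Roboto","Helvetica Neue",Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono","Courier New",Courier,monospace}</style>
  <link rel="stylesheet" href="../assets/fonts/material-icons.css">
</head>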
<body dir="ltr" data-md-color-primary="white" data-md-color-accent="blue">
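<!-- Inline SVG sprite: a definition store referenced via <use xlink:href="#__github"> in the header and sidebar.
     It is not content, so it is hidden from assistive technology and kept out of the IE/old-Edge focus order. -->
<svg class="md-svg" aria-hidden="true" focusable="false">
  <defs>
    <svg xmlns="http://www.w3.org/2000/svg" width="416" height="448" viewBox="0 0 416 448" id="__github"><path fill="currentColor" d="M160 304q0 10-3.125 20.5t-10.75 19T128 352t-18.125-8.5-10.75-19T96 304t3.125-20.5 10.75-19T128 256t18.125 8.5 10.75 19T160 304zm160 0q0 10-3.125 20.5t-10.75 19T288 352t-18.125-8.5-10.75-19T256 304t3.125-20.5 10.75-19T288 256t18.125 8.5 10.75 19T320 304zm40 0q0-30-17.25-51T296 232q-10.25 0-48.75 5.25Q229.5 240 208 240t-39.25-2.75Q130.75 232 120 232q-29.5 0-46.75 21T56 304q0 22 8 38.375t20.25 25.75 30.5 15 35 7.375 37.25 1.75h42q20.5 0 37.25-1.75t35-7.375 30.5-15 20.25-25.75T360 304zm56-44q0 51.75-15.25 82.75-9.5 19.25-26.375 33.25t-35.25 21.5-42.5 11.875-42.875 5.5T212 416q-19.5 0-35.5-.75t-36.875-3.125-38.125-7.5-34.25-12.875T37 371.5t-21.5-28.75Q0 312 0 260q0-59.25 34-99-6.75-20.5-6.75-42.5 0-29 12.75-54.5 27 0 47.5 9.875t47.25 30.875Q171.5 96 212 96q37 0 70 8 26.25-20.5 46.75-30.25T376 64q12.75 25.5 12.75 54.5 0 21.75-6.75 42 34 40 34 99.5z"/></svg>
  </defs>
</svg>
<!-- State-carrying checkboxes (presumably hidden by the theme CSS) toggled through <label for="..."> elements:
     #__drawer holds the navigation drawer state, #__search the search overlay state. -->
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
<!-- Skip link. A link with an href is already in the tab order, so the former tabindex="1" was removed:
     a positive tabindex pulls the element ahead of every other control and makes the tab sequence order-dependent.
     The target is the first section heading (#csvimport); the page h1 sits above that anchor. -->
<a href="#csvimport" class="md-skip">
  Skip to content
</a>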
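<header class="md-header" data-md-component="header">
  <nav class="md-header-nav md-grid">
    <div class="md-flex">
      <div class="md-flex__cell md-flex__cell--shrink">
        <!-- Logo link: the image now carries alt text naming the destination; a title attribute alone is not announced reliably. -->
        <a href="https://www.misp-project.org/" title="MISP Modules Documentation" class="md-header-nav__button md-logo">
          <img src="../img/misp.png" width="24" height="24" alt="MISP Modules Documentation">
        </a>
      </div>
      <div class="md-flex__cell md-flex__cell--shrink">
        <!-- Icon-only label toggling the #__drawer checkbox. It has no text and is not focusable, so the drawer is
             effectively mouse-only; a keyboard-reachable control would need a <button> wired up by the theme script. -->
        <label class="md-icon md-icon--menu md-header-nav__button" for="__drawer"></label>
      </div>
      <div class="md-flex__cell md-flex__cell--stretch">
        <div class="md-flex__ellipsis md-header-nav__title" data-md-component="title">
          <span class="md-header-nav__topic">
            MISP Modules Documentation
          </span>
          <span class="md-header-nav__topic">
            Import Modules
          </span>
        </div>
      </div>
      <div class="md-flex__cell md-flex__cell--shrink">
        <!-- Same icon-only label pattern as the menu toggle above, for the #__search checkbox. -->
        <label class="md-icon md-icon--search md-header-nav__button" for="__search"></label>
        <!-- The dialog role needs an accessible name to be announced meaningfully. -->
        <div class="md-search" data-md-component="search" role="dialog" aria-label="Search">
          <label class="md-search__overlay" for="__search"></label>
          <div class="md-search__inner" role="search">
            <!-- No action/method: the theme script is expected to handle the query client-side. If it does not cancel
                 the submit event, Enter in this single text field performs a GET of ?query=... against the current URL. -->
            <form class="md-search__form" name="search">
              <!-- placeholder is not a label; aria-label gives the field an accessible name without changing the layout. -->
              <input type="text" class="md-search__input" name="query" placeholder="Search" aria-label="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
              <label class="md-icon md-search__icon" for="__search"></label>
              <!-- The button text is an icon-font glyph (U+E5CD) that has no meaning when read aloud. -->
              <button type="reset" class="md-icon md-search__icon" data-md-component="reset" tabindex="-1" aria-label="Clear search">
                &#xE5CD;
              </button>
            </form>
            <div class="md-search__output">
              <div class="md-search__scrollwrap" data-md-scrollfix>
                <div class="md-search-result" data-md-component="result">
                  <div class="md-search-result__meta">
                    Type to start searching
                  </div>
                  <ol class="md-search-result__list"></ol>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <div class="md-flex__cell md-flex__cell--shrink">
        <div class="md-header-nav__source">
          <a href="https://github.com/MISP/misp-modules/" title="Go to repository" class="md-source" data-md-source="github">
            <div class="md-source__icon">
              <!-- Decorative: the repository name next to it is the link text. -->
              <svg viewBox="0 0 24 24" width="24" height="24" aria-hidden="true" focusable="false">
                <use xlink:href="#__github" width="24" height="24"></use>
              </svg>
            </div>
            <div class="md-source__repository">
              MISP/misp-modules
            </div>
          </a>
        </div>
      </div>
    </div>
  </nav>
</header>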
<div class="md-container">
<main class="md-main">
<div class="md-main__inner md-grid" data-md-component="container">
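<div class="md-sidebar md-sidebar--primary" data-md-component="navigation">
  <div class="md-sidebar__scrollwrap">
    <div class="md-sidebar__inner">
      <nav class="md-nav md-nav--primary" data-md-level="0" aria-label="Site navigation">
        <!-- Site title doubles as the drawer close control on small screens (label for the #__drawer checkbox). -->
        <label class="md-nav__title md-nav__title--site" for="__drawer">
          <a href="https://www.misp-project.org/" title="MISP Modules Documentation" class="md-nav__button md-logo">
            <!-- alt names the link destination; the image previously had no alt at all. -->
            <img src="../img/misp.png" width="48" height="48" alt="MISP Modules Documentation">
          </a>
          MISP Modules Documentation
        </label>
        <div class="md-nav__source">
          <a href="https://github.com/MISP/misp-modules/" title="Go to repository" class="md-source" data-md-source="github">
            <div class="md-source__icon">
              <!-- Decorative: the repository name is the link text. -->
              <svg viewBox="0 0 24 24" width="24" height="24" aria-hidden="true" focusable="false">
                <use xlink:href="#__github" width="24" height="24"></use>
              </svg>
            </div>
            <div class="md-source__repository">
              MISP/misp-modules
            </div>
          </a>
        </div>
        <ul class="md-nav__list" data-md-scrollfix>
          <li class="md-nav__item">
            <a href=".." title="Home" class="md-nav__link">Home</a>
          </li>
          <li class="md-nav__item md-nav__item--active md-nav__item--nested">
            <!-- "checked" keeps the Modules group expanded because the current page lives inside it. -->
            <input class="md-toggle md-nav__toggle" data-md-toggle="nav-2" type="checkbox" id="nav-2" checked>
            <label class="md-nav__link" for="nav-2">Modules</label>
            <nav class="md-nav" data-md-component="collapsible" data-md-level="1">
              <label class="md-nav__title" for="nav-2">Modules</label>
              <ul class="md-nav__list" data-md-scrollfix>
                <li class="md-nav__item">
                  <a href="../expansion/" title="Expansion Modules" class="md-nav__link">Expansion Modules</a>
                </li>
                <li class="md-nav__item">
                  <a href="../export_mod/" title="Export Modules" class="md-nav__link">Export Modules</a>
                </li>
                <li class="md-nav__item md-nav__item--active">
                  <input class="md-toggle md-nav__toggle" data-md-toggle="toc" type="checkbox" id="__toc">
                  <label class="md-nav__link md-nav__link--active" for="__toc">Import Modules</label>
                  <!-- aria-current tells assistive technology which entry is the page being viewed; the CSS class alone conveys it only visually. -->
                  <a href="./" title="Import Modules" class="md-nav__link md-nav__link--active" aria-current="page">Import Modules</a>
                  <!-- In-page table of contents for the drawer layout; the desktop layout repeats it in the secondary sidebar. -->
                  <nav class="md-nav md-nav--secondary" aria-label="Table of contents">
                    <label class="md-nav__title" for="__toc">Table of contents</label>
                    <ul class="md-nav__list" data-md-scrollfix>
                      <li class="md-nav__item"><a href="#csvimport" title="csvimport" class="md-nav__link">csvimport</a></li>
                      <li class="md-nav__item"><a href="#cuckooimport" title="cuckooimport" class="md-nav__link">cuckooimport</a></li>
                      <li class="md-nav__item"><a href="#email_import" title="email_import" class="md-nav__link">email_import</a></li>
                      <li class="md-nav__item"><a href="#goamlimport" title="goamlimport" class="md-nav__link">goamlimport</a></li>
                      <li class="md-nav__item"><a href="#joe_import" title="joe_import" class="md-nav__link">joe_import</a></li>
                      <li class="md-nav__item"><a href="#mispjson" title="mispjson" class="md-nav__link">mispjson</a></li>
                      <li class="md-nav__item"><a href="#ocr" title="ocr" class="md-nav__link">ocr</a></li>
                      <li class="md-nav__item"><a href="#openiocimport" title="openiocimport" class="md-nav__link">openiocimport</a></li>
                      <li class="md-nav__item"><a href="#threatanalyzer_import" title="threatanalyzer_import" class="md-nav__link">threatanalyzer_import</a></li>
                      <li class="md-nav__item"><a href="#vmray_import" title="vmray_import" class="md-nav__link">vmray_import</a></li>
                    </ul>
                  </nav>
                </li>
              </ul>
            </nav>
          </li>
          <li class="md-nav__item">
            <a href="../install/" title="Install Guides" class="md-nav__link">Install Guides</a>
          </li>
          <li class="md-nav__item">
            <a href="../contribute/" title="Contribute" class="md-nav__link">Contribute</a>
          </li>
          <li class="md-nav__item md-nav__item--nested">
            <input class="md-toggle md-nav__toggle" data-md-toggle="nav-5" type="checkbox" id="nav-5">
            <label class="md-nav__link" for="nav-5">About</label>
            <nav class="md-nav" data-md-component="collapsible" data-md-level="1">
              <label class="md-nav__title" for="nav-5">About</label>
              <ul class="md-nav__list" data-md-scrollfix>
                <li class="md-nav__item">
                  <a href="../license/" title="License" class="md-nav__link">License</a>
                </li>
              </ul>
            </nav>
          </li>
        </ul>
      </nav>
    </div>
  </div>
</div>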
<!-- Desktop table of contents: one anchor per module section of the article, same entries as the drawer's nested TOC. -->
<div class="md-sidebar md-sidebar--secondary" data-md-component="toc">
  <div class="md-sidebar__scrollwrap">
    <div class="md-sidebar__inner">
      <nav class="md-nav md-nav--secondary">
        <label class="md-nav__title" for="__toc">Table of contents</label>
        <ul class="md-nav__list" data-md-scrollfix>
          <li class="md-nav__item"><a href="#csvimport" title="csvimport" class="md-nav__link">csvimport</a></li>
          <li class="md-nav__item"><a href="#cuckooimport" title="cuckooimport" class="md-nav__link">cuckooimport</a></li>
          <li class="md-nav__item"><a href="#email_import" title="email_import" class="md-nav__link">email_import</a></li>
          <li class="md-nav__item"><a href="#goamlimport" title="goamlimport" class="md-nav__link">goamlimport</a></li>
          <li class="md-nav__item"><a href="#joe_import" title="joe_import" class="md-nav__link">joe_import</a></li>
          <li class="md-nav__item"><a href="#mispjson" title="mispjson" class="md-nav__link">mispjson</a></li>
          <li class="md-nav__item"><a href="#ocr" title="ocr" class="md-nav__link">ocr</a></li>
          <li class="md-nav__item"><a href="#openiocimport" title="openiocimport" class="md-nav__link">openiocimport</a></li>
          <li class="md-nav__item"><a href="#threatanalyzer_import" title="threatanalyzer_import" class="md-nav__link">threatanalyzer_import</a></li>
          <li class="md-nav__item"><a href="#vmray_import" title="vmray_import" class="md-nav__link">vmray_import</a></li>
        </ul>
      </nav>
    </div>
  </div>
</div>
<div class="md-content">
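<article class="md-content__inner md-typeset">
  <h1>Import Modules</h1>
  <!-- NOTE(review): heading levels jump from h1 straight to h4 (presumably "####" in the Markdown source); the theme
       styles h4 small, so correcting the level in the source would also change the look. Likewise the
       "input / output / references" lines below sit as dash-prefixed plain text inside the feature paragraph instead of
       a list, unlike the joe_import section, which renders a proper <ul>; that is a Markdown-source issue (likely a
       missing blank line before each list), not something to patch in this generated file. -->
  <h4 id="csvimport"><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/csvimport.py">csvimport</a><a class="headerlink" href="#csvimport" title="Permanent link">&para;</a></h4>
  <p>Module to import MISP attributes from a csv file.
  - <strong>features</strong>:</p>
  <blockquote>
    <p>In order to parse data from a csv file, a header is required to let the module know which column matches which known attribute field / MISP type.</p>
    <p>This header either comes from the csv file itself or is part of the module configuration, to be filled in the MISP plugin settings with each field separated by COMMAS. Fields that do not match any type known in MISP, or that are not MISP attribute fields, should be ignored in the import by putting a space or simply nothing between two separators (example: 'ip-src, , comment, ').</p>
    <p>If the csv file already contains a header that does not start with a '#', you should tick the 'has_header' checkbox to avoid importing it and running into potential issues. You can also redefine the header even if it is already contained in the file, by following the rules for headers explained earlier. One reason to redefine a header is, for instance, that you want to skip some fields, or that some fields are not valid types.
    - <strong>input</strong>:
    CSV format file.
    - <strong>output</strong>:
    MISP Event attributes
    - <strong>references</strong>:
    <a href="https://tools.ietf.org/html/rfc4180">https://tools.ietf.org/html/rfc4180</a>, <a href="https://tools.ietf.org/html/rfc7111">https://tools.ietf.org/html/rfc7111</a>
    - <strong>requirements</strong>:
    PyMISP</p>
  </blockquote>
  <hr>
  <h4 id="cuckooimport"><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/cuckooimport.py">cuckooimport</a><a class="headerlink" href="#cuckooimport" title="Permanent link">&para;</a></h4>
  <!-- Logo images: attribute values quoted and alt text added (they previously had neither). Intrinsic width is not known here, so only the height from the source is kept. -->
  <p><img src="logos/cuckoo.png" height="60" alt="Cuckoo Sandbox logo"></p>
  <p>Module to import Cuckoo JSON.
  - <strong>features</strong>:</p>
  <blockquote>
    <p>The module simply imports MISP Attributes from a Cuckoo JSON format file. There is thus no special feature to make it work.
    - <strong>input</strong>:
    Cuckoo JSON file
    - <strong>output</strong>:
    MISP Event attributes
    - <strong>references</strong>:
    <a href="https://cuckoosandbox.org/">https://cuckoosandbox.org/</a>, <a href="https://github.com/cuckoosandbox/cuckoo">https://github.com/cuckoosandbox/cuckoo</a></p>
  </blockquote>
  <hr>
  <h4 id="email_import"><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/email_import.py">email_import</a><a class="headerlink" href="#email_import" title="Permanent link">&para;</a></h4>
  <p>Module to import emails in MISP.
  - <strong>features</strong>:</p>
  <blockquote>
    <!-- NOTE(review): unzipping and password guessing operate on attachments taken from the e-mail being imported. The page
         does not say where extracted content ends up, whether nested archives are expanded, or what size limits apply;
         confirm against email_import.py before documenting recommended defaults for these three switches. -->
    <p>This module can be used to import e-mail text as well as attachments and URLs.
    Three configuration parameters then control whether to unzip attachments, guess zip attachment passwords, and extract URLs: set each one to True or False to enable or disable the corresponding action.
    - <strong>input</strong>:
    E-mail file
    - <strong>output</strong>:
    MISP Event attributes</p>
  </blockquote>
  <hr>
  <h4 id="goamlimport"><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/goamlimport.py">goamlimport</a><a class="headerlink" href="#goamlimport" title="Permanent link">&para;</a></h4>
  <p><img src="logos/goAML.jpg" height="60" alt="goAML logo"></p>
  <p>Module to import MISP objects about financial transactions from GoAML files.
  - <strong>features</strong>:</p>
  <blockquote>
    <p>Unlike the GoAML export module, there is no special feature here for importing data from external GoAML files, since the module imports MISP Objects together with their References on its own, as required for the export module to rebuild a valid GoAML document.
    - <strong>input</strong>:
    GoAML format file, describing financial transactions, with their origin and target (bank accounts, persons or entities).
    - <strong>output</strong>:
    MISP objects (transaction, bank-account, person, legal-entity, geolocation), with references, describing financial transactions and their origin and target.
    - <strong>references</strong>:
    <a href="http://goaml.unodc.org/">http://goaml.unodc.org/</a>
    - <strong>requirements</strong>:
    PyMISP</p>
  </blockquote>
  <hr>
  <h4 id="joe_import"><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/joe_import.py">joe_import</a><a class="headerlink" href="#joe_import" title="Permanent link">&para;</a></h4>
  <p><img src="logos/joesandbox.png" height="60" alt="Joe Sandbox logo"></p>
  <p>A module to import data from a Joe Sandbox analysis JSON report.
  - <strong>features</strong>:</p>
  <blockquote>
    <p>Module using the new format of modules able to return attributes and objects.</p>
    <p>The module returns the same results as the expansion module <a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/joesandbox_query.py">joesandbox_query</a>, which uses the submission link of the analysis to get the JSON report.</p>
    <ul>
      <li><strong>input</strong>:
      JSON report of a Joe Sandbox analysis.</li>
      <li><strong>output</strong>:
      MISP attributes &amp; objects parsed from the analysis report.</li>
      <li><strong>references</strong>:
      <a href="https://www.joesecurity.org">https://www.joesecurity.org</a>, <a href="https://www.joesandbox.com/">https://www.joesandbox.com/</a></li>
    </ul>
  </blockquote>
  <hr>
  <h4 id="mispjson"><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/mispjson.py">mispjson</a><a class="headerlink" href="#mispjson" title="Permanent link">&para;</a></h4>
  <p>Module to import MISP JSON format for merging MISP events.
  - <strong>features</strong>:</p>
  <blockquote>
    <p>The module simply imports MISP Attributes from another MISP Event in order to merge events together. There is thus no special feature to make it work.
    - <strong>input</strong>:
    MISP Event
    - <strong>output</strong>:
    MISP Event attributes</p>
  </blockquote>
  <hr>
  <h4 id="ocr"><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/ocr.py">ocr</a><a class="headerlink" href="#ocr" title="Permanent link">&para;</a></h4>
  <p>Optical Character Recognition (OCR) module for MISP.
  - <strong>features</strong>:</p>
  <blockquote>
    <p>The module tries to recognize text in an image and imports the result as a freetext attribute; no special feature is therefore required from users to make it work.
    - <strong>input</strong>:
    Image
    - <strong>output</strong>:
    freetext MISP attribute</p>
  </blockquote>
  <hr>
  <h4 id="openiocimport"><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/openiocimport.py">openiocimport</a><a class="headerlink" href="#openiocimport" title="Permanent link">&para;</a></h4>
  <p>Module to import OpenIOC packages.
  - <strong>features</strong>:</p>
  <blockquote>
    <p>The module imports MISP Attributes from OpenIOC packages, so there is no special feature for users to make it work.
    - <strong>input</strong>:
    OpenIOC packages
    - <strong>output</strong>:
    MISP Event attributes
    - <strong>references</strong>:
    <a href="https://www.fireeye.com/blog/threat-research/2013/10/openioc-basics.html">https://www.fireeye.com/blog/threat-research/2013/10/openioc-basics.html</a>
    - <strong>requirements</strong>:
    PyMISP</p>
  </blockquote>
  <hr>
  <h4 id="threatanalyzer_import"><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/threatanalyzer_import.py">threatanalyzer_import</a><a class="headerlink" href="#threatanalyzer_import" title="Permanent link">&para;</a></h4>
  <p>Module to import ThreatAnalyzer archive.zip / analysis.json files.
  - <strong>features</strong>:</p>
  <blockquote>
    <p>The module imports MISP Attributes from a ThreatAnalyzer format file. This file can be in either ZIP or JSON format.
    There is otherwise no special feature for users to make the module work.
    - <strong>input</strong>:
    ThreatAnalyzer format file
    - <strong>output</strong>:
    MISP Event attributes
    - <strong>references</strong>:
    <a href="https://www.threattrack.com/malware-analysis.aspx">https://www.threattrack.com/malware-analysis.aspx</a></p>
  </blockquote>
  <hr>
  <h4 id="vmray_import"><a href="https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/import_mod/vmray_import.py">vmray_import</a><a class="headerlink" href="#vmray_import" title="Permanent link">&para;</a></h4>
  <p><img src="logos/vmray.png" height="60" alt="VMRay logo"></p>
  <p>Module to import VMRay (VTI) results.
  - <strong>features</strong>:</p>
  <blockquote>
    <!-- NOTE(review): the API key is entered in the module configuration (MISP plugin settings). The page says nothing about
         how that value is stored or who can read it; a pointer for operators would help readers scope access to it. -->
    <p>The module imports MISP Attributes from the VMRay format, using the VMRay API.
    Users must therefore provide the API key and the server URL in the module configuration in order to fetch the data to import.
    - <strong>input</strong>:
    VMRay format
    - <strong>output</strong>:
    MISP Event attributes
    - <strong>references</strong>:
    <a href="https://www.vmray.com/">https://www.vmray.com/</a>
    - <strong>requirements</strong>:
    vmray_rest_api</p>
  </blockquote>
  <hr>
</article>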
</div>
</div>
</main>
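<footer class="md-footer">
  <div class="md-footer-nav">
    <!-- Several <nav> landmarks exist on the page; a label lets assistive technology tell them apart. -->
    <nav class="md-footer-nav__inner md-grid" aria-label="Previous and next page">
      <a href="../export_mod/" title="Export Modules" class="md-flex md-footer-nav__link md-footer-nav__link--prev" rel="prev">
        <div class="md-flex__cell md-flex__cell--shrink">
          <!-- Icon-font glyph only; hidden from assistive technology because the link text already names the target. -->
          <i class="md-icon md-icon--arrow-back md-footer-nav__button" aria-hidden="true"></i>
        </div>
        <div class="md-flex__cell md-flex__cell--stretch md-footer-nav__title">
          <span class="md-flex__ellipsis">
            <span class="md-footer-nav__direction">
              Previous
            </span>
            Export Modules
          </span>
        </div>
      </a>
      <a href="../install/" title="Install Guides" class="md-flex md-footer-nav__link md-footer-nav__link--next" rel="next">
        <div class="md-flex__cell md-flex__cell--stretch md-footer-nav__title">
          <span class="md-flex__ellipsis">
            <span class="md-footer-nav__direction">
              Next
            </span>
            Install Guides
          </span>
        </div>
        <div class="md-flex__cell md-flex__cell--shrink">
          <i class="md-icon md-icon--arrow-forward md-footer-nav__button" aria-hidden="true"></i>
        </div>
      </a>
    </nav>
  </div>
  <div class="md-footer-meta md-typeset">
    <div class="md-footer-meta__inner md-grid">
      <div class="md-footer-copyright">
        <div class="md-footer-copyright__highlight">
          Copyright &copy; 2019 MISP Project
        </div>
        powered by
        <a href="https://www.mkdocs.org">MkDocs</a>
        and
        <a href="https://squidfunk.github.io/mkdocs-material/">Material for MkDocs</a>
      </div>
      <div class="md-footer-social">
        <!-- A stylesheet <link> in <body> is valid; it is loaded late, so only the icons below wait for it. -->
        <link rel="stylesheet" href="../assets/fonts/font-awesome.css">
        <!-- These anchors render only an icon-font glyph and had no text at all, so they had no accessible name;
             aria-label supplies one. No target="_blank", so no noopener/noreferrer is needed. -->
        <a href="https://www.misp-project.org/" class="md-footer-social__link fa fa-globe" aria-label="MISP Project website"></a>
        <a href="https://github.com/MISP" class="md-footer-social__link fa fa-github-alt" aria-label="MISP on GitHub"></a>
        <a href="https://twitter.com/MISPProject" class="md-footer-social__link fa fa-twitter" aria-label="MISP Project on Twitter"></a>
      </div>
    </div>
  </div>
</footer>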
</div>
<!-- Theme bundle. The inline call below depends on it having executed already, so neither script can be given
     defer/async on its own without changing the initialisation order. -->
<script src="../assets/javascripts/application.245445c6.js"></script>
<!-- Inline script: a strict CSP (no 'unsafe-inline' in script-src) needs a hash or nonce for this exact text.
     url.base is the site root relative to this page; presumably the theme builds asset and search-index URLs from it. -->
<script>app.initialize({version:"1.0.4",url:{base:".."}})</script>
</body>
</html>