Modules for expansion services, import and export in MISP
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Iglocska 9bd1ae6199 Merge branch 'master' of 6 years ago
bin Minimal logging added to the server 6 years ago
modules/expansion Changed the output format to include all matching attribute types 6 years ago
tests curl is now silent 6 years ago Minimal documentation added 6 years ago

MISP modules

MISP modules are autonomous modules that can be used for expansion and other services in MISP.

The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration.

MISP modules support is included in MISP starting from version 2.4.X.

Existing MISP modules

  • DNS - a simple module to resolve MISP attributes like hostname and domain to expand IP addresses attributes.

How to add your own MISP modules?

Create your module in modules/expansion/. The module should have at minimum two functions:

  • introspection function that returns an array of the supported attributes by your expansion module.
  • handler function which accepts a JSON document to expand the values and return a dictionary of the expanded values.

Testing your modules?

MISP uses the modules function to discover the available MISP modules and their supported MISP attributes:

% curl -s | jq .
    "name": "dns",
    "mispattributes": [

The MISP module service returns the available modules in a JSON array containing each module name along with their supported input attributes.

Based on this information, a query can be built in a JSON format and saved as body.json:

{"module": "dns", "hostname": ""}

Then you can POST this JSON format query towards the MISP object server:

curl -s -H "Content-Type: application/json" --data @body.json -X POST