Extending MISP with Python modules MISP - Malware Information Sharing Platform & Threat Sharing

Similar documents
Extending MISP with Python modules MISP - Malware Information Sharing Platform & Threat Sharing

PyMISP - (ab)using MISP API with PyMISP MISP - Malware Information Sharing Platform & Threat Sharing

Deep-dive into PyMISP MISP - Malware Information Sharing Platform & Threat Sharing

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

Incident Response tactics with Compromise Indicators

MISP Training: Galaxies

IntelMQ - a KISS incident handling automation project (IHAP)

MISP Galaxy. Threat Sharing. Team CIRCL. MISP CIRCL

Databases through Python-Flask and MariaDB

Geodatabase Best Practices. Dave Crawford Erik Hoel

From BASIS DD to Barista Application in Five Easy Steps

Converting workflows from ArcSDE Command line in ArcGIS 10.3.x

From BASIS DD to Barista Application in Five Easy Steps

Tryton Technical Training

Yes, the Library will be accessible via the new PULSE and the existing desktop version of PULSE.

WALKUP LC/MS FOR PHARMACEUTICAL R&D

Administering your Enterprise Geodatabase using Python. Jill Penney

Virtual Beach Building a GBM Model

Appendix 4 Weather. Weather Providers

Tox Issues with virtualenv GNU Guix guix-tox. Guix-tox. A functional version of tox. Cyril Roelandt January 30, /35

cve-search - a free software to collect, search and analyse common vulnerabilities and exposures in software Freedom #0 in action

Troubleshooting Replication and Geodata Services. Liz Parrish & Ben Lin

Mass Asset Additions. Overview. Effective mm/dd/yy Page 1 of 47 Rev 1. Copyright Oracle, All rights reserved.

ArcGIS Pro Q&A Session. NWGIS Conference, October 11, 2017 With John Sharrard, Esri GIS Solutions Engineer

NV-DVR09NET NV-DVR016NET

IMS4 ARWIS. Airport Runway Weather Information System. Real-time data, forecasts and early warnings

Reaxys Medicinal Chemistry Fact Sheet

Geo-enabling a Transactional Real Estate Management System A case study from the Minnesota Dept. of Transportation

From Geographics Stella to Bentley Map Stella Map. Kimmo Soukki, Account Manager Bentley Finland

Skyward. Requirements Specification Report. 12/7/2016 Version: 1.1. Team Name: Team Members: Sponsors: Mentor: Skyward

GIS Functions and Integration. Tyler Pauley Associate Consultant

Frequently Asked Questions

Leveraging ArcGIS Online Elevation and Hydrology Services. Steve Kopp, Jian Lange

Bentley Map V8i (SELECTseries 3)

Bentley Geospatial update

Arboretum Explorer: Using GIS to map the Arnold Arboretum

new interface and features

Configuring LDAP Authentication in iway Service Manager

TECDIS and TELchart ECS Weather Overlay Guide

Open Notify API. Release 0.2. Nathan Bergey

git Tutorial Nicola Chiapolini Physik-Institut University of Zurich March 16, 2015

Creating Questions in Word Importing Exporting Respondus 4.0. Importing Respondus 4.0 Formatting Questions

Replication cluster on MariaDB 5.5 / ubuntu-server. Mark Schneider ms(at)it-infrastrukturen(dot)org

Example: sending one bit of information across noisy channel. Effects of the noise: flip the bit with probability p.

Senior astrophysics Lab 2: Evolution of a 1 M star

MySQL Attack Mitigation Using Deception Technology

epistasis Documentation

ArcGIS 9 ArcGIS StreetMap Tutorial

Enabling ENVI. ArcGIS for Server

The impacts of Open Government initiatives on SDIs

The conceptual view. by Gerrit Muller University of Southeast Norway-NISE

Android Services. Lecture 4. Operating Systems Practical. 26 October 2016

Changes in Esri GIS, practical ways to be ready for the future

Bloomsburg University Weather Viewer Quick Start Guide. Software Version 1.2 Date 4/7/2014

Collaborative WRF-based research and education enabled by software containers

Geodatabase Programming with Python John Yaist

Geography 281 Map Making with GIS Project Four: Comparing Classification Methods

Lab Manual for ICEN 553/453 Cyber-Physical Systems Fall 2018

What s New. August 2013

Bentley Map Advancing GIS for the World s Infrastructure

Geospatial Products V8i (SELECTseries 1)

Animating Maps: Visual Analytics meets Geoweb 2.0

git Tutorial Nicola Chiapolini Physik-Institut University of Zurich June 8, 2015

Geodatabase Programming with Python

GPS Mapping with Esri s Collector App. What We ll Cover

Scripting Languages Fast development, extensible programs

Basics HTTP. requests. Ryan E. Freckleton. PySprings. May 24, 2016

git Tutorial Nicola Chiapolini Physik-Institut University of Zurich January 26, 2015

Data Structures & Database Queries in GIS

Web Development Paradigms and how django and GAE webapp approach them.

Migration to the New BI360

The Application of 3D Web GIS In Land Administration - 3D Building Model System

Introduction to Portal for ArcGIS. Hao LEE November 12, 2015

Exelis and Esri Technologies for Defense and National Security. Cherie Muleh

Virtual Beach Making Nowcast Predictions

Web GIS Deployment for Administrators. Vanessa Ramirez Solution Engineer, Natural Resources, Esri

MapOSMatic, free city maps for everyone!

SimpleDreamEQ2. Upgrade kit equatorial mounts Synta EQ2, Celestron CG3. User guide. Micro GoTo system. Micro GoTo system

ST-Links. SpatialKit. Version 3.0.x. For ArcMap. ArcMap Extension for Directly Connecting to Spatial Databases. ST-Links Corporation.

GIS Solution For Electric Utilities With Integration With Distribution Management System

Watershed Modeling Orange County Hydrology Using GIS Data

New York State. Electronic Certificate of Need. HCS Coordinator. Overview. Version 1.0

Performing Advanced Cartography with Esri Production Mapping

Introduction to Portal for ArcGIS

An easy-to-use application that lets end users prepare and deploy background maps to your Carmenta based applications.

New SPOT Program. Customer Tutorial. Tim Barry Fire Weather Program Leader National Weather Service Tallahassee

Esri WebGIS Highlights of What s New, and the Road Ahead

The integration of land change modeling framework FUTURES into GRASS GIS 7

Minutes Kick Off meeting Spatial Data Services Working Group. Minutes Kick Off meeting Spatial Data Services Working Group Creator

Smart Data Collection and Real-time Digital Cartography

Spatial Data Infrastructure Concepts and Components. Douglas Nebert U.S. Federal Geographic Data Committee Secretariat

Account Setup. STEP 1: Create Enhanced View Account

Continuous Performance Testing Shopware Developer Conference. Kore Nordmann 08. June 2013

Geologi for samfunnet

Overlay Transport Virtualization (OTV) Unicast-Mode Transport Infrastructure Deployment

A Model of GIS Interoperability Based on JavaRMI

Managing Imagery and Raster Data Using Mosaic Datasets

Outline. The European Commission s science and knowledge service. Introduction Rationale

Transcription:

Extending MISP with Python modules MISP - Malware Information Sharing Platform & Threat Sharing MISP Project @MISPProject TLP:WHITE MISP Training - @SWITCH - 20161206

Why we want to go more modular... Ways to extend MISP before modules APIs (PyMISP, MISP API) Works really well No integration with the UI Change the core code Have to change the core of MISP, diverge from upstream Needs a deep understanding of MISP internals Let s not beat around the bush: Everyone hates PHP 2 of 32

Goals for the module system Have a way to extend MISP without altering the core Get started quickly without a need to study the internals Make the modules as light weight as possible Module developers should only have to worry about the data transformation Modules should have a simple and clean skeleton In a friendlier language - Python 3 of 32

MISP modules - extending MISP with Python scripts 4 of 32 Extending MISP with expansion modules with zero customization in MISP. A simple ReST API between the modules and MISP allowing auto-discovery of new modules with their features. Benefit from existing Python modules in Viper or any other tools. MISP modules functionnality introduced in MISP 2.4.28. MISP import/export modules introduced in MISP 2.4.50.

MISP modules - installation MISP modules can be run on the same system or on a remote server. Python 3 is required to run MISP modules. sudo apt-get install python3-dev python3-pip libpq5 cd /usr/local/src/ sudo git clone https://github.com/misp/misp-modules.git cd misp-modules sudo pip3 install upgrade -r REQUIREMENTS sudo pip3 install upgrade. sudo vi /etc/rc.local, add this line: sudo -u www-data misp-modules -s & 5 of 32

MISP modules - Simple REST API mechanism http://127.0.0.1:6666/modules - introspection interface to get all modules available returns a JSON with a description of each module http://127.0.0.1:6666/query - interface to query a specific module to send a JSON to query the module MISP autodiscovers the available modules and the MISP site administrator can enable modules as they wish. If a configuration is required for a module, MISP adds automatically the option in the server settings. 6 of 32

Finding available MISP modules curl -s http://127.0.0.1:6666/modules 1 { 2 " type ": " expansion ", 3 " name ": " dns ", 4 " meta ": { 5 " module - type ": [ 6 " expansion ", 7 " hover " 8 ], 9 " description ": " Simple DNS expansion service to resolve IP address from MISP attributes ", 10 " author ": " Alexandre Dulaunoy ", 11 " version ": "0.1" 12 }, 13 " mispattributes ": { 14 " output ": [ 15 "ip - src ", 16 "ip - dst " 17 ], 18 " input ": [ 19 " hostname ", 20 " domain " 21 ] 22 } 7 of 32

Querying a module curl -s http://127.0.0.1:6666/query -H Content-Type: application/json data @body.json -X POST body.json 1 {" module ": " dns ", " hostname ": " www. circl.lu"} and the response of the dns module: 1 {" results ": [{" values ": ["149.13.33.14"], 2 " types ": ["ip - src ", "ip - dst "]}]} 8 of 32

MISP modules - How it s integrated in the UI? 9 of 32

MISP modules - configuration in the UI 10 of 32

MISP modules - main types of modules Expansion modules - enrich data that is in MISP Hover type - showing the expanded values directly on the attributes Expansion type - showing and adding the expanded values via a proposal form Import modules - import new data into MISP Export modules - export existing data from MISP 11 of 32

Creating your Expansion module (Skeleton) import import j s o n dns. r e s o l v e r m i s p e r r o r s = { e r r o r : E r r o r } m i s p a t t r i b u t e s = { i n p u t : [ ], output : [ ] } m o d u l e i n f o = { v e r s i o n :, a u t h o r :, d e s c r i p t i o n :, module type : [ ] } 12 of 32 def h a n d l e r ( q=f a l s e ) : i f q i s F a l s e : return F a l s e r e q u e s t = j s o n. l o a d s ( q ) r = { r e s u l t s : [ { t y p e s : [ ], v a l u e s : [ ] } ] } return r def i n t r o s p e c t i o n ( ) : return m i s p a t t r i b u t e s def v e r s i o n ( ) : return m o d u l e i n f o

Creating your Expansion module (metadata 1) m i s p e r r o r s = { e r r o r : E r r o r } m i s p a t t r i b u t e s = { i n p u t : [ hostname, domain ], output : [ ip s r c, ip d s t ] } m o d u l e i n f o = { v e r s i o n :, a u t h o r :, d e s c r i p t i o n :, module type : [ ] } 13 of 32

Creating your Expansion module (metadata 2) m i s p e r r o r s = { e r r o r : E r r o r } m i s p a t t r i b u t e s = { i n p u t : [ hostname, domain ], output : [ ip s r c, ip d s t ] } m o d u l e i n f o = { v e r s i o n : 0. 1, a u t h o r : A l e x a n d r e Dulaunoy, d e s c r i p t i o n : Simple DNS e x p a n s i o n s e r v i c e to r e s o l v e IP a d d r e s s from MISP a t t r i b u t e s, module type : [ e x p a n s i o n, hover ] } 14 of 32

Creating your Expansion module (handler 1) def h a n d l e r ( q=f a l s e ) : i f q i s F a l s e : return F a l s e r e q u e s t = j s o n. l o a d s ( q ) # MAGIC # MORE MAGIC r = { r e s u l t s : [ { t y p e s : o u t p u t t y p e s, v a l u e s : v a l u e s }, { t y p e s : o u t p u t t y p e s 2, v a l u e s : v a l u e s 2 } ] } return r 15 of 32

Creating your Expansion module (handler 2) i f r e q u e s t. get ( hostname ) : toquery = request [ hostname ] e l i f r e q u e s t. get ( domain ) : t o q u e r y = r e q u e s t [ domain ] e l s e : return F a l s e r = dns. r e s o l v e r. R e s o l v e r ( ) r. timeout = 2 r. l i f e t i m e = 2 r. n a m e s e r v e r s = [ 8. 8. 8. 8 ] t r y : answer = r. query ( toquery, A ) except dns. r e s o l v e r.nxdomain: m i s pe r r o rs [ e r r o r ] = NXDOMAIN return m i s p e r r o r s except dns. e x c e p t i o n. Timeout : m i s pe r r o rs [ e r r o r ] = Timeout return m i s p e r r o r s except : m i s p e r r o r s [ e r r o r ] = DNS r e s o l v i n g e r r o r return m i s p e r r o r s r = { r e s u l t s : [ { t y p e s : m i s p a t t r i b u t e s [ output ], v a l u e s : [ s t r ( answer [ 0 ] ) ] } ] } return r 16 of 32

Creating your module - finished DNS module import j s o n import dns. r e s o l v e r m i s p e r r o r s = { e r r o r : E r r o r } m i s p a t t r i b u t e s = { i n p u t : [ hostname, domain ], output : [ ip s r c, ip d s t ] } m o d u l e i n f o = { v e r s i o n : 0. 1, a u t h o r : A l e x a n d r e Dulaunoy, d e s c r i p t i o n : Simple DNS expansion s e r v i c e to r e s o l v e IP address from MISP a t t r i b u t e s, module type : [ expansion, hover ] } def handler ( q=false ) : i f q i s False : return F a l s e r e q u e s t = j s o n. l o a d s (q) i f request. get ( hostname ) : toquery = request [ hostname ] e l i f r e q u e s t. get ( domain ) : toquery = r e q u e s t [ domain ] e l s e : return F a l s e r = dns. r e s o l v e r. R e s o l v e r ( ) r. timeout = 2 r. l i f e t i m e = 2 r. n a m e s e r v e r s = [ 8. 8. 8. 8 ] t r y : answer = r. query ( toquery, A ) except dns. r e s o l v e r.nxdomain: m i s pe r r o rs [ e r r o r ] = NXDOMAIN return m i s p e r r o r s except dns. e x c e p t i o n. Timeout : m i s pe r r o rs [ e r r o r ] = Timeout return m i s p e r r o r s except : m i s pe r r o rs [ e r r o r ] = DNS r e s o l v i n g e r r o r return m i s p e r r o r s r = { r e s u l t s : [ { t y p e s : m i s p a t t r i b u t e s [ output ], v a l u e s : [ s t r ( answer [ 0 ] ) ] } ] } return r def introspection ( ) : return m i s p a t t r i b u t e s def v e r s i o n ( ) : return m o d u l e i n f o 17 of 32

Testing your module Copy your module dns.py in modules/expansion/ Restart the server misp-modules.py [ adulau : / git /misp modules / bin ] $ python3 misp modules. py 2016 03 20 19:25:43, 74 8 misp modules INFO MISP modules p a s s i v e t o t a l imported 2016 03 20 19:25:43, 78 7 misp modules INFO MISP modules s o u r c e c a c h e imported 2016 03 20 19:25:43, 78 9 misp modules INFO MISP modules cve imported 2016 03 20 19:25:43, 79 0 misp modules INFO MISP modules dns imported 2016 03 20 19:25:43, 79 7 misp modules INFO MISP modules s e r v e r s t a r t e d on TCP p o r t 6666 Check if your module is present in the introspection curl -s http://127.0.0.1:6666/modules If yes, test it directly with MISP or via curl 18 of 32

Code samples (Configuration) # C o n f i g u r a t i o n at the top moduleconfig = [ username, password ] # Code b l o c k i n the h a n d l e r i f r e q u e s t. get ( c o n f i g ) : i f ( r e q u e s t [ c o n f i g ]. get ( username ) i s None ) or ( r e q u e s t [ c o n f i g ]. get ( password ) i s None ) : m i sp e r r or s [ e r r o r ] = CIRCL Passive SSL a u t h e n t i c a t i o n i s missing return m i s p e r r o r s x = p y p s s l. PyPSSL ( b a s i c a u t h =( r e q u e s t [ c o n f i g ] [ username ], r e q u e s t [ c o n f i g ] [ password ] ) ) 19 of 32

Default expansion module set asn history CIRCL Passive DNS CIRCL Passive SSL Country code lookup CVE information expansion DNS resolver eupi (checking url in phishing database) IntelMQ (experimental) ipasn PassiveTotal - http://blog.passivetotal.org/misp-sharing-done-differently sourcecache Virustotal Whois 20 of 32

Import modules Similar to expansion modules Input is a file upload or a text paste Output is a list of parsed attributes to be editend and verified by the user System is still new but some modules already exist OCR module Simple STIX import module Many ideas for future modules (OpenIOC import, connector to sandboxes, STIX 2.0, etc) 21 of 32

Creating your Import module (Skeleton) import j s o n m i s p e r r o r s = { e r r o r : E r r o r } u s e r C o n f i g = { number1 : { type : I n t e g e r, r e g e x : /ˆ[0 4] $/ i, errormessage : Expected a number in range [0 4], message : Column number used f o r value } } ; i n p u t S o u r c e = [ f i l e, p a s t e ] m o d u l e i n f o = { v e r s i o n :, a u t h o r :, d e s c r i p t i o n :, module type : [ import ] } m o d u l e c o n f i g =[] def handler (q=false ) : i f q is False : return F a l s e r e q u e s t = j s o n. l o a d s (q) r e q u e s t [ data ] = base64. b64decode ( r e q u e s t [ data ] ) r = { r e s u l t s : [ { c a t e g o r i e s : [ ], t y p e s : [ ], v a l u e s : [ ] } ] } return r def introspection ( ) : return { userconfig : userconfig, inputsource : inputsource, moduleconfig : moduleconfig } def v e r s i o n ( ) : return m o d u l e i n f o 22 of 32

Creating your import module (userconfig and inputsource) u s e r C o n f i g = { number1 : { type : I n t e g e r, r e g e x : /ˆ[0 4] $/ i, errormessage : Expected a number i n range [0 4], message : Column number used f o r v a l u e } } ; i n p u t S o u r c e = [ f i l e, p a s t e ] 23 of 32

Creating your import module (Handler) def handler ( q=false ) : i f q i s F a l s e : return F a l s e r e q u e s t = j s o n. l o a d s ( q ) r e q u e s t [ data ] = base64. b64decode ( r e q u e s t [ data ] ) r = { r e s u l t s : [ { c a t e g o r i e s : [ ], t y p e s : [ ], v a l u e s : [ ] } ] } return r 24 of 32

Creating your import module (Introspection) 25 of 32 def i n t r o s p e c t i o n ( ) : modulesetup = {} t r y : u s e r C o n f i g modulesetup [ u s e r C o n f i g ] = u s e r C o n f i g except NameError : pass t r y : moduleconfig modulesetup [ moduleconfig ] = moduleconfig except NameError : pass t r y : i n p u t S o u r c e modulesetup [ i n p u t S o u r c e ] = i n p u t S o u r c e except NameError : pass return modulesetup

Export modules Input is currently only a single event Dynamic settings Later on to be expanded to event collections / attribute collections Output is a file in the export format served back to the user Export modules was recently introduced but a CEF export module already available Lots of ideas for upcoming modules 26 of 32

Creating your Export module (Skeleton) import j s o n inputsource = [ event ] o u t p u t F i l e E x t e n s i o n = t x t responsetype = application / txt m o d u l e i n f o = { v e r s i o n : 0. 1, a u t h o r : Andras I k l o d y, d e s c r i p t i o n : Skeleton export module, module type : [ e x p o r t ] } def handler ( q=false ) : i f q i s False : return F a l s e r e q u e s t = j s o n. l o a d s (q) # i n s e r t your magic here! output = my magic ( request [ data ] ) r = { data : base64. b64encode ( output. encode ( utf 8 ) ). decode ( utf 8 )} return r def introspection ( ) : return { userconfig : userconfig, inputsource : inputsource, moduleconfig : moduleconfig, outputfileextension : outputfileextension } def v e r s i o n ( ) : return m o d u l e i n f o 27 of 32

Creating your export module (settings) i n p u t S o u r c e = [ e v e n t ] o u t p u t F i l e E x t e n s i o n = t x t responsetype = a p p l i c a t i o n / t x t 28 of 32

Creating your export module (handler) def handler ( q=false ) : i f q i s F a l s e : return F a l s e r e q u e s t = j s o n. l o a d s ( q ) # i n s e r t your magic h e r e! output = my magic ( r e q u e s t [ data ] ) r = { data : base64. b64encode ( output. encode ( utf 8 ) ). decode ( utf 8 )} return r 29 of 32

Creating your export module (introspection) 30 of 32 def i n t r o s p e c t i o n ( ) : modulesetup = {} t r y : responsetype modulesetup [ responsetype ] = responsetype except NameError : pass t r y : u s e r C o n f i g modulesetup [ u s e r C o n f i g ] = u s e r C o n f i g except NameError : pass t r y : moduleconfig modulesetup [ moduleconfig ] = moduleconfig except NameError : pass t r y : o u t p u t F i l e E x t e n s i o n modulesetup [ o u t p u t F i l e E x t e n s i o n ] = o u t p u t F i l e E x t e n s i o n except NameError : pass t r y : i n p u t S o u r c e modulesetup [ i n p u t S o u r c e ] = i n p u t S o u r c e

Upcoming additions to the module system - General Expose the modules to the APIs Move the modules to background processes with a messaging system Difficulty is dealing with uncertain results on import (without the user having final say) 31 of 32

Q&A https://github.com/misp/misp-modules https://github.com/misp/ We welcome new modules and pull requests. MISP modules can be designed as standalone application. 32 of 32

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback