Extending MISP with Python modules MISP - Malware Information Sharing Platform & Threat Sharing

Similar documents
Extending MISP with Python modules MISP - Malware Information Sharing Platform & Threat Sharing

PyMISP - (ab)using MISP API with PyMISP MISP - Malware Information Sharing Platform & Threat Sharing

Deep-dive into PyMISP MISP - Malware Information Sharing Platform & Threat Sharing

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

Incident Response tactics with Compromise Indicators

MISP Training: Galaxies

IntelMQ - a KISS incident handling automation project (IHAP)

MISP Galaxy. Threat Sharing. Team CIRCL. MISP CIRCL

From BASIS DD to Barista Application in Five Easy Steps

From BASIS DD to Barista Application in Five Easy Steps

Mass Asset Additions. Overview. Effective mm/dd/yy Page 1 of 47 Rev 1. Copyright Oracle, All rights reserved.

Leveraging ArcGIS Online Elevation and Hydrology Services. Steve Kopp, Jian Lange

NV-DVR09NET NV-DVR016NET

Open Notify API. Release 0.2. Nathan Bergey

Virtual Beach Building a GBM Model

WALKUP LC/MS FOR PHARMACEUTICAL R&D

Tryton Technical Training

Administering your Enterprise Geodatabase using Python. Jill Penney

Reaxys Medicinal Chemistry Fact Sheet

Geodatabase Best Practices. Dave Crawford Erik Hoel

cve-search - a free software to collect, search and analyse common vulnerabilities and exposures in software Freedom #0 in action

Enabling ENVI. ArcGIS for Server

ArcGIS Pro Q&A Session. NWGIS Conference, October 11, 2017 With John Sharrard, Esri GIS Solutions Engineer

Collaborative WRF-based research and education enabled by software containers

Changes in Esri GIS, practical ways to be ready for the future

Databases through Python-Flask and MariaDB

Android Services. Lecture 4. Operating Systems Practical. 26 October 2016

Troubleshooting Replication and Geodata Services. Liz Parrish & Ben Lin

IMS4 ARWIS. Airport Runway Weather Information System. Real-time data, forecasts and early warnings

Exelis and Esri Technologies for Defense and National Security. Cherie Muleh

Yes, the Library will be accessible via the new PULSE and the existing desktop version of PULSE.

new interface and features

epistasis Documentation

Configuring LDAP Authentication in iway Service Manager

Skyward. Requirements Specification Report. 12/7/2016 Version: 1.1. Team Name: Team Members: Sponsors: Mentor: Skyward

MySQL Attack Mitigation Using Deception Technology

An easy-to-use application that lets end users prepare and deploy background maps to your Carmenta based applications.

TECDIS and TELchart ECS Weather Overlay Guide

Frequently Asked Questions

The impacts of Open Government initiatives on SDIs

Account Setup. STEP 1: Create Enhanced View Account

Appendix 4 Weather. Weather Providers

Data Structures & Database Queries in GIS

Managing Imagery and Raster Data Using Mosaic Datasets

Converting workflows from ArcSDE Command line in ArcGIS 10.3.x

Socket Programming. Daniel Zappala. CS 360 Internet Programming Brigham Young University

Web GIS Deployment for Administrators. Vanessa Ramirez Solution Engineer, Natural Resources, Esri

ArcGIS 9 ArcGIS StreetMap Tutorial

The Application of 3D Web GIS In Land Administration - 3D Building Model System

Creating Questions in Word Importing Exporting Respondus 4.0. Importing Respondus 4.0 Formatting Questions

ArcGIS GeoAnalytics Server: An Introduction. Sarah Ambrose and Ravi Narayanan

Bentley Map V8i (SELECTseries 3)

Scripting Languages Fast development, extensible programs

ST-Links. SpatialKit. Version 3.0.x. For ArcMap. ArcMap Extension for Directly Connecting to Spatial Databases. ST-Links Corporation.

TDDD63 Project: API. September 13, 2014

git Tutorial Nicola Chiapolini Physik-Institut University of Zurich March 16, 2015

What s New. August 2013

The integration of land change modeling framework FUTURES into GRASS GIS 7

GIS Functions and Integration. Tyler Pauley Associate Consultant

New SPOT Program. Customer Tutorial. Tim Barry Fire Weather Program Leader National Weather Service Tallahassee

Replication cluster on MariaDB 5.5 / ubuntu-server. Mark Schneider ms(at)it-infrastrukturen(dot)org

A Model of GIS Interoperability Based on JavaRMI

Time Series Analysis with SAR & Optical Satellite Data

Bloomsburg University Weather Viewer Quick Start Guide. Software Version 1.2 Date 4/7/2014

Collaborative Forecasts Implementation Guide

Cloud-based WRF Downscaling Simulations at Scale using Community Reanalysis and Climate Datasets

Non- browser TLS Woes

Introduction to Portal for ArcGIS. Hao LEE November 12, 2015

CHEMICAL INVENTORY ENTRY GUIDE

Arboretum Explorer: Using GIS to map the Arnold Arboretum

SimpleDreamEQ2. Upgrade kit equatorial mounts Synta EQ2, Celestron CG3. User guide. Micro GoTo system. Micro GoTo system

Python. Tutorial. Jan Pöschko. March 22, Graz University of Technology

Gridded Ambient Air Pollutant Concentrations for Southern California, User Notes authored by Beau MacDonald, 11/28/2017

Geodatabase Programming with Python John Yaist

Lab Manual for ICEN 553/453 Cyber-Physical Systems Fall 2018

git Tutorial Nicola Chiapolini Physik-Institut University of Zurich June 8, 2015

Geo-enabling a Transactional Real Estate Management System A case study from the Minnesota Dept. of Transportation

Esri WebGIS Highlights of What s New, and the Road Ahead

git Tutorial Nicola Chiapolini Physik-Institut University of Zurich January 26, 2015

Introduction to Portal for ArcGIS

Bentley Geospatial update

IndiFrag v2.1: An Object-based Fragmentation Analysis Software Tool

Introduction to Google Mapping Tools

Senior astrophysics Lab 2: Evolution of a 1 M star

Geodatabase Programming with Python

Animating Maps: Visual Analytics meets Geoweb 2.0

Collaborative Forecasts Implementation Guide

Outline. What is MapPlace? MapPlace Toolbar & PopUp Menu. Geology Themes 1:5M 1:1M BCGS 1:250,000. Terranes

Leveraging Web GIS: An Introduction to the ArcGIS portal

Watershed Modeling Orange County Hydrology Using GIS Data

GPS Mapping with Esri s Collector App. What We ll Cover

Citrine Informatics. Experimental design, PIF details, and data workshop. Chris Borg 26 February Citrine Informatics

GRASS GIS Development APIs

Using netcdf and HDF in ArcGIS. Nawajish Noman Dan Zimble Kevin Sigwart

Discovery and Access of Geospatial Resources using the Geoportal Extension. Marten Hogeweg Geoportal Extension Product Manager

Portal for ArcGIS: An Introduction

Outline. The European Commission s science and knowledge service. Introduction Rationale

Monte Python. the way back from cosmology to Fundamental Physics. Miguel Zumalacárregui. Nordic Institute for Theoretical Physics and UC Berkeley

Transcription:

Extending MISP with Python modules MISP - Malware Information Sharing Platform & Threat Sharing Alexandre Dulaunoy Andras Iklody TLP:WHITE June 16, 2016

Why we want to go more modular... Ways to extend MISP before modules APIs (PyMISP, MISP API) Works really well No integration with the UI Change the core code Have to change the core of MISP, diverge from upstream Needs a deep understanding of MISP internals Let s not beat around the bush: Everyone hates PHP 2 of 23

Goals for the module system Have a way to extend MISP without altering the core Get started quickly without a need to study the internals Make the modules as light weight as possible Module developers should only have to worry about the data transformation Modules should have a simple and clean skeleton In a friendlier language - Python 3 of 23

MISP modules - extending MISP with Python scripts Extending MISP with expansion modules with zero customization in MISP. A simple ReST API between the modules and MISP allowing auto-discovery of new modules with their features. Benefit from existing Python modules in Viper or any other tools. MISP modules functionnality introduced in MISP 2.4.28. 4 of 23

MISP modules - installation MISP modules can be run on the same system or on a remote server. Python 3 is required to run MISP modules. git clone git@github.com:misp/misp-modules.git cd misp-modules pip3 install -r REQUIREMENTS cd bin python3 misp-modules.py 5 of 23

MISP modules - Simple REST API mechanism http://127.0.0.1:6666/modules - introspection interface to get all modules available returns a JSON with a description of each module http://127.0.0.1:6666/query - interface to query a specific module to send a JSON to query the module MISP autodiscovers the available modules and the MISP site administrator can enable modules as they wish. If a configuration is required for a module, MISP adds automatically the option in the server settings. 6 of 23

Finding available MISP modules curl -s http://127.0.0.1:6666/modules 1 { 2 " type ": " expansion ", 3 " name ": " dns ", 4 " meta ": { 5 " module - type ": [ 6 " expansion ", 7 " hover " 8 ], 9 " description ": " Simple DNS expansion service to resolve IP address from MISP attributes ", 10 " author ": " Alexandre Dulaunoy ", 11 " version ": "0.1" 12 }, 13 " mispattributes ": { 14 " output ": [ 15 "ip - src ", 16 "ip - dst " 17 ], 18 " input ": [ 19 " hostname ", 20 " domain " 21 ] 22 } 7 of 23

Querying a module curl -s http://127.0.0.1:6666/query -H Content-Type: application/json data @body.json -X POST body.json 1 {" module ": " dns ", " hostname ": " www. circl.lu"} and the response of the dns module: 1 {" results ": [{" values ": ["149.13.33.14"], 2 " types ": ["ip - src ", "ip - dst "]}]} 8 of 23

MISP modules - How it s integrated in the UI? 9 of 23

MISP modules - configuration in the UI 10 of 23

Creating your module (Skeleton) import import j s o n dns. r e s o l v e r m i s p e r r o r s = { e r r o r : E r r o r } m i s p a t t r i b u t e s = { i n p u t : [ ], output : [ ] } m o d u l e i n f o = { v e r s i o n :, a u t h o r :, d e s c r i p t i o n :, module type : [ ] } 11 of 23 def h a n d l e r ( q=f a l s e ) : i f q i s F a l s e : return F a l s e r e q u e s t = j s o n. l o a d s ( q ) r = { r e s u l t s : [ { t y p e s : [ ], v a l u e s : [ ] } ] } return r def i n t r o s p e c t i o n ( ) : return m i s p a t t r i b u t e s def v e r s i o n ( ) : return m o d u l e i n f o

Creating your module (metadata 1) m i s p e r r o r s = { e r r o r : E r r o r } m i s p a t t r i b u t e s = { i n p u t : [ hostname, domain ], output : [ ip s r c, ip d s t ] } m o d u l e i n f o = { v e r s i o n :, a u t h o r :, d e s c r i p t i o n :, module type : [ ] } 12 of 23

Creating your module (metadata 2) m i s p e r r o r s = { e r r o r : E r r o r } m i s p a t t r i b u t e s = { i n p u t : [ hostname, domain ], output : [ ip s r c, ip d s t ] } m o d u l e i n f o = { v e r s i o n : 0. 1, a u t h o r : A l e x a n d r e Dulaunoy, d e s c r i p t i o n : Simple DNS e x p a n s i o n s e r v i c e to r e s o l v e IP a d d r e s s from MISP a t t r i b u t e s, module type : [ e x p a n s i o n, hover ] } 13 of 23

Creating your module (handler 1) def h a n d l e r ( q=f a l s e ) : i f q i s F a l s e : return F a l s e r e q u e s t = j s o n. l o a d s ( q ) # MAGIC # MORE MAGIC r = { r e s u l t s : [ { t y p e s : o u t p u t t y p e s, v a l u e s : v a l u e s }, { t y p e s : o u t p u t t y p e s 2, v a l u e s : v a l u e s 2 } ] } return r 14 of 23

Creating your module (handler 2) i f r e q u e s t. get ( hostname ) : toquery = request [ hostname ] e l i f r e q u e s t. get ( domain ) : t o q u e r y = r e q u e s t [ domain ] e l s e : return F a l s e r = dns. r e s o l v e r. R e s o l v e r ( ) r. timeout = 2 r. l i f e t i m e = 2 r. n a m e s e r v e r s = [ 8. 8. 8. 8 ] t r y : answer = r. query ( toquery, A ) except dns. r e s o l v e r.nxdomain: m i s pe r r o rs [ e r r o r ] = NXDOMAIN return m i s p e r r o r s except dns. e x c e p t i o n. Timeout : m i s pe r r o rs [ e r r o r ] = Timeout return m i s p e r r o r s except : m i s p e r r o r s [ e r r o r ] = DNS r e s o l v i n g e r r o r return m i s p e r r o r s r = { r e s u l t s : [ { t y p e s : m i s p a t t r i b u t e s [ output ], v a l u e s : [ s t r ( answer [ 0 ] ) ] } ] } return r 15 of 23

Creating your module - finished DNS module import j s o n import dns. r e s o l v e r m i s p e r r o r s = { e r r o r : E r r o r } m i s p a t t r i b u t e s = { i n p u t : [ hostname, domain ], output : [ ip s r c, ip d s t ] } m o d u l e i n f o = { v e r s i o n : 0. 1, a u t h o r : A l e x a n d r e Dulaunoy, d e s c r i p t i o n : Simple DNS expansion s e r v i c e to r e s o l v e IP address from MISP a t t r i b u t e s, module type : [ expansion, hover ] } def handler ( q=false ) : i f q i s False : return F a l s e r e q u e s t = j s o n. l o a d s (q) i f request. get ( hostname ) : toquery = request [ hostname ] e l i f r e q u e s t. get ( domain ) : toquery = r e q u e s t [ domain ] e l s e : return F a l s e r = dns. r e s o l v e r. R e s o l v e r ( ) r. timeout = 2 r. l i f e t i m e = 2 r. n a m e s e r v e r s = [ 8. 8. 8. 8 ] t r y : answer = r. query ( toquery, A ) except dns. r e s o l v e r.nxdomain: m i s pe r r o rs [ e r r o r ] = NXDOMAIN return m i s p e r r o r s except dns. e x c e p t i o n. Timeout : m i s pe r r o rs [ e r r o r ] = Timeout return m i s p e r r o r s except : m i s pe r r o rs [ e r r o r ] = DNS r e s o l v i n g e r r o r return m i s p e r r o r s r = { r e s u l t s : [ { t y p e s : m i s p a t t r i b u t e s [ output ], v a l u e s : [ s t r ( answer [ 0 ] ) ] } ] } return r def introspection ( ) : return m i s p a t t r i b u t e s def v e r s i o n ( ) : return m o d u l e i n f o 16 of 23

Testing your module Copy your module dns.py in modules/expansion/ Restart the server misp-modules.py [ adulau : / git /misp modules / bin ] $ python3 misp modules. py 2016 03 20 19:25:43, 74 8 misp modules INFO MISP modules p a s s i v e t o t a l imported 2016 03 20 19:25:43, 78 7 misp modules INFO MISP modules s o u r c e c a c h e imported 2016 03 20 19:25:43, 78 9 misp modules INFO MISP modules cve imported 2016 03 20 19:25:43, 79 0 misp modules INFO MISP modules dns imported 2016 03 20 19:25:43, 79 7 misp modules INFO MISP modules s e r v e r s t a r t e d on TCP p o r t 6666 Check if your module is present in the introspection curl -s http://127.0.0.1:6666/modules If yes, test it directly with MISP or via curl 17 of 23

Code samples (Configuration) # C o n f i g u r a t i o n at the top moduleconfig = [ username, password ] # Code b l o c k i n the h a n d l e r i f r e q u e s t. get ( c o n f i g ) : i f ( r e q u e s t [ c o n f i g ]. get ( username ) i s None ) or ( r e q u e s t [ c o n f i g ]. get ( password ) i s None ) : m i sp e r r or s [ e r r o r ] = CIRCL Passive SSL a u t h e n t i c a t i o n i s missing return m i s p e r r o r s x = p y p s s l. PyPSSL ( b a s i c a u t h =( r e q u e s t [ c o n f i g ] [ username ], r e q u e s t [ c o n f i g ] [ password ] ) ) 18 of 23

Default module set asn history CIRCL PassiveDNS CIRCL PassiveSSL CVE DNS eupi IntelMQ (experimental) ipasn PassiveTotal - http://blog.passivetotal.org/misp-sharing-done-differently sourcecache 19 of 23

Upcoming additions to the module system - Import modules Similar to enrichment modules Input is a file upload or a text paste Output is a list of parsed attributes to be editend and verified by the user Some ideas for modules that we are looking into Reimplementing some of the current imports STIX 2.0 Import OpenIOC Import Connection to various sandboxes 20 of 23

Upcoming additions to the module system - Export modules Input initially will be an event Dynamic settings Later on to be expanded to event collections / attribute collections Output is a file in the export format served back to the user Some ideas for modules that we are looking into STIX 2.0 Export Bro export ArcSight output 21 of 23

Upcoming additions to the module system - General Expose the modules to the APIs Move the modules to background processes with a messaging system Difficulty is dealing with uncertain results on import 22 of 23

Q&A https://github.com/misp/misp-modules https://github.com/misp/ We welcome new modules and pull requests. MISP modules can be designed as standalone application. 23 of 23

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback