PyPI - misp-modules - Versions diffs - 3.0.2__tar.gz → 3.0.4__tar.gz - Mend

misp-modules 3.0.2tar.gz → 3.0.4tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (216) hide show

{misp_modules-3.0.2 → misp_modules-3.0.4}/PKG-INFO RENAMED Viewed

@@ -1,8 +1,9 @@
-Metadata-Version: 2.3
+Metadata-Version: 2.4
 Name: misp-modules
-Version: 3.0.2
+Version: 3.0.4
 Summary: MISP modules are autonomous modules that can be used for expansion and other services in MISP
-License: AGPL-3.0-only
+License-Expression: AGPL-3.0-only
+License-File: LICENSE
 Author: Alexandre Dulaunoy
 Author-email: alexandre.dulaunoy@circl.lu
 Requires-Python: >=3.9,<3.13
@@ -14,6 +15,7 @@ Classifier: Programming Language :: Python :: 3
 Classifier: Topic :: Security
 Provides-Extra: all
 Provides-Extra: minimal
+Requires-Dist: anyrun-sdk (>=1.10.10,<2.0.0)
 Requires-Dist: apiosintds ; extra == "all"
 Requires-Dist: assemblyline_client ; extra == "all"
 Requires-Dist: backscatter ; extra == "all"
@@ -156,6 +158,12 @@ In order to provide documentation about some modules that require specific input
 - **input** - description of the format of data used in input
 - **output** - description of the format given as the result of the module execution
+## OpenAPI and API explorer
+When the service is running you can discover the available endpoints in a machine-readable way via `/openapi.json`.
+An interactive Swagger UI that consumes the same specification is available at `/openapi`.
+The specification is generated during service startup, so restart `misp-modules` after adding or removing modules to refresh what those endpoints expose.
 ## Licenses
 For further Information see the [license file](https://misp.github.io/misp-modules/license/).
@@ -163,6 +171,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
 ## Expansion Modules
 * [Abuse IPDB](https://misp.github.io/misp-modules/expansion/#abuse-ipdb) - AbuseIPDB MISP expansion module
+* [ANYRUN Sandbox Submit](https://misp.github.io/misp-modules/expansion/#anyrun-sandbox-submit) - A module designed to submit URLs or files to the ANY.RUN Sandbox for analysis and return the unique analysis link and ID.
 * [OSINT DigitalSide](https://misp.github.io/misp-modules/expansion/#osint-digitalside) - On demand query API for OSINT.digitalside.it project.
 * [APIVoid](https://misp.github.io/misp-modules/expansion/#apivoid) - Module to query APIVoid with some domain attributes.
 * [AssemblyLine Query](https://misp.github.io/misp-modules/expansion/#assemblyline-query) - A module tu query the AssemblyLine API with a submission ID to get the submission report and parse it.
@@ -235,6 +244,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
 * [Qintel QSentry Lookup](https://misp.github.io/misp-modules/expansion/#qintel-qsentry-lookup) - A hover and expansion module which queries Qintel QSentry for ip reputation data
 * [QR Code Decode](https://misp.github.io/misp-modules/expansion/#qr-code-decode) - Module to decode QR codes.
 * [RandomcoinDB Lookup](https://misp.github.io/misp-modules/expansion/#randomcoindb-lookup) - Module to access the ransomcoinDB (see https://ransomcoindb.concinnity-risks.com)
+* [r7_akb](https://misp.github.io/misp-modules/expansion/#r7_akb) - Enrich CVEs via AttackerKB and return structured MISP events. Handles rate limits, regex CVE detection, and markdown cleanup.
 * [Real-time Blackhost Lists Lookup](https://misp.github.io/misp-modules/expansion/#real-time-blackhost-lists-lookup) - Module to check an IPv4 address against known RBLs.
 * [Recorded Future Enrich](https://misp.github.io/misp-modules/expansion/#recorded-future-enrich) - Module to enrich attributes with threat intelligence from Recorded Future.
 * [Reverse DNS](https://misp.github.io/misp-modules/expansion/#reverse-dns) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
@@ -292,6 +302,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
 * [YARA Rule Export](https://misp.github.io/misp-modules/export_mod/#yara-rule-export) - This module is used to export MISP events to YARA.
 ## Import Modules
+* [ANYRUN Sandbox Import](https://misp.github.io/misp-modules/import_mod/#anyrun-sandbox-import) - A module designed to retrieve an analysis report from the ANY.RUN Sandbox by its unique ID and extract results (such as verdict, malware tags, and IOCs), converting them into MISP attributes within your event.
 * [PDNS COF Importer](https://misp.github.io/misp-modules/import_mod/#pdns-cof-importer) - Passive DNS Common Output Format (COF) MISP importer
 * [CSV Import](https://misp.github.io/misp-modules/import_mod/#csv-import) - Module to import MISP attributes from a csv file.
 * [Cuckoo Sandbox Import](https://misp.github.io/misp-modules/import_mod/#cuckoo-sandbox-import) - Module to import Cuckoo JSON.
@@ -312,6 +323,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
 ## Action Modules
 * [Mattermost](https://misp.github.io/misp-modules/action_mod/#mattermost) - Simplistic module to send message to a Mattermost channel.
+* [Nextcloud talk](https://misp.github.io/misp-modules/action_mod/#nextcloud-talk) - Simplistic module to send a message to a Nextcloud talk conversation.
 * [Slack](https://misp.github.io/misp-modules/action_mod/#slack) - Simplistic module to send messages to a Slack channel.
 * [Test action](https://misp.github.io/misp-modules/action_mod/#test-action) - This module is merely a test, always returning true. Triggers on event publishing.

{misp_modules-3.0.2 → misp_modules-3.0.4}/README.md RENAMED Viewed

@@ -30,6 +30,12 @@ In order to provide documentation about some modules that require specific input
 - **input** - description of the format of data used in input
 - **output** - description of the format given as the result of the module execution
+## OpenAPI and API explorer
+When the service is running you can discover the available endpoints in a machine-readable way via `/openapi.json`.
+An interactive Swagger UI that consumes the same specification is available at `/openapi`.
+The specification is generated during service startup, so restart `misp-modules` after adding or removing modules to refresh what those endpoints expose.
 ## Licenses
 For further Information see the [license file](https://misp.github.io/misp-modules/license/).
@@ -37,6 +43,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
 ## Expansion Modules
 * [Abuse IPDB](https://misp.github.io/misp-modules/expansion/#abuse-ipdb) - AbuseIPDB MISP expansion module
+* [ANYRUN Sandbox Submit](https://misp.github.io/misp-modules/expansion/#anyrun-sandbox-submit) - A module designed to submit URLs or files to the ANY.RUN Sandbox for analysis and return the unique analysis link and ID.
 * [OSINT DigitalSide](https://misp.github.io/misp-modules/expansion/#osint-digitalside) - On demand query API for OSINT.digitalside.it project.
 * [APIVoid](https://misp.github.io/misp-modules/expansion/#apivoid) - Module to query APIVoid with some domain attributes.
 * [AssemblyLine Query](https://misp.github.io/misp-modules/expansion/#assemblyline-query) - A module tu query the AssemblyLine API with a submission ID to get the submission report and parse it.
@@ -109,6 +116,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
 * [Qintel QSentry Lookup](https://misp.github.io/misp-modules/expansion/#qintel-qsentry-lookup) - A hover and expansion module which queries Qintel QSentry for ip reputation data
 * [QR Code Decode](https://misp.github.io/misp-modules/expansion/#qr-code-decode) - Module to decode QR codes.
 * [RandomcoinDB Lookup](https://misp.github.io/misp-modules/expansion/#randomcoindb-lookup) - Module to access the ransomcoinDB (see https://ransomcoindb.concinnity-risks.com)
+* [r7_akb](https://misp.github.io/misp-modules/expansion/#r7_akb) - Enrich CVEs via AttackerKB and return structured MISP events. Handles rate limits, regex CVE detection, and markdown cleanup.
 * [Real-time Blackhost Lists Lookup](https://misp.github.io/misp-modules/expansion/#real-time-blackhost-lists-lookup) - Module to check an IPv4 address against known RBLs.
 * [Recorded Future Enrich](https://misp.github.io/misp-modules/expansion/#recorded-future-enrich) - Module to enrich attributes with threat intelligence from Recorded Future.
 * [Reverse DNS](https://misp.github.io/misp-modules/expansion/#reverse-dns) - Simple Reverse DNS expansion service to resolve reverse DNS from MISP attributes.
@@ -166,6 +174,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
 * [YARA Rule Export](https://misp.github.io/misp-modules/export_mod/#yara-rule-export) - This module is used to export MISP events to YARA.
 ## Import Modules
+* [ANYRUN Sandbox Import](https://misp.github.io/misp-modules/import_mod/#anyrun-sandbox-import) - A module designed to retrieve an analysis report from the ANY.RUN Sandbox by its unique ID and extract results (such as verdict, malware tags, and IOCs), converting them into MISP attributes within your event.
 * [PDNS COF Importer](https://misp.github.io/misp-modules/import_mod/#pdns-cof-importer) - Passive DNS Common Output Format (COF) MISP importer
 * [CSV Import](https://misp.github.io/misp-modules/import_mod/#csv-import) - Module to import MISP attributes from a csv file.
 * [Cuckoo Sandbox Import](https://misp.github.io/misp-modules/import_mod/#cuckoo-sandbox-import) - Module to import Cuckoo JSON.
@@ -186,6 +195,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
 ## Action Modules
 * [Mattermost](https://misp.github.io/misp-modules/action_mod/#mattermost) - Simplistic module to send message to a Mattermost channel.
+* [Nextcloud talk](https://misp.github.io/misp-modules/action_mod/#nextcloud-talk) - Simplistic module to send a message to a Nextcloud talk conversation.
 * [Slack](https://misp.github.io/misp-modules/action_mod/#slack) - Simplistic module to send messages to a Slack channel.
 * [Test action](https://misp.github.io/misp-modules/action_mod/#test-action) - This module is merely a test, always returning true. Triggers on event publishing.

{misp_modules-3.0.2 → misp_modules-3.0.4}/misp_modules/__init__.py RENAMED Viewed

@@ -58,6 +58,8 @@ def is_valid_module(module: importlib.abc.Traversable) -> bool:
         return False
     if module.name == "__init__.py":
         return False
+    if module.name.startswith("_"):
+        return False
     if not module.name.endswith(".py"):
         return False
     return True

{misp_modules-3.0.2 → misp_modules-3.0.4}/misp_modules/__main__.py RENAMED Viewed

@@ -41,14 +41,46 @@ from tornado import concurrent as tornado_concurrent
 from tornado import ioloop
 import misp_modules
+from misp_modules import openapi as openapi_builder
 # See https://github.com/MISP/misp-modules/issues/662
 MAX_BUFFER_SIZE = 1073741824
 # Global variables
 MODULES_HANDLERS = {}
+OPENAPI_DOCUMENT = {}
 LOGGER = logging.getLogger("misp-modules")
+SWAGGER_UI_TEMPLATE = (
+    "<!DOCTYPE html>\n"
+    "<html lang='en'>\n"
+    "<head>\n"
+    "  <meta charset='utf-8' />\n"
+    "  <title>MISP Modules API Explorer</title>\n"
+    "  <link rel='stylesheet' href='https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui.css' />\n"
+    "</head>\n"
+    "<body>\n"
+    "  <div id='swagger-ui'></div>\n"
+    "  <script src='https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui-bundle.min.js'></script>\n"
+    "  <script src='https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui-standalone-preset.js'></script>\n"
+    "  <script>\n"
+    "    window.addEventListener('load', function() {\n"
+    "      const ui = SwaggerUIBundle({\n"
+    "        url: '__SPEC_URL__',\n"
+    "        dom_id: '#swagger-ui',\n"
+    "        presets: [\n"
+    "          SwaggerUIBundle.presets.apis,\n"
+    "          SwaggerUIStandalonePreset\n"
+    "        ],\n"
+    "        layout: 'StandaloneLayout'\n"
+    "      });\n"
+    "      window.ui = ui;\n"
+    "    });\n"
+    "  </script>\n"
+    "</body>\n"
+    "</html>\n"
+)
 # Module that, if present, guarantees that the extra 'all' has been installed
 DEGRADED_SENTINEL_MODULE = "yara"
 DEGRADED_MESSAGE = [
@@ -132,6 +164,30 @@ class HealthCheck(tornado.web.RequestHandler):
         self.write(orjson.dumps({"status": True}))
+class OpenAPISpec(tornado.web.RequestHandler):
+    """OpenAPI specification handler."""
+    def get(self):
+        LOGGER.debug("OpenAPI spec request")
+        if not OPENAPI_DOCUMENT:
+            self.send_error(503)
+            return
+        self.set_header("Content-Type", "application/json")
+        self.write(orjson.dumps(OPENAPI_DOCUMENT))
+class SwaggerUI(tornado.web.RequestHandler):
+    """Swagger UI explorer handler."""
+    def get(self):
+        LOGGER.debug("Swagger UI request")
+        if not OPENAPI_DOCUMENT:
+            self.send_error(503)
+            return
+        self.set_header("Content-Type", "text/html; charset=utf-8")
+        self.write(SWAGGER_UI_TEMPLATE.replace('__SPEC_URL__', '/openapi.json'))
 class ListModules(tornado.web.RequestHandler):
     """ListModules handler."""
@@ -197,7 +253,7 @@ class QueryModule(tornado.web.RequestHandler):
 def main():
     """Init function."""
-    global MODULES_HANDLERS
+    global MODULES_HANDLERS  # noqa: F824
     signal.signal(signal.SIGINT, handle_signal)
     signal.signal(signal.SIGTERM, handle_signal)
@@ -249,6 +305,17 @@ def main():
             MODULES_HANDLERS[f"type:{module_name}"] = module_type.name
             LOGGER.info("CUSTOM MISP module %s (type=%s) imported", module_name, module_type.name)
+    global OPENAPI_DOCUMENT  # noqa: PLW0603
+    try:
+        OPENAPI_DOCUMENT = openapi_builder.build_document(
+            MODULES_HANDLERS,
+            listen=args.listen,
+            port=args.port,
+        )
+    except Exception:
+        LOGGER.exception("Failed to build OpenAPI document; continuing without it")
+        OPENAPI_DOCUMENT = {}
     try:
         server = tornado.httpserver.HTTPServer(
             tornado.web.Application(
@@ -257,6 +324,8 @@ def main():
                     (r"/query", QueryModule),
                     (r"/healthcheck", HealthCheck),
                     (r"/version", VersionCheck),
+                    (r"/openapi.json", OpenAPISpec),
+                    (r"/openapi", SwaggerUI),
                 ]
             ),
             max_buffer_size=MAX_BUFFER_SIZE,

misp_modules-3.0.4/misp_modules/lib/anyrun_sandbox/config.py ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ class Config:
2	+ INTEGRATION: str = 'MISP:0.1'

misp_modules-3.0.4/misp_modules/lib/anyrun_sandbox/parser.py ADDED Viewed

@@ -0,0 +1,147 @@
+import json
+from http import HTTPStatus
+from pymisp import MISPEvent, MISPObject
+from anyrun import RunTimeException
+from anyrun.connectors.sandbox.operation_systems import WindowsConnector, LinuxConnector, AndroidConnector
+class AnyRunParser:
+    """
+    Implements functionality for parsing ANY.RUN Sandbox reports into MISP objects and attributes
+    """
+    def __init__(
+        self,
+        config: dict[str, str],
+        analysis_uuid: str,
+        connector: WindowsConnector | LinuxConnector | AndroidConnector
+    ) -> None:
+        self._event = MISPEvent()
+        self._connector = connector
+        self._analysis_uuid = analysis_uuid
+        self._config = config
+    def generate_results(self) -> dict[str, dict]:
+        """
+        Enriches the results dictionary with ANY.RUN report objects
+        :return: MISP results dictionary
+        """
+        self._check_analysis_completion()
+        summary = self._connector.get_analysis_report(self._analysis_uuid)
+        self._add_report()
+        if self._check_option("IOCs"):
+            self._add_indicators()
+        if self._check_option("Tags"):
+            self._add_tags(summary)
+        if self._check_option("MITRE"):
+            self._add_mitre_galaxies(summary)
+        results = json.loads(self._event.to_json())
+        return {
+            "results": {
+                key: results[key]
+                for key in ("Attribute", "Object", "Tag")
+                if (key in results and results[key])
+            }
+        }
+    def _check_analysis_completion(self) -> None:
+        """
+        Checks if ANY.RUN Sandbox analysis is completed
+        :raises RunTimeException: If analysis is not completed
+        """
+        status = self._connector.get_analysis_report(self._analysis_uuid).get("data").get("status")
+        if status != "done":
+            raise RunTimeException(
+                f"Analysis is running. Please, wait a few minutes to request a report",
+                HTTPStatus.BAD_REQUEST
+            )
+    def _add_indicators(self) -> None:
+        """
+        Converts ANY.RUN indicators to the MISP attributes
+        """
+        if iocs := self._connector.get_analysis_report(self._analysis_uuid, report_format="ioc"):
+            for ioc in iocs:
+                if ioc.get("type") in ("domain", "ip", "sha256") and ioc.get("reputation") in (1, 2):
+                    ioc_type = ioc.get("type")
+                    ioc_reputation = {1: "Suspicious", 2: "Malicious"}.get(ioc.get("reputation"))
+                    attribute = self._event.add_attribute(
+                        type=ioc_type if ioc_type in ("domain", "sha256") else "ip-dst",
+                        value=ioc.get("ioc"),
+                        categories="Network activity" if ioc_type in ("ip", "domain") else "Payload delivery",
+                        comment=f"{ioc_reputation} IoC from https://app.any.run/tasks/{self._analysis_uuid}."
+                    )
+                    attribute.add_tag("ANY.RUN Sandbox")
+    def _add_tags(self, summary: dict) -> None:
+        """
+        Converts ANY.RUN analysis tags to the MISP tags
+        :param summary: ANY.RUN Sandbox report
+        """
+        self._event.add_tag("ANY.RUN Sandbox")
+        if tags := summary.get("data").get("analysis").get("tags"):
+            for tag in tags:
+                self._event.add_tag(tag.get("tag"))
+    def _add_mitre_galaxies(self, summary: dict) -> None:
+        """
+        Converts ANY.RUN analysis mitre techniques to the MISP Galaxies
+        :param summary: ANY.RUN Sandbox report
+        """
+        if mitre_techniques := summary.get("data").get("mitre"):
+            for entry in mitre_techniques:
+                if entry:
+                    mitre_name = entry.get("name")
+                    mitre_id = entry.get("id")
+                    self._event.add_tag(f'misp-galaxy:mitre-attack-pattern="{mitre_name} - {mitre_id}"')
+    def _add_report(self) -> None:
+        """
+        Converts ANY.RUN analysis HTML report and external references to the MISP attributes
+        :return:
+        """
+        report = self._connector.get_analysis_report(self._analysis_uuid, report_format="html")
+        self._event.add_attribute(
+            type="text",
+            value=f"ANY.RUN Sandbox verdict: {self._connector.get_analysis_verdict(self._analysis_uuid)}",
+            categories="Other",
+            comment="ANYRUN Sandbox Analysis verdict."
+        )
+        self._event.add_attribute(
+            type="link",
+            value=f"https://app.any.run/tasks/{self._analysis_uuid}",
+            categories="External analysis",
+            comment="ANYRUN Sandbox Analysis report."
+        )
+        self._event.add_attribute(
+            type="attachment",
+            value="report.html",
+            data=report.encode(),
+            comment="ANYRUN Sandbox Analysis report."
+        )
+    def _check_option(self, option_name: str) -> bool:
+        """
+        Checks if option is active
+        :param option_name: Option name to check
+        :return: True if option is enabled else False
+        """
+        return bool(int(self._config.get(option_name)))

misp_modules-3.0.4/misp_modules/lib/anyrun_sandbox/submitter.py ADDED Viewed

@@ -0,0 +1,164 @@
+import io
+import base64
+import zipfile
+from anyrun import RunTimeException
+from anyrun.connectors import SandboxConnector
+from anyrun.connectors.sandbox.operation_systems import WindowsConnector, LinuxConnector, AndroidConnector
+from anyrun_sandbox.config import Config
+class AnyRunSubmitter:
+    """
+    Implements functionality for sending MISP entities to the ANY.RUN sandbox
+    """
+    def __init__(self, request: dict) -> None:
+        self._request = request
+        self._config: dict = request.get("config")
+    def submit(self) -> str:
+        """
+        Configures ANY.RUN Sandbox environment and executes the analysis
+        :return: ANY.RUN Sandbox analysis uuid
+        """
+        self._parse_config()
+        self._sanitize_config()
+        if self._os_type == "windows":
+            with SandboxConnector.windows(self._token, Config.INTEGRATION) as connector:
+                analysis_uuid = self._process_analysis(connector)
+        elif self._os_type in ("ubuntu", "debian"):
+            with SandboxConnector.linux(self._token, Config.INTEGRATION) as connector:
+                analysis_uuid = self._process_analysis(connector)
+        elif self._os_type == "android":
+            with SandboxConnector.android(self._token, Config.INTEGRATION) as connector:
+                analysis_uuid = self._process_analysis(connector)
+        else:
+            raise RunTimeException(
+                f"Received invalid OS type: {self._os_type}. Supports: windows, ubuntu, debian, android"
+            )
+        return analysis_uuid
+    def _parse_config(self) -> None:
+        """
+        Configures analysis options according to the chosen environment
+        """
+        self._token = self._config.pop("api_key", "")
+        self._os_type = self._config.pop("os_type", "")
+        if not any((self._token, self._os_type)):
+            raise RunTimeException(f"ANYRUN Sandbox API-KEY and OS type must be specified.")
+        if "url" in self._request:
+            self._prepare_url_params()
+            self._config["obj_url"] = self._request.get("url")
+        elif "malware-sample" in self._request:
+            self._prepare_file_params()
+            self._prepare_file_content("malware-sample")
+        elif "attachment" in self._request:
+            self._prepare_file_params()
+            self._prepare_file_content("attachment")
+        else:
+            raise RunTimeException("Received invalid Object. Supports: url, attachment, malware-sample.")
+    def _process_analysis(self, connector: WindowsConnector | LinuxConnector | AndroidConnector) -> str:
+        """
+        Executes analysis
+        :param connector: Instance of the ANY.RUN connector
+        :return: ANY.RUN Sandbox analysis uuid
+        """
+        connector.check_authorization()
+        if "obj_url" in self._config:
+            analysis_uuid = connector.run_url_analysis(**self._config)
+        else:
+            analysis_uuid = connector.run_file_analysis(**self._config)
+        return analysis_uuid
+    def _prepare_url_params(self) -> None:
+        """
+        Prepares analysis configuration for the url submission
+        """
+        if self._os_type != "windows":
+            self._config.pop("env_version", "")
+            self._config.pop("env_bitness", "")
+            self._config.pop("env_type", "")
+        self._config.pop("obj_ext_extension", "")
+        self._config.pop("obj_ext_startfolder", "")
+        self._config.pop("obj_ext_cmd", "")
+        self._config.pop("obj_force_elevation", "")
+        self._config.pop("run_as_root", "")
+    def _prepare_file_params(self) -> None:
+        """
+        Prepares analysis configuration for the file submission
+        """
+        self._config.pop("obj_ext_browser", "")
+        if self._os_type == "windows":
+            self._config.pop("run_as_root", "")
+        elif self._os_type in ("ubuntu", "debian"):
+            self._config.pop("env_version", "")
+            self._config.pop("env_bitness", "")
+            self._config.pop("env_type", "")
+            self._config.pop("obj_force_elevation", "")
+            self._config["env_os"] = self._os_type
+        elif self._os_type == "android":
+            self._config.pop("env_version", "")
+            self._config.pop("env_bitness", "")
+            self._config.pop("env_type", "")
+            self._config.pop("obj_force_elevation", "")
+            self._config.pop("obj_ext_startfolder", "")
+            self._config.pop("run_as_root", "")
+    def _prepare_file_content(self, sample_type: str) -> None:
+        """
+        Prepares file content to the analysis
+        :param sample_type: Attachment or malware-sample MISP entity
+        """
+        if sample_type == "attachment":
+            filename = self._request.get("attachment")
+            file_content = self._extract_file_content(self._request.get("data"))
+        else:
+            filename = self._request.get("malware-sample").split("|", 1)[0]
+            file_content = self._extract_file_content(self._request.get("data"), is_encoded=True)
+        self._config["filename"] = filename
+        self._config["file_content"] = file_content
+    def _sanitize_config(self) -> None:
+        """
+        Removes empty parameters from the analysis configuration
+        """
+        temp_config = dict()
+        for key, value in self._config.items():
+            if value is not None:
+                temp_config[key] = value
+        self._config = temp_config
+    @staticmethod
+    def _extract_file_content(file_content: str, is_encoded: bool = False) -> bytes:
+        """
+        Extracts file content from the **malware-sample** MISP entity
+        :param file_content: Base64 file content
+        :param is_encoded: Marks if **malware-sample** or **attachment** entity received
+        :return: File bytes payload
+        """
+        data = base64.b64decode(file_content)
+        if is_encoded:
+            with zipfile.ZipFile(io.BytesIO(data)) as file:
+                data = file.read(file.namelist()[0], pwd=b"infected")
+        return data

misp_modules-3.0.4/misp_modules/modules/action_mod/nextcloud_talk.py ADDED Viewed

@@ -0,0 +1,129 @@
+import json
+import requests
+from ._utils import utils
+misperrors = {"error": "Error"}
+# config fields that your code expects from the site admin
+moduleconfig = {
+    "params": {
+        "nextcloud_baseurl": {
+            "type": "string",
+            "description": "The Nexctloud domain or URL",
+            "value": "https://example.nextcloud.org:443",
+        },
+        "nextcloud_app_uuid_login": {
+            "type": "string",
+            "description": "The nextcloud username",
+        },
+        "app_access_token": {
+            "type": "string",
+            "description": "The nextcloud application token",
+        },
+        "nextcloud_conversation_token": {
+            "type": "string",
+            "description": "The token of the conversation the message should be sent to",
+        },
+        "message_template": {
+            "type": "large_string",
+            "description": "The template to be used to generate the message to be posted",
+            "value": "The **template** will be rendered using *Jinja2*!",
+            "jinja_supported": True,
+        },
+    },
+    # Blocking modules break the exection of the current of action
+    "blocking": False,
+    # Indicates whether parts of the data passed to this module should be filtered. Filtered data can be found under the `filteredItems` key
+    "support_filters": True,
+    # Indicates whether the data passed to this module should be compliant with the MISP core format
+    "expect_misp_core_format": False,
+}
+# returns either "boolean" or "data"
+# Boolean is used to simply signal that the execution has finished.
+# For blocking modules the actual boolean value determines whether we break execution
+returns = "boolean"
+moduleinfo = {
+    "version": "0.1",
+    "author": "Jeroen Pinoy",
+    "description": "Simplistic module to send a message to a Nextcloud talk conversation.",
+    "module-type": ["action"],
+    "name": "Nextcloud talk",
+    "logo": "",
+    "requirements": [],
+    "features": "",
+    "references": [],
+    "input": "",
+    "output": "",
+}
+def createPost(request):
+    params = request["params"]
+    nextcloud_baseurl = params["nextcloud_baseurl"]
+    nextcloud_conversation_token = params["nextcloud_conversation_token"]
+    # Construct the API endpoint
+    endpoint = f"{nextcloud_baseurl}/ocs/v2.php/apps/spreed/api/v1/chat/{nextcloud_conversation_token}"
+    # Headers required for the API call
+    headers = {
+        'OCS-APIRequest': 'true',
+        'Accept': 'application/json',
+        'Content-Type': 'application/json'
+    }
+    data = {}
+    if "matchingData" in request:
+        data = request["matchingData"]
+    else:
+        data = request["data"]
+    if params["message_template"]:
+        message = utils.renderTemplate(data, params["message_template"])
+    else:
+        message = "```\n{}\n```".format(json.dumps(data))
+    # Message data
+    message_data = {
+        'message': message
+    }
+    try:
+        # Make POST request to send message
+        requests.post(
+            endpoint,
+            headers=headers,
+            auth=(params["nextcloud_app_uuid_login"], params["app_access_token"]),
+            json=message_data
+        )
+        return True
+    except requests.exceptions.RequestException:
+        return True
+def handler(q=False):
+    if q is False:
+        return False
+    request = json.loads(q)
+    createPost(request)
+    r = {"data": True}
+    return r
+def introspection():
+    modulesetup = {}
+    try:
+        modulesetup["config"] = moduleconfig
+    except NameError:
+        pass
+    return modulesetup
+def version():
+    moduleinfo["config"] = moduleconfig
+    return moduleinfo

misp-modules 3.0.2__tar.gz → 3.0.4__tar.gz

misp-modules 3.0.2tar.gz → 3.0.4tar.gz