Quick installation guide to MISP modules

Juha Kälkäinen
OUSPG
Oct 11, 2019

MISP modules offer a way to extend the default capabilities of MISP without having to modify or understand the core code. Many open and closed source malware analysis tools are available. Check the misp-modules repository to see whether your favorite tools are supported (https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion). Modules can be used to import and export data and to further enrich existing IoCs.

Installation

Let's get started by installing the MISP modules extension in a Python virtualenv. Note that the following commands assume you're using a modern Ubuntu distribution with Python 3 and MISP installed. Modules can be run on the same system that hosts MISP or on a remote server.

Install required tools and packages

sudo apt install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr libpoppler-cpp-dev imagemagick virtualenv libopencv-dev zbar-tools libzbar0 libzbar-dev libfuzzy-dev -y

Create the MISP venv as user www-data

sudo -u www-data virtualenv -p python3 /var/www/MISP/venv

Clone and install the misp-modules repository

cd /usr/local/src/
git clone https://github.com/MISP/misp-modules.git --depth=1
cd misp-modules
sudo -u www-data /var/www/MISP/venv/bin/pip install -I -r REQUIREMENTS
sudo -u www-data /var/www/MISP/venv/bin/pip install .

Add misp-modules.service to systemd and restart the daemon

sudo cp etc/systemd/system/misp-modules.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now misp-modules

Start modules

/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s &

MISP modules should now be installed. Remember to make sure that the service is running as the correct user (definitely not root!).

Testing and enabling modules

You can confirm that the installation was successful by, for example, querying all available modules with the following command, assuming your MISP is hosted at localhost:

curl -s http://127.0.0.1:6666/modules

This should output a list of all modules available in your MISP environment, which looks something like this:

...
{
  "meta": {
    "author": "Evert Kors",
    "config": [
      "api_url",
      "api_key"
    ],
    "description": "Submit files and URLs to Cuckoo Sandbox",
    "module-type": [
      "expansion",
      "hover"
    ],
    "version": "0.1"
  },
  "mispattributes": {
    "input": [
      "attachment",
      "malware-sample",
      "url",
      "domain"
    ],
    "output": [
      "text"
    ]
  },
  "name": "cuckoo_submit",
  "type": "expansion"
}
...

You can now enable or disable modules using the MISP webUI:

Administration -> Server settings & maintenance -> Plugin settings

Once a module is installed and a relevant IoC appears on an event, you can further enrich the data using that module by clicking the * icon in the webUI.
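Before enabling modules in the webUI, it helps to know which ones need settings such as API keys and which attribute types each one can enrich. The following is an added example, not code from the original post or the misp-modules project, that builds that overview from the /modules response. The sample data is constructed from the output shown above, "example_hover" is a made-up entry, and the plain-HTTP base URL on port 6666 is an assumption about a default local install.

```python
import json
import sys
import urllib.request

# Constructed sample: the cuckoo_submit entry from the output above plus one
# made-up module ("example_hover") so the filters have something to tell apart.
SAMPLE = [
    {"meta": {"config": ["api_url", "api_key"], "module-type": ["expansion", "hover"]},
     "mispattributes": {"input": ["attachment", "malware-sample", "url", "domain"],
                        "output": ["text"]},
     "name": "cuckoo_submit", "type": "expansion"},
    {"meta": {"module-type": ["hover"]},
     "mispattributes": {"input": ["domain"], "output": ["text"]},
     "name": "example_hover", "type": "expansion"},
]

def fetch_modules(base_url="http://127.0.0.1:6666"):
    """Query a running misp-modules service (assumed: plain HTTP on loopback)."""
    with urllib.request.urlopen(base_url + "/modules", timeout=10) as resp:
        return json.load(resp)

def inventory(modules):
    """Map module name -> the fields that matter when deciding what to enable."""
    inv = {}
    for mod in modules:
        meta = mod.get("meta", {})
        attrs = mod.get("mispattributes", {})
        inv[mod["name"]] = {
            "type": mod.get("type"),
            "config": list(meta.get("config", [])),  # settings to fill in first
            "input": list(attrs.get("input", [])),   # attribute types it accepts
        }
    return inv

def needs_config(inv):
    """Modules that list config keys, i.e. need settings in MISP before use."""
    return sorted(name for name, m in inv.items() if m["config"])

def modules_for(inv, attribute_type):
    """Modules that can enrich an attribute of the given MISP type."""
    return sorted(name for name, m in inv.items() if attribute_type in m["input"])

if __name__ == "__main__":
    mods = SAMPLE if "--sample" in sys.argv else fetch_modules()
    inv = inventory(mods)
    for name in needs_config(inv):
        print(f"{name}: set {', '.join(inv[name]['config'])} before enabling")
    print("url ->", modules_for(inv, "url"))
```

Run it with --sample to use the embedded data, or without arguments on the host where the modules service is listening.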

This blog post was written as a part of the Cincan project.

One of the goals of the project is to build shareable, repeatable & history preserving malware analysis pipelines using your favorite tools + CI + git + containers.

For more information see our project homepage.
