Merge branch 'main' of github.com:MISP/misp-modules

README.md

@@ -49,6 +49,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
 * [CIRCL Passive SSL](https://misp.github.io/misp-modules/expansion/#circl-passive-ssl) - Modules to access CIRCL Passive SSL.
 * [ClaamAV](https://misp.github.io/misp-modules/expansion/#claamav) - Submit file to ClamAV
 * [Cluster25 Expand](https://misp.github.io/misp-modules/expansion/#cluster25-expand) - Module to query Cluster25 CTI.
+* [Markdown to PDF converter](https://misp.github.io/misp-modules/expansion/#markdown-to-pdf-converter) - Render the markdown (under GFM) into PDF. Requires pandoc (https://pandoc.org/), wkhtmltopdf (https://wkhtmltopdf.org/) and mermaid dependencies.
 * [Country Code](https://misp.github.io/misp-modules/expansion/#country-code) - Module to expand country codes.
 * [CPE Lookup](https://misp.github.io/misp-modules/expansion/#cpe-lookup) - An expansion module to query the CVE search API with a cpe code to get its related vulnerabilities.
 * [CrowdSec CTI](https://misp.github.io/misp-modules/expansion/#crowdsec-cti) - Module to access CrowdSec CTI API.
@@ -58,7 +59,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
 * [CVE Advanced Lookup](https://misp.github.io/misp-modules/expansion/#cve-advanced-lookup) - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).
 * [Cytomic Orion Lookup](https://misp.github.io/misp-modules/expansion/#cytomic-orion-lookup) - An expansion module to enrich attributes in MISP by quering the Cytomic Orion API
 * [DBL Spamhaus Lookup](https://misp.github.io/misp-modules/expansion/#dbl-spamhaus-lookup) - Checks Spamhaus DBL for a domain name.
-* [DNS Resolver](https://misp.github.io/misp-modules/expansion/#dns-resolver) - jj
+* [DNS Resolver](https://misp.github.io/misp-modules/expansion/#dns-resolver) - Simple DNS expansion service to resolve IP address from MISP attributes
 * [DOCX Enrich](https://misp.github.io/misp-modules/expansion/#docx-enrich) - Module to extract freetext from a .docx document.
 * [DomainTools Lookup](https://misp.github.io/misp-modules/expansion/#domaintools-lookup) - DomainTools MISP expansion module.
 * [EQL Query Generator](https://misp.github.io/misp-modules/expansion/#eql-query-generator) - EQL query generation for a MISP attribute.
@@ -143,7 +144,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
 * [Wikidata Lookup](https://misp.github.io/misp-modules/expansion/#wikidata-lookup) - An expansion hover module to extract information from Wikidata to have additional information about particular term for analysis.
 * [IBM X-Force Exchange Lookup](https://misp.github.io/misp-modules/expansion/#ibm-x-force-exchange-lookup) - An expansion module for IBM X-Force Exchange.
 * [XLXS Enrich](https://misp.github.io/misp-modules/expansion/#xlxs-enrich) - Module to extract freetext from a .xlsx document.
-* [YARA Rule Generator](https://misp.github.io/misp-modules/expansion/#yara-rule-generator) - jj
+* [YARA Rule Generator](https://misp.github.io/misp-modules/expansion/#yara-rule-generator) - The module takes a hash attribute (md5, sha1, sha256, imphash) as input, and is returning a YARA rule from it.
 * [YARA Syntax Validator](https://misp.github.io/misp-modules/expansion/#yara-syntax-validator) - An expansion hover module to perform a syntax check on if yara rules are valid or not.
 * [Yeti Lookup](https://misp.github.io/misp-modules/expansion/#yeti-lookup) - Module to process a query on Yeti.
 

documentation/README.md

@@ -363,6 +363,35 @@ Module to query Cluster25 CTI.
 
 -----
 
+#### [Markdown to PDF converter](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/convert_markdown_to_pdf.py)
+
+Render the markdown (under GFM) into PDF. Requires pandoc (https://pandoc.org/), wkhtmltopdf (https://wkhtmltopdf.org/) and mermaid dependencies.
+[[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/convert_markdown_to_pdf.py)]
+
+- **features**:
+>
+
+- **references**:
+>
+1. Install pandoc for your distribution
+2. Install wkhtmltopdf
+    - Ensure You have install the version with patched qt
+    - Ensure it supports margin options
+    - You can check the above by inspecting the extended help `wkhtmltopdf --extended-help`
+3. Install mermaid
+    - `npm install --global @mermaid-js/mermaid-cli`
+4. Install the pandoc-mermaid-filter from https://github.com/DavidCruciani/pandoc-mermaid-filter
+    - Easiest is to install the following:
+    ```bash
+        pip3 install git+https://github.com/DavidCruciani/pandoc-mermaid-filter
+    ```
+
+
+- **requirements**:
+>pandoc
+
+-----
+
 #### [Country Code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/countrycode.py)
 
 Module to expand country codes.
@@ -541,25 +570,22 @@ Submit files and URLs to Cuckoo Sandbox
 
 #### [CVE Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py)
 
-<img src=logos/cve.png height=60>
+<img src=logos/vulnerability_lookyp.png height=60>
 
 An expansion hover module to expand information about CVE id.
 [[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py)]
 
 - **features**:
->The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to get information about the vulnerability as it is described in the list of CVEs.
-
-- **config**:
->custom_API
+>The module takes a vulnerability attribute as input and queries Vulnerability Lookup to get additional information based on the Vulnerability ID.
 
 - **input**:
 >Vulnerability attribute.
 
 - **output**:
->Text giving information about the CVE related to the Vulnerability.
+>Additional information on the vulnerability, gathered from the Vulnerability Lookup API.
 
 - **references**:
-> - https://vulnerability.circl.lu/
+> - https://cve.circl.lu/
 > - https://cve.mitre.org/
 
 -----
@@ -664,7 +690,7 @@ Checks Spamhaus DBL for a domain name.
 
 #### [DNS Resolver](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py)
 
-jj
+Simple DNS expansion service to resolve IP address from MISP attributes
 [[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py)]
 
 - **features**:
@@ -1611,6 +1637,7 @@ A hover and expansion module to enrich an ip with geolocation and ASN informatio
 - **config**:
 > - custom_API
 > - db_source_filter
+> - max_country_info_qt
 
 - **input**:
 >An IP address attribute (for example ip-src or ip-src|port).
@@ -2792,11 +2819,22 @@ Module to query VulnDB (RiskBasedSecurity.com).
 
 #### [Vulnerability Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulnerability_lookup.py)
 
+<img src=logos/vulnerability_lookup.png height=60>
+
 An expansion module to query Vulnerability Lookup
 [[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulnerability_lookup.py)]
 
 - **features**:
->
+>The module takes a vulnerability attribute as input and queries Vulnerability Lookup to gather additional information based on the Vulnerability ID. The result of the query is then parsed and converted into MISP content which can be added to the original event to enrich the input attribute.
+
+- **input**:
+>Vulnerability Attribute
+
+- **output**:
+>Additional information on the vulnerability, gathered from the Vulnerability Lookup API.
+
+- **references**:
+>https://vulnerability.circl.lu
 
 -----
 
@@ -3013,7 +3051,7 @@ Module to extract freetext from a .xlsx document.
 
 <img src=logos/yara.png height=60>
 
-jj
+The module takes a hash attribute (md5, sha1, sha256, imphash) as input, and is returning a YARA rule from it.
 [[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_query.py)]
 
 - **features**:

documentation/mkdocs/expansion.md

@@ -360,6 +360,35 @@ Module to query Cluster25 CTI.
 
 -----
 
+#### [Markdown to PDF converter](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/convert_markdown_to_pdf.py)
+
+Render the markdown (under GFM) into PDF. Requires pandoc (https://pandoc.org/), wkhtmltopdf (https://wkhtmltopdf.org/) and mermaid dependencies.
+[[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/convert_markdown_to_pdf.py)]
+
+- **features**:
+>
+
+- **references**:
+>
+1. Install pandoc for your distribution
+2. Install wkhtmltopdf
+    - Ensure You have install the version with patched qt
+    - Ensure it supports margin options
+    - You can check the above by inspecting the extended help `wkhtmltopdf --extended-help`
+3. Install mermaid
+    - `npm install --global @mermaid-js/mermaid-cli`
+4. Install the pandoc-mermaid-filter from https://github.com/DavidCruciani/pandoc-mermaid-filter
+    - Easiest is to install the following:
+    ```bash
+        pip3 install git+https://github.com/DavidCruciani/pandoc-mermaid-filter
+    ```
+
+
+- **requirements**:
+>pandoc
+
+-----
+
 #### [Country Code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/countrycode.py)
 
 Module to expand country codes.
@@ -538,25 +567,22 @@ Submit files and URLs to Cuckoo Sandbox
 
 #### [CVE Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py)
 
-<img src=../logos/cve.png height=60>
+<img src=../logos/vulnerability_lookyp.png height=60>
 
 An expansion hover module to expand information about CVE id.
 [[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/cve.py)]
 
 - **features**:
->The module takes a vulnerability attribute as input and queries the CIRCL CVE search API to get information about the vulnerability as it is described in the list of CVEs.
-
-- **config**:
->custom_API
+>The module takes a vulnerability attribute as input and queries Vulnerability Lookup to get additional information based on the Vulnerability ID.
 
 - **input**:
 >Vulnerability attribute.
 
 - **output**:
->Text giving information about the CVE related to the Vulnerability.
+>Additional information on the vulnerability, gathered from the Vulnerability Lookup API.
 
 - **references**:
-> - https://vulnerability.circl.lu/
+> - https://cve.circl.lu/
 > - https://cve.mitre.org/
 
 -----
@@ -661,7 +687,7 @@ Checks Spamhaus DBL for a domain name.
 
 #### [DNS Resolver](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py)
 
-jj
+Simple DNS expansion service to resolve IP address from MISP attributes
 [[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/dns.py)]
 
 - **features**:
@@ -1608,6 +1634,7 @@ A hover and expansion module to enrich an ip with geolocation and ASN informatio
 - **config**:
 > - custom_API
 > - db_source_filter
+> - max_country_info_qt
 
 - **input**:
 >An IP address attribute (for example ip-src or ip-src|port).
@@ -2789,11 +2816,22 @@ Module to query VulnDB (RiskBasedSecurity.com).
 
 #### [Vulnerability Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulnerability_lookup.py)
 
+<img src=../logos/vulnerability_lookup.png height=60>
+
 An expansion module to query Vulnerability Lookup
 [[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/vulnerability_lookup.py)]
 
 - **features**:
->
+>The module takes a vulnerability attribute as input and queries Vulnerability Lookup to gather additional information based on the Vulnerability ID. The result of the query is then parsed and converted into MISP content which can be added to the original event to enrich the input attribute.
+
+- **input**:
+>Vulnerability Attribute
+
+- **output**:
+>Additional information on the vulnerability, gathered from the Vulnerability Lookup API.
+
+- **references**:
+>https://vulnerability.circl.lu
 
 -----
 
@@ -3010,7 +3048,7 @@ Module to extract freetext from a .xlsx document.
 
 <img src=../logos/yara.png height=60>
 
-jj
+The module takes a hash attribute (md5, sha1, sha256, imphash) as input, and is returning a YARA rule from it.
 [[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/yara_query.py)]
 
 - **features**:

documentation/mkdocs/index.md

@@ -28,6 +28,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
 * [CIRCL Passive SSL](https://misp.github.io/misp-modules/expansion/#circl-passive-ssl) - Modules to access CIRCL Passive SSL.
 * [ClaamAV](https://misp.github.io/misp-modules/expansion/#claamav) - Submit file to ClamAV
 * [Cluster25 Expand](https://misp.github.io/misp-modules/expansion/#cluster25-expand) - Module to query Cluster25 CTI.
+* [Markdown to PDF converter](https://misp.github.io/misp-modules/expansion/#markdown-to-pdf-converter) - Render the markdown (under GFM) into PDF. Requires pandoc (https://pandoc.org/), wkhtmltopdf (https://wkhtmltopdf.org/) and mermaid dependencies.
 * [Country Code](https://misp.github.io/misp-modules/expansion/#country-code) - Module to expand country codes.
 * [CPE Lookup](https://misp.github.io/misp-modules/expansion/#cpe-lookup) - An expansion module to query the CVE search API with a cpe code to get its related vulnerabilities.
 * [CrowdSec CTI](https://misp.github.io/misp-modules/expansion/#crowdsec-cti) - Module to access CrowdSec CTI API.
@@ -37,7 +38,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
 * [CVE Advanced Lookup](https://misp.github.io/misp-modules/expansion/#cve-advanced-lookup) - An expansion module to query the CIRCL CVE search API for more information about a vulnerability (CVE).
 * [Cytomic Orion Lookup](https://misp.github.io/misp-modules/expansion/#cytomic-orion-lookup) - An expansion module to enrich attributes in MISP by quering the Cytomic Orion API
 * [DBL Spamhaus Lookup](https://misp.github.io/misp-modules/expansion/#dbl-spamhaus-lookup) - Checks Spamhaus DBL for a domain name.
-* [DNS Resolver](https://misp.github.io/misp-modules/expansion/#dns-resolver) - jj
+* [DNS Resolver](https://misp.github.io/misp-modules/expansion/#dns-resolver) - Simple DNS expansion service to resolve IP address from MISP attributes
 * [DOCX Enrich](https://misp.github.io/misp-modules/expansion/#docx-enrich) - Module to extract freetext from a .docx document.
 * [DomainTools Lookup](https://misp.github.io/misp-modules/expansion/#domaintools-lookup) - DomainTools MISP expansion module.
 * [EQL Query Generator](https://misp.github.io/misp-modules/expansion/#eql-query-generator) - EQL query generation for a MISP attribute.
@@ -122,7 +123,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
 * [Wikidata Lookup](https://misp.github.io/misp-modules/expansion/#wikidata-lookup) - An expansion hover module to extract information from Wikidata to have additional information about particular term for analysis.
 * [IBM X-Force Exchange Lookup](https://misp.github.io/misp-modules/expansion/#ibm-x-force-exchange-lookup) - An expansion module for IBM X-Force Exchange.
 * [XLXS Enrich](https://misp.github.io/misp-modules/expansion/#xlxs-enrich) - Module to extract freetext from a .xlsx document.
-* [YARA Rule Generator](https://misp.github.io/misp-modules/expansion/#yara-rule-generator) - jj
+* [YARA Rule Generator](https://misp.github.io/misp-modules/expansion/#yara-rule-generator) - The module takes a hash attribute (md5, sha1, sha256, imphash) as input, and is returning a YARA rule from it.
 * [YARA Syntax Validator](https://misp.github.io/misp-modules/expansion/#yara-syntax-validator) - An expansion hover module to perform a syntax check on if yara rules are valid or not.
 * [Yeti Lookup](https://misp.github.io/misp-modules/expansion/#yeti-lookup) - Module to process a query on Yeti.