new: [remote] Support for MISP specific transforms in remote mode

MISP · Dec 27, 2019 · f449751 · f449751
1 parent 4486093
commit f449751
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 20 deletions.
diff --git a/TRANSFORM_HUB_DISCLAIMER.md b/TRANSFORM_HUB_DISCLAIMER.md
@@ -0,0 +1,19 @@
+# MISP Maltego Remote Transform Disclaimer
+When using the MISP Maltego transforms using the Transform Hub (not the locally installed version) you need to know you are are sending data, including your MISP URL and API key to 3rd parties.
+
+The public Transform Distribution Server (TDS) is located on the Internet and is free for all to use. It’s a convenient way to immediately start writing remote transforms. Since this server is located on Paterva’s infrastructure data (entity, and settings) will be flowing from the Maltego GUI to this server. Paterva states they DO NOT store the details of your transforms (entities, MISP URL, API KEY).
+
+Finally it will flow further to a server managed by the MISP-maltego developer(s), where the transform code runs. We also DO NOT store or look at the details of your transforms (entities, MISP URL, API KEY). As you can see in the code (open source), this data is only used live in memory to provide the transform functionality. The only reasons why we would be seeing this data is by accident; while troubleshooting or by unintentional mis-configuration.
+
+We do keep standard HTTP logs for troubleshooting and anonymous statistics, although these contain the IP addresses of Paterva's TDS server, and not yours.
+
+**DO NOT use these Transform Hub transforms if you do not agree or if this is in violation with your MISP community.**
+
+If so, feel free to use the MISP-Maltego transform locally, where all the code runs on your own system. Installation instructions can be found [here]([https://github.com/MISP/MISP-maltego/blob/master/doc/README.md#installation](https://github.com/MISP/MISP-maltego/blob/master/doc/README.md#installation)). 
+
+
+## More info
+For more information please read Paterva's and Canari's documentation:
+* [http://www.canariproject.com/en/latest/canari.quickstart.html#making-transforms-remote](http://www.canariproject.com/en/latest/canari.quickstart.html#making-transforms-remote)
+* [https://docs.maltego.com/support/solutions/articles/15000020198-what-is-itds-](https://docs.maltego.com/support/solutions/articles/15000020198-what-is-itds-)
+* [https://www.paterva.com/buy/maltego-servers.php](https://www.paterva.com/buy/maltego-servers.php)
diff --git a/src/MISP_maltego/transforms/attributetoevent.py b/src/MISP_maltego/transforms/attributetoevent.py
@@ -18,8 +18,9 @@
 # @EnableDebugWindow
 class AttributeInMISP(Transform):
     """Green bookmark if known in MISP"""
-    display_name = 'in MISP?'
     input_type = Unknown
+    display_name = 'in MISP?'
+    remote = True
 
     def do_transform(self, request, response, config):
         response += check_update(config)
@@ -31,7 +32,7 @@ def do_transform(self, request, response, config):
         except Exception:
             pass
 
-        misp = get_misp_connection(config)
+        misp = get_misp_connection(config, request.parameters)
         events_json = misp.search(controller='events', value=maltego_misp_attribute.value, with_attachments=False)
         # we need to do really rebuild the Entity from scratch as request.entity is of type Unknown
         for e in events_json:
@@ -48,10 +49,11 @@ def do_transform(self, request, response, config):
 # class NetblockToAttributes(Transform):
 #     display_name = 'to MISP Attributes'
 #     input_type = Netblock
+#     remote = True
 
 #     def do_transform(self, request, response, config):
 #         maltego_misp_attribute = request.entity
-#         misp = get_misp_connection(config)
+#         misp = get_misp_connection(config, request.parameters)
 #         import ipaddress
 #         ip_start, ip_end = maltego_misp_attribute.value.split('-')
 #         # FIXME make this work with IPv4 and IPv6
@@ -66,8 +68,9 @@ def do_transform(self, request, response, config):
 
 # @EnableDebugWindow
 class AttributeToEvent(Transform):
-    display_name = 'to MISP Event'
     input_type = Unknown
+    display_name = 'to MISP Event'
+    remote = True
 
     def do_transform(self, request, response, config):
         response += check_update(config)
@@ -81,7 +84,7 @@ def do_transform(self, request, response, config):
             # placeholder for https://github.com/MISP/MISP-maltego/issues/11
             pass
 
-        misp = get_misp_connection(config)
+        misp = get_misp_connection(config, request.parameters)
         # from Galaxy
         if 'properties.mispgalaxy' in request.entity.fields:
             tag_name = get_entity_property(request.entity, 'tag_name')

diff --git a/src/MISP_maltego/transforms/common/util.py b/src/MISP_maltego/transforms/common/util.py
@@ -165,24 +165,36 @@ def check_update(config):
     return None
 
 
-def get_misp_connection(config=None):
+def get_misp_connection(config=None, parameters=None):
     global misp_connection
     if misp_connection:
         return misp_connection
     if not config:
         raise MaltegoException("ERROR: MISP connection not yet established, and config not provided as parameter.")
-    if config['MISP_maltego.local.misp_verify'] in ['True', 'true', 1, 'yes', 'Yes']:
-        misp_verify = True
-    else:
-        misp_verify = False
-    if config['MISP_maltego.local.misp_debug'] in ['True', 'true', 1, 'yes', 'Yes']:
-        misp_debug = True
-    else:
-        misp_debug = False
+    misp_verify = True
+    misp_debug = False
+    misp_url = None
+    misp_key = None
     try:
-        misp_connection = PyMISP(config['MISP_maltego.local.misp_url'], config['MISP_maltego.local.misp_key'], misp_verify, 'json', misp_debug)
+        if is_local_exec_mode():
+            misp_url = config['MISP_maltego.local.misp_url']
+            misp_key = config['MISP_maltego.local.misp_key']
+            if config['MISP_maltego.local.misp_verify'] in ['False', 'false', 0, 'no', 'No']:
+                misp_verify = False
+            if config['MISP_maltego.local.misp_debug'] in ['True', 'true', 1, 'yes', 'Yes']:
+                misp_debug = True
+        if is_remote_exec_mode():
+            try:
+                misp_url = parameters['mispurl'].value
+                misp_key = parameters['mispkey'].value
+            except AttributeError:
+                raise MaltegoException("ERROR: mispurl and mispkey need to be set to something valid")
+            misp_connection = PyMISP(misp_url, misp_key, misp_verify, 'json', misp_debug)
     except Exception:
-        raise MaltegoException("ERROR: Cannot connect to MISP server. Please verify your MISP_Maltego.conf settings")
+        if is_local_exec_mode():
+            raise MaltegoException("ERROR: Cannot connect to MISP server. Please verify your MISP_Maltego.conf settings.")
+        if is_remote_exec_mode():
+            raise MaltegoException("ERROR: Cannot connect to MISP server. Please verify your settings (MISP URL and API key), and ensure the MISP server is reachable from the internet.")
     return misp_connection
 
 

diff --git a/src/MISP_maltego/transforms/eventtoattributes.py b/src/MISP_maltego/transforms/eventtoattributes.py
@@ -37,7 +37,7 @@ def do_transform(self, request, response, config):
         self.config = config
         self.response += check_update(config)
         maltego_misp_event = request.entity
-        self.misp = get_misp_connection(config)
+        self.misp = get_misp_connection(config, request.parameters)
         event_id = maltego_misp_event.id
         search_result = self.misp.search(controller='events', eventid=event_id, with_attachments=False)
         if search_result:
@@ -88,6 +88,7 @@ def gen_response_relations(self):
 class EventToAll(EventToTransform):
     input_type = MISPEvent
     description = 'Expands an Event to Attributes, Objects, Tags, Galaxies'
+    remote = True
 
     def do_transform(self, request, response, config):
         if super().do_transform(request, response, config):
@@ -103,6 +104,7 @@ def do_transform(self, request, response, config):
 class EventToAttributes(EventToTransform):
     input_type = MISPEvent
     description = 'Expands an Event to Attributes'
+    remote = True
 
     def do_transform(self, request, response, config):
         if super().do_transform(request, response, config):
@@ -115,6 +117,7 @@ def do_transform(self, request, response, config):
 class EventToTags(EventToTransform):
     input_type = MISPEvent
     description = 'Expands an Event to Tags and Galaxies'
+    remote = True
 
     def do_transform(self, request, response, config):
         if super().do_transform(request, response, config):
@@ -128,6 +131,7 @@ def do_transform(self, request, response, config):
 class EventToGalaxies(EventToTransform):
     input_type = MISPEvent
     description = 'Expands an Event to Galaxies'
+    remote = True
 
     def do_transform(self, request, response, config):
         if super().do_transform(request, response, config):
@@ -140,6 +144,7 @@ def do_transform(self, request, response, config):
 class EventToObjects(EventToTransform):
     input_type = MISPEvent
     description = 'Expands an Event to Objects'
+    remote = True
 
     def do_transform(self, request, response, config):
         if super().do_transform(request, response, config):
@@ -152,6 +157,7 @@ def do_transform(self, request, response, config):
 class EventToRelations(EventToTransform):
     input_type = MISPEvent
     description = 'Expands an Event to related Events'
+    remote = True
 
     def do_transform(self, request, response, config):
         if super().do_transform(request, response, config):
@@ -165,11 +171,12 @@ class ObjectToAttributes(Transform):
     """"Expands an object to its attributes"""
     input_type = MISPObject
     description = 'Expands an Object to Attributes'
+    remote = True
 
     def do_transform(self, request, response, config):
         response += check_update(config)
         maltego_object = request.entity
-        misp = get_misp_connection(config)
+        misp = get_misp_connection(config, request.parameters)
         event_json = misp.get_event(maltego_object.event_id)
         for o in event_json['Event']['Object']:
             if o['uuid'] == maltego_object.uuid:
@@ -188,11 +195,12 @@ class ObjectToRelations(Transform):
     """Expands an object to the relations of the object"""
     input_type = MISPObject
     description = 'Expands an Object to Relations'
+    remote = True
 
     def do_transform(self, request, response, config):
         response += check_update(config)
         maltego_object = request.entity
-        misp = get_misp_connection(config)
+        misp = get_misp_connection(config, request.parameters)
         event_json = misp.get_event(maltego_object.event_id)
         for o in event_json['Event']['Object']:
             if o['uuid'] == maltego_object.uuid:

diff --git a/src/MISP_maltego/transforms/galaxytoevent.py b/src/MISP_maltego/transforms/galaxytoevent.py
@@ -22,11 +22,12 @@ class GalaxyToEvents(Transform):
 
     # The transform input entity type.
     input_type = MISPGalaxy
+    remote = True
 
     def do_transform(self, request, response, config):
         response += check_update(config)
         maltego_misp_galaxy = request.entity
-        misp = get_misp_connection(config)
+        misp = get_misp_connection(config, request.parameters)
         if maltego_misp_galaxy.tag_name:
             tag_name = maltego_misp_galaxy.tag_name
         else: