MISP / misp-modules

Modules for expansion services, enrichment, import and export in MISP and other tools.
http://misp.github.io/misp-modules
GNU Affero General Public License v3.0

Unable to process "AS" autonomous system value as input to misp-modules #423

Closed davehouser1 closed 4 years ago

davehouser1 commented 4 years ago

System: Ubuntu 18.04, MISP 2.4.129 (all in one system)

Problem: I am unable to get any misp-module that takes AS as input to provide any output for an enrichment module.

Input: "AS", the value is an ASN number like 15169.

Expected output: Using '''mispattributes = {'input': ['AS'], 'output': ['freetext']}''' should be able to utilize AS values.

Current output: I tested with BGPRanking, and I keep getting "Array returned" but no values. I created my own MISP module which gathers whois data and puts it into a dictionary which I can call from. When "AS" is used as input, the enrichment module returns "Empty result".

Troubleshooting: I have tried using "AS" on several different versions of MISP (2.4.127-2.4.129). I tried using the BGPranking with no success. As a test I tried using a different source like 'ip-src', which will pull this value as input, and then I can run my code and output my dictionary values. Is there something special with "AS" as a value for input?

Question: How can I troubleshoot this? I tested the code I put in my custom misp-module and it works fine with different input values. Everything falls apart when I choose "AS" as input. Would love to do some type of print statement to see what my unit is receiving as input.

How do I actually use the BGPRanking? What is the desired input, just an ASN number?

davehouser1 commented 4 years ago

Any update on this?

chrisr3d commented 4 years ago

I guess you used the module the right way; the issue came from the freetext import, which in this case was not the most appropriate tool to parse the results of the query to BGP ranking.

You got no result because the module actually gave some results returned as freetext and ingested in the freetext import parser, which only recognized the AS number itself and returned it. Then, since the same AS was already used as input, MISP did not add an already existing attribute so it looked like there is nothing returned.

I just updated the module and created a specific object to represent the ranking of an AS number as you can see in the following example: image

The input of the module also changed:

{
    "module": "bgpranking",
    "attribute": {
        "type": "AS",
        "value": "AS174",
        "uuid": "...",
        "...": "..."
    }
}

You will need to make sure everything is correctly up-to-date (MISP, misp-objects, misp-modules) and then it should work. Let me know if anything goes wrong and reopen if needed.

davehouser1 commented 4 years ago

Thanks for the response, I actually did figure out my problem a couple weeks back. I forgot to update this post. I gave up on the BGPranking for now, I may return to using it later. I was only using it to troubleshoot my custom misp module I created, which now works.

First of all, I found out doing a "sudo journalctl -f" allowed me to follow the python stdout / stderr when trying to run my code. The 'AS' value was working perfectly fine as input, but my misp module output I created was not formatted correctly. Hence why I was not getting any output. My code was creating a simple dictionary formatted like below:

Example:

{'key1':'value1','key2':'value2','key3':'value3',}

I found online how to format the misp module output properly using this function (which I tweaked a little for my purposes):

    def PrepForOutput(dct):
        '''
        This function is used to prep asn dictionary data for MISP-module output
        format.
        Converts a dictionary into a list of dictionaries, each holding one
        attribute 'type' and its 'value', and wraps that list under 'Attribute'.
        '''
        prepped_data = []
        for k, v in dct.items():
            # each key becomes the attribute type, each value the attribute value
            prepped_data.append({'type': k, 'value': v})
        prepped_data = {'Attribute': prepped_data}
        return prepped_data

The output of the function was then passed as the return statement for the handler function. Which worked! Note: I am not sure this is the correct way to format / pass output for misp modules. However it worked for my purposes. Also the output was configured for my specific needs, this function may need to be adjusted for others based on your input values and how you want output formatted or if you have metadata you are working with. If anyone has some best practices they can offer that would be great.
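Putting the two halves of this thread together (the per-attribute request shape chrisr3d posted and the output wrapper davehouser1 ended up with), here is an added, self-contained example of an "AS" enrichment handler; it is not code from misp-modules or from either poster. The whois lookup is replaced by a constructed in-memory table, the result wrapper follows the shape described in the thread (check the misp-modules docs for the current one), and the handler validates and normalises the ASN before looking anything up.

```python
import json
import re

# Declared as in the thread: this module accepts MISP "AS" attributes.
mispattributes = {'input': ['AS'], 'output': ['freetext']}

# Constructed stand-in for the whois data the thread's author fetched.
# Keyed by integer ASN; values are sample fields only.
FAKE_WHOIS = {
    174: {'as-name': 'COGENT-174', 'country': 'US'},
    15169: {'as-name': 'GOOGLE', 'country': 'US'},
}

def normalise_asn(value):
    """Accept '15169', 'AS15169' or 'as 15169'; return the integer ASN or None."""
    m = re.fullmatch(r'\s*(?:AS\s*)?(\d+)\s*', str(value), re.IGNORECASE)
    if not m:
        return None
    asn = int(m.group(1))
    return asn if 0 < asn < 2 ** 32 else None   # 32-bit ASN range

def prep_for_output(dct):
    """Same idea as the thread's PrepForOutput: one MISP attribute per key/value."""
    return {'Attribute': [{'type': k, 'value': v} for k, v in dct.items()]}

def introspection():
    """misp-modules asks the module what it accepts and emits."""
    return mispattributes

def handler(q=False):
    """Entry point in the shape misp-modules calls: q is the request as a JSON string."""
    if q is False:
        return False
    request = json.loads(q)
    attribute = request.get('attribute') or {}
    if attribute.get('type') != 'AS':
        return {'error': 'Unsupported input type, expected AS'}
    asn = normalise_asn(attribute.get('value', ''))
    if asn is None:
        return {'error': 'Invalid AS value: %r' % attribute.get('value')}
    record = FAKE_WHOIS.get(asn)
    if not record:
        return {'error': 'No data for AS%d' % asn}
    # Returning only the AS number would be dropped as a duplicate of the input
    # attribute (the symptom in this thread), so emit the enrichment fields instead.
    return prep_for_output({'text': record['as-name'],
                            'comment': 'country: ' + record['country']})
```

The attribute types used in the output ('text', 'comment') are existing MISP attribute types; keys from a raw whois dictionary such as 'as-name' are not, which is the other reason a plain key/value dump may produce nothing in the event.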