Misp and ntop in so-manager-api work

Author: Reavershark

.env.example

@@ -20,6 +20,7 @@ AUTH_PASS=password
 ### Services
 ## MISP
 MISP_HOSTNAME=misp-sopoc.example.com
+MISP_API_KEY=apikey
 
 ## Netdata
 NETDATA_HOSTNAME=netdata-sopoc.example.com

Setup.md

@@ -27,7 +27,7 @@ The host device needs to be reachable over the internet to acquire https certifi
 
 ### MISP
 
-MISP needs to know the external hostname. T
+MISP needs to know the external hostname.
 This is set in `MISP_HOSTNAME`, for example `misp-sopoc.duckdns.org`.
 
 ### Ntop
@@ -109,7 +109,8 @@ Misp starts with a default login:
 - Open the "Edit my profile" page.
 - Change email to "`AUTH_USER`@`MISP_HOSTNAME`", both set earlier in `.env`.
 - Go to the "My profile" page.
-- Copy the AuthKey, this is the api key used by securityonion-misp.
+- Copy the AuthKey, change the `MISP_API_KEY` in `.env` to this key.
+- This is also the api key used by securityonion-misp.
 
 ### Security Onion
 

docker-compose.so-manager.yml

@@ -11,6 +11,8 @@ services:
     build: so-manager/react
   so-manager-api:
     build: so-manager/api
+    environment:
+      - MISP_API_KEY=${MISP_API_KEY}
   so-manager-gotty-host:
     build: so-manager/gotty
     command: gotty -p 80 -w ssh debian@${DOCKER_GATEWAY}

so-manager/api/source/apis/misp.d

@@ -0,0 +1,54 @@
+module apis.misp;
+
+import vibe.data.json;
+import vibe.web.rest;
+import vibe.http.common : HTTPMethod;
+
+import std.process : environment;
+import std.exception : enforce;
+
+import std.algorithm : map, uniq;
+import std.array : array;
+
+@safe:
+
+@path("/")
+interface IMispAPI
+{
+  @headerParam("auth", "Authorization")
+  {
+    // POST /attributes/restSearch
+    @path("attributes/restSearch")
+    @method(HTTPMethod.POST)
+    @bodyParam("value", "value")
+    Json searchAttributes(string auth, string value);
+  }
+}
+
+auto getMispApi()
+{
+  return new RestInterfaceClient!IMispAPI("http://misp-proxy/");
+}
+
+void queryMisp(string value, ref Json result)
+{
+  import vibe.core.log : logInfo;
+
+  Json response;
+  response = getMispApi().searchAttributes(environment["MISP_API_KEY"], value);
+
+  Json attributes = response["response"]["Attribute"];
+  enforce(attributes.type == Json.Type.array);
+
+  if (attributes.length == 0)
+  {
+    result["errors"] ~= "Host not found in MISP";
+    return;
+  }
+
+  response["mispMatches"] = attributes.length;
+  response["mispEvents"] = attributes.get!(Json[])
+    .map!(a => a["Event"]["uuid"])
+    .uniq
+    .array;
+}

so-manager/api/source/apis/ntop.d

@@ -1,6 +1,5 @@
 module apis.ntop;
 
-//import std.exception;
 import std.datetime : SysTime;
 
 import vibe.data.json;

so-manager/api/source/app.d

@@ -14,6 +14,7 @@ import std.exception;
 import std.datetime;
 
 import apis.ntop;
+import apis.misp;
 
 @safe:
 
@@ -32,6 +33,7 @@ class RestAPI : IRestAPI
     result["errors"] = Json.emptyArray;
 
     queryNtopIP(_ip, result);
+    queryMisp(_ip, result);
 
     return result;
   }