Merge remote-tracking branch 'origin/main'

Author: mokaddem

README.md

@@ -99,6 +99,7 @@ For further Information see the [license file](https://misp.github.io/misp-modul
 * [OCR Enrich](https://misp.github.io/misp-modules/expansion/#ocr-enrich) - Module to process some optical character recognition on pictures.
 * [ODS Enrich](https://misp.github.io/misp-modules/expansion/#ods-enrich) - Module to extract freetext from a .ods document.
 * [ODT Enrich](https://misp.github.io/misp-modules/expansion/#odt-enrich) - Module to extract freetext from a .odt document.
+* [Onion Lookup](https://misp.github.io/misp-modules/expansion/#onion-lookup) - MISP module using the MISP standard. Uses the onion-lookup service to get information about an onion.
 * [Onyphe Lookup](https://misp.github.io/misp-modules/expansion/#onyphe-lookup) - Module to process a query on Onyphe.
 * [Onyphe Full Lookup](https://misp.github.io/misp-modules/expansion/#onyphe-full-lookup) - Module to process a full query on Onyphe.
 * [AlienVault OTX Lookup](https://misp.github.io/misp-modules/expansion/#alienvault-otx-lookup) - Module to get information from AlienVault OTX.

documentation/README.md

@@ -1740,6 +1740,18 @@ Module to extract freetext from a .odt document.
 
 -----
 
+#### [Onion Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onion_lookup.py)
+
+<img src=logos/onion.png height=60>
+
+MISP module using the MISP standard. Uses the onion-lookup service to get information about an onion.
+[[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onion_lookup.py)]
+
+- **references**:
+>https://onion.ail-project.org/
+
+-----
+
 #### [Onyphe Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe.py)
 
 <img src=logos/onyphe.jpg height=60>

documentation/logos/onion.png

@@ -1737,6 +1737,18 @@ Module to extract freetext from a .odt document.
 
 -----
 
+#### [Onion Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onion_lookup.py)
+
+<img src=../logos/onion.png height=60>
+
+MISP module using the MISP standard. Uses the onion-lookup service to get information about an onion.
+[[source code](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onion_lookup.py)]
+
+- **references**:
+>https://onion.ail-project.org/
+
+-----
+
 #### [Onyphe Lookup](https://github.com/MISP/misp-modules/tree/main/misp_modules/modules/expansion/onyphe.py)
 
 <img src=../logos/onyphe.jpg height=60>

documentation/mkdocs/expansion.md

@@ -78,6 +78,7 @@ For more information: [Extending MISP with Python modules](https://www.misp-proj
 * [OCR Enrich](https://misp.github.io/misp-modules/expansion/#ocr-enrich) - Module to process some optical character recognition on pictures.
 * [ODS Enrich](https://misp.github.io/misp-modules/expansion/#ods-enrich) - Module to extract freetext from a .ods document.
 * [ODT Enrich](https://misp.github.io/misp-modules/expansion/#odt-enrich) - Module to extract freetext from a .odt document.
+* [Onion Lookup](https://misp.github.io/misp-modules/expansion/#onion-lookup) - MISP module using the MISP standard. Uses the onion-lookup service to get information about an onion.
 * [Onyphe Lookup](https://misp.github.io/misp-modules/expansion/#onyphe-lookup) - Module to process a query on Onyphe.
 * [Onyphe Full Lookup](https://misp.github.io/misp-modules/expansion/#onyphe-full-lookup) - Module to process a full query on Onyphe.
 * [AlienVault OTX Lookup](https://misp.github.io/misp-modules/expansion/#alienvault-otx-lookup) - Module to get information from AlienVault OTX.

documentation/mkdocs/index.md

@@ -3,27 +3,120 @@
 
 sys.path.append('{}/lib'.format('/'.join((os.path.realpath(__file__)).split('/')[:-3])))
 
-__all__ = ['cuckoo_submit', 'vmray_submit', 'circl_passivedns', 'circl_passivessl',
-           'cluster25_expand', 'countrycode', 'cve', 'cve_advanced', 'cpe', 'dns', 'btc_steroids', 'domaintools',
-           'eupi', 'eql', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal',
-           'shodan', 'reversedns', 'geoip_asn', 'geoip_city', 'geoip_country', 'wiki', 'iprep',
-           'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon',
-           'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl',
-           'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator',
-           'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query', 'macaddress_io',
-           'intel471', 'backscatter_io', 'btc_scam_check', 'hibp', 'greynoise', 'macvendors',
-           'qrcode', 'ocr_enrich', 'pdf_enrich', 'docx_enrich', 'xlsx_enrich', 'pptx_enrich',
-           'ods_enrich', 'odt_enrich', 'joesandbox_submit', 'joesandbox_query', 'urlhaus',
-           'virustotal_public', 'apiosintds', 'urlscan', 'securitytrails', 'apivoid',
-           'assemblyline_submit', 'assemblyline_query', 'ransomcoindb', 'malwarebazaar',
-           'lastline_query', 'lastline_submit', 'sophoslabs_intelix', 'cytomic_orion', 'censys_enrich',
-           'trustar_enrich', 'recordedfuture', 'html_to_markdown', 'socialscan', 'passive_ssh',
-           'qintel_qsentry', 'mwdb', 'hashlookup', 'mmdb_lookup', 'ipqs_fraud_and_risk_scoring',
-           'clamav', 'jinja_template_rendering', 'hyasinsight', 'variotdbs', 'crowdsec',
-           'extract_url_components', 'ipinfo', 'whoisfreaks', 'ip2locationio', 'stairwell',
-           'google_threat_intelligence', 'vulnerability_lookup', 'vysion', 'mcafee_insights_enrich',
-           'threatfox', 'yeti', 'abuseipdb', 'vmware_nsx', 'sigmf_expand', 'google_safe_browsing',
-           'google_search', 'whois', 'triage_submit', 'virustotal_upload', 'malshare_upload', 'convert_markdown_to_pdf' ]
+__all__ = [
+    'cuckoo_submit',
+    'vmray_submit',
+    'circl_passivedns',
+    'circl_passivessl',
+    'cluster25_expand',
+    'countrycode',
+    'cve',
+    'cve_advanced',
+    'cpe',
+    'dns',
+    'btc_steroids',
+    'domaintools',
+    'eupi',
+    'eql',
+    'farsight_passivedns',
+    'ipasn',
+    'passivetotal',
+    'sourcecache',
+    'virustotal',
+    'shodan',
+    'reversedns',
+    'geoip_asn',
+    'geoip_city',
+    'geoip_country',
+    'wiki',
+    'iprep',
+    'threatminer',
+    'otx',
+    'threatcrowd',
+    'vulndb',
+    'crowdstrike_falcon',
+    'yara_syntax_validator',
+    'hashdd',
+    'onyphe',
+    'onyphe_full',
+    'rbl',
+    'xforceexchange',
+    'sigma_syntax_validator',
+    'stix2_pattern_syntax_validator',
+    'sigma_queries',
+    'dbl_spamhaus',
+    'vulners',
+    'yara_query',
+    'macaddress_io',
+    'intel471',
+    'backscatter_io',
+    'btc_scam_check',
+    'hibp',
+    'greynoise',
+    'macvendors',
+    'qrcode',
+    'ocr_enrich',
+    'pdf_enrich',
+    'docx_enrich',
+    'xlsx_enrich',
+    'pptx_enrich',
+    'ods_enrich',
+    'odt_enrich',
+    'joesandbox_submit',
+    'joesandbox_query',
+    'urlhaus',
+    'virustotal_public',
+    'apiosintds',
+    'urlscan',
+    'securitytrails',
+    'apivoid',
+    'assemblyline_submit',
+    'assemblyline_query',
+    'ransomcoindb',
+    'malwarebazaar',
+    'lastline_query',
+    'lastline_submit',
+    'sophoslabs_intelix',
+    'cytomic_orion',
+    'censys_enrich',
+    'trustar_enrich',
+    'recordedfuture',
+    'html_to_markdown',
+    'socialscan',
+    'passive_ssh',
+    'qintel_qsentry',
+    'mwdb',
+    'hashlookup',
+    'mmdb_lookup',
+    'ipqs_fraud_and_risk_scoring',
+    'clamav',
+    'jinja_template_rendering',
+    'hyasinsight',
+    'variotdbs',
+    'crowdsec',
+    'extract_url_components',
+    'ipinfo',
+    'whoisfreaks',
+    'ip2locationio',
+    'stairwell',
+    'google_threat_intelligence',
+    'vulnerability_lookup',
+    'vysion',
+    'mcafee_insights_enrich',
+    'threatfox',
+    'yeti',
+    'abuseipdb',
+    'vmware_nsx',
+    'sigmf_expand',
+    'google_safe_browsing',
+    'google_search',
+    'whois',
+    'triage_submit',
+    'virustotal_upload',
+    'malshare_upload',
+    'convert_markdown_to_pdf',
+    'onion_lookup',
+]
 
 
 minimum_required_fields = ('type', 'uuid', 'value')

misp_modules/lib/stix2misp.py

@@ -14,22 +14,25 @@
         # 'url',
         # Any other Attribute type...
     ],
-    'format': 'misp_standard'
+    'format': 'misp_standard',
 }
 
 moduleinfo = {
     'version': '1',
+    'author': 'Sami Mokaddem',
+    'name': 'Onion Lookup',
     'author': 'MISP',
-    'description': 'MISP module using the MISP standard. Uses the onion-lookup service to get information about an onion',
+    'description': 'MISP module using the MISP standard. Uses the onion-lookup service to get information about an onion.',
     'module-type': [  # possible module-types: 'expansion', 'hover' or both
         'expansion',
-        'hover'
-    ]
+        'hover',
+    ],
+    'references': ['https://onion.ail-project.org/'],
+    'logo': 'onion.png'
 }
 
 # config fields that your code expects from the site admin
-moduleconfig = [
-]
+moduleconfig = []
 
 
 def getDetails(onion_address):
@@ -47,6 +50,8 @@ def getDetails(onion_address):
   ],
 }
 '''
+
+
 def createObject(onion_details):
     misp_object = MISPObject('tor-hiddenservice')
     misp_object.comment = 'custom-comment2'
@@ -62,7 +67,6 @@ def createObject(onion_details):
     return misp_object
 
 
-
 def enrichOnion(misp_event, attribute):
     onion_address = attribute['value']
     onion_details = getDetails(onion_address)
@@ -85,7 +89,9 @@ def handler(q=False):
 
     # Input sanity check
     if not request.get('attribute') or not check_input_attribute(request['attribute']):
-        return {'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'}
+        return {
+            'error': f'{standard_error_message}, which should contain at least a type, a value and an uuid.'
+        }
     attribute = request['attribute']
 
     # Make sure the Attribute's type is one of the expected type
@@ -112,4 +118,3 @@ def introspection():
 def version():
     moduleinfo['config'] = moduleconfig
     return moduleinfo
-

misp_modules/lib/stix2misp_mapping.py

@@ -17,8 +17,9 @@
     "analysis_link": {
         "type": "String",
         "errorMessage": "Expected analysis link",
-        "message": "The link to a Lastline analysis"
-    },
+        "message": "The link to a Lastline analysis",
+        "required": True
+    }
 }
 
 inputSource = []