dnMisp 1.0.2.3

.NET Standard 2.0 This package targets .NET Standard 2.0. The package is compatible with this framework or higher.
There is a newer version of this package available.
See the version list below for details. 
dotnet add package dnMisp --version 1.0.2.3                

                    
                

            
NuGet\Install-Package dnMisp -Version 1.0.2.3
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="dnMisp" Version="1.0.2.3" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
paket add dnMisp --version 1.0.2.3                

                    
                

            
#r "nuget: dnMisp, 1.0.2.3"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
// Install dnMisp as a Cake Addin
#addin nuget:?package=dnMisp&version=1.0.2.3

// Install dnMisp as a Cake Tool
#tool nuget:?package=dnMisp&version=1.0.2.3

.NET Core License Nuget

dnMisp

dnMisp is a simple, MISP Rest API consumer .Net Standard 2.0 library.

Setup

Package manager

Install-Package dnMisp

.Net CLI

dotnet add package dnMisp

Available features

The beta version is very focused on the management of IOCs, and the management & administration of organisations and users has not yet been integrated.

Here is a more detailed description of what has and has not been integrated.

Supported

  • Events: Get, Add, Update, Remove, Push to ZMQ

  • Attributes: Get, Add, Update, Remove

  • Tag: Add, Remove a tag

  • Proposal: Add

  • Add, Remove:

    • malware sample
    • hashes
    • detection link
    • detection name
    • attachments
    • reg keys
    • patterns
    • pipes
    • mutex
    • yara rules
    • threat actor
    • network activity:
      • ip dest, src
      • hostname
      • domain, domain IP
      • URIs
      • user Agents
      • traffic pattern
      • snort rules
      • ASNs
      • 'other' network activities
    • email attributes (source, destination, subject, attachment, header)
    • targeting data (email, user, machine, organization, location, external)
    • internal reference (links, comments, text, others)
    • others (comments, counters, texts)

    Not yet supported:

    • galaxies & galaxy clusters
    • proposals
    • users
    • organisations
    • servers
    • feeds
    • sightings
    • warning lists
    • notice lists

    Feels free to contribute to add new or missing features !

Compatibility

.NET Standard 2+
.NET 5+
.NET Core 2+
.NET Framework 1 4.6.1+
Mono 5.4+
Xamarin.iOS 10.14+
Xamarin.Mac 3.8+
Xamarin.Android 8+
Universal Windows Platform 10.0.16299+
Unity 2018.1+

Usage

General features

How to create a new Misp consumer instance:

MispConsumer _mispClient = MispConsumer.Create<MispConsumer>(
    YourConfig.MispUri,
    YourConfig.MispAuthKey);

Getting an event by its identifier:

/* Get event by event ID */
MispEvent mispEvent = await _mispClient.GetEvent(mispEventId);

Download a malware sample by its hash:

/* Download a malware by hash */
MalwareSampleList results = (await _mispClient.DownloadMalware(md5))?.Results;

if (results == null)
	return;

foreach (var item in results)
{
    string mispEventId = item.EventId;
    string base64data = item.Base64;

    // Do stuff there
}

Using search API:

/* Search events */
RestSearchQuery query = new RestSearchQuery()
{
    Tags = new RestSearchOperator<string>
    {
        Or = {
            "ATT&CK:T1064:Scripting",
            "VT:attachment",
            "YARA:File_Is_Office_Open_XML"
        },
        Not =
        {
            "YARA:File_Is_Office_Doc"
        }
    },
    Limit = 10,
    Page = 1,
    Last = "5d"
};

List<MispEvent> events = await _mispClient.SearchEvent(query);
foreach (var @event in events)
{
    // Do stuff there
}

Playing with attributes

Getting full attribute list from a Misp event :

List<dnMisp.Objects.Attribute> attributes = await _mispClient.GetAttributesList(mispEventId);

Create Mutex attributes:

var attr = _mispClient.CreateMutex(mispEventId, mutexName, comment: "your comment here");

Create Registry Key attributes:

var attr = _mispClient.CreateRegKey(mispEventId, regKey, regValue, comment: "your comment here");

Then, you can upload any created attribute:

var response = await _mispClient.AddAttribute(mispEventId, attr);

Removing an attribute:

string response = await _mispClient.DeleteAttribute(int.Parse(v.Value), true);

Tags

Creating new tags:

string response = await _mispClient.AddTag(new TagRequest(new Tag("_TAG_NAME_", Color.FromArgb(254, Color.Orange), isExportable)));

Adding tag to a Misp Event:

string response = await _mispClient.AddTag(mispEventId, $"_TAG_NAME_");

Misp Objects

Creating malware sample Misp Object (this does not upload the sample):

MispMalware mispObj = new MispMalware(
    fileStream, // Sample stream content
    filename,	// Filename) 
{ 
    Comment = "Powered by dnMisp" // Your comment here 
};

Upload a Misp object (malware sample, script, other):

MispObjectUpload response = await _mispClient.AddObject(
    mispEventId,
    mispObj, 
    "90" // Misp Object Template ID
);

Removing a Misp object:

var response = await _mispClient.RemoveObject(v);

Credits

  • This project is under copyright of the Airbus CERT and distributed under the Apache 2.0 license
Product Compatible and additional computed target framework versions.
.NET net5.0 was computed.  net5.0-windows was computed.  net6.0 was computed.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 was computed.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed. 
.NET Core netcoreapp2.0 was computed.  netcoreapp2.1 was computed.  netcoreapp2.2 was computed.  netcoreapp3.0 was computed.  netcoreapp3.1 was computed. 
.NET Standard netstandard2.0 is compatible.  netstandard2.1 was computed. 
.NET Framework net461 was computed.  net462 was computed.  net463 was computed.  net47 was computed.  net471 was computed.  net472 was computed.  net48 was computed.  net481 was computed. 
MonoAndroid monoandroid was computed. 
MonoMac monomac was computed. 
MonoTouch monotouch was computed. 
Tizen tizen40 was computed.  tizen60 was computed. 
Xamarin.iOS xamarinios was computed. 
Xamarin.Mac xamarinmac was computed. 
Xamarin.TVOS xamarintvos was computed. 
Xamarin.WatchOS xamarinwatchos was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
1.0.2.7 435 10/12/2021
1.0.2.6 354 8/20/2021
1.0.2.5 297 8/11/2021
1.0.2.4 320 8/11/2021
1.0.2.3 325 8/11/2021
1.0.2.2 305 8/11/2021
1.0.2.1 308 8/11/2021
1.0.2 315 8/11/2021