dnMisp is a simple .NET Standard 2.0 library for consuming the MISP REST API.
```
Install-Package dnMisp
dotnet add package dnMisp
```
The beta version focuses on the management of IOCs; the management and administration of organisations and users have not yet been integrated.
Here is a more detailed description of what has and has not been integrated.
- Events: Get, Add, Update, Remove, Push to ZMQ
- Attributes: Get, Add, Update, Remove
- Tag: Add, Remove a tag
- Proposal: Add
- Add, Remove:
  - malware sample
  - hashes
  - detection link
  - detection name
  - attachments
  - reg keys
  - patterns
  - pipes
  - mutex
  - yara rules
  - threat actor
  - network activity:
    - ip dest, src
    - hostname
    - domain, domain IP
    - URIs
    - user Agents
    - traffic pattern
    - snort rules
    - ASNs
    - 'other' network activities
  - email attributes (source, destination, subject, attachment, header)
  - targeting data (email, user, machine, organization, location, external)
  - internal reference (links, comments, text, others)
  - others (comments, counters, texts)
- galaxies & galaxy clusters
- proposals
- users
- organisations
- servers
- feeds
- sightings
- warning lists
- notice lists
Feel free to contribute new or missing features!
Platform | Minimum version |
---|---|
.NET Standard | 2+ |
.NET | 5+ |
.NET Core | 2+ |
.NET Framework | 4.6.1+ |
Mono | 5.4+ |
Xamarin.iOS | 10.14+ |
Xamarin.Mac | 3.8+ |
Xamarin.Android | 8+ |
Universal Windows Platform | 10.0.16299+ |
Unity | 2018.1+ |
How to create a new MISP consumer instance:

```csharp
MispConsumer _mispClient = MispConsumer.Create<MispConsumer>(
    YourConfig.MispUri,
    YourConfig.MispAuthKey);
```
Getting an event by its identifier:

```csharp
/* Get event by event ID */
MispEvent mispEvent = await _mispClient.GetEvent(mispEventId);
```
Download a malware sample by its hash:

```csharp
/* Download a malware by hash */
MalwareSampleList results = (await _mispClient.DownloadMalware(md5))?.Results;
if (results == null)
    return;

foreach (var item in results)
{
    string mispEventId = item.EventId;
    string base64data = item.Base64;
    // Do stuff there
}
```
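One way to handle the `Base64` payload inside the loop above, as an added example that is not part of dnMisp: the hypothetical `SampleQuarantine.Save` helper validates the hash and event ID before using them in a file name and writes the bytes exactly as received, without unpacking or running them. The size limit, the `.quarantine` extension and the assumption that event IDs are numeric are choices made for this example.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// Hypothetical helper (not part of dnMisp): stores a downloaded sample as inert data.
// Usage inside the foreach loop: SampleQuarantine.Save(dir, md5, item.EventId, item.Base64);
public static class SampleQuarantine
{
    // Assumed limit; tune it to the largest sample you expect from your MISP instance.
    private const int MaxBase64Chars = 64 * 1024 * 1024;

    // \A and \z anchor the whole string; "$" would also accept a trailing newline.
    private static readonly Regex Md5Hex = new Regex(@"\A[0-9a-fA-F]{32}\z");
    private static readonly Regex Digits = new Regex(@"\A[0-9]{1,20}\z");

    public static string Save(string quarantineDir, string md5, string eventId, string base64)
    {
        // The file name is built only from validated values, never from a
        // server-supplied file name, so it cannot escape quarantineDir.
        if (md5 == null || !Md5Hex.IsMatch(md5))
            throw new ArgumentException("Expected a 32-character hex MD5.", nameof(md5));
        if (eventId == null || !Digits.IsMatch(eventId))
            throw new ArgumentException("Expected a numeric event ID.", nameof(eventId));
        if (string.IsNullOrEmpty(base64) || base64.Length > MaxBase64Chars)
            throw new ArgumentException("Payload is empty or too large.", nameof(base64));

        // Throws FormatException if the payload is not valid Base64.
        byte[] data = Convert.FromBase64String(base64);

        Directory.CreateDirectory(quarantineDir);
        string path = Path.Combine(quarantineDir,
            $"event{eventId}_{md5.ToLowerInvariant()}.quarantine");

        // CreateNew refuses to overwrite an existing file; the bytes are written
        // as received and are never opened, unpacked or executed here.
        using (var fs = new FileStream(path, FileMode.CreateNew, FileAccess.Write, FileShare.None))
        {
            fs.Write(data, 0, data.Length);
        }

        return path;
    }
}
```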
Using the search API:

```csharp
/* Search events */
RestSearchQuery query = new RestSearchQuery()
{
    Tags = new RestSearchOperator<string>
    {
        Or = {
            "ATT&CK:T1064:Scripting",
            "VT:attachment",
            "YARA:File_Is_Office_Open_XML"
        },
        Not =
        {
            "YARA:File_Is_Office_Doc"
        }
    },
    Limit = 10,
    Page = 1,
    Last = "5d"
};

List<MispEvent> events = await _mispClient.SearchEvent(query);
foreach (var @event in events)
{
    // Do stuff there
}
```
Getting the full attribute list from a MISP event:

```csharp
List<dnMisp.Objects.Attribute> attributes = await _mispClient.GetAttributesList(mispEventId);
```

Create Mutex attributes:

```csharp
var attr = _mispClient.CreateMutex(mispEventId, mutexName, comment: "your comment here");
```

Create Registry Key attributes:

```csharp
var attr = _mispClient.CreateRegKey(mispEventId, regKey, regValue, comment: "your comment here");
```

Then, you can upload any created attribute:

```csharp
var response = await _mispClient.AddAttribute(mispEventId, attr);
```

Removing an attribute:

```csharp
string response = await _mispClient.DeleteAttribute(int.Parse(v.Value), true);
```

Creating new tags:

```csharp
string response = await _mispClient.AddTag(new TagRequest(new Tag("_TAG_NAME_", Color.FromArgb(254, Color.Orange), isExportable)));
```

Adding a tag to a MISP event:

```csharp
string response = await _mispClient.AddTag(mispEventId, "_TAG_NAME_");
```
Creating a malware sample MISP object (this does not upload the sample):

```csharp
MispMalware mispObj = new MispMalware(
    fileStream, // Sample stream content
    filename)   // Filename
{
    Comment = "Powered by dnMisp" // Your comment here
};
```
Upload a MISP object (malware sample, script, other):

```csharp
MispObjectUpload response = await _mispClient.AddObject(
    mispEventId,
    mispObj,
    "90" // Misp Object Template ID
);
```

Removing a MISP object:

```csharp
var response = await _mispClient.RemoveObject(v);
```
- This project is under copyright of the Airbus CERT and distributed under the Apache 2.0 license