feat(*): Use misp-objects template and check IP before API call (#2)

julienloizelet · web-flow · commit 2207616adc9e · 2024-08-23T16:58:24.000+09:00
* feat(*): Add missing moduleinfo fields

* feat(*): Use crowdsec-ip-context template from misp-objects

fix(*): Check if IP is valid before CTI call
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,16 @@ The [public API](https://semver.org/spec/v2.0.0.html#spec-item-1)  for this proj
 
 ---
 
+## [2.1.1](https://github.com/crowdsecurity/cs-misp-module/releases/tag/v2.1.1) - 2024-08-23
+[_Compare with previous release_](https://github.com/crowdsecurity/cs-misp-module/compare/v2.1.0...v2.1.1)
+
+### Fixed
+
+- Check if the IP is valid before calling CrowdSec API
+- Use `crowdsec-ip-context` template from [MISP objects repository](https://github.com/MISP/misp-objects/tree/main/objects/crowdsec-ip-context)
+
+---
+
 
 ## [2.1.0](https://github.com/crowdsecurity/cs-misp-module/releases/tag/v2.1.0) - 2024-08-22
 [_Compare with previous release_](https://github.com/crowdsecurity/cs-misp-module/compare/v2.0.0...v2.1.0)
diff --git a/dev/crowdsec-ip-context-definition.json b/dev/crowdsec-ip-context-definition.json
@@ -0,0 +1,183 @@
+{
+  "attributes": {
+    "as-name": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "Autonomous system name",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "as-num": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "Autonomous system number",
+      "disable_correlation": true,
+      "misp-attribute": "AS",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "attack-details": {
+      "description": "Triggered scenarios",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "background-noise": {
+      "description": "High background noise scores highlight untargeted, mild threat mass-attacks",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 1
+    },
+    "behaviors": {
+      "description": "Attack categories",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "city": {
+      "description": "City of origin",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "classifications": {
+      "description": "Classification category of the IP address",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "country": {
+      "description": "Country of origin",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "country-code": {
+      "description": "Country Code",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "cves": {
+      "description": "CVEs exploited by the observed IP",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "dst-port": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "Destination port",
+      "disable_correlation": true,
+      "misp-attribute": "port",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "false-positives": {
+      "description": "False positive category of the IP address",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "ip": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "IP Address",
+      "misp-attribute": "ip-src",
+      "ui-priority": 1
+    },
+    "ip-range": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "destination IP address",
+      "misp-attribute": "ip-src",
+      "ui-priority": 1
+    },
+    "ip-range-score": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "destination IP address",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 1
+    },
+    "latitude": {
+      "description": "Latitude of origin",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 1
+    },
+    "longitude": {
+      "description": "Longitude of origin",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 1
+    },
+    "mitre-techniques": {
+      "description": "MITRE ATT&CK techniques used by the observed IP",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "reputation": {
+      "description": "Real-time, actionable IP reputation score derived from trusted reports and consensus-validated data in CrowdSec CTI",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "reverse-dns": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "Reverse DNS name",
+      "misp-attribute": "hostname",
+      "ui-priority": 1
+    },
+    "scores": {
+      "description": "Scores",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "target-countries": {
+      "description": "Target countries (top 10)",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "trust": {
+      "description": "Trust level",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 1
+    }
+  },
+  "description": "CrowdSec Threat Intelligence - IP CTI search",
+  "meta-category": "network",
+  "name": "crowdsec-ip-context",
+  "requiredOneOf": [
+    "ip"
+  ],
+  "uuid": "0f0a6def-a351-4d3b-9868-d732f6f4666f",
+  "version": 4
+}
diff --git a/dev/docker-compose.override.yml b/dev/docker-compose.override.yml
@@ -2,3 +2,7 @@ services:
   misp-modules:
     volumes:
       - ../cs-misp-module/src/misp_modules/modules/expansion/crowdsec.py:/usr/local/lib/python3.12/site-packages/misp_modules/modules/expansion/crowdsec.py
+      - ../cs-misp-module/dev/crowdsec-ip-context-definition.json:/usr/local/lib/python3.12/site-packages/pymisp/data/misp-objects/objects/crowdsec-ip-context/definition.json
+
+
+
diff --git a/docs/DEVELOPER.md b/docs/DEVELOPER.md
@@ -75,7 +75,10 @@ git clone git@github.com:misp/misp-docker.git
 Before running the docker environment, we need to create a volume so that our local sources are mounted in the misp-modules container.
 
 **Warning**: The python version that is hard-coded in the `docker-compose.override.yml` may change: it should be same version that is used by the misp-modules container.
-Please look the `python_version` value at the end of the `misp-modules/Pipfile` file.
+
+**Warning 2**: You can comment `the crowdsec-ip-context-definition.json` if you want to use the definition coming from 
+the [MISP Objects repository](https://github.com/MISP/misp-objects/blob/main/objects/crowdsec-ip-context/definition.json).
+If you need to modify the definition during the development, you can uncomment it and modify the`cs-misp-module/dev/crowdsec-ip-context-definition.json` file.
 
 ```bash
 cp cs-misp-module/dev/docker-compose.override.yml misp-docker/
@@ -212,18 +215,20 @@ Before creating a release, ensure to format correctly the `CHANGELOG.md` file an
 
 Then, you can use the [Create Release action](https://github.com/crowdsecurity/cs-misp-module/actions/workflows/release.yml).
 
+For the rest of the process, we will use the release version `vX.Y.Z` as an example.
+
 #### Retrieve zip for release
 
 At the end of the Create Release action run, you can download a zip containing the relevant files.  
 
 #### Create a branch for the Pull Request
 
-If your release is `vX.Y.Z`, you can create a `feat/release-X.Y.Z` branch:
+If your release `vX.Y.Z` has been published on `YYYY-MM-DD`, you can create a `feat/release-YYYYMMDD` branch:
 
 ```shell
 cd misp-modules
 git checkout amin
-git checkout -b feat/release-X.Y.Z
+git checkout -b feat/release-YYYYMMDD
 ```
 
 #### Update sources
@@ -239,7 +244,6 @@ Then, unzip the `crowdsec-misp-module-X.Y.Z.zip` archive and copy files in the r
 - `src/misp_modules/modules/expansion/crowdsec.py` -> `misp_modules/modules/expansion/crowdsec.py`
 
 
-
 Now, you can verify the diff.
 
 Once all seems fine, add and commit your modifications:
@@ -258,7 +262,7 @@ Change
 services:
   misp-modules:
     volumes:
-      - ../cs-misp-module/src/misp_modules/modules/expansion/crowdsec.py:/usr/local/lib/python?.??/site-packages/misp_modules/modules/expansion/crowdsec.py
+      - ../cs-misp-module/src/misp_modules/modules/expansion/crowdsec.py:/usr/local/lib/python3.12/site-packages/misp_modules/modules/expansion/crowdsec.py
 
 ```
 
@@ -268,78 +272,64 @@ to
 services:
   misp-modules:
     volumes:
-      - ../misp-modules/misp_modules/modules/expansion/crowdsec.py:/usr/local/lib/python?.??/site-packages/misp_modules/modules/expansion/crowdsec.py
+      - ../misp-modules/misp_modules/modules/expansion/crowdsec.py:/usr/local/lib/python3.12/site-packages/misp_modules/modules/expansion/crowdsec.py
 
 ```
 
+**Beware**: The python version that is hard-coded in the `docker-compose.override.yml` may change: it should be same version that is used by the misp-modules container.
+
 
 #### Open a Pull request
 
 Push your modification 
 
 ```shell
-git push origin feat/release-X.Y.Z
+git push origin feat/release-YYYYMMDD
 ```
 
-Now you can use the `feat/release-X.Y.Z` branch to open a pull request in the MISP modules repository.
+Now you can use the `feat/release-YYYYMMDD` branch to open a pull request in the MISP modules repository.
 For the pull request description, you could use the release version description that you wrote in the `CHANGELOG.md` file.
 
 
-
 ### During the pull request review
 
-As long as the pull request is in review state, we should not create a new release. 
-If there are modifications to do, we can do it directly on the `feat/release-X.Y.Z`. 
-All changes made to pass the pull request review must be back ported to a `feat/pr-review-X.Y.Z` branch created in this repository:
+If there are modifications to do, we use the `feat/pr-<pr-number>-ongoing` branch to do them: 
 
 ```shell
 cd cs-misp-module
 git checkout main
-git checkout -b feat/pr-review-X.Y.Z
+git checkout -b feat/pr-<pr-number>-ongoing
 ```
 
-### Once pull request is merged
+We have to update `feat/release-YYYYMMDD` and `feat/pr-<pr-number>-ongoing` branches simultaneously.
 
-If pull request has been merged without any modification, there is nothing more to do.
+If modifications are related to the public API of the module (defined at the top of `CHANGELOG.md`), a new release (patch, minor or major depending on the changes) 
+should be created. The release zip archive will be used to update once again the `feat/release-YYYYMMDD` in `misp-modules` fork, updating automatically the current pull request.
 
-If there were modifications, we need to update the sources anc create a patch release.
+If modifications are not related to the public API, the `feat/release-YYYYMMDD` and `feat/pr-<pr-number>-ongoing` branches should be updated directly.
 
-#### Sync fork with upstream
 
-First, sync the connector fork like we did [here](#sync-fork-with-upstream). 
+### Once pull request is merged
 
-#### Retrieve last version
+Pull Request should have been merged without any modification related to the public API of the module (defined at the top of `CHANGELOG.md`).
 
-After this, you should have the last version of the CrowdSec module in `misp_modules/modules/expansion/crowdsec.py`.
+Thus, it should be unnecessary to create a new release.
 
-You need to retrieve it and commit the differences.
+To backport remaining modifications (test files, documentation, etc.) to the `main` branch, we can merge the `feat/pr-<pr-number>-ongoing` branch into `main`:
 
 ```shell
 cd cs-misp-module
-git checkout feat/pr-review-X.Y.Z
-```
-
-Delete `src/misp_modules/modules/expansion/crowdsec.py`.
-
-Copy all files from the modules fork: 
-
-```
-cp -r ../misp-modules/misp_modules/modules/expansion/crowdsec.py ./src/misp_modules/modules/expansion/crowdsec.py
+git checkout main
+git merge feat/pr-<pr-number>-ongoing
+git push origin main
 ```
 
-Add and commit the result. Push the `feat/pr-review-X.Y.Z` and merge it into `main` with a pull request.
 
 
-#### Create a new minor release
 
-Once the `main` branch is updated, you can create a new minor `X.Y.Z+1` release with the following CHANGELOG content:
 
-```
-## Changed
 
-- Synchronize content with MISP modules release [A.B.C](https://github.com/MISP/misp-modules/releases/tag/A.B.C)
 
-```
 
 
 
diff --git a/src/misp_modules/modules/expansion/crowdsec.py b/src/misp_modules/modules/expansion/crowdsec.py
diff --git a/tests/resources/malicious_ip_result.json b/tests/resources/malicious_ip_result.json
