Documentation about "Hover" and "Expansion"

[giray]

There is no documentation about "hover" and "expansion" that is supposed to come with the misp-modules.

[iglocska]

Sorry, missclick, didn't mean to close the issue.

[adulau]

Indeed the misp-book is not up-to-date with the misp-modules documentation

For the definition of hover and expansion:

https://github.com/MISP/misp-modules#module-type

We will have a look to update misp-book asap.

[giray]

Yeah I found that piece of documentation, however, it does not explain HOW its being utilized within MISP itself. Currently I'm struggling with it not doing anything at all. I'd expect MISP to make calls to port 6666 where the misp-modules application is running. It is configured under Administration -> Server Settings -> Plugins -> Enrichment. However no calls. Hence I'm wondering if I'm doing something wrong on the user end ...

[iglocska]

The modules should always show up in the enrichment settings, the hover / enrichment options shouldn't matter. The only difference between the two is what MISP is allowed to use the modules for:

Hover: If this is enabled MISP will query the module when a user hovers over an attribute with a matching type with the module's input mispattributes.

Enrichment: If this is enabled the small "explosion" icon will show up in the actions field of each attribute when viewing an event that is eligible to be used by the enrichment (again using the input part of the mispattributes).

Is there any chance you could share the module that you're working on? I can test it and check what's going wrong.

[giray]

I'm using the current modules that come with misp-modules, so based on your description I do expect something to pop up when hovering over an IP address, as the example attribute below, though I don't see anything happening, and don't see a "explosion" icon. I have "Propose Edit", "Propose Delete", "Edit" and "Delete"

Payload delivery | ip-src | 142.122.37.211 | E-mail Source IP | Yes |Inherit | 0 (0)

[iglocska]

Hmph. Can you paste the output of misp modules when you start the system?

[giray]

sure ...

/opt/Intelligence/MISP/misp-modules# 2016-08-04 10:38:49,290 - misp-modules - INFO - Helpers loaded cache.py 
2016-08-04 10:38:49,291 - misp-modules - INFO - MISP modules cve imported
2016-08-04 10:38:49,292 - misp-modules - INFO - MISP modules dns imported
2016-08-04 10:38:49,292 - misp-modules - INFO - MISP modules ipasn imported
2016-08-04 10:38:49,293 - misp-modules - INFO - MISP modules eupi imported
2016-08-04 10:38:49,296 - misp-modules - INFO - MISP modules passivetotal imported
2016-08-04 10:38:49,296 - misp-modules - INFO - MISP modules circl_passivedns imported
2016-08-04 10:38:49,297 - misp-modules - INFO - MISP modules sourcecache imported
2016-08-04 10:38:49,298 - misp-modules - INFO - MISP modules asn_history imported
2016-08-04 10:38:49,298 - misp-modules - INFO - MISP modules circl_passivessl imported
2016-08-04 10:38:49,301 - misp-modules - INFO - MISP modules server started on localhost port 6666