Malware Information Sharing Platform (MISP) Now Offering Farsight DNSDB Flexible Search Capabilities
By Boris Taratine and Christian Studer
The Malware Information Sharing Platform (MISP) has released an updated Farsight DNSDB Passive DNS module, a hover-and-expansion module that expands hostname and IP address attributes with passive DNS information, to its platform users. The author of the new MISP module is Christophe Vandeplas.
MISP modules are autonomous pieces of Python code that can be run separately from your MISP installation and can be used to either populate MISP events with data imported from an external source, or enrich already existing data, for example by querying an external API to gather additional information. The latter is the use case for the farsight_passivedns module.
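To make the enrichment flow concrete, here is an added example in the style of a misp-modules expansion module. It is not the project's farsight_passivedns code; it mirrors the usual handler, introspection and version contract, but instead of calling the live DNSDB API it parses a constructed response. The config key names (apikey, server, limit), the DNSDB record field names and the sample records are assumptions made for the example.

```python
"""Minimal enrichment module in the misp-modules style (added example).

The handler receives the attribute to enrich plus the module config as a JSON
string, looks the value up in a passive DNS source and returns new attributes
in the response shape MISP merges into the event.  Network access is replaced
by a constructed DNSDB-style response so the example runs offline.
"""
import json

misperrors = {"error": "Error"}
mispattributes = {
    "input": ["hostname", "domain", "ip-src", "ip-dst"],
    "output": ["hostname", "domain", "ip-src", "ip-dst"],
}
moduleinfo = {
    "version": "0.1",
    "author": "example",
    "description": "Passive DNS enrichment (illustrative)",
    "module-type": ["expansion", "hover"],
}
# Config keys are assumptions; they stand in for the settings set in the MISP GUI.
moduleconfig = ["apikey", "server", "limit"]

# Constructed sample in newline-delimited JSON framing (assumed DNSDB v2 shape):
# a begin frame, one object per record, and a terminating condition frame.
SAMPLE_RESPONSE = "\n".join([
    '{"cond":"begin"}',
    '{"obj":{"rrname":"www.example.com.","rrtype":"A","rdata":["203.0.113.10"],'
    '"count":42,"time_first":1262304000,"time_last":1609459200}}',
    '{"obj":{"rrname":"www.example.com.","rrtype":"CNAME","rdata":["edge.example.net."],'
    '"count":7,"time_first":1262304000,"time_last":1500000000}}',
    '{"cond":"succeeded"}',
])


def fetch_passive_dns(value, config):
    """Stand-in for the HTTP request to config['server']; returns sample data."""
    return SAMPLE_RESPONSE


def parse_dnsdb_stream(text, limit):
    """Parse framed records; stop at `limit` or at the terminating condition."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame = json.loads(line)
        if "cond" in frame:
            if frame["cond"] == "begin":
                continue
            if frame["cond"] in ("succeeded", "limited"):
                break
            raise ValueError("passive DNS query failed: %s" % frame.get("msg", frame["cond"]))
        records.append(frame["obj"])
        if len(records) >= limit:
            break
    return records


def records_to_attributes(records):
    """Map passive DNS rdata to MISP attribute types, de-duplicating values."""
    results, seen = [], set()
    for rec in records:
        rrtype = rec["rrtype"]
        for rdata in rec["rdata"]:
            value = rdata.rstrip(".")
            if rrtype in ("A", "AAAA"):
                attr_type = "ip-dst"
            elif rrtype in ("CNAME", "NS", "MX", "PTR"):
                attr_type = "hostname"
            else:
                continue  # other record types are not turned into attributes here
            if (attr_type, value) in seen:
                continue
            seen.add((attr_type, value))
            results.append({
                "types": [attr_type],
                "values": [value],
                "comment": "%s %s seen %d times" % (rec["rrname"], rrtype, rec["count"]),
            })
    return results


def handler(q=False):
    """misp-modules entry point: q is the request as a JSON string."""
    if q is False:
        return False
    request = json.loads(q)
    config = request.get("config") or {}
    if not config.get("apikey"):
        return {"error": "A DNSDB API key is required"}
    attr_type = next((t for t in mispattributes["input"] if t in request), None)
    if attr_type is None:
        return misperrors
    limit = int(config.get("limit", 50))
    try:
        records = parse_dnsdb_stream(fetch_passive_dns(request[attr_type], config), limit)
    except ValueError as exc:
        return {"error": str(exc)}
    return {"results": records_to_attributes(records)}


def introspection():
    return mispattributes


def version():
    moduleinfo["config"] = moduleconfig
    return moduleinfo
```

The `limit` handling is the part worth copying: a passive DNS lookup on a busy name can return far more records than an analyst wants merged into an event, so the module stops reading at the configured count rather than attaching everything it receives.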
To utilise this module, you will need to update it if you haven't already. To do so, please follow the steps in the MISP Documentation.
The next step is to enable the module in the MISP GUI under Administration > Server Settings & Maintenance > Plugin settings > Enrichment:
You will also need to provide your DNSDB API key (a trial version is available), the API endpoint https://api.dnsdb.info, restrict the usage to your organisation, and define the number of results returned. These required settings are defined here.
Note: if you need to install the MISP modules, we strongly recommend that you follow the steps described here.
After this initial setup, the module will become available for the enrichment of events:
The way it works is as follows:
Let's say you have an event on your MISP server, at the time of this writing, with a 'hostname', 'domain', 'ip-src' or 'ip-dst' attribute that you want to query using the Farsight DNSDB API.
To use the module, open the event you want to enrich:
Position the mouse cursor near the asterisk on the right side of the event and click:
In the pop-up window, choose and click on the farsight_passivedns module:
The module will be activated, and you will receive the results from DNSDB:
Upon review, you can submit the results by clicking on the Submit button at the bottom of the screen:
Once submitted, the results will appear attached to the event:
You may elect to share these results across the MISP platform for further investigations and collaboration.
Note: right next to the attribute values, you can also find a small lookup icon that you can click on to get a hover result. Be aware that, depending on the modules you have available, it might take time to get the results. This is because all the modules available for the given attribute type are run at the same time. The results in this case are only displayed and will not be merged into the event.
Moving forward, Farsight Security Inc. and CIRCL plan to work closely together to further improve this module and ensure the full power of the DNSDB API v2 and Flexible Search capabilities is unleashed to the MISP community of worldwide defenders.
Let's work together to make the internet a safer place for everyone.
Farsight DNSDB is the world's largest historical passive DNS database, with more than 100 billion DNS records dating back to 2010.
The MISP threat sharing platform, developed and maintained by CIRCL (Computer Incident Response Center Luxembourg), is free and open source software that supports the sharing of threat intelligence, including cybersecurity indicators. MISP modules are autonomous modules that can be used for expansion and other services in MISP.
Boris Taratine is a Principal Architect for Farsight Security, Inc.
Christian Studer is with CIRCL - Computer Incident Response Center Luxembourg.