MISP-Dashboard, real-time visualization of MISP events

You are running a MISP instance and you want to visualize the MISP events in real-time?

MISP-Dashboard can do that! An example :

Vimeo video :

In this post I will walk you through how to setup MISP-Dashboard, based on the event data made available via botvrij.eu.

MISP-Dashboard

MISP-Dashboard is a new repository showing live data and statistics from the MISP ZMQ. It means you need to have MISP-ZMQ configured.

MISP-ZMQ

The MISP ZeroMQ plugin allows real-time integration of the MISP activities (event publication, attribute creation or removal, sighting) via a flexible publish-subscribe model. The configuration and setup is described in the MISP handbook.

In essence you need to enable ZeroMQ in the MISP plugins. Before doing so (if not already done), make sure that there is PHP support for Redis

sudo apt-get install php-redis

and then go to the Diagnostics page. First check that redis is enabled.

Then, on the same Diagnostics page, Start ZeroMQ and verify that it’s working properly via the Status button.

Install MISP-Dashboard

Fetch the latest MISP-Dashboard repository.

git clone https://github.com/MISP/misp-dashboard.git

The repository contains a script to install dependencies but in my setup this did not cover everything. So I had to install these dependencies manually

sudo apt-get install python-virtualenv libzmq5-dev python3-dev python3-zmq

and then install the required dependencies (make sure you are in the directory of misp-dashboard)

./install_dependencies.sh

MISP-Dashboard also needs Flask (for the dashboard webserver) and redis support for Python.

sudo apt-get install python3-flask python3-redis

Configure MISP-Dashboard

The configuration of MISP-Dashboard can be found in the file config/config.cfg. I kept most of the default settings, except these

[RedisGlobal]
host=localhost
port=6379

[RedisLog]
db=0
channel=1
zmq_url=tcp://localhost:50000

Start MISP-Dashboard

You must first activate your virtualenv

. ./DASHENV/bin/activate

and then listen to the MISP feed by starting the zmq_subscribe

./zmq_subscriber.py

The visualization is done via Flesk. By default Flesk will run on localhost. You can either change this or tunnel the port via an SSH connection

ssh -L 8001:127.0.0.1:8001 misp.myhost.tld

Start the server (also from the virtualenv)

. ./DASHENV/bin/activate
./server.py

Patch MISP-Dashboard

When I ran zmq_subscribe and published an event to ZeroMQ I got an error

redis.exceptions.ResponseError: unknown command 'GEOADD'

I temporarily patched it by disabling serv_redis_db.geoadd in the function push_to_redis_geo

def push_to_redis_geo(keyCateg, lon, lat, content):
    now = datetime.datetime.now()
    today_str = str(now.year)+str(now.month)+str(now.day)
    keyname = "{}:{}".format(keyCateg, today_str)
    #serv_redis_db.geoadd(keyname, lon, lat, content)

Also see https://github.com/MISP/misp-dashboard/issues/1

Publish events to ZMQ

Publishing events to ZMQ is easy. Open the event and in the left menu choose Publish event to ZMQ