Getting started with MISP, Malware Information Sharing Platform & Threat Sharing – part 3

MISP

In the two previous posts on MISP I covered the basic installation, configuration and usage of MISP, Malware Information Sharing Platform & Threat Sharing.

Visit the page from CIRCL.lu to get a good overview of the possibilities of MISP and a description of a practical use case.

If you need (commercial) support you should visit http://www.misp-project.org/.

This post will list a few useful configuration quirks or remarks that I encountered when using MISP.

MISP – Configuration

Detailed MISP email subject

By default, the subject line of a MISP notification message only contains the event ID and severity. There are situations where you’d like to have more details in the subject so that you can already judge whether the information needs immediate action.

The setting MISP.extended_alert_subject allows you to have an extended subject. One word of warning though: if you're using encryption, the subject line is not encrypted. Be aware that you might leak sensitive information (such as the event title) this way. Below is an example of how the two subject types look, first with the option disabled, then with the option enabled.

```
Event 7 - Low - TLP Amber
Event 8 - OSINT - Dissecting  XXX... - Low - TLP Amber
```

Restarting the workers

If for one reason or another you have to restart the workers from the command line, then you have to take special care to check the log permissions. If you restart the workers as root, the worker log files will be created owned by root and the web server user can no longer write to them. Restarting the workers is done via:

```
/var/www/MISP/app/Console/worker/start.sh
```

Have a look at the logs. They should all be owned by www-data:

```
ls -l /var/www/MISP/app/tmp/logs/
```

If needed, you can change the ownership:

```
chown www-data /var/www/MISP/app/tmp/logs/*
```

Redirect MISP HTTP to HTTPS

The data that you store in MISP can be sensitive, so ideally you only make it accessible via a secure website (HTTPS). For user convenience you should redirect plain HTTP requests to the HTTPS site. This can all be done via the Apache configuration.

```apache
# Port 80 serves nothing itself; every request is sent to the HTTPS site.
<VirtualHost *:80>
        ServerAdmin misp@misp.misp
        ServerName misp.misp.misp
        ServerAlias misp-int.misp.misp

        # The trailing slash on the target matters: Redirect appends the rest
        # of the request path to it, so without the slash a request for
        # /events would be sent to https://misp.misp.mispevents
        Redirect permanent / https://misp.misp.misp/

        LogLevel warn
        ErrorLog /var/log/apache2/misp.local_error.log
        CustomLog /var/log/apache2/misp.local_access.log combined
        ServerSignature Off
</VirtualHost>

# The actual MISP site, HTTPS only.
<VirtualHost *:443>
        ServerAdmin misp@misp.misp
        ServerName misp.misp.misp
        ServerAlias misp-int.misp.misp

        DocumentRoot /var/www/MISP/app/webroot
        <Directory /var/www/MISP/app/webroot>
                # No directory listings; .htaccess from MISP is honoured.
                Options -Indexes
                AllowOverride all
                # Order/allow are the Apache 2.2 access directives (provided by
                # mod_access_compat on 2.4). On Apache 2.4 use: Require all granted
                Order allow,deny
                allow from all
        </Directory>

        SSLEngine On
        SSLCertificateFile /etc/ssl/misp.misp.misp/misp.crt
        SSLCertificateKeyFile /etc/ssl/misp.misp.misp/misp.key
        SSLCertificateChainFile /etc/ssl/misp.misp.misp/mispCA.crt

        LogLevel warn
        ErrorLog /var/log/apache2/misp.local_error.log
        CustomLog /var/log/apache2/misp.local_access.log combined
        ServerSignature Off
</VirtualHost>
```

Define the default sharing level

MISP allows you to define the group of people with whom you want to share your threat data. If you do not set your preferred default, it is likely that at some point you will make a mistake and share your intel with the wrong group. The default sharing level is set with the setting default_event_distribution in the configuration file. The possible levels are:

  • 0 : Your organisation only (default)
  • 1 : This community only
  • 2 : Connected communities
  • 3 : All communities

You can set a similar configuration setting for the attributes. The setting default_attribute_distribution takes the same values as default_event_distribution. Additionally it accepts the value event, which makes the attribute inherit the distribution of the event to which it belongs.
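As an added example (not MISP's own code), the following Python models the distribution levels listed above and resolves what an attribute is effectively shared as when default_attribute_distribution is "event", then audits a config mapping against a house limit. The dict standing in for config.php, the fallback of "event" for a missing attribute default, and the rule that an explicit attribute level is capped at the event's level are assumptions of this example, not statements from the post.

```python
"""Model of MISP's event and attribute distribution settings.

Added example, not MISP's own code. It uses the levels listed in the post
(0-3 for default_event_distribution, the same plus the special value "event"
for default_attribute_distribution) to resolve what an attribute will
actually be shared as, and to audit a config against a house limit.
Assumption for this example: an attribute is never shared more widely than
its parent event, so an explicit attribute level is capped at the event level.
"""

# Levels exactly as listed in the post: setting value -> meaning.
DISTRIBUTION_LEVELS = {
    0: "Your organisation only",
    1: "This community only",
    2: "Connected communities",
    3: "All communities",
}

# Attribute-only value: take the distribution of the event the attribute belongs to.
INHERIT_FROM_EVENT = "event"


def parse_distribution(value, allow_inherit=False):
    """Validate a raw setting value (int or string, as read from a config file).

    Returns an int level 0-3, or INHERIT_FROM_EVENT when allowed; raises
    ValueError for anything else so a typo in the config is caught early.
    """
    if isinstance(value, str):
        value = value.strip()
        if value == INHERIT_FROM_EVENT:
            if not allow_inherit:
                raise ValueError("'event' is only valid for attribute distribution")
            return INHERIT_FROM_EVENT
        if not value.isdigit():
            raise ValueError(f"unknown distribution value {value!r}")
        value = int(value)
    if value not in DISTRIBUTION_LEVELS:
        raise ValueError(f"distribution must be 0-3, got {value!r}")
    return value


def effective_attribute_distribution(event_distribution, attribute_distribution):
    """Level an attribute ends up with: 'event' inherits from the event, an
    explicit level is capped at the event's level (assumption, see above)."""
    event_level = parse_distribution(event_distribution)
    attr_level = parse_distribution(attribute_distribution, allow_inherit=True)
    if attr_level == INHERIT_FROM_EVENT:
        return event_level
    return min(attr_level, event_level)


def audit_defaults(config, max_allowed_level=1):
    """Return findings for a config mapping (a dict standing in for the relevant
    keys of config.php) whose defaults are wider than max_allowed_level.

    A missing event default falls back to 0 (the post's default); a missing
    attribute default falls back to "event" (an assumption of this example).
    """
    event_default = parse_distribution(config.get("default_event_distribution", 0))
    attr_default = parse_distribution(
        config.get("default_attribute_distribution", INHERIT_FROM_EVENT), allow_inherit=True
    )
    findings = []
    if event_default > max_allowed_level:
        findings.append(
            f"default_event_distribution={event_default} ({DISTRIBUTION_LEVELS[event_default]}) "
            f"is wider than allowed level {max_allowed_level}"
        )
    effective = effective_attribute_distribution(event_default, attr_default)
    if effective > max_allowed_level:
        findings.append(
            f"default_attribute_distribution={attr_default!r} resolves to {effective} "
            f"({DISTRIBUTION_LEVELS[effective]}), wider than allowed level {max_allowed_level}"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample config: events go to all communities, attributes inherit.
    sample = {"default_event_distribution": "3", "default_attribute_distribution": "event"}
    for finding in audit_defaults(sample):
        print(finding)
```

Running the module with the constructed sample prints two findings, because an inherited attribute default is exactly as wide as the event default; lowering max_allowed_level is the knob to express how far your organisation is willing to share by default.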

Unable to save a user GPG key

If you want to include the GPG keys from your users then you have to make sure that the .gnupg directory is writable and readable by the web-user.

```
drwx------  2 www-data www-data  4096 May 28 21:23 .gnupg
```
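The two manual checks above (worker logs owned by www-data after a restart, and a .gnupg directory the web user can read and write) can be scripted. The following Python is an added example, not MISP's own code; the user name, the log directory and the 0700 mode expected for .gnupg are taken from the post's listings, and the demo tree it builds is constructed sample data for trying the checks without a MISP install.

```python
"""Ownership and permission checks for MISP's web user.

Added example, not MISP's own code. It turns two manual checks from the post
into functions: worker logs under /var/www/MISP/app/tmp/logs/ must be owned
by www-data after a restart as root, and the .gnupg directory must be readable
and writable by the web user (the post's listing shows it as drwx------).
Paths and user name are parameters; the defaults are the ones from the post.
"""
import os
import pwd
import stat
import tempfile

WEB_USER = "www-data"                      # Apache user as in the post
LOG_DIR = "/var/www/MISP/app/tmp/logs/"    # worker log directory from the post


def files_not_owned_by(directory, owner):
    """Return the entries directly under `directory` not owned by user `owner`.
    Scripted form of: ls -l /var/www/MISP/app/tmp/logs/"""
    expected_uid = pwd.getpwnam(owner).pw_uid
    wrong = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.lstat(path).st_uid != expected_uid:
            wrong.append(path)
    return wrong


def gnupg_dir_problems(directory, owner):
    """Findings for a .gnupg directory: it must exist, be a directory owned by
    `owner`, give the owner rwx, and (as in the post's listing, drwx------)
    not be accessible to group or others."""
    try:
        st = os.lstat(directory)
    except FileNotFoundError:
        return [f"{directory}: does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{directory}: not a directory"]
    problems = []
    if st.st_uid != pwd.getpwnam(owner).pw_uid:
        problems.append(f"{directory}: not owned by {owner}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o700 != 0o700:
        problems.append(f"{directory}: owner lacks rwx (mode {mode:04o})")
    if mode & 0o077:
        problems.append(f"{directory}: accessible to group/others (mode {mode:04o}), expected 0700")
    return problems


def fix_ownership(paths, owner):
    """chown each path to `owner`, the scripted form of the post's
    chown www-data /var/www/MISP/app/tmp/logs/*  (needs root for files you
    do not own). Returns the paths that were changed."""
    uid = pwd.getpwnam(owner).pw_uid
    for path in paths:
        os.chown(path, uid, -1)   # -1 leaves the group untouched
    return list(paths)


def build_demo_tree():
    """Constructed sample layout for trying the checks without a MISP install:
    logs/ with one log file, a correct .gnupg (0700) and a too-open one (0755).
    Returns (root, owner) where owner is the current user."""
    root = tempfile.mkdtemp(prefix="misp-demo-")
    os.mkdir(os.path.join(root, "logs"))
    with open(os.path.join(root, "logs", "worker-demo.log"), "w") as fh:
        fh.write("constructed sample log line\n")
    os.mkdir(os.path.join(root, ".gnupg"))
    os.chmod(os.path.join(root, ".gnupg"), 0o700)
    os.mkdir(os.path.join(root, ".gnupg-open"))
    os.chmod(os.path.join(root, ".gnupg-open"), 0o755)
    return root, pwd.getpwuid(os.getuid()).pw_name


if __name__ == "__main__":
    root, owner = build_demo_tree()
    print("wrong owner:", files_not_owned_by(os.path.join(root, "logs"), owner))
    print("gnupg ok:   ", gnupg_dir_problems(os.path.join(root, ".gnupg"), owner))
    print("gnupg open: ", gnupg_dir_problems(os.path.join(root, ".gnupg-open"), owner))
```

On a real instance call files_not_owned_by(LOG_DIR, WEB_USER) right after running start.sh and pass its result to fix_ownership; the demo tree only exists so the checks can be exercised as the current user.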

Images and MISP

MISP can be made more appealing to the eye by adding some graphics. You can set your organisation logo by adding an image (.png) that has the same name as your organisation in the directory

```
/var/www/MISP/app/webroot/img/orgs/
```

Similarly you can add a footer logo. Add an image to the directory

```
/var/www/MISP/app/webroot/img/custom/
```

and define the footer logo in the config file (config.php).

4 thoughts on “Getting started with MISP, Malware Information Sharing Platform & Threat Sharing – part 3”

  1. Hi and thanks for your explanation.

    I've a lab with 3 MISPs. They can sync events if they're distributed to ‘all’ (distrib setting), but if I use another distribution like connected communities or else nothing happens… I've tried to understand the content of the manual but it's not understandable for me :). I'm certainly stupid but can you explain what a community is and how to use the other distribution models plz.

    Thx a lot!

  2. Hello Raph,

    You will have to make sure that the organisations of the syncing users are set correctly. If that doesn't help, maybe it's best to open an issue (via the GitHub of MISP), describe your setup, how the syncing is set up exactly (which users pull/push) and which direction isn't working.

    koen

  3. Hi all,

    I have MISP installed in my lab. I want to send email notifications to my personal email ID about events in MISP. I have configured the email address in MISP but I am unable to receive email from the MISP instance.

    Can you guys help?

    regards,
    VJ
