Getting started with MISP, Malware Information Sharing Platform & Threat Sharing – part 3

MISP

In the two previous posts on MISP

I covered the basic installation, configuration and usage of MISP, Malware Information Sharing Platform & Threat Sharing.

Visit the page from CIRCL.lu to get a good overview of the possibilities of MISP and a description of a practical use case.

If you need (commercial) support you should visit http://www.misp-project.org/.

This post will list a few useful configuration quirks or remarks that I encountered when using MISP.

MISP – Configuration

Detailed MISP email subject

By default, the subject line of a MISP notification message only contains the event ID and severity. There are situations where you’d like to have more details in the subject so that you can already judge whether the information needs immediate action.

The setting MISP.extended_alert_subject allows you to have an extended subject. One word of warning though. If you’re using encryption : the subject will not be encrypted. Be aware that you might leak some sensitive information this way. Below is an example how the two subject types look like. First with the option disabled, then with the option enabled.

Event 7 - Low - TLP Amber
Event 8 - OSINT - Dissecting  XXX... - Low - TLP Amber

Restarting the workers

If for one or the other reason you have to restart the workers from the command line then you have to take special care to check the log permissions. If you restart the workers as root, then the worker log will be owned by that user. Restarting the workers is done via :

/var/www/MISP/app/Console/worker/start.sh 

Have a look at the logs. They should all be owned by www-data :

ls -l /var/www/MISP/app/tmp/logs/

If needed, you can change the ownership :

chown www-data /var/www/MISP/app/tmp/logs/*

Redirect MISP HTTP to HTTPs

The data that you store in MISP can be sensitive so ideally you only have it accessible via a secure website (HTTPs). In order to add some user convenience you should redirect the http requests to the https-site. This can all be done via the Apache configuration.

<VirtualHost *:80>
        ServerAdmin misp@misp.misp
        ServerName misp.misp.misp
        ServerAlias misp-int.misp.misp

        Redirect permanent / https://misp.misp.misp

        LogLevel warn
        ErrorLog /var/log/apache2/misp.local_error.log
        CustomLog /var/log/apache2/misp.local_access.log combined
        ServerSignature Off
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin misp@misp.misp
        ServerName misp.misp.misp
        ServerAlias misp-int.misp.misp

        DocumentRoot /var/www/MISP/app/webroot
        <Directory /var/www/MISP/app/webroot>
                Options -Indexes
                AllowOverride all
                Order allow,deny
                allow from all
        </Directory>

        SSLEngine On
        SSLCertificateFile /etc/ssl/misp.misp.misp/misp.crt
        SSLCertificateKeyFile /etc/ssl/misp.misp.misp/misp.key
        SSLCertificateChainFile /etc/ssl/misp.misp.misp/mispCA.crt

        LogLevel warn
        ErrorLog /var/log/apache2/misp.local_error.log
        CustomLog /var/log/apache2/misp.local_access.log combined
        ServerSignature Off
</VirtualHost>

Define the default sharing level

MISP allows you to define the group of people with whom you want to share your threat data. If you do not set it to your preferred default then it’s likely that at one given moment you’ll make an error and share your intel with the wrong group. Defining the sharing level is done with the setting default_event_distribution in the configuration file. There are three levels

  • 0 : Your organisation only (default)
  • 1 : This community only
  • 2 : Connected communities
  • 3 : All communities

You can set a similar configuration setting for the attributes. The setting default_attribute_distribution has the same values as default_event_distribution. Additionally it has the value event which allows the attribute to get the setting from the event to which it belongs.

Unable to save a user GPG key

If you want to include the GPG keys from your users then you have to make sure that the .gnupg directory is writable and readable by the web-user.

drwx------  2 www-data www-data  4096 May 28 21:23 .gnupg

Images and MISP

MISP can be made more appealing to the eye by adding some graphics. You can set your organisation logo by adding an image (.png) that has the same name as your organisation in the directory

/var/www/MISP/app/webroot/img/orgs/

Similarly you can add a footer logo. Add an image to the directory

/var/www/MISP/app/webroot/img/custom/

and define the footer logo in the config file (config.php).

2 thoughts on “Getting started with MISP, Malware Information Sharing Platform & Threat Sharing – part 3

  1. Hie and thx for your explanation.

    I ve a lab with 3 misps. They can sync events if they re distributed to ‘all’ (distrib setting), but if i use another distribution like connected communities or else nothing happens… I ve try to understand the content of the manual but its not understansable for me :). I m certainly stupid but can you explain what is a community and how to use other distributions models plz.

    Thx a lot!

  2. Hello Raph,

    You will have to make sure that the organisations of the syncing users are set correctly. If that doesn’t help maybe it’s best to open an issue (via the github of MISP), describe your setup, how the syncing is setup exactly (which users pull/push) and which direction isn’t working.

    koen

Leave a Reply

Your email address will not be published. Required fields are marked *