In the two previous posts on MISP I covered the basic installation, configuration and usage of MISP, Malware Information Sharing Platform & Threat Sharing.
Visit the page from CIRCL.lu to get a good overview of the possibilities of MISP and a description of a practical use case.
If you need (commercial) support you should visit http://www.misp-project.org/.
This post will list a few useful configuration quirks or remarks that I encountered when using MISP.
MISP – Configuration
Detailed MISP email subject
By default, the subject line of a MISP notification message only contains the event ID and severity. There are situations where you’d like to have more details in the subject so that you can already judge whether the information needs immediate action.
The setting MISP.extended_alert_subject allows you to have an extended subject. One word of warning though: if you’re using encryption, the subject will not be encrypted, so be aware that you might leak some sensitive information this way. Below is an example of what the two subject types look like, first with the option disabled, then with the option enabled.
Event 7 - Low - TLP Amber
Event 8 - OSINT - Dissecting XXX... - Low - TLP Amber
Restarting the workers
If for one reason or another you have to restart the workers from the command line, take special care to check the log permissions. If you restart the workers as root, the worker log will be owned by that user. Restarting the workers is done via :
Have a look at the logs. They should all be owned by www-data :
ls -l /var/www/MISP/app/tmp/logs/
If needed, you can change the ownership :
chown www-data /var/www/MISP/app/tmp/logs/*
Redirect MISP HTTP to HTTPS
The data that you store in MISP can be sensitive, so ideally it is only accessible via a secure website (HTTPS). For user convenience you should redirect HTTP requests to the HTTPS site. This can all be done via the Apache configuration.
<VirtualHost *:80>
    ServerAdmin email@example.com
    ServerName misp.misp.misp
    ServerAlias misp-int.misp.misp

    # Keep the trailing slash on the target: mod_alias appends the rest of
    # the request path to it, so /events must become https://misp.misp.misp/events
    Redirect permanent / https://misp.misp.misp/

    LogLevel warn
    ErrorLog /var/log/apache2/misp.local_error.log
    CustomLog /var/log/apache2/misp.local_access.log combined
    ServerSignature Off
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin firstname.lastname@example.org
    ServerName misp.misp.misp
    ServerAlias misp-int.misp.misp
    DocumentRoot /var/www/MISP/app/webroot

    <Directory /var/www/MISP/app/webroot>
        Options -Indexes
        AllowOverride all
        Order allow,deny
        allow from all
    </Directory>

    SSLEngine On
    SSLCertificateFile /etc/ssl/misp.misp.misp/misp.crt
    SSLCertificateKeyFile /etc/ssl/misp.misp.misp/misp.key
    SSLCertificateChainFile /etc/ssl/misp.misp.misp/mispCA.crt

    LogLevel warn
    ErrorLog /var/log/apache2/misp.local_error.log
    CustomLog /var/log/apache2/misp.local_access.log combined
    ServerSignature Off
</VirtualHost>
Define the default sharing level
MISP allows you to define the group of people with whom you want to share your threat data. If you do not set it to your preferred default then it’s likely that at some point you’ll make an error and share your intel with the wrong group. Defining the sharing level is done with the setting default_event_distribution in the configuration file. The available levels are:
- 0 : Your organisation only (default)
- 1 : This community only
- 2 : Connected communities
- 3 : All communities
You can set a similar configuration setting for the attributes. The setting default_attribute_distribution has the same values as default_event_distribution. Additionally it has the value event, which lets the attribute inherit the setting from the event to which it belongs.
Unable to save a user GPG key
If you want to include the GPG keys from your users then you have to make sure that the .gnupg directory is writable and readable by the web-user.
drwx------ 2 www-data www-data 4096 May 28 21:23 .gnupg
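An added example, not part of the original post: a POSIX shell audit for the two ownership pitfalls described above, the worker logs after a restart as root and the .gnupg directory, checked against the ls listing shown on this page. The .gnupg location and the --audit switch are assumptions; the post gives only the logs path and the web user.

```shell
#!/bin/sh
# Added example: audit the ownership pitfalls described in this post.
WEB_USER="${WEB_USER:-www-data}"
LOG_DIR="${LOG_DIR:-/var/www/MISP/app/tmp/logs}"
GNUPG_DIR="${GNUPG_DIR:-/var/www/MISP/.gnupg}"   # assumed location, not given in the post

# Owner name as printed in the third column of `ls -ld`.
owner_of() { ls -ld -- "$1" | awk '{print $3}'; }

# Type and permission string, e.g. drwx------ (ACL/SELinux suffix cut off).
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# Print every entry in directory $1 that is not owned by user $2.
# Returns 0 when all entries match, 1 otherwise.
wrong_owner() {
    bad=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        o=$(owner_of "$f")
        if [ "$o" != "$2" ]; then
            printf '%s is owned by %s, expected %s\n' "$f" "$o" "$2"
            bad=1
        fi
    done
    return "$bad"
}

# Check that directory $1 exists, belongs to user $2 and is mode drwx------.
gnupg_ok() {
    [ -d "$1" ] || { echo "$1: not a directory"; return 1; }
    o=$(owner_of "$1"); m=$(mode_of "$1")
    [ "$o" = "$2" ] || { echo "$1: owner $o, expected $2"; return 1; }
    [ "$m" = "drwx------" ] || { echo "$1: mode $m, expected drwx------"; return 1; }
}

# Run against the real paths only when called with --audit (assumed switch).
if [ "${1:-}" = "--audit" ]; then
    rc=0
    wrong_owner "$LOG_DIR" "$WEB_USER" || rc=1
    gnupg_ok "$GNUPG_DIR" "$WEB_USER" || rc=1
    [ "$rc" -eq 0 ] && echo "ownership OK for $WEB_USER"
    exit "$rc"
fi
```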
Images and MISP
MISP can be made more appealing to the eye by adding some graphics. You can set your organisation logo by adding an image (.png) that has the same name as your organisation in the directory
Similarly you can add a footer logo. Add an image to the directory
and define the footer logo in the config file (config.php).