In this blog post, we are going to cover how to install MISP on Ubuntu 18.04. Once MISP is installed, we will do an introduction to the PyMISP API to store indicators of compromise (IOCs) in MISP and query IOCs from MISP. This blog post will serve as the foundation for future blog posts moving forward.
Goals
- Install/Setup MISP on Ubuntu 18.04
- Learn how to use PyMISP to add IOCs to MISP
- Learn how to use PyMISP to query IOCs from MISP
Background
What is an IOC?
Indicators of Compromise (IOC) are pieces of forensic data that can be used to identify potentially malicious activity on a system or network. The following pieces of data can be used as an IOC:
- File paths
- File hashes
- File names
- IP addresses
- Domains
- URLs
- e-mail addresses
- Hex strings
- X.509 certificates
- etc.
What is Malware Information Sharing Platform and Threat Sharing (MISP)?
MISP is an open-source software solution for collecting, storing, distributing and sharing cyber security indicators and threat information produced by incident analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals and malware reversers to support their day-to-day operations by sharing structured information efficiently.
The objective of MISP is to foster the sharing of structured information within the security community and beyond. MISP provides functionality not only for exchanging information but also for consuming it in Network Intrusion Detection Systems (NIDS), LIDS, log analysis tools and SIEMs.
MISP event
MISP events are encapsulations for contextually linked information. Linked information includes things such as IP addresses, domains, malicious binaries and file hashes. For example, let’s say your NIDS detects web scanner activity. The event would be the container for the attributes associated with that activity, such as the source IP address, the URIs scanned and the HTTP methods used.
MISP object
MISP objects build on MISP attributes to allow advanced combinations of attributes. The creation of these objects and their associated attributes is based on real cyber security use-cases and existing information-sharing practices. Objects are shared just like any other attribute in MISP, even if the receiving MISP instance does not have the object’s template.
MISP attributes
Attributes in MISP can be network indicators (e.g. an IP address), system indicators (e.g. a string in memory) or even bank account details. A type (e.g. MD5, url) describes what an attribute is. An attribute always belongs to a category (e.g. Payload delivery), which puts it in context. The IDS flag on an attribute determines whether the attribute can be used for automation (such as being exported as an IDS ruleset or used for detection). If the IDS flag is not set, the attribute is useful for contextualisation only.
MISP feed
MISP includes a set of public OSINT feeds in its default configuration. The feeds can be used as a source of correlations for all of your events and attributes without the need to import them directly into your system. The MISP feed system allows for fast correlation but also for a quick comparison of the feeds against one another.
Install/Setup MISP on Ubuntu 18.04.3
Install MISP with install.sh
sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get install mysql-client -y
wget https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh
chmod +x INSTALL.sh
./INSTALL.sh -A
- Enter “<FQDN of MISP>” into MISP_BASEURL
- Enter “Y” to create misp user
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Change admin password
- Browse to https://<FQDN of MISP>/users/login
- Username: admin@admin.test
- Password: admin
- Enter a new password when prompted
Create an organization
- Select Administration > Add Organisations
- Enter “<ORG name>” into Organisation Identifier
- Select “Generate UUID”
- Select “Submit” at the bottom
Create admin for new org
- Administration > Add user
- Enter “admin@<fqdn>” for email
- Check “Set password”
- Select “<new org name>” for Organisation
- Select “Org” for Role
- Select submit
Create API user for new org
- Administration > Add user
- Enter “api_user@<fqdn>” for email
- Select “<new org name>” for Organisation
- Select “Publisher” for Role
- Select submit
Enable threat intel feeds
To enable feeds you will need to log in to MISP with the “superadmin” account, which is the “admin@admin.test” account.
- Sync Actions > List feeds
- Find a feed such as “Feodo IP Blocklist”
- Select the “Edit” icon
- Check “Enabled”
- Check “Caching Enabled”
- Select “Edit” at the bottom
IPython + PyMISP
- In the MISP console select Administration > List Users
- Look for “api_user@<fqdn>” and copy “auth key”
- Open a terminal
brew install python3 ipython
pip3 install -U pymisp
ipython
Connect a MISP instance with PyMISP
from pymisp import ExpandedPyMISP

misp_url = 'https://<FQDN of MISP>'
misp_key = '<Enter MISP API key>'  # auth key of api_user copied above
misp_verifycert = False  # the default install uses a self-signed certificate

# Init MISP connector
misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)
Create a MISP event
from pymisp import MISPEvent

# Create event
event_obj = MISPEvent()
event_obj.distribution = 1      # 1 = This community only
event_obj.threat_level_id = 1   # 1 = High
event_obj.analysis = 1          # 1 = Ongoing
event_obj.info = "Event from notebook 2"

# Add event to MISP
event = misp.add_event(event_obj)
event_id, event_uuid = event['Event']['id'], event['Event']['uuid']
print(event_id, event_uuid)
Add an attribute to a MISP event
from pymisp import MISPAttribute

# Define attribute values
attr_type = "ip-src"
value = "8.8.8.8"
category = "Network activity"
to_ids = False  # context only: not exported to IDS rulesets

# Create attribute object
attribute = MISPAttribute()
attribute.type = attr_type
attribute.value = value
attribute.category = category
attribute.to_ids = to_ids

# Add attribute to the event created above
attribute_to_change = misp.add_attribute(event_id, attribute)

# Print the new attribute
print(attribute_to_change['Attribute']['id'], attribute_to_change)
Search MISP for IOC
# Search for an IOC in MISP
result = misp.search(controller='attributes', type_attribute="ip-src", value="8.8.8.8")
print(result)
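As an added example (not code from the original post), the snippet below takes a result in the shape misp.search(controller='attributes', ...) returns and honours the IDS flag described above: only to_ids attributes become detection indicators, which are then matched against connection records. The search result and the connection records are constructed sample data, not output from a real instance.

```python
from collections import defaultdict

# Constructed sample in the shape misp.search(controller='attributes', ...)
# returns: a dict with an "Attribute" list. Values are made up for the example.
SEARCH_RESULT = {
    "Attribute": [
        {"id": "1", "event_id": "42", "type": "ip-src", "category": "Network activity",
         "to_ids": True, "value": "203.0.113.10"},
        {"id": "2", "event_id": "42", "type": "domain", "category": "Network activity",
         "to_ids": True, "value": "malicious.example"},
        {"id": "3", "event_id": "42", "type": "comment", "category": "Other",
         "to_ids": False, "value": "seen during a web scanner campaign"},
        # The 8.8.8.8 attribute added above had to_ids = False: context only.
        {"id": "4", "event_id": "42", "type": "ip-src", "category": "Network activity",
         "to_ids": False, "value": "8.8.8.8"},
    ]
}

def detection_indicators(search_result):
    """Return {attribute type: set of values} for attributes flagged to_ids.

    Attributes without the IDS flag are deliberately left out: in the MISP
    data model they exist for contextualisation, not automated detection.
    """
    indicators = defaultdict(set)
    for attr in search_result.get("Attribute", []):
        if attr.get("to_ids"):
            indicators[attr["type"]].add(attr["value"])
    return dict(indicators)

def match_connections(indicators, connections):
    """Return (src_ip, dest_host, matched_type) for connections hitting an indicator."""
    hits = []
    for src_ip, dest_host in connections:
        if src_ip in indicators.get("ip-src", set()):
            hits.append((src_ip, dest_host, "ip-src"))
        if dest_host in indicators.get("domain", set()):
            hits.append((src_ip, dest_host, "domain"))
    return hits

# Constructed connection records (source IP, destination hostname), e.g. from proxy logs.
CONNECTIONS = [
    ("203.0.113.10", "intranet.example"),
    ("8.8.8.8", "dns.google"),
    ("198.51.100.7", "malicious.example"),
]

if __name__ == "__main__":
    for hit in match_connections(detection_indicators(SEARCH_RESULT), CONNECTIONS):
        print("ALERT", hit)
```

Note that 8.8.8.8 never produces an alert: because it was stored with to_ids = False it stays context only, exactly as the IDS flag semantics above describe.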
Future topics
- Ingesting IOCs from Malware Traffic Analysis
- Ingesting IOCs from @MalwareHunterTeam on Twitter
- Ingesting Suricata alerts into IOCs with a model to decay old events
- Generate Suricata rules from MISP intel
- Generate OSquery rules from MISP intel
- Correlating MISP intel with MITRE ATT&CK
- Ingest honeypot data into MISP
- Ingest WAF data into MISP
- Make your own MISP intel publicly available
Great post. Your blog is an awesome source of information. I see that you’re on LinkedIn. Do you have a twitter account?
Twitter account: @CptOfEvilMinion
I need help please. When I want to do this: “./misp_install.sh -A” (the 5 steps), I can’t. My terminal writes: “This script cannot be run as a root”. Can you help me?
You need to run the script with a user who has sudo privileges but not as root.
Go here for more information: https://misp.github.io/MISP/INSTALL.ubuntu1804/
Hi, have you done some integration with MISP and the Graylog lookup adapter?
Hey Anders,
I have not done any research on how to connect MISP and Graylog. However, I found this blog post by Graylog on how to ingest MISP data. Good luck!
Hi, I had this error:
-o misp_install.sh
-o: command not found
This has been fixed. Thanks for submitting this issue 🙂
Hi,
I need help with PyMISP examples to create:
- Galaxy
- Cluster
- Sighting
Thanks
Hey, glad to see you reading my content. The content requests you are making are more advanced topics than this blog post is meant to cover. The purpose of this post is an intro to MISP + PyMISP to get people started. However, I will take this into consideration for future blog posts on MISP.
Thanks