MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

Merge remote-tracking branch 'origin/2.4' into eventFiltering

pull/4076/head
mokaddem 2019-02-01 15:18:15 +01:00
parent eeae6f05b8 e5469aa16c
commit 1b8ff623fd
29 changed files with 1340 additions and 759 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

986
INSTALL/INSTALL.debian.sh Executable file
View File

@ -0,0 +1,986 @@
#!/usr/bin/env bash
#INSTALLATION INSTRUCTIONS
#------------------------- for Kali Linux
#
#0/ Quick MISP Instance on Kali Linux - Status
#---------------------------------------------
#
#1/ Prepare Kali with a MISP User
#--------------------------------
# To install MISP on Kali copy paste this in your r00t shell:
# wget -O /tmp/misp-kali.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.debian.sh && bash /tmp/misp-kali.sh
# /!\ Please read the installer script before randomly doing the above.
# The script is tested on a plain vanilla Kali Linux Boot CD and installs quite a few dependencies.
# Leave empty for NO debug messages.
DEBUG=
# Function Section
## Usage of this script
usage () {
echo "Please specify what type of MISP if you want to install."
space
echo "${0} -c | Install ONLY MISP Core" # core
echo " -V | Core + Viper" # viper
echo " -M | Core + MISP modules" # modules
echo " -D | Core + MISP dashboard" # dashboard
echo " -m | Core + Mail 2 MISP" # mail2
echo " -A | Install all of the above" # all
space
echo " -C | Only do pre-install checks and exit" # pre
space
echo "Options can be combined: ${0} -V -D # Will install Core+Viper+Dashboard"
space
}
checkOpt () {
# checkOpt feature
containsElement $1 "${options[@]}"
}
setOpt () {
options=()
for o in $@; do
option=$(
case "$o" in
("-c") echo "core" ;;
("-V") echo "viper" ;;
("-M") echo "modules" ;;
("-D") echo "dashboard" ;;
("-m") echo "mail2" ;;
("-A") echo "all" ;;
("-C") echo "pre" ;;
#(*) echo "$o is not a valid argument" ;;
esac)
options+=($option)
done
}
# Extract debian flavour
checkFlavour () {
FLAVOUR=$(lsb_release -s -i |tr [A-Z] [a-z])
}
# Dynamic horizontal spacer
space () {
# Check terminal width
num=`tput cols`
for i in `seq 1 $num`; do
echo -n "-"
done
echo ""
}
# Simple debug function with message
debug () {
echo $1
if [ ! -z $DEBUG ]; then
echo "Debug Mode, press enter to continue..."
read
fi
}
# Check if element is contained in array
containsElement () {
local e match="$1"
shift
for e; do [[ "$e" == "$match" ]] && return 0; done
return 1
}
# Simple function to check command exit code
checkFail () {
if [[ $2 -ne 0 ]]; then
echo "iAmError: $1"
echo "The last command exited with error code: $2"
exit $2
fi
}
# Check if misp user is present and if run as root
checkID () {
if [[ $EUID == 0 ]]; then
echo "This script cannot be run as a root"
exit 1
elif [[ $(id $MISP_USER >/dev/null; echo $?) -ne 0 ]]; then
echo "There is NO user called '$MISP_USER' create a user '$MISP_USER' or continue as $USER? (y/n) "
read ANSWER
ANSWER=$(echo $ANSWER |tr [A-Z] [a-z])
if [[ $ANSWER == "y" ]]; then
useradd -s /bin/bash -m -G adm,cdrom,sudo,dip,plugdev,www-data $MISP_USER
echo $MISP_USER:$MISP_PASSWORD | chpasswd
echo "User $MISP_USER added, password is: $MISP_PASSWORD"
elif [[ $ANSWER == "n" ]]; then
echo "Using $USER as install user, hope that is what you want."
MISP_USER=$USER
else
echo "yes or no was asked, try again."
exit 1
fi
else
echo "User ${MISP_USER} exists, skipping creation"
fi
}
# check if sudo is installed
checkSudo () {
sudo -H -u $MISP_USER ls -la /tmp > /dev/null 2> /dev/null
if [[ $? -ne 0 ]]; then
echo "sudo seems to be not installed or working, please fix this before continuing the installation."
echo "apt install sudo # As root should be enough, make sure the $MISP_USER is able to run sudo."
exit 1
fi
}
# check is /usr/local/src is RW by misp user
checkUsrLocalSrc () {
if [[ -e /usr/local/src ]]; then
if [[ -w /usr/local/src ]]; then
echo "Good, /usr/local/src exists and is writeable as $MISP_USER"
else
echo -n "/usr/local/src need to be writeable by $MISP_USER, permission to fix? (y/n)"
read ANSWER
ANSWER=$(echo $ANSWER |tr [A-Z] [a-z])
fi
fi
}
# Because Kali is l33t we make sure we run as root
kaliOnRootR0ckz () {
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root"
exit 1
elif [[ $(id $MISP_USER >/dev/null; echo $?) -ne 0 ]]; then
useradd -s /bin/bash -m -G adm,cdrom,sudo,dip,plugdev,www-data $MISP_USER
echo $MISP_USER:$MISP_PASSWORD | chpasswd
else
# TODO: Make sure we consider this further down the road
echo "User ${MISP_USER} exists, skipping creation"
fi
}
# Setting generic MISP variables share by all flavours
MISPvars () {
# Local non-root MISP user
MISP_USER='misp'
MISP_PASSWORD='Password1234'
# MISP configuration variables
PATH_TO_MISP='/var/www/MISP'
MISP_BASEURL='https://misp.local'
MISP_LIVE='1'
CAKE="$PATH_TO_MISP/app/Console/cake"
# Database configuration
DBHOST='localhost'
DBNAME='misp'
DBUSER_ADMIN='root'
DBPASSWORD_ADMIN="$(openssl rand -hex 32)"
DBUSER_MISP='misp'
DBPASSWORD_MISP="$(openssl rand -hex 32)"
# Webserver configuration
FQDN='misp.local'
# OpenSSL configuration
OPENSSL_CN=$FQDN
OPENSSL_C='LU'
OPENSSL_ST='State'
OPENSSL_L='Location'
OPENSSL_O='Organization'
OPENSSL_OU='Organizational Unit'
OPENSSL_EMAILADDRESS='info@localhost'
# GPG configuration
GPG_REAL_NAME='Autogenerated Key'
GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
GPG_EMAIL_ADDRESS='admin@admin.test'
GPG_KEY_LENGTH='2048'
GPG_PASSPHRASE='Password1234'
# php.ini configuration
upload_max_filesize=50M
post_max_size=50M
max_execution_time=300
memory_limit=512M
PHP_INI=/etc/php/7.3/apache2/php.ini
# apt config
export DEBIAN_FRONTEND=noninteractive
# sudo config to run $LUSER commands
SUDO="sudo -u ${MISP_USER}"
SUDO_WWW="sudo -u www-data"
echo "Admin (${DBUSER_ADMIN}) DB Password: ${DBPASSWORD_ADMIN}"
echo "User (${DBUSER_MISP}) DB Password: ${DBPASSWORD_MISP}"
}
# Installing core dependencies
installDeps () {
apt update
apt install -qy etckeeper
# Skip dist-upgrade for now, pulls in 500+ updated packages
#sudo apt -y dist-upgrade
gitMail=$(git config --global --get user.email ; echo $?)
if [ "$?" -eq "1" ]; then
git config --global user.email "root@kali.lan"
fi
gitUser=$(git config --global --get user.name ; echo $?)
if [ "$?" -eq "1" ]; then
git config --global user.name "Root User"
fi
apt install -qy postfix
apt install -qy \
curl gcc git gnupg-agent make openssl redis-server neovim zip libyara-dev python3-yara python3-redis python3-zmq \
mariadb-client \
mariadb-server \
apache2 apache2-doc apache2-utils \
libapache2-mod-php7.3 php7.3 php7.3-cli php7.3-mbstring php-pear php7.3-dev php7.3-json php7.3-xml php7.3-mysql php7.3-opcache php7.3-readline php-redis php-gnupg \
python3-dev python3-pip libpq5 libjpeg-dev libfuzzy-dev ruby asciidoctor \
libxml2-dev libxslt1-dev zlib1g-dev python3-setuptools expect
installRNG
}
# Test and install software RNG
installRNG () {
modprobe tpm-rng 2> /dev/null
if [ "$?" -eq "0" ]; then
echo tpm-rng >> /etc/modules
fi
apt install -qy rng-tools # This might fail on TPM grounds, enable the security chip in your BIOS
service rng-tools start
if [ "$?" -eq "1" ]; then
apt purge -qy rng-tools
apt install -qy haveged
/etc/init.d/haveged start
fi
}
# On Kali, the redis start-up script is broken. This tries to fix it.
fixRedis () {
# As of 20190124 redis-server init.d scripts are broken and need to be replaced
mv /etc/init.d/redis-server /etc/init.d/redis-server_`date +%Y%m%d`
echo '#! /bin/sh
### BEGIN INIT INFO
# Provides: redis-server
# Required-Start: $syslog
# Required-Stop: $syslog
# Should-Start: $local_fs
# Should-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: redis-server - Persistent key-value db
# Description: redis-server - Persistent key-value db
### END INIT INFO
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/bin/redis-server
DAEMON_ARGS=/etc/redis/redis.conf
NAME=redis-server
DESC=redis-server
PIDFILE=/var/run/redis.pid
test -x $DAEMON || exit 0
test -x $DAEMONBOOTSTRAP || exit 0
set -e
case "$1" in
start)
echo -n "Starting $DESC: "
touch $PIDFILE
chown redis:redis $PIDFILE
if start-stop-daemon --start --quiet --umask 007 --pidfile $PIDFILE --chuid redis:redis --exec $DAEMON -- $DAEMON_ARGS
then
echo "$NAME."
else
echo "failed"
fi
;;
stop)
echo -n "Stopping $DESC: "
if start-stop-daemon --stop --retry 10 --quiet --oknodo --pidfile $PIDFILE --exec $DAEMON
then
echo "$NAME."
else
echo "failed"
fi
rm -f $PIDFILE
;;
restart|force-reload)
${0} stop
${0} start
;;
*)
echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
exit 1
;;
esac
exit 0' | tee /etc/init.d/redis-server
chmod 755 /etc/init.d/redis-server
/etc/init.d/redis-server start
}
# generate MISP apache conf
genApacheConf () {
echo "<VirtualHost _default_:80>
ServerAdmin admin@localhost.lu
ServerName misp.local
Redirect permanent / https://misp.local
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>
<VirtualHost _default_:443>
ServerAdmin admin@localhost.lu
ServerName misp.local
DocumentRoot $PATH_TO_MISP/app/webroot
<Directory $PATH_TO_MISP/app/webroot>
Options -Indexes
AllowOverride all
Require all granted
Order allow,deny
allow from all
</Directory>
SSLEngine On
SSLCertificateFile /etc/ssl/private/misp.local.crt
SSLCertificateKeyFile /etc/ssl/private/misp.local.key
# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY
</VirtualHost>" | tee /etc/apache2/sites-available/misp-ssl.conf
}
# Add git pull update mechanism to rc.local - TODO: Make this better
gitPullAllRCLOCAL () {
sed -i -e '$i \git_dirs="/usr/local/src/misp-modules/ /var/www/misp-dashboard /usr/local/src/faup /usr/local/src/mail_to_misp /usr/local/src/misp-modules /usr/local/src/viper /var/www/misp-dashboard"\n' /etc/rc.local
sed -i -e '$i \for d in $git_dirs; do\n' /etc/rc.local
sed -i -e '$i \ echo "Updating ${d}"\n' /etc/rc.local
sed -i -e '$i \ cd $d && sudo git pull &\n' /etc/rc.local
sed -i -e '$i \done\n' /etc/rc.local
}
# Composer on php 7.2 does not need any special treatment the provided phar works well
composer72 () {
cd $PATH_TO_MISP/app
mkdir /var/www/.composer ; chown www-data:www-data /var/www/.composer
$SUDO_WWW php composer.phar require kamisama/cake-resque:4.1.2
$SUDO_WWW php composer.phar config vendor-dir Vendor
$SUDO_WWW php composer.phar install
}
# Composer on php 7.3 needs a recent version of composer.phar
composer73 () {
cd $PATH_TO_MISP/app
mkdir /var/www/.composer ; chown www-data:www-data /var/www/.composer
# Update composer.phar
# If hash changes, check here: https://getcomposer.org/download/ and replace with the correct one
# Current Sum for: v1.8.3
SHA384_SUM='48e3236262b34d30969dca3c37281b3b4bbe3221bda826ac6a9a62d6444cdb0dcd0615698a5cbe587c3f0fe57a54d8f5'
sudo -H -u www-data php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
sudo -H -u www-data php -r "if (hash_file('SHA384', 'composer-setup.php') === '$SHA384_SUM') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); exit(137); } echo PHP_EOL;"
checkFail "composer.phar checksum failed, please investigate manually. " $?
sudo -H -u www-data php composer-setup.php
sudo -H -u www-data php -r "unlink('composer-setup.php');"
$SUDO_WWW php composer.phar require kamisama/cake-resque:4.1.2
$SUDO_WWW php composer.phar config vendor-dir Vendor
$SUDO_WWW php composer.phar install
}
# Enable various core services
enableServices () {
update-rc.d mysql enable
update-rc.d apache2 enable
update-rc.d redis-server enable
}
# Main MISP Dashboard install function
mispDashboard () {
cd /var/www
mkdir misp-dashboard
chown www-data:www-data misp-dashboard
$SUDO_WWW git clone https://github.com/MISP/misp-dashboard.git
cd misp-dashboard
/var/www/misp-dashboard/install_dependencies.sh
sed -i "s/^host\ =\ localhost/host\ =\ 0.0.0.0/g" /var/www/misp-dashboard/config/config.cfg
sed -i -e '$i \sudo -u www-data bash /var/www/misp-dashboard/start_all.sh\n' /etc/rc.local
$SUDO_WWW bash /var/www/misp-dashboard/start_all.sh
apt install libapache2-mod-wsgi-py3 -y
echo "<VirtualHost *:8001>
ServerAdmin admin@misp.local
ServerName misp.local
DocumentRoot /var/www/misp-dashboard
WSGIDaemonProcess misp-dashboard \
user=misp group=misp \
python-home=/var/www/misp-dashboard/DASHENV \
processes=1 \
threads=15 \
maximum-requests=5000 \
listen-backlog=100 \
queue-timeout=45 \
socket-timeout=60 \
connect-timeout=15 \
request-timeout=60 \
inactivity-timeout=0 \
deadlock-timeout=60 \
graceful-timeout=15 \
eviction-timeout=0 \
shutdown-timeout=5 \
send-buffer-size=0 \
receive-buffer-size=0 \
header-buffer-size=0 \
response-buffer-size=0 \
server-metrics=Off
WSGIScriptAlias / /var/www/misp-dashboard/misp-dashboard.wsgi
<Directory /var/www/misp-dashboard>
WSGIProcessGroup misp-dashboard
WSGIApplicationGroup %{GLOBAL}
Require all granted
</Directory>
LogLevel info
ErrorLog /var/log/apache2/misp-dashboard.local_error.log
CustomLog /var/log/apache2/misp-dashboard.local_access.log combined
ServerSignature Off
</VirtualHost>" | tee /etc/apache2/sites-available/misp-dashboard.conf
a2ensite misp-dashboard
}
# TODO: dashboardCAKE () { }
# Core cake commands
coreCAKE () {
$CAKE Live $MISP_LIVE
$CAKE Baseurl $MISP_BASEURL
$CAKE userInit -q
$CAKE Admin setSetting "Plugin.ZeroMQ_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost"
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq"
$CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false
$CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
$CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false
$CAKE Admin setSetting "GnuPG.email" "admin@admin.test"
$CAKE Admin setSetting "GnuPG.homedir" "/var/www/MISP/.gnupg"
$CAKE Admin setSetting "GnuPG.password" "Password1234"
$CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
$CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
$CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
$CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
$CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
$CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
$CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
$CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
$CAKE Admin setSetting "Plugin.Import_services_enable" true
$CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
$CAKE Admin setSetting "Plugin.Import_services_port" 6666
$CAKE Admin setSetting "Plugin.Import_timeout" 300
$CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
$CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
$CAKE Admin setSetting "Plugin.Export_services_enable" true
$CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
$CAKE Admin setSetting "Plugin.Export_services_port" 6666
$CAKE Admin setSetting "Plugin.Export_timeout" 300
$CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
$CAKE Admin setSetting "MISP.host_org_id" 1
$CAKE Admin setSetting "MISP.email" "info@admin.test"
$CAKE Admin setSetting "MISP.disable_emailing" false
$CAKE Admin setSetting "MISP.contact" "info@admin.test"
$CAKE Admin setSetting "MISP.disablerestalert" true
$CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true
$CAKE Admin setSetting "Plugin.Cortex_services_enable" false
$CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
$CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
$CAKE Admin setSetting "Plugin.Cortex_timeout" 120
$CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
$CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
$CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120
$CAKE Admin setSetting "Plugin.Cortex_services_authkey" ""
$CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
$CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false
$CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true
$CAKE Admin setSetting "Plugin.Sightings_policy" 0
$CAKE Admin setSetting "Plugin.Sightings_anonymise" false
$CAKE Admin setSetting "Plugin.Sightings_range" 365
$CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
$CAKE Admin setSetting "Plugin.RPZ_policy" "DROP"
$CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
$CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00"
$CAKE Admin setSetting "Plugin.RPZ_refresh" "2h"
$CAKE Admin setSetting "Plugin.RPZ_retry" "30m"
$CAKE Admin setSetting "Plugin.RPZ_expiry" "30d"
$CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
$CAKE Admin setSetting "Plugin.RPZ_ttl" "1w"
$CAKE Admin setSetting "Plugin.RPZ_ns" "localhost."
$CAKE Admin setSetting "Plugin.RPZ_ns_alt" ""
$CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost"
$CAKE Admin setSetting "MISP.language" "eng"
$CAKE Admin setSetting "MISP.proposals_block_attributes" false
$CAKE Admin setSetting "MISP.redis_host" "127.0.0.1"
$CAKE Admin setSetting "MISP.redis_port" 6379
$CAKE Admin setSetting "MISP.redis_database" 13
$CAKE Admin setSetting "MISP.redis_password" ""
$CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40
$CAKE Admin setSetting "MISP.extended_alert_subject" false
$CAKE Admin setSetting "MISP.default_event_threat_level" 4
$CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
$CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
$CAKE Admin setSetting "MISP.enableEventBlacklisting" true
$CAKE Admin setSetting "MISP.enableOrgBlacklisting" true
$CAKE Admin setSetting "MISP.log_client_ip" false
$CAKE Admin setSetting "MISP.log_auth" false
$CAKE Admin setSetting "MISP.disableUserSelfManagement" false
$CAKE Admin setSetting "MISP.block_event_alert" false
$CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
$CAKE Admin setSetting "MISP.block_old_event_alert" false
$CAKE Admin setSetting "MISP.block_old_event_alert_age" ""
$CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false
$CAKE Admin setSetting "MISP.footermidleft" "This is an autogenerated install"
$CAKE Admin setSetting "MISP.footermidright" "Please configure accordingly and do not use in production"
$CAKE Admin setSetting "MISP.welcome_text_top" "Autogenerated install, please configure and harden accordingly"
$CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP on Kali"
$CAKE Admin setSetting "Security.password_policy_length" 12
$CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
$CAKE Admin setSetting "Session.autoRegenerate" 0
$CAKE Admin setSetting "Session.timeout" 600
$CAKE Admin setSetting "Session.cookie_timeout" 3600
$CAKE Live $MISP_LIVE
}
# Setup GnuPG key
setupGnuPG () {
echo "%echo Generating a default key
Key-Type: default
Key-Length: $GPG_KEY_LENGTH
Subkey-Type: default
Name-Real: $GPG_REAL_NAME
Name-Comment: $GPG_COMMENT
Name-Email: $GPG_EMAIL_ADDRESS
Expire-Date: 0
Passphrase: $GPG_PASSPHRASE
# Do a commit here, so that we can later print "done"
%commit
%echo done" > /tmp/gen-key-script
$SUDO_WWW gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-key-script
$SUDO_WWW sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS" | $SUDO_WWW tee $PATH_TO_MISP/app/webroot/gpg.asc
}
updateGOWNT () {
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
# TODO: Fix updateGalaxies
#$CAKE Admin updateGalaxies
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/galaxies/update
$CAKE Admin updateTaxonomies
# TODO: Fix updateWarningLists
#$CAKE Admin updateWarningLists
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/warninglists/update
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update
}
# Generate rc.local
genRCLOCAL () {
if [ ! -e /etc/rc.local ]; then
echo '#!/bin/sh -e' | tee -a /etc/rc.local
echo 'exit 0' | tee -a /etc/rc.local
chmod u+x /etc/rc.local
fi
sed -i -e '$i \echo never > /sys/kernel/mm/transparent_hugepage/enabled\n' /etc/rc.local
sed -i -e '$i \echo 1024 > /proc/sys/net/core/somaxconn\n' /etc/rc.local
sed -i -e '$i \sysctl vm.overcommit_memory=1\n' /etc/rc.local
sed -i -e '$i \sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh\n' /etc/rc.local
}
# Main MISP Modules install function
mispmodules () {
sed -i -e '$i \sudo -u www-data misp-modules -l 0.0.0.0 -s &\n' /etc/rc.local
$SUDO_WWW bash $PATH_TO_MISP/app/Console/worker/start.sh
cd /usr/local/src/
git clone https://github.com/MISP/misp-modules.git
cd misp-modules
# pip3 install
pip3 install -I -r REQUIREMENTS
pip3 install -I .
pip3 install maec lief python-magic wand yara
pip3 install git+https://github.com/kbandla/pydeep.git
gem install pygments.rb
gem install asciidoctor-pdf --pre
$SUDO_WWW misp-modules -l 0.0.0.0 -s &
}
# Main Viper install function
viper () {
cd /usr/local/src/
debug "Installing Viper dependencies"
apt-get install -y libssl-dev swig python3-ssdeep p7zip-full unrar-free sqlite python3-pyclamd exiftool radare2
pip3 install SQLAlchemy PrettyTable python-magic
debug "Cloning Viper"
git clone https://github.com/viper-framework/viper.git
chown -R $MISP_USER:$MISP_USER viper
cd viper
debug "Submodule update"
$SUDO git submodule update --init --recursive
debug "pip install scrapy"
pip3 install scrapy
debug "pip install reqs"
pip3 install -r requirements.txt
debug "pip uninstall yara"
pip3 uninstall yara -y
debug "Launching viper-cli"
$SUDO /usr/local/src/viper/viper-cli -h > /dev/null
debug "Launching viper-web"
$SUDO /usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &
echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/src/viper:/var/www/MISP/app/Console"' |tee /etc/environment
echo ". /etc/environment" >> /home/${MISP_USER}/.profile
debug "Setting misp_url/misp_key"
$SUDO sed -i "s/^misp_url\ =/misp_url\ =\ http:\/\/localhost/g" /home/${MISP_USER}/.viper/viper.conf
$SUDO sed -i "s/^misp_key\ =/misp_key\ =\ $AUTH_KEY/g" /home/${MISP_USER}/.viper/viper.conf
debug "Fixing admin.db with default password"
while [ "$(sqlite3 /home/${MISP_USER}/.viper/admin.db 'UPDATE auth_user SET password="pbkdf2_sha256$100000$iXgEJh8hz7Cf$vfdDAwLX8tko1t0M1TLTtGlxERkNnltUnMhbv56wK/U="'; echo $?)" -ne "0" ]; do
# FIXME This might lead to a race condition, the while loop is sub-par
chown $MISP_USER:$MISP_USER /home/${MISP_USER}/.viper/admin.db
echo "Updating viper-web admin password, giving process time to start-up, sleeping 5, 4, 3,…"
sleep 6
done
sed -i -e '$i \sudo -u misp /usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &\n' /etc/rc.local
}
# Main function to fix permissions to something sane
permissions () {
chown -R www-data:www-data $PATH_TO_MISP
chmod -R 750 $PATH_TO_MISP
chmod -R g+ws $PATH_TO_MISP/app/tmp
chmod -R g+ws $PATH_TO_MISP/app/files
chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
}
# Main mail2misp install function
mail2misp () {
cd /usr/local/src/
apt-get install -y cmake
git clone https://github.com/MISP/mail_to_misp.git
git clone git://github.com/stricaud/faup.git faup
chown -R ${MISP_USER}:${MISP_USER} faup mail_to_misp
cd faup
$SUDO mkdir -p build
cd build
$SUDO cmake .. && $SUDO make
make install
ldconfig
cd ../../
cd mail_to_misp
pip3 install -r requirements.txt
$SUDO cp mail_to_misp_config.py-example mail_to_misp_config.py
sed -i "s/^misp_url\ =\ 'YOUR_MISP_URL'/misp_url\ =\ 'http:\/\/localhost'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py
sed -i "s/^misp_key\ =\ 'YOUR_KEY_HERE'/misp_key\ =\ '$AUTH_KEY'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py
}
# Final function to let the user know what happened
theEnd () {
space
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN" > /home/${MISP_USER}/mysql.txt
echo "User (misp) DB Password: $DBPASSWORD_MISP" >> /home/${MISP_USER}/mysql.txt
echo "Authkey: $AUTH_KEY" > /home/${MISP_USER}/MISP-authkey.txt
clear
space
echo "MISP Installed, access here: https://misp.local"
echo "User: admin@admin.test"
echo "Password: admin"
echo "MISP Dashboard, access here: http://misp.local:8001"
space
echo "The following files were created and need either protection or removal (shred on the CLI)"
echo "/home/${MISP_USER}/mysql.txt"
echo "/home/${MISP_USER}/MISP-authkey.txt"
cat /home/${MISP_USER}/mysql.txt
cat /home/${MISP_USER}/MISP-authkey.txt
space
echo "The LOCAL system credentials:"
echo "User: ${MISP_USER}"
echo "Password: ${MISP_PASSWORD}"
space
echo "viper-web installed, access here: http://misp.local:8888"
echo "viper-cli configured with your MISP Site Admin Auth Key"
echo "User: admin"
echo "Password: Password1234"
space
echo "To enable outgoing mails via postfix set a permissive SMTP server for the domains you want to contact:"
space
echo "sudo postconf -e 'relayhost = example.com'"
echo "sudo postfix reload"
space
echo "Enjoy using MISP. For any issues see here: https://github.com/MISP/MISP/issues"
su - ${MISP_USER}
}
# Main Kalin Install function
installMISPonKali () {
space
debug "Disabling sleep etc…"
gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-timeout 0 2> /dev/null
gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-battery-timeout 0 2> /dev/null
gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-battery-type 'nothing' 2> /dev/null
xset s 0 0 2> /dev/null
xset dpms 0 0 2> /dev/null
xset s off 2> /dev/null
debug "Installing dependencies"
installDeps
debug "Enabling redis and gnupg modules"
phpenmod -v 7.3 redis
phpenmod -v 7.3 gnupg
debug "Apache2 ops: dismod: status php7.2 - dissite: 000-default enmod: ssl rewrite headers php7.3 ensite: default-ssl"
a2dismod status
a2dismod php7.2
a2enmod ssl rewrite headers php7.3
a2dissite 000-default
a2ensite default-ssl
debug "Restarting mysql.service"
systemctl restart mysql.service
debug "Fixing redis rc script on Kali"
fixRedis
debug "git clone, submodule update everything"
mkdir $PATH_TO_MISP
chown www-data:www-data $PATH_TO_MISP
cd $PATH_TO_MISP
$SUDO_WWW git clone https://github.com/MISP/MISP.git $PATH_TO_MISP
$SUDO_WWW git config core.filemode false
cd $PATH_TO_MISP
$SUDO_WWW git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
$SUDO_WWW git submodule foreach --recursive git config core.filemode false
cd $PATH_TO_MISP/app/files/scripts
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
debug "Installing python-cybox"
cd $PATH_TO_MISP/app/files/scripts/python-cybox
pip3 install .
debug "Installing python-stix"
cd $PATH_TO_MISP/app/files/scripts/python-stix
pip3 install .
# install STIX2.0 library to support STIX 2.0 export:
debug "Installing cti-python-stix2"
cd ${PATH_TO_MISP}/cti-python-stix2
pip3 install -I .
debug "Installing mixbox"
cd $PATH_TO_MISP/app/files/scripts/mixbox
pip3 install .
# install PyMISP
debug "Installing PyMISP"
cd $PATH_TO_MISP/PyMISP
pip3 install .
# Install Crypt_GPG and Console_CommandLine
debug "Installing pear Console_CommandLine"
pear install ${PATH_TO_MISP}/INSTALL/dependencies/Console_CommandLine/package.xml
debug "Installing pear Crypt_GPG"
pear install ${PATH_TO_MISP}/INSTALL/dependencies/Crypt_GPG/package.xml
debug "Installing composer with php 7.3 updates"
composer73
$SUDO_WWW cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
chown -R www-data:www-data $PATH_TO_MISP
chmod -R 750 $PATH_TO_MISP
chmod -R g+ws $PATH_TO_MISP/app/tmp
chmod -R g+ws $PATH_TO_MISP/app/files
chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
debug "Setting up database"
if [ ! -e /var/lib/mysql/misp/users.ibd ]; then
echo "
set timeout 10
spawn mysql_secure_installation
expect \"Enter current password for root (enter for none):\"
send -- \"\r\"
expect \"Set root password?\"
send -- \"y\r\"
expect \"New password:\"
send -- \"${DBPASSWORD_ADMIN}\r\"
expect \"Re-enter new password:\"
send -- \"${DBPASSWORD_ADMIN}\r\"
expect \"Remove anonymous users?\"
send -- \"y\r\"
expect \"Disallow root login remotely?\"
send -- \"y\r\"
expect \"Remove test database and access to it?\"
send -- \"y\r\"
expect \"Reload privilege tables now?\"
send -- \"y\r\"
expect eof" | expect -f -
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;"
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';"
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant all privileges on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "flush privileges;"
enableServices
$SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME
echo "<?php
class DATABASE_CONFIG {
public \$default = array(
'datasource' => 'Database/Mysql',
//'datasource' => 'Database/Postgres',
'persistent' => false,
'host' => '$DBHOST',
'login' => '$DBUSER_MISP',
'port' => 3306, // MySQL & MariaDB
//'port' => 5432, // PostgreSQL
'password' => '$DBPASSWORD_MISP',
'database' => '$DBNAME',
'prefix' => '',
'encoding' => 'utf8',
);
}" | $SUDO_WWW tee $PATH_TO_MISP/app/Config/database.php
else
echo "There might be a database already existing here: /var/lib/mysql/misp/users.ibd"
echo "Skipping any creations…"
sleep 3
fi
debug "Generating Certificate"
openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
debug "Generating Apache Conf"
genApacheConf
echo "127.0.0.1 misp.local" | tee -a /etc/hosts
debug "Installing MISP dashboard"
mispDashboard
debug "Disabling site default-ssl, enabling misp-ssl"
a2dissite default-ssl
a2ensite misp-ssl
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
do
sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
debug "Restarting Apache2"
systemctl restart apache2
debug "Setting up logrotate"
cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
chmod 0640 /etc/logrotate.d/misp
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/core.default.php $PATH_TO_MISP/app/Config/core.php
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php
chown -R www-data:www-data $PATH_TO_MISP/app/Config
chmod -R 750 $PATH_TO_MISP/app/Config
debug "Setting up GnuPG"
setupGnuPG
chmod +x $PATH_TO_MISP/app/Console/worker/start.sh
debug "Running Core Cake commands"
coreCAKE
debug "Update: Galaxies, Template Objects, Warning Lists, Notice Lists, Taxonomies"
updateGOWNT
debug "Generating rc.local"
genRCLOCAL
gitPullAllRCLOCAL
debug "Installing misp-modules"
mispmodules
debug "Installing Viper"
viper
debug "Setting permissions"
permissions
debug "Running Then End!"
theEnd
}
debug "Checking for parameters or Kali Install"
if [[ $# -ne 1 && $0 != "/tmp/misp-kali.sh" ]]; then
usage
exit
else
debug "Setting install options with given parameters."
setOpt $@
checkOpt core && echo "core selected"
checkOpt viper && echo "viper selected"
checkOpt modules && echo "modules selected"
checkOpt dashboard && echo "dashboard selected"
checkOpt mail2 && echo "mail2 selected"
checkOpt all && echo "all selected"
checkOpt pre && echo "pre selected"
fi
debug "Checking flavour"
checkFlavour
debug "Setting MISP variables"
MISPvars
if [ "${FLAVOUR}" == "kali" ]; then
kaliOnRootR0ckz
installMISPonKali
exit
fi

673
INSTALL/INSTALL.kali.txt
View File

@ -1,673 +0,0 @@
#!/usr/bin/env bash
#INSTALLATION INSTRUCTIONS
#------------------------- for Kali Linux
#
#0/ Quick MISP Instance on Kali Linux - Status
#---------------------------------------------
#
#1/ Prepare Kali with a MISP User
#--------------------------------
# To install MISP on Kali copy paste this in your r00t shell:
# wget -O /tmp/misp-kali.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.kali.txt && bash /tmp/misp-kali.sh
# /!\ Please read the installer script before randomly doing the above.
# The script is tested on a plain vanilla Kali Linux Boot CD and installs quite a few dependencies.
# Bug: /tmp/misp-kali.sh: line 142: pip3: command not found
MISP_USER='misp'
MISP_PASSWORD='Password1234'
function kaliOnRootR0ckz() {
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root"
exit 1
elif [[ $(id $MISP_USER >/dev/null; echo $?) -ne 0 ]]; then
useradd -s /bin/bash -m -G adm,cdrom,sudo,dip,plugdev,www-data $MISP_USER
echo $MISP_USER:$MISP_PASSWORD | chpasswd
else
echo "User ${MISP_USER} exists, skipping creation"
fi
}
function installMISPonKali() {
# MISP configuration variables
PATH_TO_MISP='/var/www/MISP'
MISP_BASEURL='https://misp.local'
MISP_LIVE='1'
CAKE="$PATH_TO_MISP/app/Console/cake"
# Database configuration
DBHOST='localhost'
DBNAME='misp'
DBUSER_ADMIN='root'
DBPASSWORD_ADMIN="$(openssl rand -hex 32)"
DBUSER_MISP='misp'
DBPASSWORD_MISP="$(openssl rand -hex 32)"
# Webserver configuration
FQDN='misp.local'
# OpenSSL configuration
OPENSSL_CN=$FQDN
OPENSSL_C='LU'
OPENSSL_ST='State'
OPENSSL_L='Location'
OPENSSL_O='Organization'
OPENSSL_OU='Organizational Unit'
OPENSSL_EMAILADDRESS='info@localhost'
# GPG configuration
GPG_REAL_NAME='Autogenerated Key'
GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
GPG_EMAIL_ADDRESS='admin@admin.test'
GPG_KEY_LENGTH='2048'
GPG_PASSPHRASE='Password1234'
# php.ini configuration
upload_max_filesize=50M
post_max_size=50M
max_execution_time=300
memory_limit=512M
PHP_INI=/etc/php/7.3/apache2/php.ini
# apt config
export DEBIAN_FRONTEND=noninteractive
# sudo config to run $LUSER commands
SUDO="sudo -u ${MISP_USER}"
SUDO_WWW="sudo -u www-data"
echo "Admin (${DBUSER_ADMIN}) DB Password: ${DBPASSWORD_ADMIN}"
echo "User (${DBUSER_MISP}) DB Password: ${DBPASSWORD_MISP}"
echo "-----------------------------------------------------------------------"
echo "Disabling sleep etc…"
gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-timeout 0
gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-battery-timeout 0
gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-battery-type 'nothing'
xset s 0 0 2> /dev/null
xset dpms 0 0 2> /dev/null
xset s off 2> /dev/null
apt update
apt install -qy etckeeper
# Skip dist-upgrade for now, pulls in 500+ updated packages
#sudo apt -y dist-upgrade
git config --global user.email "root@kali.lan"
git config --global user.name "Root User"
apt install -qy postfix
apt install -qy \
curl gcc git gnupg-agent make openssl redis-server neovim zip libyara-dev python3-yara python3-redis python3-zmq \
mariadb-client \
mariadb-server \
apache2 apache2-doc apache2-utils \
libapache2-mod-php7.3 php7.3 php7.3-cli php7.3-mbstring php-pear php7.3-dev php7.3-json php7.3-xml php7.3-mysql php7.3-opcache php7.3-readline php-redis php-gnupg \
python3-dev python3-pip libpq5 libjpeg-dev libfuzzy-dev ruby asciidoctor \
libxml2-dev libxslt1-dev zlib1g-dev python3-setuptools expect
modprobe tpm-rng 2> /dev/null
if [ "$?" -eq "0" ]; then
echo tpm-rng >> /etc/modules
fi
apt install -qy rng-tools # This might fail on TPM grounds, enable the security chip in your BIOS
service rng-tools start
if [ "$?" -eq "1" ]; then
apt purge -qy rng-tools
apt install -qy haveged
/etc/init.d/haveged start
fi
phpenmod -v 7.3 redis
phpenmod -v 7.3 gnupg
a2dismod status
a2dismod php7.2
a2enmod ssl rewrite headers php7.3
a2dissite 000-default
a2ensite default-ssl
systemctl restart mysql.service
#update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
#update-alternatives --install /usr/bin/python python /usr/bin/python3.6 2
# As of 20190124 redis-server init.d scripts are broken and need to be replaced
mv /etc/init.d/redis-server /etc/init.d/redis-server_`date +%Y%m%d`
echo '#! /bin/sh
### BEGIN INIT INFO
# Provides: redis-server
# Required-Start: $syslog
# Required-Stop: $syslog
# Should-Start: $local_fs
# Should-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: redis-server - Persistent key-value db
# Description: redis-server - Persistent key-value db
### END INIT INFO
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/bin/redis-server
DAEMON_ARGS=/etc/redis/redis.conf
NAME=redis-server
DESC=redis-server
PIDFILE=/var/run/redis.pid
test -x $DAEMON || exit 0
test -x $DAEMONBOOTSTRAP || exit 0
set -e
case "$1" in
start)
echo -n "Starting $DESC: "
touch $PIDFILE
chown redis:redis $PIDFILE
if start-stop-daemon --start --quiet --umask 007 --pidfile $PIDFILE --chuid redis:redis --exec $DAEMON -- $DAEMON_ARGS
then
echo "$NAME."
else
echo "failed"
fi
;;
stop)
echo -n "Stopping $DESC: "
if start-stop-daemon --stop --retry 10 --quiet --oknodo --pidfile $PIDFILE --exec $DAEMON
then
echo "$NAME."
else
echo "failed"
fi
rm -f $PIDFILE
;;
restart|force-reload)
${0} stop
${0} start
;;
*)
echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
exit 1
;;
esac
exit 0' | tee /etc/init.d/redis-server
chmod 755 /etc/init.d/redis-server
/etc/init.d/redis-server start
mkdir $PATH_TO_MISP
chown www-data:www-data $PATH_TO_MISP
cd $PATH_TO_MISP
$SUDO_WWW git clone https://github.com/MISP/MISP.git $PATH_TO_MISP
$SUDO_WWW git config core.filemode false
cd $PATH_TO_MISP
$SUDO_WWW git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
$SUDO_WWW git submodule foreach --recursive git config core.filemode false
cd $PATH_TO_MISP/app/files/scripts
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
cd $PATH_TO_MISP/app/files/scripts/python-cybox
pip3 install .
cd $PATH_TO_MISP/app/files/scripts/python-stix
pip3 install .
# install STIX2.0 library to support STIX 2.0 export:
cd ${PATH_TO_MISP}/cti-python-stix2
pip3 install -I .
cd $PATH_TO_MISP/app/files/scripts/
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
cd $PATH_TO_MISP/app/files/scripts/mixbox
pip3 install .
# install PyMISP
cd $PATH_TO_MISP/PyMISP
pip3 install .
cd $PATH_TO_MISP/app
mkdir /var/www/.composer ; chown www-data:www-data /var/www/.composer
# Update composer.phar
sudo -H -u www-data php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
sudo -H -u www-data php -r "if (hash_file('SHA384', 'composer-setup.php') === '93b54496392c062774670ac18b134c3b3a95e5a5e5c8f1a9f115f203b75bf9a129d5daa8ba6a13e2cc8a1da0806388a8') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
sudo -H -u www-data php composer-setup.php
sudo -H -u www-data php -r "unlink('composer-setup.php');"
$SUDO_WWW php composer.phar require kamisama/cake-resque:4.1.2
$SUDO_WWW php composer.phar config vendor-dir Vendor
$SUDO_WWW php composer.phar install
$SUDO_WWW cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
chown -R www-data:www-data $PATH_TO_MISP
chmod -R 750 $PATH_TO_MISP
chmod -R g+ws $PATH_TO_MISP/app/tmp
chmod -R g+ws $PATH_TO_MISP/app/files
chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
if [ ! -e /var/lib/mysql/misp/users.ibd ]; then
echo "
set timeout 10
spawn mysql_secure_installation
expect \"Enter current password for root (enter for none):\"
send -- \"\r\"
expect \"Set root password?\"
send -- \"y\r\"
expect \"New password:\"
send -- \"${DBPASSWORD_ADMIN}\r\"
expect \"Re-enter new password:\"
send -- \"${DBPASSWORD_ADMIN}\r\"
expect \"Remove anonymous users?\"
send -- \"y\r\"
expect \"Disallow root login remotely?\"
send -- \"y\r\"
expect \"Remove test database and access to it?\"
send -- \"y\r\"
expect \"Reload privilege tables now?\"
send -- \"y\r\"
expect eof" | expect -f -
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;"
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';"
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant all privileges on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "flush privileges;"
update-rc.d mysql enable
update-rc.d apache2 enable
update-rc.d redis-server enable
$SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME
echo "<?php
class DATABASE_CONFIG {
public \$default = array(
'datasource' => 'Database/Mysql',
//'datasource' => 'Database/Postgres',
'persistent' => false,
'host' => '$DBHOST',
'login' => '$DBUSER_MISP',
'port' => 3306, // MySQL & MariaDB
//'port' => 5432, // PostgreSQL
'password' => '$DBPASSWORD_MISP',
'database' => '$DBNAME',
'prefix' => '',
'encoding' => 'utf8',
);
}" | $SUDO_WWW tee $PATH_TO_MISP/app/Config/database.php
else
echo "There might be a database already existing here: /var/lib/mysql/misp/users.ibd"
echo "Skipping any creations…"
sleep 3
fi
openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
if [ ! -e /etc/rc.local ]
then
echo '#!/bin/sh -e' | tee -a /etc/rc.local
echo 'exit 0' | tee -a /etc/rc.local
chmod u+x /etc/rc.local
fi
cd /var/www
mkdir misp-dashboard
chown www-data:www-data misp-dashboard
$SUDO_WWW git clone https://github.com/MISP/misp-dashboard.git
cd misp-dashboard
/var/www/misp-dashboard/install_dependencies.sh
sed -i "s/^host\ =\ localhost/host\ =\ 0.0.0.0/g" /var/www/misp-dashboard/config/config.cfg
sed -i -e '$i \sudo -u www-data bash /var/www/misp-dashboard/start_all.sh\n' /etc/rc.local
sed -i -e '$i \sudo -u misp /usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &\n' /etc/rc.local
sed -i -e '$i \git_dirs="/usr/local/src/misp-modules/ /var/www/misp-dashboard /usr/local/src/faup /usr/local/src/mail_to_misp /usr/local/src/misp-modules /usr/local/src/viper /var/www/misp-dashboard"\n' /etc/rc.local
sed -i -e '$i \for d in $git_dirs; do\n' /etc/rc.local
sed -i -e '$i \ echo "Updating ${d}"\n' /etc/rc.local
sed -i -e '$i \ cd $d && sudo git pull &\n' /etc/rc.local
sed -i -e '$i \done\n' /etc/rc.local
$SUDO_WWW bash /var/www/misp-dashboard/start_all.sh
apt install libapache2-mod-wsgi-py3 -y
echo "<VirtualHost _default_:80>
ServerAdmin admin@localhost.lu
ServerName misp.local
Redirect permanent / https://misp.local
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>
<VirtualHost _default_:443>
ServerAdmin admin@localhost.lu
ServerName misp.local
DocumentRoot $PATH_TO_MISP/app/webroot
<Directory $PATH_TO_MISP/app/webroot>
Options -Indexes
AllowOverride all
Require all granted
Order allow,deny
allow from all
</Directory>
SSLEngine On
SSLCertificateFile /etc/ssl/private/misp.local.crt
SSLCertificateKeyFile /etc/ssl/private/misp.local.key
# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY
</VirtualHost>" | tee /etc/apache2/sites-available/misp-ssl.conf
echo "127.0.0.1 misp.local" | tee -a /etc/hosts
echo "<VirtualHost *:8001>
ServerAdmin admin@misp.local
ServerName misp.local
DocumentRoot /var/www/misp-dashboard
WSGIDaemonProcess misp-dashboard \
user=misp group=misp \
python-home=/var/www/misp-dashboard/DASHENV \
processes=1 \
threads=15 \
maximum-requests=5000 \
listen-backlog=100 \
queue-timeout=45 \
socket-timeout=60 \
connect-timeout=15 \
request-timeout=60 \
inactivity-timeout=0 \
deadlock-timeout=60 \
graceful-timeout=15 \
eviction-timeout=0 \
shutdown-timeout=5 \
send-buffer-size=0 \
receive-buffer-size=0 \
header-buffer-size=0 \
response-buffer-size=0 \
server-metrics=Off
WSGIScriptAlias / /var/www/misp-dashboard/misp-dashboard.wsgi
<Directory /var/www/misp-dashboard>
WSGIProcessGroup misp-dashboard
WSGIApplicationGroup %{GLOBAL}
Require all granted
</Directory>
LogLevel info
ErrorLog /var/log/apache2/misp-dashboard.local_error.log
CustomLog /var/log/apache2/misp-dashboard.local_access.log combined
ServerSignature Off
</VirtualHost>" | tee /etc/apache2/sites-available/misp-dashboard.conf
a2dissite default-ssl
a2ensite misp-ssl
a2ensite misp-dashboard
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
do
sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
systemctl restart apache2
cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
chmod 0640 /etc/logrotate.d/misp
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/core.default.php $PATH_TO_MISP/app/Config/core.php
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php
chown -R www-data:www-data $PATH_TO_MISP/app/Config
chmod -R 750 $PATH_TO_MISP/app/Config
$CAKE Live $MISP_LIVE
$CAKE Baseurl $MISP_BASEURL
echo "%echo Generating a default key
Key-Type: default
Key-Length: $GPG_KEY_LENGTH
Subkey-Type: default
Name-Real: $GPG_REAL_NAME
Name-Comment: $GPG_COMMENT
Name-Email: $GPG_EMAIL_ADDRESS
Expire-Date: 0
Passphrase: $GPG_PASSPHRASE
# Do a commit here, so that we can later print "done"
%commit
%echo done" > /tmp/gen-key-script
$SUDO_WWW gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-key-script
$SUDO_WWW sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS" | $SUDO_WWW tee $PATH_TO_MISP/app/webroot/gpg.asc
chmod +x $PATH_TO_MISP/app/Console/worker/start.sh
$CAKE userInit -q
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
$CAKE Admin setSetting "Plugin.ZeroMQ_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
$CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost"
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq"
$CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false
$CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
$CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false
$CAKE Admin setSetting "GnuPG.email" "admin@admin.test"
$CAKE Admin setSetting "GnuPG.homedir" "/var/www/MISP/.gnupg"
$CAKE Admin setSetting "GnuPG.password" "Password1234"
$CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
$CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
$CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
$CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
$CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
$CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
$CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
$CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
$CAKE Admin setSetting "Plugin.Import_services_enable" true
$CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
$CAKE Admin setSetting "Plugin.Import_services_port" 6666
$CAKE Admin setSetting "Plugin.Import_timeout" 300
$CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
$CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
$CAKE Admin setSetting "Plugin.Export_services_enable" true
$CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
$CAKE Admin setSetting "Plugin.Export_services_port" 6666
$CAKE Admin setSetting "Plugin.Export_timeout" 300
$CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
$CAKE Admin setSetting "MISP.host_org_id" 1
$CAKE Admin setSetting "MISP.email" "info@admin.test"
$CAKE Admin setSetting "MISP.disable_emailing" false
$CAKE Admin setSetting "MISP.contact" "info@admin.test"
$CAKE Admin setSetting "MISP.disablerestalert" true
$CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true
$CAKE Admin setSetting "Plugin.Cortex_services_enable" false
$CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
$CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
$CAKE Admin setSetting "Plugin.Cortex_timeout" 120
$CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
$CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
$CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120
$CAKE Admin setSetting "Plugin.Cortex_services_authkey" ""
$CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
$CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false
$CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true
$CAKE Admin setSetting "Plugin.Sightings_policy" 0
$CAKE Admin setSetting "Plugin.Sightings_anonymise" false
$CAKE Admin setSetting "Plugin.Sightings_range" 365
$CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
$CAKE Admin setSetting "Plugin.RPZ_policy" "DROP"
$CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
$CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00"
$CAKE Admin setSetting "Plugin.RPZ_refresh" "2h"
$CAKE Admin setSetting "Plugin.RPZ_retry" "30m"
$CAKE Admin setSetting "Plugin.RPZ_expiry" "30d"
$CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
$CAKE Admin setSetting "Plugin.RPZ_ttl" "1w"
$CAKE Admin setSetting "Plugin.RPZ_ns" "localhost."
$CAKE Admin setSetting "Plugin.RPZ_ns_alt" ""
$CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost"
$CAKE Admin setSetting "MISP.language" "eng"
$CAKE Admin setSetting "MISP.proposals_block_attributes" false
$CAKE Admin setSetting "MISP.redis_host" "127.0.0.1"
$CAKE Admin setSetting "MISP.redis_port" 6379
$CAKE Admin setSetting "MISP.redis_database" 13
$CAKE Admin setSetting "MISP.redis_password" ""
$CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40
$CAKE Admin setSetting "MISP.extended_alert_subject" false
$CAKE Admin setSetting "MISP.default_event_threat_level" 4
$CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
$CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
$CAKE Admin setSetting "MISP.enableEventBlacklisting" true
$CAKE Admin setSetting "MISP.enableOrgBlacklisting" true
$CAKE Admin setSetting "MISP.log_client_ip" false
$CAKE Admin setSetting "MISP.log_auth" false
$CAKE Admin setSetting "MISP.disableUserSelfManagement" false
$CAKE Admin setSetting "MISP.block_event_alert" false
$CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
$CAKE Admin setSetting "MISP.block_old_event_alert" false
$CAKE Admin setSetting "MISP.block_old_event_alert_age" ""
$CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false
$CAKE Admin setSetting "MISP.footermidleft" "This is an autogenerated install"
$CAKE Admin setSetting "MISP.footermidright" "Please configure accordingly and do not use in production"
$CAKE Admin setSetting "MISP.welcome_text_top" "Autogenerated install, please configure and harden accordingly"
$CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP on Kali"
$CAKE Admin setSetting "Security.password_policy_length" 12
$CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
$CAKE Admin setSetting "Session.autoRegenerate" 0
$CAKE Admin setSetting "Session.timeout" 600
$CAKE Admin setSetting "Session.cookie_timeout" 3600
$CAKE Live $MISP_LIVE
#$CAKE Admin updateGalaxies
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/galaxies/update
$CAKE Admin updateTaxonomies
#$CAKE Admin updateWarningLists
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/warninglists/update
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update
sed -i -e '$i \echo never > /sys/kernel/mm/transparent_hugepage/enabled\n' /etc/rc.local
sed -i -e '$i \echo 1024 > /proc/sys/net/core/somaxconn\n' /etc/rc.local
sed -i -e '$i \sysctl vm.overcommit_memory=1\n' /etc/rc.local
sed -i -e '$i \sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh\n' /etc/rc.local
sed -i -e '$i \sudo -u www-data misp-modules -l 0.0.0.0 -s &\n' /etc/rc.local
$SUDO_WWW bash $PATH_TO_MISP/app/Console/worker/start.sh
cd /usr/local/src/
git clone https://github.com/MISP/misp-modules.git
cd misp-modules
# pip3 install
pip3 install -I -r REQUIREMENTS
pip3 install -I .
pip3 install maec lief python-magic wand yara
pip3 install git+https://github.com/kbandla/pydeep.git
gem install pygments.rb
gem install asciidoctor-pdf --pre
$SUDO_WWW misp-modules -l 0.0.0.0 -s &
cd /usr/local/src/
apt-get install -y libssl-dev swig python3-ssdeep p7zip-full unrar-free sqlite python3-pyclamd exiftool radare2
pip3 install SQLAlchemy PrettyTable python-magic
git clone https://github.com/viper-framework/viper.git
chown -R $MISP_USER:$MISP_USER viper
cd viper
$SUDO git submodule update --init --recursive
pip3 install scrapy
pip3 install -r requirements.txt
pip3 uninstall yara -y
$SUDO /usr/local/src/viper/viper-cli -h > /dev/null
$SUDO /usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &
echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/src/viper:/var/www/MISP/app/Console"' |tee /etc/environment
echo ". /etc/environment" >> /home/${MISP_USER}/.profile
$SUDO sed -i "s/^misp_url\ =/misp_url\ =\ http:\/\/localhost/g" /home/${MISP_USER}/.viper/viper.conf
$SUDO sed -i "s/^misp_key\ =/misp_key\ =\ $AUTH_KEY/g" /home/${MISP_USER}/.viper/viper.conf
while [ "$(sqlite3 /home/${MISP_USER}/.viper/admin.db 'UPDATE auth_user SET password="pbkdf2_sha256$100000$iXgEJh8hz7Cf$vfdDAwLX8tko1t0M1TLTtGlxERkNnltUnMhbv56wK/U="'; echo $?)" -ne "0" ]; do
# FIXME This might lead to a race condition, the while loop is sub-par
chown $MISP_USER:$MISP_USER /home/${MISP_USER}/.viper/admin.db
echo "Updating viper-web admin password, giving process time to start-up, sleeping 5, 4, 3,…"
sleep 6
done
chown -R www-data:www-data $PATH_TO_MISP
chmod -R 750 $PATH_TO_MISP
chmod -R g+ws $PATH_TO_MISP/app/tmp
chmod -R g+ws $PATH_TO_MISP/app/files
chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
# TODO: fix faup
cd /usr/local/src/
apt-get install -y cmake
git clone https://github.com/MISP/mail_to_misp.git
git clone git://github.com/stricaud/faup.git faup
chown -R ${MISP_USER}:${MISP_USER} faup mail_to_misp
cd faup
$SUDO mkdir -p build
cd build
$SUDO cmake .. && $SUDO make
make install
ldconfig
cd ../../
cd mail_to_misp
pip3 install -r requirements.txt
$SUDO cp mail_to_misp_config.py-example mail_to_misp_config.py
sed -i "s/^misp_url\ =\ 'YOUR_MISP_URL'/misp_url\ =\ 'http:\/\/localhost'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py
sed -i "s/^misp_key\ =\ 'YOUR_KEY_HERE'/misp_key\ =\ '$AUTH_KEY'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py
echo ""
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN" > /home/${MISP_USER}/mysql.txt
echo "User (misp) DB Password: $DBPASSWORD_MISP" >> /home/${MISP_USER}/mysql.txt
echo "Authkey: $AUTH_KEY" > /home/${MISP_USER}/MISP-authkey.txt
clear
echo "-------------------------------------------------------------------------"
echo "MISP Installed, access here: https://misp.local"
echo "User: admin@admin.test"
echo "Password: admin"
echo "MISP Dashboard, access here: http://misp.local:8001"
echo "-------------------------------------------------------------------------"
cat /home/${MISP_USER}/mysql.txt
cat /home/${MISP_USER}/MISP-authkey.txt
echo "-------------------------------------------------------------------------"
echo "The LOCAL system credentials:"
echo "User: ${MISP_USER}"
echo "Password: ${MISP_PASSWORD}"
echo "-------------------------------------------------------------------------"
echo "viper-web installed, access here: http://misp.local:8888"
echo "viper-cli configured with your MISP Site Admin Auth Key"
echo "User: admin"
echo "Password: Password1234"
echo "-------------------------------------------------------------------------"
echo "To enable outgoing mails via postfix set a permissive SMTP server for the domains you want to contact:"
echo ""
echo "sudo postconf -e 'relayhost = example.com'"
echo "sudo postfix reload"
echo "-------------------------------------------------------------------------"
echo "Enjoy using MISP. For any issues see here: https://github.com/MISP/MISP/issues"
su - misp
}
kaliOnRootR0ckz
installMISPonKali

1
INSTALL/INSTALL.kali.txt Symbolic link
View File

@ -0,0 +1 @@
INSTALL.debian.sh

2
INSTALL/apache.misp.centos7.ssl
View File

@ -32,7 +32,7 @@
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/misp.local.crt
SSLCertificateKeyFile /etc/pki/tls/private/misp.local.key
# SSLCertificateChainFile /etc/pki/tls/certs/misp-chain.crt
SSLCertificateChainFile /etc/pki/tls/certs/misp-chain.crt
LogLevel warn
ErrorLog /var/log/httpd/misp.local_error.log

2
PyMISP

@ -1 +1 @@
Subproject commit bab80181f17976cb6c5388e7bad49cbbf514fb89
Subproject commit dc5d40a327233895792b8148a7c87d5a1c2ebfb1

4
README.md
View File

@ -107,8 +107,8 @@ This software is licensed under [GNU Affero General Public License version 3](ht
* Copyright (C) 2012 Christophe Vandeplas
* Copyright (C) 2012 Belgian Defence
* Copyright (C) 2012 NATO / NCIRC
* Copyright (C) 2013-2018 Andras Iklody
* Copyright (C) 2015-2018 CIRCL - Computer Incident Response Center Luxembourg
* Copyright (C) 2013-2019 Andras Iklody
* Copyright (C) 2015-2019 CIRCL - Computer Incident Response Center Luxembourg
* Copyright (C) 2016 Andreas Ziegler
For more information, [the list of authors and contributors](AUTHORS) is available.

5
app/Controller/EventsController.php
View File

@ -3871,6 +3871,9 @@ class EventsController extends AppController
} else {
$data = $this->request->data;
}
if (!isset($data['request'])) {
$data = array('request' => $data);
}
$paramArray = array('id', 'withAttachment', 'tags', 'from', 'to', 'last');
foreach ($paramArray as $p) {
if (isset($data['request'][$p])) {
@ -3920,7 +3923,7 @@ class EventsController extends AppController
}
$this->set('data', $result['data']);
} else {
throw new Exception(h($result['message']));
throw new BadRequestException(h($result['message']));
}
}

4
app/Controller/ShadowAttributesController.php
View File

@ -824,7 +824,7 @@ class ShadowAttributesController extends AppController
$id = $temp['Attribute']['id'];
}
$existingAttribute = $this->ShadowAttribute->Event->Attribute->fetchAttributes($this->Auth->user(), array('Attriute.id' => $id));
$existingAttribute = $this->ShadowAttribute->Event->Attribute->fetchAttributes($this->Auth->user(), array('conditions' => array('Attribute.id' => $id)));
if (empty($existingAttribute)) {
throw new NotFoundException(__('Invalid attribute.'));
}
@ -833,6 +833,7 @@ class ShadowAttributesController extends AppController
if (empty($existingAttribute)) {
return new CakeResponse(array('body'=> json_encode(array('false' => true, 'errors' => 'Invalid Attribute.')), 'status'=>200, 'type' => 'json'));
}
$existingAttribute = $existingAttribute[0];
$this->ShadowAttribute->create();
$sa = array(
'old_id' => $existingAttribute['Attribute']['id'],
@ -861,6 +862,7 @@ class ShadowAttributesController extends AppController
if (empty($existingAttribute)) {
throw new NotFoundException(__('Invalid Attribute'));
}
$existingAttribute = $existingAttribute[0];
$this->set('id', $id);
$this->set('event_id', $existingAttribute['Attribute']['event_id']);
$this->render('ajax/deletionProposalConfirmationForm');

44
app/Model/Attribute.php
View File

@ -72,7 +72,8 @@ class Attribute extends AppModel
'port',
'nationality',
'cortex',
'boolean'
'boolean',
'anonymised'
);
public $primaryOnlyCorrelatingTypes = array(
@ -160,6 +161,7 @@ class Attribute extends AppModel
'AS' => array('desc' => 'Autonomous system', 'default_category' => 'Network activity', 'to_ids' => 0),
'snort' => array('desc' => 'An IDS rule in Snort rule-format', 'formdesc' => "An IDS rule in Snort rule-format. This rule will be automatically rewritten in the NIDS exports.", 'default_category' => 'Network activity', 'to_ids' => 1),
'bro' => array('desc' => 'An NIDS rule in the Bro rule-format', 'formdesc' => "An NIDS rule in the Bro rule-format.", 'default_category' => 'Network activity', 'to_ids' => 1),
'zeek' => array('desc' => 'An NIDS rule in the Zeek rule-format', 'formdesc' => "An NIDS rule in the Zeek rule-format.", 'default_category' => 'Network activity', 'to_ids' => 1),
'pattern-in-file' => array('desc' => 'Pattern in file that identifies the malware', 'default_category' => 'Payload installation', 'to_ids' => 1),
'pattern-in-traffic' => array('desc' => 'Pattern in network traffic that identifies the malware', 'default_category' => 'Network activity', 'to_ids' => 1),
'pattern-in-memory' => array('desc' => 'Pattern in memory dump that identifies the malware', 'default_category' => 'Payload installation', 'to_ids' => 1),
@ -292,7 +294,8 @@ class Attribute extends AppModel
'passenger-name-record-locator-number' => array('desc' => 'The Passenger Name Record Locator is a key under which the reservation for a trip is stored in the system. The PNR contains, among other data, the name, flight segments and address of the passenger. It is defined by a combination of five or six letters and numbers.', 'default_category' => 'Person', 'to_ids' => 0),
'mobile-application-id' => array('desc' => 'The application id of a mobile application', 'default_category' => 'Payload delivery', 'to_ids' => 1),
'cortex' => array('desc' => 'Cortex analysis result', 'default_category' => 'External analysis', 'to_ids' => 0),
'boolean' => array('desc' => 'Boolean value - to be used in objects', 'default_category' => 'Other', 'to_ids' => 0)
'boolean' => array('desc' => 'Boolean value - to be used in objects', 'default_category' => 'Other', 'to_ids' => 0),
'anonymised' => array('desc' => 'Anonymised value - described with the anonymisation object via a relationship', 'formdesc' => 'Anonymised value - described with the anonymisation object via a relationship.' , 'default_category' => 'Other', 'to_ids' => 0)
// Not convinced about this.
//'url-regex' => array('desc' => '', 'default_category' => 'Person', 'to_ids' => 0),
);
@ -302,76 +305,76 @@ class Attribute extends AppModel
public $categoryDefinitions = array(
'Internal reference' => array(
'desc' => 'Reference used by the publishing party (e.g. ticket number)',
'types' => array('text', 'link', 'comment', 'other', 'hex')
'types' => array('text', 'link', 'comment', 'other', 'hex', 'anonymised')
),
'Targeting data' => array(
'desc' => 'Internal Attack Targeting and Compromise Information',
'formdesc' => 'Targeting information to include recipient email, infected machines, department, and or locations.',
'types' => array('target-user', 'target-email', 'target-machine', 'target-org', 'target-location', 'target-external', 'comment')
'types' => array('target-user', 'target-email', 'target-machine', 'target-org', 'target-location', 'target-external', 'comment', 'anonymised')
),
'Antivirus detection' => array(
'desc' => 'All the info about how the malware is detected by the antivirus products',
'formdesc' => 'List of anti-virus vendors detecting the malware or information on detection performance (e.g. 13/43 or 67%). Attachment with list of detection or link to VirusTotal could be placed here as well.',
'types' => array('link', 'comment', 'text', 'hex', 'attachment', 'other')
'types' => array('link', 'comment', 'text', 'hex', 'attachment', 'other', 'anonymised')
),
'Payload delivery' => array(
'desc' => 'Information about how the malware is delivered',
'formdesc' => 'Information about the way the malware payload is initially delivered, for example information about the email or web-site, vulnerability used, originating IP etc. Malware sample itself should be attached here.',
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy', 'authentihash', 'pehash', 'tlsh', 'cdhash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash','filename|impfuzzy', 'filename|pehash', 'mac-address', 'mac-eui-64', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'email-body', 'url', 'user-agent', 'AS', 'pattern-in-file', 'pattern-in-traffic', 'stix2-pattern', 'yara', 'sigma', 'mime-type', 'attachment', 'malware-sample', 'link', 'malware-type', 'comment', 'text', 'hex', 'vulnerability', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5', 'other', 'hostname|port', 'email-dst-display-name', 'email-src-display-name', 'email-header', 'email-reply-to', 'email-x-mailer', 'email-mime-boundary', 'email-thread-index', 'email-message-id', 'mobile-application-id', 'whois-registrant-email')
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy', 'authentihash', 'pehash', 'tlsh', 'cdhash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash','filename|impfuzzy', 'filename|pehash', 'mac-address', 'mac-eui-64', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'email-body', 'url', 'user-agent', 'AS', 'pattern-in-file', 'pattern-in-traffic', 'stix2-pattern', 'yara', 'sigma', 'mime-type', 'attachment', 'malware-sample', 'link', 'malware-type', 'comment', 'text', 'hex', 'vulnerability', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5', 'other', 'hostname|port', 'email-dst-display-name', 'email-src-display-name', 'email-header', 'email-reply-to', 'email-x-mailer', 'email-mime-boundary', 'email-thread-index', 'email-message-id', 'mobile-application-id', 'whois-registrant-email', 'anonymised')
),
'Artifacts dropped' => array(
'desc' => 'Any artifact (files, registry keys etc.) dropped by the malware or other modifications to the system',
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy', 'authentihash', 'cdhash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|impfuzzy','filename|pehash', 'regkey', 'regkey|value', 'pattern-in-file', 'pattern-in-memory','pdb', 'stix2-pattern', 'yara', 'sigma', 'attachment', 'malware-sample', 'named pipe', 'mutex', 'windows-scheduled-task', 'windows-service-name', 'windows-service-displayname', 'comment', 'text', 'hex', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'other', 'cookie', 'gene', 'mime-type')
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy', 'authentihash', 'cdhash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|impfuzzy','filename|pehash', 'regkey', 'regkey|value', 'pattern-in-file', 'pattern-in-memory','pdb', 'stix2-pattern', 'yara', 'sigma', 'attachment', 'malware-sample', 'named pipe', 'mutex', 'windows-scheduled-task', 'windows-service-name', 'windows-service-displayname', 'comment', 'text', 'hex', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'other', 'cookie', 'gene', 'mime-type', 'anonymised')
),
'Payload installation' => array(
'desc' => 'Info on where the malware gets installed in the system',
'formdesc' => 'Location where the payload was placed in the system and the way it was installed. For example, a filename|md5 type attribute can be added here like this: c:\\windows\\system32\\malicious.exe|41d8cd98f00b204e9800998ecf8427e.',
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy', 'authentihash', 'pehash', 'tlsh', 'cdhash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|impfuzzy', 'filename|pehash', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'stix2-pattern', 'yara', 'sigma', 'vulnerability', 'attachment', 'malware-sample', 'malware-type', 'comment', 'text', 'hex', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'mobile-application-id', 'other', 'mime-type')
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy', 'authentihash', 'pehash', 'tlsh', 'cdhash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|impfuzzy', 'filename|pehash', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'stix2-pattern', 'yara', 'sigma', 'vulnerability', 'attachment', 'malware-sample', 'malware-type', 'comment', 'text', 'hex', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'mobile-application-id', 'other', 'mime-type', 'anonymised')
),
'Persistence mechanism' => array(
'desc' => 'Mechanisms used by the malware to start at boot',
'formdesc' => 'Mechanisms used by the malware to start at boot. This could be a registry key, legitimate driver modification, LNK file in startup',
'types' => array('filename', 'regkey', 'regkey|value', 'comment', 'text', 'other', 'hex')
'types' => array('filename', 'regkey', 'regkey|value', 'comment', 'text', 'other', 'hex', 'anonymised')
),
'Network activity' => array(
'desc' => 'Information about network traffic generated by the malware',
'types' => array('ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'port', 'hostname', 'domain', 'domain|ip', 'mac-address', 'mac-eui-64', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'stix2-pattern', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256', 'ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5', 'other', 'hex', 'cookie', 'hostname|port', 'bro')
'types' => array('ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'port', 'hostname', 'domain', 'domain|ip', 'mac-address', 'mac-eui-64', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'stix2-pattern', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256', 'ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5', 'other', 'hex', 'cookie', 'hostname|port', 'bro', 'zeek', 'anonymised')
),
'Payload type' => array(
'desc' => 'Information about the final payload(s)',
'formdesc' => 'Information about the final payload(s). Can contain a function of the payload, e.g. keylogger, RAT, or a name if identified, such as Poison Ivy.',
'types' => array('comment', 'text', 'other')
'types' => array('comment', 'text', 'other', 'anonymised')
),
'Attribution' => array(
'desc' => 'Identification of the group, organisation, or country behind the attack',
'types' => array('threat-actor', 'campaign-name', 'campaign-id', 'whois-registrant-phone', 'whois-registrant-email', 'whois-registrant-name', 'whois-registrant-org', 'whois-registrar', 'whois-creation-date','comment', 'text', 'x509-fingerprint-sha1','x509-fingerprint-md5', 'x509-fingerprint-sha256', 'other', 'dns-soa-email')
'types' => array('threat-actor', 'campaign-name', 'campaign-id', 'whois-registrant-phone', 'whois-registrant-email', 'whois-registrant-name', 'whois-registrant-org', 'whois-registrar', 'whois-creation-date','comment', 'text', 'x509-fingerprint-sha1','x509-fingerprint-md5', 'x509-fingerprint-sha256', 'other', 'dns-soa-email', 'anonymised')
),
'External analysis' => array(
'desc' => 'Any other result from additional analysis of the malware like tools output',
'formdesc' => 'Any other result from additional analysis of the malware like tools output Examples: pdf-parser output, automated sandbox analysis, reverse engineering report.',
'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'mac-address', 'mac-eui-64', 'hostname', 'domain', 'domain|ip', 'url', 'user-agent', 'regkey', 'regkey|value', 'AS', 'snort', 'bro','pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5', 'github-repository', 'other', 'cortex')
'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'mac-address', 'mac-eui-64', 'hostname', 'domain', 'domain|ip', 'url', 'user-agent', 'regkey', 'regkey|value', 'AS', 'snort', 'bro', 'zeek', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5', 'github-repository', 'other', 'cortex', 'anonymised')
),
'Financial fraud' => array(
'desc' => 'Financial Fraud indicators',
'formdesc' => 'Financial Fraud indicators, for example: IBAN Numbers, BIC codes, Credit card numbers, etc.',
'types' => array('btc', 'xmr', 'iban', 'bic', 'bank-account-nr', 'aba-rtn', 'bin', 'cc-number', 'prtn', 'phone-number', 'comment', 'text', 'other', 'hex'),
'types' => array('btc', 'xmr', 'iban', 'bic', 'bank-account-nr', 'aba-rtn', 'bin', 'cc-number', 'prtn', 'phone-number', 'comment', 'text', 'other', 'hex', 'anonymised'),
),
'Support Tool' => array(
'desc' => 'Tools supporting analysis or detection of the event',
'types' => array('link', 'text', 'attachment', 'comment', 'other', 'hex')
'types' => array('link', 'text', 'attachment', 'comment', 'other', 'hex', 'anonymised')
),
'Social network' => array(
'desc' => 'Social networks and platforms',
// email-src and email-dst or should we go with a new email type that is neither / both?
'types' => array('github-username', 'github-repository', 'github-organisation', 'jabber-id', 'twitter-id', 'email-src', 'email-dst', 'comment', 'text', 'other', 'whois-registrant-email')
'types' => array('github-username', 'github-repository', 'github-organisation', 'jabber-id', 'twitter-id', 'email-src', 'email-dst', 'comment', 'text', 'other', 'whois-registrant-email', 'anonymised')
),
'Person' => array(
'desc' => 'A human being - natural person',
'types' => array('first-name', 'middle-name', 'last-name', 'date-of-birth', 'place-of-birth', 'gender', 'passport-number', 'passport-country', 'passport-expiration', 'redress-number', 'nationality', 'visa-number', 'issue-date-of-the-visa', 'primary-residence', 'country-of-residence', 'special-service-request', 'frequent-flyer-number', 'travel-details', 'payment-details', 'place-port-of-original-embarkation', 'place-port-of-clearance', 'place-port-of-onward-foreign-destination', 'passenger-name-record-locator-number', 'comment', 'text', 'other', 'phone-number', 'identity-card-number')
'types' => array('first-name', 'middle-name', 'last-name', 'date-of-birth', 'place-of-birth', 'gender', 'passport-number', 'passport-country', 'passport-expiration', 'redress-number', 'nationality', 'visa-number', 'issue-date-of-the-visa', 'primary-residence', 'country-of-residence', 'special-service-request', 'frequent-flyer-number', 'travel-details', 'payment-details', 'place-port-of-original-embarkation', 'place-port-of-clearance', 'place-port-of-onward-foreign-destination', 'passenger-name-record-locator-number', 'comment', 'text', 'other', 'phone-number', 'identity-card-number', 'anonymised')
),
'Other' => array(
'desc' => 'Attributes that are not part of any other category or are meant to be used as a component in MISP objects in the future',
'types' => array('comment', 'text', 'other', 'size-in-bytes', 'counter', 'datetime', 'cpe', 'port', 'float', 'hex', 'phone-number', 'boolean')
'types' => array('comment', 'text', 'other', 'size-in-bytes', 'counter', 'datetime', 'cpe', 'port', 'float', 'hex', 'phone-number', 'boolean', 'anonymised')
)
);
@ -424,7 +427,7 @@ class Attribute extends AppModel
// This helps generate quick filtering for the event view, but we may reuse this and enhance it in the future for other uses (such as the API?)
public $typeGroupings = array(
'file' => array('attachment', 'pattern-in-file', 'md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy', 'authentihash', 'pehash', 'tlsh', 'cdhash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|pehash', 'malware-sample', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256', 'x509-fingerprint-md5'),
'network' => array('ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port', 'mac-address', 'mac-eui-64', 'hostname', 'hostname|port', 'domain', 'domain|ip', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'bro','pattern-in-traffic', 'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256','ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5'),
'network' => array('ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port', 'mac-address', 'mac-eui-64', 'hostname', 'hostname|port', 'domain', 'domain|ip', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'bro', 'zeek', 'pattern-in-traffic', 'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256','ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5'),
'financial' => array('btc', 'xmr', 'iban', 'bic', 'bank-account-nr', 'aba-rtn', 'bin', 'cc-number', 'prtn', 'phone-number')
);
@ -1160,6 +1163,8 @@ class Attribute extends AppModel
case 'AS':
case 'snort':
case 'bro':
case 'zeek':
case 'anonymised':
case 'pattern-in-file':
case 'pattern-in-traffic':
case 'pattern-in-memory':
@ -1339,6 +1344,7 @@ class Attribute extends AppModel
case 'authentihash':
case 'imphash':
case 'tlsh':
case 'anonymised':
case 'cdhash':
case 'email-src':
case 'email-dst':

5
app/Model/AttributeTag.php
View File

@ -62,6 +62,11 @@ class AttributeTag extends AppModel
}
}
public function softDelete($id)
{
$this->delete($id);
}
public function attachTagToAttribute($attribute_id, $event_id, $tag_id)
{
$existingAssociation = $this->find('first', array(

5
app/Model/EventTag.php
View File

@ -56,6 +56,11 @@ class EventTag extends AppModel
}
}
public function softDelete($id)
{
$this->delete($id);
}
// take an array of tag names to be included and an array with tagnames to be excluded and find all event IDs that fit the criteria
public function getEventIDsFromTags($includedTags, $excludedTags)
{

4
app/Model/Feed.php
View File

@ -372,7 +372,7 @@ class Feed extends AppModel
$results = $pipe->exec();
if (!$overrideLimit && count($objects) > 10000) {
foreach ($results as $k => $result) {
if ($result) {
if ($result && empty($objects[$k]['disable_correlation'])) {
if (isset($event['FeedCount'])) {
$event['FeedCount']++;
} else {
@ -383,7 +383,7 @@ class Feed extends AppModel
}
} else {
foreach ($results as $k => $result) {
if ($result) {
if ($result && empty($objects[$k]['disable_correlation'])) {
$hitIds[] = $k;
}
}

207
app/Model/Tag.php
View File

@ -413,4 +413,211 @@ class Tag extends AppModel
}
return $events;
}
public function fixMitreTags($user)
{
$full_print_buffer = '';
$this->GalaxyCluster = Classregistry::init('GalaxyCluster');
// first find all tags that are the bad tags:
// - the enterprise-, pre- and mobile-attack
// - the old version of the MITRE tag (without Txx, Pxx, ...)
$mitre_categories = array('attack-pattern', 'course-of-action', 'intrusion-set', 'malware', 'mitre-tool');
$mitre_stages = array('enterprise-attack', 'pre-attack', 'mobile-attack');
$cluster_names = $this->GalaxyCluster->find('list',
array('fields' => array('GalaxyCluster.tag_name'),
'group' => array('GalaxyCluster.id', 'GalaxyCluster.tag_name'),
'conditions' => array('GalaxyCluster.tag_name LIKE' => 'misp-galaxy:mitre-%')
));
// this is a mapping to keep track of what old tag we need to change (key) to what new tag(value)
// key = old_tag_id, value = new_tag_name
$mappings = array();
// First find all tags which are the old format, but who's string needs to be updated
// Example: mitre-malware="XAgentOSX" => mitre-malware="XAgentOSX - S0161"
// Once found we will add these to a mapping
foreach ($mitre_categories as $category) {
$tag_start = 'misp-galaxy:mitre-' . $category;
// print("<h2>### Searching for $category</h2>");
$tags = $this->find('all', array(
'conditions' => array('Tag.name LIKE' => $tag_start . '=%'),
'recursive' => -1));
// print_r($tags);
foreach ($tags as $tag) {
$old_tag_name = $tag['Tag']['name'];
$old_tag_id = $tag['Tag']['id'];
$old_tag_name_without_quote = rtrim($old_tag_name, '"') . ' -';
foreach ($cluster_names as $cluster_name) {
// print("Searching for $old_tag_name in $cluster_name<br>");
if (strstr($cluster_name, $old_tag_name_without_quote)) {
// print("FOUND - $old_tag_name - $cluster_name<br/>");
$mappings[$old_tag_id] = $cluster_name;
break;
}
}
}
}
// Now find all tags that are from the enterprise, pre-attack and mobile-attack galaxies
foreach ($mitre_stages as $stage) {
foreach ($mitre_categories as $category) {
$tag_start = 'misp-galaxy:mitre-' . $stage . '-' . $category;
// print("<h2>### Searching for $stage-$category</h2>");
$tags = $this->find('all', array(
'conditions' => array('Tag.name LIKE' => $tag_start . '=%'),
'recursive' => -1));
// print_r($tags);
foreach ($tags as $tag) {
$old_tag_name = $tag['Tag']['name'];
$old_tag_id = $tag['Tag']['id'];
$new_tag_name = str_replace($stage.'-', '', $old_tag_name);
// print("Changing $old_tag_name to $new_tag_name<br/>");
if (in_array($new_tag_name, $cluster_names)) {
// valid tag as it exists in the galaxies, add to mapping
$mappings[$old_tag_id] = $new_tag_name;
} else {
// invalid tag, do some more magic
// print("Invalid new tag ! $old_tag_name to $new_tag_name<br/>");
$old_tag_name_without_quote = rtrim($new_tag_name, '"');
$found = false;
foreach ($cluster_names as $cluster_name) {
// print("Searching for $old_tag_name in $cluster_name<br>");
if (strstr($cluster_name, $old_tag_name_without_quote)) {
// print("-> FOUND - $old_tag_name - $cluster_name<br/>");
$mappings[$old_tag_id] = $cluster_name;
$found = true;
break;
}
}
if (!$found) {
print("Issue with tag, could not find a substitution, skipping: $old_tag_name<br/>");
}
}
}
}
}
$full_print_buffer .= "<h2>Mappings</h2>";
$full_print_buffer .= "<pre>". print_r($mappings, true) . "</pre>";
// now we know which tags (they keys of the mapping) need to be changed
// find all events and attributes using these tags and update them with the new version
$this->EventTag = Classregistry::init('EventTag');
$this->AttributeTag = Classregistry::init('AttributeTag');
$this->Event = Classregistry::init('Event');
$this->Attribute = Classregistry::init('Attribute');
$full_print_buffer .= "<h2>Conversion</h2>";
foreach ($mappings as $old_tag_id => $new_tag_name) {
$print_buffer = "";
$print_buffer .= "$old_tag_id => $new_tag_name<br/>";
$changed = False;
$new_tag = array(
'name' => $new_tag_name,
'colour' => '#0088cc');
$new_tag_id = $this->captureTag($new_tag, $user);
$print_buffer .= "&nbsp; New tag id $new_tag_id<br>";
//
// Events
//
$ets = $this->EventTag->find('all', array(
'recursive' => -1,
'conditions' => array('tag_id' => $old_tag_id),
'contain' => array('Event')
));
foreach ($ets as $et) {
$event = $et['Event'];
// skip events that are not from this instance or are locked (coming form another MISP)
if ($event['locked'] || $event['org_id'] != $event['orgc_id']) {
$print_buffer .= "&nbsp; Skipping event ".$event['id']."... not from here<br>";
continue;
}
$changed = True;
// remove the old EventTag
$print_buffer .= "&nbsp; Deleting event_tag ".$et['EventTag']['id']." for event ".$event['id']."<br>";
$this->EventTag->softDelete($et['EventTag']['id']);
// add the new Tag to the event
$new_et = array('EventTag' => array(
'event_id' => $event['id'],
'tag_id' => $new_tag_id
));
// check if the tag is already attached to the event - WARNING if data structures change this might break
$exists = $this->EventTag->find('first', array(
'recursive' => -1,
'conditions' => $new_et['EventTag']));
if (empty($exists)) {
// tag not yet associated with event
$print_buffer .= "&nbsp; Saving new tag association: event_id=".$event['id']." tag_id=".$new_tag_id."<br>";
$this->EventTag->save($new_et);
// increment the Event timestamp and save the event
$print_buffer .= "&nbsp; Saving the event with incremented timestamp<br>";
$event['timestamp'] += 1;
$this->Event->save($event);
} else {
$print_buffer .= "&nbsp; Not adding new tag as it's already associated to the event: event_id=".$event['id']." tag_id=".$new_tag_id."<br>";
}
}
//
// Attributes with tags
//
// find all AttributeTags for this specific tag. We do not load the attribute immediately as it's faster/better to only do this additional lookup when needed. (data we need to change)
$ats = $this->AttributeTag->find('all', array(
'recursive' => -1,
'conditions' => array('tag_id' => $old_tag_id),
));
foreach ($ats as $at) {
// $print_buffer .= "&nbsp; ".print_r($at, true)."<br>";
$event = $this->Event->find('first', array(
'recursive' => -1,
'conditions' => array('id' => $at['AttributeTag']['event_id'])
))['Event'];
// $print_buffer .= "<pre>".print_r($event, true)."</pre>";
// skip events that are not from this instance or are locked (coming form another MISP)
if ($event['locked'] || $event['org_id'] != $event['orgc_id']) {
$print_buffer .= "&nbsp; Skipping attribute for event ".$event['id']."... not from here<br>";
continue;
}
$attribute = $this->Attribute->find('first', array(
'recursive' => -1,
'conditions' => array('id' => $at['AttributeTag']['attribute_id'])
))['Attribute'];
$changed = True;
// remove the old AttributeTag
$print_buffer .= "&nbsp; Deleting attribute_tag ".$at['AttributeTag']['id']." for attribute ".$attribute['id']." for event ".$event['id']."<br>";
$this->AttributeTag->softDelete($at['AttributeTag']['id']);
// add the new Tag to the event
$new_at = array('AttributeTag' => array(
'event_id' => $event['id'],
'attribute_id' => $attribute['id'],
'tag_id' => $new_tag_id
));
// check if the tag is already attached to the event - WARNING if data structures change this might break
$exists = $this->AttributeTag->find('first', array(
'recursive' => -1,
'conditions' => $new_at['AttributeTag']));
if (empty($exists)) {
// tag not yet associated with attribute
$print_buffer .= "&nbsp; Saving new tag association: attribute_id=".$attribute['id']." event_id=".$event['id']." tag_id=".$new_tag_id."<br>";
$this->AttributeTag->save($new_at);
// increment the Attribute/Event timestamp and save them
$print_buffer .= "&nbsp; Saving the attribute/event with incremented timestamp<br>";
$attribute['timestamp'] += 1;
$this->Attribute->save($attribute);
$event['timestamp'] += 1;
$this->Event->save($event);
} else {
$print_buffer .= "&nbsp; Not adding new tag as it's already associated to the attribute: attribute_id=".$attribute['id']." event_id=".$event['id']." tag_id=".$new_tag_id."<br>";
}
}
if ($changed) {
$full_print_buffer .= $print_buffer;
} else {
// print("Tag has no 'unlocked' events or attributes: $old_tag_id => $new_tag_name<br/>");
// $full_print_buffer .= $print_buffer;
}
}
return $full_print_buffer;
}
}

4
app/View/Organisations/view.ctp
View File

@ -68,6 +68,10 @@
?>
&nbsp;
</dd>
<dt><?php echo __('Creation time'); ?></dt>
<dd><?php echo h($org['Organisation']['date_created']); ?></dd>
<dt><?php echo __('Last modified'); ?></dt>
<dd><?php echo h($org['Organisation']['date_modified']); ?></dd>
<?php endif;?>
<?php
$optionalFields = array('sector' => 'Sector', 'nationality' => 'Nationality', 'type' => 'Organisation type', 'contacts' => 'Contact information');

2
app/files/misp-objects

@ -1 +1 @@
Subproject commit beb0ec8bb7556fdbd2cdb64f9566d5543c56192a
Subproject commit f5c7530e0b375cdd1b72a98f532dca731f8a0b80

2
app/files/scripts/misp2stix.py
View File

@ -817,7 +817,7 @@ class StixBuilder(object):
if to_parse:
return
to_ids, attributes_dict = self.create_file_attributes_dict(misp_object['Attribute'])
if 'malware-sample' in attributes_dict:
if 'malware-sample' in attributes_dict and isinstance(attributes_dict['malware-sample'], dict):
malware_sample = attributes_dict.pop('malware-sample')
filename, md5 = malware_sample['value'].split('|')
artifact_object = self.create_artifact_object(malware_sample['data'])

22
app/webroot/js/event-graph.js
View File

@ -10,7 +10,7 @@ var edges = new vis.DataSet();
var typeaheadDataSearch;
var event_last_change = $('#eventgraph_network').data('event-timestamp');
var scope_id = $('#eventgraph_network').data('event-id');
var user_email = $('#eventgraph_network').data('user-email');
var user_email = $('#eventgraph_network').data('user-email');
var container = document.getElementById('eventgraph_network');
var user_manipulation = $('#eventgraph_network').data('user-manipulation');
var is_siteadmin = $('#eventgraph_network').data('is-site-admin');
@ -111,7 +111,7 @@ class EventGraph {
for (var event_id in that.extended_event_points) {
if (that.extended_event_color_mapping[event_id] === undefined) {
eventGraph.extended_event_color_mapping[event_id] = getRandomColor(event_id);
eventGraph.extended_event_color_mapping[event_id] = getRandomColor(event_id);
}
var chosen_color = eventGraph.extended_event_color_mapping[event_id];
@ -1266,7 +1266,7 @@ class EventGraph {
eventGraph.nodes.get().forEach(function(nodeD) {
var nodeP = nodePositions[nodeD.id];
if (nodeP !== undefined && nodeD.group != 'obj_relation') {
var temp = {
var temp = {
id: nodeD.id,
x: nodeP.x,
y: nodeP.y,
@ -1284,8 +1284,8 @@ class EventGraph {
eventGraph.hiddenNode.forEach(function(node) {
hiddenNodeData.push(node.id);
});
var data = {
var data = {
eventId: scope_id,
eventLastChange: event_last_change,
nodes: nodeData,
@ -1294,7 +1294,7 @@ class EventGraph {
scope: eventGraph.scope_name,
keyType: eventGraph.scope_keyType
},
physics: {
physics: {
solver: eventGraph.solver,
repulsion: parseInt($('#slider_physic_node_repulsion').val()),
enabled: $('#checkbox_physics_enable').prop("checked")
@ -1545,8 +1545,8 @@ class MispInteraction {
return;
}
genericPopup('/objectReferences/add/'+edgeData.from, '#popover_form', function() {
$('#targetSelect').val(uuid);
$('option[value='+uuid+']').click()
$('#ObjectReferenceReferencedUuid').val(uuid);
objectReferenceInput();
});
}
@ -1722,7 +1722,7 @@ class MispInteraction {
function drawExtendedEventHull(ctx, nodes, color, text) {
ctx.fillStyle = color+'88';
var hull = getHullFromPoints(nodes);
var start = hull[0];
var end = hull[hull.length-1];
var prev = start;
@ -1738,7 +1738,7 @@ function drawExtendedEventHull(ctx, nodes, color, text) {
var centerY = (end.y+start.y)/2;
ctx.quadraticCurveTo(centerX,centerY,start.x,start.y);
ctx.fill();
var centroid = getCentroid(hull);
ctx.beginPath();
ctx.font="30px Verdana";
@ -1768,7 +1768,7 @@ function getHullFromPoints(points) {
var q;
do {
hull.push(points[p]);
q = (p+1) % n;
for (var i=0; i<n; i++) {
if (orientation(points[p], points[i], points[q]) == 2) {

4
app/webroot/js/misp.js
View File

@ -45,8 +45,8 @@ function fetchAddSightingForm(type, attribute_id, page, onvalue) {
function flexibleAddSighting(clicked, type, attribute_id, event_id, value, page, placement) {
$clicked = $(clicked);
var html = '<div>'
+ '<button class="btn btn-primary" onclick="addSighting(\'' + type + '\', \'' + attribute_id + '\', \'' + event_id + '\', \'' + page + '\')">'+'id'+'</button>'
+ '<button class="btn btn-primary" style="margin-left:5px;" onclick="fetchAddSightingForm(\'' + type + '\', \'' + attribute_id + '\', \'' + page + '\', true)">' + value + '</button>'
+ '<button class="btn btn-primary" onclick="addSighting(\'' + type + '\', \'' + attribute_id + '\', \'' + event_id + '\', \'' + page + '\')">This attribute</button>'
+ '<button class="btn btn-primary" style="margin-left:5px;" onclick="fetchAddSightingForm(\'' + type + '\', \'' + attribute_id + '\', \'' + page + '\', true)">Global value</button>'
+ '</div>';
openPopover(clicked, html, true, placement);
}

10
docs/INSTALL.debian9.md
View File

@ -101,16 +101,6 @@ sudo a2enmod ssl rewrite
sudo a2dissite 000-default
sudo a2ensite default-ssl
sudo a2enmod headers
# Switch to python3 by default (optional)
sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.5 2
```
To flip between the 2 pythons use *update-alternatives*
```bash
sudo update-alternatives --config python
```
#### Apply all changes

2
docs/INSTALL.kali.md
View File

@ -8,7 +8,7 @@ This has been tested by @SteveClement on 20190115
To install MISP on Kali copy paste this in your r00t shell:
```bash
wget -O /tmp/misp-kali.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.kali.txt && bash /tmp/misp-kali.sh
wget -O /tmp/misp-kali.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.debian.sh && bash /tmp/misp-kali.sh
```
!!! notice

2
docs/INSTALL.rhel7.md
View File

@ -3,7 +3,7 @@
## 0/ Overview and Assumptions
{!generic/community.md!}
{!generic/rhelVScentos.md!}
!!! warning
The core MISP team cannot verify if this guide is working or not. Please help us in keeping it up to date and accurate.

4
docs/INSTALL.ubuntu1804.md
View File

@ -159,8 +159,8 @@ cd ${PATH_TO_MISP}/PyMISP
sudo -H -u www-data ${PATH_TO_MISP}/venv/bin/pip install .
# Install Crypt_GPG and Console_CommandLine
sudo -H -u www-data pear install ${PATH_TO_MISP}/INSTALL/dependencies/Console_CommandLine/package.xml
sudo -H -u www-data pear install ${PATH_TO_MISP}/INSTALL/dependencies/Crypt_GPG/package.xml
sudo pear install ${PATH_TO_MISP}/INSTALL/dependencies/Console_CommandLine/package.xml
sudo pear install ${PATH_TO_MISP}/INSTALL/dependencies/Crypt_GPG/package.xml
```
### 4/ CakePHP

3
docs/SSL.md Normal file
View File

@ -0,0 +1,3 @@
# Let's encrypt SSL with stock MISP install
This will explain how to enable [letsencrypt]*(https://letsencrypt.org/) on a stock Ubuntu/Debian MISP install.

12
docs/generic/MISP_CAKE_init_centos.md
View File

@ -57,6 +57,7 @@ sudo $RUN_PHP "$CAKE Admin setSetting "MISP.disable_emailing" true"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.contact" "info@admin.test""
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.disablerestalert" true"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.default_event_tag_collection" 0"
# Provisional Cortex tunes
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_enable" false"
@ -108,7 +109,7 @@ sudo $RUN_PHP "$CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.extended_alert_subject" false"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.default_event_threat_level" 4"
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team""
##sudo $RUN_PHP '$CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"'
##sudo $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team""
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.enableEventBlacklisting" true"
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.enableOrgBlacklisting" true"
@ -134,22 +135,23 @@ sudo $RUN_PHP "$CAKE Admin setSetting "Session.timeout" 600"
sudo $RUN_PHP "$CAKE Admin setSetting "Session.cookie_timeout" 3600"
# Update the galaxies…
sudo $RUN_PHP "$CAKE Admin updateGalaxies"
##sudo $RUN_PHP "$CAKE Admin updateGalaxies"
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/galaxies/update
# Updating the taxonomies…
sudo $RUN_PHP "$CAKE Admin updateTaxonomies"
# Updating the warning lists…
##sudo $RUN_PHP "$CAKE Admin updateWarningLists"
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST http://127.0.0.1/warninglists/update
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/warninglists/update
# Updating the notice lists…
## sudo $RUN_PHP "$CAKE Admin updateNoticeLists"
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST http://127.0.0.1/noticelists/update
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update
# Updating the object templates…
##sudo $RUN_PHP "$CAKE Admin updateObjectTemplates"
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST http://127.0.0.1/objectTemplates/update
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update
# Set MISP Live
sudo $RUN_PHP "$CAKE Live $MISP_LIVE"

8
docs/generic/misp-modules.md Normal file
View File

@ -0,0 +1,8 @@
#### Make some misp-modules available
```bash
sudo -H -u www-data $CAKE Admin setSetting "Plugin.Enrichment_asn_history_enabled" true
sudo -H -u www-data $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
sudo -H -u www-data $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
```

3
docs/generic/rhelVScentos.md Normal file
View File

@ -0,0 +1,3 @@
!!! notice
There are technically only minor differences between CentOS and RHEL.<br />
For more information on what might differ, [this StackExchange](https://unix.stackexchange.com/questions/27323/is-centos-exactly-the-same-as-rhel) question might answer some questions.

4
docs/xINSTALL.centos6.md
View File

@ -4,6 +4,10 @@
### 0/ MISP CentOS 6 Minimal NetInstall - Status
--------------------------------------------
{!generic/community.md!}
{!generic/rhelVScentos.md!}
!!! notice
Semi-maintained and tested by @SteveClement, CentOS 6.10 on 20181025<br />
It is still considered experimental as not everything works seemlessly.

64
docs/xINSTALL.centos7.md
View File

@ -4,6 +4,10 @@
### 0/ MISP CentOS 7 Minimal NetInstall - Status
--------------------------------------------
{!generic/community.md!}
{!generic/rhelVScentos.md!}
!!! notice
Semi-maintained and tested by @SteveClement, CentOS 7.5-1804 on 20181113<br />
It is still considered experimental as not everything works seemlessly.
@ -55,7 +59,13 @@ sudo yum install centos-release-scl -y
sudo yum install vim -y
# Install the dependencies:
sudo yum install gcc git httpd zip redis mariadb mariadb-server python-devel python-pip python-zmq libxslt-devel zlib-devel ssdeep-devel -y
sudo yum install gcc git zip \
httpd \
mod_ssl \
redis \
mariadb mariadb-server \
python-devel python-pip python-zmq \
libxslt-devel zlib-devel ssdeep-devel -y
# Install PHP 7.1 from SCL, see https://www.softwarecollections.org/en/scls/rhscl/rh-php71/
sudo yum install rh-php71 rh-php71-php-fpm rh-php71-php-devel rh-php71-php-mysqlnd rh-php71-php-mbstring rh-php71-php-xml rh-php71-php-bcmath rh-php71-php-opcache -y
@ -64,13 +74,8 @@ sudo yum install rh-php71 rh-php71-php-fpm rh-php71-php-devel rh-php71-php-mysql
# https://www.softwarecollections.org/en/scls/rhscl/rh-python36/
sudo yum install rh-python36 -y
# rh-php71-php only provided mod_ssl mod_php for httpd24-httpd from SCL
# if we want to use httpd from CentOS base we can use rh-php71-php-fpm instead
sudo systemctl enable rh-php71-php-fpm.service
sudo systemctl start rh-php71-php-fpm.service
sudo $RUN_PHP "pear channel-update pear.php.net"
sudo $RUN_PHP "pear install Crypt_GPG" # we need version >1.3.0
```
!!! notice
@ -97,7 +102,7 @@ sudo chown apache:apache $PATH_TO_MISP
cd /var/www
sudo -u apache git clone https://github.com/MISP/MISP.git
cd $PATH_TO_MISP
sudo -u apache git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
##sudo -u apache git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
# if the last shortcut doesn't work, specify the latest version manually
# example: git checkout tags/v2.4.XY
# the message regarding a "detached HEAD state" is expected behaviour
@ -108,6 +113,10 @@ sudo -u apache git submodule update --init --recursive
# Make git ignore filesystem permission differences for submodules
sudo -u apache git submodule foreach --recursive git config core.filemode false
# Install packaged pears
sudo $RUN_PHP "pear install ${PATH_TO_MISP}/INSTALL/dependencies/Console_CommandLine/package.xml"
sudo $RUN_PHP "pear install ${PATH_TO_MISP}/INSTALL/dependencies/Crypt_GPG/package.xml"
# Create a python3 virtualenv
sudo -u apache $RUN_PYTHON "virtualenv -p python3 $PATH_TO_MISP/venv"
sudo mkdir /usr/share/httpd/.cache
@ -174,7 +183,9 @@ sudo -u apache $RUN_PHP "php composer.phar require kamisama/cake-resque:4.1.2"
sudo -u apache $RUN_PHP "php composer.phar config vendor-dir Vendor"
sudo -u apache $RUN_PHP "php composer.phar install"
# CakeResque normally uses phpredis to connect to redis, but it has a (buggy) fallback connector through Redisent. It is highly advised to install phpredis using "yum install php-redis"
# CakeResque normally uses phpredis to connect to redis, but it has a (buggy)
# fallback connector through Redisent.
# It is highly advised to install phpredis using "yum install php-redis"
sudo $RUN_PHP "pecl install redis"
echo "extension=redis.so" |sudo tee /etc/opt/rh/rh-php71/php-fpm.d/redis.ini
sudo ln -s ../php-fpm.d/redis.ini /etc/opt/rh/rh-php71/php.d/99-redis.ini
@ -207,9 +218,11 @@ sudo chown -R root:apache /var/www/MISP
sudo find /var/www/MISP -type d -exec chmod g=rx {} \;
sudo chmod -R g+r,o= /var/www/MISP
sudo chmod -R 750 /var/www/MISP
sudo chmod -R g+ws /var/www/MISP/app/tmp
sudo chmod -R g+xws /var/www/MISP/app/tmp
sudo chmod -R g+ws /var/www/MISP/app/files
sudo chmod -R g+ws /var/www/MISP/app/files/scripts/tmp
sudo chmod -R g+rw /var/www/MISP/venv
sudo chmod -R g+rw /var/www/MISP/.git
sudo chown apache:apache /var/www/MISP/app/files
sudo chown apache:apache /var/www/MISP/app/files/terms
sudo chown apache:apache /var/www/MISP/app/files/scripts/tmp
@ -263,8 +276,11 @@ sudo yum remove tcl expect -y
echo [mysqld] |sudo tee /etc/my.cnf.d/bind-address.cnf
echo bind-address=127.0.0.1 |sudo tee -a /etc/my.cnf.d/bind-address.cnf
sudo systemctl restart mariadb.service
```
#### Manual procedure:
```bash
# Enter the mysql shell
mysql -u root -p
```
@ -276,8 +292,7 @@ MariaDB [(none)]> grant all privileges on misp.* to misp@localhost ;
MariaDB [(none)]> exit
```
#### copy/paste:
#### Same as Manual but for copy/paste foo:
```bash
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';"
@ -310,6 +325,21 @@ sudo -u apache cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DB
# A sample vhost can be found in /var/www/MISP/INSTALL/apache.misp.centos7
sudo cp /var/www/MISP/INSTALL/apache.misp.centos7.ssl /etc/httpd/conf.d/misp.ssl.conf
sudo rm /etc/httpd/conf.d/ssl.conf
sudo chmod 644 /etc/httpd/conf.d/misp.ssl.conf
sudo sed -i '/Listen 80/a Listen 443' /etc/httpd/conf/httpd.conf
echo $OPENSSL_CN
sudo systemctl start httpd.service
sudo openssl dhparam -out /etc/pki/tls/certs/dhparam.pem 4096
sudo openssl genrsa -des3 -passout pass:x -out /tmp/misp.local.key 4096
sudo openssl rsa -passin pass:x -in /tmp/misp.local.key -out /etc/pki/tls/certs/misp.local.key
sudo rm /tmp/misp.local.key
sudo openssl req -new -subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" -key /etc/pki/tls/certs/misp.local.key -out /etc/pki/tls/certs/misp.local.csr
sudo openssl x509 -req -days 365 -in /etc/pki/tls/certs/misp.local.csr -signkey /etc/pki/tls/private/misp.local.key -out /etc/pki/tls/certs/misp.local.crt
sudo ln -s /etc/pki/tls/certs/misp.local.csr /etc/pki/tls/certs/misp-chain.crt
cat /etc/pki/tls/certs/dhparam.pem |sudo tee -a /etc/pki/tls/certs/misp.local.crt
sudo systemctl restart httpd.service
# If a valid SSL certificate is not already created for the server, create a self-signed certificate:
sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
@ -323,7 +353,9 @@ sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/terms
sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/scripts/tmp
sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Plugin/CakeResque/tmp
sudo chcon -R -t usr_t /var/www/MISP/venv
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/.git
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/Config
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp/logs
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom
@ -482,17 +514,17 @@ sudo yum install -y openjpeg-devel
sudo chmod 2777 /usr/local/src
sudo chown root:users /usr/local/src
cd /usr/local/src/
git clone https://github.com/MISP/misp-modules.git
sudo -u apache git clone https://github.com/MISP/misp-modules.git
cd misp-modules
# pip install
sudo -u apache $PATH_TO_MISP/venv/bin/pip install -I -r REQUIREMENTS
sudo -u apache $PATH_TO_MISP/venv/bin/pip install .
sudo -H -u apache $PATH_TO_MISP/venv/bin/pip install -I -r REQUIREMENTS
sudo -H -u apache $PATH_TO_MISP/venv/bin/pip install .
sudo yum install rubygem-rouge rubygem-asciidoctor -y
##sudo gem install asciidoctor-pdf --pre
# install additional dependencies for extended object generation and extraction
sudo -u apache ${PATH_TO_MISP}/venv/bin/pip install maec lief python-magic pathlib
sudo -u apache ${PATH_TO_MISP}/venv/bin/pip install git+https://github.com/kbandla/pydeep.git
sudo -H -u apache ${PATH_TO_MISP}/venv/bin/pip install maec lief python-magic pathlib
sudo -H -u apache ${PATH_TO_MISP}/venv/bin/pip install git+https://github.com/kbandla/pydeep.git
# Start misp-modules
sudo -u apache ${PATH_TO_MISP}/venv/bin/misp-modules -l 0.0.0.0 -s &

9
docs/xINSTALL.debian_testing.md
View File

@ -107,15 +107,6 @@ sudo a2enmod ssl rewrite
sudo a2dissite 000-default
sudo a2ensite default-ssl
# Switch to python3 by default (optional)
sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.6 2
```
To flip between the 2 pythons use *update-alternatives*
```bash
sudo update-alternatives --config python
```
#### Apply all changes

2
docs/xINSTALL.rhel7.md
View File

@ -5,6 +5,8 @@
{!generic/community.md!}
{!generic/rhelVScentos.md!}
!!! warning
The core MISP team cannot verify if this guide is working or not. Please help us in keeping it up to date and accurate.
Thus we also have difficulties in supporting RHEL issues but will do a best effort on a similar yet slightly different setup.