mirror of https://github.com/MISP/MISP
Merge remote-tracking branch 'origin/2.4' into eventFiltering
commit
1b8ff623fd
|
@ -0,0 +1,986 @@
|
|||
#!/usr/bin/env bash
|
||||
#INSTALLATION INSTRUCTIONS
|
||||
#------------------------- for Kali Linux
|
||||
#
|
||||
#0/ Quick MISP Instance on Kali Linux - Status
|
||||
#---------------------------------------------
|
||||
#
|
||||
#1/ Prepare Kali with a MISP User
|
||||
#--------------------------------
|
||||
# To install MISP on Kali copy paste this in your r00t shell:
|
||||
# wget -O /tmp/misp-kali.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.debian.sh && bash /tmp/misp-kali.sh
|
||||
# /!\ Please read the installer script before randomly doing the above.
|
||||
# The script is tested on a plain vanilla Kali Linux Boot CD and installs quite a few dependencies.
|
||||
|
||||
# Leave empty for NO debug messages.
|
||||
DEBUG=
|
||||
|
||||
# Function Section
|
||||
|
||||
## Usage of this script
|
||||
usage () {
|
||||
echo "Please specify what type of MISP if you want to install."
|
||||
space
|
||||
echo "${0} -c | Install ONLY MISP Core" # core
|
||||
echo " -V | Core + Viper" # viper
|
||||
echo " -M | Core + MISP modules" # modules
|
||||
echo " -D | Core + MISP dashboard" # dashboard
|
||||
echo " -m | Core + Mail 2 MISP" # mail2
|
||||
echo " -A | Install all of the above" # all
|
||||
space
|
||||
echo " -C | Only do pre-install checks and exit" # pre
|
||||
space
|
||||
echo "Options can be combined: ${0} -V -D # Will install Core+Viper+Dashboard"
|
||||
space
|
||||
}
|
||||
|
||||
checkOpt () {
|
||||
# checkOpt feature
|
||||
containsElement $1 "${options[@]}"
|
||||
}
|
||||
|
||||
setOpt () {
|
||||
options=()
|
||||
for o in $@; do
|
||||
option=$(
|
||||
case "$o" in
|
||||
("-c") echo "core" ;;
|
||||
("-V") echo "viper" ;;
|
||||
("-M") echo "modules" ;;
|
||||
("-D") echo "dashboard" ;;
|
||||
("-m") echo "mail2" ;;
|
||||
("-A") echo "all" ;;
|
||||
("-C") echo "pre" ;;
|
||||
#(*) echo "$o is not a valid argument" ;;
|
||||
esac)
|
||||
options+=($option)
|
||||
done
|
||||
}
|
||||
|
||||
# Extract debian flavour
|
||||
checkFlavour () {
|
||||
FLAVOUR=$(lsb_release -s -i |tr [A-Z] [a-z])
|
||||
}
|
||||
|
||||
# Dynamic horizontal spacer
|
||||
space () {
|
||||
# Check terminal width
|
||||
num=`tput cols`
|
||||
for i in `seq 1 $num`; do
|
||||
echo -n "-"
|
||||
done
|
||||
echo ""
|
||||
}
|
||||
|
||||
# Simple debug function with message
|
||||
debug () {
|
||||
echo $1
|
||||
if [ ! -z $DEBUG ]; then
|
||||
echo "Debug Mode, press enter to continue..."
|
||||
read
|
||||
fi
|
||||
}
|
||||
|
||||
# Check if element is contained in array
|
||||
containsElement () {
|
||||
local e match="$1"
|
||||
shift
|
||||
for e; do [[ "$e" == "$match" ]] && return 0; done
|
||||
return 1
|
||||
}
|
||||
|
||||
# Simple function to check command exit code
|
||||
checkFail () {
|
||||
if [[ $2 -ne 0 ]]; then
|
||||
echo "iAmError: $1"
|
||||
echo "The last command exited with error code: $2"
|
||||
exit $2
|
||||
fi
|
||||
}
|
||||
|
||||
# Check if misp user is present and if run as root
|
||||
checkID () {
|
||||
if [[ $EUID == 0 ]]; then
|
||||
echo "This script cannot be run as a root"
|
||||
exit 1
|
||||
elif [[ $(id $MISP_USER >/dev/null; echo $?) -ne 0 ]]; then
|
||||
echo "There is NO user called '$MISP_USER' create a user '$MISP_USER' or continue as $USER? (y/n) "
|
||||
read ANSWER
|
||||
ANSWER=$(echo $ANSWER |tr [A-Z] [a-z])
|
||||
if [[ $ANSWER == "y" ]]; then
|
||||
useradd -s /bin/bash -m -G adm,cdrom,sudo,dip,plugdev,www-data $MISP_USER
|
||||
echo $MISP_USER:$MISP_PASSWORD | chpasswd
|
||||
echo "User $MISP_USER added, password is: $MISP_PASSWORD"
|
||||
elif [[ $ANSWER == "n" ]]; then
|
||||
echo "Using $USER as install user, hope that is what you want."
|
||||
MISP_USER=$USER
|
||||
else
|
||||
echo "yes or no was asked, try again."
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo "User ${MISP_USER} exists, skipping creation"
|
||||
fi
|
||||
}
|
||||
|
||||
# check if sudo is installed
|
||||
checkSudo () {
|
||||
sudo -H -u $MISP_USER ls -la /tmp > /dev/null 2> /dev/null
|
||||
if [[ $? -ne 0 ]]; then
|
||||
echo "sudo seems to be not installed or working, please fix this before continuing the installation."
|
||||
echo "apt install sudo # As root should be enough, make sure the $MISP_USER is able to run sudo."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# check is /usr/local/src is RW by misp user
|
||||
checkUsrLocalSrc () {
|
||||
if [[ -e /usr/local/src ]]; then
|
||||
if [[ -w /usr/local/src ]]; then
|
||||
echo "Good, /usr/local/src exists and is writeable as $MISP_USER"
|
||||
else
|
||||
echo -n "/usr/local/src need to be writeable by $MISP_USER, permission to fix? (y/n)"
|
||||
read ANSWER
|
||||
ANSWER=$(echo $ANSWER |tr [A-Z] [a-z])
|
||||
fi
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
# Because Kali is l33t we make sure we run as root
|
||||
kaliOnRootR0ckz () {
|
||||
if [[ $EUID -ne 0 ]]; then
|
||||
echo "This script must be run as root"
|
||||
exit 1
|
||||
elif [[ $(id $MISP_USER >/dev/null; echo $?) -ne 0 ]]; then
|
||||
useradd -s /bin/bash -m -G adm,cdrom,sudo,dip,plugdev,www-data $MISP_USER
|
||||
echo $MISP_USER:$MISP_PASSWORD | chpasswd
|
||||
else
|
||||
# TODO: Make sure we consider this further down the road
|
||||
echo "User ${MISP_USER} exists, skipping creation"
|
||||
fi
|
||||
}
|
||||
|
||||
# Setting generic MISP variables share by all flavours
|
||||
MISPvars () {
|
||||
# Local non-root MISP user
|
||||
MISP_USER='misp'
|
||||
MISP_PASSWORD='Password1234'
|
||||
|
||||
# MISP configuration variables
|
||||
PATH_TO_MISP='/var/www/MISP'
|
||||
MISP_BASEURL='https://misp.local'
|
||||
MISP_LIVE='1'
|
||||
CAKE="$PATH_TO_MISP/app/Console/cake"
|
||||
|
||||
# Database configuration
|
||||
DBHOST='localhost'
|
||||
DBNAME='misp'
|
||||
DBUSER_ADMIN='root'
|
||||
DBPASSWORD_ADMIN="$(openssl rand -hex 32)"
|
||||
DBUSER_MISP='misp'
|
||||
DBPASSWORD_MISP="$(openssl rand -hex 32)"
|
||||
|
||||
# Webserver configuration
|
||||
FQDN='misp.local'
|
||||
|
||||
# OpenSSL configuration
|
||||
OPENSSL_CN=$FQDN
|
||||
OPENSSL_C='LU'
|
||||
OPENSSL_ST='State'
|
||||
OPENSSL_L='Location'
|
||||
OPENSSL_O='Organization'
|
||||
OPENSSL_OU='Organizational Unit'
|
||||
OPENSSL_EMAILADDRESS='info@localhost'
|
||||
|
||||
# GPG configuration
|
||||
GPG_REAL_NAME='Autogenerated Key'
|
||||
GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
|
||||
GPG_EMAIL_ADDRESS='admin@admin.test'
|
||||
GPG_KEY_LENGTH='2048'
|
||||
GPG_PASSPHRASE='Password1234'
|
||||
|
||||
# php.ini configuration
|
||||
upload_max_filesize=50M
|
||||
post_max_size=50M
|
||||
max_execution_time=300
|
||||
memory_limit=512M
|
||||
PHP_INI=/etc/php/7.3/apache2/php.ini
|
||||
|
||||
# apt config
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
|
||||
# sudo config to run $LUSER commands
|
||||
SUDO="sudo -u ${MISP_USER}"
|
||||
SUDO_WWW="sudo -u www-data"
|
||||
|
||||
echo "Admin (${DBUSER_ADMIN}) DB Password: ${DBPASSWORD_ADMIN}"
|
||||
echo "User (${DBUSER_MISP}) DB Password: ${DBPASSWORD_MISP}"
|
||||
}
|
||||
|
||||
# Installing core dependencies
|
||||
installDeps () {
|
||||
apt update
|
||||
apt install -qy etckeeper
|
||||
# Skip dist-upgrade for now, pulls in 500+ updated packages
|
||||
#sudo apt -y dist-upgrade
|
||||
gitMail=$(git config --global --get user.email ; echo $?)
|
||||
if [ "$?" -eq "1" ]; then
|
||||
git config --global user.email "root@kali.lan"
|
||||
fi
|
||||
gitUser=$(git config --global --get user.name ; echo $?)
|
||||
if [ "$?" -eq "1" ]; then
|
||||
git config --global user.name "Root User"
|
||||
fi
|
||||
|
||||
apt install -qy postfix
|
||||
|
||||
apt install -qy \
|
||||
curl gcc git gnupg-agent make openssl redis-server neovim zip libyara-dev python3-yara python3-redis python3-zmq \
|
||||
mariadb-client \
|
||||
mariadb-server \
|
||||
apache2 apache2-doc apache2-utils \
|
||||
libapache2-mod-php7.3 php7.3 php7.3-cli php7.3-mbstring php-pear php7.3-dev php7.3-json php7.3-xml php7.3-mysql php7.3-opcache php7.3-readline php-redis php-gnupg \
|
||||
python3-dev python3-pip libpq5 libjpeg-dev libfuzzy-dev ruby asciidoctor \
|
||||
libxml2-dev libxslt1-dev zlib1g-dev python3-setuptools expect
|
||||
|
||||
installRNG
|
||||
}
|
||||
|
||||
# Test and install software RNG
|
||||
installRNG () {
|
||||
modprobe tpm-rng 2> /dev/null
|
||||
if [ "$?" -eq "0" ]; then
|
||||
echo tpm-rng >> /etc/modules
|
||||
fi
|
||||
apt install -qy rng-tools # This might fail on TPM grounds, enable the security chip in your BIOS
|
||||
service rng-tools start
|
||||
|
||||
if [ "$?" -eq "1" ]; then
|
||||
apt purge -qy rng-tools
|
||||
apt install -qy haveged
|
||||
/etc/init.d/haveged start
|
||||
fi
|
||||
}
|
||||
|
||||
# On Kali, the redis start-up script is broken. This tries to fix it.
|
||||
fixRedis () {
|
||||
# As of 20190124 redis-server init.d scripts are broken and need to be replaced
|
||||
mv /etc/init.d/redis-server /etc/init.d/redis-server_`date +%Y%m%d`
|
||||
|
||||
echo '#! /bin/sh
|
||||
### BEGIN INIT INFO
|
||||
# Provides: redis-server
|
||||
# Required-Start: $syslog
|
||||
# Required-Stop: $syslog
|
||||
# Should-Start: $local_fs
|
||||
# Should-Stop: $local_fs
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: redis-server - Persistent key-value db
|
||||
# Description: redis-server - Persistent key-value db
|
||||
### END INIT INFO
|
||||
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||
DAEMON=/usr/bin/redis-server
|
||||
DAEMON_ARGS=/etc/redis/redis.conf
|
||||
NAME=redis-server
|
||||
DESC=redis-server
|
||||
PIDFILE=/var/run/redis.pid
|
||||
|
||||
test -x $DAEMON || exit 0
|
||||
test -x $DAEMONBOOTSTRAP || exit 0
|
||||
|
||||
set -e
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
echo -n "Starting $DESC: "
|
||||
touch $PIDFILE
|
||||
chown redis:redis $PIDFILE
|
||||
if start-stop-daemon --start --quiet --umask 007 --pidfile $PIDFILE --chuid redis:redis --exec $DAEMON -- $DAEMON_ARGS
|
||||
then
|
||||
echo "$NAME."
|
||||
else
|
||||
echo "failed"
|
||||
fi
|
||||
;;
|
||||
stop)
|
||||
echo -n "Stopping $DESC: "
|
||||
if start-stop-daemon --stop --retry 10 --quiet --oknodo --pidfile $PIDFILE --exec $DAEMON
|
||||
then
|
||||
echo "$NAME."
|
||||
else
|
||||
echo "failed"
|
||||
fi
|
||||
rm -f $PIDFILE
|
||||
;;
|
||||
|
||||
restart|force-reload)
|
||||
${0} stop
|
||||
${0} start
|
||||
;;
|
||||
*)
|
||||
echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0' | tee /etc/init.d/redis-server
|
||||
chmod 755 /etc/init.d/redis-server
|
||||
/etc/init.d/redis-server start
|
||||
}
|
||||
|
||||
# generate MISP apache conf
|
||||
genApacheConf () {
|
||||
echo "<VirtualHost _default_:80>
|
||||
ServerAdmin admin@localhost.lu
|
||||
ServerName misp.local
|
||||
|
||||
Redirect permanent / https://misp.local
|
||||
|
||||
LogLevel warn
|
||||
ErrorLog /var/log/apache2/misp.local_error.log
|
||||
CustomLog /var/log/apache2/misp.local_access.log combined
|
||||
ServerSignature Off
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost _default_:443>
|
||||
ServerAdmin admin@localhost.lu
|
||||
ServerName misp.local
|
||||
DocumentRoot $PATH_TO_MISP/app/webroot
|
||||
|
||||
<Directory $PATH_TO_MISP/app/webroot>
|
||||
Options -Indexes
|
||||
AllowOverride all
|
||||
Require all granted
|
||||
Order allow,deny
|
||||
allow from all
|
||||
</Directory>
|
||||
|
||||
SSLEngine On
|
||||
SSLCertificateFile /etc/ssl/private/misp.local.crt
|
||||
SSLCertificateKeyFile /etc/ssl/private/misp.local.key
|
||||
# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
|
||||
|
||||
LogLevel warn
|
||||
ErrorLog /var/log/apache2/misp.local_error.log
|
||||
CustomLog /var/log/apache2/misp.local_access.log combined
|
||||
ServerSignature Off
|
||||
Header set X-Content-Type-Options nosniff
|
||||
Header set X-Frame-Options DENY
|
||||
</VirtualHost>" | tee /etc/apache2/sites-available/misp-ssl.conf
|
||||
}
|
||||
|
||||
# Add git pull update mechanism to rc.local - TODO: Make this better
|
||||
gitPullAllRCLOCAL () {
|
||||
sed -i -e '$i \git_dirs="/usr/local/src/misp-modules/ /var/www/misp-dashboard /usr/local/src/faup /usr/local/src/mail_to_misp /usr/local/src/misp-modules /usr/local/src/viper /var/www/misp-dashboard"\n' /etc/rc.local
|
||||
sed -i -e '$i \for d in $git_dirs; do\n' /etc/rc.local
|
||||
sed -i -e '$i \ echo "Updating ${d}"\n' /etc/rc.local
|
||||
sed -i -e '$i \ cd $d && sudo git pull &\n' /etc/rc.local
|
||||
sed -i -e '$i \done\n' /etc/rc.local
|
||||
}
|
||||
|
||||
# Composer on php 7.2 does not need any special treatment the provided phar works well
|
||||
composer72 () {
|
||||
cd $PATH_TO_MISP/app
|
||||
mkdir /var/www/.composer ; chown www-data:www-data /var/www/.composer
|
||||
$SUDO_WWW php composer.phar require kamisama/cake-resque:4.1.2
|
||||
$SUDO_WWW php composer.phar config vendor-dir Vendor
|
||||
$SUDO_WWW php composer.phar install
|
||||
}
|
||||
|
||||
# Composer on php 7.3 needs a recent version of composer.phar
|
||||
composer73 () {
|
||||
cd $PATH_TO_MISP/app
|
||||
mkdir /var/www/.composer ; chown www-data:www-data /var/www/.composer
|
||||
# Update composer.phar
|
||||
# If hash changes, check here: https://getcomposer.org/download/ and replace with the correct one
|
||||
# Current Sum for: v1.8.3
|
||||
SHA384_SUM='48e3236262b34d30969dca3c37281b3b4bbe3221bda826ac6a9a62d6444cdb0dcd0615698a5cbe587c3f0fe57a54d8f5'
|
||||
sudo -H -u www-data php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
|
||||
sudo -H -u www-data php -r "if (hash_file('SHA384', 'composer-setup.php') === '$SHA384_SUM') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); exit(137); } echo PHP_EOL;"
|
||||
checkFail "composer.phar checksum failed, please investigate manually. " $?
|
||||
sudo -H -u www-data php composer-setup.php
|
||||
sudo -H -u www-data php -r "unlink('composer-setup.php');"
|
||||
$SUDO_WWW php composer.phar require kamisama/cake-resque:4.1.2
|
||||
$SUDO_WWW php composer.phar config vendor-dir Vendor
|
||||
$SUDO_WWW php composer.phar install
|
||||
}
|
||||
|
||||
# Enable various core services
|
||||
enableServices () {
|
||||
update-rc.d mysql enable
|
||||
update-rc.d apache2 enable
|
||||
update-rc.d redis-server enable
|
||||
}
|
||||
|
||||
# Main MISP Dashboard install function
|
||||
mispDashboard () {
|
||||
cd /var/www
|
||||
mkdir misp-dashboard
|
||||
chown www-data:www-data misp-dashboard
|
||||
$SUDO_WWW git clone https://github.com/MISP/misp-dashboard.git
|
||||
cd misp-dashboard
|
||||
/var/www/misp-dashboard/install_dependencies.sh
|
||||
sed -i "s/^host\ =\ localhost/host\ =\ 0.0.0.0/g" /var/www/misp-dashboard/config/config.cfg
|
||||
sed -i -e '$i \sudo -u www-data bash /var/www/misp-dashboard/start_all.sh\n' /etc/rc.local
|
||||
$SUDO_WWW bash /var/www/misp-dashboard/start_all.sh
|
||||
apt install libapache2-mod-wsgi-py3 -y
|
||||
echo "<VirtualHost *:8001>
|
||||
ServerAdmin admin@misp.local
|
||||
ServerName misp.local
|
||||
|
||||
DocumentRoot /var/www/misp-dashboard
|
||||
|
||||
WSGIDaemonProcess misp-dashboard \
|
||||
user=misp group=misp \
|
||||
python-home=/var/www/misp-dashboard/DASHENV \
|
||||
processes=1 \
|
||||
threads=15 \
|
||||
maximum-requests=5000 \
|
||||
listen-backlog=100 \
|
||||
queue-timeout=45 \
|
||||
socket-timeout=60 \
|
||||
connect-timeout=15 \
|
||||
request-timeout=60 \
|
||||
inactivity-timeout=0 \
|
||||
deadlock-timeout=60 \
|
||||
graceful-timeout=15 \
|
||||
eviction-timeout=0 \
|
||||
shutdown-timeout=5 \
|
||||
send-buffer-size=0 \
|
||||
receive-buffer-size=0 \
|
||||
header-buffer-size=0 \
|
||||
response-buffer-size=0 \
|
||||
server-metrics=Off
|
||||
|
||||
WSGIScriptAlias / /var/www/misp-dashboard/misp-dashboard.wsgi
|
||||
|
||||
<Directory /var/www/misp-dashboard>
|
||||
WSGIProcessGroup misp-dashboard
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
LogLevel info
|
||||
ErrorLog /var/log/apache2/misp-dashboard.local_error.log
|
||||
CustomLog /var/log/apache2/misp-dashboard.local_access.log combined
|
||||
ServerSignature Off
|
||||
</VirtualHost>" | tee /etc/apache2/sites-available/misp-dashboard.conf
|
||||
a2ensite misp-dashboard
|
||||
}
|
||||
|
||||
# TODO: dashboardCAKE () { }
|
||||
|
||||
# Core cake commands
|
||||
coreCAKE () {
|
||||
$CAKE Live $MISP_LIVE
|
||||
$CAKE Baseurl $MISP_BASEURL
|
||||
|
||||
$CAKE userInit -q
|
||||
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost"
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq"
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false
|
||||
$CAKE Admin setSetting "GnuPG.email" "admin@admin.test"
|
||||
$CAKE Admin setSetting "GnuPG.homedir" "/var/www/MISP/.gnupg"
|
||||
$CAKE Admin setSetting "GnuPG.password" "Password1234"
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
|
||||
$CAKE Admin setSetting "Plugin.Import_services_enable" true
|
||||
$CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
|
||||
$CAKE Admin setSetting "Plugin.Import_services_port" 6666
|
||||
$CAKE Admin setSetting "Plugin.Import_timeout" 300
|
||||
$CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
|
||||
$CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
|
||||
$CAKE Admin setSetting "Plugin.Export_services_enable" true
|
||||
$CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
|
||||
$CAKE Admin setSetting "Plugin.Export_services_port" 6666
|
||||
$CAKE Admin setSetting "Plugin.Export_timeout" 300
|
||||
$CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
|
||||
$CAKE Admin setSetting "MISP.host_org_id" 1
|
||||
$CAKE Admin setSetting "MISP.email" "info@admin.test"
|
||||
$CAKE Admin setSetting "MISP.disable_emailing" false
|
||||
$CAKE Admin setSetting "MISP.contact" "info@admin.test"
|
||||
$CAKE Admin setSetting "MISP.disablerestalert" true
|
||||
$CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true
|
||||
$CAKE Admin setSetting "Plugin.Cortex_services_enable" false
|
||||
$CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
|
||||
$CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
|
||||
$CAKE Admin setSetting "Plugin.Cortex_timeout" 120
|
||||
$CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
|
||||
$CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
|
||||
$CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120
|
||||
$CAKE Admin setSetting "Plugin.Cortex_services_authkey" ""
|
||||
$CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
|
||||
$CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false
|
||||
$CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true
|
||||
$CAKE Admin setSetting "Plugin.Sightings_policy" 0
|
||||
$CAKE Admin setSetting "Plugin.Sightings_anonymise" false
|
||||
$CAKE Admin setSetting "Plugin.Sightings_range" 365
|
||||
$CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
|
||||
$CAKE Admin setSetting "Plugin.RPZ_policy" "DROP"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_refresh" "2h"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_retry" "30m"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_expiry" "30d"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_ttl" "1w"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_ns" "localhost."
|
||||
$CAKE Admin setSetting "Plugin.RPZ_ns_alt" ""
|
||||
$CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost"
|
||||
$CAKE Admin setSetting "MISP.language" "eng"
|
||||
$CAKE Admin setSetting "MISP.proposals_block_attributes" false
|
||||
$CAKE Admin setSetting "MISP.redis_host" "127.0.0.1"
|
||||
$CAKE Admin setSetting "MISP.redis_port" 6379
|
||||
$CAKE Admin setSetting "MISP.redis_database" 13
|
||||
$CAKE Admin setSetting "MISP.redis_password" ""
|
||||
$CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40
|
||||
$CAKE Admin setSetting "MISP.extended_alert_subject" false
|
||||
$CAKE Admin setSetting "MISP.default_event_threat_level" 4
|
||||
$CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
|
||||
$CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
|
||||
$CAKE Admin setSetting "MISP.enableEventBlacklisting" true
|
||||
$CAKE Admin setSetting "MISP.enableOrgBlacklisting" true
|
||||
$CAKE Admin setSetting "MISP.log_client_ip" false
|
||||
$CAKE Admin setSetting "MISP.log_auth" false
|
||||
$CAKE Admin setSetting "MISP.disableUserSelfManagement" false
|
||||
$CAKE Admin setSetting "MISP.block_event_alert" false
|
||||
$CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
|
||||
$CAKE Admin setSetting "MISP.block_old_event_alert" false
|
||||
$CAKE Admin setSetting "MISP.block_old_event_alert_age" ""
|
||||
$CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false
|
||||
$CAKE Admin setSetting "MISP.footermidleft" "This is an autogenerated install"
|
||||
$CAKE Admin setSetting "MISP.footermidright" "Please configure accordingly and do not use in production"
|
||||
$CAKE Admin setSetting "MISP.welcome_text_top" "Autogenerated install, please configure and harden accordingly"
|
||||
$CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP on Kali"
|
||||
$CAKE Admin setSetting "Security.password_policy_length" 12
|
||||
$CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
|
||||
$CAKE Admin setSetting "Session.autoRegenerate" 0
|
||||
$CAKE Admin setSetting "Session.timeout" 600
|
||||
$CAKE Admin setSetting "Session.cookie_timeout" 3600
|
||||
$CAKE Live $MISP_LIVE
|
||||
}
|
||||
|
||||
# Setup GnuPG key
|
||||
setupGnuPG () {
|
||||
echo "%echo Generating a default key
|
||||
Key-Type: default
|
||||
Key-Length: $GPG_KEY_LENGTH
|
||||
Subkey-Type: default
|
||||
Name-Real: $GPG_REAL_NAME
|
||||
Name-Comment: $GPG_COMMENT
|
||||
Name-Email: $GPG_EMAIL_ADDRESS
|
||||
Expire-Date: 0
|
||||
Passphrase: $GPG_PASSPHRASE
|
||||
# Do a commit here, so that we can later print "done"
|
||||
%commit
|
||||
%echo done" > /tmp/gen-key-script
|
||||
|
||||
$SUDO_WWW gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-key-script
|
||||
|
||||
$SUDO_WWW sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS" | $SUDO_WWW tee $PATH_TO_MISP/app/webroot/gpg.asc
|
||||
}
|
||||
|
||||
updateGOWNT () {
|
||||
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
|
||||
|
||||
# TODO: Fix updateGalaxies
|
||||
#$CAKE Admin updateGalaxies
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/galaxies/update
|
||||
$CAKE Admin updateTaxonomies
|
||||
# TODO: Fix updateWarningLists
|
||||
#$CAKE Admin updateWarningLists
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/warninglists/update
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update
|
||||
}
|
||||
|
||||
# Generate rc.local
|
||||
genRCLOCAL () {
|
||||
if [ ! -e /etc/rc.local ]; then
|
||||
echo '#!/bin/sh -e' | tee -a /etc/rc.local
|
||||
echo 'exit 0' | tee -a /etc/rc.local
|
||||
chmod u+x /etc/rc.local
|
||||
fi
|
||||
|
||||
sed -i -e '$i \echo never > /sys/kernel/mm/transparent_hugepage/enabled\n' /etc/rc.local
|
||||
sed -i -e '$i \echo 1024 > /proc/sys/net/core/somaxconn\n' /etc/rc.local
|
||||
sed -i -e '$i \sysctl vm.overcommit_memory=1\n' /etc/rc.local
|
||||
sed -i -e '$i \sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh\n' /etc/rc.local
|
||||
}
|
||||
|
||||
# Main MISP Modules install function
|
||||
mispmodules () {
|
||||
sed -i -e '$i \sudo -u www-data misp-modules -l 0.0.0.0 -s &\n' /etc/rc.local
|
||||
$SUDO_WWW bash $PATH_TO_MISP/app/Console/worker/start.sh
|
||||
cd /usr/local/src/
|
||||
git clone https://github.com/MISP/misp-modules.git
|
||||
cd misp-modules
|
||||
# pip3 install
|
||||
pip3 install -I -r REQUIREMENTS
|
||||
pip3 install -I .
|
||||
pip3 install maec lief python-magic wand yara
|
||||
pip3 install git+https://github.com/kbandla/pydeep.git
|
||||
gem install pygments.rb
|
||||
gem install asciidoctor-pdf --pre
|
||||
$SUDO_WWW misp-modules -l 0.0.0.0 -s &
|
||||
}
|
||||
|
||||
# Main Viper install function
|
||||
viper () {
|
||||
cd /usr/local/src/
|
||||
debug "Installing Viper dependencies"
|
||||
apt-get install -y libssl-dev swig python3-ssdeep p7zip-full unrar-free sqlite python3-pyclamd exiftool radare2
|
||||
pip3 install SQLAlchemy PrettyTable python-magic
|
||||
debug "Cloning Viper"
|
||||
git clone https://github.com/viper-framework/viper.git
|
||||
chown -R $MISP_USER:$MISP_USER viper
|
||||
cd viper
|
||||
debug "Submodule update"
|
||||
$SUDO git submodule update --init --recursive
|
||||
debug "pip install scrapy"
|
||||
pip3 install scrapy
|
||||
debug "pip install reqs"
|
||||
pip3 install -r requirements.txt
|
||||
debug "pip uninstall yara"
|
||||
pip3 uninstall yara -y
|
||||
debug "Launching viper-cli"
|
||||
$SUDO /usr/local/src/viper/viper-cli -h > /dev/null
|
||||
debug "Launching viper-web"
|
||||
$SUDO /usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &
|
||||
echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/src/viper:/var/www/MISP/app/Console"' |tee /etc/environment
|
||||
echo ". /etc/environment" >> /home/${MISP_USER}/.profile
|
||||
debug "Setting misp_url/misp_key"
|
||||
$SUDO sed -i "s/^misp_url\ =/misp_url\ =\ http:\/\/localhost/g" /home/${MISP_USER}/.viper/viper.conf
|
||||
$SUDO sed -i "s/^misp_key\ =/misp_key\ =\ $AUTH_KEY/g" /home/${MISP_USER}/.viper/viper.conf
|
||||
|
||||
debug "Fixing admin.db with default password"
|
||||
while [ "$(sqlite3 /home/${MISP_USER}/.viper/admin.db 'UPDATE auth_user SET password="pbkdf2_sha256$100000$iXgEJh8hz7Cf$vfdDAwLX8tko1t0M1TLTtGlxERkNnltUnMhbv56wK/U="'; echo $?)" -ne "0" ]; do
|
||||
# FIXME This might lead to a race condition, the while loop is sub-par
|
||||
chown $MISP_USER:$MISP_USER /home/${MISP_USER}/.viper/admin.db
|
||||
echo "Updating viper-web admin password, giving process time to start-up, sleeping 5, 4, 3,…"
|
||||
sleep 6
|
||||
done
|
||||
sed -i -e '$i \sudo -u misp /usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &\n' /etc/rc.local
|
||||
}
|
||||
|
||||
# Main function to fix permissions to something sane
|
||||
permissions () {
|
||||
chown -R www-data:www-data $PATH_TO_MISP
|
||||
chmod -R 750 $PATH_TO_MISP
|
||||
chmod -R g+ws $PATH_TO_MISP/app/tmp
|
||||
chmod -R g+ws $PATH_TO_MISP/app/files
|
||||
chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
|
||||
}
|
||||
|
||||
# Main mail2misp install function
|
||||
mail2misp () {
|
||||
cd /usr/local/src/
|
||||
apt-get install -y cmake
|
||||
git clone https://github.com/MISP/mail_to_misp.git
|
||||
git clone git://github.com/stricaud/faup.git faup
|
||||
chown -R ${MISP_USER}:${MISP_USER} faup mail_to_misp
|
||||
cd faup
|
||||
$SUDO mkdir -p build
|
||||
cd build
|
||||
$SUDO cmake .. && $SUDO make
|
||||
make install
|
||||
ldconfig
|
||||
cd ../../
|
||||
cd mail_to_misp
|
||||
pip3 install -r requirements.txt
|
||||
$SUDO cp mail_to_misp_config.py-example mail_to_misp_config.py
|
||||
sed -i "s/^misp_url\ =\ 'YOUR_MISP_URL'/misp_url\ =\ 'http:\/\/localhost'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py
|
||||
sed -i "s/^misp_key\ =\ 'YOUR_KEY_HERE'/misp_key\ =\ '$AUTH_KEY'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py
|
||||
}
|
||||
|
||||
# Final function to let the user know what happened
|
||||
theEnd () {
|
||||
space
|
||||
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN" > /home/${MISP_USER}/mysql.txt
|
||||
echo "User (misp) DB Password: $DBPASSWORD_MISP" >> /home/${MISP_USER}/mysql.txt
|
||||
echo "Authkey: $AUTH_KEY" > /home/${MISP_USER}/MISP-authkey.txt
|
||||
|
||||
clear
|
||||
space
|
||||
echo "MISP Installed, access here: https://misp.local"
|
||||
echo "User: admin@admin.test"
|
||||
echo "Password: admin"
|
||||
echo "MISP Dashboard, access here: http://misp.local:8001"
|
||||
space
|
||||
echo "The following files were created and need either protection or removal (shred on the CLI)"
|
||||
echo "/home/${MISP_USER}/mysql.txt"
|
||||
echo "/home/${MISP_USER}/MISP-authkey.txt"
|
||||
cat /home/${MISP_USER}/mysql.txt
|
||||
cat /home/${MISP_USER}/MISP-authkey.txt
|
||||
space
|
||||
echo "The LOCAL system credentials:"
|
||||
echo "User: ${MISP_USER}"
|
||||
echo "Password: ${MISP_PASSWORD}"
|
||||
space
|
||||
echo "viper-web installed, access here: http://misp.local:8888"
|
||||
echo "viper-cli configured with your MISP Site Admin Auth Key"
|
||||
echo "User: admin"
|
||||
echo "Password: Password1234"
|
||||
space
|
||||
echo "To enable outgoing mails via postfix set a permissive SMTP server for the domains you want to contact:"
|
||||
space
|
||||
echo "sudo postconf -e 'relayhost = example.com'"
|
||||
echo "sudo postfix reload"
|
||||
space
|
||||
echo "Enjoy using MISP. For any issues see here: https://github.com/MISP/MISP/issues"
|
||||
su - ${MISP_USER}
|
||||
}
|
||||
|
||||
# Main Kalin Install function
|
||||
installMISPonKali () {
|
||||
space
|
||||
debug "Disabling sleep etc…"
|
||||
gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-timeout 0 2> /dev/null
|
||||
gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-battery-timeout 0 2> /dev/null
|
||||
gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-battery-type 'nothing' 2> /dev/null
|
||||
xset s 0 0 2> /dev/null
|
||||
xset dpms 0 0 2> /dev/null
|
||||
xset s off 2> /dev/null
|
||||
|
||||
debug "Installing dependencies"
|
||||
installDeps
|
||||
|
||||
debug "Enabling redis and gnupg modules"
|
||||
phpenmod -v 7.3 redis
|
||||
phpenmod -v 7.3 gnupg
|
||||
|
||||
debug "Apache2 ops: dismod: status php7.2 - dissite: 000-default enmod: ssl rewrite headers php7.3 ensite: default-ssl"
|
||||
a2dismod status
|
||||
a2dismod php7.2
|
||||
a2enmod ssl rewrite headers php7.3
|
||||
a2dissite 000-default
|
||||
a2ensite default-ssl
|
||||
|
||||
debug "Restarting mysql.service"
|
||||
systemctl restart mysql.service
|
||||
|
||||
debug "Fixing redis rc script on Kali"
|
||||
fixRedis
|
||||
|
||||
debug "git clone, submodule update everything"
|
||||
mkdir $PATH_TO_MISP
|
||||
chown www-data:www-data $PATH_TO_MISP
|
||||
cd $PATH_TO_MISP
|
||||
$SUDO_WWW git clone https://github.com/MISP/MISP.git $PATH_TO_MISP
|
||||
|
||||
$SUDO_WWW git config core.filemode false
|
||||
|
||||
cd $PATH_TO_MISP
|
||||
$SUDO_WWW git submodule update --init --recursive
|
||||
# Make git ignore filesystem permission differences for submodules
|
||||
$SUDO_WWW git submodule foreach --recursive git config core.filemode false
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
|
||||
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
|
||||
|
||||
debug "Installing python-cybox"
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-cybox
|
||||
pip3 install .
|
||||
debug "Installing python-stix"
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-stix
|
||||
pip3 install .
|
||||
# install STIX2.0 library to support STIX 2.0 export:
|
||||
debug "Installing cti-python-stix2"
|
||||
cd ${PATH_TO_MISP}/cti-python-stix2
|
||||
pip3 install -I .
|
||||
debug "Installing mixbox"
|
||||
cd $PATH_TO_MISP/app/files/scripts/mixbox
|
||||
pip3 install .
|
||||
# install PyMISP
|
||||
debug "Installing PyMISP"
|
||||
cd $PATH_TO_MISP/PyMISP
|
||||
pip3 install .
|
||||
|
||||
# Install Crypt_GPG and Console_CommandLine
|
||||
debug "Installing pear Console_CommandLine"
|
||||
pear install ${PATH_TO_MISP}/INSTALL/dependencies/Console_CommandLine/package.xml
|
||||
debug "Installing pear Crypt_GPG"
|
||||
pear install ${PATH_TO_MISP}/INSTALL/dependencies/Crypt_GPG/package.xml
|
||||
|
||||
debug "Installing composer with php 7.3 updates"
|
||||
composer73
|
||||
|
||||
$SUDO_WWW cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
|
||||
|
||||
chown -R www-data:www-data $PATH_TO_MISP
|
||||
chmod -R 750 $PATH_TO_MISP
|
||||
chmod -R g+ws $PATH_TO_MISP/app/tmp
|
||||
chmod -R g+ws $PATH_TO_MISP/app/files
|
||||
chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
|
||||
|
||||
debug "Setting up database"
|
||||
if [ ! -e /var/lib/mysql/misp/users.ibd ]; then
|
||||
echo "
|
||||
set timeout 10
|
||||
spawn mysql_secure_installation
|
||||
expect \"Enter current password for root (enter for none):\"
|
||||
send -- \"\r\"
|
||||
expect \"Set root password?\"
|
||||
send -- \"y\r\"
|
||||
expect \"New password:\"
|
||||
send -- \"${DBPASSWORD_ADMIN}\r\"
|
||||
expect \"Re-enter new password:\"
|
||||
send -- \"${DBPASSWORD_ADMIN}\r\"
|
||||
expect \"Remove anonymous users?\"
|
||||
send -- \"y\r\"
|
||||
expect \"Disallow root login remotely?\"
|
||||
send -- \"y\r\"
|
||||
expect \"Remove test database and access to it?\"
|
||||
send -- \"y\r\"
|
||||
expect \"Reload privilege tables now?\"
|
||||
send -- \"y\r\"
|
||||
expect eof" | expect -f -
|
||||
|
||||
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;"
|
||||
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';"
|
||||
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant all privileges on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
|
||||
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "flush privileges;"
|
||||
|
||||
enableServices
|
||||
|
||||
$SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME
|
||||
|
||||
echo "<?php
|
||||
class DATABASE_CONFIG {
|
||||
public \$default = array(
|
||||
'datasource' => 'Database/Mysql',
|
||||
//'datasource' => 'Database/Postgres',
|
||||
'persistent' => false,
|
||||
'host' => '$DBHOST',
|
||||
'login' => '$DBUSER_MISP',
|
||||
'port' => 3306, // MySQL & MariaDB
|
||||
//'port' => 5432, // PostgreSQL
|
||||
'password' => '$DBPASSWORD_MISP',
|
||||
'database' => '$DBNAME',
|
||||
'prefix' => '',
|
||||
'encoding' => 'utf8',
|
||||
);
|
||||
}" | $SUDO_WWW tee $PATH_TO_MISP/app/Config/database.php
|
||||
else
|
||||
echo "There might be a database already existing here: /var/lib/mysql/misp/users.ibd"
|
||||
echo "Skipping any creations…"
|
||||
sleep 3
|
||||
fi
|
||||
|
||||
debug "Generating Certificate"
|
||||
openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
|
||||
-subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" \
|
||||
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
|
||||
|
||||
debug "Generating Apache Conf"
|
||||
genApacheConf
|
||||
|
||||
echo "127.0.0.1 misp.local" | tee -a /etc/hosts
|
||||
|
||||
debug "Installing MISP dashboard"
|
||||
mispDashboard
|
||||
|
||||
debug "Disabling site default-ssl, enabling misp-ssl"
|
||||
a2dissite default-ssl
|
||||
a2ensite misp-ssl
|
||||
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
|
||||
do
|
||||
sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
|
||||
debug "Restarting Apache2"
|
||||
systemctl restart apache2
|
||||
|
||||
debug "Setting up logrotate"
|
||||
cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
|
||||
chmod 0640 /etc/logrotate.d/misp
|
||||
|
||||
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php
|
||||
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/core.default.php $PATH_TO_MISP/app/Config/core.php
|
||||
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php
|
||||
|
||||
chown -R www-data:www-data $PATH_TO_MISP/app/Config
|
||||
chmod -R 750 $PATH_TO_MISP/app/Config
|
||||
|
||||
debug "Setting up GnuPG"
|
||||
setupGnuPG
|
||||
|
||||
chmod +x $PATH_TO_MISP/app/Console/worker/start.sh
|
||||
|
||||
debug "Running Core Cake commands"
|
||||
coreCAKE
|
||||
|
||||
debug "Update: Galaxies, Template Objects, Warning Lists, Notice Lists, Taxonomies"
|
||||
updateGOWNT
|
||||
|
||||
debug "Generating rc.local"
|
||||
genRCLOCAL
|
||||
|
||||
gitPullAllRCLOCAL
|
||||
|
||||
debug "Installing misp-modules"
|
||||
mispmodules
|
||||
|
||||
debug "Installing Viper"
|
||||
viper
|
||||
|
||||
debug "Setting permissions"
|
||||
permissions
|
||||
|
||||
debug "Running Then End!"
|
||||
theEnd
|
||||
}
|
||||
|
||||
|
||||
debug "Checking for parameters or Kali Install"
|
||||
if [[ $# -ne 1 && $0 != "/tmp/misp-kali.sh" ]]; then
|
||||
usage
|
||||
exit
|
||||
else
|
||||
debug "Setting install options with given parameters."
|
||||
setOpt $@
|
||||
checkOpt core && echo "core selected"
|
||||
checkOpt viper && echo "viper selected"
|
||||
checkOpt modules && echo "modules selected"
|
||||
checkOpt dashboard && echo "dashboard selected"
|
||||
checkOpt mail2 && echo "mail2 selected"
|
||||
checkOpt all && echo "all selected"
|
||||
checkOpt pre && echo "pre selected"
|
||||
fi
|
||||
|
||||
debug "Checking flavour"
|
||||
checkFlavour
|
||||
debug "Setting MISP variables"
|
||||
MISPvars
|
||||
|
||||
if [ "${FLAVOUR}" == "kali" ]; then
|
||||
kaliOnRootR0ckz
|
||||
installMISPonKali
|
||||
exit
|
||||
fi
|
|
@ -1,673 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
#INSTALLATION INSTRUCTIONS
|
||||
#------------------------- for Kali Linux
|
||||
#
|
||||
#0/ Quick MISP Instance on Kali Linux - Status
|
||||
#---------------------------------------------
|
||||
#
|
||||
#1/ Prepare Kali with a MISP User
|
||||
#--------------------------------
|
||||
# To install MISP on Kali copy paste this in your r00t shell:
|
||||
# wget -O /tmp/misp-kali.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.kali.txt && bash /tmp/misp-kali.sh
|
||||
# /!\ Please read the installer script before randomly doing the above.
|
||||
# The script is tested on a plain vanilla Kali Linux Boot CD and installs quite a few dependencies.
|
||||
|
||||
|
||||
# Bug: /tmp/misp-kali.sh: line 142: pip3: command not found
|
||||
|
||||
|
||||
|
||||
MISP_USER='misp'
|
||||
MISP_PASSWORD='Password1234'
|
||||
|
||||
function kaliOnRootR0ckz() {
|
||||
if [[ $EUID -ne 0 ]]; then
|
||||
echo "This script must be run as root"
|
||||
exit 1
|
||||
elif [[ $(id $MISP_USER >/dev/null; echo $?) -ne 0 ]]; then
|
||||
useradd -s /bin/bash -m -G adm,cdrom,sudo,dip,plugdev,www-data $MISP_USER
|
||||
echo $MISP_USER:$MISP_PASSWORD | chpasswd
|
||||
else
|
||||
echo "User ${MISP_USER} exists, skipping creation"
|
||||
fi
|
||||
}
|
||||
|
||||
function installMISPonKali() {
|
||||
# MISP configuration variables
|
||||
PATH_TO_MISP='/var/www/MISP'
|
||||
MISP_BASEURL='https://misp.local'
|
||||
MISP_LIVE='1'
|
||||
CAKE="$PATH_TO_MISP/app/Console/cake"
|
||||
|
||||
# Database configuration
|
||||
DBHOST='localhost'
|
||||
DBNAME='misp'
|
||||
DBUSER_ADMIN='root'
|
||||
DBPASSWORD_ADMIN="$(openssl rand -hex 32)"
|
||||
DBUSER_MISP='misp'
|
||||
DBPASSWORD_MISP="$(openssl rand -hex 32)"
|
||||
|
||||
# Webserver configuration
|
||||
FQDN='misp.local'
|
||||
|
||||
# OpenSSL configuration
|
||||
OPENSSL_CN=$FQDN
|
||||
OPENSSL_C='LU'
|
||||
OPENSSL_ST='State'
|
||||
OPENSSL_L='Location'
|
||||
OPENSSL_O='Organization'
|
||||
OPENSSL_OU='Organizational Unit'
|
||||
OPENSSL_EMAILADDRESS='info@localhost'
|
||||
|
||||
# GPG configuration
|
||||
GPG_REAL_NAME='Autogenerated Key'
|
||||
GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
|
||||
GPG_EMAIL_ADDRESS='admin@admin.test'
|
||||
GPG_KEY_LENGTH='2048'
|
||||
GPG_PASSPHRASE='Password1234'
|
||||
|
||||
# php.ini configuration
|
||||
upload_max_filesize=50M
|
||||
post_max_size=50M
|
||||
max_execution_time=300
|
||||
memory_limit=512M
|
||||
PHP_INI=/etc/php/7.3/apache2/php.ini
|
||||
|
||||
# apt config
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
|
||||
# sudo config to run $LUSER commands
|
||||
SUDO="sudo -u ${MISP_USER}"
|
||||
SUDO_WWW="sudo -u www-data"
|
||||
|
||||
echo "Admin (${DBUSER_ADMIN}) DB Password: ${DBPASSWORD_ADMIN}"
|
||||
echo "User (${DBUSER_MISP}) DB Password: ${DBPASSWORD_MISP}"
|
||||
|
||||
echo "-----------------------------------------------------------------------"
|
||||
echo "Disabling sleep etc…"
|
||||
gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-timeout 0
|
||||
gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-battery-timeout 0
|
||||
gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-battery-type 'nothing'
|
||||
xset s 0 0 2> /dev/null
|
||||
xset dpms 0 0 2> /dev/null
|
||||
xset s off 2> /dev/null
|
||||
apt update
|
||||
apt install -qy etckeeper
|
||||
# Skip dist-upgrade for now, pulls in 500+ updated packages
|
||||
#sudo apt -y dist-upgrade
|
||||
git config --global user.email "root@kali.lan"
|
||||
git config --global user.name "Root User"
|
||||
apt install -qy postfix
|
||||
|
||||
apt install -qy \
|
||||
curl gcc git gnupg-agent make openssl redis-server neovim zip libyara-dev python3-yara python3-redis python3-zmq \
|
||||
mariadb-client \
|
||||
mariadb-server \
|
||||
apache2 apache2-doc apache2-utils \
|
||||
libapache2-mod-php7.3 php7.3 php7.3-cli php7.3-mbstring php-pear php7.3-dev php7.3-json php7.3-xml php7.3-mysql php7.3-opcache php7.3-readline php-redis php-gnupg \
|
||||
python3-dev python3-pip libpq5 libjpeg-dev libfuzzy-dev ruby asciidoctor \
|
||||
libxml2-dev libxslt1-dev zlib1g-dev python3-setuptools expect
|
||||
|
||||
modprobe tpm-rng 2> /dev/null
|
||||
if [ "$?" -eq "0" ]; then
|
||||
echo tpm-rng >> /etc/modules
|
||||
fi
|
||||
apt install -qy rng-tools # This might fail on TPM grounds, enable the security chip in your BIOS
|
||||
service rng-tools start
|
||||
|
||||
if [ "$?" -eq "1" ]; then
|
||||
apt purge -qy rng-tools
|
||||
apt install -qy haveged
|
||||
/etc/init.d/haveged start
|
||||
fi
|
||||
|
||||
phpenmod -v 7.3 redis
|
||||
phpenmod -v 7.3 gnupg
|
||||
|
||||
a2dismod status
|
||||
a2dismod php7.2
|
||||
a2enmod ssl rewrite headers php7.3
|
||||
a2dissite 000-default
|
||||
a2ensite default-ssl
|
||||
|
||||
systemctl restart mysql.service
|
||||
|
||||
#update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
|
||||
#update-alternatives --install /usr/bin/python python /usr/bin/python3.6 2
|
||||
|
||||
# As of 20190124 redis-server init.d scripts are broken and need to be replaced
|
||||
mv /etc/init.d/redis-server /etc/init.d/redis-server_`date +%Y%m%d`
|
||||
|
||||
echo '#! /bin/sh
|
||||
### BEGIN INIT INFO
|
||||
# Provides: redis-server
|
||||
# Required-Start: $syslog
|
||||
# Required-Stop: $syslog
|
||||
# Should-Start: $local_fs
|
||||
# Should-Stop: $local_fs
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: redis-server - Persistent key-value db
|
||||
# Description: redis-server - Persistent key-value db
|
||||
### END INIT INFO
|
||||
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||
DAEMON=/usr/bin/redis-server
|
||||
DAEMON_ARGS=/etc/redis/redis.conf
|
||||
NAME=redis-server
|
||||
DESC=redis-server
|
||||
PIDFILE=/var/run/redis.pid
|
||||
|
||||
test -x $DAEMON || exit 0
|
||||
test -x $DAEMONBOOTSTRAP || exit 0
|
||||
|
||||
set -e
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
echo -n "Starting $DESC: "
|
||||
touch $PIDFILE
|
||||
chown redis:redis $PIDFILE
|
||||
if start-stop-daemon --start --quiet --umask 007 --pidfile $PIDFILE --chuid redis:redis --exec $DAEMON -- $DAEMON_ARGS
|
||||
then
|
||||
echo "$NAME."
|
||||
else
|
||||
echo "failed"
|
||||
fi
|
||||
;;
|
||||
stop)
|
||||
echo -n "Stopping $DESC: "
|
||||
if start-stop-daemon --stop --retry 10 --quiet --oknodo --pidfile $PIDFILE --exec $DAEMON
|
||||
then
|
||||
echo "$NAME."
|
||||
else
|
||||
echo "failed"
|
||||
fi
|
||||
rm -f $PIDFILE
|
||||
;;
|
||||
|
||||
restart|force-reload)
|
||||
${0} stop
|
||||
${0} start
|
||||
;;
|
||||
*)
|
||||
echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0' | tee /etc/init.d/redis-server
|
||||
chmod 755 /etc/init.d/redis-server
|
||||
/etc/init.d/redis-server start
|
||||
|
||||
mkdir $PATH_TO_MISP
|
||||
chown www-data:www-data $PATH_TO_MISP
|
||||
cd $PATH_TO_MISP
|
||||
$SUDO_WWW git clone https://github.com/MISP/MISP.git $PATH_TO_MISP
|
||||
|
||||
$SUDO_WWW git config core.filemode false
|
||||
|
||||
cd $PATH_TO_MISP
|
||||
$SUDO_WWW git submodule update --init --recursive
|
||||
# Make git ignore filesystem permission differences for submodules
|
||||
$SUDO_WWW git submodule foreach --recursive git config core.filemode false
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/python-cybox.git
|
||||
$SUDO_WWW git clone https://github.com/STIXProject/python-stix.git
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-cybox
|
||||
pip3 install .
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-stix
|
||||
pip3 install .
|
||||
# install STIX2.0 library to support STIX 2.0 export:
|
||||
cd ${PATH_TO_MISP}/cti-python-stix2
|
||||
pip3 install -I .
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/
|
||||
$SUDO_WWW git clone https://github.com/CybOXProject/mixbox.git
|
||||
cd $PATH_TO_MISP/app/files/scripts/mixbox
|
||||
pip3 install .
|
||||
|
||||
# install PyMISP
|
||||
cd $PATH_TO_MISP/PyMISP
|
||||
pip3 install .
|
||||
|
||||
cd $PATH_TO_MISP/app
|
||||
mkdir /var/www/.composer ; chown www-data:www-data /var/www/.composer
|
||||
# Update composer.phar
|
||||
sudo -H -u www-data php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
|
||||
sudo -H -u www-data php -r "if (hash_file('SHA384', 'composer-setup.php') === '93b54496392c062774670ac18b134c3b3a95e5a5e5c8f1a9f115f203b75bf9a129d5daa8ba6a13e2cc8a1da0806388a8') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
|
||||
sudo -H -u www-data php composer-setup.php
|
||||
sudo -H -u www-data php -r "unlink('composer-setup.php');"
|
||||
$SUDO_WWW php composer.phar require kamisama/cake-resque:4.1.2
|
||||
$SUDO_WWW php composer.phar config vendor-dir Vendor
|
||||
$SUDO_WWW php composer.phar install
|
||||
|
||||
$SUDO_WWW cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
|
||||
|
||||
chown -R www-data:www-data $PATH_TO_MISP
|
||||
chmod -R 750 $PATH_TO_MISP
|
||||
chmod -R g+ws $PATH_TO_MISP/app/tmp
|
||||
chmod -R g+ws $PATH_TO_MISP/app/files
|
||||
chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
|
||||
|
||||
if [ ! -e /var/lib/mysql/misp/users.ibd ]; then
|
||||
echo "
|
||||
set timeout 10
|
||||
spawn mysql_secure_installation
|
||||
expect \"Enter current password for root (enter for none):\"
|
||||
send -- \"\r\"
|
||||
expect \"Set root password?\"
|
||||
send -- \"y\r\"
|
||||
expect \"New password:\"
|
||||
send -- \"${DBPASSWORD_ADMIN}\r\"
|
||||
expect \"Re-enter new password:\"
|
||||
send -- \"${DBPASSWORD_ADMIN}\r\"
|
||||
expect \"Remove anonymous users?\"
|
||||
send -- \"y\r\"
|
||||
expect \"Disallow root login remotely?\"
|
||||
send -- \"y\r\"
|
||||
expect \"Remove test database and access to it?\"
|
||||
send -- \"y\r\"
|
||||
expect \"Reload privilege tables now?\"
|
||||
send -- \"y\r\"
|
||||
expect eof" | expect -f -
|
||||
|
||||
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;"
|
||||
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';"
|
||||
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant all privileges on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
|
||||
mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "flush privileges;"
|
||||
|
||||
update-rc.d mysql enable
|
||||
update-rc.d apache2 enable
|
||||
update-rc.d redis-server enable
|
||||
|
||||
$SUDO_WWW cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME
|
||||
|
||||
echo "<?php
|
||||
class DATABASE_CONFIG {
|
||||
public \$default = array(
|
||||
'datasource' => 'Database/Mysql',
|
||||
//'datasource' => 'Database/Postgres',
|
||||
'persistent' => false,
|
||||
'host' => '$DBHOST',
|
||||
'login' => '$DBUSER_MISP',
|
||||
'port' => 3306, // MySQL & MariaDB
|
||||
//'port' => 5432, // PostgreSQL
|
||||
'password' => '$DBPASSWORD_MISP',
|
||||
'database' => '$DBNAME',
|
||||
'prefix' => '',
|
||||
'encoding' => 'utf8',
|
||||
);
|
||||
}" | $SUDO_WWW tee $PATH_TO_MISP/app/Config/database.php
|
||||
else
|
||||
echo "There might be a database already existing here: /var/lib/mysql/misp/users.ibd"
|
||||
echo "Skipping any creations…"
|
||||
sleep 3
|
||||
fi
|
||||
|
||||
openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
|
||||
-subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" \
|
||||
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
|
||||
|
||||
if [ ! -e /etc/rc.local ]
|
||||
then
|
||||
echo '#!/bin/sh -e' | tee -a /etc/rc.local
|
||||
echo 'exit 0' | tee -a /etc/rc.local
|
||||
chmod u+x /etc/rc.local
|
||||
fi
|
||||
|
||||
cd /var/www
|
||||
mkdir misp-dashboard
|
||||
chown www-data:www-data misp-dashboard
|
||||
$SUDO_WWW git clone https://github.com/MISP/misp-dashboard.git
|
||||
cd misp-dashboard
|
||||
/var/www/misp-dashboard/install_dependencies.sh
|
||||
sed -i "s/^host\ =\ localhost/host\ =\ 0.0.0.0/g" /var/www/misp-dashboard/config/config.cfg
|
||||
sed -i -e '$i \sudo -u www-data bash /var/www/misp-dashboard/start_all.sh\n' /etc/rc.local
|
||||
sed -i -e '$i \sudo -u misp /usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &\n' /etc/rc.local
|
||||
sed -i -e '$i \git_dirs="/usr/local/src/misp-modules/ /var/www/misp-dashboard /usr/local/src/faup /usr/local/src/mail_to_misp /usr/local/src/misp-modules /usr/local/src/viper /var/www/misp-dashboard"\n' /etc/rc.local
|
||||
sed -i -e '$i \for d in $git_dirs; do\n' /etc/rc.local
|
||||
sed -i -e '$i \ echo "Updating ${d}"\n' /etc/rc.local
|
||||
sed -i -e '$i \ cd $d && sudo git pull &\n' /etc/rc.local
|
||||
sed -i -e '$i \done\n' /etc/rc.local
|
||||
$SUDO_WWW bash /var/www/misp-dashboard/start_all.sh
|
||||
|
||||
apt install libapache2-mod-wsgi-py3 -y
|
||||
|
||||
echo "<VirtualHost _default_:80>
|
||||
ServerAdmin admin@localhost.lu
|
||||
ServerName misp.local
|
||||
|
||||
Redirect permanent / https://misp.local
|
||||
|
||||
LogLevel warn
|
||||
ErrorLog /var/log/apache2/misp.local_error.log
|
||||
CustomLog /var/log/apache2/misp.local_access.log combined
|
||||
ServerSignature Off
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost _default_:443>
|
||||
ServerAdmin admin@localhost.lu
|
||||
ServerName misp.local
|
||||
DocumentRoot $PATH_TO_MISP/app/webroot
|
||||
|
||||
<Directory $PATH_TO_MISP/app/webroot>
|
||||
Options -Indexes
|
||||
AllowOverride all
|
||||
Require all granted
|
||||
Order allow,deny
|
||||
allow from all
|
||||
</Directory>
|
||||
|
||||
SSLEngine On
|
||||
SSLCertificateFile /etc/ssl/private/misp.local.crt
|
||||
SSLCertificateKeyFile /etc/ssl/private/misp.local.key
|
||||
# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
|
||||
|
||||
LogLevel warn
|
||||
ErrorLog /var/log/apache2/misp.local_error.log
|
||||
CustomLog /var/log/apache2/misp.local_access.log combined
|
||||
ServerSignature Off
|
||||
Header set X-Content-Type-Options nosniff
|
||||
Header set X-Frame-Options DENY
|
||||
</VirtualHost>" | tee /etc/apache2/sites-available/misp-ssl.conf
|
||||
|
||||
echo "127.0.0.1 misp.local" | tee -a /etc/hosts
|
||||
|
||||
echo "<VirtualHost *:8001>
|
||||
ServerAdmin admin@misp.local
|
||||
ServerName misp.local
|
||||
|
||||
DocumentRoot /var/www/misp-dashboard
|
||||
|
||||
WSGIDaemonProcess misp-dashboard \
|
||||
user=misp group=misp \
|
||||
python-home=/var/www/misp-dashboard/DASHENV \
|
||||
processes=1 \
|
||||
threads=15 \
|
||||
maximum-requests=5000 \
|
||||
listen-backlog=100 \
|
||||
queue-timeout=45 \
|
||||
socket-timeout=60 \
|
||||
connect-timeout=15 \
|
||||
request-timeout=60 \
|
||||
inactivity-timeout=0 \
|
||||
deadlock-timeout=60 \
|
||||
graceful-timeout=15 \
|
||||
eviction-timeout=0 \
|
||||
shutdown-timeout=5 \
|
||||
send-buffer-size=0 \
|
||||
receive-buffer-size=0 \
|
||||
header-buffer-size=0 \
|
||||
response-buffer-size=0 \
|
||||
server-metrics=Off
|
||||
|
||||
WSGIScriptAlias / /var/www/misp-dashboard/misp-dashboard.wsgi
|
||||
|
||||
<Directory /var/www/misp-dashboard>
|
||||
WSGIProcessGroup misp-dashboard
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
LogLevel info
|
||||
ErrorLog /var/log/apache2/misp-dashboard.local_error.log
|
||||
CustomLog /var/log/apache2/misp-dashboard.local_access.log combined
|
||||
ServerSignature Off
|
||||
</VirtualHost>" | tee /etc/apache2/sites-available/misp-dashboard.conf
|
||||
|
||||
a2dissite default-ssl
|
||||
a2ensite misp-ssl
|
||||
a2ensite misp-dashboard
|
||||
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
|
||||
do
|
||||
sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
|
||||
systemctl restart apache2
|
||||
|
||||
cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
|
||||
chmod 0640 /etc/logrotate.d/misp
|
||||
|
||||
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php
|
||||
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/core.default.php $PATH_TO_MISP/app/Config/core.php
|
||||
$SUDO_WWW cp -a $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php
|
||||
|
||||
chown -R www-data:www-data $PATH_TO_MISP/app/Config
|
||||
chmod -R 750 $PATH_TO_MISP/app/Config
|
||||
$CAKE Live $MISP_LIVE
|
||||
$CAKE Baseurl $MISP_BASEURL
|
||||
|
||||
echo "%echo Generating a default key
|
||||
Key-Type: default
|
||||
Key-Length: $GPG_KEY_LENGTH
|
||||
Subkey-Type: default
|
||||
Name-Real: $GPG_REAL_NAME
|
||||
Name-Comment: $GPG_COMMENT
|
||||
Name-Email: $GPG_EMAIL_ADDRESS
|
||||
Expire-Date: 0
|
||||
Passphrase: $GPG_PASSPHRASE
|
||||
# Do a commit here, so that we can later print "done"
|
||||
%commit
|
||||
%echo done" > /tmp/gen-key-script
|
||||
|
||||
$SUDO_WWW gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-key-script
|
||||
|
||||
$SUDO_WWW sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS" | $SUDO_WWW tee $PATH_TO_MISP/app/webroot/gpg.asc
|
||||
|
||||
chmod +x $PATH_TO_MISP/app/Console/worker/start.sh
|
||||
|
||||
$CAKE userInit -q
|
||||
|
||||
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
|
||||
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost"
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq"
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
|
||||
$CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false
|
||||
$CAKE Admin setSetting "GnuPG.email" "admin@admin.test"
|
||||
$CAKE Admin setSetting "GnuPG.homedir" "/var/www/MISP/.gnupg"
|
||||
$CAKE Admin setSetting "GnuPG.password" "Password1234"
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
|
||||
$CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
|
||||
$CAKE Admin setSetting "Plugin.Import_services_enable" true
|
||||
$CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
|
||||
$CAKE Admin setSetting "Plugin.Import_services_port" 6666
|
||||
$CAKE Admin setSetting "Plugin.Import_timeout" 300
|
||||
$CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
|
||||
$CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
|
||||
$CAKE Admin setSetting "Plugin.Export_services_enable" true
|
||||
$CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
|
||||
$CAKE Admin setSetting "Plugin.Export_services_port" 6666
|
||||
$CAKE Admin setSetting "Plugin.Export_timeout" 300
|
||||
$CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
|
||||
$CAKE Admin setSetting "MISP.host_org_id" 1
|
||||
$CAKE Admin setSetting "MISP.email" "info@admin.test"
|
||||
$CAKE Admin setSetting "MISP.disable_emailing" false
|
||||
$CAKE Admin setSetting "MISP.contact" "info@admin.test"
|
||||
$CAKE Admin setSetting "MISP.disablerestalert" true
|
||||
$CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true
|
||||
$CAKE Admin setSetting "Plugin.Cortex_services_enable" false
|
||||
$CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
|
||||
$CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
|
||||
$CAKE Admin setSetting "Plugin.Cortex_timeout" 120
|
||||
$CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
|
||||
$CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
|
||||
$CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120
|
||||
$CAKE Admin setSetting "Plugin.Cortex_services_authkey" ""
|
||||
$CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
|
||||
$CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false
|
||||
$CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true
|
||||
$CAKE Admin setSetting "Plugin.Sightings_policy" 0
|
||||
$CAKE Admin setSetting "Plugin.Sightings_anonymise" false
|
||||
$CAKE Admin setSetting "Plugin.Sightings_range" 365
|
||||
$CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
|
||||
$CAKE Admin setSetting "Plugin.RPZ_policy" "DROP"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_refresh" "2h"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_retry" "30m"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_expiry" "30d"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_ttl" "1w"
|
||||
$CAKE Admin setSetting "Plugin.RPZ_ns" "localhost."
|
||||
$CAKE Admin setSetting "Plugin.RPZ_ns_alt" ""
|
||||
$CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost"
|
||||
$CAKE Admin setSetting "MISP.language" "eng"
|
||||
$CAKE Admin setSetting "MISP.proposals_block_attributes" false
|
||||
$CAKE Admin setSetting "MISP.redis_host" "127.0.0.1"
|
||||
$CAKE Admin setSetting "MISP.redis_port" 6379
|
||||
$CAKE Admin setSetting "MISP.redis_database" 13
|
||||
$CAKE Admin setSetting "MISP.redis_password" ""
|
||||
$CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40
|
||||
$CAKE Admin setSetting "MISP.extended_alert_subject" false
|
||||
$CAKE Admin setSetting "MISP.default_event_threat_level" 4
|
||||
$CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
|
||||
$CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
|
||||
$CAKE Admin setSetting "MISP.enableEventBlacklisting" true
|
||||
$CAKE Admin setSetting "MISP.enableOrgBlacklisting" true
|
||||
$CAKE Admin setSetting "MISP.log_client_ip" false
|
||||
$CAKE Admin setSetting "MISP.log_auth" false
|
||||
$CAKE Admin setSetting "MISP.disableUserSelfManagement" false
|
||||
$CAKE Admin setSetting "MISP.block_event_alert" false
|
||||
$CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
|
||||
$CAKE Admin setSetting "MISP.block_old_event_alert" false
|
||||
$CAKE Admin setSetting "MISP.block_old_event_alert_age" ""
|
||||
$CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false
|
||||
$CAKE Admin setSetting "MISP.footermidleft" "This is an autogenerated install"
|
||||
$CAKE Admin setSetting "MISP.footermidright" "Please configure accordingly and do not use in production"
|
||||
$CAKE Admin setSetting "MISP.welcome_text_top" "Autogenerated install, please configure and harden accordingly"
|
||||
$CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP on Kali"
|
||||
$CAKE Admin setSetting "Security.password_policy_length" 12
|
||||
$CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
|
||||
$CAKE Admin setSetting "Session.autoRegenerate" 0
|
||||
$CAKE Admin setSetting "Session.timeout" 600
|
||||
$CAKE Admin setSetting "Session.cookie_timeout" 3600
|
||||
$CAKE Live $MISP_LIVE
|
||||
#$CAKE Admin updateGalaxies
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/galaxies/update
|
||||
$CAKE Admin updateTaxonomies
|
||||
#$CAKE Admin updateWarningLists
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/warninglists/update
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update
|
||||
sed -i -e '$i \echo never > /sys/kernel/mm/transparent_hugepage/enabled\n' /etc/rc.local
|
||||
sed -i -e '$i \echo 1024 > /proc/sys/net/core/somaxconn\n' /etc/rc.local
|
||||
sed -i -e '$i \sysctl vm.overcommit_memory=1\n' /etc/rc.local
|
||||
sed -i -e '$i \sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh\n' /etc/rc.local
|
||||
sed -i -e '$i \sudo -u www-data misp-modules -l 0.0.0.0 -s &\n' /etc/rc.local
|
||||
$SUDO_WWW bash $PATH_TO_MISP/app/Console/worker/start.sh
|
||||
cd /usr/local/src/
|
||||
git clone https://github.com/MISP/misp-modules.git
|
||||
cd misp-modules
|
||||
# pip3 install
|
||||
pip3 install -I -r REQUIREMENTS
|
||||
pip3 install -I .
|
||||
pip3 install maec lief python-magic wand yara
|
||||
pip3 install git+https://github.com/kbandla/pydeep.git
|
||||
gem install pygments.rb
|
||||
gem install asciidoctor-pdf --pre
|
||||
$SUDO_WWW misp-modules -l 0.0.0.0 -s &
|
||||
cd /usr/local/src/
|
||||
apt-get install -y libssl-dev swig python3-ssdeep p7zip-full unrar-free sqlite python3-pyclamd exiftool radare2
|
||||
pip3 install SQLAlchemy PrettyTable python-magic
|
||||
git clone https://github.com/viper-framework/viper.git
|
||||
chown -R $MISP_USER:$MISP_USER viper
|
||||
cd viper
|
||||
$SUDO git submodule update --init --recursive
|
||||
pip3 install scrapy
|
||||
pip3 install -r requirements.txt
|
||||
pip3 uninstall yara -y
|
||||
$SUDO /usr/local/src/viper/viper-cli -h > /dev/null
|
||||
$SUDO /usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &
|
||||
echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/src/viper:/var/www/MISP/app/Console"' |tee /etc/environment
|
||||
echo ". /etc/environment" >> /home/${MISP_USER}/.profile
|
||||
$SUDO sed -i "s/^misp_url\ =/misp_url\ =\ http:\/\/localhost/g" /home/${MISP_USER}/.viper/viper.conf
|
||||
$SUDO sed -i "s/^misp_key\ =/misp_key\ =\ $AUTH_KEY/g" /home/${MISP_USER}/.viper/viper.conf
|
||||
|
||||
while [ "$(sqlite3 /home/${MISP_USER}/.viper/admin.db 'UPDATE auth_user SET password="pbkdf2_sha256$100000$iXgEJh8hz7Cf$vfdDAwLX8tko1t0M1TLTtGlxERkNnltUnMhbv56wK/U="'; echo $?)" -ne "0" ]; do
|
||||
# FIXME This might lead to a race condition, the while loop is sub-par
|
||||
chown $MISP_USER:$MISP_USER /home/${MISP_USER}/.viper/admin.db
|
||||
echo "Updating viper-web admin password, giving process time to start-up, sleeping 5, 4, 3,…"
|
||||
sleep 6
|
||||
done
|
||||
|
||||
chown -R www-data:www-data $PATH_TO_MISP
|
||||
chmod -R 750 $PATH_TO_MISP
|
||||
chmod -R g+ws $PATH_TO_MISP/app/tmp
|
||||
chmod -R g+ws $PATH_TO_MISP/app/files
|
||||
chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
|
||||
|
||||
# TODO: fix faup
|
||||
cd /usr/local/src/
|
||||
apt-get install -y cmake
|
||||
git clone https://github.com/MISP/mail_to_misp.git
|
||||
git clone git://github.com/stricaud/faup.git faup
|
||||
chown -R ${MISP_USER}:${MISP_USER} faup mail_to_misp
|
||||
cd faup
|
||||
$SUDO mkdir -p build
|
||||
cd build
|
||||
$SUDO cmake .. && $SUDO make
|
||||
make install
|
||||
ldconfig
|
||||
cd ../../
|
||||
cd mail_to_misp
|
||||
pip3 install -r requirements.txt
|
||||
$SUDO cp mail_to_misp_config.py-example mail_to_misp_config.py
|
||||
sed -i "s/^misp_url\ =\ 'YOUR_MISP_URL'/misp_url\ =\ 'http:\/\/localhost'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py
|
||||
sed -i "s/^misp_key\ =\ 'YOUR_KEY_HERE'/misp_key\ =\ '$AUTH_KEY'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py
|
||||
echo ""
|
||||
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN" > /home/${MISP_USER}/mysql.txt
|
||||
echo "User (misp) DB Password: $DBPASSWORD_MISP" >> /home/${MISP_USER}/mysql.txt
|
||||
echo "Authkey: $AUTH_KEY" > /home/${MISP_USER}/MISP-authkey.txt
|
||||
|
||||
clear
|
||||
echo "-------------------------------------------------------------------------"
|
||||
echo "MISP Installed, access here: https://misp.local"
|
||||
echo "User: admin@admin.test"
|
||||
echo "Password: admin"
|
||||
echo "MISP Dashboard, access here: http://misp.local:8001"
|
||||
echo "-------------------------------------------------------------------------"
|
||||
cat /home/${MISP_USER}/mysql.txt
|
||||
cat /home/${MISP_USER}/MISP-authkey.txt
|
||||
echo "-------------------------------------------------------------------------"
|
||||
echo "The LOCAL system credentials:"
|
||||
echo "User: ${MISP_USER}"
|
||||
echo "Password: ${MISP_PASSWORD}"
|
||||
echo "-------------------------------------------------------------------------"
|
||||
echo "viper-web installed, access here: http://misp.local:8888"
|
||||
echo "viper-cli configured with your MISP Site Admin Auth Key"
|
||||
echo "User: admin"
|
||||
echo "Password: Password1234"
|
||||
echo "-------------------------------------------------------------------------"
|
||||
echo "To enable outgoing mails via postfix set a permissive SMTP server for the domains you want to contact:"
|
||||
echo ""
|
||||
echo "sudo postconf -e 'relayhost = example.com'"
|
||||
echo "sudo postfix reload"
|
||||
echo "-------------------------------------------------------------------------"
|
||||
echo "Enjoy using MISP. For any issues see here: https://github.com/MISP/MISP/issues"
|
||||
su - misp
|
||||
}
|
||||
|
||||
kaliOnRootR0ckz
|
||||
installMISPonKali
|
|
@ -0,0 +1 @@
|
|||
INSTALL.debian.sh
|
|
@ -32,7 +32,7 @@
|
|||
SSLEngine On
|
||||
SSLCertificateFile /etc/pki/tls/certs/misp.local.crt
|
||||
SSLCertificateKeyFile /etc/pki/tls/private/misp.local.key
|
||||
# SSLCertificateChainFile /etc/pki/tls/certs/misp-chain.crt
|
||||
SSLCertificateChainFile /etc/pki/tls/certs/misp-chain.crt
|
||||
|
||||
LogLevel warn
|
||||
ErrorLog /var/log/httpd/misp.local_error.log
|
||||
|
|
2
PyMISP
2
PyMISP
|
@ -1 +1 @@
|
|||
Subproject commit bab80181f17976cb6c5388e7bad49cbbf514fb89
|
||||
Subproject commit dc5d40a327233895792b8148a7c87d5a1c2ebfb1
|
|
@ -107,8 +107,8 @@ This software is licensed under [GNU Affero General Public License version 3](ht
|
|||
* Copyright (C) 2012 Christophe Vandeplas
|
||||
* Copyright (C) 2012 Belgian Defence
|
||||
* Copyright (C) 2012 NATO / NCIRC
|
||||
* Copyright (C) 2013-2018 Andras Iklody
|
||||
* Copyright (C) 2015-2018 CIRCL - Computer Incident Response Center Luxembourg
|
||||
* Copyright (C) 2013-2019 Andras Iklody
|
||||
* Copyright (C) 2015-2019 CIRCL - Computer Incident Response Center Luxembourg
|
||||
* Copyright (C) 2016 Andreas Ziegler
|
||||
|
||||
For more information, [the list of authors and contributors](AUTHORS) is available.
|
||||
|
|
|
@ -3871,6 +3871,9 @@ class EventsController extends AppController
|
|||
} else {
|
||||
$data = $this->request->data;
|
||||
}
|
||||
if (!isset($data['request'])) {
|
||||
$data = array('request' => $data);
|
||||
}
|
||||
$paramArray = array('id', 'withAttachment', 'tags', 'from', 'to', 'last');
|
||||
foreach ($paramArray as $p) {
|
||||
if (isset($data['request'][$p])) {
|
||||
|
@ -3920,7 +3923,7 @@ class EventsController extends AppController
|
|||
}
|
||||
$this->set('data', $result['data']);
|
||||
} else {
|
||||
throw new Exception(h($result['message']));
|
||||
throw new BadRequestException(h($result['message']));
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -824,7 +824,7 @@ class ShadowAttributesController extends AppController
|
|||
$id = $temp['Attribute']['id'];
|
||||
}
|
||||
|
||||
$existingAttribute = $this->ShadowAttribute->Event->Attribute->fetchAttributes($this->Auth->user(), array('Attriute.id' => $id));
|
||||
$existingAttribute = $this->ShadowAttribute->Event->Attribute->fetchAttributes($this->Auth->user(), array('conditions' => array('Attribute.id' => $id)));
|
||||
if (empty($existingAttribute)) {
|
||||
throw new NotFoundException(__('Invalid attribute.'));
|
||||
}
|
||||
|
@ -833,6 +833,7 @@ class ShadowAttributesController extends AppController
|
|||
if (empty($existingAttribute)) {
|
||||
return new CakeResponse(array('body'=> json_encode(array('false' => true, 'errors' => 'Invalid Attribute.')), 'status'=>200, 'type' => 'json'));
|
||||
}
|
||||
$existingAttribute = $existingAttribute[0];
|
||||
$this->ShadowAttribute->create();
|
||||
$sa = array(
|
||||
'old_id' => $existingAttribute['Attribute']['id'],
|
||||
|
@ -861,6 +862,7 @@ class ShadowAttributesController extends AppController
|
|||
if (empty($existingAttribute)) {
|
||||
throw new NotFoundException(__('Invalid Attribute'));
|
||||
}
|
||||
$existingAttribute = $existingAttribute[0];
|
||||
$this->set('id', $id);
|
||||
$this->set('event_id', $existingAttribute['Attribute']['event_id']);
|
||||
$this->render('ajax/deletionProposalConfirmationForm');
|
||||
|
|
|
@ -72,7 +72,8 @@ class Attribute extends AppModel
|
|||
'port',
|
||||
'nationality',
|
||||
'cortex',
|
||||
'boolean'
|
||||
'boolean',
|
||||
'anonymised'
|
||||
);
|
||||
|
||||
public $primaryOnlyCorrelatingTypes = array(
|
||||
|
@ -160,6 +161,7 @@ class Attribute extends AppModel
|
|||
'AS' => array('desc' => 'Autonomous system', 'default_category' => 'Network activity', 'to_ids' => 0),
|
||||
'snort' => array('desc' => 'An IDS rule in Snort rule-format', 'formdesc' => "An IDS rule in Snort rule-format. This rule will be automatically rewritten in the NIDS exports.", 'default_category' => 'Network activity', 'to_ids' => 1),
|
||||
'bro' => array('desc' => 'An NIDS rule in the Bro rule-format', 'formdesc' => "An NIDS rule in the Bro rule-format.", 'default_category' => 'Network activity', 'to_ids' => 1),
|
||||
'zeek' => array('desc' => 'An NIDS rule in the Zeek rule-format', 'formdesc' => "An NIDS rule in the Zeek rule-format.", 'default_category' => 'Network activity', 'to_ids' => 1),
|
||||
'pattern-in-file' => array('desc' => 'Pattern in file that identifies the malware', 'default_category' => 'Payload installation', 'to_ids' => 1),
|
||||
'pattern-in-traffic' => array('desc' => 'Pattern in network traffic that identifies the malware', 'default_category' => 'Network activity', 'to_ids' => 1),
|
||||
'pattern-in-memory' => array('desc' => 'Pattern in memory dump that identifies the malware', 'default_category' => 'Payload installation', 'to_ids' => 1),
|
||||
|
@ -292,7 +294,8 @@ class Attribute extends AppModel
|
|||
'passenger-name-record-locator-number' => array('desc' => 'The Passenger Name Record Locator is a key under which the reservation for a trip is stored in the system. The PNR contains, among other data, the name, flight segments and address of the passenger. It is defined by a combination of five or six letters and numbers.', 'default_category' => 'Person', 'to_ids' => 0),
|
||||
'mobile-application-id' => array('desc' => 'The application id of a mobile application', 'default_category' => 'Payload delivery', 'to_ids' => 1),
|
||||
'cortex' => array('desc' => 'Cortex analysis result', 'default_category' => 'External analysis', 'to_ids' => 0),
|
||||
'boolean' => array('desc' => 'Boolean value - to be used in objects', 'default_category' => 'Other', 'to_ids' => 0)
|
||||
'boolean' => array('desc' => 'Boolean value - to be used in objects', 'default_category' => 'Other', 'to_ids' => 0),
|
||||
'anonymised' => array('desc' => 'Anonymised value - described with the anonymisation object via a relationship', 'formdesc' => 'Anonymised value - described with the anonymisation object via a relationship.' , 'default_category' => 'Other', 'to_ids' => 0)
|
||||
// Not convinced about this.
|
||||
//'url-regex' => array('desc' => '', 'default_category' => 'Person', 'to_ids' => 0),
|
||||
);
|
||||
|
@ -302,76 +305,76 @@ class Attribute extends AppModel
|
|||
public $categoryDefinitions = array(
|
||||
'Internal reference' => array(
|
||||
'desc' => 'Reference used by the publishing party (e.g. ticket number)',
|
||||
'types' => array('text', 'link', 'comment', 'other', 'hex')
|
||||
'types' => array('text', 'link', 'comment', 'other', 'hex', 'anonymised')
|
||||
),
|
||||
'Targeting data' => array(
|
||||
'desc' => 'Internal Attack Targeting and Compromise Information',
|
||||
'formdesc' => 'Targeting information to include recipient email, infected machines, department, and or locations.',
|
||||
'types' => array('target-user', 'target-email', 'target-machine', 'target-org', 'target-location', 'target-external', 'comment')
|
||||
'types' => array('target-user', 'target-email', 'target-machine', 'target-org', 'target-location', 'target-external', 'comment', 'anonymised')
|
||||
),
|
||||
'Antivirus detection' => array(
|
||||
'desc' => 'All the info about how the malware is detected by the antivirus products',
|
||||
'formdesc' => 'List of anti-virus vendors detecting the malware or information on detection performance (e.g. 13/43 or 67%). Attachment with list of detection or link to VirusTotal could be placed here as well.',
|
||||
'types' => array('link', 'comment', 'text', 'hex', 'attachment', 'other')
|
||||
'types' => array('link', 'comment', 'text', 'hex', 'attachment', 'other', 'anonymised')
|
||||
),
|
||||
'Payload delivery' => array(
|
||||
'desc' => 'Information about how the malware is delivered',
|
||||
'formdesc' => 'Information about the way the malware payload is initially delivered, for example information about the email or web-site, vulnerability used, originating IP etc. Malware sample itself should be attached here.',
|
||||
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy', 'authentihash', 'pehash', 'tlsh', 'cdhash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash','filename|impfuzzy', 'filename|pehash', 'mac-address', 'mac-eui-64', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'email-body', 'url', 'user-agent', 'AS', 'pattern-in-file', 'pattern-in-traffic', 'stix2-pattern', 'yara', 'sigma', 'mime-type', 'attachment', 'malware-sample', 'link', 'malware-type', 'comment', 'text', 'hex', 'vulnerability', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5', 'other', 'hostname|port', 'email-dst-display-name', 'email-src-display-name', 'email-header', 'email-reply-to', 'email-x-mailer', 'email-mime-boundary', 'email-thread-index', 'email-message-id', 'mobile-application-id', 'whois-registrant-email')
|
||||
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy', 'authentihash', 'pehash', 'tlsh', 'cdhash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash','filename|impfuzzy', 'filename|pehash', 'mac-address', 'mac-eui-64', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'email-body', 'url', 'user-agent', 'AS', 'pattern-in-file', 'pattern-in-traffic', 'stix2-pattern', 'yara', 'sigma', 'mime-type', 'attachment', 'malware-sample', 'link', 'malware-type', 'comment', 'text', 'hex', 'vulnerability', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5', 'other', 'hostname|port', 'email-dst-display-name', 'email-src-display-name', 'email-header', 'email-reply-to', 'email-x-mailer', 'email-mime-boundary', 'email-thread-index', 'email-message-id', 'mobile-application-id', 'whois-registrant-email', 'anonymised')
|
||||
),
|
||||
'Artifacts dropped' => array(
|
||||
'desc' => 'Any artifact (files, registry keys etc.) dropped by the malware or other modifications to the system',
|
||||
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy', 'authentihash', 'cdhash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|impfuzzy','filename|pehash', 'regkey', 'regkey|value', 'pattern-in-file', 'pattern-in-memory','pdb', 'stix2-pattern', 'yara', 'sigma', 'attachment', 'malware-sample', 'named pipe', 'mutex', 'windows-scheduled-task', 'windows-service-name', 'windows-service-displayname', 'comment', 'text', 'hex', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'other', 'cookie', 'gene', 'mime-type')
|
||||
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy', 'authentihash', 'cdhash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|impfuzzy','filename|pehash', 'regkey', 'regkey|value', 'pattern-in-file', 'pattern-in-memory','pdb', 'stix2-pattern', 'yara', 'sigma', 'attachment', 'malware-sample', 'named pipe', 'mutex', 'windows-scheduled-task', 'windows-service-name', 'windows-service-displayname', 'comment', 'text', 'hex', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'other', 'cookie', 'gene', 'mime-type', 'anonymised')
|
||||
),
|
||||
'Payload installation' => array(
|
||||
'desc' => 'Info on where the malware gets installed in the system',
|
||||
'formdesc' => 'Location where the payload was placed in the system and the way it was installed. For example, a filename|md5 type attribute can be added here like this: c:\\windows\\system32\\malicious.exe|41d8cd98f00b204e9800998ecf8427e.',
|
||||
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy', 'authentihash', 'pehash', 'tlsh', 'cdhash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|impfuzzy', 'filename|pehash', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'stix2-pattern', 'yara', 'sigma', 'vulnerability', 'attachment', 'malware-sample', 'malware-type', 'comment', 'text', 'hex', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'mobile-application-id', 'other', 'mime-type')
|
||||
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy', 'authentihash', 'pehash', 'tlsh', 'cdhash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|impfuzzy', 'filename|pehash', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'stix2-pattern', 'yara', 'sigma', 'vulnerability', 'attachment', 'malware-sample', 'malware-type', 'comment', 'text', 'hex', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'mobile-application-id', 'other', 'mime-type', 'anonymised')
|
||||
),
|
||||
'Persistence mechanism' => array(
|
||||
'desc' => 'Mechanisms used by the malware to start at boot',
|
||||
'formdesc' => 'Mechanisms used by the malware to start at boot. This could be a registry key, legitimate driver modification, LNK file in startup',
|
||||
'types' => array('filename', 'regkey', 'regkey|value', 'comment', 'text', 'other', 'hex')
|
||||
'types' => array('filename', 'regkey', 'regkey|value', 'comment', 'text', 'other', 'hex', 'anonymised')
|
||||
),
|
||||
'Network activity' => array(
|
||||
'desc' => 'Information about network traffic generated by the malware',
|
||||
'types' => array('ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'port', 'hostname', 'domain', 'domain|ip', 'mac-address', 'mac-eui-64', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'stix2-pattern', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256', 'ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5', 'other', 'hex', 'cookie', 'hostname|port', 'bro')
|
||||
'types' => array('ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'port', 'hostname', 'domain', 'domain|ip', 'mac-address', 'mac-eui-64', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'stix2-pattern', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256', 'ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5', 'other', 'hex', 'cookie', 'hostname|port', 'bro', 'zeek', 'anonymised')
|
||||
),
|
||||
'Payload type' => array(
|
||||
'desc' => 'Information about the final payload(s)',
|
||||
'formdesc' => 'Information about the final payload(s). Can contain a function of the payload, e.g. keylogger, RAT, or a name if identified, such as Poison Ivy.',
|
||||
'types' => array('comment', 'text', 'other')
|
||||
'types' => array('comment', 'text', 'other', 'anonymised')
|
||||
),
|
||||
'Attribution' => array(
|
||||
'desc' => 'Identification of the group, organisation, or country behind the attack',
|
||||
'types' => array('threat-actor', 'campaign-name', 'campaign-id', 'whois-registrant-phone', 'whois-registrant-email', 'whois-registrant-name', 'whois-registrant-org', 'whois-registrar', 'whois-creation-date','comment', 'text', 'x509-fingerprint-sha1','x509-fingerprint-md5', 'x509-fingerprint-sha256', 'other', 'dns-soa-email')
|
||||
'types' => array('threat-actor', 'campaign-name', 'campaign-id', 'whois-registrant-phone', 'whois-registrant-email', 'whois-registrant-name', 'whois-registrant-org', 'whois-registrar', 'whois-creation-date','comment', 'text', 'x509-fingerprint-sha1','x509-fingerprint-md5', 'x509-fingerprint-sha256', 'other', 'dns-soa-email', 'anonymised')
|
||||
),
|
||||
'External analysis' => array(
|
||||
'desc' => 'Any other result from additional analysis of the malware like tools output',
|
||||
'formdesc' => 'Any other result from additional analysis of the malware like tools output Examples: pdf-parser output, automated sandbox analysis, reverse engineering report.',
|
||||
'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'mac-address', 'mac-eui-64', 'hostname', 'domain', 'domain|ip', 'url', 'user-agent', 'regkey', 'regkey|value', 'AS', 'snort', 'bro','pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5', 'github-repository', 'other', 'cortex')
|
||||
'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'mac-address', 'mac-eui-64', 'hostname', 'domain', 'domain|ip', 'url', 'user-agent', 'regkey', 'regkey|value', 'AS', 'snort', 'bro', 'zeek', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5', 'github-repository', 'other', 'cortex', 'anonymised')
|
||||
),
|
||||
'Financial fraud' => array(
|
||||
'desc' => 'Financial Fraud indicators',
|
||||
'formdesc' => 'Financial Fraud indicators, for example: IBAN Numbers, BIC codes, Credit card numbers, etc.',
|
||||
'types' => array('btc', 'xmr', 'iban', 'bic', 'bank-account-nr', 'aba-rtn', 'bin', 'cc-number', 'prtn', 'phone-number', 'comment', 'text', 'other', 'hex'),
|
||||
'types' => array('btc', 'xmr', 'iban', 'bic', 'bank-account-nr', 'aba-rtn', 'bin', 'cc-number', 'prtn', 'phone-number', 'comment', 'text', 'other', 'hex', 'anonymised'),
|
||||
),
|
||||
'Support Tool' => array(
|
||||
'desc' => 'Tools supporting analysis or detection of the event',
|
||||
'types' => array('link', 'text', 'attachment', 'comment', 'other', 'hex')
|
||||
'types' => array('link', 'text', 'attachment', 'comment', 'other', 'hex', 'anonymised')
|
||||
),
|
||||
'Social network' => array(
|
||||
'desc' => 'Social networks and platforms',
|
||||
// email-src and email-dst or should we go with a new email type that is neither / both?
|
||||
'types' => array('github-username', 'github-repository', 'github-organisation', 'jabber-id', 'twitter-id', 'email-src', 'email-dst', 'comment', 'text', 'other', 'whois-registrant-email')
|
||||
'types' => array('github-username', 'github-repository', 'github-organisation', 'jabber-id', 'twitter-id', 'email-src', 'email-dst', 'comment', 'text', 'other', 'whois-registrant-email', 'anonymised')
|
||||
),
|
||||
'Person' => array(
|
||||
'desc' => 'A human being - natural person',
|
||||
'types' => array('first-name', 'middle-name', 'last-name', 'date-of-birth', 'place-of-birth', 'gender', 'passport-number', 'passport-country', 'passport-expiration', 'redress-number', 'nationality', 'visa-number', 'issue-date-of-the-visa', 'primary-residence', 'country-of-residence', 'special-service-request', 'frequent-flyer-number', 'travel-details', 'payment-details', 'place-port-of-original-embarkation', 'place-port-of-clearance', 'place-port-of-onward-foreign-destination', 'passenger-name-record-locator-number', 'comment', 'text', 'other', 'phone-number', 'identity-card-number')
|
||||
'types' => array('first-name', 'middle-name', 'last-name', 'date-of-birth', 'place-of-birth', 'gender', 'passport-number', 'passport-country', 'passport-expiration', 'redress-number', 'nationality', 'visa-number', 'issue-date-of-the-visa', 'primary-residence', 'country-of-residence', 'special-service-request', 'frequent-flyer-number', 'travel-details', 'payment-details', 'place-port-of-original-embarkation', 'place-port-of-clearance', 'place-port-of-onward-foreign-destination', 'passenger-name-record-locator-number', 'comment', 'text', 'other', 'phone-number', 'identity-card-number', 'anonymised')
|
||||
),
|
||||
'Other' => array(
|
||||
'desc' => 'Attributes that are not part of any other category or are meant to be used as a component in MISP objects in the future',
|
||||
'types' => array('comment', 'text', 'other', 'size-in-bytes', 'counter', 'datetime', 'cpe', 'port', 'float', 'hex', 'phone-number', 'boolean')
|
||||
'types' => array('comment', 'text', 'other', 'size-in-bytes', 'counter', 'datetime', 'cpe', 'port', 'float', 'hex', 'phone-number', 'boolean', 'anonymised')
|
||||
)
|
||||
);
|
||||
|
||||
|
@ -424,7 +427,7 @@ class Attribute extends AppModel
|
|||
// This helps generate quick filtering for the event view, but we may reuse this and enhance it in the future for other uses (such as the API?)
|
||||
public $typeGroupings = array(
|
||||
'file' => array('attachment', 'pattern-in-file', 'md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy', 'authentihash', 'pehash', 'tlsh', 'cdhash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|pehash', 'malware-sample', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256', 'x509-fingerprint-md5'),
|
||||
'network' => array('ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port', 'mac-address', 'mac-eui-64', 'hostname', 'hostname|port', 'domain', 'domain|ip', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'bro','pattern-in-traffic', 'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256','ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5'),
|
||||
'network' => array('ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port', 'mac-address', 'mac-eui-64', 'hostname', 'hostname|port', 'domain', 'domain|ip', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'bro', 'zeek', 'pattern-in-traffic', 'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256','ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5'),
|
||||
'financial' => array('btc', 'xmr', 'iban', 'bic', 'bank-account-nr', 'aba-rtn', 'bin', 'cc-number', 'prtn', 'phone-number')
|
||||
);
|
||||
|
||||
|
@ -1160,6 +1163,8 @@ class Attribute extends AppModel
|
|||
case 'AS':
|
||||
case 'snort':
|
||||
case 'bro':
|
||||
case 'zeek':
|
||||
case 'anonymised':
|
||||
case 'pattern-in-file':
|
||||
case 'pattern-in-traffic':
|
||||
case 'pattern-in-memory':
|
||||
|
@ -1339,6 +1344,7 @@ class Attribute extends AppModel
|
|||
case 'authentihash':
|
||||
case 'imphash':
|
||||
case 'tlsh':
|
||||
case 'anonymised':
|
||||
case 'cdhash':
|
||||
case 'email-src':
|
||||
case 'email-dst':
|
||||
|
|
|
@ -62,6 +62,11 @@ class AttributeTag extends AppModel
|
|||
}
|
||||
}
|
||||
|
||||
public function softDelete($id)
|
||||
{
|
||||
$this->delete($id);
|
||||
}
|
||||
|
||||
public function attachTagToAttribute($attribute_id, $event_id, $tag_id)
|
||||
{
|
||||
$existingAssociation = $this->find('first', array(
|
||||
|
|
|
@ -56,6 +56,11 @@ class EventTag extends AppModel
|
|||
}
|
||||
}
|
||||
|
||||
public function softDelete($id)
|
||||
{
|
||||
$this->delete($id);
|
||||
}
|
||||
|
||||
// take an array of tag names to be included and an array with tagnames to be excluded and find all event IDs that fit the criteria
|
||||
public function getEventIDsFromTags($includedTags, $excludedTags)
|
||||
{
|
||||
|
|
|
@ -372,7 +372,7 @@ class Feed extends AppModel
|
|||
$results = $pipe->exec();
|
||||
if (!$overrideLimit && count($objects) > 10000) {
|
||||
foreach ($results as $k => $result) {
|
||||
if ($result) {
|
||||
if ($result && empty($objects[$k]['disable_correlation'])) {
|
||||
if (isset($event['FeedCount'])) {
|
||||
$event['FeedCount']++;
|
||||
} else {
|
||||
|
@ -383,7 +383,7 @@ class Feed extends AppModel
|
|||
}
|
||||
} else {
|
||||
foreach ($results as $k => $result) {
|
||||
if ($result) {
|
||||
if ($result && empty($objects[$k]['disable_correlation'])) {
|
||||
$hitIds[] = $k;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -413,4 +413,211 @@ class Tag extends AppModel
|
|||
}
|
||||
return $events;
|
||||
}
|
||||
|
||||
public function fixMitreTags($user)
|
||||
{
|
||||
$full_print_buffer = '';
|
||||
$this->GalaxyCluster = Classregistry::init('GalaxyCluster');
|
||||
// first find all tags that are the bad tags:
|
||||
// - the enterprise-, pre- and mobile-attack
|
||||
// - the old version of the MITRE tag (without Txx, Pxx, ...)
|
||||
$mitre_categories = array('attack-pattern', 'course-of-action', 'intrusion-set', 'malware', 'mitre-tool');
|
||||
$mitre_stages = array('enterprise-attack', 'pre-attack', 'mobile-attack');
|
||||
$cluster_names = $this->GalaxyCluster->find('list',
|
||||
array('fields' => array('GalaxyCluster.tag_name'),
|
||||
'group' => array('GalaxyCluster.id', 'GalaxyCluster.tag_name'),
|
||||
'conditions' => array('GalaxyCluster.tag_name LIKE' => 'misp-galaxy:mitre-%')
|
||||
));
|
||||
// this is a mapping to keep track of what old tag we need to change (key) to what new tag(value)
|
||||
// key = old_tag_id, value = new_tag_name
|
||||
$mappings = array();
|
||||
// First find all tags which are the old format, but who's string needs to be updated
|
||||
// Example: mitre-malware="XAgentOSX" => mitre-malware="XAgentOSX - S0161"
|
||||
// Once found we will add these to a mapping
|
||||
foreach ($mitre_categories as $category) {
|
||||
$tag_start = 'misp-galaxy:mitre-' . $category;
|
||||
// print("<h2>### Searching for $category</h2>");
|
||||
$tags = $this->find('all', array(
|
||||
'conditions' => array('Tag.name LIKE' => $tag_start . '=%'),
|
||||
'recursive' => -1));
|
||||
// print_r($tags);
|
||||
foreach ($tags as $tag) {
|
||||
$old_tag_name = $tag['Tag']['name'];
|
||||
$old_tag_id = $tag['Tag']['id'];
|
||||
$old_tag_name_without_quote = rtrim($old_tag_name, '"') . ' -';
|
||||
foreach ($cluster_names as $cluster_name) {
|
||||
// print("Searching for $old_tag_name in $cluster_name<br>");
|
||||
if (strstr($cluster_name, $old_tag_name_without_quote)) {
|
||||
// print("FOUND - $old_tag_name - $cluster_name<br/>");
|
||||
$mappings[$old_tag_id] = $cluster_name;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
// Now find all tags that are from the enterprise, pre-attack and mobile-attack galaxies
|
||||
foreach ($mitre_stages as $stage) {
|
||||
foreach ($mitre_categories as $category) {
|
||||
$tag_start = 'misp-galaxy:mitre-' . $stage . '-' . $category;
|
||||
// print("<h2>### Searching for $stage-$category</h2>");
|
||||
$tags = $this->find('all', array(
|
||||
'conditions' => array('Tag.name LIKE' => $tag_start . '=%'),
|
||||
'recursive' => -1));
|
||||
// print_r($tags);
|
||||
foreach ($tags as $tag) {
|
||||
$old_tag_name = $tag['Tag']['name'];
|
||||
$old_tag_id = $tag['Tag']['id'];
|
||||
$new_tag_name = str_replace($stage.'-', '', $old_tag_name);
|
||||
// print("Changing $old_tag_name to $new_tag_name<br/>");
|
||||
if (in_array($new_tag_name, $cluster_names)) {
|
||||
// valid tag as it exists in the galaxies, add to mapping
|
||||
$mappings[$old_tag_id] = $new_tag_name;
|
||||
} else {
|
||||
// invalid tag, do some more magic
|
||||
// print("Invalid new tag ! $old_tag_name to $new_tag_name<br/>");
|
||||
$old_tag_name_without_quote = rtrim($new_tag_name, '"');
|
||||
$found = false;
|
||||
foreach ($cluster_names as $cluster_name) {
|
||||
// print("Searching for $old_tag_name in $cluster_name<br>");
|
||||
if (strstr($cluster_name, $old_tag_name_without_quote)) {
|
||||
// print("-> FOUND - $old_tag_name - $cluster_name<br/>");
|
||||
$mappings[$old_tag_id] = $cluster_name;
|
||||
$found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!$found) {
|
||||
print("Issue with tag, could not find a substitution, skipping: $old_tag_name<br/>");
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
$full_print_buffer .= "<h2>Mappings</h2>";
|
||||
$full_print_buffer .= "<pre>". print_r($mappings, true) . "</pre>";
|
||||
// now we know which tags (they keys of the mapping) need to be changed
|
||||
// find all events and attributes using these tags and update them with the new version
|
||||
$this->EventTag = Classregistry::init('EventTag');
|
||||
$this->AttributeTag = Classregistry::init('AttributeTag');
|
||||
$this->Event = Classregistry::init('Event');
|
||||
$this->Attribute = Classregistry::init('Attribute');
|
||||
$full_print_buffer .= "<h2>Conversion</h2>";
|
||||
foreach ($mappings as $old_tag_id => $new_tag_name) {
|
||||
$print_buffer = "";
|
||||
$print_buffer .= "$old_tag_id => $new_tag_name<br/>";
|
||||
$changed = False;
|
||||
$new_tag = array(
|
||||
'name' => $new_tag_name,
|
||||
'colour' => '#0088cc');
|
||||
$new_tag_id = $this->captureTag($new_tag, $user);
|
||||
$print_buffer .= " New tag id $new_tag_id<br>";
|
||||
//
|
||||
// Events
|
||||
//
|
||||
$ets = $this->EventTag->find('all', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => array('tag_id' => $old_tag_id),
|
||||
'contain' => array('Event')
|
||||
));
|
||||
foreach ($ets as $et) {
|
||||
$event = $et['Event'];
|
||||
// skip events that are not from this instance or are locked (coming form another MISP)
|
||||
if ($event['locked'] || $event['org_id'] != $event['orgc_id']) {
|
||||
$print_buffer .= " Skipping event ".$event['id']."... not from here<br>";
|
||||
continue;
|
||||
}
|
||||
$changed = True;
|
||||
|
||||
// remove the old EventTag
|
||||
$print_buffer .= " Deleting event_tag ".$et['EventTag']['id']." for event ".$event['id']."<br>";
|
||||
$this->EventTag->softDelete($et['EventTag']['id']);
|
||||
|
||||
// add the new Tag to the event
|
||||
$new_et = array('EventTag' => array(
|
||||
'event_id' => $event['id'],
|
||||
'tag_id' => $new_tag_id
|
||||
));
|
||||
|
||||
// check if the tag is already attached to the event - WARNING if data structures change this might break
|
||||
$exists = $this->EventTag->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => $new_et['EventTag']));
|
||||
if (empty($exists)) {
|
||||
// tag not yet associated with event
|
||||
$print_buffer .= " Saving new tag association: event_id=".$event['id']." tag_id=".$new_tag_id."<br>";
|
||||
$this->EventTag->save($new_et);
|
||||
// increment the Event timestamp and save the event
|
||||
$print_buffer .= " Saving the event with incremented timestamp<br>";
|
||||
$event['timestamp'] += 1;
|
||||
$this->Event->save($event);
|
||||
} else {
|
||||
$print_buffer .= " Not adding new tag as it's already associated to the event: event_id=".$event['id']." tag_id=".$new_tag_id."<br>";
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// Attributes with tags
|
||||
//
|
||||
// find all AttributeTags for this specific tag. We do not load the attribute immediately as it's faster/better to only do this additional lookup when needed. (data we need to change)
|
||||
$ats = $this->AttributeTag->find('all', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => array('tag_id' => $old_tag_id),
|
||||
));
|
||||
foreach ($ats as $at) {
|
||||
// $print_buffer .= " ".print_r($at, true)."<br>";
|
||||
$event = $this->Event->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => array('id' => $at['AttributeTag']['event_id'])
|
||||
))['Event'];
|
||||
// $print_buffer .= "<pre>".print_r($event, true)."</pre>";
|
||||
// skip events that are not from this instance or are locked (coming form another MISP)
|
||||
if ($event['locked'] || $event['org_id'] != $event['orgc_id']) {
|
||||
$print_buffer .= " Skipping attribute for event ".$event['id']."... not from here<br>";
|
||||
continue;
|
||||
}
|
||||
$attribute = $this->Attribute->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => array('id' => $at['AttributeTag']['attribute_id'])
|
||||
))['Attribute'];
|
||||
$changed = True;
|
||||
|
||||
// remove the old AttributeTag
|
||||
$print_buffer .= " Deleting attribute_tag ".$at['AttributeTag']['id']." for attribute ".$attribute['id']." for event ".$event['id']."<br>";
|
||||
$this->AttributeTag->softDelete($at['AttributeTag']['id']);
|
||||
|
||||
// add the new Tag to the event
|
||||
$new_at = array('AttributeTag' => array(
|
||||
'event_id' => $event['id'],
|
||||
'attribute_id' => $attribute['id'],
|
||||
'tag_id' => $new_tag_id
|
||||
));
|
||||
// check if the tag is already attached to the event - WARNING if data structures change this might break
|
||||
$exists = $this->AttributeTag->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => $new_at['AttributeTag']));
|
||||
if (empty($exists)) {
|
||||
// tag not yet associated with attribute
|
||||
$print_buffer .= " Saving new tag association: attribute_id=".$attribute['id']." event_id=".$event['id']." tag_id=".$new_tag_id."<br>";
|
||||
$this->AttributeTag->save($new_at);
|
||||
// increment the Attribute/Event timestamp and save them
|
||||
$print_buffer .= " Saving the attribute/event with incremented timestamp<br>";
|
||||
$attribute['timestamp'] += 1;
|
||||
$this->Attribute->save($attribute);
|
||||
$event['timestamp'] += 1;
|
||||
$this->Event->save($event);
|
||||
} else {
|
||||
$print_buffer .= " Not adding new tag as it's already associated to the attribute: attribute_id=".$attribute['id']." event_id=".$event['id']." tag_id=".$new_tag_id."<br>";
|
||||
}
|
||||
}
|
||||
|
||||
if ($changed) {
|
||||
$full_print_buffer .= $print_buffer;
|
||||
} else {
|
||||
// print("Tag has no 'unlocked' events or attributes: $old_tag_id => $new_tag_name<br/>");
|
||||
// $full_print_buffer .= $print_buffer;
|
||||
}
|
||||
}
|
||||
return $full_print_buffer;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -68,6 +68,10 @@
|
|||
?>
|
||||
|
||||
</dd>
|
||||
<dt><?php echo __('Creation time'); ?></dt>
|
||||
<dd><?php echo h($org['Organisation']['date_created']); ?></dd>
|
||||
<dt><?php echo __('Last modified'); ?></dt>
|
||||
<dd><?php echo h($org['Organisation']['date_modified']); ?></dd>
|
||||
<?php endif;?>
|
||||
<?php
|
||||
$optionalFields = array('sector' => 'Sector', 'nationality' => 'Nationality', 'type' => 'Organisation type', 'contacts' => 'Contact information');
|
||||
|
|
|
@ -1 +1 @@
|
|||
Subproject commit beb0ec8bb7556fdbd2cdb64f9566d5543c56192a
|
||||
Subproject commit f5c7530e0b375cdd1b72a98f532dca731f8a0b80
|
|
@ -817,7 +817,7 @@ class StixBuilder(object):
|
|||
if to_parse:
|
||||
return
|
||||
to_ids, attributes_dict = self.create_file_attributes_dict(misp_object['Attribute'])
|
||||
if 'malware-sample' in attributes_dict:
|
||||
if 'malware-sample' in attributes_dict and isinstance(attributes_dict['malware-sample'], dict):
|
||||
malware_sample = attributes_dict.pop('malware-sample')
|
||||
filename, md5 = malware_sample['value'].split('|')
|
||||
artifact_object = self.create_artifact_object(malware_sample['data'])
|
||||
|
|
|
@ -10,7 +10,7 @@ var edges = new vis.DataSet();
|
|||
var typeaheadDataSearch;
|
||||
var event_last_change = $('#eventgraph_network').data('event-timestamp');
|
||||
var scope_id = $('#eventgraph_network').data('event-id');
|
||||
var user_email = $('#eventgraph_network').data('user-email');
|
||||
var user_email = $('#eventgraph_network').data('user-email');
|
||||
var container = document.getElementById('eventgraph_network');
|
||||
var user_manipulation = $('#eventgraph_network').data('user-manipulation');
|
||||
var is_siteadmin = $('#eventgraph_network').data('is-site-admin');
|
||||
|
@ -111,7 +111,7 @@ class EventGraph {
|
|||
|
||||
for (var event_id in that.extended_event_points) {
|
||||
if (that.extended_event_color_mapping[event_id] === undefined) {
|
||||
eventGraph.extended_event_color_mapping[event_id] = getRandomColor(event_id);
|
||||
eventGraph.extended_event_color_mapping[event_id] = getRandomColor(event_id);
|
||||
}
|
||||
var chosen_color = eventGraph.extended_event_color_mapping[event_id];
|
||||
|
||||
|
@ -1266,7 +1266,7 @@ class EventGraph {
|
|||
eventGraph.nodes.get().forEach(function(nodeD) {
|
||||
var nodeP = nodePositions[nodeD.id];
|
||||
if (nodeP !== undefined && nodeD.group != 'obj_relation') {
|
||||
var temp = {
|
||||
var temp = {
|
||||
id: nodeD.id,
|
||||
x: nodeP.x,
|
||||
y: nodeP.y,
|
||||
|
@ -1284,8 +1284,8 @@ class EventGraph {
|
|||
eventGraph.hiddenNode.forEach(function(node) {
|
||||
hiddenNodeData.push(node.id);
|
||||
});
|
||||
|
||||
var data = {
|
||||
|
||||
var data = {
|
||||
eventId: scope_id,
|
||||
eventLastChange: event_last_change,
|
||||
nodes: nodeData,
|
||||
|
@ -1294,7 +1294,7 @@ class EventGraph {
|
|||
scope: eventGraph.scope_name,
|
||||
keyType: eventGraph.scope_keyType
|
||||
},
|
||||
physics: {
|
||||
physics: {
|
||||
solver: eventGraph.solver,
|
||||
repulsion: parseInt($('#slider_physic_node_repulsion').val()),
|
||||
enabled: $('#checkbox_physics_enable').prop("checked")
|
||||
|
@ -1545,8 +1545,8 @@ class MispInteraction {
|
|||
return;
|
||||
}
|
||||
genericPopup('/objectReferences/add/'+edgeData.from, '#popover_form', function() {
|
||||
$('#targetSelect').val(uuid);
|
||||
$('option[value='+uuid+']').click()
|
||||
$('#ObjectReferenceReferencedUuid').val(uuid);
|
||||
objectReferenceInput();
|
||||
});
|
||||
}
|
||||
|
||||
|
@ -1722,7 +1722,7 @@ class MispInteraction {
|
|||
function drawExtendedEventHull(ctx, nodes, color, text) {
|
||||
ctx.fillStyle = color+'88';
|
||||
var hull = getHullFromPoints(nodes);
|
||||
|
||||
|
||||
var start = hull[0];
|
||||
var end = hull[hull.length-1];
|
||||
var prev = start;
|
||||
|
@ -1738,7 +1738,7 @@ function drawExtendedEventHull(ctx, nodes, color, text) {
|
|||
var centerY = (end.y+start.y)/2;
|
||||
ctx.quadraticCurveTo(centerX,centerY,start.x,start.y);
|
||||
ctx.fill();
|
||||
|
||||
|
||||
var centroid = getCentroid(hull);
|
||||
ctx.beginPath();
|
||||
ctx.font="30px Verdana";
|
||||
|
@ -1768,7 +1768,7 @@ function getHullFromPoints(points) {
|
|||
var q;
|
||||
do {
|
||||
hull.push(points[p]);
|
||||
|
||||
|
||||
q = (p+1) % n;
|
||||
for (var i=0; i<n; i++) {
|
||||
if (orientation(points[p], points[i], points[q]) == 2) {
|
||||
|
|
|
@ -45,8 +45,8 @@ function fetchAddSightingForm(type, attribute_id, page, onvalue) {
|
|||
function flexibleAddSighting(clicked, type, attribute_id, event_id, value, page, placement) {
|
||||
$clicked = $(clicked);
|
||||
var html = '<div>'
|
||||
+ '<button class="btn btn-primary" onclick="addSighting(\'' + type + '\', \'' + attribute_id + '\', \'' + event_id + '\', \'' + page + '\')">'+'id'+'</button>'
|
||||
+ '<button class="btn btn-primary" style="margin-left:5px;" onclick="fetchAddSightingForm(\'' + type + '\', \'' + attribute_id + '\', \'' + page + '\', true)">' + value + '</button>'
|
||||
+ '<button class="btn btn-primary" onclick="addSighting(\'' + type + '\', \'' + attribute_id + '\', \'' + event_id + '\', \'' + page + '\')">This attribute</button>'
|
||||
+ '<button class="btn btn-primary" style="margin-left:5px;" onclick="fetchAddSightingForm(\'' + type + '\', \'' + attribute_id + '\', \'' + page + '\', true)">Global value</button>'
|
||||
+ '</div>';
|
||||
openPopover(clicked, html, true, placement);
|
||||
}
|
||||
|
|
|
@ -101,16 +101,6 @@ sudo a2enmod ssl rewrite
|
|||
sudo a2dissite 000-default
|
||||
sudo a2ensite default-ssl
|
||||
sudo a2enmod headers
|
||||
|
||||
# Switch to python3 by default (optional)
|
||||
|
||||
sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
|
||||
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.5 2
|
||||
```
|
||||
|
||||
To flip between the 2 pythons use *update-alternatives*
|
||||
```bash
|
||||
sudo update-alternatives --config python
|
||||
```
|
||||
|
||||
#### Apply all changes
|
||||
|
|
|
@ -8,7 +8,7 @@ This has been tested by @SteveClement on 20190115
|
|||
|
||||
To install MISP on Kali copy paste this in your r00t shell:
|
||||
```bash
|
||||
wget -O /tmp/misp-kali.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.kali.txt && bash /tmp/misp-kali.sh
|
||||
wget -O /tmp/misp-kali.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.debian.sh && bash /tmp/misp-kali.sh
|
||||
```
|
||||
|
||||
!!! notice
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
## 0/ Overview and Assumptions
|
||||
|
||||
{!generic/community.md!}
|
||||
{!generic/rhelVScentos.md!}
|
||||
|
||||
!!! warning
|
||||
The core MISP team cannot verify if this guide is working or not. Please help us in keeping it up to date and accurate.
|
||||
|
|
|
@ -159,8 +159,8 @@ cd ${PATH_TO_MISP}/PyMISP
|
|||
sudo -H -u www-data ${PATH_TO_MISP}/venv/bin/pip install .
|
||||
|
||||
# Install Crypt_GPG and Console_CommandLine
|
||||
sudo -H -u www-data pear install ${PATH_TO_MISP}/INSTALL/dependencies/Console_CommandLine/package.xml
|
||||
sudo -H -u www-data pear install ${PATH_TO_MISP}/INSTALL/dependencies/Crypt_GPG/package.xml
|
||||
sudo pear install ${PATH_TO_MISP}/INSTALL/dependencies/Console_CommandLine/package.xml
|
||||
sudo pear install ${PATH_TO_MISP}/INSTALL/dependencies/Crypt_GPG/package.xml
|
||||
```
|
||||
|
||||
### 4/ CakePHP
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
# Let's encrypt SSL with stock MISP install
|
||||
|
||||
This will explain how to enable [letsencrypt]*(https://letsencrypt.org/) on a stock Ubuntu/Debian MISP install.
|
|
@ -57,6 +57,7 @@ sudo $RUN_PHP "$CAKE Admin setSetting "MISP.disable_emailing" true"
|
|||
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.contact" "info@admin.test""
|
||||
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.disablerestalert" true"
|
||||
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true"
|
||||
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.default_event_tag_collection" 0"
|
||||
|
||||
# Provisional Cortex tunes
|
||||
sudo $RUN_PHP "$CAKE Admin setSetting "Plugin.Cortex_services_enable" false"
|
||||
|
@ -108,7 +109,7 @@ sudo $RUN_PHP "$CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40"
|
|||
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.extended_alert_subject" false"
|
||||
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.default_event_threat_level" 4"
|
||||
|
||||
##sudo $RUN_PHP "$CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team""
|
||||
##sudo $RUN_PHP '$CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"'
|
||||
##sudo $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team""
|
||||
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.enableEventBlacklisting" true"
|
||||
sudo $RUN_PHP "$CAKE Admin setSetting "MISP.enableOrgBlacklisting" true"
|
||||
|
@ -134,22 +135,23 @@ sudo $RUN_PHP "$CAKE Admin setSetting "Session.timeout" 600"
|
|||
sudo $RUN_PHP "$CAKE Admin setSetting "Session.cookie_timeout" 3600"
|
||||
|
||||
# Update the galaxies…
|
||||
sudo $RUN_PHP "$CAKE Admin updateGalaxies"
|
||||
##sudo $RUN_PHP "$CAKE Admin updateGalaxies"
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/galaxies/update
|
||||
|
||||
# Updating the taxonomies…
|
||||
sudo $RUN_PHP "$CAKE Admin updateTaxonomies"
|
||||
|
||||
# Updating the warning lists…
|
||||
##sudo $RUN_PHP "$CAKE Admin updateWarningLists"
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST http://127.0.0.1/warninglists/update
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/warninglists/update
|
||||
|
||||
# Updating the notice lists…
|
||||
## sudo $RUN_PHP "$CAKE Admin updateNoticeLists"
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST http://127.0.0.1/noticelists/update
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update
|
||||
|
||||
# Updating the object templates…
|
||||
##sudo $RUN_PHP "$CAKE Admin updateObjectTemplates"
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST http://127.0.0.1/objectTemplates/update
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update
|
||||
|
||||
# Set MISP Live
|
||||
sudo $RUN_PHP "$CAKE Live $MISP_LIVE"
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
#### Make some misp-modules available
|
||||
|
||||
```bash
|
||||
sudo -H -u www-data $CAKE Admin setSetting "Plugin.Enrichment_asn_history_enabled" true
|
||||
sudo -H -u www-data $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
|
||||
sudo -H -u www-data $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
|
||||
```
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
!!! notice
|
||||
There are technically only minor differences between CentOS and RHEL.<br />
|
||||
For more information on what might differ, [this StackExchange](https://unix.stackexchange.com/questions/27323/is-centos-exactly-the-same-as-rhel) question might answer some questions.
|
|
@ -4,6 +4,10 @@
|
|||
### 0/ MISP CentOS 6 Minimal NetInstall - Status
|
||||
--------------------------------------------
|
||||
|
||||
{!generic/community.md!}
|
||||
|
||||
{!generic/rhelVScentos.md!}
|
||||
|
||||
!!! notice
|
||||
Semi-maintained and tested by @SteveClement, CentOS 6.10 on 20181025<br />
|
||||
It is still considered experimental as not everything works seemlessly.
|
||||
|
|
|
@ -4,6 +4,10 @@
|
|||
### 0/ MISP CentOS 7 Minimal NetInstall - Status
|
||||
--------------------------------------------
|
||||
|
||||
{!generic/community.md!}
|
||||
|
||||
{!generic/rhelVScentos.md!}
|
||||
|
||||
!!! notice
|
||||
Semi-maintained and tested by @SteveClement, CentOS 7.5-1804 on 20181113<br />
|
||||
It is still considered experimental as not everything works seemlessly.
|
||||
|
@ -55,7 +59,13 @@ sudo yum install centos-release-scl -y
|
|||
sudo yum install vim -y
|
||||
|
||||
# Install the dependencies:
|
||||
sudo yum install gcc git httpd zip redis mariadb mariadb-server python-devel python-pip python-zmq libxslt-devel zlib-devel ssdeep-devel -y
|
||||
sudo yum install gcc git zip \
|
||||
httpd \
|
||||
mod_ssl \
|
||||
redis \
|
||||
mariadb mariadb-server \
|
||||
python-devel python-pip python-zmq \
|
||||
libxslt-devel zlib-devel ssdeep-devel -y
|
||||
|
||||
# Install PHP 7.1 from SCL, see https://www.softwarecollections.org/en/scls/rhscl/rh-php71/
|
||||
sudo yum install rh-php71 rh-php71-php-fpm rh-php71-php-devel rh-php71-php-mysqlnd rh-php71-php-mbstring rh-php71-php-xml rh-php71-php-bcmath rh-php71-php-opcache -y
|
||||
|
@ -64,13 +74,8 @@ sudo yum install rh-php71 rh-php71-php-fpm rh-php71-php-devel rh-php71-php-mysql
|
|||
# https://www.softwarecollections.org/en/scls/rhscl/rh-python36/
|
||||
sudo yum install rh-python36 -y
|
||||
|
||||
# rh-php71-php only provided mod_ssl mod_php for httpd24-httpd from SCL
|
||||
# if we want to use httpd from CentOS base we can use rh-php71-php-fpm instead
|
||||
sudo systemctl enable rh-php71-php-fpm.service
|
||||
sudo systemctl start rh-php71-php-fpm.service
|
||||
|
||||
sudo $RUN_PHP "pear channel-update pear.php.net"
|
||||
sudo $RUN_PHP "pear install Crypt_GPG" # we need version >1.3.0
|
||||
```
|
||||
|
||||
!!! notice
|
||||
|
@ -97,7 +102,7 @@ sudo chown apache:apache $PATH_TO_MISP
|
|||
cd /var/www
|
||||
sudo -u apache git clone https://github.com/MISP/MISP.git
|
||||
cd $PATH_TO_MISP
|
||||
sudo -u apache git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
|
||||
##sudo -u apache git checkout tags/$(git describe --tags `git rev-list --tags --max-count=1`)
|
||||
# if the last shortcut doesn't work, specify the latest version manually
|
||||
# example: git checkout tags/v2.4.XY
|
||||
# the message regarding a "detached HEAD state" is expected behaviour
|
||||
|
@ -108,6 +113,10 @@ sudo -u apache git submodule update --init --recursive
|
|||
# Make git ignore filesystem permission differences for submodules
|
||||
sudo -u apache git submodule foreach --recursive git config core.filemode false
|
||||
|
||||
# Install packaged pears
|
||||
sudo $RUN_PHP "pear install ${PATH_TO_MISP}/INSTALL/dependencies/Console_CommandLine/package.xml"
|
||||
sudo $RUN_PHP "pear install ${PATH_TO_MISP}/INSTALL/dependencies/Crypt_GPG/package.xml"
|
||||
|
||||
# Create a python3 virtualenv
|
||||
sudo -u apache $RUN_PYTHON "virtualenv -p python3 $PATH_TO_MISP/venv"
|
||||
sudo mkdir /usr/share/httpd/.cache
|
||||
|
@ -174,7 +183,9 @@ sudo -u apache $RUN_PHP "php composer.phar require kamisama/cake-resque:4.1.2"
|
|||
sudo -u apache $RUN_PHP "php composer.phar config vendor-dir Vendor"
|
||||
sudo -u apache $RUN_PHP "php composer.phar install"
|
||||
|
||||
# CakeResque normally uses phpredis to connect to redis, but it has a (buggy) fallback connector through Redisent. It is highly advised to install phpredis using "yum install php-redis"
|
||||
# CakeResque normally uses phpredis to connect to redis, but it has a (buggy)
|
||||
# fallback connector through Redisent.
|
||||
# It is highly advised to install phpredis using "yum install php-redis"
|
||||
sudo $RUN_PHP "pecl install redis"
|
||||
echo "extension=redis.so" |sudo tee /etc/opt/rh/rh-php71/php-fpm.d/redis.ini
|
||||
sudo ln -s ../php-fpm.d/redis.ini /etc/opt/rh/rh-php71/php.d/99-redis.ini
|
||||
|
@ -207,9 +218,11 @@ sudo chown -R root:apache /var/www/MISP
|
|||
sudo find /var/www/MISP -type d -exec chmod g=rx {} \;
|
||||
sudo chmod -R g+r,o= /var/www/MISP
|
||||
sudo chmod -R 750 /var/www/MISP
|
||||
sudo chmod -R g+ws /var/www/MISP/app/tmp
|
||||
sudo chmod -R g+xws /var/www/MISP/app/tmp
|
||||
sudo chmod -R g+ws /var/www/MISP/app/files
|
||||
sudo chmod -R g+ws /var/www/MISP/app/files/scripts/tmp
|
||||
sudo chmod -R g+rw /var/www/MISP/venv
|
||||
sudo chmod -R g+rw /var/www/MISP/.git
|
||||
sudo chown apache:apache /var/www/MISP/app/files
|
||||
sudo chown apache:apache /var/www/MISP/app/files/terms
|
||||
sudo chown apache:apache /var/www/MISP/app/files/scripts/tmp
|
||||
|
@ -263,8 +276,11 @@ sudo yum remove tcl expect -y
|
|||
echo [mysqld] |sudo tee /etc/my.cnf.d/bind-address.cnf
|
||||
echo bind-address=127.0.0.1 |sudo tee -a /etc/my.cnf.d/bind-address.cnf
|
||||
sudo systemctl restart mariadb.service
|
||||
```
|
||||
|
||||
|
||||
#### Manual procedure:
|
||||
```bash
|
||||
# Enter the mysql shell
|
||||
mysql -u root -p
|
||||
```
|
||||
|
@ -276,8 +292,7 @@ MariaDB [(none)]> grant all privileges on misp.* to misp@localhost ;
|
|||
MariaDB [(none)]> exit
|
||||
```
|
||||
|
||||
#### copy/paste:
|
||||
|
||||
#### Same as Manual but for copy/paste foo:
|
||||
```bash
|
||||
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;"
|
||||
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';"
|
||||
|
@ -310,6 +325,21 @@ sudo -u apache cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DB
|
|||
# A sample vhost can be found in /var/www/MISP/INSTALL/apache.misp.centos7
|
||||
|
||||
sudo cp /var/www/MISP/INSTALL/apache.misp.centos7.ssl /etc/httpd/conf.d/misp.ssl.conf
|
||||
sudo rm /etc/httpd/conf.d/ssl.conf
|
||||
sudo chmod 644 /etc/httpd/conf.d/misp.ssl.conf
|
||||
sudo sed -i '/Listen 80/a Listen 443' /etc/httpd/conf/httpd.conf
|
||||
echo $OPENSSL_CN
|
||||
sudo systemctl start httpd.service
|
||||
sudo openssl dhparam -out /etc/pki/tls/certs/dhparam.pem 4096
|
||||
sudo openssl genrsa -des3 -passout pass:x -out /tmp/misp.local.key 4096
|
||||
sudo openssl rsa -passin pass:x -in /tmp/misp.local.key -out /etc/pki/tls/certs/misp.local.key
|
||||
sudo rm /tmp/misp.local.key
|
||||
sudo openssl req -new -subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" -key /etc/pki/tls/certs/misp.local.key -out /etc/pki/tls/certs/misp.local.csr
|
||||
sudo openssl x509 -req -days 365 -in /etc/pki/tls/certs/misp.local.csr -signkey /etc/pki/tls/private/misp.local.key -out /etc/pki/tls/certs/misp.local.crt
|
||||
sudo ln -s /etc/pki/tls/certs/misp.local.csr /etc/pki/tls/certs/misp-chain.crt
|
||||
cat /etc/pki/tls/certs/dhparam.pem |sudo tee -a /etc/pki/tls/certs/misp.local.crt
|
||||
|
||||
sudo systemctl restart httpd.service
|
||||
|
||||
# If a valid SSL certificate is not already created for the server, create a self-signed certificate:
|
||||
sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
|
||||
|
@ -323,7 +353,9 @@ sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/terms
|
|||
sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/scripts/tmp
|
||||
sudo chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Plugin/CakeResque/tmp
|
||||
sudo chcon -R -t usr_t /var/www/MISP/venv
|
||||
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/.git
|
||||
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp
|
||||
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/Config
|
||||
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp/logs
|
||||
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs
|
||||
sudo chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom
|
||||
|
@ -482,17 +514,17 @@ sudo yum install -y openjpeg-devel
|
|||
sudo chmod 2777 /usr/local/src
|
||||
sudo chown root:users /usr/local/src
|
||||
cd /usr/local/src/
|
||||
git clone https://github.com/MISP/misp-modules.git
|
||||
sudo -u apache git clone https://github.com/MISP/misp-modules.git
|
||||
cd misp-modules
|
||||
# pip install
|
||||
sudo -u apache $PATH_TO_MISP/venv/bin/pip install -I -r REQUIREMENTS
|
||||
sudo -u apache $PATH_TO_MISP/venv/bin/pip install .
|
||||
sudo -H -u apache $PATH_TO_MISP/venv/bin/pip install -I -r REQUIREMENTS
|
||||
sudo -H -u apache $PATH_TO_MISP/venv/bin/pip install .
|
||||
sudo yum install rubygem-rouge rubygem-asciidoctor -y
|
||||
##sudo gem install asciidoctor-pdf --pre
|
||||
|
||||
# install additional dependencies for extended object generation and extraction
|
||||
sudo -u apache ${PATH_TO_MISP}/venv/bin/pip install maec lief python-magic pathlib
|
||||
sudo -u apache ${PATH_TO_MISP}/venv/bin/pip install git+https://github.com/kbandla/pydeep.git
|
||||
sudo -H -u apache ${PATH_TO_MISP}/venv/bin/pip install maec lief python-magic pathlib
|
||||
sudo -H -u apache ${PATH_TO_MISP}/venv/bin/pip install git+https://github.com/kbandla/pydeep.git
|
||||
|
||||
# Start misp-modules
|
||||
sudo -u apache ${PATH_TO_MISP}/venv/bin/misp-modules -l 0.0.0.0 -s &
|
||||
|
|
|
@ -107,15 +107,6 @@ sudo a2enmod ssl rewrite
|
|||
sudo a2dissite 000-default
|
||||
sudo a2ensite default-ssl
|
||||
|
||||
# Switch to python3 by default (optional)
|
||||
|
||||
sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
|
||||
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.6 2
|
||||
```
|
||||
|
||||
To flip between the 2 pythons use *update-alternatives*
|
||||
```bash
|
||||
sudo update-alternatives --config python
|
||||
```
|
||||
|
||||
#### Apply all changes
|
||||
|
|
|
@ -5,6 +5,8 @@
|
|||
|
||||
{!generic/community.md!}
|
||||
|
||||
{!generic/rhelVScentos.md!}
|
||||
|
||||
!!! warning
|
||||
The core MISP team cannot verify if this guide is working or not. Please help us in keeping it up to date and accurate.
|
||||
Thus we also have difficulties in supporting RHEL issues but will do a best effort on a similar yet slightly different setup.
|
||||
|
|
Loading…
Reference in New Issue