mirror of https://github.com/MISP/MISP
Merge remote-tracking branch 'upstream/2.4' into sharingGraph
commit
225c34ef0b
|
@ -339,10 +339,6 @@ doas openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
|
|||
-subj "/C=<Country>/ST=<State>/L=<Locality>/O=<Organization>/OU=<Organizational Unit Name>/CN=<QDN.here>/emailAddress=admin@<your.FQDN.here>" \
|
||||
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
|
||||
|
||||
doas openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
|
||||
-subj "/C=LU/ST=Lxu/L=Lux/O=Test/CN=192.168.99.50/emailAddress=admin@admin.test" \
|
||||
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
|
||||
|
||||
# Otherwise, copy the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to /etc/ssl/private/. (Modify path and config to fit your environment)
|
||||
|
||||
doas mkdir /var/log/apache2/
|
||||
|
@ -505,4 +501,4 @@ Optional features
|
|||
# ZeroMQ depends on the Python client for Redis
|
||||
```
|
||||
doas pkg_add -v py3-zmq
|
||||
```
|
||||
```
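Review bot: The new example certificate command puts the host identity only in the CN (`CN=192.168.99.50`), and current browsers ignore CN entirely and match on subjectAltName, so a cert generated this way will still be rejected for the IP it is meant to serve. Since the hunk drops the placeholder form and leaves this literal example as the only invocation, an operator copying it also inherits `O=Test` and `admin@admin.test` in a long-lived (3650 days) cert. Consider adding a SAN, e.g. `-addext "subjectAltName=IP:192.168.99.50"` (if the OpenBSD libressl in use accepts `-addext`; otherwise via an openssl config file), and a comment such as `# Example values only: replace the CN/SAN, O and email with your own before use`. The `-nodes` key is written unencrypted, so the existing `/etc/ssl/private` root-only ownership is what protects it; worth stating in the guide.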
|
||||
|
|
|
@ -10,6 +10,10 @@ Some configurables used below:
|
|||
|
||||
```
|
||||
# MISP configuration variables
|
||||
PATH_TO_MISP='/var/www/MISP'
|
||||
CAKE="$PATH_TO_MISP/app/Console/cake"
|
||||
MISP_BASEURL=''
|
||||
MISP_LIVE='1'
|
||||
|
||||
# Database configuration
|
||||
DBHOST='localhost'
|
||||
|
@ -20,23 +24,20 @@ DBUSER_MISP='misp'
|
|||
DBPASSWORD_MISP="$(openssl rand -hex 32)"
|
||||
|
||||
# Webserver configuration
|
||||
PATH_TO_MISP='/var/www/MISP'
|
||||
MISP_BASEURL=''
|
||||
MISP_LIVE='1'
|
||||
FQDN='localhost'
|
||||
|
||||
# OpenSSL configuration
|
||||
OPENSSL_CN='Common Name'
|
||||
OPENSSL_C='LU'
|
||||
OPENSSL_ST='State'
|
||||
OPENSSL_L='Location'
|
||||
OPENSSL_O='Organization'
|
||||
OPENSSL_OU='Organizational Unit'
|
||||
OPENSSL_CN='Common Name'
|
||||
OPENSSL_EMAILADDRESS='info@localhost'
|
||||
|
||||
# GPG configuration
|
||||
GPG_REAL_NAME='Autogenerated Key'
|
||||
GPG_COMMENT='WARNING: MISP AutoGenerated VM consider this Key VOID!'
|
||||
GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
|
||||
GPG_EMAIL_ADDRESS='admin@admin.test'
|
||||
GPG_KEY_LENGTH='2048'
|
||||
GPG_PASSPHRASE='Password1234'
|
||||
|
@ -47,6 +48,9 @@ post_max_size=50M
|
|||
max_execution_time=300
|
||||
memory_limit=512M
|
||||
PHP_INI=/etc/php/7.0/apache2/php.ini
|
||||
|
||||
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
|
||||
echo "User (misp) DB Password: $DBPASSWORD_MISP"
|
||||
```
|
||||
|
||||
1/ Minimal Debian install
|
||||
|
@ -103,6 +107,11 @@ libapache2-mod-php7.0 php7.0 php7.0-cli php7.0-dev php7.0-json php7.0-xml php7.0
|
|||
python3-dev python3-pip libpq5 libjpeg-dev libfuzzy-dev ruby asciidoctor \
|
||||
libxml2-dev libxslt1-dev zlib1g-dev python3-setuptools
|
||||
|
||||
# Start rng-tools to get more entropy (optional)
|
||||
# If you get TPM errors, enable "Security chip" in BIOS (keep secure boot disabled)
|
||||
sudo apt install rng-tools
|
||||
sudo service rng-tools start
|
||||
|
||||
# Secure the MariaDB installation (especially by setting a strong root password)
|
||||
sudo mysql_secure_installation
|
||||
|
||||
|
@ -324,10 +333,10 @@ class DATABASE_CONFIG {
|
|||
sudo chown -R www-data:www-data $PATH_TO_MISP/app/Config
|
||||
sudo chmod -R 750 $PATH_TO_MISP/app/Config
|
||||
# Set some MISP directives with the command line tool
|
||||
sudo $PATH_TO_MISP/app/Console/cake Live $MISP_LIVE
|
||||
sudo $CAKE Live $MISP_LIVE
|
||||
|
||||
# Change base url
|
||||
sudo $PATH_TO_MISP/app/Console/cake Baseurl $MISP_BASEURL
|
||||
sudo $CAKE Baseurl $MISP_BASEURL
|
||||
|
||||
# example: 'baseurl' => 'https://<your.FQDN.here>',
|
||||
# alternatively, you can leave this field empty if you would like to use relative pathing in MISP
|
||||
|
@ -358,7 +367,7 @@ sudo -u www-data gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-k
|
|||
# The email address should match the one set in the config.php / set in the configuration menu in the administration menu configuration file
|
||||
|
||||
# And export the public key to the webroot
|
||||
sudo -u www-data sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS > $PATH_TO_MISP/MISP/app/webroot/gpg.asc"
|
||||
sudo -u www-data sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS" | sudo -u www-data tee $PATH_TO_MISP/app/webroot/gpg.asc
|
||||
|
||||
# To make the background workers start on boot
|
||||
sudo chmod +x $PATH_TO_MISP/app/Console/worker/start.sh
|
||||
|
@ -370,77 +379,127 @@ then
|
|||
fi
|
||||
|
||||
# Initialize user and fetch Auth Key
|
||||
sudo -E $PATH_TO_MISP/app/Console/cake userInit -q
|
||||
sudo -E $CAKE userInit -q
|
||||
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
|
||||
|
||||
# Setup some more MISP default via cake CLI
|
||||
|
||||
# Tune global time outs
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Session.autoRegenerate" 0
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Session.timeout" 600
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Session.cookie_timeout" 3600
|
||||
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
|
||||
sudo $CAKE Admin setSetting "Session.timeout" 600
|
||||
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
|
||||
|
||||
# Enable GnuPG
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "GnuPG.email" "admin@admin.test"
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "GnuPG.homedir" "/var/www/MISP/.gnupg"
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "GnuPG.password" "Password1234"
|
||||
sudo $CAKE Admin setSetting "GnuPG.email" "admin@admin.test"
|
||||
sudo $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
|
||||
sudo $CAKE Admin setSetting "GnuPG.password" "Password1234"
|
||||
|
||||
# Enable Enrichment set better timeouts
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_timeout" 300
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_timeout" 150
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_cve_enabled" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_dns_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
|
||||
|
||||
# Enable Import modules set better timout
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_timeout" 300
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_ocr_enabled" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_csvimport_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_services_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_services_port" 6666
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_timeout" 300
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
|
||||
|
||||
# Enable Export modules set better timout
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Export_timeout" 300
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Export_pdfexport_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Export_services_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.Export_services_port" 6666
|
||||
sudo $CAKE Admin setSetting "Plugin.Export_timeout" 300
|
||||
sudo $CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
|
||||
|
||||
# Enable installer org and tune some configurables
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.host_org_id" 1
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.email" "info@admin.test"
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.disable_emailing" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.contact" "info@admin.test"
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.disablerestalert" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.showCorrelationsOnIndex" true
|
||||
sudo $CAKE Admin setSetting "MISP.host_org_id" 1
|
||||
sudo $CAKE Admin setSetting "MISP.email" "info@admin.test"
|
||||
sudo $CAKE Admin setSetting "MISP.disable_emailing" true
|
||||
sudo $CAKE Admin setSetting "MISP.contact" "info@admin.test"
|
||||
sudo $CAKE Admin setSetting "MISP.disablerestalert" true
|
||||
sudo $CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true
|
||||
|
||||
# Provisional Cortex tunes
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_enable" false
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_timeout" 120
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_authkey" ""
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true
|
||||
|
||||
# Various plugin sightings settings
|
||||
sudo $CAKE Admin setSetting "Plugin.Sightings_policy" 0
|
||||
sudo $CAKE Admin setSetting "Plugin.Sightings_anonymise" false
|
||||
sudo $CAKE Admin setSetting "Plugin.Sightings_range" 365
|
||||
|
||||
# Plugin CustomAuth tuneable
|
||||
sudo $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
|
||||
|
||||
# RPZ Plugin settings
|
||||
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_policy" "DROP"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_refresh" "2h"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_retry" "30m"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_expiry" "30d"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_ttl" "1w"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_ns" "localhost."
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_ns_alt" ""
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost"
|
||||
|
||||
# Force defaults to make MISP Server Settings less RED
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.language" "eng"
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.proposals_block_attributes" false
|
||||
sudo $CAKE Admin setSetting "MISP.language" "eng"
|
||||
sudo $CAKE Admin setSetting "MISP.proposals_block_attributes" false
|
||||
|
||||
## Redis block
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_host" "127.0.0.1"
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_port" 6379
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_database" 13
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_password" ""
|
||||
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false
|
||||
|
||||
sudo $CAKE Admin setSetting "MISP.redis_host" "127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "MISP.redis_port" 6379
|
||||
sudo $CAKE Admin setSetting "MISP.redis_database" 13
|
||||
sudo $CAKE Admin setSetting "MISP.redis_password" ""
|
||||
|
||||
# Force defaults to make MISP Server Settings less YELLOW
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.ssdeep_correlation_threshold" 40
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.extended_alert_subject" false
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.default_event_threat_level" 4
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.enableEventBlacklisting" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.enableOrgBlacklisting" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.log_client_ip" false
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.log_auth" false
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.disableUserSelfManagement" false
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_event_alert" false
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert" false
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert_age" ""
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.incoming_tags_disabled_by_default" false
|
||||
sudo $CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40
|
||||
sudo $CAKE Admin setSetting "MISP.extended_alert_subject" false
|
||||
sudo $CAKE Admin setSetting "MISP.default_event_threat_level" 4
|
||||
sudo $CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
|
||||
sudo $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
|
||||
sudo $CAKE Admin setSetting "MISP.enableEventBlacklisting" true
|
||||
sudo $CAKE Admin setSetting "MISP.enableOrgBlacklisting" true
|
||||
sudo $CAKE Admin setSetting "MISP.log_client_ip" false
|
||||
sudo $CAKE Admin setSetting "MISP.log_auth" false
|
||||
sudo $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
|
||||
sudo $CAKE Admin setSetting "MISP.block_event_alert" false
|
||||
sudo $CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
|
||||
sudo $CAKE Admin setSetting "MISP.block_old_event_alert" false
|
||||
sudo $CAKE Admin setSetting "MISP.block_old_event_alert_age" ""
|
||||
sudo $CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false
|
||||
sudo $CAKE Admin setSetting "MISP.footermidleft" "This is an initial install"
|
||||
sudo $CAKE Admin setSetting "MISP.footermidright" "Please configure and harden accordingly"
|
||||
sudo $CAKE Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure"
|
||||
sudo $CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP, change this message in MISP Settings"
|
||||
|
||||
# Force defaults to make MISP Server Settings less GREEN
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Security.password_policy_length" 12
|
||||
sudo $CAKE Admin setSetting "Security.password_policy_length" 12
|
||||
sudo $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
|
||||
# Tune global time outs
|
||||
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
|
||||
sudo $CAKE Admin setSetting "Session.timeout" 600
|
||||
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
|
||||
|
||||
# Now log in using the webinterface:
|
||||
# The default user/pass = admin@admin.test/admin
|
||||
|
@ -452,21 +511,23 @@ sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Security.password_policy_l
|
|||
# Don't forget to change the email, password and authentication key after installation.
|
||||
|
||||
# Set MISP Live
|
||||
sudo $PATH_TO_MISP/app/Console/cake Live $MISP_LIVE
|
||||
sudo $CAKE Live $MISP_LIVE
|
||||
|
||||
# Update the galaxies…
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin updateGalaxies
|
||||
sudo $CAKE Admin updateGalaxies
|
||||
|
||||
# Updating the taxonomies…
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/taxonomies/update
|
||||
sudo $CAKE Admin updateTaxonomies
|
||||
|
||||
# Updating the warning lists…
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/warninglists/update
|
||||
sudo $CAKE Admin updateWarningLists
|
||||
|
||||
# Updating the notice lists…
|
||||
## sudo $CAKE Admin updateNoticeLists
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update
|
||||
|
||||
# Updating the object templates…
|
||||
##sudo $CAKE Admin updateObjectTemplates
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update
|
||||
|
||||
# Add the following lines before the last line (exit 0). Make sure that you replace www-data with your apache user:
|
||||
|
@ -508,6 +569,9 @@ sudo chown -R www-data:www-data $PATH_TO_MISP/<directory path with an indicated
|
|||
# $PATH_TO_MISP/app/tmp/logs/resque-scheduler-error.log
|
||||
# $PATH_TO_MISP/app/tmp/logs/resque-2015-01-01.log // where the actual date is the current date
|
||||
|
||||
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
|
||||
echo "User (misp) DB Password: $DBPASSWORD_MISP"
|
||||
|
||||
|
||||
Recommended actions
|
||||
-------------------
|
||||
|
@ -527,12 +591,6 @@ Optional features
|
|||
# ZeroMQ depends on the Python client for Redis
|
||||
sudo pip3 install redis
|
||||
|
||||
# Debian has an ancient version of ZeroMQ, so manually install a current version
|
||||
|
||||
## Install ZeroMQ and prerequisites
|
||||
sudo apt-get install pkg-config
|
||||
cd /usr/local/src/
|
||||
|
||||
## install pyzmq
|
||||
sudo pip3 install pyzmq
|
||||
|
||||
|
@ -592,21 +650,27 @@ sudo a2ensite misp-dashboard
|
|||
|
||||
|
||||
# Enable ZeroMQ for misp-dashboard
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost"
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq"
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false
|
||||
|
||||
|
||||
Install viper framework
|
||||
-----------------------
|
||||
|
||||
/!\ Has libyara issues
|
||||
|
||||
cd /usr/local/src/
|
||||
sudo apt-get install -y libssl-dev swig python3-ssdeep p7zip-full unrar-free sqlite python3-pyclamd exiftool radare2
|
||||
sudo pip3 install SQLAlchemy PrettyTable python-magic
|
||||
|
@ -615,6 +679,7 @@ cd viper
|
|||
sudo git submodule init
|
||||
sudo git submodule update
|
||||
sudo pip3 install -r requirements.txt
|
||||
sudo pip3 uninstall yara -y
|
||||
/usr/local/src/viper/viper-cli -h
|
||||
/usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &
|
||||
echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/src/viper"' |sudo tee /etc/environment
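Review bot: In the large settings hunk the GnuPG passphrase and address are still hard-coded, `"GnuPG.password" "Password1234"` and `"GnuPG.email" "admin@admin.test"`, even though the same file now defines `GPG_PASSPHRASE` and `GPG_EMAIL_ADDRESS` and uses them to generate the key; an operator who changes the variables gets a MISP that cannot unlock its own signing key. Use the variables: `sudo $CAKE Admin setSetting "GnuPG.email" "$GPG_EMAIL_ADDRESS"` and `sudo $CAKE Admin setSetting "GnuPG.password" "$GPG_PASSPHRASE"`, and note in a comment that the setting stores the passphrase in config.php. The same hunk adds `Plugin.Cortex_ssl_verify_peer false`, `Plugin.Cortex_ssl_verify_host false` and `Plugin.Cortex_ssl_allow_self_signed true`; Cortex is disabled here, but these defaults persist when it is later enabled against a remote URL, so a comment like `# TLS verification is disabled for a local test Cortex only; re-enable before pointing at a remote instance` would help. The Session timeout block also appears twice in this hunk (near the start and again after the password policy), which looks like a merge leftover.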
|
||||
|
|
|
@ -12,6 +12,10 @@ Some configurables used below:
|
|||
|
||||
```
|
||||
# MISP configuration variables
|
||||
PATH_TO_MISP='/var/www/MISP'
|
||||
CAKE="$PATH_TO_MISP/app/Console/cake"
|
||||
MISP_BASEURL=''
|
||||
MISP_LIVE='1'
|
||||
|
||||
# Database configuration
|
||||
DBHOST='localhost'
|
||||
|
@ -22,18 +26,15 @@ DBUSER_MISP='misp'
|
|||
DBPASSWORD_MISP="$(openssl rand -hex 32)"
|
||||
|
||||
# Webserver configuration
|
||||
PATH_TO_MISP='/var/www/MISP'
|
||||
MISP_BASEURL=''
|
||||
MISP_LIVE='1'
|
||||
FQDN='localhost'
|
||||
|
||||
# OpenSSL configuration
|
||||
OPENSSL_CN='Common Name'
|
||||
OPENSSL_C='LU'
|
||||
OPENSSL_ST='State'
|
||||
OPENSSL_L='Location'
|
||||
OPENSSL_O='Organization'
|
||||
OPENSSL_OU='Organizational Unit'
|
||||
OPENSSL_CN='Common Name'
|
||||
OPENSSL_EMAILADDRESS='info@localhost'
|
||||
|
||||
# GPG configuration
|
||||
|
@ -49,6 +50,9 @@ post_max_size=50M
|
|||
max_execution_time=300
|
||||
memory_limit=512M
|
||||
PHP_INI=/etc/php/7.2/apache2/php.ini
|
||||
|
||||
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
|
||||
echo "User (misp) DB Password: $DBPASSWORD_MISP"
|
||||
```
|
||||
|
||||
1/ Minimal Debian install
|
||||
|
@ -102,6 +106,11 @@ libapache2-mod-php7.2 php7.2 php7.2-cli php7.2-mbstring php-pear php7.2-dev php
|
|||
python3-dev python3-pip libpq5 libjpeg-dev libfuzzy-dev ruby asciidoctor \
|
||||
libxml2-dev libxslt1-dev zlib1g-dev python3-setuptools
|
||||
|
||||
# Start rng-tools to get more entropy (optional)
|
||||
# If you get TPM errors, enable "Security chip" in BIOS (keep secure boot disabled)
|
||||
sudo apt install rng-tools
|
||||
sudo service rng-tools start
|
||||
|
||||
# Secure the MariaDB installation (especially by setting a strong root password)
|
||||
sudo mysql_secure_installation
|
||||
|
||||
|
@ -116,7 +125,7 @@ sudo pear channel-update pear.php.net
|
|||
sudo pear install Crypt_GPG
|
||||
sudo pecl channel-update pecl.php.net
|
||||
sudo pecl install redis
|
||||
sudo echo "extension=redis.so" > /etc/php/7.2/mods-available/redis.ini
|
||||
echo "extension=redis.so" | sudo tee /etc/php/7.2/mods-available/redis.ini
|
||||
|
||||
# Switch to python3 by default (optional)
|
||||
|
||||
|
@ -327,10 +336,10 @@ class DATABASE_CONFIG {
|
|||
sudo chown -R www-data:www-data $PATH_TO_MISP/app/Config
|
||||
sudo chmod -R 750 $PATH_TO_MISP/app/Config
|
||||
# Set some MISP directives with the command line tool
|
||||
sudo $PATH_TO_MISP/app/Console/cake Live $MISP_LIVE
|
||||
sudo $CAKE Live $MISP_LIVE
|
||||
|
||||
# Change base url
|
||||
sudo $PATH_TO_MISP/app/Console/cake Baseurl $MISP_BASEURL
|
||||
sudo $CAKE Baseurl $MISP_BASEURL
|
||||
|
||||
# example: 'baseurl' => 'https://<your.FQDN.here>',
|
||||
# alternatively, you can leave this field empty if you would like to use relative pathing in MISP
|
||||
|
@ -361,7 +370,7 @@ sudo -u www-data gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-k
|
|||
# The email address should match the one set in the config.php / set in the configuration menu in the administration menu configuration file
|
||||
|
||||
# And export the public key to the webroot
|
||||
sudo -u www-data sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS > $PATH_TO_MISP/MISP/app/webroot/gpg.asc"
|
||||
sudo -u www-data sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS" | sudo -u www-data tee $PATH_TO_MISP/app/webroot/gpg.asc
|
||||
|
||||
# To make the background workers start on boot
|
||||
sudo chmod +x $PATH_TO_MISP/app/Console/worker/start.sh
|
||||
|
@ -373,77 +382,127 @@ then
|
|||
fi
|
||||
|
||||
# Initialize user and fetch Auth Key
|
||||
sudo -E $PATH_TO_MISP/app/Console/cake userInit -q
|
||||
sudo -E $CAKE userInit -q
|
||||
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
|
||||
|
||||
# Setup some more MISP default via cake CLI
|
||||
|
||||
# Tune global time outs
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Session.autoRegenerate" 0
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Session.timeout" 600
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Session.cookie_timeout" 3600
|
||||
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
|
||||
sudo $CAKE Admin setSetting "Session.timeout" 600
|
||||
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
|
||||
|
||||
# Enable GnuPG
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "GnuPG.email" "admin@admin.test"
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "GnuPG.password" "Password1234"
|
||||
sudo $CAKE Admin setSetting "GnuPG.email" "admin@admin.test"
|
||||
sudo $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
|
||||
sudo $CAKE Admin setSetting "GnuPG.password" "Password1234"
|
||||
|
||||
# Enable Enrichment set better timeouts
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_timeout" 300
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_timeout" 150
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_cve_enabled" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_dns_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
|
||||
|
||||
# Enable Import modules set better timout
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_timeout" 300
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_ocr_enabled" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_csvimport_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_services_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_services_port" 6666
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_timeout" 300
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
|
||||
|
||||
# Enable Export modules set better timout
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Export_timeout" 300
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Export_pdfexport_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Export_services_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.Export_services_port" 6666
|
||||
sudo $CAKE Admin setSetting "Plugin.Export_timeout" 300
|
||||
sudo $CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
|
||||
|
||||
# Enable installer org and tune some configurables
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.host_org_id" 1
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.email" "info@admin.test"
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.disable_emailing" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.contact" "info@admin.test"
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.disablerestalert" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.showCorrelationsOnIndex" true
|
||||
sudo $CAKE Admin setSetting "MISP.host_org_id" 1
|
||||
sudo $CAKE Admin setSetting "MISP.email" "info@admin.test"
|
||||
sudo $CAKE Admin setSetting "MISP.disable_emailing" true
|
||||
sudo $CAKE Admin setSetting "MISP.contact" "info@admin.test"
|
||||
sudo $CAKE Admin setSetting "MISP.disablerestalert" true
|
||||
sudo $CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true
|
||||
|
||||
# Provisional Cortex tunes
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_enable" false
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_timeout" 120
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_authkey" ""
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true
|
||||
|
||||
# Various plugin sightings settings
|
||||
sudo $CAKE Admin setSetting "Plugin.Sightings_policy" 0
|
||||
sudo $CAKE Admin setSetting "Plugin.Sightings_anonymise" false
|
||||
sudo $CAKE Admin setSetting "Plugin.Sightings_range" 365
|
||||
|
||||
# Plugin CustomAuth tuneable
|
||||
sudo $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
|
||||
|
||||
# RPZ Plugin settings
|
||||
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_policy" "DROP"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_refresh" "2h"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_retry" "30m"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_expiry" "30d"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_ttl" "1w"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_ns" "localhost."
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_ns_alt" ""
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost"
|
||||
|
||||
# Force defaults to make MISP Server Settings less RED
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.language" "eng"
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.proposals_block_attributes" false
|
||||
sudo $CAKE Admin setSetting "MISP.language" "eng"
|
||||
sudo $CAKE Admin setSetting "MISP.proposals_block_attributes" false
|
||||
|
||||
## Redis block
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_host" "127.0.0.1"
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_port" 6379
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_database" 13
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_password" ""
|
||||
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false
|
||||
|
||||
sudo $CAKE Admin setSetting "MISP.redis_host" "127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "MISP.redis_port" 6379
|
||||
sudo $CAKE Admin setSetting "MISP.redis_database" 13
|
||||
sudo $CAKE Admin setSetting "MISP.redis_password" ""
|
||||
|
||||
# Force defaults to make MISP Server Settings less YELLOW
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.ssdeep_correlation_threshold" 40
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.extended_alert_subject" false
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.default_event_threat_level" 4
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.enableEventBlacklisting" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.enableOrgBlacklisting" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.log_client_ip" false
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.log_auth" false
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.disableUserSelfManagement" false
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_event_alert" false
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert" false
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert_age" ""
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.incoming_tags_disabled_by_default" false
|
||||
sudo $CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40
|
||||
sudo $CAKE Admin setSetting "MISP.extended_alert_subject" false
|
||||
sudo $CAKE Admin setSetting "MISP.default_event_threat_level" 4
|
||||
sudo $CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
|
||||
sudo $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
|
||||
sudo $CAKE Admin setSetting "MISP.enableEventBlacklisting" true
|
||||
sudo $CAKE Admin setSetting "MISP.enableOrgBlacklisting" true
|
||||
sudo $CAKE Admin setSetting "MISP.log_client_ip" false
|
||||
sudo $CAKE Admin setSetting "MISP.log_auth" false
|
||||
sudo $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
|
||||
sudo $CAKE Admin setSetting "MISP.block_event_alert" false
|
||||
sudo $CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
|
||||
sudo $CAKE Admin setSetting "MISP.block_old_event_alert" false
|
||||
sudo $CAKE Admin setSetting "MISP.block_old_event_alert_age" ""
|
||||
sudo $CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false
|
||||
sudo $CAKE Admin setSetting "MISP.footermidleft" "This is an initial install"
|
||||
sudo $CAKE Admin setSetting "MISP.footermidright" "Please configure and harden accordingly"
|
||||
sudo $CAKE Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure"
|
||||
sudo $CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP, change this message in MISP Settings"
|
||||
|
||||
# Force defaults to make MISP Server Settings less GREEN
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Security.password_policy_length" 12
|
||||
sudo $CAKE Admin setSetting "Security.password_policy_length" 12
|
||||
sudo $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
|
||||
# Tune global time outs
|
||||
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
|
||||
sudo $CAKE Admin setSetting "Session.timeout" 600
|
||||
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
|
||||
|
||||
# Now log in using the webinterface:
|
||||
# The default user/pass = admin@admin.test/admin
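Review bot: The new Cortex defaults `Plugin.Cortex_ssl_verify_peer false`, `Plugin.Cortex_ssl_verify_host false` and `Plugin.Cortex_ssl_allow_self_signed true` switch certificate verification off in what is meant to be an install baseline, so an operator who later sets `Plugin.Cortex_services_enable` to true inherits an unverified TLS connection to Cortex without ever being asked. Since the connector is disabled in the same block, leaving the three settings at their verifying values and documenting the override is safer, e.g. `sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" true` with a comment `# relax only for a self-signed test Cortex, never for production`. Two smaller points in the same hunk: the `Session.autoRegenerate`/`Session.timeout`/`Session.cookie_timeout` trio is set once under "Tune global time outs" and again after the password policy, so one copy is redundant; and `GnuPG.email` is set to the literal `"admin@admin.test"` while the key export in the previous hunk uses `$GPG_EMAIL_ADDRESS`, so `sudo $CAKE Admin setSetting "GnuPG.email" "$GPG_EMAIL_ADDRESS"` keeps the two from drifting (the literal `"Password1234"` for `GnuPG.password` has the same problem if a passphrase variable exists in this doc as it does in the Kali script).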
|
||||
|
@ -455,28 +514,30 @@ sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Security.password_policy_l
|
|||
# Don't forget to change the email, password and authentication key after installation.
|
||||
|
||||
# Set MISP Live
|
||||
sudo $PATH_TO_MISP/app/Console/cake Live $MISP_LIVE
|
||||
sudo $CAKE Live $MISP_LIVE
|
||||
|
||||
# Update the galaxies…
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin updateGalaxies
|
||||
sudo $CAKE Admin updateGalaxies
|
||||
|
||||
# Updating the taxonomies…
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/taxonomies/update
|
||||
sudo $CAKE Admin updateTaxonomies
|
||||
|
||||
# Updating the warning lists…
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/warninglists/update
|
||||
sudo $CAKE Admin updateWarningLists
|
||||
|
||||
# Updating the notice lists…
|
||||
## sudo $CAKE Admin updateNoticeLists
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update
|
||||
|
||||
# Updating the object templates…
|
||||
##sudo $CAKE Admin updateObjectTemplates
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update
|
||||
|
||||
# Add the following lines before the last line (exit 0). Make sure that you replace www-data with your apache user:
|
||||
sudo sed -i -e '$i \echo never > /sys/kernel/mm/transparent_hugepage/enabled\n' /etc/rc.local
|
||||
sudo sed -i -e '$i \echo 1024 > /proc/sys/net/core/somaxconn\n' /etc/rc.local
|
||||
sudo sed -i -e '$i \sysctl vm.overcommit_memory=1\n' /etc/rc.local
|
||||
sudo sed -i -e '$i \sudo -u www-data bash $PATH_TO_MISP/app/Console/worker/start.sh\n' /etc/rc.local
|
||||
sudo sed -i -e '$i \sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh\n' /etc/rc.local
|
||||
sudo sed -i -e '$i \sudo -u www-data misp-modules -l 0.0.0.0 -s &\n' /etc/rc.local
|
||||
|
||||
# Start the workers
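Review bot: The new rc.local line `sudo sed -i -e '$i \sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh\n' /etc/rc.local` hard-codes the install path — presumably because the previous `$PATH_TO_MISP` form sat inside single quotes and was written to rc.local unexpanded — but it now silently diverges from `PATH_TO_MISP` for anyone who changed that variable. Closing the single quotes around the expansion keeps both properties: `sudo sed -i -e '$i \sudo -u www-data bash '"$PATH_TO_MISP"'/app/Console/worker/start.sh\n' /etc/rc.local`. The commented-out `## sudo $CAKE Admin updateNoticeLists` and `##sudo $CAKE Admin updateObjectTemplates` lines sit next to the curl calls they would replace without saying why they are disabled; a one-line comment such as `# cake has no updateNoticeLists/updateObjectTemplates here yet, so the REST endpoint with $AUTH_KEY is used instead` (if that is the reason) would spare the next editor the same experiment.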
|
||||
|
@ -511,6 +572,9 @@ sudo chown -R www-data:www-data $PATH_TO_MISP/<directory path with an indicated
|
|||
# $PATH_TO_MISP/app/tmp/logs/resque-scheduler-error.log
|
||||
# $PATH_TO_MISP/app/tmp/logs/resque-2015-01-01.log // where the actual date is the current date
|
||||
|
||||
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
|
||||
echo "User (misp) DB Password: $DBPASSWORD_MISP"
|
||||
|
||||
|
||||
Recommended actions
|
||||
-------------------
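Review bot: `echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"` and the line below print freshly generated database credentials to stdout, which is exactly where `script` captures, CI logs and pasted terminal sessions end up; the same two echo lines also open the new Kali script in this commit. A short comment above them, `# Generated DB credentials are printed once; store them in your secrets store and clear the terminal/log afterwards`, makes the exposure deliberate rather than accidental. Where the install has set the MariaDB root password to `$DBPASSWORD_ADMIN`, as the Kali variant does, this output is the only record of it.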
|
||||
|
@ -528,16 +592,10 @@ Optional features
|
|||
# MISP has a new pub/sub feature, using ZeroMQ. To enable it, simply run the following commands
|
||||
|
||||
# ZeroMQ depends on the Python client for Redis
|
||||
sudo pip3 install redis
|
||||
|
||||
# Debian has an ancient version of ZeroMQ, so manually install a current version
|
||||
|
||||
## Install ZeroMQ and prerequisites
|
||||
sudo apt-get install pkg-config
|
||||
cd /usr/local/src/
|
||||
sudo apt install python3-redis -y
|
||||
|
||||
## install pyzmq
|
||||
sudo pip3 install pyzmq
|
||||
sudo apt install python3-zmq -y
|
||||
|
||||
|
||||
MISP Dashboard
|
||||
|
@ -592,24 +650,31 @@ echo "<VirtualHost *:8001>
|
|||
</VirtualHost>" | sudo tee /etc/apache2/sites-available/misp-dashboard.conf
|
||||
|
||||
sudo a2ensite misp-dashboard
|
||||
|
||||
## Failing
|
||||
sudo systemctl reload apache2
|
||||
|
||||
# Enable ZeroMQ for misp-dashboard
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
|
||||
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost"
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq"
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false
|
||||
|
||||
|
||||
Install viper framework
|
||||
-----------------------
|
||||
|
||||
/!\ Has libyara issues
|
||||
|
||||
cd /usr/local/src/
|
||||
sudo apt-get install -y libssl-dev swig python3-ssdeep p7zip-full unrar-free sqlite python3-pyclamd exiftool radare2
|
||||
sudo pip3 install SQLAlchemy PrettyTable python-magic
|
||||
|
@ -618,6 +683,7 @@ cd viper
|
|||
sudo git submodule init
|
||||
sudo git submodule update
|
||||
sudo pip3 install -r requirements.txt
|
||||
sudo pip3 uninstall yara -y
|
||||
/usr/local/src/viper/viper-cli -h
|
||||
/usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &
|
||||
echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/src/viper"' |sudo tee /etc/environment
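Review bot: `sudo pip3 uninstall yara -y` is added without a reason; given the `/!\ Has libyara issues` warning above this section, a comment such as `# the pip yara wheel shadows the distro libyara/python3-yara build viper expects; remove it` (if that is indeed the cause) would save the next reader a guess. Two unchanged context lines next to it deserve a note as well: `viper-web -p 8888 -H 0.0.0.0 &` listens on every interface, and `echo 'PATH=…' | sudo tee /etc/environment` replaces the whole file rather than appending to it, so any other entries there are lost.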
|
||||
@ -0,0 +1,67 @@
|
|||
# It's possible to send all logs from MISP to an elasticsearch
|
||||
# endpoint
|
||||
|
||||
# First, we'll need an ES PHP library
|
||||
|
||||
# Replace according to your requirements
|
||||
export MISP_DIR=/var/www/MISP
|
||||
cd $MISP_DIR/app
|
||||
sudo -u www-data php composer.phar require elasticsearch/elasticsearch
|
||||
|
||||
# Ok now we need to configure where we log to
|
||||
#
|
||||
# In Administration -> Server Settings & Maintenance -> Plugin Settings
|
||||
# Under the elasticsearch tab, enable elasticsearch logging, and input
|
||||
# your connection string
|
||||
# Note that explicitly specifying the port may be needed, e.g. for AWS instances
|
||||
# running on 443.
|
||||
# Also input a log index - all logs will be thrown at this index.
|
||||
|
||||
# Now give ES a template to work from
|
||||
cat << EOF > misp_es_template.json
|
||||
{
|
||||
"template": "misp_logging",
|
||||
"mappings": {
|
||||
"log": {
|
||||
"_source": {
|
||||
"enabled": true
|
||||
},
|
||||
"properties": {
|
||||
"Log.email": {
|
||||
"type": "keyword"
|
||||
},
|
||||
"Log.title": {
|
||||
"type": "text"
|
||||
},
|
||||
"Log.ip": {
|
||||
"type": "ip"
|
||||
},
|
||||
"Log.created": {
|
||||
"format": "YYYY-MM-dd HH:mm:ss",
|
||||
"type": "date"
|
||||
},
|
||||
"Log.description": {
|
||||
"type": "text"
|
||||
},
|
||||
"Log.org": {
|
||||
"type": "text"
|
||||
},
|
||||
"Log.action": {
|
||||
"type": "text"
|
||||
},
|
||||
"Log.model": {
|
||||
"type": "text"
|
||||
},
|
||||
"Log.change": {
|
||||
"type": "text"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
# And put it to ES
|
||||
curl -XPUT https://my_es/_template/misp_logging --data-binary @misp_es_template.json
|
||||
|
||||
# Now MISP will start sending logs to ES! Hooray!
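Review bot: The template upload `curl -XPUT https://my_es/_template/misp_logging --data-binary @misp_es_template.json` sends a JSON body without a `Content-Type: application/json` header, which recent Elasticsearch releases reject, and without any credentials even though the target is an HTTPS endpoint that will receive audit-style data (`Log.email`, `Log.ip`, `Log.change`); `curl -u <es_user> -H 'Content-Type: application/json' -XPUT https://my_es/_template/misp_logging --data-binary @misp_es_template.json` is the shape readers need, with the same authentication then configured in the MISP connection string. The `"template": "misp_logging"` key and the `"log"` mapping type are older template forms (later releases use `index_patterns` and drop mapping types), so a comment stating which Elasticsearch versions this template was written against would prevent a confusing rejection. `export MISP_DIR=/var/www/MISP` also introduces a new name for what the other install documents call `PATH_TO_MISP`.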
@ -0,0 +1,505 @@
|
|||
#!/usr/bin/env bash
|
||||
#INSTALLATION INSTRUCTIONS
|
||||
#------------------------- for Kali Linux
|
||||
#
|
||||
#0/ Quick MISP Instance on Kali Linux - Status
|
||||
#---------------------------------------------
|
||||
#
|
||||
#1/ Prepare Kali with a MISP User
|
||||
#--------------------------------
|
||||
# useradd -s /bin/bash -m -G adm,cdrom,sudo,dip,plugdev,www-data misp
|
||||
# passwd misp
|
||||
# su - misp
|
||||
# sh -c "$(curl -fsSL https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.kali.txt)"
|
||||
|
||||
# MISP configuration variables
|
||||
PATH_TO_MISP='/var/www/MISP'
|
||||
MISP_BASEURL=''
|
||||
MISP_LIVE='1'
|
||||
CAKE="$PATH_TO_MISP/app/Console/cake"
|
||||
|
||||
# Database configuration
|
||||
DBHOST='localhost'
|
||||
DBNAME='misp'
|
||||
DBUSER_ADMIN='root'
|
||||
DBPASSWORD_ADMIN="$(openssl rand -hex 32)"
|
||||
DBUSER_MISP='misp'
|
||||
DBPASSWORD_MISP="$(openssl rand -hex 32)"
|
||||
|
||||
# Webserver configuration
|
||||
FQDN='localhost'
|
||||
|
||||
# OpenSSL configuration
|
||||
OPENSSL_CN='localhost'
|
||||
OPENSSL_C='LU'
|
||||
OPENSSL_ST='State'
|
||||
OPENSSL_L='Location'
|
||||
OPENSSL_O='Organization'
|
||||
OPENSSL_OU='Organizational Unit'
|
||||
OPENSSL_EMAILADDRESS='info@localhost'
|
||||
|
||||
# GPG configuration
|
||||
GPG_REAL_NAME='Autogenerated Key'
|
||||
GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
|
||||
GPG_EMAIL_ADDRESS='admin@admin.test'
|
||||
GPG_KEY_LENGTH='2048'
|
||||
GPG_PASSPHRASE='Password1234'
|
||||
|
||||
# php.ini configuration
|
||||
upload_max_filesize=50M
|
||||
post_max_size=50M
|
||||
max_execution_time=300
|
||||
memory_limit=512M
|
||||
PHP_INI=/etc/php/7.2/apache2/php.ini
|
||||
|
||||
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
|
||||
echo "User (misp) DB Password: $DBPASSWORD_MISP"
|
||||
|
||||
sudo apt install -y etckeeper
|
||||
sudo apt update
|
||||
# Skip dist-upgrade for now, pulls in 500+ updated packages
|
||||
#sudo apt -y dist-upgrade
|
||||
sudo apt install -y postfix
|
||||
|
||||
sudo apt install -y \
|
||||
curl gcc git gnupg-agent make openssl redis-server neovim zip libyara-dev python3-yara python3-redis python3-zmq \
|
||||
mariadb-client \
|
||||
mariadb-server \
|
||||
apache2 apache2-doc apache2-utils \
|
||||
libapache2-mod-php7.2 php7.2 php7.2-cli php7.2-mbstring php-pear php7.2-dev php7.2-json php7.2-xml php7.2-mysql php7.2-opcache php7.2-readline \
|
||||
python3-dev python3-pip libpq5 libjpeg-dev libfuzzy-dev ruby asciidoctor \
|
||||
libxml2-dev libxslt1-dev zlib1g-dev python3-setuptools
|
||||
|
||||
sudo apt install rng-tools -y # This might fail on TPM grounds, enable the security chip in your BIOS
|
||||
sudo service rng-tools start
|
||||
|
||||
sudo systemctl restart mariadb.service
|
||||
|
||||
sudo expect -f - <<-EOF
|
||||
set timeout 10
|
||||
spawn mysql_secure_installation
|
||||
expect "Enter current password for root (enter for none):"
|
||||
send -- "\r"
|
||||
expect "Set root password?"
|
||||
send -- "y\r"
|
||||
expect "New password:"
|
||||
send -- "${DBPASSWORD_ADMIN}\r"
|
||||
expect "Re-enter new password:"
|
||||
send -- "${DBPASSWORD_ADMIN}\r"
|
||||
expect "Remove anonymous users?"
|
||||
send -- "y\r"
|
||||
expect "Disallow root login remotely?"
|
||||
send -- "y\r"
|
||||
expect "Remove test database and access to it?"
|
||||
send -- "y\r"
|
||||
expect "Reload privilege tables now?"
|
||||
send -- "y\r"
|
||||
expect eof
|
||||
EOF
|
||||
|
||||
sudo a2dismod status
|
||||
sudo a2enmod ssl rewrite
|
||||
sudo a2dissite 000-default
|
||||
sudo a2ensite default-ssl
|
||||
|
||||
sudo pear channel-update pear.php.net
|
||||
sudo pear install Crypt_GPG
|
||||
sudo pecl channel-update pecl.php.net
|
||||
|
||||
yes '' |sudo pecl install redis
|
||||
|
||||
echo "extension=redis.so" | sudo tee /etc/php/7.2/mods-available/redis.ini
|
||||
|
||||
sudo phpenmod redis
|
||||
|
||||
sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
|
||||
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.6 2
|
||||
|
||||
sudo mkdir $PATH_TO_MISP
|
||||
sudo chown www-data:www-data $PATH_TO_MISP
|
||||
cd $PATH_TO_MISP
|
||||
sudo -u www-data git clone https://github.com/MISP/MISP.git $PATH_TO_MISP
|
||||
|
||||
sudo -u www-data git config core.filemode false
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts
|
||||
sudo -u www-data git clone https://github.com/CybOXProject/python-cybox.git
|
||||
sudo -u www-data git clone https://github.com/STIXProject/python-stix.git
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-cybox
|
||||
sudo pip3 install .
|
||||
cd $PATH_TO_MISP/app/files/scripts/python-stix
|
||||
sudo pip3 install .
|
||||
|
||||
cd $PATH_TO_MISP/app/files/scripts/
|
||||
sudo -u www-data git clone https://github.com/CybOXProject/mixbox.git
|
||||
cd $PATH_TO_MISP/app/files/scripts/mixbox
|
||||
sudo pip3 install .
|
||||
|
||||
cd $PATH_TO_MISP
|
||||
sudo -u www-data git submodule init
|
||||
sudo -u www-data git submodule update
|
||||
# Make git ignore filesystem permission differences for submodules
|
||||
sudo -u www-data git submodule foreach git config core.filemode false
|
||||
|
||||
# install PyMISP
|
||||
cd $PATH_TO_MISP/PyMISP
|
||||
sudo pip3 install .
|
||||
|
||||
cd $PATH_TO_MISP/app
|
||||
sudo mkdir /var/www/.composer ; sudo chown www-data:www-data /var/www/.composer
|
||||
sudo -u www-data php composer.phar require kamisama/cake-resque:4.1.2
|
||||
sudo -u www-data php composer.phar config vendor-dir Vendor
|
||||
sudo -u www-data php composer.phar install
|
||||
|
||||
sudo -u www-data cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
|
||||
|
||||
sudo chown -R www-data:www-data $PATH_TO_MISP
|
||||
sudo chmod -R 750 $PATH_TO_MISP
|
||||
sudo chmod -R g+ws $PATH_TO_MISP/app/tmp
|
||||
sudo chmod -R g+ws $PATH_TO_MISP/app/files
|
||||
sudo chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
|
||||
|
||||
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;"
|
||||
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';"
|
||||
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant all privileges on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
|
||||
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "flush privileges;"
|
||||
|
||||
sudo -u www-data cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME
|
||||
|
||||
sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
|
||||
-subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" \
|
||||
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
|
||||
|
||||
cd /var/www
|
||||
sudo mkdir misp-dashboard
|
||||
sudo chown www-data:www-data misp-dashboard
|
||||
sudo -u www-data git clone https://github.com/MISP/misp-dashboard.git
|
||||
cd misp-dashboard
|
||||
sudo /var/www/misp-dashboard/install_dependencies.sh
|
||||
sudo sed -i "s/^host\ =\ localhost/host\ =\ 0.0.0.0/g" /var/www/misp-dashboard/config/config.cfg
|
||||
sudo sed -i -e '$i \sudo -u www-data bash /var/www/misp-dashboard/start_all.sh\n' /etc/rc.local
|
||||
sudo -u www-data bash /var/www/misp-dashboard/start_all.sh
|
||||
|
||||
sudo apt install libapache2-mod-wsgi-py3 -y
|
||||
|
||||
echo "<VirtualHost _default_:80>
|
||||
ServerAdmin admin@localhost.lu
|
||||
ServerName misp.local
|
||||
|
||||
Redirect permanent / https://localhost
|
||||
|
||||
LogLevel warn
|
||||
ErrorLog /var/log/apache2/misp.local_error.log
|
||||
CustomLog /var/log/apache2/misp.local_access.log combined
|
||||
ServerSignature Off
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost _default_:443>
|
||||
ServerAdmin admin@localhost.lu
|
||||
ServerName misp.local
|
||||
DocumentRoot $PATH_TO_MISP/app/webroot
|
||||
|
||||
<Directory $PATH_TO_MISP/app/webroot>
|
||||
Options -Indexes
|
||||
AllowOverride all
|
||||
Require all granted
|
||||
Order allow,deny
|
||||
allow from all
|
||||
</Directory>
|
||||
|
||||
SSLEngine On
|
||||
SSLCertificateFile /etc/ssl/private/misp.local.crt
|
||||
SSLCertificateKeyFile /etc/ssl/private/misp.local.key
|
||||
# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
|
||||
|
||||
LogLevel warn
|
||||
ErrorLog /var/log/apache2/misp.local_error.log
|
||||
CustomLog /var/log/apache2/misp.local_access.log combined
|
||||
ServerSignature Off
|
||||
</VirtualHost>" | sudo tee /etc/apache2/sites-available/misp-ssl.conf
|
||||
EOF
|
||||
|
||||
echo "127.0.0.1 misp.local" | sudo tee -a /etc/hosts
|
||||
|
||||
echo "<VirtualHost *:8001>
|
||||
ServerAdmin admin@misp.local
|
||||
ServerName misp.local
|
||||
|
||||
DocumentRoot /var/www/misp-dashboard
|
||||
|
||||
WSGIDaemonProcess misp-dashboard \
|
||||
user=misp group=misp \
|
||||
python-home=/var/www/misp-dashboard/DASHENV \
|
||||
processes=1 \
|
||||
threads=15 \
|
||||
maximum-requests=5000 \
|
||||
listen-backlog=100 \
|
||||
queue-timeout=45 \
|
||||
socket-timeout=60 \
|
||||
connect-timeout=15 \
|
||||
request-timeout=60 \
|
||||
inactivity-timeout=0 \
|
||||
deadlock-timeout=60 \
|
||||
graceful-timeout=15 \
|
||||
eviction-timeout=0 \
|
||||
shutdown-timeout=5 \
|
||||
send-buffer-size=0 \
|
||||
receive-buffer-size=0 \
|
||||
header-buffer-size=0 \
|
||||
response-buffer-size=0 \
|
||||
server-metrics=Off
|
||||
|
||||
WSGIScriptAlias / /var/www/misp-dashboard/misp-dashboard.wsgi
|
||||
|
||||
<Directory /var/www/misp-dashboard>
|
||||
WSGIProcessGroup misp-dashboard
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
LogLevel info
|
||||
ErrorLog /var/log/apache2/misp-dashboard.local_error.log
|
||||
CustomLog /var/log/apache2/misp-dashboard.local_access.log combined
|
||||
ServerSignature Off
|
||||
</VirtualHost>" | sudo tee /etc/apache2/sites-available/misp-dashboard.conf
|
||||
|
||||
sudo a2dissite default-ssl
|
||||
sudo a2ensite misp-ssl
|
||||
sudo a2ensite misp-dashboard
|
||||
|
||||
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
|
||||
do
|
||||
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
|
||||
done
|
||||
|
||||
sudo systemctl restart apache2
|
||||
|
||||
sudo cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
|
||||
|
||||
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php
|
||||
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/database.default.php $PATH_TO_MISP/app/Config/database.php
|
||||
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/core.default.php $PATH_TO_MISP/app/Config/core.php
|
||||
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php
|
||||
|
||||
echo "<?php
|
||||
class DATABASE_CONFIG {
|
||||
public \$default = array(
|
||||
'datasource' => 'Database/Mysql',
|
||||
//'datasource' => 'Database/Postgres',
|
||||
'persistent' => false,
|
||||
'host' => '$DBHOST',
|
||||
'login' => '$DBUSER_MISP',
|
||||
'port' => 3306, // MySQL & MariaDB
|
||||
//'port' => 5432, // PostgreSQL
|
||||
'password' => '$DBPASSWORD_MISP',
|
||||
'database' => '$DBNAME',
|
||||
'prefix' => '',
|
||||
'encoding' => 'utf8',
|
||||
);
|
||||
}" | sudo -u www-data tee $PATH_TO_MISP/app/Config/database.php
|
||||
|
||||
sudo chown -R www-data:www-data $PATH_TO_MISP/app/Config
|
||||
sudo chmod -R 750 $PATH_TO_MISP/app/Config
|
||||
sudo $CAKE Live $MISP_LIVE
|
||||
sudo $CAKE Baseurl $MISP_BASEURL
|
||||
|
||||
cat >/tmp/gen-key-script <<EOF
|
||||
%echo Generating a default key
|
||||
Key-Type: default
|
||||
Key-Length: $GPG_KEY_LENGTH
|
||||
Subkey-Type: default
|
||||
Name-Real: $GPG_REAL_NAME
|
||||
Name-Comment: $GPG_COMMENT
|
||||
Name-Email: $GPG_EMAIL_ADDRESS
|
||||
Expire-Date: 0
|
||||
Passphrase: $GPG_PASSPHRASE
|
||||
# Do a commit here, so that we can later print "done"
|
||||
%commit
|
||||
%echo done
|
||||
EOF
|
||||
|
||||
sudo -u www-data gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-key-script
|
||||
|
||||
sudo -u www-data sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS" | sudo -u www-data tee $PATH_TO_MISP/app/webroot/gpg.asc
|
||||
|
||||
sudo chmod +x $PATH_TO_MISP/app/Console/worker/start.sh
|
||||
|
||||
if [ ! -e /etc/rc.local ]
|
||||
then
|
||||
echo '#!/bin/sh -e' | sudo tee -a /etc/rc.local
|
||||
echo 'exit 0' | sudo tee -a /etc/rc.local
|
||||
sudo chmod u+x /etc/rc.local
|
||||
fi
|
||||
|
||||
sudo -E $CAKE userInit -q
|
||||
|
||||
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
|
||||
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost"
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq"
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
|
||||
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false
|
||||
sudo $CAKE Admin setSetting "GnuPG.email" "admin@admin.test"
|
||||
sudo $CAKE Admin setSetting "GnuPG.homedir" "/var/www/MISP/.gnupg"
|
||||
sudo $CAKE Admin setSetting "GnuPG.password" "Password1234"
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_services_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_services_port" 6666
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_timeout" 300
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Export_services_enable" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.Export_services_port" 6666
|
||||
sudo $CAKE Admin setSetting "Plugin.Export_timeout" 300
|
||||
sudo $CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
|
||||
sudo $CAKE Admin setSetting "MISP.host_org_id" 1
|
||||
sudo $CAKE Admin setSetting "MISP.email" "info@admin.test"
|
||||
sudo $CAKE Admin setSetting "MISP.disable_emailing" false
|
||||
sudo $CAKE Admin setSetting "MISP.contact" "info@admin.test"
|
||||
sudo $CAKE Admin setSetting "MISP.disablerestalert" true
|
||||
sudo $CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_enable" false
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_timeout" 120
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_services_authkey" ""
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false
|
||||
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true
|
||||
sudo $CAKE Admin setSetting "Plugin.Sightings_policy" 0
|
||||
sudo $CAKE Admin setSetting "Plugin.Sightings_anonymise" false
|
||||
sudo $CAKE Admin setSetting "Plugin.Sightings_range" 365
|
||||
sudo $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_policy" "DROP"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_refresh" "2h"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_retry" "30m"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_expiry" "30d"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_ttl" "1w"
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_ns" "localhost."
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_ns_alt" ""
|
||||
sudo $CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost"
|
||||
sudo $CAKE Admin setSetting "MISP.language" "eng"
|
||||
sudo $CAKE Admin setSetting "MISP.proposals_block_attributes" false
|
||||
sudo $CAKE Admin setSetting "MISP.redis_host" "127.0.0.1"
|
||||
sudo $CAKE Admin setSetting "MISP.redis_port" 6379
|
||||
sudo $CAKE Admin setSetting "MISP.redis_database" 13
|
||||
sudo $CAKE Admin setSetting "MISP.redis_password" ""
|
||||
sudo $CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40
|
||||
sudo $CAKE Admin setSetting "MISP.extended_alert_subject" false
|
||||
sudo $CAKE Admin setSetting "MISP.default_event_threat_level" 4
|
||||
sudo $CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
|
||||
sudo $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
|
||||
sudo $CAKE Admin setSetting "MISP.enableEventBlacklisting" true
|
||||
sudo $CAKE Admin setSetting "MISP.enableOrgBlacklisting" true
|
||||
sudo $CAKE Admin setSetting "MISP.log_client_ip" false
|
||||
sudo $CAKE Admin setSetting "MISP.log_auth" false
|
||||
sudo $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
|
||||
sudo $CAKE Admin setSetting "MISP.block_event_alert" false
|
||||
sudo $CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
|
||||
sudo $CAKE Admin setSetting "MISP.block_old_event_alert" false
|
||||
sudo $CAKE Admin setSetting "MISP.block_old_event_alert_age" ""
|
||||
sudo $CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false
|
||||
sudo $CAKE Admin setSetting "MISP.footermidleft" "This is an autogenerated install"
|
||||
sudo $CAKE Admin setSetting "MISP.footermidright" "Please configure accordingly and do not use in production"
|
||||
sudo $CAKE Admin setSetting "MISP.welcome_text_top" "Autogenerated install, please configure and harden accordingly"
|
||||
sudo $CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP on Kali"
|
||||
sudo $CAKE Admin setSetting "Security.password_policy_length" 12
|
||||
sudo $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
|
||||
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
|
||||
sudo $CAKE Admin setSetting "Session.timeout" 600
|
||||
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
|
||||
sudo $CAKE Live $MISP_LIVE
|
||||
sudo $CAKE Admin updateGalaxies
|
||||
sudo $CAKE Admin updateTaxonomies
|
||||
sudo $CAKE Admin updateWarningLists
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update
|
||||
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update
|
||||
sudo sed -i -e '$i \echo never > /sys/kernel/mm/transparent_hugepage/enabled\n' /etc/rc.local
|
||||
sudo sed -i -e '$i \echo 1024 > /proc/sys/net/core/somaxconn\n' /etc/rc.local
|
||||
sudo sed -i -e '$i \sysctl vm.overcommit_memory=1\n' /etc/rc.local
|
||||
sudo sed -i -e '$i \sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh\n' /etc/rc.local
|
||||
sudo sed -i -e '$i \sudo -u www-data misp-modules -l 0.0.0.0 -s &\n' /etc/rc.local
|
||||
sudo -u www-data bash $PATH_TO_MISP/app/Console/worker/start.sh
|
||||
cd /usr/local/src/
|
||||
sudo git clone https://github.com/MISP/misp-modules.git
|
||||
cd misp-modules
|
||||
# pip3 install
|
||||
sudo pip3 install -I -r REQUIREMENTS
|
||||
sudo pip3 install -I .
|
||||
sudo pip3 install maec lief python-magic wand yara
|
||||
sudo pip3 install git+https://github.com/kbandla/pydeep.git
|
||||
sudo pip3 install stix2
|
||||
sudo gem install pygments.rb
|
||||
sudo gem install asciidoctor-pdf --pre
|
||||
sudo -u www-data misp-modules -l 0.0.0.0 -s &
|
||||
cd /usr/local/src/
|
||||
sudo apt-get install -y libssl-dev swig python3-ssdeep p7zip-full unrar-free sqlite python3-pyclamd exiftool radare2
|
||||
sudo pip3 install SQLAlchemy PrettyTable python-magic
|
||||
sudo git clone https://github.com/viper-framework/viper.git
|
||||
cd viper
|
||||
sudo git submodule init
|
||||
sudo git submodule update
|
||||
sudo pip3 install -r requirements.txt
|
||||
sudo pip3 uninstall yara -y
|
||||
/usr/local/src/viper/viper-cli -h
|
||||
/usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &
|
||||
echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/src/viper:/var/www/MISP/app/Console"' |sudo tee /etc/environment
|
||||
sed -i "s/^misp_url\ =/misp_url\ =\ http:\/\/localhost/g" ~/.viper/viper.conf
|
||||
sed -i "s/^misp_key\ =/misp_key\ =\ $AUTH_KEY/g" ~/.viper/viper.conf
|
||||
sqlite3 ~/.viper/admin.db 'UPDATE auth_user SET password="pbkdf2_sha256$100000$iXgEJh8hz7Cf$vfdDAwLX8tko1t0M1TLTtGlxERkNnltUnMhbv56wK/U="'
|
||||
|
||||
sudo chown -R www-data:www-data $PATH_TO_MISP
|
||||
sudo chmod -R 750 $PATH_TO_MISP
|
||||
sudo chmod -R g+ws $PATH_TO_MISP/app/tmp
|
||||
sudo chmod -R g+ws $PATH_TO_MISP/app/files
|
||||
sudo chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
|
||||
|
||||
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN" > ~/mysql.txt
|
||||
echo "User (misp) DB Password: $DBPASSWORD_MISP" >> ~/mysql.txt
|
||||
echo "Authkey: $AUTH_KEY" > ~/MISP-authkey.txt
|
||||
# TODO: mail-to-misp
|
||||
#cd /usr/local/src/
|
||||
#sudo apt-get install -y cmake
|
||||
#sudo git clone https://github.com/MISP/mail_to_misp.git
|
||||
#sudo git clone git://github.com/stricaud/faup.git
|
||||
#cd faup
|
||||
#sudo mkdir -p build
|
||||
#cd build
|
||||
#sudo cmake .. && sudo make
|
||||
#sudo make install
|
||||
#sudo ldconfig
|
||||
#cd ../../
|
||||
#cd mail_to_misp
|
||||
#sudo pip3 install -r requirements.txt
|
||||
#sudo cp mail_to_misp_config.py-example mail_to_misp_config.py
|
||||
#
|
||||
#sudo sed -i "s/^misp_url\ =\ 'YOUR_MISP_URL'/misp_url\ =\ 'http:\/\/localhost'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py
|
||||
#sudo sed -i "s/^misp_key\ =\ 'YOUR_KEY_HERE'/misp_key\ =\ '$AUTH_KEY'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py
|
||||
|
|
@ -2,7 +2,7 @@
|
|||
App::uses('AppShell', 'Console/Command');
|
||||
class AdminShell extends AppShell
|
||||
{
|
||||
public $uses = array('Event', 'Post', 'Attribute', 'Job', 'User', 'Task', 'Whitelist', 'Server', 'Organisation', 'AdminSetting', 'Galaxy');
|
||||
public $uses = array('Event', 'Post', 'Attribute', 'Job', 'User', 'Task', 'Whitelist', 'Server', 'Organisation', 'AdminSetting', 'Galaxy', 'Taxonomy', 'Warninglist', 'Noticelist', 'ObjectTemplate');
|
||||
|
||||
public function jobGenerateCorrelation() {
|
||||
$jobId = $this->args[0];
|
||||
|
@ -34,14 +34,75 @@ class AdminShell extends AppShell
|
|||
$this->ShadowAttribute->generateCorrelation($jobId);
|
||||
}
|
||||
|
||||
public function updateGalaxies() {
|
||||
public function updateGalaxies() {
|
||||
// The following is 7.x upwards only
|
||||
//$value = $this->args[0] ?? $this->args[0] ?? 0;
|
||||
$value = empty($this->args[0]) ? null : $this->args[0];
|
||||
if ($value === 'false') $value = 0;
|
||||
if ($value === 'true') $value = 1;
|
||||
if ($value === 'force') $value = 1;
|
||||
$force = $value;
|
||||
$result = $this->Galaxy->update($force);
|
||||
if ($result) {
|
||||
echo 'Galaxies updated';
|
||||
} else {
|
||||
echo 'Could not update Galaxies';
|
||||
}
|
||||
}
|
||||
|
||||
# FIXME: Make Taxonomy->update() return a status string on API if successful
|
||||
public function updateTaxonomies() {
|
||||
$result = $this->Taxonomy->update();
|
||||
if ($result) {
|
||||
echo 'Taxonomies updated';
|
||||
} else {
|
||||
echo 'Could not update Taxonomies';
|
||||
}
|
||||
}
|
||||
|
||||
public function updateWarningLists() {
|
||||
$result = $this->Galaxy->update();
|
||||
if ($result) {
|
||||
echo 'Galaxies updated';
|
||||
} else {
|
||||
echo 'Could not update Galaxies';
|
||||
}
|
||||
}
|
||||
if ($result) {
|
||||
echo 'Warning lists updated';
|
||||
} else {
|
||||
echo 'Could not update warning lists';
|
||||
}
|
||||
}
|
||||
|
||||
public function updateNoticeLists() {
|
||||
$result = $this->Noticelist->update();
|
||||
if ($result) {
|
||||
echo 'Notice lists updated';
|
||||
} else {
|
||||
echo 'Could not update notice lists';
|
||||
}
|
||||
}
|
||||
|
||||
# FIXME: Debug and make it work, fails to pass userId/orgId properly
|
||||
public function updateObjectTemplates() {
|
||||
if (empty($this->args[0])) {
|
||||
echo 'Usage: ' . APP . '/cake ' . 'Admin updateNoticeLists [user_id]';
|
||||
} else {
|
||||
$userId = $this->args[0];
|
||||
$user = $this->User->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => array(
|
||||
'User.id' => $userId,
|
||||
),
|
||||
'fields' => array('User.id', 'User.org_id')
|
||||
));
|
||||
if (empty($user)) {
|
||||
echo 'User not found';
|
||||
} else {
|
||||
$result = $this->ObjectTemplate->update($user, false,false);
|
||||
if ($result) {
|
||||
echo 'Object templates updated';
|
||||
} else {
|
||||
echo 'Could not update object templates';
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public function jobUpgrade24() {
|
||||
$jobId = $this->args[0];
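Review bot: The usage message in updateObjectTemplates() names the wrong command — `echo 'Usage: ' . APP . '/cake ' . 'Admin updateNoticeLists [user_id]';` should read `'Admin updateObjectTemplates [user_id]'`, otherwise an operator copying it runs a different action. As rendered, updateWarningLists() also shows `$result = $this->Galaxy->update();` and the 'Galaxies updated' strings inside its body; if those lines are on the new side rather than leftover old updateGalaxies() lines, the command refreshes galaxies instead of warninglists and should call `$this->Warninglist->update()` to match the 'Warning lists updated' message that follows. In updateGalaxies(), any argument other than false/true/force is handed to Galaxy->update() unchanged, so the value should be normalised to a boolean or the accepted inputs documented in a docblock. The second hunk runs into jobUpgrade24(), whose body continues outside the hunk.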
|
||||
|
|
|
@ -117,6 +117,8 @@ class AppController extends Controller {
|
|||
$language = Configure::read('MISP.language');
|
||||
if (!empty($language) && $language !== 'eng') {
|
||||
Configure::write('Config.language', $language);
|
||||
} else {
|
||||
Configure::write('Config.language', 'eng');
|
||||
}
|
||||
|
||||
//if fresh installation (salt empty) generate a new salt
|
||||
|
@ -446,7 +448,16 @@ class AppController extends Controller {
|
|||
|
||||
protected function _isRest() {
|
||||
$api = $this->__isApiFunction($this->request->params['controller'], $this->request->params['action']);
|
||||
return (isset($this->RequestHandler) && ($api || $this->RequestHandler->isXml() || $this->_isJson()));
|
||||
if (isset($this->RequestHandler) && ($api || $this->RequestHandler->isXml() || $this->_isJson())) {
|
||||
if ($this->_isJson()) {
|
||||
if (!empty($this->request->input()) && empty($this->request->input('json_decode'))) {
|
||||
throw new MethodNotAllowedException('Invalid JSON input. Make sure that the JSON input is a correctly formatted JSON string. This request has been blocked to avoid an unfiltered request.');
|
||||
}
|
||||
}
|
||||
return true;
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
protected function _isAutomation() {
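Review bot: The new JSON guard in _isRest() rejects valid payloads that decode to a falsy value, because `empty($this->request->input('json_decode'))` is true for `[]`, `{}`, `0`, `false` and `""` as well as for a decode failure; checking `json_last_error() !== JSON_ERROR_NONE` after the decode (or comparing the decoded value with null when the raw body is not the literal `null`) separates malformed input from an empty-but-valid body. Blocking undecodable JSON before it reaches a controller is the right call, since such a body would otherwise flow through as an unfiltered request; a 400 `BadRequestException` describes that condition better than the 405 `MethodNotAllowedException` thrown here, and callers may already map 405 to "wrong verb". A one-line comment such as `// reject bodies that claim to be JSON but do not parse, so no controller sees unfiltered input` would make the intent of the new branch clear to the next reader.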
|
||||
|
|
|
@ -816,7 +816,7 @@ class ServersController extends AppController {
|
|||
if ($tab == 'diagnostics' || $tab == 'download') {
|
||||
$php_ini = php_ini_loaded_file();
|
||||
$this->set('php_ini', $php_ini);
|
||||
$advanced_attachments = shell_exec('python ' . APP . 'files/scripts/generate_file_objects.py -c');
|
||||
$advanced_attachments = shell_exec('python3 ' . APP . 'files/scripts/generate_file_objects.py -c');
|
||||
try {
|
||||
$advanced_attachments = json_decode($advanced_attachments, true);
|
||||
} catch (Exception $e) {
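Review bot: The python3 invocation for the diagnostics tab still builds the command by string concatenation, so a space or shell metacharacter in `APP` breaks the call; wrap the script path with `escapeshellarg(APP . 'files/scripts/generate_file_objects.py')` and keep the `-c` flag outside the quoted argument. The try/catch around the following `json_decode` never fires because json_decode() returns null rather than throwing, so a failed or empty script run silently leaves `$advanced_attachments` as null; test `json_last_error()` or `$advanced_attachments === null` instead. The enclosing `if ($tab == 'diagnostics' ...)` block starts and ends outside the hunk.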
|
||||
|
|
|
@ -270,8 +270,10 @@ class ComplexTypeTool {
|
|||
private function __checkForSimpleRegex($input) {
|
||||
// CVE numbers
|
||||
if (preg_match("#^cve-[0-9]{4}-[0-9]{4,9}$#i", $input['raw'])) return array('types' => array('vulnerability'), 'categories' => array('External analysis'), 'to_ids' => false, 'default_type' => 'vulnerability', 'value' => $input['raw']);
|
||||
// Phone numbers
|
||||
if (preg_match("#^(\+)?([0-9]{1,3}(\(0\))?)?[0-9\/\-]{5,}[0-9]$#i", $input['raw'])) return array('types' => array('phone-number', 'prtn', 'whois-registrant-phone'), 'categories' => array('Other'), 'to_ids' => false, 'default_type' => 'phone-number', 'value' => $input['raw']);
|
||||
// Phone numbers - for automatic recognition, needs to start with + or include dashes
|
||||
if ($input['raw'][0] === '+' || strpos($input['raw'], '-')) {
|
||||
if (preg_match("#^(\+)?([0-9]{1,3}(\(0\))?)?[0-9\/\-]{5,}[0-9]$#i", $input['raw'])) return array('types' => array('phone-number', 'prtn', 'whois-registrant-phone'), 'categories' => array('Other'), 'to_ids' => false, 'default_type' => 'phone-number', 'value' => $input['raw']);
|
||||
}
|
||||
}
|
||||
|
||||
private function __checkForIP($input) {
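Review bot: The new gate `if ($input['raw'][0] === '+' || strpos($input['raw'], '-'))` reads offset 0 before checking that the string is non-empty, which emits an "Uninitialized string offset" notice if an empty value can reach this point, and a dash at position 0 makes strpos() return 0, which is falsy, so a value like `-12345` bypasses the gate even though the regex still accepts it. Use `if ($input['raw'] !== '' && ($input['raw'][0] === '+' || strpos($input['raw'], '-') !== false))`; the intent of only auto-recognising values that start with + or contain a dash is sound and removes the false positives from plain digit strings. __checkForSimpleRegex() is complete within the hunk.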
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
<?php
|
||||
|
||||
use Elasticsearch\ClientBuilder;
|
||||
|
||||
class ElasticSearchClient {
|
||||
private $__settings = false;
|
||||
private $__client = false;
|
||||
|
||||
private function __getSetSettings() {
|
||||
$settings = array(
|
||||
'enabled' => false,
|
||||
'connection_string' => 'http://localhost',
|
||||
);
|
||||
|
||||
foreach ($settings as $key => $setting) {
|
||||
$temp = Configure::read('Plugin.ElasticSearch_' . $key);
|
||||
if ($temp) $settings[$key] = $temp;
|
||||
}
|
||||
return $settings;
|
||||
}
|
||||
|
||||
public function initTool() {
|
||||
$settings = $this->__getSetSettings();
|
||||
$hosts = explode(",", $settings["connection_string"]);
|
||||
$client = ClientBuilder::create()
|
||||
->setHosts($hosts)
|
||||
->build();
|
||||
$this->__client = $client;
|
||||
$this->__settings = $settings;
|
||||
return $client;
|
||||
}
|
||||
|
||||
public function pushDocument($index, $document_type, $document) {
|
||||
// Format timestamp
|
||||
$time = strftime("%Y-%m-%d %H:%M:%S", strtotime($document["Log"]["created"]));
|
||||
$document["Log"]["created"] = $time;
|
||||
$params = array(
|
||||
'index' => $index,
|
||||
'type' => $document_type,
|
||||
'body' => $document
|
||||
);
|
||||
|
||||
$this->__client->index($params);
|
||||
}
|
||||
}
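Review bot: pushDocument() calls `$this->__client->index($params)` with no error handling, so an unreachable or refusing Elasticsearch node surfaces as an uncaught exception in whatever code path is writing the log entry, turning a logging-backend outage into a failure of the logged action itself; catch the client's exception, report it through the normal error log and return, so log shipping stays best-effort. initTool() reads the `enabled` setting but never checks it, and pushDocument() assumes `$document["Log"]["created"]` is present, so both deserve a guard. The connection string is handed to setHosts() as-is, and whatever is logged is shipped verbatim, so the class docblock should state that a non-loopback endpoint needs TLS and authentication on the Elasticsearch side.
```php
    public function pushDocument($index, $document_type, $document) {
        if (!empty($document["Log"]["created"])) {
            $document["Log"]["created"] = strftime("%Y-%m-%d %H:%M:%S", strtotime($document["Log"]["created"]));
        }
        // … unchanged: $params assembly …
        try {
            $this->__client->index($params);
        } catch (Exception $e) {
            // best effort: a log-shipping failure must not fail the action being logged
            error_log('ElasticSearch log push failed: ' . $e->getMessage());
        }
    }
```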
|
|
@ -67,7 +67,7 @@ class PubSubTool {
|
|||
}
|
||||
|
||||
public function checkIfPythonLibInstalled() {
|
||||
$result = trim(shell_exec('python ' . APP . 'files' . DS . 'scripts' . DS . 'mispzmq' . DS . 'mispzmqtest.py'));
|
||||
$result = trim(shell_exec('python3 ' . APP . 'files' . DS . 'scripts' . DS . 'mispzmq' . DS . 'mispzmqtest.py'));
|
||||
if ($result === "OK") return true;
|
||||
return false;
|
||||
}
|
||||
|
@ -76,7 +76,7 @@ class PubSubTool {
|
|||
App::uses('File', 'Utility');
|
||||
$settings = $this->__getSetSettings();
|
||||
if ($this->checkIfRunning() === false) {
|
||||
shell_exec('python ' . APP . 'files' . DS . 'scripts' . DS . 'mispzmq' . DS . 'mispzmq.py > ' . APP . 'tmp' . DS . 'logs' . DS . 'mispzmq.log 2> ' . APP . 'tmp' . DS . 'logs' . DS . 'mispzmq.error.log &');
|
||||
shell_exec('python3 ' . APP . 'files' . DS . 'scripts' . DS . 'mispzmq' . DS . 'mispzmq.py > ' . APP . 'tmp' . DS . 'logs' . DS . 'mispzmq.log 2> ' . APP . 'tmp' . DS . 'logs' . DS . 'mispzmq.error.log &');
|
||||
}
|
||||
return $settings;
|
||||
}
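Review bot: Both python3 invocations pass APP-derived paths to shell_exec() unquoted, so the daemon launch `python3 ... mispzmq.py > ... mispzmq.log 2> ... mispzmq.error.log &` breaks, or runs something else, if the install path contains a space or shell metacharacter; wrap each path with `escapeshellarg()`. checkIfPythonLibInstalled() treats anything other than exactly `OK` as failure, which is fine, but a missing `python3` binary yields empty output and is indistinguishable from a missing library — a comment such as `// empty output (no python3 on PATH) also reports as not installed` would save a maintainer a debugging round. The second hunk's enclosing function starts outside the hunk.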
|
||||
|
|
|
@ -13,7 +13,7 @@ msgstr ""
|
|||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"Plural-Forms: nplurals=INTEGER; plural=EXPRESSION;\n"
|
||||
|
||||
#: Controller/AppController.php:424
|
||||
#: Controller/AppController.php:437
|
||||
msgid "The request has been black-holed"
|
||||
msgstr ""
|
||||
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
# LANGUAGE translation of CakePHP Application
|
||||
# Copyright 2018 truckydev <EMAIL@ADDRESS>
|
||||
#
|
||||
#, fuzzy
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 1\n"
|
||||
"PO-Revision-Date: 2018-01-29 18:34\n"
|
||||
"Last-Translator: truckydev\n"
|
||||
"Language-Team: FR_fr\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=utf-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"Plural-Forms: nplurals=INTEGER; plural=EXPRESSION;\n"
|
||||
|
||||
#: Controller/AppController.php:398
|
||||
msgid "The request has been black-holed"
|
||||
msgstr "La requête a été bloquée"
|
||||
|
||||
#: View/Layouts/error.ctp:19
|
||||
msgid "CakePHP: the rapid development php framework"
|
||||
msgstr "CakePHP: cadriciel php de développement rapide"
|
|
@ -36,6 +36,8 @@ class AppModel extends Model {
|
|||
|
||||
private $__profiler = array();
|
||||
|
||||
public $elasticSearchClient = false;
|
||||
|
||||
public function __construct($id = false, $table = null, $ds = null) {
|
||||
parent::__construct($id, $table, $ds);
|
||||
|
||||
|
@ -1337,6 +1339,20 @@ class AppModel extends Model {
|
|||
return true;
|
||||
}
|
||||
|
||||
public function getElasticSearchTool() {
|
||||
if (!$this->elasticSearchClient) {
|
||||
$this->loadElasticSearchTool();
|
||||
}
|
||||
return $this->elasticSearchClient;
|
||||
}
|
||||
|
||||
public function loadElasticSearchTool() {
|
||||
App::uses('ElasticSearchClient', 'Tools');
|
||||
$client = new ElasticSearchClient();
|
||||
$client->initTool();
|
||||
$this->elasticSearchClient = $client;
|
||||
}
|
||||
|
||||
public function checkVersionRequirements($versionString, $minVersion) {
|
||||
$version = explode('.', $versionString);
|
||||
$minVersion = explode('.', $minVersion);
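Review bot: loadElasticSearchTool() instantiates ElasticSearchClient, which references `Elasticsearch\ClientBuilder` from a package this same commit lists only under composer "suggest"; on an install without that package, enabling `Plugin.ElasticSearch_logging_enable` produces a fatal class-not-found error inside the logging path instead of a diagnosable message. Check `class_exists('Elasticsearch\ClientBuilder')` before constructing the client, and on failure log the missing dependency and leave `$this->elasticSearchClient` false so callers can skip shipping. getElasticSearchTool() has no docblock; a one-liner such as `// lazily builds the ES client on first use; requires the optional elasticsearch/elasticsearch composer package` would help.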
|
||||
|
|
|
@ -239,6 +239,14 @@ class Log extends AppModel {
|
|||
$pubSubTool = $this->getPubSubTool();
|
||||
$pubSubTool->publish($data, 'audit', 'log');
|
||||
}
|
||||
|
||||
if (Configure::read('Plugin.ElasticSearch_logging_enable')) {
|
||||
// send off our logs to distributed /dev/null
|
||||
$logIndex = Configure::read("Plugin.ElasticSearch_log_index");
|
||||
$elasticSearchClient = $this->getElasticSearchTool();
|
||||
$elasticSearchClient->pushDocument($logIndex, "log", $data);
|
||||
}
|
||||
|
||||
if (Configure::read('Security.syslog')) {
|
||||
// write to syslogd as well
|
||||
$syslog = new SysLog();
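Review bot: The new Elasticsearch branch pushes every log record with no check that `Plugin.ElasticSearch_log_index` is set and no error handling, so an empty index name or an unreachable cluster raises out of the log write and breaks the action being logged; gate it with `if (!empty($logIndex))` and treat the push as best-effort. The record shipped is the full `$data` array that this model is about to write, which presumably carries the details of the logged change, so the setting description should warn that the endpoint must use TLS and authentication when it is not loopback. The enclosing method starts outside the hunk, so whether an earlier return can skip this branch is not visible here.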
|
||||
|
|
|
@ -398,7 +398,7 @@ class Server extends AppModel {
|
|||
'attachments_dir' => array(
|
||||
'level' => 2,
|
||||
'description' => 'Directory where attachments are stored. MISP will NOT migrate the existing data if you change this setting. The only safe way to change this setting is in config.php, when MISP is not running, and after having moved/copied the existing data to the new location. This directory must already exist and be writable and readable by the MISP application.',
|
||||
'value' => 'app/files', # GUI display purpose only. Default value defined in func getDefaultAttachments_dir()
|
||||
'value' => '', # GUI display purpose only. Default value defined in func getDefaultAttachments_dir()
|
||||
'errorMessage' => '',
|
||||
'null' => false,
|
||||
'test' => 'testForWritableDir',
|
||||
|
@ -1364,6 +1364,30 @@ class Server extends AppModel {
|
|||
'test' => 'testBool',
|
||||
'type' => 'boolean'
|
||||
),
|
||||
'ElasticSearch_logging_enable' => array (
|
||||
'level' => 2,
|
||||
'description' => 'Enabled logging to an ElasticSearch instance',
|
||||
'value' => false,
|
||||
'errorMessage' => '',
|
||||
'test' => 'testBool',
|
||||
'type' => 'boolean'
|
||||
),
|
||||
'ElasticSearch_connection_string' => array(
|
||||
'level' => 2,
|
||||
'description' => 'The URL(s) at which to access ElasticSearch - comma seperate if you want to have more than one.',
|
||||
'value' => '',
|
||||
'errorMessage' => '',
|
||||
'test' => 'testForEmpty',
|
||||
'type' => 'string'
|
||||
),
|
||||
'ElasticSearch_log_index' => array(
|
||||
'level' => 2,
|
||||
'description' => 'The index in which to place logs',
|
||||
'value' => '',
|
||||
'errorMessage' => '',
|
||||
'test' => 'testForEmpty',
|
||||
'type' => 'string'
|
||||
),
|
||||
'Sightings_policy' => array(
|
||||
'level' => 1,
|
||||
'description' => 'This setting defines who will have access to seeing the reported sightings. The default setting is the event owner alone (in addition to everyone seeing their own contribution) with the other options being Sighting reporters (meaning the event owner and anyone that provided sighting data about the event) and Everyone (meaning anyone that has access to seeing the event / attribute).',
|
||||
|
@ -1697,6 +1721,11 @@ class Server extends AppModel {
|
|||
'Session' => 'Security'
|
||||
);
|
||||
|
||||
public function __construct($id = false, $table = null, $ds = null) {
|
||||
parent::__construct($id, $table, $ds);
|
||||
$this->serverSettings['MISP']['attachments_dir']['value'] = APP . '/files';
|
||||
}
|
||||
|
||||
public $validEventIndexFilters = array('searchall', 'searchpublished', 'searchorg', 'searchtag', 'searcheventid', 'searchdate', 'searcheventinfo', 'searchthreatlevel', 'searchdistribution', 'searchanalysis', 'searchattribute');
|
||||
|
||||
public function isOwnedByOrg($serverid, $org) {
|
||||
|
@ -3247,7 +3276,7 @@ class Server extends AppModel {
|
|||
|
||||
public function stixDiagnostics(&$diagnostic_errors, &$stixVersion, &$cyboxVersion, &$mixboxVersion, &$maecVersion, &$pymispVersion) {
|
||||
$result = array();
|
||||
$expected = array('stix' => '1.2.0.6', 'cybox' => '2.1.0.18.dev0', 'mixbox' => '1.0.3', 'maec' => '4.1.0.13', 'pymisp' => '>2.4.93');
|
||||
$expected = array('stix' => '1.2.0.6', 'cybox' => '2.1.0.17', 'mixbox' => '1.0.3', 'maec' => '4.1.0.13', 'pymisp' => '>2.4.93');
|
||||
// check if the STIX and Cybox libraries are working using the test script stixtest.py
|
||||
$scriptResult = shell_exec('python3 ' . APP . 'files' . DS . 'scripts' . DS . 'stixtest.py');
|
||||
$scriptResult = json_decode($scriptResult, true);
|
||||
|
@ -3863,9 +3892,18 @@ class Server extends AppModel {
|
|||
|
||||
public function update($status) {
|
||||
$final = '';
|
||||
$cleanup_commands = array(
|
||||
// (>^-^)> [hacky]
|
||||
'git checkout app/composer.json 2>&1'
|
||||
);
|
||||
foreach ($cleanup_commands as $cleanup_command) {
|
||||
$final .= $cleanup_command . "\n\n";
|
||||
exec($cleanup_command, $output);
|
||||
$final .= implode("\n", $output) . "\n\n";
|
||||
}
|
||||
$command1 = 'git pull origin ' . $status['branch'] . ' 2>&1';
|
||||
$command2 = 'git submodule update --init --recursive 2>&1';
|
||||
$final = $command1 . "\n\n";
|
||||
$final .= $command1 . "\n\n";
|
||||
exec($command1, $output);
|
||||
$final .= implode("\n", $output) . "\n\n=================================\n\n";
|
||||
$output = array();
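Review bot: In update(), the new cleanup loop captures each command's output with `exec($cleanup_command, $output)` but never resets `$output`, and exec() appends to an existing array, so the `git pull` block that follows (built by the context line `exec($command1, $output)`) repeats the checkout output; add `$output = array();` after the `$final .= implode(...)` inside the loop, mirroring the reset the original code does after command1. `git checkout app/composer.json` silently discards any local edits to composer.json before pulling, which the '[hacky]' comment acknowledges; a sentence in the method docblock saying so would save an operator from losing a customised requirement. The __construct() hunk sets `attachments_dir` to `APP . '/files'`, while the rest of the file joins on `APP . 'files'` (for example `APP . 'files' . DS . 'scripts'`), so the displayed default carries a double slash; `APP . 'files'` keeps it consistent. The ElasticSearch setting descriptions also have typos: 'Enabled logging' should be 'Enable logging' and 'comma seperate' should be 'comma-separate'.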
|
||||
|
|
|
@ -271,7 +271,7 @@ class Sighting extends AppModel {
|
|||
$tempFile->close();
|
||||
$scriptFile = APP . "files" . DS . "scripts" . DS . "stixsighting2misp.py";
|
||||
// Execute the python script and point it to the temporary filename
|
||||
$result = shell_exec('python ' . $scriptFile . ' ' . $randomFileName);
|
||||
$result = shell_exec('python3 ' . $scriptFile . ' ' . $randomFileName);
|
||||
// The result of the script will be a returned JSON object with 2 variables: success (boolean) and message
|
||||
// If success = 1 then the temporary output file was successfully written, otherwise an error message is passed along
|
||||
$result = json_decode($result, true);
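Review bot: The python3 call `shell_exec('python3 ' . $scriptFile . ' ' . $randomFileName)` concatenates both paths unquoted; `$scriptFile` is built from APP and `$randomFileName` from a temp-file name, and neither is escaped, so wrap both with `escapeshellarg()`. A null return from shell_exec (python3 missing, or the script dying before it prints) becomes `json_decode(null)` and is indistinguishable from a malformed result, so checking `$result === null` before decoding gives a clearer diagnostic to the user. The enclosing method starts and ends outside the hunk.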
|
||||
|
|
|
@ -5,6 +5,8 @@
|
|||
"kamisama/cake-resque": "@stable",
|
||||
"pear/crypt_gpg": "@stable",
|
||||
"pear/net_geoip": "@dev"
|
||||
},
|
||||
"suggest": {
|
||||
"elasticsearch/elasticsearch": "For logging to elasticsearch"
|
||||
}
|
||||
}
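Review bot: The new "suggest" entry does not say which major version of elasticsearch/elasticsearch the ElasticSearchClient tool was written against, and client-library major versions generally track the server's, so an operator following this hint may `composer require` a client that cannot talk to their cluster. Record the intended constraint in the description, e.g. `"elasticsearch/elasticsearch": "For logging to elasticsearch (tested with the client version the feature was developed against)"`, filling in the actual version.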
|
||||
|
||||
|
|
|
@ -1 +1 @@
|
|||
Subproject commit b92ab93c80b8f9e8ede7cf572f58bf2629db4c55
|
||||
Subproject commit 498c6f114bea7030090aee17cf864fd1f314a393
|
|
@ -62,8 +62,8 @@ class MISPZMQ():
|
|||
self.setup()
|
||||
if command == "status":
|
||||
print("Status command received, responding with latest stats.")
|
||||
self.r.delete("{self.namespace}:status".format(self.namespace))
|
||||
self.r.lpush("{self.namespace}:status".format(self.namespace),
|
||||
self.r.delete("{}:status".format(self.namespace))
|
||||
self.r.lpush("{}:status".format(self.namespace),
|
||||
json.dumps({"timestamp": time.time(),
|
||||
"timestampSettings": self.timestampSettings,
|
||||
"publishCount": self.publishCount}))
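Review bot: The status reply still does `delete` then `lpush` as two separate round-trips, so a consumer polling `<namespace>:status` between them sees the key missing; a pipeline makes the refresh atomic: `key = "{}:status".format(self.namespace)`, then `pipe = self.r.pipeline(); pipe.delete(key); pipe.lpush(key, payload); pipe.execute()` with the JSON payload computed once. The change from `"{self.namespace}:status".format(self.namespace)`, which raises KeyError because the field name is looked up as a keyword argument, to a positional placeholder is correct. The enclosing method starts outside the hunk.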
|
||||
|
|
|
@ -146,9 +146,9 @@ class StixBuilder():
|
|||
galaxy_type = galaxy.get('type')
|
||||
if 'attack-pattern' in galaxy_type:
|
||||
self.add_attack_pattern(galaxy)
|
||||
elif 'course' in galaxy_type:
|
||||
elif 'course-of-action' in galaxy_type:
|
||||
self.add_course_of_action(galaxy)
|
||||
elif 'intrusion' in galaxy_type:
|
||||
elif 'intrusion-set' in galaxy_type:
|
||||
self.add_intrusion_set(galaxy)
|
||||
elif 'ware' in galaxy_type:
|
||||
self.add_malware(galaxy)
|
||||
|
@ -420,7 +420,7 @@ class StixBuilder():
|
|||
killchain = self.create_killchain(category)
|
||||
labels = self.create_labels(attribute)
|
||||
attribute_value = attribute.value if attribute_type != "AS" else self.define_attribute_value(attribute.value, attribute.comment)
|
||||
pattern = mispTypesMapping[attribute_type]['pattern'](attribute_type, attribute_value, b64encode(attribute.data.getvalue()).decode()[1:-1]) if 'data' in attribute else self.define_pattern(attribute_type, attribute_value)
|
||||
pattern = mispTypesMapping[attribute_type]['pattern'](attribute_type, attribute_value, b64encode(attribute.data.getbuffer()).decode()[1:-1]) if 'data' in attribute else self.define_pattern(attribute_type, attribute_value)
|
||||
indicator_args = {'id': indicator_id, 'type': 'indicator', 'labels': labels, 'kill_chain_phases': killchain,
|
||||
'valid_from': attribute.timestamp, 'created_by_ref': self.identity_id, 'pattern': pattern}
|
||||
if hasattr(attribute, 'comment') and attribute.comment:
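Review bot: The `.decode()[1:-1]` on the changed line removes the first and last character of the base64 text, since `b64encode(...).decode()` yields the bare encoding with no surrounding quotes; unless that truncation is intentional, the exported pattern will not decode back to the original attribute data and the slice should go. The same slice survives on the new lines of the hunks at 737, 765 and 818, so a round-trip check of one exported sample would settle it for all four. `getbuffer()` is fine here because the memoryview is consumed by `b64encode` immediately and not kept, though the BytesIO cannot be resized while such an export is alive. The enclosing method starts and ends outside the hunk.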
|
||||
|
@ -446,7 +446,7 @@ class StixBuilder():
|
|||
timestamp = attribute.timestamp
|
||||
labels = self.create_labels(attribute)
|
||||
attribute_value = attribute.value if attribute_type != "AS" else self.define_attribute_value(attribute.value, attribute.comment)
|
||||
observable = mispTypesMapping[attribute_type]['observable'](attribute_type, attribute_value, b64encode(attribute.data.getvalue())) if 'data' in attribute else self.define_observable(attribute_type, attribute_value)
|
||||
observable = mispTypesMapping[attribute_type]['observable'](attribute_type, attribute_value, b64encode(attribute.data.getbuffer())) if 'data' in attribute else self.define_observable(attribute_type, attribute_value)
|
||||
observed_data_args = {'id': observed_data_id, 'type': 'observed-data', 'number_observed': 1,
|
||||
'first_observed': timestamp, 'last_observed': timestamp, 'labels': labels,
|
||||
'created_by_ref': self.identity_id, 'objects': observable}
|
||||
|
@ -737,7 +737,7 @@ class StixBuilder():
|
|||
except:
|
||||
mapping = "x_misp_{}_{}".format(attribute.type, relation)
|
||||
if relation in ('eml', 'screenshot'):
|
||||
message[mapping] = {'value': attribute_value, 'data': b64encode(attribute.data.getvalue()).decode()[1:-1]}
|
||||
message[mapping] = {'value': attribute_value, 'data': b64encode(attribute.data.getbuffer()).decode()[1:-1]}
|
||||
else:
|
||||
message[mapping] = attribute_value
|
||||
if reply_to and 'additional_header_fields' in message:
|
||||
|
@ -765,7 +765,7 @@ class StixBuilder():
|
|||
stix_type = "'x_misp_{}_{}'".format(attribute.type, relation)
|
||||
if relation in ('eml', 'screenshot'):
|
||||
stix_type_data = "{}.data".format(stix_type)
|
||||
pattern += pattern_mapping.format(email_type, stix_type_data, b64encode(attribute.data.getvalue()).decode()[1:-1])
|
||||
pattern += pattern_mapping.format(email_type, stix_type_data, b64encode(attribute.data.getbuffer()).decode()[1:-1])
|
||||
stix_type += ".value"
|
||||
pattern += pattern_mapping.format(email_type, stix_type, attribute.value)
|
||||
return "[{}]".format(pattern[:-5])
|
||||
|
@ -785,7 +785,7 @@ class StixBuilder():
|
|||
malware_sample['filename'] = filename
|
||||
malware_sample['md5'] = md5
|
||||
if attribute.data:
|
||||
observable[str(n_object)] = {'type': 'artifact', 'payload_bin': b64encode(attribute.data.getvalue())}
|
||||
observable[str(n_object)] = {'type': 'artifact', 'payload_bin': b64encode(attribute.data.getbuffer())}
|
||||
observable_file['content_ref'] = str(n_object)
|
||||
n_object += 1
|
||||
elif attribute_type in ('filename', 'md5'):
|
||||
|
@ -818,7 +818,7 @@ class StixBuilder():
|
|||
malware_sample['filename'] = filename
|
||||
malware_sample['md5'] = md5
|
||||
if attribute.data:
|
||||
pattern += "{} AND ".format(pattern_attachment('', b64encode(attribute.data.getvalue()).decode()[1:-1])[1:-1])
|
||||
pattern += "{} AND ".format(attribute_data_pattern(b64encode(attribute.data.getbuffer()).decode()[1:-1]))
|
||||
elif attribute_type in ("filename", "md5"):
|
||||
d_pattern[attribute_type] = attribute.value
|
||||
else:
|
||||
|
@ -840,17 +840,17 @@ class StixBuilder():
|
|||
ip_address = {}
|
||||
domain = {}
|
||||
for attribute in attributes:
|
||||
attribute_type = attribute.type
|
||||
relation = attribute.object_relation
|
||||
attribute_value = attribute.value
|
||||
if attribute_type == 'ip-dst':
|
||||
if relation == 'ip':
|
||||
ip_address['type'] = define_address_type(attribute_value)
|
||||
ip_address['value'] = attribute_value
|
||||
elif attribute_type == 'domain':
|
||||
elif relation == 'domain':
|
||||
domain['type'] = 'domain-name'
|
||||
domain['value'] = attribute_value
|
||||
else:
|
||||
try:
|
||||
observable_type = ipPortObjectMapping[attribute_type][attribute.object_relation]
|
||||
observable_type = ipPortObjectMapping[relation]
|
||||
except:
|
||||
continue
|
||||
observable[observable_type] = attribute_value
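Review bot: The bare `except:` around `observable_type = ipPortObjectMapping[relation]` (and the same construct in the resolve_ip_port_pattern hunk at 892) hides more than the missing-key case the `continue` is meant to handle — an AttributeError from a malformed attribute or a KeyboardInterrupt is silently swallowed too; `except KeyError:` is the lookup failure actually expected here. With the mapping now keyed only by object relation, an attribute whose relation is unknown is dropped without trace, so a debug message before the `continue` would help when an export comes out missing fields. The enclosing method starts outside the hunk.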
|
||||
|
@ -892,19 +892,21 @@ class StixBuilder():
|
|||
def resolve_ip_port_pattern(attributes):
|
||||
pattern = ""
|
||||
for attribute in attributes:
|
||||
attribute_type = attribute.type
|
||||
relation = attribute.object_relation
|
||||
attribute_value = attribute.value
|
||||
if attribute_type == 'domain':
|
||||
pattern += objectsMapping['domain-ip']['pattern'].format(ipPortObjectMapping[attribute_type], attribute_value)
|
||||
if relation == 'domain':
|
||||
mapping_type = 'domain-ip'
|
||||
stix_type = ipPortObjectMapping[relation]
|
||||
elif relation == 'ip':
|
||||
mapping_type = 'ip-port'
|
||||
stix_type = ipPortObjectMapping[relation].format(define_address_type(attribute_value))
|
||||
else:
|
||||
try:
|
||||
try:
|
||||
stix_type = ipPortObjectMapping[attribute_type][attribute.object_relation]
|
||||
except:
|
||||
stix_type = ipPortObjectMapping[attribute_type].format(define_address_type(attribute_value))
|
||||
stix_type = ipPortObjectMapping[relation]
|
||||
mapping_type = 'ip-port'
|
||||
except:
|
||||
continue
|
||||
pattern += objectsMapping['ip-port']['pattern'].format(stix_type, attribute_value)
|
||||
pattern += objectsMapping[mapping_type]['pattern'].format(stix_type, attribute_value)
|
||||
return "[{}]".format(pattern[:-5])
|
||||
|
||||
@staticmethod
|
||||
|
|
|
@ -305,9 +305,9 @@ emailObjectMapping = {'email-body': {'email_type': 'message', 'stix_type': 'body
|
|||
|
||||
fileMapping = {'hashes': "hashes.'{0}'", 'size-in-bytes': 'size', 'filename': 'name', 'mime-type': 'mime_type'}
|
||||
|
||||
ipPortObjectMapping = {'ip-dst': network_traffic_dst_ref,
|
||||
'port': {'src-port': 'src_port', 'dst-port': 'dst_port'},
|
||||
'datetime': {'first-seen': 'start', 'last-seen': 'end'},
|
||||
ipPortObjectMapping = {'ip': network_traffic_dst_ref,
|
||||
'src-port': 'src_port', 'dst-port': 'dst_port',
|
||||
'first-seen': 'start', 'last-seen': 'end',
|
||||
'domain': 'value'}
|
||||
|
||||
networkSocketMapping = {'address-family': 'address_family', 'domain-family': 'protocol_family',
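Review bot: The flattened `ipPortObjectMapping` is now keyed by object relation rather than by attribute type, and the `'ip'` entry is evidently a format template (the resolve_ip_port_pattern hunk earlier in this commit calls `.format(define_address_type(...))` on it) while the other values are literal STIX property names; that mixed contract deserves a comment above the literal, e.g. `# keyed by MISP object_relation; 'ip' is a format template taking the address type, the rest are STIX property names`. Any remaining caller that still indexes the old two-level shape (`ipPortObjectMapping['port'][...]`) will now raise KeyError, so it is worth checking for other users of the removed keys `ip-dst`, `port` and `datetime`.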
|
||||
|
|
|
@ -1 +1 @@
|
|||
Subproject commit 43e82c6b25bd61c89b889a8262354c3f2e4f62ac
|
||||
Subproject commit e597831a25c2a2f8bf08320420efee4dbb386389
|