Merge remote-tracking branch 'upstream/2.4' into sharingGraph

pull/3449/head
Sami Mokaddem 2018-07-12 14:47:14 +00:00
commit 225c34ef0b
29 changed files with 44070 additions and 5001 deletions


@ -339,10 +339,6 @@ doas openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
-subj "/C=<Country>/ST=<State>/L=<Locality>/O=<Organization>/OU=<Organizational Unit Name>/CN=<QDN.here>/emailAddress=admin@<your.FQDN.here>" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
doas openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
-subj "/C=LU/ST=Lxu/L=Lux/O=Test/CN=192.168.99.50/emailAddress=admin@admin.test" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
# Otherwise, copy the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to /etc/ssl/private/. (Modify path and config to fit your environment)
doas mkdir /var/log/apache2/
@ -505,4 +501,4 @@ Optional features
# ZeroMQ depends on the Python client for Redis
```
doas pkg_add -v py3-zmq
```
```
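Review bot: The replacement `openssl req` subject appears to hard-code `CN=192.168.99.50` and `emailAddress=admin@admin.test` where the previous version had `<your.FQDN.here>`-style placeholders, so a reader who copies the block verbatim generates a ten-year self-signed certificate whose CN does not match their own host, and the comment on the following line does not say to adjust it. Either keep the placeholder form for the CN, or prefix the block with `# Replace CN and emailAddress with your own FQDN and contact address before running` so the example values are clearly samples.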


@ -10,6 +10,10 @@ Some configurables used below:
```
# MISP configuration variables
PATH_TO_MISP='/var/www/MISP'
CAKE="$PATH_TO_MISP/app/Console/cake"
MISP_BASEURL=''
MISP_LIVE='1'
# Database configuration
DBHOST='localhost'
@ -20,23 +24,20 @@ DBUSER_MISP='misp'
DBPASSWORD_MISP="$(openssl rand -hex 32)"
# Webserver configuration
PATH_TO_MISP='/var/www/MISP'
MISP_BASEURL=''
MISP_LIVE='1'
FQDN='localhost'
# OpenSSL configuration
OPENSSL_CN='Common Name'
OPENSSL_C='LU'
OPENSSL_ST='State'
OPENSSL_L='Location'
OPENSSL_O='Organization'
OPENSSL_OU='Organizational Unit'
OPENSSL_CN='Common Name'
OPENSSL_EMAILADDRESS='info@localhost'
# GPG configuration
GPG_REAL_NAME='Autogenerated Key'
GPG_COMMENT='WARNING: MISP AutoGenerated VM consider this Key VOID!'
GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
GPG_EMAIL_ADDRESS='admin@admin.test'
GPG_KEY_LENGTH='2048'
GPG_PASSPHRASE='Password1234'
@ -47,6 +48,9 @@ post_max_size=50M
max_execution_time=300
memory_limit=512M
PHP_INI=/etc/php/7.0/apache2/php.ini
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
echo "User (misp) DB Password: $DBPASSWORD_MISP"
```
1/ Minimal Debian install
@ -103,6 +107,11 @@ libapache2-mod-php7.0 php7.0 php7.0-cli php7.0-dev php7.0-json php7.0-xml php7.0
python3-dev python3-pip libpq5 libjpeg-dev libfuzzy-dev ruby asciidoctor \
libxml2-dev libxslt1-dev zlib1g-dev python3-setuptools
# Start rng-tools to get more entropy (optional)
# If you get TPM errors, enable "Security chip" in BIOS (keep secure boot disabled)
sudo apt install rng-tools
sudo service rng-tools start
# Secure the MariaDB installation (especially by setting a strong root password)
sudo mysql_secure_installation
@ -324,10 +333,10 @@ class DATABASE_CONFIG {
sudo chown -R www-data:www-data $PATH_TO_MISP/app/Config
sudo chmod -R 750 $PATH_TO_MISP/app/Config
# Set some MISP directives with the command line tool
sudo $PATH_TO_MISP/app/Console/cake Live $MISP_LIVE
sudo $CAKE Live $MISP_LIVE
# Change base url
sudo $PATH_TO_MISP/app/Console/cake Baseurl $MISP_BASEURL
sudo $CAKE Baseurl $MISP_BASEURL
# example: 'baseurl' => 'https://<your.FQDN.here>',
# alternatively, you can leave this field empty if you would like to use relative pathing in MISP
@ -358,7 +367,7 @@ sudo -u www-data gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-k
# The email address should match the one set in the config.php / set in the configuration menu in the administration menu configuration file
# And export the public key to the webroot
sudo -u www-data sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS > $PATH_TO_MISP/MISP/app/webroot/gpg.asc"
sudo -u www-data sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS" | sudo -u www-data tee $PATH_TO_MISP/app/webroot/gpg.asc
# To make the background workers start on boot
sudo chmod +x $PATH_TO_MISP/app/Console/worker/start.sh
@ -370,77 +379,127 @@ then
fi
# Initialize user and fetch Auth Key
sudo -E $PATH_TO_MISP/app/Console/cake userInit -q
sudo -E $CAKE userInit -q
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
# Setup some more MISP default via cake CLI
# Tune global time outs
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Session.autoRegenerate" 0
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Session.timeout" 600
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Session.cookie_timeout" 3600
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
sudo $CAKE Admin setSetting "Session.timeout" 600
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
# Enable GnuPG
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "GnuPG.email" "admin@admin.test"
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "GnuPG.homedir" "/var/www/MISP/.gnupg"
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "GnuPG.password" "Password1234"
sudo $CAKE Admin setSetting "GnuPG.email" "admin@admin.test"
sudo $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
sudo $CAKE Admin setSetting "GnuPG.password" "Password1234"
# Enable Enrichment set better timeouts
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_timeout" 300
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_timeout" 150
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_cve_enabled" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_dns_enabled" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
sudo $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
# Enable Import modules set better timout
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_timeout" 300
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_ocr_enabled" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_csvimport_enabled" true
sudo $CAKE Admin setSetting "Plugin.Import_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Import_services_port" 6666
sudo $CAKE Admin setSetting "Plugin.Import_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
sudo $CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
# Enable Export modules set better timout
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Export_timeout" 300
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Export_pdfexport_enabled" true
sudo $CAKE Admin setSetting "Plugin.Export_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Export_services_port" 6666
sudo $CAKE Admin setSetting "Plugin.Export_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
# Enable installer org and tune some configurables
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.host_org_id" 1
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.email" "info@admin.test"
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.disable_emailing" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.contact" "info@admin.test"
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.disablerestalert" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.showCorrelationsOnIndex" true
sudo $CAKE Admin setSetting "MISP.host_org_id" 1
sudo $CAKE Admin setSetting "MISP.email" "info@admin.test"
sudo $CAKE Admin setSetting "MISP.disable_emailing" true
sudo $CAKE Admin setSetting "MISP.contact" "info@admin.test"
sudo $CAKE Admin setSetting "MISP.disablerestalert" true
sudo $CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true
# Provisional Cortex tunes
sudo $CAKE Admin setSetting "Plugin.Cortex_services_enable" false
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
sudo $CAKE Admin setSetting "Plugin.Cortex_timeout" 120
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
sudo $CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120
sudo $CAKE Admin setSetting "Plugin.Cortex_services_authkey" ""
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true
# Various plugin sightings settings
sudo $CAKE Admin setSetting "Plugin.Sightings_policy" 0
sudo $CAKE Admin setSetting "Plugin.Sightings_anonymise" false
sudo $CAKE Admin setSetting "Plugin.Sightings_range" 365
# Plugin CustomAuth tuneable
sudo $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
# RPZ Plugin settings
sudo $CAKE Admin setSetting "Plugin.RPZ_policy" "DROP"
sudo $CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00"
sudo $CAKE Admin setSetting "Plugin.RPZ_refresh" "2h"
sudo $CAKE Admin setSetting "Plugin.RPZ_retry" "30m"
sudo $CAKE Admin setSetting "Plugin.RPZ_expiry" "30d"
sudo $CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
sudo $CAKE Admin setSetting "Plugin.RPZ_ttl" "1w"
sudo $CAKE Admin setSetting "Plugin.RPZ_ns" "localhost."
sudo $CAKE Admin setSetting "Plugin.RPZ_ns_alt" ""
sudo $CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost"
# Force defaults to make MISP Server Settings less RED
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.language" "eng"
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.proposals_block_attributes" false
sudo $CAKE Admin setSetting "MISP.language" "eng"
sudo $CAKE Admin setSetting "MISP.proposals_block_attributes" false
## Redis block
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_host" "127.0.0.1"
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_port" 6379
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_database" 13
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_password" ""
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false
sudo $CAKE Admin setSetting "MISP.redis_host" "127.0.0.1"
sudo $CAKE Admin setSetting "MISP.redis_port" 6379
sudo $CAKE Admin setSetting "MISP.redis_database" 13
sudo $CAKE Admin setSetting "MISP.redis_password" ""
# Force defaults to make MISP Server Settings less YELLOW
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.ssdeep_correlation_threshold" 40
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.extended_alert_subject" false
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.default_event_threat_level" 4
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.enableEventBlacklisting" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.enableOrgBlacklisting" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.log_client_ip" false
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.log_auth" false
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.disableUserSelfManagement" false
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_event_alert" false
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert" false
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert_age" ""
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.incoming_tags_disabled_by_default" false
sudo $CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40
sudo $CAKE Admin setSetting "MISP.extended_alert_subject" false
sudo $CAKE Admin setSetting "MISP.default_event_threat_level" 4
sudo $CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo $CAKE Admin setSetting "MISP.enableEventBlacklisting" true
sudo $CAKE Admin setSetting "MISP.enableOrgBlacklisting" true
sudo $CAKE Admin setSetting "MISP.log_client_ip" false
sudo $CAKE Admin setSetting "MISP.log_auth" false
sudo $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
sudo $CAKE Admin setSetting "MISP.block_event_alert" false
sudo $CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
sudo $CAKE Admin setSetting "MISP.block_old_event_alert" false
sudo $CAKE Admin setSetting "MISP.block_old_event_alert_age" ""
sudo $CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false
sudo $CAKE Admin setSetting "MISP.footermidleft" "This is an initial install"
sudo $CAKE Admin setSetting "MISP.footermidright" "Please configure and harden accordingly"
sudo $CAKE Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure"
sudo $CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP, change this message in MISP Settings"
# Force defaults to make MISP Server Settings less GREEN
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Security.password_policy_length" 12
sudo $CAKE Admin setSetting "Security.password_policy_length" 12
sudo $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
# Tune global time outs
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
sudo $CAKE Admin setSetting "Session.timeout" 600
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
# Now log in using the webinterface:
# The default user/pass = admin@admin.test/admin
@ -452,21 +511,23 @@ sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Security.password_policy_l
# Don't forget to change the email, password and authentication key after installation.
# Set MISP Live
sudo $PATH_TO_MISP/app/Console/cake Live $MISP_LIVE
sudo $CAKE Live $MISP_LIVE
# Update the galaxies…
sudo $PATH_TO_MISP/app/Console/cake Admin updateGalaxies
sudo $CAKE Admin updateGalaxies
# Updating the taxonomies…
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/taxonomies/update
sudo $CAKE Admin updateTaxonomies
# Updating the warning lists…
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/warninglists/update
sudo $CAKE Admin updateWarningLists
# Updating the notice lists…
## sudo $CAKE Admin updateNoticeLists
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update
# Updating the object templates…
##sudo $CAKE Admin updateObjectTemplates
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update
# Add the following lines before the last line (exit 0). Make sure that you replace www-data with your apache user:
@ -508,6 +569,9 @@ sudo chown -R www-data:www-data $PATH_TO_MISP/<directory path with an indicated
# $PATH_TO_MISP/app/tmp/logs/resque-scheduler-error.log
# $PATH_TO_MISP/app/tmp/logs/resque-2015-01-01.log // where the actual date is the current date
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
echo "User (misp) DB Password: $DBPASSWORD_MISP"
Recommended actions
-------------------
@ -527,12 +591,6 @@ Optional features
# ZeroMQ depends on the Python client for Redis
sudo pip3 install redis
# Debian has an ancient version of ZeroMQ, so manually install a current version
## Install ZeroMQ and prerequisites
sudo apt-get install pkg-config
cd /usr/local/src/
## install pyzmq
sudo pip3 install pyzmq
@ -592,21 +650,27 @@ sudo a2ensite misp-dashboard
# Enable ZeroMQ for misp-dashboard
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost"
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq"
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false
Install viper framework
-----------------------
/!\ Has libyara issues
cd /usr/local/src/
sudo apt-get install -y libssl-dev swig python3-ssdeep p7zip-full unrar-free sqlite python3-pyclamd exiftool radare2
sudo pip3 install SQLAlchemy PrettyTable python-magic
@ -615,6 +679,7 @@ cd viper
sudo git submodule init
sudo git submodule update
sudo pip3 install -r requirements.txt
sudo pip3 uninstall yara -y
/usr/local/src/viper/viper-cli -h
/usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &
echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/src/viper"' |sudo tee /etc/environment
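Review bot: In the `@ -370,77 +379,127 @@` hunk the rewritten GnuPG settings still hard-code `"admin@admin.test"` and `"Password1234"` even though this guide's variables block defines `GPG_EMAIL_ADDRESS` and `GPG_PASSPHRASE`, so a reader who changes the passphrase at the top ends up with the default passphrase stored in MISP's config and a key MISP cannot unlock; prefer `sudo $CAKE Admin setSetting "GnuPG.email" "$GPG_EMAIL_ADDRESS"` and `sudo $CAKE Admin setSetting "GnuPG.password" "$GPG_PASSPHRASE"`. The newly added Cortex block turns TLS verification off by default (`Plugin.Cortex_ssl_verify_peer false`, `Plugin.Cortex_ssl_verify_host false`, `Plugin.Cortex_ssl_allow_self_signed true`) while `Plugin.Cortex_services_enable` is `false`, so the relaxed settings silently take effect the moment the integration is later enabled against a remote host; defaulting them to the verifying values, or adding `# Relax only for a local, self-signed Cortex instance` above them, keeps that choice explicit. The `Session.autoRegenerate`/`Session.timeout`/`Session.cookie_timeout` trio is now emitted twice in the same hunk (after the userInit step and again after the password-policy lines); the second copy can be dropped. Unchanged context, but worth raising while the block is being reworked: `-p$DBPASSWORD_MISP` on the `mysql` command line exposes the database password in the process list for the duration of the query, and a `--defaults-extra-file` with a mode-600 temporary file avoids that. The same points apply to the php7.2 guide's matching hunk (`@ -373,77 +382,127 @@`), whose file section runs past the end of this page.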


@ -12,6 +12,10 @@ Some configurables used below:
```
# MISP configuration variables
PATH_TO_MISP='/var/www/MISP'
CAKE="$PATH_TO_MISP/app/Console/cake"
MISP_BASEURL=''
MISP_LIVE='1'
# Database configuration
DBHOST='localhost'
@ -22,18 +26,15 @@ DBUSER_MISP='misp'
DBPASSWORD_MISP="$(openssl rand -hex 32)"
# Webserver configuration
PATH_TO_MISP='/var/www/MISP'
MISP_BASEURL=''
MISP_LIVE='1'
FQDN='localhost'
# OpenSSL configuration
OPENSSL_CN='Common Name'
OPENSSL_C='LU'
OPENSSL_ST='State'
OPENSSL_L='Location'
OPENSSL_O='Organization'
OPENSSL_OU='Organizational Unit'
OPENSSL_CN='Common Name'
OPENSSL_EMAILADDRESS='info@localhost'
# GPG configuration
@ -49,6 +50,9 @@ post_max_size=50M
max_execution_time=300
memory_limit=512M
PHP_INI=/etc/php/7.2/apache2/php.ini
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
echo "User (misp) DB Password: $DBPASSWORD_MISP"
```
1/ Minimal Debian install
@ -102,6 +106,11 @@ libapache2-mod-php7.2 php7.2 php7.2-cli php7.2-mbstring php-pear php7.2-dev php
python3-dev python3-pip libpq5 libjpeg-dev libfuzzy-dev ruby asciidoctor \
libxml2-dev libxslt1-dev zlib1g-dev python3-setuptools
# Start rng-tools to get more entropy (optional)
# If you get TPM errors, enable "Security chip" in BIOS (keep secure boot disabled)
sudo apt install rng-tools
sudo service rng-tools start
# Secure the MariaDB installation (especially by setting a strong root password)
sudo mysql_secure_installation
@ -116,7 +125,7 @@ sudo pear channel-update pear.php.net
sudo pear install Crypt_GPG
sudo pecl channel-update pecl.php.net
sudo pecl install redis
sudo echo "extension=redis.so" > /etc/php/7.2/mods-available/redis.ini
echo "extension=redis.so" | sudo tee /etc/php/7.2/mods-available/redis.ini
# Switch to python3 by default (optional)
@ -327,10 +336,10 @@ class DATABASE_CONFIG {
sudo chown -R www-data:www-data $PATH_TO_MISP/app/Config
sudo chmod -R 750 $PATH_TO_MISP/app/Config
# Set some MISP directives with the command line tool
sudo $PATH_TO_MISP/app/Console/cake Live $MISP_LIVE
sudo $CAKE Live $MISP_LIVE
# Change base url
sudo $PATH_TO_MISP/app/Console/cake Baseurl $MISP_BASEURL
sudo $CAKE Baseurl $MISP_BASEURL
# example: 'baseurl' => 'https://<your.FQDN.here>',
# alternatively, you can leave this field empty if you would like to use relative pathing in MISP
@ -361,7 +370,7 @@ sudo -u www-data gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-k
# The email address should match the one set in the config.php / set in the configuration menu in the administration menu configuration file
# And export the public key to the webroot
sudo -u www-data sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS > $PATH_TO_MISP/MISP/app/webroot/gpg.asc"
sudo -u www-data sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS" | sudo -u www-data tee $PATH_TO_MISP/app/webroot/gpg.asc
# To make the background workers start on boot
sudo chmod +x $PATH_TO_MISP/app/Console/worker/start.sh
@ -373,77 +382,127 @@ then
fi
# Initialize user and fetch Auth Key
sudo -E $PATH_TO_MISP/app/Console/cake userInit -q
sudo -E $CAKE userInit -q
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
# Setup some more MISP default via cake CLI
# Tune global time outs
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Session.autoRegenerate" 0
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Session.timeout" 600
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Session.cookie_timeout" 3600
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
sudo $CAKE Admin setSetting "Session.timeout" 600
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
# Enable GnuPG
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "GnuPG.email" "admin@admin.test"
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "GnuPG.password" "Password1234"
sudo $CAKE Admin setSetting "GnuPG.email" "admin@admin.test"
sudo $CAKE Admin setSetting "GnuPG.homedir" "$PATH_TO_MISP/.gnupg"
sudo $CAKE Admin setSetting "GnuPG.password" "Password1234"
# Enable Enrichment set better timeouts
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_services_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_timeout" 300
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_hover_timeout" 150
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_cve_enabled" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Enrichment_dns_enabled" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
sudo $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
# Enable Import modules set better timout
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_services_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_timeout" 300
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_ocr_enabled" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Import_csvimport_enabled" true
sudo $CAKE Admin setSetting "Plugin.Import_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Import_services_port" 6666
sudo $CAKE Admin setSetting "Plugin.Import_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
sudo $CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
# Enable Export modules set better timout
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Export_services_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Export_timeout" 300
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Export_pdfexport_enabled" true
sudo $CAKE Admin setSetting "Plugin.Export_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Export_services_port" 6666
sudo $CAKE Admin setSetting "Plugin.Export_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
# Enable installer org and tune some configurables
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.host_org_id" 1
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.email" "info@admin.test"
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.disable_emailing" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.contact" "info@admin.test"
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.disablerestalert" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.showCorrelationsOnIndex" true
sudo $CAKE Admin setSetting "MISP.host_org_id" 1
sudo $CAKE Admin setSetting "MISP.email" "info@admin.test"
sudo $CAKE Admin setSetting "MISP.disable_emailing" true
sudo $CAKE Admin setSetting "MISP.contact" "info@admin.test"
sudo $CAKE Admin setSetting "MISP.disablerestalert" true
sudo $CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true
# Provisional Cortex tunes
sudo $CAKE Admin setSetting "Plugin.Cortex_services_enable" false
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
sudo $CAKE Admin setSetting "Plugin.Cortex_timeout" 120
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
sudo $CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120
sudo $CAKE Admin setSetting "Plugin.Cortex_services_authkey" ""
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true
# Various plugin sightings settings
sudo $CAKE Admin setSetting "Plugin.Sightings_policy" 0
sudo $CAKE Admin setSetting "Plugin.Sightings_anonymise" false
sudo $CAKE Admin setSetting "Plugin.Sightings_range" 365
# Plugin CustomAuth tuneable
sudo $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
# RPZ Plugin settings
sudo $CAKE Admin setSetting "Plugin.RPZ_policy" "DROP"
sudo $CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00"
sudo $CAKE Admin setSetting "Plugin.RPZ_refresh" "2h"
sudo $CAKE Admin setSetting "Plugin.RPZ_retry" "30m"
sudo $CAKE Admin setSetting "Plugin.RPZ_expiry" "30d"
sudo $CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
sudo $CAKE Admin setSetting "Plugin.RPZ_ttl" "1w"
sudo $CAKE Admin setSetting "Plugin.RPZ_ns" "localhost."
sudo $CAKE Admin setSetting "Plugin.RPZ_ns_alt" ""
sudo $CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost"
# Force defaults to make MISP Server Settings less RED
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.language" "eng"
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.proposals_block_attributes" false
sudo $CAKE Admin setSetting "MISP.language" "eng"
sudo $CAKE Admin setSetting "MISP.proposals_block_attributes" false
## Redis block
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_host" "127.0.0.1"
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_port" 6379
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_database" 13
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.redis_password" ""
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false
sudo $CAKE Admin setSetting "MISP.redis_host" "127.0.0.1"
sudo $CAKE Admin setSetting "MISP.redis_port" 6379
sudo $CAKE Admin setSetting "MISP.redis_database" 13
sudo $CAKE Admin setSetting "MISP.redis_password" ""
# Force defaults to make MISP Server Settings less YELLOW
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.ssdeep_correlation_threshold" 40
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.extended_alert_subject" false
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.default_event_threat_level" 4
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.enableEventBlacklisting" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.enableOrgBlacklisting" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.log_client_ip" false
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.log_auth" false
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.disableUserSelfManagement" false
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_event_alert" false
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert" false
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert_age" ""
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "MISP.incoming_tags_disabled_by_default" false
sudo $CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40
sudo $CAKE Admin setSetting "MISP.extended_alert_subject" false
sudo $CAKE Admin setSetting "MISP.default_event_threat_level" 4
sudo $CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo $CAKE Admin setSetting "MISP.enableEventBlacklisting" true
sudo $CAKE Admin setSetting "MISP.enableOrgBlacklisting" true
sudo $CAKE Admin setSetting "MISP.log_client_ip" false
sudo $CAKE Admin setSetting "MISP.log_auth" false
sudo $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
sudo $CAKE Admin setSetting "MISP.block_event_alert" false
sudo $CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
sudo $CAKE Admin setSetting "MISP.block_old_event_alert" false
sudo $CAKE Admin setSetting "MISP.block_old_event_alert_age" ""
sudo $CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false
sudo $CAKE Admin setSetting "MISP.footermidleft" "This is an initial install"
sudo $CAKE Admin setSetting "MISP.footermidright" "Please configure and harden accordingly"
sudo $CAKE Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure"
sudo $CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP, change this message in MISP Settings"
# Force defaults to make MISP Server Settings less GREEN
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Security.password_policy_length" 12
sudo $CAKE Admin setSetting "Security.password_policy_length" 12
sudo $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
# Tune global time outs
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
sudo $CAKE Admin setSetting "Session.timeout" 600
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
# Now log in using the webinterface:
# The default user/pass = admin@admin.test/admin
@ -455,28 +514,30 @@ sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Security.password_policy_l
# Don't forget to change the email, password and authentication key after installation.
# Set MISP Live
sudo $PATH_TO_MISP/app/Console/cake Live $MISP_LIVE
sudo $CAKE Live $MISP_LIVE
# Update the galaxies…
sudo $PATH_TO_MISP/app/Console/cake Admin updateGalaxies
sudo $CAKE Admin updateGalaxies
# Updating the taxonomies…
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/taxonomies/update
sudo $CAKE Admin updateTaxonomies
# Updating the warning lists…
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/warninglists/update
sudo $CAKE Admin updateWarningLists
# Updating the notice lists…
## sudo $CAKE Admin updateNoticeLists
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update
# Updating the object templates…
##sudo $CAKE Admin updateObjectTemplates
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update
# Add the following lines before the last line (exit 0). Make sure that you replace www-data with your apache user:
sudo sed -i -e '$i \echo never > /sys/kernel/mm/transparent_hugepage/enabled\n' /etc/rc.local
sudo sed -i -e '$i \echo 1024 > /proc/sys/net/core/somaxconn\n' /etc/rc.local
sudo sed -i -e '$i \sysctl vm.overcommit_memory=1\n' /etc/rc.local
sudo sed -i -e '$i \sudo -u www-data bash $PATH_TO_MISP/app/Console/worker/start.sh\n' /etc/rc.local
sudo sed -i -e '$i \sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh\n' /etc/rc.local
sudo sed -i -e '$i \sudo -u www-data misp-modules -l 0.0.0.0 -s &\n' /etc/rc.local
# Start the workers
@ -511,6 +572,9 @@ sudo chown -R www-data:www-data $PATH_TO_MISP/<directory path with an indicated
# $PATH_TO_MISP/app/tmp/logs/resque-scheduler-error.log
# $PATH_TO_MISP/app/tmp/logs/resque-2015-01-01.log // where the actual date is the current date
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
echo "User (misp) DB Password: $DBPASSWORD_MISP"
Recommended actions
-------------------
@ -528,16 +592,10 @@ Optional features
# MISP has a new pub/sub feature, using ZeroMQ. To enable it, simply run the following commands
# ZeroMQ depends on the Python client for Redis
sudo pip3 install redis
# Debian has an ancient version of ZeroMQ, so manually install a current version
## Install ZeroMQ and prerequisites
sudo apt-get install pkg-config
cd /usr/local/src/
sudo apt install python3-redis -y
## install pyzmq
sudo pip3 install pyzmq
sudo apt install python3-zmq -y
MISP Dashboard
@ -592,24 +650,31 @@ echo "<VirtualHost *:8001>
</VirtualHost>" | sudo tee /etc/apache2/sites-available/misp-dashboard.conf
sudo a2ensite misp-dashboard
## Failing
sudo systemctl reload apache2
# Enable ZeroMQ for misp-dashboard
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
sudo $PATH_TO_MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost"
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq"
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false
Install viper framework
-----------------------
/!\ Has libyara issues
cd /usr/local/src/
sudo apt-get install -y libssl-dev swig python3-ssdeep p7zip-full unrar-free sqlite python3-pyclamd exiftool radare2
sudo pip3 install SQLAlchemy PrettyTable python-magic
@ -618,6 +683,7 @@ cd viper
sudo git submodule init
sudo git submodule update
sudo pip3 install -r requirements.txt
sudo pip3 uninstall yara -y
/usr/local/src/viper/viper-cli -h
/usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &
echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/src/viper"' |sudo tee /etc/environment


@ -0,0 +1,67 @@
# It's possible to send all logs from MISP to an elasticsearch
# endpoint
# First, we'll need an ES PHP library
# Replace according to your requirements
export MISP_DIR=/var/www/MISP
cd $MISP_DIR/app
sudo -u www-data php composer.phar require elasticsearch/elasticsearch
# Ok now we need to configure where we log to
#
# In Administration -> Server Settings & Maintenance -> Plugin Settings
# Under the elasticsearch tab, enable elasticsearch logging, and input
# your connection string
# Note that explicitly specifying the port may be needed, e.g. for AWS instances
# running on 443.
# Also input a log index - all logs will be thrown at this index.
# Now give ES a template to work from
cat << EOF > misp_es_template.json
{
"template": "misp_logging",
"mappings": {
"log": {
"_source": {
"enabled": true
},
"properties": {
"Log.email": {
"type": "keyword"
},
"Log.title": {
"type": "text"
},
"Log.ip": {
"type": "ip"
},
"Log.created": {
"format": "YYYY-MM-dd HH:mm:ss",
"type": "date"
},
"Log.description": {
"type": "text"
},
"Log.org": {
"type": "text"
},
"Log.action": {
"type": "text"
},
"Log.model": {
"type": "text"
},
"Log.change": {
"type": "text"
}
}
}
}
}
EOF
# And put it to ES
curl -XPUT https://my_es/_template/misp_logging --data-binary @misp_es_template.json
# Now MISP will start sending logs to ES! Hooray!

505
INSTALL/INSTALL.kali.txt Normal file

@ -0,0 +1,505 @@
#!/usr/bin/env bash
#INSTALLATION INSTRUCTIONS
#------------------------- for Kali Linux
#
#0/ Quick MISP Instance on Kali Linux - Status
#---------------------------------------------
#
#1/ Prepare Kali with a MISP User
#--------------------------------
# useradd -s /bin/bash -m -G adm,cdrom,sudo,dip,plugdev,www-data misp
# passwd misp
# su - misp
# sh -c "$(curl -fsSL https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.kali.txt)"
# MISP configuration variables
PATH_TO_MISP='/var/www/MISP'
MISP_BASEURL=''
MISP_LIVE='1'
CAKE="$PATH_TO_MISP/app/Console/cake"
# Database configuration
DBHOST='localhost'
DBNAME='misp'
DBUSER_ADMIN='root'
DBPASSWORD_ADMIN="$(openssl rand -hex 32)"
DBUSER_MISP='misp'
DBPASSWORD_MISP="$(openssl rand -hex 32)"
# Webserver configuration
FQDN='localhost'
# OpenSSL configuration
OPENSSL_CN='localhost'
OPENSSL_C='LU'
OPENSSL_ST='State'
OPENSSL_L='Location'
OPENSSL_O='Organization'
OPENSSL_OU='Organizational Unit'
OPENSSL_EMAILADDRESS='info@localhost'
# GPG configuration
GPG_REAL_NAME='Autogenerated Key'
GPG_COMMENT='WARNING: MISP AutoGenerated Key consider this Key VOID!'
GPG_EMAIL_ADDRESS='admin@admin.test'
GPG_KEY_LENGTH='2048'
GPG_PASSPHRASE='Password1234'
# php.ini configuration
upload_max_filesize=50M
post_max_size=50M
max_execution_time=300
memory_limit=512M
PHP_INI=/etc/php/7.2/apache2/php.ini
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN"
echo "User (misp) DB Password: $DBPASSWORD_MISP"
sudo apt install -y etckeeper
sudo apt update
# Skip dist-upgrade for now, pulls in 500+ updated packages
#sudo apt -y dist-upgrade
sudo apt install -y postfix
sudo apt install -y \
curl gcc git gnupg-agent make openssl redis-server neovim zip libyara-dev python3-yara python3-redis python3-zmq \
mariadb-client \
mariadb-server \
apache2 apache2-doc apache2-utils \
libapache2-mod-php7.2 php7.2 php7.2-cli php7.2-mbstring php-pear php7.2-dev php7.2-json php7.2-xml php7.2-mysql php7.2-opcache php7.2-readline \
python3-dev python3-pip libpq5 libjpeg-dev libfuzzy-dev ruby asciidoctor \
libxml2-dev libxslt1-dev zlib1g-dev python3-setuptools
sudo apt install rng-tools -y # This might fail on TPM grounds, enable the security chip in your BIOS
sudo service rng-tools start
sudo systemctl restart mariadb.service
sudo expect -f - <<-EOF
set timeout 10
spawn mysql_secure_installation
expect "Enter current password for root (enter for none):"
send -- "\r"
expect "Set root password?"
send -- "y\r"
expect "New password:"
send -- "${DBPASSWORD_ADMIN}\r"
expect "Re-enter new password:"
send -- "${DBPASSWORD_ADMIN}\r"
expect "Remove anonymous users?"
send -- "y\r"
expect "Disallow root login remotely?"
send -- "y\r"
expect "Remove test database and access to it?"
send -- "y\r"
expect "Reload privilege tables now?"
send -- "y\r"
expect eof
EOF
sudo a2dismod status
sudo a2enmod ssl rewrite
sudo a2dissite 000-default
sudo a2ensite default-ssl
sudo pear channel-update pear.php.net
sudo pear install Crypt_GPG
sudo pecl channel-update pecl.php.net
yes '' |sudo pecl install redis
echo "extension=redis.so" | sudo tee /etc/php/7.2/mods-available/redis.ini
sudo phpenmod redis
sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.6 2
sudo mkdir $PATH_TO_MISP
sudo chown www-data:www-data $PATH_TO_MISP
cd $PATH_TO_MISP
sudo -u www-data git clone https://github.com/MISP/MISP.git $PATH_TO_MISP
sudo -u www-data git config core.filemode false
cd $PATH_TO_MISP/app/files/scripts
sudo -u www-data git clone https://github.com/CybOXProject/python-cybox.git
sudo -u www-data git clone https://github.com/STIXProject/python-stix.git
cd $PATH_TO_MISP/app/files/scripts/python-cybox
sudo pip3 install .
cd $PATH_TO_MISP/app/files/scripts/python-stix
sudo pip3 install .
cd $PATH_TO_MISP/app/files/scripts/
sudo -u www-data git clone https://github.com/CybOXProject/mixbox.git
cd $PATH_TO_MISP/app/files/scripts/mixbox
sudo pip3 install .
cd $PATH_TO_MISP
sudo -u www-data git submodule init
sudo -u www-data git submodule update
# Make git ignore filesystem permission differences for submodules
sudo -u www-data git submodule foreach git config core.filemode false
# install PyMISP
cd $PATH_TO_MISP/PyMISP
sudo pip3 install .
cd $PATH_TO_MISP/app
sudo mkdir /var/www/.composer ; sudo chown www-data:www-data /var/www/.composer
sudo -u www-data php composer.phar require kamisama/cake-resque:4.1.2
sudo -u www-data php composer.phar config vendor-dir Vendor
sudo -u www-data php composer.phar install
sudo -u www-data cp -fa $PATH_TO_MISP/INSTALL/setup/config.php $PATH_TO_MISP/app/Plugin/CakeResque/Config/config.php
sudo chown -R www-data:www-data $PATH_TO_MISP
sudo chmod -R 750 $PATH_TO_MISP
sudo chmod -R g+ws $PATH_TO_MISP/app/tmp
sudo chmod -R g+ws $PATH_TO_MISP/app/files
sudo chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "create database $DBNAME;"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant usage on *.* to $DBNAME@localhost identified by '$DBPASSWORD_MISP';"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "grant all privileges on $DBNAME.* to '$DBUSER_MISP'@'localhost';"
sudo mysql -u $DBUSER_ADMIN -p$DBPASSWORD_ADMIN -e "flush privileges;"
sudo -u www-data cat $PATH_TO_MISP/INSTALL/MYSQL.sql | mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP $DBNAME
sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 \
-subj "/C=${OPENSSL_C}/ST=${OPENSSL_ST}/L=${OPENSSL_L}/O=${OPENSSL_O}/OU=${OPENSSL_OU}/CN=${OPENSSL_CN}/emailAddress=${OPENSSL_EMAILADDRESS}" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
cd /var/www
sudo mkdir misp-dashboard
sudo chown www-data:www-data misp-dashboard
sudo -u www-data git clone https://github.com/MISP/misp-dashboard.git
cd misp-dashboard
sudo /var/www/misp-dashboard/install_dependencies.sh
sudo sed -i "s/^host\ =\ localhost/host\ =\ 0.0.0.0/g" /var/www/misp-dashboard/config/config.cfg
sudo sed -i -e '$i \sudo -u www-data bash /var/www/misp-dashboard/start_all.sh\n' /etc/rc.local
sudo -u www-data bash /var/www/misp-dashboard/start_all.sh
sudo apt install libapache2-mod-wsgi-py3 -y
echo "<VirtualHost _default_:80>
ServerAdmin admin@localhost.lu
ServerName misp.local
Redirect permanent / https://localhost
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>
<VirtualHost _default_:443>
ServerAdmin admin@localhost.lu
ServerName misp.local
DocumentRoot $PATH_TO_MISP/app/webroot
<Directory $PATH_TO_MISP/app/webroot>
Options -Indexes
AllowOverride all
Require all granted
Order allow,deny
allow from all
</Directory>
SSLEngine On
SSLCertificateFile /etc/ssl/private/misp.local.crt
SSLCertificateKeyFile /etc/ssl/private/misp.local.key
# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
</VirtualHost>" | sudo tee /etc/apache2/sites-available/misp-ssl.conf
EOF
echo "127.0.0.1 misp.local" | sudo tee -a /etc/hosts
echo "<VirtualHost *:8001>
ServerAdmin admin@misp.local
ServerName misp.local
DocumentRoot /var/www/misp-dashboard
WSGIDaemonProcess misp-dashboard \
user=misp group=misp \
python-home=/var/www/misp-dashboard/DASHENV \
processes=1 \
threads=15 \
maximum-requests=5000 \
listen-backlog=100 \
queue-timeout=45 \
socket-timeout=60 \
connect-timeout=15 \
request-timeout=60 \
inactivity-timeout=0 \
deadlock-timeout=60 \
graceful-timeout=15 \
eviction-timeout=0 \
shutdown-timeout=5 \
send-buffer-size=0 \
receive-buffer-size=0 \
header-buffer-size=0 \
response-buffer-size=0 \
server-metrics=Off
WSGIScriptAlias / /var/www/misp-dashboard/misp-dashboard.wsgi
<Directory /var/www/misp-dashboard>
WSGIProcessGroup misp-dashboard
WSGIApplicationGroup %{GLOBAL}
Require all granted
</Directory>
LogLevel info
ErrorLog /var/log/apache2/misp-dashboard.local_error.log
CustomLog /var/log/apache2/misp-dashboard.local_access.log combined
ServerSignature Off
</VirtualHost>" | sudo tee /etc/apache2/sites-available/misp-dashboard.conf
sudo a2dissite default-ssl
sudo a2ensite misp-ssl
sudo a2ensite misp-dashboard
for key in upload_max_filesize post_max_size max_execution_time max_input_time memory_limit
do
sudo sed -i "s/^\($key\).*/\1 = $(eval echo \${$key})/" $PHP_INI
done
sudo systemctl restart apache2
sudo cp $PATH_TO_MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/bootstrap.default.php $PATH_TO_MISP/app/Config/bootstrap.php
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/database.default.php $PATH_TO_MISP/app/Config/database.php
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/core.default.php $PATH_TO_MISP/app/Config/core.php
sudo -u www-data cp -a $PATH_TO_MISP/app/Config/config.default.php $PATH_TO_MISP/app/Config/config.php
echo "<?php
class DATABASE_CONFIG {
public \$default = array(
'datasource' => 'Database/Mysql',
//'datasource' => 'Database/Postgres',
'persistent' => false,
'host' => '$DBHOST',
'login' => '$DBUSER_MISP',
'port' => 3306, // MySQL & MariaDB
//'port' => 5432, // PostgreSQL
'password' => '$DBPASSWORD_MISP',
'database' => '$DBNAME',
'prefix' => '',
'encoding' => 'utf8',
);
}" | sudo -u www-data tee $PATH_TO_MISP/app/Config/database.php
sudo chown -R www-data:www-data $PATH_TO_MISP/app/Config
sudo chmod -R 750 $PATH_TO_MISP/app/Config
sudo $CAKE Live $MISP_LIVE
sudo $CAKE Baseurl $MISP_BASEURL
cat >/tmp/gen-key-script <<EOF
%echo Generating a default key
Key-Type: default
Key-Length: $GPG_KEY_LENGTH
Subkey-Type: default
Name-Real: $GPG_REAL_NAME
Name-Comment: $GPG_COMMENT
Name-Email: $GPG_EMAIL_ADDRESS
Expire-Date: 0
Passphrase: $GPG_PASSPHRASE
# Do a commit here, so that we can later print "done"
%commit
%echo done
EOF
sudo -u www-data gpg --homedir $PATH_TO_MISP/.gnupg --batch --gen-key /tmp/gen-key-script
sudo -u www-data sh -c "gpg --homedir $PATH_TO_MISP/.gnupg --export --armor $GPG_EMAIL_ADDRESS" | sudo -u www-data tee $PATH_TO_MISP/app/webroot/gpg.asc
sudo chmod +x $PATH_TO_MISP/app/Console/worker/start.sh
if [ ! -e /etc/rc.local ]
then
echo '#!/bin/sh -e' | sudo tee -a /etc/rc.local
echo 'exit 0' | sudo tee -a /etc/rc.local
sudo chmod u+x /etc/rc.local
fi
sudo -E $CAKE userInit -q
AUTH_KEY=$(mysql -u $DBUSER_MISP -p$DBPASSWORD_MISP misp -e "SELECT authkey FROM users;" | tail -1)
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" true
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_port" 50000
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost"
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_database" 1
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq"
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_include_attachments" false
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
sudo $CAKE Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" false
sudo $CAKE Admin setSetting "GnuPG.email" "admin@admin.test"
sudo $CAKE Admin setSetting "GnuPG.homedir" "/var/www/MISP/.gnupg"
sudo $CAKE Admin setSetting "GnuPG.password" "Password1234"
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_enable" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Enrichment_hover_timeout" 150
sudo $CAKE Admin setSetting "Plugin.Enrichment_cve_enabled" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_dns_enabled" true
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Enrichment_services_port" 6666
sudo $CAKE Admin setSetting "Plugin.Import_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Import_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Import_services_port" 6666
sudo $CAKE Admin setSetting "Plugin.Import_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Import_ocr_enabled" true
sudo $CAKE Admin setSetting "Plugin.Import_csvimport_enabled" true
sudo $CAKE Admin setSetting "Plugin.Export_services_enable" true
sudo $CAKE Admin setSetting "Plugin.Export_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Export_services_port" 6666
sudo $CAKE Admin setSetting "Plugin.Export_timeout" 300
sudo $CAKE Admin setSetting "Plugin.Export_pdfexport_enabled" true
sudo $CAKE Admin setSetting "MISP.host_org_id" 1
sudo $CAKE Admin setSetting "MISP.email" "info@admin.test"
sudo $CAKE Admin setSetting "MISP.disable_emailing" false
sudo $CAKE Admin setSetting "MISP.contact" "info@admin.test"
sudo $CAKE Admin setSetting "MISP.disablerestalert" true
sudo $CAKE Admin setSetting "MISP.showCorrelationsOnIndex" true
sudo $CAKE Admin setSetting "Plugin.Cortex_services_enable" false
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
sudo $CAKE Admin setSetting "Plugin.Cortex_timeout" 120
sudo $CAKE Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.Cortex_services_port" 9000
sudo $CAKE Admin setSetting "Plugin.Cortex_services_timeout" 120
sudo $CAKE Admin setSetting "Plugin.Cortex_services_authkey" ""
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_verify_host" false
sudo $CAKE Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true
sudo $CAKE Admin setSetting "Plugin.Sightings_policy" 0
sudo $CAKE Admin setSetting "Plugin.Sightings_anonymise" false
sudo $CAKE Admin setSetting "Plugin.Sightings_range" 365
sudo $CAKE Admin setSetting "Plugin.CustomAuth_disable_logout" false
sudo $CAKE Admin setSetting "Plugin.RPZ_policy" "DROP"
sudo $CAKE Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
sudo $CAKE Admin setSetting "Plugin.RPZ_serial" "\$date00"
sudo $CAKE Admin setSetting "Plugin.RPZ_refresh" "2h"
sudo $CAKE Admin setSetting "Plugin.RPZ_retry" "30m"
sudo $CAKE Admin setSetting "Plugin.RPZ_expiry" "30d"
sudo $CAKE Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
sudo $CAKE Admin setSetting "Plugin.RPZ_ttl" "1w"
sudo $CAKE Admin setSetting "Plugin.RPZ_ns" "localhost."
sudo $CAKE Admin setSetting "Plugin.RPZ_ns_alt" ""
sudo $CAKE Admin setSetting "Plugin.RPZ_email" "root.localhost"
sudo $CAKE Admin setSetting "MISP.language" "eng"
sudo $CAKE Admin setSetting "MISP.proposals_block_attributes" false
sudo $CAKE Admin setSetting "MISP.redis_host" "127.0.0.1"
sudo $CAKE Admin setSetting "MISP.redis_port" 6379
sudo $CAKE Admin setSetting "MISP.redis_database" 13
sudo $CAKE Admin setSetting "MISP.redis_password" ""
sudo $CAKE Admin setSetting "MISP.ssdeep_correlation_threshold" 40
sudo $CAKE Admin setSetting "MISP.extended_alert_subject" false
sudo $CAKE Admin setSetting "MISP.default_event_threat_level" 4
sudo $CAKE Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo $CAKE Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo $CAKE Admin setSetting "MISP.enableEventBlacklisting" true
sudo $CAKE Admin setSetting "MISP.enableOrgBlacklisting" true
sudo $CAKE Admin setSetting "MISP.log_client_ip" false
sudo $CAKE Admin setSetting "MISP.log_auth" false
sudo $CAKE Admin setSetting "MISP.disableUserSelfManagement" false
sudo $CAKE Admin setSetting "MISP.block_event_alert" false
sudo $CAKE Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
sudo $CAKE Admin setSetting "MISP.block_old_event_alert" false
sudo $CAKE Admin setSetting "MISP.block_old_event_alert_age" ""
sudo $CAKE Admin setSetting "MISP.incoming_tags_disabled_by_default" false
sudo $CAKE Admin setSetting "MISP.footermidleft" "This is an autogenerated install"
sudo $CAKE Admin setSetting "MISP.footermidright" "Please configure accordingly and do not use in production"
sudo $CAKE Admin setSetting "MISP.welcome_text_top" "Autogenerated install, please configure and harden accordingly"
sudo $CAKE Admin setSetting "MISP.welcome_text_bottom" "Welcome to MISP on Kali"
sudo $CAKE Admin setSetting "Security.password_policy_length" 12
sudo $CAKE Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
sudo $CAKE Admin setSetting "Session.autoRegenerate" 0
sudo $CAKE Admin setSetting "Session.timeout" 600
sudo $CAKE Admin setSetting "Session.cookie_timeout" 3600
sudo $CAKE Live $MISP_LIVE
sudo $CAKE Admin updateGalaxies
sudo $CAKE Admin updateTaxonomies
sudo $CAKE Admin updateWarningLists
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/noticelists/update
curl --header "Authorization: $AUTH_KEY" --header "Accept: application/json" --header "Content-Type: application/json" -k -X POST https://127.0.0.1/objectTemplates/update
sudo sed -i -e '$i \echo never > /sys/kernel/mm/transparent_hugepage/enabled\n' /etc/rc.local
sudo sed -i -e '$i \echo 1024 > /proc/sys/net/core/somaxconn\n' /etc/rc.local
sudo sed -i -e '$i \sysctl vm.overcommit_memory=1\n' /etc/rc.local
sudo sed -i -e '$i \sudo -u www-data bash /var/www/MISP/app/Console/worker/start.sh\n' /etc/rc.local
sudo sed -i -e '$i \sudo -u www-data misp-modules -l 0.0.0.0 -s &\n' /etc/rc.local
sudo -u www-data bash $PATH_TO_MISP/app/Console/worker/start.sh
cd /usr/local/src/
sudo git clone https://github.com/MISP/misp-modules.git
cd misp-modules
# pip3 install
sudo pip3 install -I -r REQUIREMENTS
sudo pip3 install -I .
sudo pip3 install maec lief python-magic wand yara
sudo pip3 install git+https://github.com/kbandla/pydeep.git
sudo pip3 install stix2
sudo gem install pygments.rb
sudo gem install asciidoctor-pdf --pre
sudo -u www-data misp-modules -l 0.0.0.0 -s &
cd /usr/local/src/
sudo apt-get install -y libssl-dev swig python3-ssdeep p7zip-full unrar-free sqlite python3-pyclamd exiftool radare2
sudo pip3 install SQLAlchemy PrettyTable python-magic
sudo git clone https://github.com/viper-framework/viper.git
cd viper
sudo git submodule init
sudo git submodule update
sudo pip3 install -r requirements.txt
sudo pip3 uninstall yara -y
/usr/local/src/viper/viper-cli -h
/usr/local/src/viper/viper-web -p 8888 -H 0.0.0.0 &
echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/src/viper:/var/www/MISP/app/Console"' |sudo tee /etc/environment
sed -i "s/^misp_url\ =/misp_url\ =\ http:\/\/localhost/g" ~/.viper/viper.conf
sed -i "s/^misp_key\ =/misp_key\ =\ $AUTH_KEY/g" ~/.viper/viper.conf
sqlite3 ~/.viper/admin.db 'UPDATE auth_user SET password="pbkdf2_sha256$100000$iXgEJh8hz7Cf$vfdDAwLX8tko1t0M1TLTtGlxERkNnltUnMhbv56wK/U="'
sudo chown -R www-data:www-data $PATH_TO_MISP
sudo chmod -R 750 $PATH_TO_MISP
sudo chmod -R g+ws $PATH_TO_MISP/app/tmp
sudo chmod -R g+ws $PATH_TO_MISP/app/files
sudo chmod -R g+ws $PATH_TO_MISP/app/files/scripts/tmp
echo "Admin (root) DB Password: $DBPASSWORD_ADMIN" > ~/mysql.txt
echo "User (misp) DB Password: $DBPASSWORD_MISP" >> ~/mysql.txt
echo "Authkey: $AUTH_KEY" > ~/MISP-authkey.txt
# TODO: mail-to-misp
#cd /usr/local/src/
#sudo apt-get install -y cmake
#sudo git clone https://github.com/MISP/mail_to_misp.git
#sudo git clone git://github.com/stricaud/faup.git
#cd faup
#sudo mkdir -p build
#cd build
#sudo cmake .. && sudo make
#sudo make install
#sudo ldconfig
#cd ../../
#cd mail_to_misp
#sudo pip3 install -r requirements.txt
#sudo cp mail_to_misp_config.py-example mail_to_misp_config.py
#
#sudo sed -i "s/^misp_url\ =\ 'YOUR_MISP_URL'/misp_url\ =\ 'http:\/\/localhost'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py
#sudo sed -i "s/^misp_key\ =\ 'YOUR_KEY_HERE'/misp_key\ =\ '$AUTH_KEY'/g" /usr/local/src/mail_to_misp/mail_to_misp_config.py
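Review bot: The viper web UI is launched on every interface (`viper-web -p 8888 -H 0.0.0.0`) and the sqlite `UPDATE auth_user SET password=...` that follows has no WHERE clause, so every account is reset to one fixed PBKDF2 hash copied from this public guide and whoever reads the guide holds a working password for a network-reachable service. Bind it to loopback (`-H 127.0.0.1`) and drop the UPDATE, or derive the hash from a freshly generated secret the way the script already does for `DBPASSWORD_*` with `openssl rand -hex 32`. The same copy-paste problem affects `setSetting "GnuPG.password" "Password1234"` and `"GnuPG.email" "admin@admin.test"`, which ignore the `$GPG_PASSPHRASE` / `$GPG_EMAIL_ADDRESS` variables used to generate the key, so anyone who changes those variables ends up with a key MISP cannot unlock. `~/mysql.txt` and `~/MISP-authkey.txt` are written under the caller's default umask; add `chmod 600 ~/mysql.txt ~/MISP-authkey.txt` right after them. There is also a stray `EOF` line immediately after the `tee /etc/apache2/sites-available/misp-ssl.conf` pipeline, which bash will try to run as a command.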


@ -2,7 +2,7 @@
App::uses('AppShell', 'Console/Command');
class AdminShell extends AppShell
{
public $uses = array('Event', 'Post', 'Attribute', 'Job', 'User', 'Task', 'Whitelist', 'Server', 'Organisation', 'AdminSetting', 'Galaxy');
public $uses = array('Event', 'Post', 'Attribute', 'Job', 'User', 'Task', 'Whitelist', 'Server', 'Organisation', 'AdminSetting', 'Galaxy', 'Taxonomy', 'Warninglist', 'Noticelist', 'ObjectTemplate');
public function jobGenerateCorrelation() {
$jobId = $this->args[0];
@ -34,14 +34,75 @@ class AdminShell extends AppShell
$this->ShadowAttribute->generateCorrelation($jobId);
}
public function updateGalaxies() {
public function updateGalaxies() {
// The following is 7.x upwards only
//$value = $this->args[0] ?? $this->args[0] ?? 0;
$value = empty($this->args[0]) ? null : $this->args[0];
if ($value === 'false') $value = 0;
if ($value === 'true') $value = 1;
if ($value === 'force') $value = 1;
$force = $value;
$result = $this->Galaxy->update($force);
if ($result) {
echo 'Galaxies updated';
} else {
echo 'Could not update Galaxies';
}
}
# FIXME: Make Taxonomy->update() return a status string on API if successful
public function updateTaxonomies() {
$result = $this->Taxonomy->update();
if ($result) {
echo 'Taxonomies updated';
} else {
echo 'Could not update Taxonomies';
}
}
public function updateWarningLists() {
$result = $this->Galaxy->update();
if ($result) {
echo 'Galaxies updated';
} else {
echo 'Could not update Galaxies';
}
}
if ($result) {
echo 'Warning lists updated';
} else {
echo 'Could not update warning lists';
}
}
public function updateNoticeLists() {
$result = $this->Noticelist->update();
if ($result) {
echo 'Notice lists updated';
} else {
echo 'Could not update notice lists';
}
}
# FIXME: Debug and make it work, fails to pass userId/orgId properly
public function updateObjectTemplates() {
if (empty($this->args[0])) {
echo 'Usage: ' . APP . '/cake ' . 'Admin updateNoticeLists [user_id]';
} else {
$userId = $this->args[0];
$user = $this->User->find('first', array(
'recursive' => -1,
'conditions' => array(
'User.id' => $userId,
),
'fields' => array('User.id', 'User.org_id')
));
if (empty($user)) {
echo 'User not found';
} else {
$result = $this->ObjectTemplate->update($user, false,false);
if ($result) {
echo 'Object templates updated';
} else {
echo 'Could not update object templates';
}
}
}
}
public function jobUpgrade24() {
$jobId = $this->args[0];
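Review bot: The usage message in `updateObjectTemplates` names the wrong subcommand — `'Admin updateNoticeLists [user_id]'` — so an operator who omits the argument is told to run a different command; it should read `echo 'Usage: ' . APP . '/cake ' . 'Admin updateObjectTemplates [user_id]';`. As rendered here, `updateWarningLists` shows no `$result = $this->Warninglist->update();` assignment before `if ($result)`, only the removed `Galaxy->update()` lines; if that is not a rendering artefact the method always prints 'Could not update warning lists'. The `# FIXME: Debug and make it work` note above `updateObjectTemplates` admits the method does not yet pass the user/org correctly, so the usage text might say so too rather than leaving operators to discover it from an empty result.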


@ -117,6 +117,8 @@ class AppController extends Controller {
$language = Configure::read('MISP.language');
if (!empty($language) && $language !== 'eng') {
Configure::write('Config.language', $language);
} else {
Configure::write('Config.language', 'eng');
}
//if fresh installation (salt empty) generate a new salt
@ -446,7 +448,16 @@ class AppController extends Controller {
protected function _isRest() {
$api = $this->__isApiFunction($this->request->params['controller'], $this->request->params['action']);
return (isset($this->RequestHandler) && ($api || $this->RequestHandler->isXml() || $this->_isJson()));
if (isset($this->RequestHandler) && ($api || $this->RequestHandler->isXml() || $this->_isJson())) {
if ($this->_isJson()) {
if (!empty($this->request->input()) && empty($this->request->input('json_decode'))) {
throw new MethodNotAllowedException('Invalid JSON input. Make sure that the JSON input is a correctly formatted JSON string. This request has been blocked to avoid an unfiltered request.');
}
}
return true;
} else {
return false;
}
}
protected function _isAutomation() {
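Review bot: The new JSON guard in `_isRest` tests the decoded body with `empty()`, so a syntactically valid body that decodes to a falsy value — `[]`, `{}`, `0`, `""`, `false` — is rejected as 'Invalid JSON input' exactly like a malformed one. Test for a decode failure instead, since `CakeRequest::input()` applies the callback to the raw body and `json_decode()` returns `null` on error: `$raw = $this->request->input();` / `if (!empty($raw) && $this->request->input('json_decode') === null) {` (a body that is literally `null` is the only legitimate value still caught). A 405 `MethodNotAllowedException` is also a misleading status for a bad request body; `BadRequestException` produces the 400 a client should see. The intent of refusing to process an unparsed body is sound and worth keeping.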


@ -816,7 +816,7 @@ class ServersController extends AppController {
if ($tab == 'diagnostics' || $tab == 'download') {
$php_ini = php_ini_loaded_file();
$this->set('php_ini', $php_ini);
$advanced_attachments = shell_exec('python ' . APP . 'files/scripts/generate_file_objects.py -c');
$advanced_attachments = shell_exec('python3 ' . APP . 'files/scripts/generate_file_objects.py -c');
try {
$advanced_attachments = json_decode($advanced_attachments, true);
} catch (Exception $e) {
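Review bot: The script path in the new shell_exec() line is spliced into the command unquoted, so an installation path containing a space or shell metacharacter breaks the invocation; `shell_exec('python3 ' . escapeshellarg(APP . 'files/scripts/generate_file_objects.py') . ' -c')` keeps the switch to python3 and quotes the path. The same pattern is in the two python3 lines of the PubSubTool hunk and in the Sighting hunk (where `$randomFileName` is concatenated the same way). APP is a server-side constant, so this is a robustness point rather than an injection concern, but quoting is cheap and consistent.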


@ -270,8 +270,10 @@ class ComplexTypeTool {
private function __checkForSimpleRegex($input) {
// CVE numbers
if (preg_match("#^cve-[0-9]{4}-[0-9]{4,9}$#i", $input['raw'])) return array('types' => array('vulnerability'), 'categories' => array('External analysis'), 'to_ids' => false, 'default_type' => 'vulnerability', 'value' => $input['raw']);
// Phone numbers
if (preg_match("#^(\+)?([0-9]{1,3}(\(0\))?)?[0-9\/\-]{5,}[0-9]$#i", $input['raw'])) return array('types' => array('phone-number', 'prtn', 'whois-registrant-phone'), 'categories' => array('Other'), 'to_ids' => false, 'default_type' => 'phone-number', 'value' => $input['raw']);
// Phone numbers - for automatic recognition, needs to start with + or include dashes
if ($input['raw'][0] === '+' || strpos($input['raw'], '-')) {
if (preg_match("#^(\+)?([0-9]{1,3}(\(0\))?)?[0-9\/\-]{5,}[0-9]$#i", $input['raw'])) return array('types' => array('phone-number', 'prtn', 'whois-registrant-phone'), 'categories' => array('Other'), 'to_ids' => false, 'default_type' => 'phone-number', 'value' => $input['raw']);
}
}
private function __checkForIP($input) {
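Review bot: The new pre-check uses `strpos($input['raw'], '-')` as a boolean, so a value whose first dash is at offset 0 yields `0` and is treated as "no dash"; the idiomatic form is `strpos($input['raw'], '-') !== false`. `$input['raw'][0]` on an empty string also raises an "Uninitialized string offset" notice in PHP 7, so a length guard covers both: `if ($input['raw'] !== '' && ($input['raw'][0] === '+' || strpos($input['raw'], '-') !== false)) {`. The regex on the next line appears to permit a leading dash via `[0-9\/\-]{5,}`, so such a value matched before this change and now silently does not — worth confirming that is intended.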


@ -0,0 +1,45 @@
<?php
use Elasticsearch\ClientBuilder;
class ElasticSearchClient {
private $__settings = false;
private $__client = false;
private function __getSetSettings() {
$settings = array(
'enabled' => false,
'connection_string' => 'http://localhost',
);
foreach ($settings as $key => $setting) {
$temp = Configure::read('Plugin.ElasticSearch_' . $key);
if ($temp) $settings[$key] = $temp;
}
return $settings;
}
public function initTool() {
$settings = $this->__getSetSettings();
$hosts = explode(",", $settings["connection_string"]);
$client = ClientBuilder::create()
->setHosts($hosts)
->build();
$this->__client = $client;
$this->__settings = $settings;
return $client;
}
public function pushDocument($index, $document_type, $document) {
// Format timestamp
$time = strftime("%Y-%m-%d %H:%M:%S", strtotime($document["Log"]["created"]));
$document["Log"]["created"] = $time;
$params = array(
'index' => $index,
'type' => $document_type,
'body' => $document
);
$this->__client->index($params);
}
}
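Review bot: `__getSetSettings()` reads `Plugin.ElasticSearch_enabled`, but the setting the Server model defines and Log.php checks is `Plugin.ElasticSearch_logging_enable`, so the `enabled` key here can never be set from configuration and is dead — read the same key or drop it. `pushDocument()` dereferences `$this->__client` without checking that `initTool()` ran, and a `strtotime()` failure on `Log.created` silently becomes the epoch timestamp; `if ($this->__client === false) { throw new Exception('ElasticSearch client not initialised'); }` and a `=== false` check on the `strtotime()` result make both failures visible. Only `setHosts()` is passed to `ClientBuilder`, so no credentials or TLS options are configured and the default `http://localhost` sends the audit log in clear; a note to that effect in the class header (and in the connection_string setting description) would help operators choose an https endpoint.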


@ -67,7 +67,7 @@ class PubSubTool {
}
public function checkIfPythonLibInstalled() {
$result = trim(shell_exec('python ' . APP . 'files' . DS . 'scripts' . DS . 'mispzmq' . DS . 'mispzmqtest.py'));
$result = trim(shell_exec('python3 ' . APP . 'files' . DS . 'scripts' . DS . 'mispzmq' . DS . 'mispzmqtest.py'));
if ($result === "OK") return true;
return false;
}
@ -76,7 +76,7 @@ class PubSubTool {
App::uses('File', 'Utility');
$settings = $this->__getSetSettings();
if ($this->checkIfRunning() === false) {
shell_exec('python ' . APP . 'files' . DS . 'scripts' . DS . 'mispzmq' . DS . 'mispzmq.py > ' . APP . 'tmp' . DS . 'logs' . DS . 'mispzmq.log 2> ' . APP . 'tmp' . DS . 'logs' . DS . 'mispzmq.error.log &');
shell_exec('python3 ' . APP . 'files' . DS . 'scripts' . DS . 'mispzmq' . DS . 'mispzmq.py > ' . APP . 'tmp' . DS . 'logs' . DS . 'mispzmq.log 2> ' . APP . 'tmp' . DS . 'logs' . DS . 'mispzmq.error.log &');
}
return $settings;
}


@ -13,7 +13,7 @@ msgstr ""
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=INTEGER; plural=EXPRESSION;\n"
#: Controller/AppController.php:424
#: Controller/AppController.php:437
msgid "The request has been black-holed"
msgstr ""




@ -0,0 +1,22 @@
# LANGUAGE translation of CakePHP Application
# Copyright 2018 truckydev <EMAIL@ADDRESS>
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: 1\n"
"PO-Revision-Date: 2018-01-29 18:34\n"
"Last-Translator: truckydev\n"
"Language-Team: FR_fr\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=INTEGER; plural=EXPRESSION;\n"
#: Controller/AppController.php:398
msgid "The request has been black-holed"
msgstr "La requête a été bloquée"
#: View/Layouts/error.ctp:19
msgid "CakePHP: the rapid development php framework"
msgstr "CakePHP: cadriciel php de développement rapide"






@ -36,6 +36,8 @@ class AppModel extends Model {
private $__profiler = array();
public $elasticSearchClient = false;
public function __construct($id = false, $table = null, $ds = null) {
parent::__construct($id, $table, $ds);
@ -1337,6 +1339,20 @@ class AppModel extends Model {
return true;
}
public function getElasticSearchTool() {
if (!$this->elasticSearchClient) {
$this->loadElasticSearchTool();
}
return $this->elasticSearchClient;
}
public function loadElasticSearchTool() {
App::uses('ElasticSearchClient', 'Tools');
$client = new ElasticSearchClient();
$client->initTool();
$this->elasticSearchClient = $client;
}
public function checkVersionRequirements($versionString, $minVersion) {
$version = explode('.', $versionString);
$minVersion = explode('.', $minVersion);
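Review bot: loadElasticSearchTool() instantiates ElasticSearchClient, whose `use Elasticsearch\ClientBuilder` refers to a package that composer.json lists only under `suggest`; on an install without it, enabling the logging setting turns every Log write into a fatal class-not-found error. A guard before instantiation, `if (!class_exists('Elasticsearch\ClientBuilder')) { throw new Exception('The elasticsearch/elasticsearch package is not installed.'); }`, makes that an explicit, catchable failure. The new `$elasticSearchClient` property is public while `$__profiler` just above is private; with `getElasticSearchTool()` as the access path, `private` would match the surrounding style.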


@ -239,6 +239,14 @@ class Log extends AppModel {
$pubSubTool = $this->getPubSubTool();
$pubSubTool->publish($data, 'audit', 'log');
}
if (Configure::read('Plugin.ElasticSearch_logging_enable')) {
// send off our logs to distributed /dev/null
$logIndex = Configure::read("Plugin.ElasticSearch_log_index");
$elasticSearchClient = $this->getElasticSearchTool();
$elasticSearchClient->pushDocument($logIndex, "log", $data);
}
if (Configure::read('Security.syslog')) {
// write to syslogd as well
$syslog = new SysLog();
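Review bot: The new `pushDocument()` call is unguarded, so when the ElasticSearch endpoint is unreachable the exception the client presumably raises escapes the log write and the action being logged fails with it — an unavailable log sink should degrade, not take the request down. `try { $elasticSearchClient->pushDocument($logIndex, "log", $data); } catch (Exception $e) { /* log sink unreachable; do not fail the logged action */ }` keeps it best-effort, ideally reporting the failure through the syslog path that follows. `$logIndex` is also used unchecked although the setting defaults to `''`; skipping the push when it is empty avoids indexing into a nameless index. The enclosing function starts and ends outside the hunk.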


@ -398,7 +398,7 @@ class Server extends AppModel {
'attachments_dir' => array(
'level' => 2,
'description' => 'Directory where attachments are stored. MISP will NOT migrate the existing data if you change this setting. The only safe way to change this setting is in config.php, when MISP is not running, and after having moved/copied the existing data to the new location. This directory must already exist and be writable and readable by the MISP application.',
'value' => 'app/files', # GUI display purpose only. Default value defined in func getDefaultAttachments_dir()
'value' => '', # GUI display purpose only. Default value defined in func getDefaultAttachments_dir()
'errorMessage' => '',
'null' => false,
'test' => 'testForWritableDir',
@ -1364,6 +1364,30 @@ class Server extends AppModel {
'test' => 'testBool',
'type' => 'boolean'
),
'ElasticSearch_logging_enable' => array (
'level' => 2,
'description' => 'Enabled logging to an ElasticSearch instance',
'value' => false,
'errorMessage' => '',
'test' => 'testBool',
'type' => 'boolean'
),
'ElasticSearch_connection_string' => array(
'level' => 2,
'description' => 'The URL(s) at which to access ElasticSearch - comma seperate if you want to have more than one.',
'value' => '',
'errorMessage' => '',
'test' => 'testForEmpty',
'type' => 'string'
),
'ElasticSearch_log_index' => array(
'level' => 2,
'description' => 'The index in which to place logs',
'value' => '',
'errorMessage' => '',
'test' => 'testForEmpty',
'type' => 'string'
),
'Sightings_policy' => array(
'level' => 1,
'description' => 'This setting defines who will have access to seeing the reported sightings. The default setting is the event owner alone (in addition to everyone seeing their own contribution) with the other options being Sighting reporters (meaning the event owner and anyone that provided sighting data about the event) and Everyone (meaning anyone that has access to seeing the event / attribute).',
@ -1697,6 +1721,11 @@ class Server extends AppModel {
'Session' => 'Security'
);
public function __construct($id = false, $table = null, $ds = null) {
parent::__construct($id, $table, $ds);
$this->serverSettings['MISP']['attachments_dir']['value'] = APP . '/files';
}
public $validEventIndexFilters = array('searchall', 'searchpublished', 'searchorg', 'searchtag', 'searcheventid', 'searchdate', 'searcheventinfo', 'searchthreatlevel', 'searchdistribution', 'searchanalysis', 'searchattribute');
public function isOwnedByOrg($serverid, $org) {
@ -3247,7 +3276,7 @@ class Server extends AppModel {
public function stixDiagnostics(&$diagnostic_errors, &$stixVersion, &$cyboxVersion, &$mixboxVersion, &$maecVersion, &$pymispVersion) {
$result = array();
$expected = array('stix' => '1.2.0.6', 'cybox' => '2.1.0.18.dev0', 'mixbox' => '1.0.3', 'maec' => '4.1.0.13', 'pymisp' => '>2.4.93');
$expected = array('stix' => '1.2.0.6', 'cybox' => '2.1.0.17', 'mixbox' => '1.0.3', 'maec' => '4.1.0.13', 'pymisp' => '>2.4.93');
// check if the STIX and Cybox libraries are working using the test script stixtest.py
$scriptResult = shell_exec('python3 ' . APP . 'files' . DS . 'scripts' . DS . 'stixtest.py');
$scriptResult = json_decode($scriptResult, true);
@ -3863,9 +3892,18 @@ class Server extends AppModel {
public function update($status) {
$final = '';
$cleanup_commands = array(
// (>^-^)> [hacky]
'git checkout app/composer.json 2>&1'
);
foreach ($cleanup_commands as $cleanup_command) {
$final .= $cleanup_command . "\n\n";
exec($cleanup_command, $output);
$final .= implode("\n", $output) . "\n\n";
}
$command1 = 'git pull origin ' . $status['branch'] . ' 2>&1';
$command2 = 'git submodule update --init --recursive 2>&1';
$final = $command1 . "\n\n";
$final .= $command1 . "\n\n";
exec($command1, $output);
$final .= implode("\n", $output) . "\n\n=================================\n\n";
$output = array();
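Review bot: In update(), `$output` is not reset after the new cleanup loop: `exec()` appends to the array it is given, so the lines captured from `git checkout app/composer.json` are printed again under the `$command1` section (the reset only happens after command1). Adding `$output = array();` at the end of each loop iteration, after the `implode`, fixes it. The "[hacky]" comment should also say what the command does, e.g. `// discards local edits to app/composer.json so that git pull cannot stop on a conflict`, since an operator's changes to that file are silently lost. In the constructor hunk, `APP . '/files'` differs from the `APP . 'files'` form used by every other path on this page (APP already ends in a separator), so the displayed value will carry a double slash. update() continues past the hunk.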


@ -271,7 +271,7 @@ class Sighting extends AppModel {
$tempFile->close();
$scriptFile = APP . "files" . DS . "scripts" . DS . "stixsighting2misp.py";
// Execute the python script and point it to the temporary filename
$result = shell_exec('python ' . $scriptFile . ' ' . $randomFileName);
$result = shell_exec('python3 ' . $scriptFile . ' ' . $randomFileName);
// The result of the script will be a returned JSON object with 2 variables: success (boolean) and message
// If success = 1 then the temporary output file was successfully written, otherwise an error message is passed along
$result = json_decode($result, true);


@ -5,6 +5,8 @@
"kamisama/cake-resque": "@stable",
"pear/crypt_gpg": "@stable",
"pear/net_geoip": "@dev"
},
"suggest": {
"elasticsearch/elasticsearch": "For logging to elasticsearch"
}
}

@ -1 +1 @@
Subproject commit b92ab93c80b8f9e8ede7cf572f58bf2629db4c55
Subproject commit 498c6f114bea7030090aee17cf864fd1f314a393


@ -62,8 +62,8 @@ class MISPZMQ():
self.setup()
if command == "status":
print("Status command received, responding with latest stats.")
self.r.delete("{self.namespace}:status".format(self.namespace))
self.r.lpush("{self.namespace}:status".format(self.namespace),
self.r.delete("{}:status".format(self.namespace))
self.r.lpush("{}:status".format(self.namespace),
json.dumps({"timestamp": time.time(),
"timestampSettings": self.timestampSettings,
"publishCount": self.publishCount}))
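Review bot: The corrected key is built twice in the new lines; hoisting it, `status_key = "{}:status".format(self.namespace)`, then `self.r.delete(status_key)` and `self.r.lpush(status_key, ...)`, removes the duplication and the chance of the two drifting apart again as they did before this fix. The delete/lpush pair is also not atomic; if a reader can observe the list between the two calls, issuing both through `self.r.pipeline()` closes that gap — worth confirming whether the status consumer cares. The enclosing method starts and ends outside the hunk.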


@ -146,9 +146,9 @@ class StixBuilder():
galaxy_type = galaxy.get('type')
if 'attack-pattern' in galaxy_type:
self.add_attack_pattern(galaxy)
elif 'course' in galaxy_type:
elif 'course-of-action' in galaxy_type:
self.add_course_of_action(galaxy)
elif 'intrusion' in galaxy_type:
elif 'intrusion-set' in galaxy_type:
self.add_intrusion_set(galaxy)
elif 'ware' in galaxy_type:
self.add_malware(galaxy)
@ -420,7 +420,7 @@ class StixBuilder():
killchain = self.create_killchain(category)
labels = self.create_labels(attribute)
attribute_value = attribute.value if attribute_type != "AS" else self.define_attribute_value(attribute.value, attribute.comment)
pattern = mispTypesMapping[attribute_type]['pattern'](attribute_type, attribute_value, b64encode(attribute.data.getvalue()).decode()[1:-1]) if 'data' in attribute else self.define_pattern(attribute_type, attribute_value)
pattern = mispTypesMapping[attribute_type]['pattern'](attribute_type, attribute_value, b64encode(attribute.data.getbuffer()).decode()[1:-1]) if 'data' in attribute else self.define_pattern(attribute_type, attribute_value)
indicator_args = {'id': indicator_id, 'type': 'indicator', 'labels': labels, 'kill_chain_phases': killchain,
'valid_from': attribute.timestamp, 'created_by_ref': self.identity_id, 'pattern': pattern}
if hasattr(attribute, 'comment') and attribute.comment:
@ -446,7 +446,7 @@ class StixBuilder():
timestamp = attribute.timestamp
labels = self.create_labels(attribute)
attribute_value = attribute.value if attribute_type != "AS" else self.define_attribute_value(attribute.value, attribute.comment)
observable = mispTypesMapping[attribute_type]['observable'](attribute_type, attribute_value, b64encode(attribute.data.getvalue())) if 'data' in attribute else self.define_observable(attribute_type, attribute_value)
observable = mispTypesMapping[attribute_type]['observable'](attribute_type, attribute_value, b64encode(attribute.data.getbuffer())) if 'data' in attribute else self.define_observable(attribute_type, attribute_value)
observed_data_args = {'id': observed_data_id, 'type': 'observed-data', 'number_observed': 1,
'first_observed': timestamp, 'last_observed': timestamp, 'labels': labels,
'created_by_ref': self.identity_id, 'objects': observable}
@ -737,7 +737,7 @@ class StixBuilder():
except:
mapping = "x_misp_{}_{}".format(attribute.type, relation)
if relation in ('eml', 'screenshot'):
message[mapping] = {'value': attribute_value, 'data': b64encode(attribute.data.getvalue()).decode()[1:-1]}
message[mapping] = {'value': attribute_value, 'data': b64encode(attribute.data.getbuffer()).decode()[1:-1]}
else:
message[mapping] = attribute_value
if reply_to and 'additional_header_fields' in message:
@ -765,7 +765,7 @@ class StixBuilder():
stix_type = "'x_misp_{}_{}'".format(attribute.type, relation)
if relation in ('eml', 'screenshot'):
stix_type_data = "{}.data".format(stix_type)
pattern += pattern_mapping.format(email_type, stix_type_data, b64encode(attribute.data.getvalue()).decode()[1:-1])
pattern += pattern_mapping.format(email_type, stix_type_data, b64encode(attribute.data.getbuffer()).decode()[1:-1])
stix_type += ".value"
pattern += pattern_mapping.format(email_type, stix_type, attribute.value)
return "[{}]".format(pattern[:-5])
@ -785,7 +785,7 @@ class StixBuilder():
malware_sample['filename'] = filename
malware_sample['md5'] = md5
if attribute.data:
observable[str(n_object)] = {'type': 'artifact', 'payload_bin': b64encode(attribute.data.getvalue())}
observable[str(n_object)] = {'type': 'artifact', 'payload_bin': b64encode(attribute.data.getbuffer())}
observable_file['content_ref'] = str(n_object)
n_object += 1
elif attribute_type in ('filename', 'md5'):
@ -818,7 +818,7 @@ class StixBuilder():
malware_sample['filename'] = filename
malware_sample['md5'] = md5
if attribute.data:
pattern += "{} AND ".format(pattern_attachment('', b64encode(attribute.data.getvalue()).decode()[1:-1])[1:-1])
pattern += "{} AND ".format(attribute_data_pattern(b64encode(attribute.data.getbuffer()).decode()[1:-1]))
elif attribute_type in ("filename", "md5"):
d_pattern[attribute_type] = attribute.value
else:
@ -840,17 +840,17 @@ class StixBuilder():
ip_address = {}
domain = {}
for attribute in attributes:
attribute_type = attribute.type
relation = attribute.object_relation
attribute_value = attribute.value
if attribute_type == 'ip-dst':
if relation == 'ip':
ip_address['type'] = define_address_type(attribute_value)
ip_address['value'] = attribute_value
elif attribute_type == 'domain':
elif relation == 'domain':
domain['type'] = 'domain-name'
domain['value'] = attribute_value
else:
try:
observable_type = ipPortObjectMapping[attribute_type][attribute.object_relation]
observable_type = ipPortObjectMapping[relation]
except:
continue
observable[observable_type] = attribute_value
@ -892,19 +892,21 @@ class StixBuilder():
def resolve_ip_port_pattern(attributes):
pattern = ""
for attribute in attributes:
attribute_type = attribute.type
relation = attribute.object_relation
attribute_value = attribute.value
if attribute_type == 'domain':
pattern += objectsMapping['domain-ip']['pattern'].format(ipPortObjectMapping[attribute_type], attribute_value)
if relation == 'domain':
mapping_type = 'domain-ip'
stix_type = ipPortObjectMapping[relation]
elif relation == 'ip':
mapping_type = 'ip-port'
stix_type = ipPortObjectMapping[relation].format(define_address_type(attribute_value))
else:
try:
try:
stix_type = ipPortObjectMapping[attribute_type][attribute.object_relation]
except:
stix_type = ipPortObjectMapping[attribute_type].format(define_address_type(attribute_value))
stix_type = ipPortObjectMapping[relation]
mapping_type = 'ip-port'
except:
continue
pattern += objectsMapping['ip-port']['pattern'].format(stix_type, attribute_value)
pattern += objectsMapping[mapping_type]['pattern'].format(stix_type, attribute_value)
return "[{}]".format(pattern[:-5])
@staticmethod
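Review bot: The rewritten resolve_ip_port_pattern keeps a bare `except:` around the `ipPortObjectMapping[relation]` lookup, which also swallows KeyboardInterrupt and any unrelated error; the only expected failure is a missing key, so `except KeyError:` is the right scope (the same applies to the `except: continue` in the resolve_ip_port_observable hunk). In the indicator and e-mail hunks the switch to `getbuffer()` keeps the `.decode()[1:-1]` slice, which drops the first and last character of the base64 text; unless a downstream consumer relies on that, it corrupts the embedded attachment and is worth confirming — the observable hunks pass the undecoded `b64encode()` result with no such slice. The functions in those earlier hunks start and end outside their hunks.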


@ -305,9 +305,9 @@ emailObjectMapping = {'email-body': {'email_type': 'message', 'stix_type': 'body
fileMapping = {'hashes': "hashes.'{0}'", 'size-in-bytes': 'size', 'filename': 'name', 'mime-type': 'mime_type'}
ipPortObjectMapping = {'ip-dst': network_traffic_dst_ref,
'port': {'src-port': 'src_port', 'dst-port': 'dst_port'},
'datetime': {'first-seen': 'start', 'last-seen': 'end'},
ipPortObjectMapping = {'ip': network_traffic_dst_ref,
'src-port': 'src_port', 'dst-port': 'dst_port',
'first-seen': 'start', 'last-seen': 'end',
'domain': 'value'}
networkSocketMapping = {'address-family': 'address_family', 'domain-family': 'protocol_family',

@ -1 +1 @@
Subproject commit 43e82c6b25bd61c89b889a8262354c3f2e4f62ac
Subproject commit e597831a25c2a2f8bf08320420efee4dbb386389