MISP (core software) - Open Source Threat Intelligence and Sharing Platform (formely known as Malware Information Sharing Platform) https://www.misp-project.org/
 
 
 
 
 
 
Go to file
Jakub Onderka bf51c9ebde chg: [validation] Remove CIDR from /32 IPv4 and /128 IPv6 to normalize values 2024-01-05 16:40:49 +01:00
.github fix: Missing deps for tests 2024-01-04 13:59:40 +01:00
INSTALL chg: [install] support jammy - see #9153 2023-12-29 14:49:08 +01:00
PyMISP@81f5d596a7 chg: [PyMISP] Bump version 2024-01-04 13:41:18 +01:00
app chg: [validation] Remove CIDR from /32 IPv4 and /128 IPv6 to normalize values 2024-01-05 16:40:49 +01:00
build fix: [GHA] change in hostname, bump pymisp, fix vhost 2021-04-20 16:18:38 +02:00
debian Merge pull request #5858 from stricaud/debian 2020-05-05 21:56:20 +09:00
docs Merge pull request #9327 from SteveClement/guides 2023-10-12 20:41:41 +09:00
format Add blob in the url 2017-04-07 22:53:53 +02:00
tests fix: [tests] fix path in logs_tests.sh 2023-12-01 10:49:00 +01:00
tools chg: [tools] mention the communities json page 2023-12-15 08:56:58 +01:00
travis Feature/user login profiles2 (#9379) 2023-11-24 13:47:59 +01:00
.coveragerc Create .coveragerc 2015-09-27 10:55:55 +02:00
.gitchangelog.rc chg: [doc] updated Changelog.md to be more markdown friendly 2018-10-26 10:38:37 +09:00
.gitignore fix: [servers] custom cert file not written when cert folder does not exist 2023-12-18 18:30:46 +01:00
.gitmodules fix: [misp-vagrant] submodule removed 2023-09-29 08:33:43 +02:00
.travis.yml Split requirements file and pin minimum version of Python deps 2023-09-29 09:27:17 +01:00
AUTHORS chg: [copyright] AUTHORS updated 2020-10-14 10:13:47 +02:00
CITATION.cff new: [citation-cff] added 2021-08-02 08:16:52 +02:00
CODINGSTYLE.md chg: [doc] Fix python naming swap (based on example and practice) and stray whitespace. 2023-08-02 18:33:41 +02:00
CONTRIBUTING.md chg: [doc] Fix 404 file not found. 2023-08-15 12:51:40 +02:00
GITWORKFLOW.md chg: [doc] FIx links 2021-04-13 13:42:21 +01:00
LICENSE Fix permissions 2016-02-11 17:03:51 +01:00
Pipfile chg: [internal] Use pydeep2 2022-01-16 20:15:06 +01:00
README.debian Adding instructions to build a Debian Package 2020-02-10 23:50:38 -08:00
README.md doc: Update README.md with new badges, toc, install tips 2023-09-29 15:09:01 +02:00
ROADMAP.md chg: [doc] Minor changes 2021-04-09 15:29:14 +01:00
SECURITY.md Update SECURITY.md 2020-04-28 10:47:04 +02:00
VERSION.json chg: [VERSION] bump 2024-01-04 20:10:35 +01:00
build-deb.sh If the submodules have not been initialized and updated, the debian package will build. 2020-05-02 11:07:24 -07:00
code_of_conduct.md add: Code of conduct added to the MISP Project - fix #1858 2017-01-25 20:29:34 +01:00
db_schema.json fix: [db_schema] dump 2023-12-14 14:21:37 +01:00
mkdocs.yml chg: [doc] Updated docs and removed obsolete refs. 2021-12-25 11:02:44 +09:00
preinst Adding the preinst where required apache modules are enabled 2020-05-02 11:08:24 -07:00
requirements-dev.txt Split requirements file and pin minimum version of Python deps 2023-09-29 09:27:17 +01:00
requirements.txt chg: [PyMISP] Bump version 2024-01-04 13:41:18 +01:00

README.md

MISP - Threat Intelligence Sharing Platform

MISP logo

MISP is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threats about cyber security incidents analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals or malware reversers to support their day-to-day operations to share structured information efficiently.

The objective of MISP is to foster the sharing of structured information within the security community and abroad. MISP provides functionalities to support the exchange of information but also the consumption of said information by Network Intrusion Detection Systems (NIDS), LIDS but also log analysis tools, SIEMs.

  ●  Core functions   ●  Website / Support   ●  PHP and MISP
  ●  Installation   ●  Documentation   ●  Contributing
  ●  License

Latest Release GitHub version
CI
Gitter
Mastodon
Twitter
Localization
Contributors
License

Core functions

  • An efficient IOC and indicators database, allowing to store technical and non-technical information about malware samples, incidents, attackers and intelligence.
  • Automatic correlation finding relationships between attributes and indicators from malware, attack campaigns or analysis. The correlation engine includes correlation between attributes and more advanced correlations like Fuzzy hashing correlation (e.g. ssdeep) or CIDR block matching. Correlation can also be enabled or event disabled per attribute.
  • A flexible data model where complex objects can be expressed and linked together to express threat intelligence, incidents or connected elements.
  • Built-in sharing functionality to ease data sharing using different model of distributions. MISP can automatically synchronize events and attributes among different MISP instances. Advanced filtering functionalities can be used to meet each organization's sharing policy including a flexible sharing group capacity and an attribute level distribution mechanisms.
  • An intuitive user-interface for end-users to create, update and collaborate on events and attributes/indicators. A graphical interface to navigate seamlessly between events and their correlations. An event graph functionality to create and view relationships between objects and attributes. Advanced filtering functionalities and warning lists to help the analysts to contribute events and attributes and limit the risk of false-positives.
  • storing data in a structured format (allowing automated use of the database for various purposes) with an extensive support of cyber security indicators along fraud indicators as in the financial sector.
  • export: generating IDS, OpenIOC, plain text, CSV, MISP XML or JSON output to integrate with other systems (network IDS, host IDS, custom tools), Cache format (used for forensic tools), STIX (XML and JSON) 1 and 2, NIDS export (Suricata, Snort and Bro/Zeek) or RPZ zone. Many other formats can be easily added via the misp-modules.
  • import: bulk-import, batch-import, import from OpenIOC, GFI sandbox, ThreatConnect CSV, MISP standard format or STIX 1.1/2.0. Many other formats easily added via the misp-modules.
  • Flexible free text import tool to ease the integration of unstructured reports into MISP.
  • A user-friendly system to collaborate on events and attributes allowing MISP users to propose changes or updates to attributes/indicators.
  • data-sharing: automatically exchange and synchronize with other parties and trust-groups using MISP.
  • delegating of sharing: allows for a simple, pseudo-anonymous mechanism to delegate publication of event/indicators to another organization.
  • Flexible API to integrate MISP with your own solutions. MISP is bundled with PyMISP which is a flexible Python Library to fetch, add or update events attributes, handle malware samples or search for attributes. An exhaustive restSearch API to easily search for indicators in MISP and exports those in all the format supported by MISP.
  • Adjustable taxonomy to classify and tag events following your own classification schemes or existing classification. The taxonomy can be local to your MISP but also shareable among MISP instances.
  • Intelligence vocabularies called MISP galaxy and bundled with existing threat actors, malware, RAT, ransomware or MITRE ATT&CK which can be easily linked with events and attributes in MISP.
  • Expansion modules in Python to expand MISP with your own services or activate already available misp-modules.
  • Sighting support to get observations from organizations concerning shared indicators and attributes. Sighting can be contributed via MISP user-interface, API as MISP document or STIX sighting documents.
  • STIX support: import and export data in the STIX version 1 and version 2 format.
  • Integrated encryption and signing of the notifications via GnuPG and/or S/MIME depending on the user's preferences.
  • Real-time publish-subscribe channel within MISP to automatically get all changes (e.g. new events, indicators, sightings or tagging) in ZMQ (e.g. misp-dashboard) or Kafka publishing.

Exchanging info results in faster detection of targeted attacks and improves the detection ratio while reducing the false positives. We also avoid reversing similar malware as we know very fast that other teams or organizations have already analyzed a specific malware.

MISP 2.4 overview

A sample event encoded in MISP:

MISP event view

Website / Support

Checkout the website for more information about MISP software, standards, tools and communities.

Information, news and updates are also regularly posted on the MISP project Mastodon account, twitter account and news page.

PHP and MISP

MISP currently requires PHP 7.4, an end-of-life version of PHP. Because of this it is recommended that you only run MISP on distributions or PHP installs that you know will get security fixes backported, like Red Hat or Debian and derratives.

MISP 3.x, currently in development will support PHP 8.x.

Installation

For test- og production installations we recommend you check out the possible options on misp-project.org/download.

Documentation

MISP user-guide (MISP-book) is available online or as PDF or as EPUB or as MOBI/Kindle.

It is also recommended to read the FAQ

Contributing

If you are interested to contribute to the MISP project, review our contributing page. There are many ways to contribute and participate to the project.

Please see our Code of conduct.

Feel free to fork the code, play with it, make some patches and send us the pull requests via the issues.

Feel free to contact us, create issues, if you have questions, remarks or bug reports.

There is one main branch:

  • 2.4 (current stable version): what we consider as stable with frequent updates as hot-fixes.

and features are developed in separated branches and then regularly merged into the 2.4 stable branch.

License

This software is licensed under GNU Affero General Public License version 3

  • Copyright (C) 2012-2023 Christophe Vandeplas
  • Copyright (C) 2012 Belgian Defence
  • Copyright (C) 2012 NATO / NCIRC
  • Copyright (C) 2013-2023 Andras Iklody
  • Copyright (C) 2015-2023 CIRCL - Computer Incident Response Center Luxembourg
  • Copyright (C) 2016 Andreas Ziegler
  • Copyright (C) 2018-2023 Sami Mokaddem
  • Copyright (C) 2018-2023 Christian Studer
  • Copyright (C) 2015-2023 Alexandre Dulaunoy
  • Copyright (C) 2018-2022 Steve Clement
  • Copyright (C) 2020-2023 Jakub Onderka

For more information, the list of authors and contributors is available.