mirror of https://github.com/MISP/misp-book
chg: [doc] Updated various aspects of the Book. Added dev-faq (mostly pointing to GH)
parent
f0f6b376d0
commit
05a5808933
|
@ -79,6 +79,9 @@ MISP objects are used in MISP (starting from version 2.4.80) system and can be u
|
||||||
or GnuPG instance key is the GnuPG (Gnu Privacy Guard) key used by the MISP instance and which is only used to sign notification.
|
or GnuPG instance key is the GnuPG (Gnu Privacy Guard) key used by the MISP instance and which is only used to sign notification.
|
||||||
The GnuPG key used in the MISP instance must **not** be used anywhere else and should not be valuable.
|
The GnuPG key used in the MISP instance must **not** be used anywhere else and should not be valuable.
|
||||||
|
|
||||||
|
## MISP Sightings
|
||||||
|
Basically, sighting is a system allowing people to react on attributes on an event. It was originally designed to provide an easy method for user to tell when they see a given attribute, giving it more credibility.
|
||||||
|
|
||||||
## MISP Taxonomies
|
## MISP Taxonomies
|
||||||
[Taxonomy](https://en.wikipedia.org/wiki/Taxonomy_(general)) is the practice and science of classification. The word is also used as a count noun: a taxonomy, or taxonomic scheme, is a particular classification. The word finds its roots in the Greek language τάξις, taxis (meaning 'order', 'arrangement') and νόμος, nomos ('law' or 'science').
|
[Taxonomy](https://en.wikipedia.org/wiki/Taxonomy_(general)) is the practice and science of classification. The word is also used as a count noun: a taxonomy, or taxonomic scheme, is a particular classification. The word finds its roots in the Greek language τάξις, taxis (meaning 'order', 'arrangement') and νόμος, nomos ('law' or 'science').
|
||||||
Taxonomies that can be used in MISP (2.4) and other information sharing tool and expressed in Machine Tags (Triple Tags). A machine tag is composed of a namespace (MUST), a predicate (MUST) and an (OPTIONAL) value. Machine tags are often called triple tag due to their format.
|
Taxonomies that can be used in MISP (2.4) and other information sharing tool and expressed in Machine Tags (Triple Tags). A machine tag is composed of a namespace (MUST), a predicate (MUST) and an (OPTIONAL) value. Machine tags are often called triple tag due to their format.
|
||||||
|
|
|
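Review bot: the new Sightings paragraph (the line beginning "Basically, sighting is a system") has grammar problems that should be fixed before merge: "allowing people to react on attributes on an event" reads better as "allowing users to react to attributes of an event", and "an easy method for user to tell when they see a given attribute" should be "an easy method for users to indicate that they have seen a given attribute". The opening "Basically," adds nothing and can be dropped. The paragraph also only says what sightings were "originally designed" for; one sentence on what a sighting records today would make the section self-contained.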
@ -26,4 +26,5 @@
|
||||||
* [ZeroMQ - MISP publish-subscribe](misp-zmq/README.md)
|
* [ZeroMQ - MISP publish-subscribe](misp-zmq/README.md)
|
||||||
* [Translations - i18n & l10n](translation/README.md)
|
* [Translations - i18n & l10n](translation/README.md)
|
||||||
* [FAQ](faq/README.md)
|
* [FAQ](faq/README.md)
|
||||||
|
* [Dev FAQ](dev-faq/README.md)
|
||||||
* [Appendices](appendices/README.md)
|
* [Appendices](appendices/README.md)
|
||||||
|
|
|
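Review bot: the new SUMMARY entry labels the chapter "Dev FAQ" while the chapter file added in this same commit is titled "Developer FAQ"; use the same wording in both places so the sidebar entry matches the page heading.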
@ -253,7 +253,6 @@ This section lists some projects we know of but not officially support and rely
|
||||||
| [OTX MISP](https://github.com/gcrahay/otx_misp) | Imports Alienvault OTX pulses to a MISP instance | Not tested by MISP core team |
|
| [OTX MISP](https://github.com/gcrahay/otx_misp) | Imports Alienvault OTX pulses to a MISP instance | Not tested by MISP core team |
|
||||||
| [BTG](https://github.com/conix-security/BTG) | BTG's purpose is to make fast and efficient search on IOC | Not tested by MISP core team |
|
| [BTG](https://github.com/conix-security/BTG) | BTG's purpose is to make fast and efficient search on IOC | Not tested by MISP core team |
|
||||||
| [MISP OSINT Collection](https://github.com/adulau/misp-osint-collection) | Collection of best practices to add OSINT into MISP and/or MISP communities | Not tested by MISP core team |
|
| [MISP OSINT Collection](https://github.com/adulau/misp-osint-collection) | Collection of best practices to add OSINT into MISP and/or MISP communities | Not tested by MISP core team |
|
||||||
| [Ansible MISP](https://github.com/StamusNetworks/ansible-misp) | Ansible playbook to install Malware Information Sharing Platform (MISP) | Not tested by MISP core team |
|
|
||||||
| [IBM XFE module](https://github.com/johestephan/XFE) | Various IBM X-Force Exchange modules | Not tested by MISP core team |
|
| [IBM XFE module](https://github.com/johestephan/XFE) | Various IBM X-Force Exchange modules | Not tested by MISP core team |
|
||||||
| [MISP dockerized](https://github.com/DCSO/MISP-dockerized-misp-modules) | MISP dockerized is a project designed to provide an easy-to-use and easy-to-install'out of the box' MISP instance that includes everything you need to run MISP with minimal host-side requirements. | Not tested by MISP core team |
|
| [MISP dockerized](https://github.com/DCSO/MISP-dockerized-misp-modules) | MISP dockerized is a project designed to provide an easy-to-use and easy-to-install'out of the box' MISP instance that includes everything you need to run MISP with minimal host-side requirements. | Not tested by MISP core team |
|
||||||
| [MISP dockerized modules](https://github.com/DCSO/MISP-dockerized-misp-modules) | MISP-modules for MISP dockerized | Not tested by MISP core team |
|
| [MISP dockerized modules](https://github.com/DCSO/MISP-dockerized-misp-modules) | MISP-modules for MISP dockerized | Not tested by MISP core team |
|
||||||
|
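Review bot: removing the Ansible MISP row here is consistent with it being re-added further down with a different status, but while this table is being edited, the two "MISP dockerized" context rows directly below both link to https://github.com/DCSO/MISP-dockerized-misp-modules; the first row describes the full MISP instance image, so it most likely should point at a different repository than the modules row. Please verify that URL.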
@ -266,6 +265,7 @@ This section lists some projects we know of but not officially support and rely
|
||||||
| [LAC CSV Import](https://github.com/LAC-Japan/MISP-CSVImport) | Register MISP events based on information described in files such as CSV and TSV. | Not tested by MISP core team |
|
| [LAC CSV Import](https://github.com/LAC-Japan/MISP-CSVImport) | Register MISP events based on information described in files such as CSV and TSV. | Not tested by MISP core team |
|
||||||
| [The Hive](https://github.com/TheHive-Project/TheHive) | TheHive: a Scalable, Open Source and Free Security Incident Response Platform | Strong links between core team members, tested and known working |
|
| [The Hive](https://github.com/TheHive-Project/TheHive) | TheHive: a Scalable, Open Source and Free Security Incident Response Platform | Strong links between core team members, tested and known working |
|
||||||
| [puppet-misp](https://github.com/voxpupuli/puppet-misp) | This module installs and configures MISP - [puppet forge site](https://forge.puppet.com/puppet/misp) | Not tested by MISP core team |
|
| [puppet-misp](https://github.com/voxpupuli/puppet-misp) | This module installs and configures MISP - [puppet forge site](https://forge.puppet.com/puppet/misp) | Not tested by MISP core team |
|
||||||
|
| [Ansible MISP](https://github.com/StamusNetworks/ansible-misp) | Ansible playbook to install Malware Information Sharing Platform (MISP) | **unmaintained** |
|
||||||
| [ansible MISP](https://github.com/juju4/ansible-MISP) | ansible role to setup MISP | Not tested by MISP core team |
|
| [ansible MISP](https://github.com/juju4/ansible-MISP) | ansible role to setup MISP | Not tested by MISP core team |
|
||||||
| [OpenDXL ATD MISP](https://github.com/mohlcyber/OpenDXL-ATD-MISP) | Automated threat intelligence collection with McAfee ATD, OpenDXL and MISP | Not tested by MISP core team |
|
| [OpenDXL ATD MISP](https://github.com/mohlcyber/OpenDXL-ATD-MISP) | Automated threat intelligence collection with McAfee ATD, OpenDXL and MISP | Not tested by MISP core team |
|
||||||
| [IMAP Proxy](https://github.com/CIRCL/IMAP-Proxy) | Modular IMAP proxy (including PyCIRCLeanMail and MISP forward modules) | Not tested by MISP core team |
|
| [IMAP Proxy](https://github.com/CIRCL/IMAP-Proxy) | Modular IMAP proxy (including PyCIRCLeanMail and MISP forward modules) | Not tested by MISP core team |
|
||||||
|
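Review bot: the status cell of the re-added Ansible MISP row, "**unmaintained**", breaks the convention of every other row in this table, whose last column states whether the MISP core team tested the project ("Not tested by MISP core team"). Consider "Unmaintained - not tested by MISP core team" so the column keeps one meaning; with the juju4 "ansible MISP" role sitting in the next row, a reader can then see which of the two is the active alternative.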
@ -290,6 +290,7 @@ This section lists some projects we know of but not officially support and rely
|
||||||
| [aptmap](https://github.com/3c7/aptmap) | A [map](https://aptmap.netlify.com) displaying threat actors from the [misp-galaxy](https://github.com/MISP/misp-galaxy) | Not tested by MISP core team |
|
| [aptmap](https://github.com/3c7/aptmap) | A [map](https://aptmap.netlify.com) displaying threat actors from the [misp-galaxy](https://github.com/MISP/misp-galaxy) | Not tested by MISP core team |
|
||||||
| [mispy](https://github.com/nbareil/mispy) | Another MISP module for Python | Not tested by MISP core team |
|
| [mispy](https://github.com/nbareil/mispy) | Another MISP module for Python | Not tested by MISP core team |
|
||||||
| [MispSharp](https://github.com/DBHeise/MispSharp) | C# Library for MISP | Not tested by MISP core team |
|
| [MispSharp](https://github.com/DBHeise/MispSharp) | C# Library for MISP | Not tested by MISP core team |
|
||||||
|
| [misp_btc](https://github.com/rommelfs/misp_btc) | get BTC addresses from MISP and fetch BTC transactions | Tested by MISP core team |
|
||||||
| [Privacy Aware Sharing of IoCs in MISP](https://github.com/charly077/MISP-privacy-aware-sharing-master-thesis) | [Master Thesis](https://github.com/charly077/MISP-privacy-aware-sharing-master-thesis/blob/master/report/report.pdf) including MISP data. | Master thesis |
|
| [Privacy Aware Sharing of IoCs in MISP](https://github.com/charly077/MISP-privacy-aware-sharing-master-thesis) | [Master Thesis](https://github.com/charly077/MISP-privacy-aware-sharing-master-thesis/blob/master/report/report.pdf) including MISP data. | Master thesis |
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
|
|
|
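Review bot: the description cell of the new misp_btc row starts in lowercase ("get BTC addresses from MISP and fetch BTC transactions") while the neighbouring rows use sentence case; capitalise it. Its status "Tested by MISP core team" is also the only such claim among the rows shown here, so it is worth double-checking that it is accurate rather than a copy-paste slip of "Not tested by MISP core team".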
@ -0,0 +1,20 @@
|
||||||
|
# Developer FAQ
|
||||||
|
|
||||||
|
## Main Developer Resources
|
||||||
|
|
||||||
|
The main developer resources can be found on GitHub in the [MISP Wiki](https://github.com/MISP/MISP/wiki).
|
||||||
|
|
||||||
|
The following pages are worth inspecting closer in case you want to actively develop for MISP:
|
||||||
|
|
||||||
|
- [The real FAQ](https://github.com/MISP/MISP/wiki/Frequently-Asked-Questions)
|
||||||
|
- [Contributor Overview](https://github.com/MISP/MISP/wiki/Contributing-to-MISP-Project)
|
||||||
|
- [Some objectives of MISP](https://github.com/MISP/MISP/wiki/Critical-aspects-or-features)
|
||||||
|
- [Various deployment tools](https://github.com/MISP/MISP/wiki/DeploymentTools)
|
||||||
|
- [MISP Code of Conduct](https://github.com/MISP/MISP/blob/2.4/code_of_conduct.md)
|
||||||
|
- [UI coloring scheme](https://github.com/MISP/MISP/wiki/UserInterface)
|
||||||
|
- [Notes on MISP and STIX 2](https://github.com/MISP/MISP/wiki/Notes:-MISP-STIX2)
|
||||||
|
- [Commit Messages Best Practices](https://github.com/MISP/MISP/wiki/CommitMessageBestPractices)
|
||||||
|
- [Internationalization (i18n)](https://www.circl.lu/doc/misp/translation/)
|
||||||
|
|
||||||
|
Our [gitter channel](https://gitter.im/MISP/MISP) is a welcome place to ask other community developers in case you are stuck.
|
||||||
|
|
|
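Review bot: in the closing sentence of the new Developer FAQ, "a welcome place" should be "a welcoming place", and "ask other community developers in case you are stuck" needs an object ("ask other community developers for help when you are stuck"). The list item labelled "The real FAQ" is confusing next to a book chapter that is itself called FAQ; a label such as "MISP project FAQ (GitHub wiki)" tells the reader how it differs from this book's FAQ chapter.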
@ -19,6 +19,24 @@ This means that the main repository has an update available.
|
||||||
|
|
||||||
If you want to play it safer or want to integrate it in your Weekly/Bi-Monthly update routine you can track our [Changelog](https://www.misp-project.org/Changelog.txt) a more up to date version is available [here](https://misp.github.io/MISP/Changelog/)
|
If you want to play it safer or want to integrate it in your Weekly/Bi-Monthly update routine you can track our [Changelog](https://www.misp-project.org/Changelog.txt) a more up to date version is available [here](https://misp.github.io/MISP/Changelog/)
|
||||||
|
|
||||||
|
|
||||||
|
## Maintenance mode
|
||||||
|
|
||||||
|
### Is there a MISP maintenance mode?
|
||||||
|
|
||||||
|
Yes, you want to flip your instances "Live-mode".
|
||||||
|
This wants to be done on the CLI if you experience issues:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$PATH_TO_MISP/app/Console/cake "MISP.live" 0
|
||||||
|
```
|
||||||
|
|
||||||
|
Other related MISP Settings
|
||||||
|
|
||||||
|
Optional MISP.maintenance_message Great things are happening! MISP is undergoing maintenance, but will return shortly. You can contact the administration at $email or call CIRCL. The message that users will see if the instance is not live.
|
||||||
|
|
||||||
|
Critical MISP.live true Unless set to true, the instance will only be accessible by site admins.
|
||||||
|
|
||||||
## Update MISP fails
|
## Update MISP fails
|
||||||
|
|
||||||
If your MISP instance is outdated, meaning ONLY the core, not the modules or dashboard or python modules, you well see the following.
|
If your MISP instance is outdated, meaning ONLY the core, not the modules or dashboard or python modules, you well see the following.
|
||||||
|
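Review bot: the cake command in the new maintenance-mode section, `$PATH_TO_MISP/app/Console/cake "MISP.live" 0`, passes the setting name as the first argument, which is where the cake console expects a shell/command name; please verify the exact invocation against the MISP admin shell before this ships, and show it run as the web server user, as the misp-modules example later in this commit does with `sudo -u www-data`. Wording: "flip your instances "Live-mode"" should be "flip your instance's live mode", and "This wants to be done on the CLI if you experience issues" should be "Do this from the CLI if the web interface is not usable". The two settings lines ("Optional MISP.maintenance_message ..." and "Critical MISP.live true ...") were pasted from the server settings page without table markup, so the level, setting name, default value and description run together; render them as a table with those columns. Finally, the unchanged context line under "Update MISP fails" has the typo "you well see" for "you will see", which could be fixed in the same commit.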
@ -81,7 +99,7 @@ OR if you were foolish enough to not install in a Python virtualenv:
|
||||||
sudo -u www-data misp-modules -l 127.0.0.1 -s &
|
sudo -u www-data misp-modules -l 127.0.0.1 -s &
|
||||||
```
|
```
|
||||||
|
|
||||||
:warning: Running misp-modules like this will certainly kill it once you quit the session. Make sure it is in your **/etc/rc.local** or some ther init script that gets run on boot.
|
> [warning] Running misp-modules like this will certainly kill it once you quit the session. Make sure it is in your **/etc/rc.local** or some ther init script that gets run on boot.
|
||||||
|
|
||||||
## Uninstalling MISP
|
## Uninstalling MISP
|
||||||
|
|
||||||
|
|
|
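Review bot: the reworked warning line still carries the typo "some ther init script" (should be "some other init script"); fix it while the line is being changed from the `:warning:` emoji to the `> [warning]` callout.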
@ -4,13 +4,13 @@
|
||||||
|
|
||||||
Galaxies in MISP are a method used to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values.
|
Galaxies in MISP are a method used to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values.
|
||||||
|
|
||||||
There are default vocabularies available in MISP galaxy but those can be overwritten, replaced or updated as you wish. Vocabularies are from existing standards (like STIX, Veris, MISP and so on) or custom ones.
|
There are default vocabularies available in MISP galaxy but those can be overwritten, replaced or updated as you wish. Vocabularies are from existing standards (like [STIX](https://oasis-open.github.io/cti-documentation/stix/intro), [Veris](http://veriscommunity.net/veris-overview.html), [ATT&CK](https://attack.mitre.org/), MISP and so on) or custom ones you only use for your organization.
|
||||||
|
|
||||||
Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme.
|
Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme.
|
||||||
|
|
||||||
The objective is to have a common set of clusters for organizations starting analysis but that can be expanded to localized information (which is not shared) or additional information (that can be shared).
|
The objective is to have a common set of clusters for organizations starting analysis but that can be expanded to localized information (which is not shared) or additional information (that can be shared).
|
||||||
|
|
||||||
[MISP galaxy](https://github.com/MISP/misp-galaxy) are available on Github.
|
[MISP galaxy](https://github.com/MISP/misp-galaxy) is available on Github.
|
||||||
|
|
||||||
### Managing Galaxies in MISP
|
### Managing Galaxies in MISP
|
||||||
|
|
||||||
|
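Review bot: the new Veris link uses plain http:// while the STIX and ATT&CK links added on the same line use https://; use https for all three. In the last changed line, "Github" should be spelled "GitHub". The new phrase "custom ones you only use for your organization" reads better as "custom ones used only within your organization".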
@ -24,11 +24,11 @@ A list with all the galaxies existing on the server will appear.
|
||||||
|
|
||||||
![GalaxyView](./figures/GalaxyView.png)
|
![GalaxyView](./figures/GalaxyView.png)
|
||||||
|
|
||||||
Each galaxy can be explored using the icon at the end of the line.
|
Each galaxy can be explored using the **View** icon at the end of the line.
|
||||||
|
|
||||||
![GalaxyList](./figures/GalaxyList.png)
|
![GalaxyList](./figures/GalaxyList.png)
|
||||||
|
|
||||||
Here is shown the metadata of the selected galaxy as well as a table with each available value as well as some complementary data such as a description of the value or the activity, that is to say the evolution of the use of each value.
|
Here the metadata of the selected galaxy is shown. You also see a table with each available value as well as some complementary data such as a description of the value or the activity (MISP Sightings), that is to say the evolution of the use of each value.
|
||||||
|
|
||||||
Galaxies can be reimported from the submodules by clicking the "Update Galaxies" link on either the galaxies list or while browsing a specific galaxy. A popup will appear to confirm the reimportation.
|
Galaxies can be reimported from the submodules by clicking the "Update Galaxies" link on either the galaxies list or while browsing a specific galaxy. A popup will appear to confirm the reimportation.
|
||||||
|
|
||||||
|
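Review bot: the new parenthetical "(MISP Sightings)" after "the activity" conflicts with how this same commit defines sightings elsewhere (a reaction to an attribute on an event), whereas the activity described here is "the evolution of the use of each value" of a galaxy. Either reconcile the two descriptions or drop the parenthetical so readers do not equate galaxy activity with attribute sightings. The changed sentence "Here the metadata of the selected galaxy is shown. You also see a table..." would also read better merged as "This page shows the metadata of the selected galaxy, together with a table...".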
@ -38,7 +38,7 @@ All galaxies will always be updated, even while browsing a specific galaxy.
|
||||||
|
|
||||||
### Using Galaxies in MISP Events - Example
|
### Using Galaxies in MISP Events - Example
|
||||||
|
|
||||||
For this example, we will try to add a cluster to an existing event. This cluster will contains informations about threat actor known as Sneaky Panda.
|
For this example, we will try to add a cluster to an existing event. This cluster contains information about threat actor known as Sneaky Panda.
|
||||||
|
|
||||||
![EventWithoutCluster](./figures/EventWithoutCluster.png)
|
![EventWithoutCluster](./figures/EventWithoutCluster.png)
|
||||||
|
|
||||||
|
|
|
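Review bot: in the changed sentence, "about threat actor known as Sneaky Panda" needs an article ("about the threat actor known as Sneaky Panda"), and "we will try to add a cluster" can simply be "we will add a cluster", since the example goes on to do exactly that.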
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
Please read the following CakePHP documentation about i18n & l10n: https://book.cakephp.org/2.0/en/core-libraries/internationalization-and-localization.html
|
Please read the following [CakePHP documentation about i18n & l10n](https://book.cakephp.org/2.0/en/core-libraries/internationalization-and-localization.html).
|
||||||
|
|
||||||
## Add one .md per translation effort
|
## Add one .md per translation effort
|
||||||
|
|
||||||
|
|