From fce2f55a5948237bd4c97a0cd7622a06cb44defc Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 1 Feb 2019 07:25:48 +0100 Subject: [PATCH 1/6] chg: [datamodel] anonymise type added --- categories-and-types/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/categories-and-types/README.md b/categories-and-types/README.md index 141a942..2d1ef83 100644 --- a/categories-and-types/README.md +++ b/categories-and-types/README.md @@ -6,6 +6,7 @@ | --- |:---:|:---:|:---:|:---:|:---:|:---:| |AS| | | | X | | | |aba-rtn| | | | | X | | +|anonymised| X | X | X | X | X | X | |attachment| X | X | | X | | | |authentihash| | X | | | | | |bank-account-nr| | | | | X | | @@ -166,6 +167,7 @@ | --- |:---:|:---:|:---:|:---:|:---:|:---:| |AS| X | | X | | | | |aba-rtn| | | | | | | +|anonymised| X | X | X | X | X | X | |attachment| X | | X | X | | | |authentihash| | | X | X | | | |bank-account-nr| | | | | | | @@ -326,6 +328,7 @@ | --- |:---:|:---:|:---:|:---:| |AS| | | | | |aba-rtn| | | | | +|anonymised| X | X | X | X | |attachment| | | X | | |authentihash| | | | | |bank-account-nr| | | | | @@ -506,6 +509,7 @@ * **AS**: Autonomous system * **aba-rtn**: ABA routing transit number +* **anonymised**: Anonymised value - described with the anonymisation object via a relationship * **attachment**: Attachment with external information * **authentihash**: Authenticode executable signature hash * **bank-account-nr**: Bank account number without any routing number From 7a98452c7f70dcfcaba4db03a53630ee803c04b6 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 13 Mar 2019 21:49:06 +0100 Subject: [PATCH 2/6] chg: quick-start introduction updated to reflect current use of MISP --- quick-start/README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/quick-start/README.md b/quick-start/README.md index b7cd189..945249b 100644 --- a/quick-start/README.md +++ b/quick-start/README.md 
@@ -2,8 +2,10 @@ And Justice for All! --> # Quick Start -The Malware Information Sharing Platform (MISP) tool facilitates the exchange of Indicators of Compromise (IOCs) about targeted malware and attacks, within your community of trusted members. MISP is a distributed IOC database containing technical and non-technical information. Exchanging such information should result in faster detection of targeted attacks and improve the detection ratio, whilst also reducing the number of false positives. -With the focus on automation and standards, MISP provides you with a powerful API via PyMISP, jump ahead to these chapters to get started. + +MISP (Open Source Threat Intelligence and Sharing Platform) software facilitates the exchange and sharing of threat intelligence, Indicators of Compromise (IOCs) about targeted malware and attacks, financial fraud or any intelligence within your community of trusted members. MISP sharing is a distributed model containing technical and non-technical information which can be shared within closed, semi-private or open communities. Exchanging such information should result in faster detection of targeted attacks and improve the detection ratio, whilst also reducing the number of false positives. + +With the focus on automation and standards, MISP provides you with a powerful ReST API, extensibility (via misp-modules) or additional libraries such as PyMISP, jump ahead to these chapters to get started. ## Login into MISP From 40f91d6e2e0c68a10b9a44c5fb5d690ba28d96dd Mon Sep 17 00:00:00 2001 From: Sascha Rommelfangen Date: Wed, 27 Mar 2019 15:27:40 +0100 Subject: [PATCH 3/6] How to enable the csv import module? thx @StefanKelm for the reply and @ag-michael for the question ;) --- faq/README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/faq/README.md b/faq/README.md index baa500a..2104257 100644 --- a/faq/README.md +++ b/faq/README.md 
@@ -193,6 +193,13 @@ There is a server setting to treat all incoming tags as hidden by default: `MISP **Important** Make sure that you don't remove "tag editor" from sync users, or you'll be stripping tags from synchronized data. +## How to enable the csv import module? + +In Server Settings & Maintenance -> Plugin Settings -> Import -> set "Plugin.Import_csvimport_enabled" to true. +Afterwards you'll find the csvimport from within the newly created event: "Populate from..." + +Don't use from the main site ("Import from..."). + From 56f9553f0ed40474302b00830fc0a7a831833870 Mon Sep 17 00:00:00 2001 From: Sascha Rommelfangen Date: Tue, 9 Apr 2019 13:42:24 +0200 Subject: [PATCH 4/6] added black-hole explanation --- faq/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/faq/README.md b/faq/README.md index 2104257..6e1fcdc 100644 --- a/faq/README.md +++ b/faq/README.md @@ -200,6 +200,14 @@ Afterwards you'll find the csvimport from within the newly created event: "Popul Don't use from the main site ("Import from..."). + +## Why do I see 'The request has been black-holed' when I submit forms? + +That's a security measure for form tampering protection. + +All forms have a timeout (~15min) and all of them can only be submitted once. If you use your browser's "back" button and resubmit the form MISP will consider it as a potential attempt at form tampering. + + From 003ef471f8e98ca5141533367df3f75c40a3a932 Mon Sep 17 00:00:00 2001 From: Sascha Rommelfangen Date: Tue, 9 Apr 2019 14:18:54 +0200 Subject: [PATCH 5/6] added memory limit issue --- faq/README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/faq/README.md b/faq/README.md index 6e1fcdc..f6f53c1 100644 --- a/faq/README.md +++ b/faq/README.md 
@@ -208,6 +208,16 @@ That's a security measure for form tampering protection. All forms have a timeout (~15min) and all of them can only be submitted once. If you use your browser's "back" button and resubmit the form MISP will consider it as a potential attempt at form tampering. +## Importing large feeds creates PHP Fatal error + +When importing a large feed like the CIRCL feed, the job reaches 99% and then fails. +The log file records: +``` +PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 1941504 bytes) in /var/www/MISP/app/Model/Feed.php on line 691 +``` + +In this case you will need to increase the memory_limit option in `php.ini` file + From 0dc5ce65ad1b4e32a05bd3ae61167ae7e76ed153 Mon Sep 17 00:00:00 2001 From: Sascha Rommelfangen Date: Tue, 9 Apr 2019 14:28:41 +0200 Subject: [PATCH 6/6] added SELinux --- faq/README.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/faq/README.md b/faq/README.md index f6f53c1..f7f792b 100644 --- a/faq/README.md +++ b/faq/README.md @@ -195,6 +195,8 @@ There is a server setting to treat all incoming tags as hidden by default: `MISP ## How to enable the csv import module? +First you have to enable the import services: double-click on "false" in the very first line and change it to "true". + In Server Settings & Maintenance -> Plugin Settings -> Import -> set "Plugin.Import_csvimport_enabled" to true. Afterwards you'll find the csvimport from within the newly created event: "Populate from..." 
@@ -218,6 +220,31 @@ PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allo In this case you will need to increase the memory_limit option in `php.ini` file + +## config.php is not writeable + +``` +Warning: app/Config/config.php is not writeable. This means that any setting changes made here will NOT be saved. +``` + +According to the install guide, make sure to: +``` +chown -R apache:apache /var/www/MISP +find /var/www/MISP -type d -exec chmod g=rx {} \; +chmod -R g+r,o= /var/www/MISP +``` +If it still doesn't work, make sure SELinxu is not enabled or modify the rule set: +``` +chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files +chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/terms +chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/scripts/tmp +chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Plugin/CakeResque/tmp +chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp +chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs +chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom +``` + +
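Review bot: in the three table hunks of PATCH 1/6 the new row `|anonymised| X | X | X | X | X | X |` sets an X in every column of every category table, while the neighbouring rows (`|AS| | | | X | | |`, `|aba-rtn| | | | | X | |`) each select one or two categories; state in the description hunk why an anonymised value is valid in all categories, or trim the row to the categories the anonymisation object actually supports.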
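Review bot: the new description line in PATCH 1/6, `* **anonymised**: Anonymised value - described with the anonymisation object via a relationship`, does not name the relationship used to link the attribute to the anonymisation object, and the commit subject says "anonymise type" while the type itself is `anonymised`; name the relationship in the description and align the subject with the type name.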
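Review bot: in PATCH 2/6 the replacement line `+With the focus on automation and standards, MISP provides you with a powerful ReST API, extensibility (via misp-modules) or additional libraries such as PyMISP, jump ahead to these chapters to get started.` is a comma splice and "these chapters" points nowhere; split it after "PyMISP" and name or link the API and PyMISP chapters. Also "ReST" should be "REST", and "MISP (Open Source Threat Intelligence and Sharing Platform) software facilitates" reads better without "software".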
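Review bot: in PATCH 3/6 the line `+Don't use from the main site ("Import from...").` is missing its object and gives no reason; say "Don't use the csvimport module from the main site's "Import from..." menu" and add why the event-level "Populate from..." path is the one that works. The setting key `Plugin.Import_csvimport_enabled` would also read better in backticks, matching the `MISP` setting reference in the context line above the hunk.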
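Review bot: the black-hole answer in PATCH 4/6 explains the cause but not the remedy; after `+All forms have a timeout (~15min) and all of them can only be submitted once. If you use your browser's "back" button and resubmit the form MISP will consider it as a potential attempt at form tampering.` add what the user should do (open the form again and fill it in fresh rather than resubmitting the page from history) and make explicit that letting the ~15 minute timeout elapse before submitting produces the same message. The hunk also adds two leading and two trailing `+` blank lines, which leaves stray empty lines between the FAQ sections.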
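Review bot: in PATCH 5/6 the closing line `+In this case you will need to increase the memory_limit option in `php.ini` file` lacks a period, does not say which `php.ini` is meant (the failure happens in a background job, so the file read by the worker process may not be the web server's), and gives no target value; state that the quoted `536870912 bytes` equals 512M, suggest a concrete larger value, and mention restarting the affected service afterwards. The heading `+## Importing large feeds creates PHP Fatal error` reads better as "causes a PHP Fatal error".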
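Review bot: in the first hunk of PATCH 6/6 the line `+First you have to enable the import services: double-click on "false" in the very first line and change it to "true".` names no setting, unlike the `Plugin.Import_csvimport_enabled` line that follows it; give the setting key instead of "the very first line", which depends on the UI's ordering. This edit to the CSV-import FAQ is also unrelated to the commit subject "added SELinux"; split it into its own commit or mention it in the message.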
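Review bot: in the second hunk of PATCH 6/6 the line `+If it still doesn't work, make sure SELinxu is not enabled or modify the rule set:` has a typo ("SELinxu") and, more importantly, presents disabling SELinux as the first option; reword it so that keeping SELinux enforcing and applying the `chcon` context changes listed below is the recommended fix. "According to the install guide, make sure to:" should link the guide it refers to, since the owner in `chown -R apache:apache /var/www/MISP` and the paths are specific to that installation layout. The hunk also ends with two `+` blank lines that add trailing empty lines to the file.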