Merge remote-tracking branch 'upstream/master'

pull/150/head
Steve Clement 2019-02-01 02:04:37 +09:00
commit 5b1b678a50
4 changed files with 86 additions and 2 deletions

View File

@ -29,6 +29,10 @@ We welcome contributions to the MISP book. If you want to contribute, fork the [
<div class="pagebreak"></div>
## Format
MISP book is available in [HTML](https://www.circl.lu/doc/misp/), [PDF](https://www.circl.lu/doc/misp/book.pdf), [ePub](https://www.circl.lu/doc/misp/book.epub) and [Kindle mobi format](https://www.circl.lu/doc/misp/book.mobi).
## License
The MISP user guide is dual-licensed under [GNU Affero General Public License version 3](http://www.gnu.org/licenses/agpl-3.0.html) and [CC-BY-SA 4.0 international](https://creativecommons.org/licenses/by-sa/4.0/).

View File

@ -17,6 +17,7 @@
|campaign-id| | | X | | | |
|campaign-name| | | X | | | |
|cc-number| | | | | X | |
|cdhash| | X | | | | |
|comment| X | X | X | X | X | X |
|cookie| | X | | | | |
|cortex| | | | X | | |
@ -64,6 +65,8 @@
|github-organisation| | | | | | |
|github-repository| | | | X | | |
|github-username| | | | | | |
|hassh-md5| | | | X | | |
|hasshserver-md5| | | | X | | |
|hex| X | X | | | X | X |
|hostname| | | | X | | |
|hostname&#124;port| | | | | | |
@ -77,6 +80,7 @@
|ip-src| | | | X | | |
|ip-src&#124;port| | | | X | | |
|issue-date-of-the-visa| | | | | | |
|ja3-fingerprint-md5| | | | X | | |
|jabber-id| | | | | | |
|last-name| | | | | | |
|link| X | | | X | | X |
@ -156,6 +160,7 @@
|x509-fingerprint-sha256| | X | X | X | | |
|xmr| | | | | X | |
|yara| | X | | | | |
|zeek| | | | X | | |
|Category| Network activity | Other | Payload delivery | Payload installation | Payload type | Persistence mechanism |
| --- |:---:|:---:|:---:|:---:|:---:|:---:|
@ -172,6 +177,7 @@
|campaign-id| | | | | | |
|campaign-name| | | | | | |
|cc-number| | | | | | |
|cdhash| | | X | X | | |
|comment| X | X | X | X | X | X |
|cookie| X | | | | | |
|cortex| | | | | | |
@ -219,6 +225,8 @@
|github-organisation| | | | | | |
|github-repository| | | | | | |
|github-username| | | | | | |
|hassh-md5| X | | X | | | |
|hasshserver-md5| X | | X | | | |
|hex| X | X | X | X | | X |
|hostname| X | | X | | | |
|hostname&#124;port| X | | X | | | |
@ -232,6 +240,7 @@
|ip-src| X | | X | | | |
|ip-src&#124;port| X | | X | | | |
|issue-date-of-the-visa| | | | | | |
|ja3-fingerprint-md5| X | | X | | | |
|jabber-id| | | | | | |
|last-name| | | | | | |
|link| | | X | | | |
@ -306,11 +315,12 @@
|windows-scheduled-task| | | | | | |
|windows-service-displayname| | | | | | |
|windows-service-name| | | | | | |
|x509-fingerprint-md5| | | X | X | | |
|x509-fingerprint-md5| X | | X | X | | |
|x509-fingerprint-sha1| X | | X | X | | |
|x509-fingerprint-sha256| | | X | X | | |
|x509-fingerprint-sha256| X | | X | X | | |
|xmr| | | | | | |
|yara| | | X | X | | |
|zeek| X | | | | | |
|Category| Person | Social network | Support Tool | Targeting data |
| --- |:---:|:---:|:---:|:---:|
@ -327,6 +337,7 @@
|campaign-id| | | | |
|campaign-name| | | | |
|cc-number| | | | |
|cdhash| | | | |
|comment| X | X | X | X |
|cookie| | | | |
|cortex| | | | |
@ -374,6 +385,8 @@
|github-organisation| | X | | |
|github-repository| | X | | |
|github-username| | X | | |
|hassh-md5| | | | |
|hasshserver-md5| | | | |
|hex| | | X | |
|hostname| | | | |
|hostname&#124;port| | | | |
@ -387,6 +400,7 @@
|ip-src| | | | |
|ip-src&#124;port| | | | |
|issue-date-of-the-visa| X | | | |
|ja3-fingerprint-md5| | | | |
|jabber-id| | X | | |
|last-name| X | | | |
|link| | | X | |
@ -466,6 +480,7 @@
|x509-fingerprint-sha256| | | | |
|xmr| | | | |
|yara| | | | |
|zeek| | | | |
### Categories
@ -502,6 +517,7 @@
* **campaign-id**: Associated campaign ID
* **campaign-name**: Associated campaign name
* **cc-number**: Credit-Card Number
* **cdhash**: An Apple Code Directory Hash, identifying a code-signed Mach-O executable file
* **comment**: Comment or description in a human language
* **cookie**: HTTP cookie as often stored on the user web client. This can include authentication cookie or session cookie.
* **cortex**: Cortex analysis result
@ -549,6 +565,8 @@
* **github-organisation**: A github organisation
* **github-repository**: A github repository
* **github-username**: A github user name
* **hassh-md5**: hassh is a network fingerprinting standard which can be used to identify specific Client SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an MD5 fingerprint.
* **hasshserver-md5**: hasshServer is a network fingerprinting standard which can be used to identify specific Server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an MD5 fingerprint.
* **hex**: A value in hexadecimal format
* **hostname**: A full host/dnsname of an attacker
* **hostname&#124;port**: Hostname and port number seperated by a &#124;
@ -562,6 +580,7 @@
* **ip-src**: A source IP address of the attacker
* **ip-src&#124;port**: IP source and port number seperated by a &#124;
* **issue-date-of-the-visa**: The date on which the visa was issued
* **ja3-fingerprint-md5**: JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.
* **jabber-id**: Jabber ID
* **last-name**: Last name of a natural person
* **link**: Link to an external information
@ -641,3 +660,4 @@
* **x509-fingerprint-sha256**: X509 fingerprint in SHA-256 format
* **xmr**: Monero Address
* **yara**: Yara signature
* **zeek**: An NIDS rule in the Zeek rule-format

View File

@ -4,6 +4,59 @@
The following page hosts most frequently asked questions as seen on our [issues](https://github.com/MISP/issues) and [gitter](https://gitter.im/MISP/MISP).
## Usage
### How can I see all the deleted events in a MISP instance?
You can use the logging system for this, to see all deleted events, simply go to audit actions -> search logs and use the following parameters:
~~~~
model: Event
action: delete
~~~~
This will list all event deletions. To find out more about what a particular deleted event
was, simply grab the ID from the above search results and search for:
~~~~
model: Event
action: add
model_id: <Event ID retrieved from the listing of all event deletions>
~~~~
To do the same via the API, first search for the deletions:
~~~~
POST request:
url: https://url.of.your.misp/logs/index
headers:
Authorization: <your_api_key>
Accept: application/json
Content-type: application/json
Body:
{
"model": "Event",
"action": "delete"
}
~~~~
Then find the individual event's metadata that was deleted
~~~~
POST request:
url: https://url.of.your.misp/logs/index
headers:
Authorization: <your_api_key>
Accept: application/json
Content-type: application/json
Body:
{
"model": "Event",
"action": "add",
"model_id": "<Event ID retrieved from the query before>"
}
~~~~
## Permission issues
If you have any permission issues, please [set the permissions](https://misp.github.io/MISP/INSTALL.ubuntu1804/#5-set-the-permissions) to something sane first.

View File

@ -32,6 +32,13 @@ Prior to enabling it, make sure that you have the pyzmq installed by running
~~~~
sudo pip install pyzmq
sudo pip install redis
~~~~
If you have problems and the plugin does not start, the logfile may be helpful.
~~~~
sudo cat /var/www/MISP/app/tmp/logs/mispzmq.error.log
~~~~
![ZeroMQ configuration](./figures/zmq-config.png)