From 8ed2e7790c7f2fdd90d741d47f9857875630512c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Andr=C3=A9?= Date: Fri, 9 Oct 2015 15:53:05 +0100 Subject: [PATCH 1/3] Added Various administration tricks paragraph --- administration/README.md | 66 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/administration/README.md b/administration/README.md index f4337dd..98d3ce4 100644 --- a/administration/README.md +++ b/administration/README.md 
@@ -266,3 +266,69 @@ Apart from off-loading long-lasting jobs to the background workers, there is a s ![Site administrators can schedule reccuring tasks on this page.](figures/schedule.png) + +### Various administration tricks + +#### Default sharing level + +Choose your default sharing level to match your usage scenario for MISP. The setting is named *default_event_distribution* and the values can be: + +* Your organisation only (default) +* This community only +* Connected communities +* All communities + +You can also set a default distribution level for attributes contained in an event with *default_attribute_distribution*, and it has the same values as the default sharing level for events plus an additional one that allows attributes to inherit the sharing level of the event. + +#### Adding organisation logos + +You can add logo for organisations in MISP by uploading them via the tab **Manage files** under the **Administration** menu & **Server Settings** sub-menu. +The filename must be exactly the same as the organisation name that you will use in MISP. +It is recommended to use PNG files of 48x48 pixels. + +#### The \_schdlr\_ worker is not starting + +If you already made sure that you copied the config file under the cakeresque directory, it might be due to the FQDN of the server hosting the instance has changed. A way to fix this is to flush temporary data stored in redis. This can be done by logging in redis, for example when logging in with redis-cli, and issuing a flushall command. 
+ +#### How to redirect HTTP to HTTPS + + ``` + + ServerAdmin misp@misp.misp + ServerName misp.misp.misp + ServerAlias misp-int.misp.misp + + Redirect permanent / https://misp.misp.misp + + LogLevel warn + ErrorLog /var/log/apache2/misp.local_error.log + CustomLog /var/log/apache2/misp.local_access.log combined + ServerSignature Off + + + + ServerAdmin misp@misp.misp + ServerName misp.misp.misp + ServerAlias misp-int.misp.misp + + DocumentRoot /var/www/MISP/app/webroot + + Options -Indexes + AllowOverride all + Order allow,deny + allow from all + + + SSLEngine On + SSLCertificateFile /etc/ssl/misp.misp.misp/misp.crt + SSLCertificateKeyFile /etc/ssl/misp.misp.misp/misp.key + SSLCertificateChainFile /etc/ssl/misp.misp.misp/mispCA.crt + + LogLevel warn + ErrorLog /var/log/apache2/misp.local_error.log + CustomLog /var/log/apache2/misp.local_access.log combined + ServerSignature Off + + ``` + (Taken from http://www.vanimpe.eu/2015/05/31/getting-started-misp-malware-information-sharing-platform-threat-sharing-part-3/) + From ae522fc935f9a50a19f2ab759626f82c6e4b6b8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Andr=C3=A9?= Date: Fri, 9 Oct 2015 15:54:45 +0100 Subject: [PATCH 2/3] Correct display of code block for "How to redirect HTTP to HTTPS" paragraph --- administration/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/administration/README.md b/administration/README.md index 98d3ce4..562ae3c 100644 --- a/administration/README.md +++ b/administration/README.md @@ -292,7 +292,7 @@ If you already made sure that you copied the config file under the cakeresque di #### How to redirect HTTP to HTTPS - ``` +``` ServerAdmin misp@misp.misp ServerName misp.misp.misp @@ -330,5 +330,6 @@ If you already made sure that you copied the config file under the cakeresque di ServerSignature Off ``` + (Taken from http://www.vanimpe.eu/2015/05/31/getting-started-misp-malware-information-sharing-platform-threat-sharing-part-3/) 
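Review bot: in the "How to redirect HTTP to HTTPS" block of the `@@ -266,3 +266,69 @@` hunk, the lines as displayed carry no `<VirtualHost *:80>`, `<VirtualHost *:443>` or `<Directory /var/www/MISP/app/webroot>` wrappers around the two server sections and the `Options -Indexes` / `AllowOverride all` lines; if those angle-bracket lines are in the file but get eaten as HTML because the fence is indented (both the opening and closing ``` are preceded by a space), de-indent the fence and check the rendered page, otherwise the snippet cannot be copied into Apache as two separate hosts. Two smaller points in the same block: `Redirect permanent / https://misp.misp.misp` should end with a trailing slash (`https://misp.misp.misp/`), because `Redirect` appends whatever follows the matched `/` directly to the target, so `/users/login` would become `https://misp.misp.mispusers/login`; and `Order allow,deny` / `allow from all` is Apache 2.2 access control, which on 2.4 needs `mod_access_compat` or should read `Require all granted`. Since the TLS host carries no `SSLProtocol` or `SSLCipherSuite` directives, one sentence saying the sample shows only the redirect and certificate wiring, not a hardened TLS configuration, would stop readers copying it as-is. In the `_schdlr_` paragraph, `flushall` deletes every key in every database of that Redis server, not just MISP's scheduler state; say so, and point to `flushdb` against MISP's own database where the Redis instance is shared with other applications.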
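Review bot: the `@@ -292,7 +292,7 @@` hunk of patch 2 de-indents only the opening fence; the closing ``` after `ServerSignature Off` is still indented by a space, as the context of the second hunk shows, so renderers that honour the opening fence now see an unterminated code block. De-indent both fences in the same commit, and while there, drop the leading space on the `(Taken from ...)` attribution line so it renders as a normal paragraph under the block.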
From 9b4eee564da9807f1434181046a8ee7773a2b5e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Andr=C3=A9?= Date: Fri, 9 Oct 2015 19:44:17 +0100 Subject: [PATCH 3/3] - Changed title of chapter to Various administration tips and tricks - Added comment for Apache webserver config - Added paragraph on support and feature requests - Added paragraph on adding IOCs from PDF reports --- administration/README.md | 25 ++++++++++++++++++++++--- using-the-system/README.md | 6 ++++++ 2 files changed, 28 insertions(+), 3 deletions(-) diff --git a/administration/README.md b/administration/README.md index 562ae3c..9f4b22a 100644 --- a/administration/README.md +++ b/administration/README.md @@ -267,7 +267,7 @@ Apart from off-loading long-lasting jobs to the background workers, there is a s ![Site administrators can schedule reccuring tasks on this page.](figures/schedule.png) -### Various administration tricks +### Various administration tips & tricks #### Default sharing level @@ -292,6 +292,7 @@ If you already made sure that you copied the config file under the cakeresque di #### How to redirect HTTP to HTTPS +Here is a sample configuration for Apache webserver. ``` ServerAdmin misp@misp.misp 
@@ -329,7 +330,25 @@ If you already made sure that you copied the config file under the cakeresque di CustomLog /var/log/apache2/misp.local_access.log combined ServerSignature Off - ``` + ``` + Taken from [Koen Van Impe's blog](http://www.vanimpe.eu/2015/05/31/getting-started-misp-malware-information-sharing-platform-threat-sharing-part-3/) - (Taken from http://www.vanimpe.eu/2015/05/31/getting-started-misp-malware-information-sharing-platform-threat-sharing-part-3/) +#### Support & feature requests + +The preferred method for support & feature requests is to use the [GitHub ticketing system](https://github.com/MISP/MISP/issues). + +If you want to discuss about something related to MISP, want help from the community, etc... You have +the [MISP Users mailing list](https://groups.google.com/forum/#!forum/misp-users) and the [MISP developers mailing list](https://groups.google.com/forum/#!forum/misp-devel). + +A number of companies are also offering custom development, consulting, and support around MISP, please check [the support page of the MISP Project website](http://www.misp-project.org/#support). + +#### More information in the notification emails about new events + +The setting MISP.extended_alert_subject allows you to have an extended subject. One word of warning though. If you’re using encryption : the subject will not be encrypted. Be aware that you might leak some sensitive information this way. Below is an example how the two subject types look like. First with the option disabled, then with the option enabled. +``` +Event 7 - Low - TLP Amber +Event 8 - OSINT - Dissecting XXX... - Low - TLP Amber +``` + + Taken from [Koen Van Impe's blog](http://www.vanimpe.eu/2015/05/31/getting-started-misp-malware-information-sharing-platform-threat-sharing-part-3/) diff --git a/using-the-system/README.md b/using-the-system/README.md index d9fe641..bb13cf1 100644 --- a/using-the-system/README.md +++ b/using-the-system/README.md 
@@ -128,6 +128,10 @@ You can also import the data from a ThreatConnect export csv file. The following The result will be a list of attributes that get added to the currently selected event, each of which will be marked with a comment that indicates that its origin being from a ThreatConnect import. +### Adding IOCs from a PDF report + +You can You can use a generic script called [IOC parser](https://github.com/armbues/ioc_parser) or use a script published by Palo Alto to convert IOC parser output to a MISP event: [report_to_misp] (https://github.com/PaloAltoNetworks-BD/report_to_misp/). + ### Publish an event: ![Only use publish (no email) for minor changes such as the correction of typos.](figures/publish.png) @@ -621,3 +625,5 @@ The respone from requesting an invalid page + +
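Review bot: in the `@@ -292,6 +292,7 @@` hunk of patch 3, `Here is a sample configuration for Apache webserver.` is inserted directly above the opening fence with no blank line between them; add one, since not every markdown renderer lets a fence interrupt a paragraph, and write "for the Apache web server".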
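Review bot: the `@@ -329,7 +330,25 @@` hunk removes the closing fence line and re-adds one that still shows a leading space, so the change looks whitespace-only and the fence may remain indented; confirm the replacement line really starts in column one, since this is the line patch 2 left broken. In the `MISP.extended_alert_subject` paragraph, the warning is right but would be more useful if it named what is exposed: the event's info text (`OSINT - Dissecting XXX...` in the example) goes into the cleartext `Subject:` header, which every relaying MTA, mailbox index and notification preview sees even when the body is PGP-encrypted, so the setting should stay off on instances that carry non-public event titles. Wording in the same hunk: `If you’re using encryption :` has a stray space before the colon, `etc... You have` reads better as `etc., you have`, and `an example how the two subject types look like` should be `an example of what the two subject types look like`.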
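Review bot: the `@@ -128,6 +128,10 @@` hunk in using-the-system/README.md starts with the duplicated words `You can You can`, and `[report_to_misp] (https://github.com/PaloAltoNetworks-BD/report_to_misp/)` has a space between `]` and `(`, which breaks the markdown link; write `[report_to_misp](https://github.com/PaloAltoNetworks-BD/report_to_misp/)`. The paragraph would also benefit from one sentence telling the reader to review the parsed indicators before publishing the event, since automatic extraction from a vendor PDF picks up strings that are not indicators (the vendor's own domains, version numbers, sample filenames) alongside the real ones.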
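Review bot: the `@@ -621,3 +625,5 @@` hunk only appends two empty lines at the end of using-the-system/README.md; this is whitespace noise unrelated to the commit message and should be dropped from the patch.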