MISP
/
misp-book
mirror of https://github.com/MISP/misp-book
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [doc] Updated administration section 

chg: [doc] Typo in GLOSSARY
chg: [doc] Updated USAGE with various warnings
chg: [doc] Updated conventions used in book and added references to MISPs CoC
pull/128/head
Steve Clement 2018-09-07 16:10:47 +02:00
parent 659747f3b5
commit 9f0436117b
4 changed files with 108 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
GLOSSARY.md
View File

@ -1,6 +1,6 @@
## MISP Glossary
This glossary is meant as a quick lookup document in case of any need of clarification of any threat sharing, threat-intel lingo.
Be careful when adding terms to the glossary. Adding a generic term like: *MISP* will prevent terms like *MISP noticelist* to be addded. As a matter of definition please use the singular of for any terms.
Be careful when adding terms to the glossary. Adding a generic term like: *MISP* will prevent terms like *MISP noticelist* to be addded. As a matter of definition please use the singular for any terms.
In case you use any CCBYSA licensed content, or other pieces that are subject to licensing, make sure to add it as a by-line at the end of the mention.
## API

10
USAGE.md
View File

@ -5,6 +5,16 @@ Install notes
:warning: Make sure to be in the *misp-book* repository directory for the *npm magic*.
Also: The *npm* plugin *autocover* is broken. It pulls an incompatible *canvas* module version. Thus patched repository used (forked from original)
Finally: You will get a few errors on Ubuntu 18.04 which you can ignore for now. In the rather near future we need to think about an alternative as gitbook glides towards obsoletion and security risk.
Reason for concern:
```
npm WARN deprecated ignore@3.1.2: several bugs fixed in v3.2.1
npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
npm WARN deprecated hoek@2.16.3: The major version is no longer supported. Please update to 4.x or newer
npm WARN deprecated datauri@0.2.1: Potential REDOS vulnerability removed in v1.1.0
npm WARN deprecated coffee-script@1.12.7: CoffeeScript on NPM has moved to "coffeescript" (no hyphen)
```
Tested on: *Ubuntu 18.04 LTS* *Debian 9.5/sid/testing*
[Terminal Recording of npm install lines on Ubuntu 18.04](https://asciinema.org/a/84JZMuGu2QlFH59q6mK8jbdQS)

69
administration/README.md
View File

@ -7,19 +7,19 @@
* [Roles](#roles)
* [Tools](#tools)
* [Server Settings](#server-settings)
* Jobs
* Scheduled Tasks
* [Jobs](#jobs)
* [Scheduled Tasks](#scheduled-tasks)
> [warning] This page is under modification for updating the content. Current status:
- [x] Users
- [x] Organisations
- [x] Roles
- [x] Tools
- [ ] Server Settings
- [ ] Jobs
- [ ] Scheduled Tasks
- [x] Users - Reviewed/Updated on: ?
- [x] Organisations - Reviewed/Updated on: ?
- [x] Roles - Reviewed/Updated on: ?
- [x] Tools - Reviewed/Updated on: ?
- [ ] Server Settings - Reviewed/Updated on: ?
- [ ] Jobs aka. Background processing - Reviewed/Updated on: ?
- [ ] Scheduled Tasks aka. Background processing - Reviewed/Updated on: ?
- - -
@ -329,13 +329,22 @@ If enabled, MISP can delegate a lot of the time intensive tasks to the backgroun
#### Command Line Tools for the Background Workers
The background workers are powered by [CakeResque](https://github.com/kamisama/Cake-Resque), so all of the CakeResque commands work.
To start all of the workers needed by MISP go to your `/var/www/MISP/app/Console/worker` (assuming a standard installation path) and execute start.sh.
To interact with the workers, here is a list of useful commands. Go to your `/var/www/MISP/app/Console` (assuming a standard installation path) and execute one of the following commands as a parameter to `./cake CakeResque.CakeResque` (for example: `./cake CakeResque.CakeResque tail`):
To start all of the workers needed by MISP go to your `/var/www/MISP/app/Console/worker` (assuming a standard installation path) and execute `start.sh`.
To interact with the workers, here is a list of useful commands. Go to your `/var/www/MISP/app/Console` (assuming a standard installation path) and execute one of the following commands as a parameter to `./cake CakeResque` (for example: `./cake CakeResque tail`):
* **tail**: tail the various log files that CakeResque creates, just choose the one from the list that you are interested in.
* **cleanup**: terminate the job that a worker is working on with immediate effect. You will be presented with a choice of workers to choose from when executing this command.
* **clear**: Clear the queue of a worker immediately.
* **stats**: Display some statistics about your workers including the count of successful and failed jobs.
* **start**: Start a new worker.
* **startscheduler**: Start a new scheduler worker.
* **stop**: Stop a worker.
* **pause**: Pause a worker.
* **resume**: Resume a paused worker.
* **cleanup**: Terminate the job that a worker is working on with immediate effect. You will be presented with a choice of workers to choose from when executing this command.
* **restart**: Stop all Resque workers, and start a new one.
* **clear**: Clear all jobs inside a queue
* **reset**: Reset CakeResque internal worker's saved status
* **stats**: Display some statistics about your workers including the count of successful and failed jobs.
* **tail**: Tail the various (workers) log files that CakeResque creates, just choose the one from the list that you are interested in.
* **track**: Track a job status.
* **load**: Load a set of predefined workers.
The other commands should not be required, instead of starting / stopping or restarting workers use the supplied start.sh (it stops all workers and starts them all up again). For further instructions on how to use the console commands for the workers, visit the [CakeResque list of commands](http://cakeresque.kamisama.me/commands#cleanup).
@ -585,3 +594,33 @@ An example of error message:
```
Error: [PDOException] SQLSTATE[42S22]: Column not found: 1054 Unknown column 'Task.job_id' in 'field list'
```
### Jobs
The Jobs tab gives you an overview on any currently running jobs or jobs that were previously completed and their status.
![Running Jobs](figures/jobs-running.png)
Typically this is one of the places you would turn to even some background process might not complete as expected to get an indication on any issues related to user initiated Jobs.
For ease of use, you can filter the Jobs by 'All', 'Default', 'Email', 'Cache'
##### Todo: Explain differences Default, Email, Cache
You can also purge the entries, either only by completed status or purge all.
This is not automated and needs to be done manually.
### Scheduled Tasks
Straight from the UI:
"""
Here you can schedule pre-defined tasks that will be executed every x hours. You can alter the date and time of the next scheduled execution and the frequency at which it will be repeated (expressed in hours). If you set the frequency to 0 then the task will not be repeated. To change and of the above mentioned settings just click on the appropriate field and hit update all when you are done editing the scheduled tasks.
Warning: Scheduled tasks come with a lot of caveats and little in regards of customisations / granularity. You can instead simply create cron jobs out of the console commands as described here: Automating certain console tasks
"""
The task scheduler is a sub-par component to enable minimal functionality in terms of automating certain MISP tasks.
If you have a dedicated and concious MISP Site Admin she can keep an eye on the Scheduler to make sure everything runs smoothly.
For better performance please use a real scheduler like your systems' crontab.
As a rule of thumb: If you can click on it, MISP can automate it.

44
book-convention/README.md
View File

@ -1,3 +1,9 @@
<!-- This is a comment.
If you plan on contributing to misp-book, welcome and enjoy.
In case of any and all questions, feel free to join our gitter:
https://gitter.im/MISP/MISP
For Aiur! -->
---
description: Convention Used in MISP-Book
---
@ -8,6 +14,33 @@ description: Convention Used in MISP-Book
* Used for variable, function or menu names in MISP.
## Language
The language in this book is american english.
All the screenshots and examples are in english.
## CoC
The same code of conduct applies to this book as for the main MISP project.
As a book can some times be considered the inadvertent sould of a piece of software, please take good care and consideration of our `Code of Conduct`. The CoC [can be read here](https://github.com/MISP/MISP/blob/2.4/code_of_conduct.md).
## Example install
The examples and screenshots provided in this book have been created with the MISP Autogenerated VM.
To get a copy of the latest VM [click here](https://www.circl.lu/misp-images/latest/)
## MISP Instance
In general when talking about a network of inter-connected MISP servers, each server is a MISP instance. Whilst we have no strong feelings towards anyones naming schemes, as a rule of thumb try to have a scheme that makes everyday use easy when analysts need to talk about remote MISP instances.
<!--
ToDo: Be more specific give some naming convention examples.
-->
The hostname used for the instance in this book is `misp.local` and we will henceforth refer to it either by name or as `local MISP instance`.
## Example Organisations
As MISP is a platform to support information sharing, example organisations are often used within this book.
@ -21,5 +54,14 @@ The following two organisations are regularly used as example:
Starting from MISP 2.4.71, the example organisations with the above mentioned UUID are **black-listed** to avoid
large distribution of sample events while testing a MISP instance. If you want to test your distribution, the
sample organisation black-listing can be removed in `Administration` under `Manage Org Blacklists`.
sample organisation black-listing can be removed in `Administration`/`Manage Org Blacklists`.
## Example IOCs
As with the example organisations, we want to make this book as useful as possible by using real life examples.
The following IOC examples have been used:
* [Sirefef](https://www.misp-project.org/galaxy.html#_zeroaccess) (aka ZeroAccess)
* [WannaCry](https://www.misp-project.org/galaxy.html#_wannacry)
* [Dridex](https://www.misp-project.org/galaxy.html#_dridex)