chg: [dashboard] Added FAQ entry on how to debug misp-dashboard

chg: [galaxies] Mild attempt to document how to roll your own.
pull/156/head
Steve Clement 2019-04-26 06:44:31 +09:00
parent 4f11f9cada
commit a7bb7126b7
2 changed files with 78 additions and 0 deletions


@ -266,6 +266,25 @@ chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom
``` ```
## How to debug misp-dashboard
This is the full chain from MISP to the live dashboard and some tips to find out which link is faulty.
1. MISP
Ensure that ZMQ is installed and enabled with the correct settings
2. MISP ZMQ
You can use MISP/tools/misp-zmq/sub.py which will subscribe to the ZMQ and print the data
3. ZMQ_subscriber
You can change the logging level from logging.INFO to logging.DEBUG and look in the logs for the string Pushed: *
Or add a print statement in the put_in_redis_list function
4. ZMQ_dispatcher
Look in the logs for the string Handling *
5. Server (Flask) and Browser (live Dashboard)
Open the Web developer Network tab in your browser and look for the url /_logs with Content-Type: text/event-stream;
<!-- <!--
Comment Place Holder Comment Place Holder
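Review bot: the five debug steps in the new "How to debug misp-dashboard" section will not render as a list, because each step's explanation sits on its own unindented line after the `1. MISP` item; indent the continuation lines (or put the text on the same line as the item) so the numbered list survives Markdown rendering. The strings and paths a reader has to type or grep for belong in backticks (`MISP/tools/misp-zmq/sub.py`, `Pushed: *`, `Handling *`, `put_in_redis_list`, `/_logs`), and the trailing `;` after `Content-Type: text/event-stream` reads as part of the header value. Step 1 ("Ensure that ZMQ is installed and enabled with the correct settings") would help more if it said where in MISP those settings live and which ones matter, and steps 3 and 4 should name the log files to look in, since the reader debugging a broken chain is exactly the one who does not yet know where the ZMQ_subscriber and ZMQ_dispatcher logs are.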


@ -36,6 +36,64 @@ Galaxies can be reimported from the submodules by clicking the "Update Galaxies"
All galaxies will always be updated, even while browsing a specific galaxy. All galaxies will always be updated, even while browsing a specific galaxy.
### Adding a custom Galaxy repository in MISP (WiP - notFunctional)
[Fork](https://help.github.com/articles/fork-a-repo/) the [misp-galaxy](https://github.com/MISP/misp-galaxy/) repository to your github account.
Once you have forked the repo you can do the following, assuming you have followed the Standard MISP Install.
```bash
cd /var/www/MISP/app/files/
sudo rm -rf misp-galaxy
# Replace the following line with your fork
sudo -u www-data git clone https://github.com/SteveClement/misp-galaxy.git
```
Once this is done double check if you can still see the Galaxies in the Web UI.
> [warning] This will impact the UI "Update MISP" functionality in administration. Your git head might get [detached](https://git-scm.com/docs/gitglossary#gitglossary-aiddefdetachedHEADadetachedHEAD) in your misp-galaxy repo.
### Adding a new Galaxy (WiP - notFuctional)
#### Dependencies
To create your own Galaxies the following tools are needed to run the validation scripts.
- jsonschema (>v2.4)
- jq
- moreutils (sponge)
On a Debian flavoured distribution you can potentially do this:
```bash
sudo apt install jq moreutils python3-jsonschema
sudo wget -O /usr/local/bin/jsonschema https://gist.githubusercontent.com/SteveClement/e6ac60e153e9657913000216fc77c6ef/raw/c273ace06ad338d609dd2c84a0a6e215a268ea11/jsonschema
sudo chmod +x /usr/local/bin/jsonschema # This will only work with jsonschema >2.4 (before no CLI interface was available)
```
#### Create a fork
To add your custom Galaxy it is preferable to [fork](https://help.github.com/articles/fork-a-repo/) the [misp-galaxy](https://github.com/MISP/misp-galaxy/) repository. See above for details.
#### Understanding directory structure
#### Removing a Galaxy to better understand the add
Let's start with removing a single Galaxy.
```bash
cd /var/www/MISP/app/files/misp-galaxy
sudo -u www-data rm galaxies/android.json
sudo -u www-data rm clusters/android.json
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateGalaxies force
```
After this you will have removed the android Galaxy Cluster.
### Using Galaxies in MISP Events - Example ### Using Galaxies in MISP Events - Example
For this example, we will try to add a cluster to an existing event. This cluster contains information about threat actor known as Sneaky Panda. For this example, we will try to add a cluster to an existing event. This cluster contains information about threat actor known as Sneaky Panda.
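Review bot: the Dependencies block installs an executable with `sudo wget -O /usr/local/bin/jsonschema` from a personal gist and marks it executable without any integrity check or any description of what the script contains; the raw URL is pinned to a gist revision, which helps, but the doc should say what the wrapper does and why the `python3-jsonschema` package installed on the line above is not enough, so the reader is not asked to put an opaque script on the root `$PATH` on trust. Smaller points in the same hunk: the comment "This will only work with jsonschema >2.4" is attached to the `chmod +x` line rather than the download line; the heading `### Adding a new Galaxy (WiP - notFuctional)` has a typo (notFunctional), and both WiP headings would read better spelled out as "work in progress, not functional"; `#### Understanding directory structure` is an empty section with no body; and the "Removing a Galaxy" snippet deletes files inside the cloned misp-galaxy working tree with `rm`, which leaves that checkout dirty on top of the detached-HEAD risk the warning above already mentions, so it is worth stating that these steps are meant for a fork the reader controls.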
@ -52,6 +110,7 @@ A popup will appear proposising to explore a particular galaxy or all at the sam
Wait. No Sneaky Panda? Hm that's strange. Or maybe it is only registred as a alias. Let's have a look! To do so we will use the search field which stay on top of the list. So what do we get? Beijing Group, is it an alias of our threat actor. Wait. No Sneaky Panda? Hm that's strange. Or maybe it is only registred as a alias. Let's have a look! To do so we will use the search field which stay on top of the list. So what do we get? Beijing Group, is it an alias of our threat actor.
![Search](./figures/Search.png) ![Search](./figures/Search.png)
Pointing the cursor on it will give us the answer. Pointing the cursor on it will give us the answer.