MISP
/
misp-book
mirror of https://github.com/MISP/misp-book
2
0
Fork 0
Code Issues Releases Wiki Activity

- Removed trailing spaces and fixed obvious typoes

pull/88/head
Steve Clement 2018-02-02 12:13:27 +01:00
parent 14740a72b4
commit c3e3c29e4c
2 changed files with 30 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
administration/README.md
View File

@ -109,7 +109,7 @@ To add a new organisation, click on the "Add Organisation" button in the adminis
* **Uuid:** Unique identifier. If you want to share organisation between MISP multi-instance, use the same Uuid.
* **A brief description of the organisation:** A word for describing the organisation.
* **Nationality:** A drop-down list for selecting the country of organisation.
* **Sector:** Define the sector of organisation (financial, transport, telecom...)
* **Sector:** Define the sector of organisation (financial, transport, telecom)
* **Type of organisation:** Define the type of the organisation.
* **Contacts:** You can add some contact details for the organisation.
@ -122,12 +122,12 @@ To list all current organisation of the system, just click on List Organisations
* **Id:** The organisation's automatically assigned ID number.
* **Logo:** Picture of the organisation.
* **Name:** Name of the organisation.
* **Uuid:** Unique identifier of orgnisation. Share this Uuid when using it between MISP's multi-instance.
* **Uuid:** Unique identifier of organisation. Share this Uuid when using it between MISP's multi-instance.
* **Description:** Description of the organisation.
* **Nationality:** Country of the organisation.
* **Sector:** Sector defined for the organisation.
* **Type:** Type of organisation.
* **Contacts:** Contacts of orgnisation.
* **Contacts:** Contacts of organisation.
* **Added by:** Login of the user who added the organisation
* **Local:** Flag defined if the organisation is local or remote.
* **Actions:** There are 3 options available: edit, delete or display an organisation's information. These options are also available on the left menu when you are on the display view.
@ -147,7 +147,7 @@ Merge Organisation menu is available only in the organisation view, under the le
### Roles
Privileges are assigned to users by assigning them to rule groups. Rule groups use one of four options determining what they can do with events as well as four additional privilege elevation settings. These are the four options to edit the full options availble in the Roles section: Read Only, Manage My Own Events, Manage Organisation Events, Manage & Publish Organisation Events. A short description is provided below:
Privileges are assigned to users by assigning them to rule groups. Rule groups use one of four options determining what they can do with events as well as four additional privilege elevation settings. These are the four options to edit the full options available in the Roles section: Read Only, Manage My Own Events, Manage Organisation Events, Manage & Publish Organisation Events. A short description is provided below:
* **Read Only:** This allows a user to browse events that his organisation has access to, but doesn't allow any changes to be made to the database.
* **Manage My Own Events:** The second option, gives its users the rights to create, modify or delete their own events, but they cannot publish them.
@ -183,7 +183,7 @@ By clicking on the List Roles button, you can view a list of all currently regis
* **Id:** The role's automatically assigned ID number.
* **Name:** The name of role.
* **Permission:** One of the 4 permissions: Read Only, Manage My Own Events, Manage Organization Events, Manage & Publish Organisation Events.
* **Extra Permissions flag:** Flag for each extra permissions: Admin, Site Admin, Sync Actions, Audit Actions, Auth key access, Regex Actions, Tagger, Tag Editor, Template Editor, Sharing Group Editor, Deletagions Access.
* **Extra Permissions flag:** Flag for each extra permissions: Admin, Site Admin, Sync Actions, Audit Actions, Auth key access, Regex Actions, Tagger, Tag Editor, Template Editor, Sharing Group Editor, Delegations Access.
* **Action Buttons:** There are 2 options available: Edit Role or Delete it.
* **Edit Role:** Same options of create role's view.<br />
![Edit Role.](figures/edit_roles.png)
@ -305,9 +305,9 @@ Listing all the log entries will display the following columns generated by the
* **Action:** The action's type. This can include: login/logout for users, add, edit, delete for events, attributes, users and servers.
* **Title:** The title of an event always includes the target type (Event, User, Attribute, Server), the target's ID and the target's name (for example: e-mail address for users, event description for events).
* **Change:** This field is only populated for entries with "add" or "edit" actions. The changes are detailed in the following format:
__variable (initial_value)_ => _(new_value)_,...
__variable (initial_value)_ => _(new_value)_,
When the entry is about the creation of a new item (such as adding a new event) then the change will look like this for example:
_org()_ => _(ADMIN)_, _date()_ => _(20012-10-19)_,...
_org()_ => _(ADMIN)_, _date()_ => _(20012-10-19)_,
![You can search logs using this form, narrow down your search by populating several fields.](figures/search_log.png)
@ -318,7 +318,7 @@ Another way to browse the logs is to search it by filtering the results accordin
* **Email:** By searching by Email, it is possible to view the log entries of a single user.
* **Org:** Searching for an organisation allows you to see all actions taken by any member of the organisation.
* **Action:** With the help of this drop down menu, you can search for various types of actions taken (such as logins, deletions, etc).
* **Title:** There are several ways in which to use this field, since the title fields contain several bits of information and the search searches for any substrings contained within the field, it is possible to just search for the ID number of a logged event, the username / server's name / event's name / attribute's name of the event target.
* **Title:** There are several ways in which to use this field, since the title fields contain several bits of information and the search searches for any substrings contained within the field, it is possible to just search for the ID number of a logged event, the username / server's name / event's name / attributes name of the event target.
* **Change:** With the help of this field, you can search for various specific changes or changes to certain variables (Ex.: using "Published" as the search term for and find all log entries where an event has been "Published", ip-src will find all attributes where a source IP address has been entered / edited, etc).
@ -368,7 +368,7 @@ Apart from off-loading long-lasting jobs to the background workers, there is a s
* **Description**: A brief description of the task.
* **Message**: This field shows when the job was queued by the scheduler for execution.
![Site administrators can schedule reccuring tasks on this page.](figures/schedule.png)
![Site administrators can schedule recurring tasks on this page.](figures/schedule.png)
### Various administration tips & tricks
@ -468,7 +468,7 @@ Increase to the following values (or more if you want to)
; is disabled through enable_post_data_reading.
; http://php.net/post-max-size
post_max_size = 256M
[...]
[]
; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
memory_limit = 1024M
@ -484,7 +484,7 @@ service apache2 restart
The preferred method for support & feature requests is to use the [GitHub ticketing system](https://github.com/MISP/MISP/issues).
If you want to discuss something related to MISP, want some help from the community, etc... You have
If you want to discuss something related to MISP, want some help from the community, etc You have
the [MISP Users mailing list](https://groups.google.com/forum/#!forum/misp-users) and the [MISP developers mailing list](https://groups.google.com/forum/#!forum/misp-devel).
A number of companies offer custom development, consulting, and support around MISP, please check [the support page of the MISP Project website](http://www.misp-project.org/#support).
@ -494,7 +494,7 @@ A number of companies offer custom development, consulting, and support around M
The setting MISP.extended_alert_subject allows you to have an extended subject. One word of warning though. If youre using encryption : the subject will not be encrypted. Be aware that you might leak some sensitive information this way. Below is an example how the two subject types look like. First with the option disabled, then with the option enabled.
```
Event 7 - Low - TLP Amber
Event 8 - OSINT - Dissecting XXX... - Low - TLP Amber
Event 8 - OSINT - Dissecting XXX - Low - TLP Amber
```
Taken from [Koen Van Impe's blog](http://www.vanimpe.eu/2015/05/31/getting-started-misp-malware-information-sharing-platform-threat-sharing-part-3/)
@ -525,8 +525,8 @@ By default, MISP has several layers of logs that can be used to trouble-shoot an
* **Apache access logs**: Rotating logs generated by apache, logging each request, by default (on Ubuntu) they are found in /var/log/apache2/misp.local\_access.log. The location can be changed via the apache conf file
* **Apache error logs**: Rotating logs generated by apache, logging error messages, by default (on Ubuntu) they are found in /var/log/apache2/misp.local\_error.log. This error log file will generally not be used by MISP, however, if there is a PHP level error that prevents MISP from functionining you might have relevant entries here.
* **MISP error log**: Generated by MISP, logging any exceptions that occur during usage. These can be found in /var/www/MISP/app/tmp/logs/error.log (assuming default installation path). If you see errors in here and are stuck with an issue let us know via github!
* **MISP debug log**: Generated by MISP, any debug messages and Notice level messages will be sent to this file. Generally less interesting, but can be helpful during debuging sessions. It should not be necesary to monitor this under normal usage. The file can be found in /var/www/MISP/app/tmp/logs/debug.log (assuming default installation path).
* **MISP error log**: Generated by MISP, logging any exceptions that occur during usage. These can be found in /var/www/MISP/app/tmp/logs/error.log (assuming default installation path). If you see errors in here and are stuck with an issue [let us know via GitHub](https://github.com/MISP/MISP/issues/)!
* **MISP debug log**: Generated by MISP, any debug messages and Notice level messages will be sent to this file. Generally less interesting, but can be helpful during debugging sessions. It should not be necessary to monitor this under normal usage. The file can be found in /var/www/MISP/app/tmp/logs/debug.log (assuming default installation path).
* **MISP worker error log**: Generated by MISP background workers, logging any exceptions generated during a background job. It is the equivalent of the MISP error log for background jobs, so if scheduled tasks, synchronisation or e-mailing with the workers enabled are causing issues, this is the place to check. It can normally be found at /var/www/MISP/app/tmp/logs/resque-worker-error.log
* **MISP worker logs**: Rotating logs generated by MISP background workers, logging any jobs executed by workers. This is part of the normal operation of background workers and doesn't have to be monitored, though it can help when debugging issues. Normally found at /var/www/MISP/app/tmp/logs/resque-[current date].log
* **MISP scheduler error log**: Generated by MISP scheduler worker, logging any exceptions generated during the scheduling of a background job. It is the equivalent of the MISP error log for scheduled jobs. It can normally be found at /var/www/MISP/app/tmp/logs/resque-scheduler-error.log

32
automation/README.md
View File

@ -2,15 +2,15 @@
# Automation API
Automation functionality is designed to automatically generate signatures for intrusion detection systems. To enable signature generation for a given attribute, Signature field of this attribute must be set to Yes. Note that not all attribute types are applicable for signature generation, currently we only support NIDS signature generation for IP, domains, host names, user agents etc., and hash list generation for MD5/SHA1 values of file artifacts. Support for more attribute types is planned. To to make this functionality available for automated tools an authentication key is used. This makes it easier for your tools to access the data without further form-based-authentication.
Automation functionality is designed to automatically generate signatures for intrusion detection systems. To enable signature generation for a given attribute, Signature field of this attribute must be set to Yes. Note that not all attribute types are applicable for signature generation, currently we only support NIDS signature generation for IP, domains, host names, user agents etc., and hash list generation for MD5/SHA1 values of file artefacts. Support for more attribute types is planned. To to make this functionality available for automated tools an authentication key is used. This makes it easier for your tools to access the data without further form-based-authentication.
## General
### Automation URL
The documentation will include a default MISP url in the examples. Don't forget to replace it with your MISP url.
The documentation will include a default MISP URL in the examples. Don't forget to replace it with your MISP URL.
Default MISP url in the documentation:
Default MISP URL in the documentation:
~~~~
https://<misp url>/
@ -20,7 +20,7 @@ https://<misp url>/
The authentication of the automation is performed via a secure key available in the MISP UI interface. Make sure you keep that key secret as it gives access to the entire database! The API key is available in the event actions menu under automation.
Since version 2.2 the usage of the authentication key in the url is deprecated. Instead, pass the auth key in an Authorization header in the request. The legacy option of having the auth key in the url is temporarily still supported but not recommended.
Since version 2.2 the usage of the authentication key in the URL is deprecated. Instead, pass the auth key in an Authorization header in the request. The legacy option of having the auth key in the URL is temporarily still supported but not recommended.
The authorization is performed by using the following header:
@ -331,7 +331,7 @@ Usage of the API:
https://<misp url>/events/stix/download
~~~~
Search parameters can be passed to the function via url parameters or by POSTing an xml or json object (depending on the return type). The following parameters can be passed to the STIX export tool: id, withAttachments, tags. Both id and tags can use the && (and) and ! (not) operators to build queries. Using the url parameters, the syntax is as follows:
Search parameters can be passed to the function via URL parameters or by POSTing an xml or json object (depending on the return type). The following parameters can be passed to the STIX export tool: id, withAttachments, tags. Both id and tags can use the && (and) and ! (not) operators to build queries. Using the URL parameters, the syntax is as follows:
~~~~
https://<misp url>/events/stix/download/[id]/[withAttachments]/[tags]/[from]/[to]/[last]
@ -370,7 +370,7 @@ https://<misp url>/events/stix/download.json
~~~~
~~~~json
{"request": {"id":["!51","!62"],"withAttachment":false,"tags":["APT1","!OSINT"],"from":false,"to":"2015-02-15"}}
{"request": {"id":["!51","!62"],"withAttachment":false,"tags":["APT1","!OSINT"],"from":false,"to":"2015-02-15"}}
~~~~
If you use XML query objects:
@ -928,7 +928,7 @@ To query the add or edit APIs for the valid parameters, simply send a GET reques
~~~
{
"name": "\/admin\/organisations\/add API description",
"description": "POST an Organisation object in JSON format to this API to create a new organsiation.",
"description": "POST an Organisation object in JSON format to this API to create a new organisation.",
"mandatory_fields": [
"name"
],
@ -1127,7 +1127,7 @@ https://<misp-instance>/events/csv/download/<event-id>?attributes=timestamp,type
The order of columns will be honoured including those related to object level information.
To select object level columns, simply pre-pend the given object columns name by object_, such as:
To select object level columns, simply prepend the given object column's name by object_, such as:
~~~~
https://<misp-instance>/events/csv/download/<event-id>?attributes=timestamp,type,uuid,value&object_attributes=uuid,name
@ -1152,7 +1152,7 @@ It is possible to further restrict the exported values using the following filte
<dl>
<dt>tags</dt>
<dd>To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a '!'. You can also chain several tag
commands together with the '&&' operator. Please be aware the colons (:) cannot be used in the tag search when passed through the url. Use semicolons
commands together with the '&&' operator. Please be aware the colons (:) cannot be used in the tag search when passed through the URL. Use semicolons
instead (the search will automatically search for colons instead).</dd>
<dt>id</dt>
<dd>The event's ID</dd>
@ -1178,7 +1178,7 @@ MISP will inject header values into the zone file as well as define the action t
|RPZ_ns_alt||
|RPZ_email| root.localhost|
To override the above values, either use the url parameters as described below:
To override the above values, either use the URL parameters as described below:
~~~~
https://<misp url>/attributes/rpz/download/[tags]/[eventId]/[from]/[to]/[policy]/[walled_garden]/[ns]/[ns_alt]/[email]/[serial]/[refresh]/[retry]/[expiry]/[minim
@ -1300,7 +1300,7 @@ For example, to retrieve all attributes for event #5, including non IDS marked a
~~~~
https://<misp url>/attributes/text/download/all/null/5/true
~~~~
## RESTful searches with JSON result
It is possible to search the database for attributes based on a list of criteria
@ -1311,7 +1311,7 @@ To return an event with all of its attributes, relations, shadowAttributes, use
https://<misp url>/attributes/restSearch/json/[value]/[type]/[category]/[org]/[tag]/[quickfilter]/[from]/[to]/[last]/[eventid]/[withAttachments]/[metadata]/[uuid]
~~~~
## RESTful searches with XML result export
@ -1509,7 +1509,7 @@ You can also download samples by knowing its MD5 hash. Simply pass the hash alon
You can also use this API to get all samples from events that contain the passed hash. For this functionality, just pass the "allSamples" flag along.
Note that if you are getting all samples from matching events, you can use all supported hash types (md5, sha1, sha256) for the lookup.
You can also get all the samples from an event with a given event ID, by passing along the eventID parameter. Make sure that either an event ID or a hash is passed along, otherwise an error message will be returned. Also, if no hash is set, the allSamples flag will get set automatically.
You can also get all the samples from an event with a given event ID, by passing along the eventID parameter. Make sure that either an event ID or a hash is passed along, otherwise an error message will be returned. Also, if no hash is set, the allSamples flag will get set automatically.
https://<misp url>/attributes/downloadSample/[hash]/[allSamples]/[eventID]
@ -1629,13 +1629,13 @@ Based on the API key used, the list of visible sharing groups will be returned i
The MISP feeds can be enabled via the API.
A feed can be enabled by POSTing on the following url (feed_id is the id of the feed):
A feed can be enabled by POSTing on the following URL (feed_id is the id of the feed):
~~~~
/feeds/enable/feed_id
~~~~
A feed can be disabled by POSTing on the following url (feed_id is the id of the feed):
A feed can be disabled by POSTing on the following URL (feed_id is the id of the feed):
~~~~
/feeds/disable/feed_id
@ -1699,7 +1699,7 @@ It is also possible to POST a STIX indicator with sighting data to the following
https://<misp url>/sightings/add/stix
~~~~
MISP will use the sighting's related observables to gather all values and create sightings for each attribute that matches any of the values. If no related observables are provided in the Sighting object, then MISP will fall back to the Indicator itself and use its observables' values to create the sightings. The time of the sighting is the current time, unless the timestamp attribute is set on the Sightings object, in which case that is taken.
MISP will use the sightings related observables to gather all values and create sightings for each attribute that matches any of the values. If no related observables are provided in the Sighting object, then MISP will fall back to the Indicator itself and use its observables' values to create the sightings. The time of the sighting is the current time, unless the timestamp attribute is set on the Sightings object, in which case that is taken.
An example STIX sightings document: