Merge branch 'master' of github.com:SteveClement/misp-book

pull/156/head^2
Steve Clement 2019-04-30 01:28:23 +02:00
commit df622b9afa
14 changed files with 399 additions and 17 deletions

View File

@ -39,8 +39,11 @@ Attributes in MISP can be network indicators (e.g. IP address), system indicator
◦ An IDS flag on an attribute allows to determine if an attribute can be automated (such as being exported as an IDS ruleset or used for detection). If the IDS flag is not present, the attribute
can be useful for contextualisation only.
## Observable
Some other SIEMs or formats (STIX) use the term observable. This is the same as an attribute in MISP-speak. Usually an observable is a MISP attribute without the IDS flag set.
## MISP Event
MISP events are encapsulations for contextually linked information
MISP events are encapsulations for contextually related information represented as attribute and object.
## MISP Extended Events
MISP can now extend an event (starting from version 2.4.90). This allows users to build full blown events that extend an existing event, giving way to a combined event view that includes a sum total of the event along with all extending events.
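Review bot: the new MISP Event definition reads "represented as attribute and object"; an event holds many of each, so "represented as attributes and objects" is the intended wording, and the superseded "contextually linked information" line should be the removed one rather than remain alongside it. The IDS flag bullet above also reads "allows to determine", which should be "allows one to determine" or simply "determines".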
@ -149,6 +152,11 @@ You can add new Roles depending on your use case. The following permissions can
## Scheduled Tasks
Certain common tasks can be scheduled for a later execution or for regular recurring executions. These tasks currently include caching all of the export formats, pulling from all eligible instances and pushing to all eligible instances.
## Standard MISP Install
Any MISP instance install that is strongly aligned with our [official install guides](https://misp.github.io/MISP/).
This is mostly to make sure you have a similar folder structure, /var/www/MISP for an Ubuntu Server Install.
It will also be easier to debug any Web Server issues or other system related problems.
## Sync User
A user of a role that grants sync permissions, these users (and their authentication keys) are used to serve as the points of connection between instances. Events pushed to an instance are pushed to a sync user, who then creates the events on the remote instance. Events pulled are added by the sync user that is used to connect the remote instance to your instance. As an administrator, keep in mind that a sync user needs auth key and publish permissions, has to have undergone the mandatory password change and has to have accepted the Terms of Use in order for the sync to work. Please make sure that all of these steps are taken before attempting to push or pull.
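Review bot: the Sync User paragraph opens with a fragment ("A user of a role that grants sync permissions, these users ..."); suggest "A user with a role that grants sync permissions. These users (and their authentication keys) serve as the points of connection between instances." Since the paragraph already stresses that a sync user carries auth key and publish permissions, it is worth adding one sentence that the sync user's authentication key is a credential for the remote instance and should be stored and rotated like any other secret.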

View File

@ -29,6 +29,10 @@ We welcome contributions to the MISP book. If you want to contribute, fork the [
<div class="pagebreak"></div>
## Format
MISP book is available in [HTML](https://www.circl.lu/doc/misp/), [PDF](https://www.circl.lu/doc/misp/book.pdf), [ePub](https://www.circl.lu/doc/misp/book.epub) and [Kindle mobi format](https://www.circl.lu/doc/misp/book.mobi).
## License
The MISP user guide is dual-licensed under [GNU Affero General Public License version 3](http://www.gnu.org/licenses/agpl-3.0.html) and [CC-BY-SA 4.0 international](https://creativecommons.org/licenses/by-sa/4.0/).

View File

@ -20,9 +20,10 @@
* [Sightings](sightings/README.md) - in progress
* [Warning lists](warninglists/README.md) - in progress
* [Notice lists](noticelists/README.md) - in progress
* [Modules](modules/README.md) - in progress
* [Categories and Types](categories-and-types/README.md)
* [Synchronisation/Sharing](sharing/README.md)
* [External Connectors](connectors/README.md)
* [Modules](modules/README.md) - in progress
* [ZeroMQ - MISP publish-subscribe](misp-zmq/README.md)
* [Translations - i18n & l10n](translation/README.md)
* [FAQ](faq/README.md)
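Review bot: "Modules" appears twice in this SUMMARY hunk (once after "Notice lists" and once after "External Connectors"); if this is a move, the first entry must be the removed line, otherwise the table of contents lists the chapter twice. Also "Notice lists" links to noticelists/README.md, while the file added later in this same commit is noticelist/README.md (singular), so the link will not resolve; align the two spellings.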

View File

@ -6,6 +6,7 @@
| --- |:---:|:---:|:---:|:---:|:---:|:---:|
|AS| | | | X | | |
|aba-rtn| | | | | X | |
|anonymised| X | X | X | X | X | X |
|attachment| X | X | | X | | |
|authentihash| | X | | | | |
|bank-account-nr| | | | | X | |
@ -17,6 +18,7 @@
|campaign-id| | | X | | | |
|campaign-name| | | X | | | |
|cc-number| | | | | X | |
|cdhash| | X | | | | |
|comment| X | X | X | X | X | X |
|cookie| | X | | | | |
|cortex| | | | X | | |
@ -64,6 +66,8 @@
|github-organisation| | | | | | |
|github-repository| | | | X | | |
|github-username| | | | | | |
|hassh-md5| | | | X | | |
|hasshserver-md5| | | | X | | |
|hex| X | X | | | X | X |
|hostname| | | | X | | |
|hostname&#124;port| | | | | | |
@ -77,6 +81,7 @@
|ip-src| | | | X | | |
|ip-src&#124;port| | | | X | | |
|issue-date-of-the-visa| | | | | | |
|ja3-fingerprint-md5| | | | X | | |
|jabber-id| | | | | | |
|last-name| | | | | | |
|link| X | | | X | | X |
@ -156,11 +161,13 @@
|x509-fingerprint-sha256| | X | X | X | | |
|xmr| | | | | X | |
|yara| | X | | | | |
|zeek| | | | X | | |
|Category| Network activity | Other | Payload delivery | Payload installation | Payload type | Persistence mechanism |
| --- |:---:|:---:|:---:|:---:|:---:|:---:|
|AS| X | | X | | | |
|aba-rtn| | | | | | |
|anonymised| X | X | X | X | X | X |
|attachment| X | | X | X | | |
|authentihash| | | X | X | | |
|bank-account-nr| | | | | | |
@ -172,6 +179,7 @@
|campaign-id| | | | | | |
|campaign-name| | | | | | |
|cc-number| | | | | | |
|cdhash| | | X | X | | |
|comment| X | X | X | X | X | X |
|cookie| X | | | | | |
|cortex| | | | | | |
@ -219,6 +227,8 @@
|github-organisation| | | | | | |
|github-repository| | | | | | |
|github-username| | | | | | |
|hassh-md5| X | | X | | | |
|hasshserver-md5| X | | X | | | |
|hex| X | X | X | X | | X |
|hostname| X | | X | | | |
|hostname&#124;port| X | | X | | | |
@ -232,6 +242,7 @@
|ip-src| X | | X | | | |
|ip-src&#124;port| X | | X | | | |
|issue-date-of-the-visa| | | | | | |
|ja3-fingerprint-md5| X | | X | | | |
|jabber-id| | | | | | |
|last-name| | | | | | |
|link| | | X | | | |
@ -306,16 +317,18 @@
|windows-scheduled-task| | | | | | |
|windows-service-displayname| | | | | | |
|windows-service-name| | | | | | |
|x509-fingerprint-md5| | | X | X | | |
|x509-fingerprint-md5| X | | X | X | | |
|x509-fingerprint-sha1| X | | X | X | | |
|x509-fingerprint-sha256| | | X | X | | |
|x509-fingerprint-sha256| X | | X | X | | |
|xmr| | | | | | |
|yara| | | X | X | | |
|zeek| X | | | | | |
|Category| Person | Social network | Support Tool | Targeting data |
| --- |:---:|:---:|:---:|:---:|
|AS| | | | |
|aba-rtn| | | | |
|anonymised| X | X | X | X |
|attachment| | | X | |
|authentihash| | | | |
|bank-account-nr| | | | |
@ -327,6 +340,7 @@
|campaign-id| | | | |
|campaign-name| | | | |
|cc-number| | | | |
|cdhash| | | | |
|comment| X | X | X | X |
|cookie| | | | |
|cortex| | | | |
@ -374,6 +388,8 @@
|github-organisation| | X | | |
|github-repository| | X | | |
|github-username| | X | | |
|hassh-md5| | | | |
|hasshserver-md5| | | | |
|hex| | | X | |
|hostname| | | | |
|hostname&#124;port| | | | |
@ -387,6 +403,7 @@
|ip-src| | | | |
|ip-src&#124;port| | | | |
|issue-date-of-the-visa| X | | | |
|ja3-fingerprint-md5| | | | |
|jabber-id| | X | | |
|last-name| X | | | |
|link| | | X | |
@ -466,6 +483,7 @@
|x509-fingerprint-sha256| | | | |
|xmr| | | | |
|yara| | | | |
|zeek| | | | |
### Categories
@ -491,6 +509,7 @@
* **AS**: Autonomous system
* **aba-rtn**: ABA routing transit number
* **anonymised**: Anonymised value - described with the anonymisation object via a relationship
* **attachment**: Attachment with external information
* **authentihash**: Authenticode executable signature hash
* **bank-account-nr**: Bank account number without any routing number
@ -502,6 +521,7 @@
* **campaign-id**: Associated campaign ID
* **campaign-name**: Associated campaign name
* **cc-number**: Credit-Card Number
* **cdhash**: An Apple Code Directory Hash, identifying a code-signed Mach-O executable file
* **comment**: Comment or description in a human language
* **cookie**: HTTP cookie as often stored on the user web client. This can include authentication cookie or session cookie.
* **cortex**: Cortex analysis result
@ -549,6 +569,8 @@
* **github-organisation**: A github organisation
* **github-repository**: A github repository
* **github-username**: A github user name
* **hassh-md5**: hassh is a network fingerprinting standard which can be used to identify specific Client SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an MD5 fingerprint.
* **hasshserver-md5**: hasshServer is a network fingerprinting standard which can be used to identify specific Server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an MD5 fingerprint.
* **hex**: A value in hexadecimal format
* **hostname**: A full host/dnsname of an attacker
* **hostname&#124;port**: Hostname and port number seperated by a &#124;
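Review bot: the two new fingerprint entries spell the project name inconsistently ("hassh" in lower case, then "hasshServer" in camel case); pick one capitalisation for both descriptions. The hostname|port context line still carries the "seperated" typo and should read "separated by a |" while this block is being touched.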
@ -562,6 +584,7 @@
* **ip-src**: A source IP address of the attacker
* **ip-src&#124;port**: IP source and port number seperated by a &#124;
* **issue-date-of-the-visa**: The date on which the visa was issued
* **ja3-fingerprint-md5**: JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.
* **jabber-id**: Jabber ID
* **last-name**: Last name of a natural person
* **link**: Link to an external information
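Review bot: the ip-src|port context line reads "IP source and port number seperated by a |"; fix "seperated" to "separated" in this pass, and "Link to an external information" on the last line should be "Link to external information".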
@ -641,3 +664,4 @@
* **x509-fingerprint-sha256**: X509 fingerprint in SHA-256 format
* **xmr**: Monero Address
* **yara**: Yara signature
* **zeek**: An NIDS rule in the Zeek rule-format
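Review bot: the new zeek entry reads "An NIDS rule in the Zeek rule-format"; it should be "A NIDS rule in the Zeek rule format" (article and hyphen). For consistency with the neighbouring entries, which name the tool first ("Yara signature"), "A Zeek (NIDS) rule" would also read well.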

connectors/README.md Normal file
View File

@ -0,0 +1,175 @@
# External Connectors
Below you will find various tweaks and tips when integrating 3rd party connectors.
## Microsoft Azure Sentinel
[Azure Sentinel](https://azure.microsoft.com/en-us/services/azure-sentinel/)
# MISP to Microsoft Graph Security Script
The script provides clients with MISP instances to migrate threat indicators to the Microsoft Graph Security API.
For more information on Microsoft Security Graph visit [Microsoft Graph] (https://developer.microsoft.com/en-us/graph)
## Prerequisites
Before installing the sample:
* Install Python 3.x version from https://www.python.org/.
* To register your application for access to Microsoft Graph, you'll need either a [Microsoft account](https://www.outlook.com/) or an [Office 365 for business account](https://msdn.microsoft.com/en-us/office/office365/howto/setup-development-environment#bk_Office365Account). If you don't have one of these, you can create a Microsoft account for free at [outlook.com](https://www.outlook.com/).
## Getting Started
After the prerequisites are installed or met, perform the following steps to use these scripts:
1. Download or clone this repository.
1. Go to directory `security-api-solutions/Samples/MISP`
1. Install dependencies. In the command line, run `pip3 install requests requests-futures pymisp`
1. To run script, go to the root directory of misp-graph-script and enter `PYTHONHASHSEED=0 python3 script.py` in the command line.
## App Registration
To configure the samples, you'll need to register a new application in the Microsoft [Application Registration Portal](https://apps.dev.microsoft.com/).
### Follow these steps to register a new application:
1. Sign in to the [Azure Portal](https://portal.azure.com/) using either your personal or work or school account.
1. Under My Azure Active Directory, choose App registrations (if you are suggested to use the preview, use that) choose New registration.
1. Enter an application name, and choose Register
1. Next you'll see the registration page for your app. Copy and save the `Application (client) Id` & `Directory (tenant) ID` field.You will need it later to complete the configuration process.
1. Under Certificates & secrets, choose `New client secret` and give it a name. A new password will be displayed under Client secrets. Copy this password. This will be your `client secret`. You will need it later to complete the configuration process.
1. Under Authentication, find Implicit grant choose both `Access tokens` & `ID tokens` and save.
1. Under API permissions click `Add a permission`, choose Microsoft Graph, under `Application permissions`, under ThreatIndicators add ThreatIndicators.ReadWrite.OwnedBy. You will be taken back to the API permissions screen, click `Grant admin consent for Default Directory`
>Note: See the [Microsoft Graph permissions reference](https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference) for more information about Graph's permission model.
1. Modify the RequestManager.py file to comment out line 121-124. (This allows the script to run without failing due to line 123 being divided by `avg_speed` incase it starts as `0`.
1. Modify the script.py to add in `config.misp_verifycert` at line 13. Ensure it looks like below.
```
misp = PyMISP(config.misp_domain, config.misp_key, config.misp_verifycert)
```
1. Modify config.py file to add in `misp_verifycert = False` anywhere in the file.
As the final step in configuring the script, modify the config.py file in the root folder of your cloned repo.
Update tenent, client_id, and client_secret in config.py
```
graph_auth = {
'tenant': '<tenant id>',
'client_id': '<client id>',
'client_secret': '<client secret>',
}
```
Once changes are complete, save the config file.
## Configurations
### Target Product
`targetProduct = "Azure Sentinel"`
### Misp Event Filter
Filters can be set in the config.py file under the "misp_event_filters" property
Below is a list of parameters that can be passed to the filter (source: https://pymisp.readthedocs.io/modules.html):
* values values to search for
* not_values values not to search for
* type_attribute Type of attribute
* category Category to search
* org Org reporting the event
* tags Tags to search for
* not_tags Tags not to search for
* date_from First date (Format: '2019-01-01')
* date_to Last date (Format: '2019-01-01')
* last Last published events (for example 5d or 12h or 30m)
* eventid Evend ID
* withAttachments return events with or without the attachments
* uuid search by uuid
* publish_timestamp the publish timestamp (Note: Uses UNIX timestamp. Format: '1551811160')
* published return only published events (Format: True or False)
A list or a specific value can be passed to the above parameters. If a list is passed to the parameter, the filtered events are the result of the union of provided list.
This field needs to be a list that contains multiple filters. The filtered events are the result of the intersection of provided filters.
#### First Example of How This Field can be Configured
```
misp_event_filters = [
{
"type_attribute": 'mutex'
},
{
"type_attribute": 'filename|md5'
},
]
```
An event meets this filtering criteria if the event has an attribute with attribute type of 'mutex' AND the event has an attribute with attribute type of 'filename|md5'.
#### Second Example of How This Field can be Configured
```
misp_event_filters = [
{
"type_attribute": ['mutex', 'filename|md5']
}
]
```
An event meets this filtering criteria if the event has an attribute with attribute type of 'mutex' OR the event has an attribute with attribute type of 'filename|md5'.
#### Third Example of How This Field can be Configured
```
misp_event_filters = [
{
"values": 'http://www.test.com'
}
]
```
An event meets this filtering criteria if the event has an attribute with attribute value of 'http://www.test.com'.
#### Fourth Example of How This Field can be Configured
```
misp_event_filters = []
```
This gets all events.
### Action
`action = "alert"` (This is default).
### Passive Only
`passiveOnly = False` (This is default).
### Days to Expire
This property is used to specify the amount of days the records will expire in Microsoft Graph Security API. The default value for days to expire is 30.
`days_to_expire = 5`
### Misp Key
The Misp Auth Key is required to fetch data from your Misp instance.
Configure a sync user.
`misp_key = '<misp key>'`
### Verify Cert
This gives you the option to choose if python should validate the certificate of the misp instance. (This allows ease within testing environments)
`misp_verifycert = False` IT IS RECOMENDED TO USE A VALID SSL CERT IN PRODUCTION AND CHANGE THIS TO TRUE
## Instructions on Reading TiIndicators That Have Been Pushed
In the command line, run `python3 script.py -r`
## Instructions on Seeing All Requests That Resulted in Errors
1. In the command line, run `cd logs` to go to the logs folder.
2. * To print all the requests that resulted in errors to the console, simply run `cat *_error_*` in the command line.
* To aggregate all the requests that resulted in errors to a file, run `cat *_error_* > <filename>.txt` in the command line.
## Script Output
As the script runs, it prints out the request body sent to the Graph API and the response from the Graph API.
Every request is logged as a json file under the directory "logs". The name of the json file is the datetime of when the request is completed.
## Schedule with CRONTAB
Below is a CRONTAB entry example of running the script every Sunday at 2am
0 2 * * Sun /home/mark/misp-graph-script/python3 script.sh
This README.md has been adapted from the README.md found here [Microsoft Graph MISP sample](https://github.com/microsoftgraph/security-api-solutions/blob/master/Samples/MISP/README.md)
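Review bot: the crontab example `0 2 * * Sun /home/mark/misp-graph-script/python3 script.sh` will not run as written: python3 is not inside the script directory, the script is script.py (as "Getting Started" says), and that section also requires `PYTHONHASHSEED=0`; suggest `0 2 * * Sun cd /home/mark/misp-graph-script && PYTHONHASHSEED=0 python3 script.py`. Further points in this new file: the Markdown link `[Microsoft Graph] (https://developer.microsoft.com/en-us/graph)` has a space before the URL and will not render as a link; "MISP to Microsoft Graph Security Script" is a level-1 heading placed under a level-2 section; "tenent" should be "tenant"; the "2. *" item in the error-log instructions is broken list nesting; the instruction to comment out lines 121-124 of RequestManager.py ties the document to one upstream revision, so name the function and the `avg_speed` division instead of line numbers; the "Implicit grant" step enables token types this script does not use, since it authenticates with the client secret configured in `graph_auth` (application permissions plus admin consent), so the registration should request only what that flow needs; and because config.py holds `client_secret` and `misp_key` in clear text, the document should say to keep that file out of version control and readable only by the account running the cron job. The "Verify Cert" section already recommends `misp_verifycert = True` in production, so the earlier step that tells readers to set it to False should point forward to that section rather than present False as the normal setting.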

View File

@ -2,7 +2,60 @@
# Frequently Asked Questions
The following page hosts most frequently asked questions as seen on our [issues](https://github.com/MISP/issues) and [gitter](https://gitter.im/MISP/MISP).
The following page hosts most frequently asked questions as seen on our [issues](https://github.com/MISP/issues) and [gitter](https://gitter.im/MISP/Support).
## Usage
### How can I see all the deleted events in a MISP instance?
You can use the logging system for this, to see all deleted events, simply go to audit actions -> search logs and use the following parameters:
~~~~
model: Event
action: delete
~~~~
This will list all event deletions. To find out more about what a particular deleted event
was, simply grab the ID from the above search results and search for:
~~~~
model: Event
action: add
model_id: <Event ID retrieved from the listing of all event deletions>
~~~~
To do the same via the API, first search for the deletions:
~~~~
POST request:
url: https://url.of.your.misp/logs/index
headers:
Authorization: <your_api_key>
Accept: application/json
Content-type: application/json
Body:
{
"model": "Event",
"action": "delete"
}
~~~~
Then find the individual event's metadata that was deleted
~~~~
POST request:
url: https://url.of.your.misp/logs/index
headers:
Authorization: <your_api_key>
Accept: application/json
Content-type: application/json
Body:
{
"model": "Event",
"action": "add",
"model_id": "<Event ID retrieved from the query before>"
}
~~~~
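Review bot: "Then find the individual event's metadata that was deleted" lacks a full stop and reads better as "Then fetch the metadata of the individual deleted event:". The second request depends on the `model_id` copied from the first, so say explicitly that this is the event's numeric ID from the deletion listing (not its UUID), to avoid readers pasting the wrong field. The gitter link changes from MISP/MISP to MISP/Support; make sure the other pages of the book that link the chat room are updated in the same commit.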
## Permission issues
@ -113,6 +166,107 @@ There is no official procedure to uninstalling a MISP instance.
If you want to re-use a machine where MISP was installed, wipe the machine and do a fresh install.
Consider the data in your MISP instance as potentially confidential and if you synchronized with other instances, be respectful and wipe it clean.
## Updating PyMISP to incorporate newer versions of the MISP object templates
In some cases, for instance if a newer version of a MISP object is present on the server but not yet on PyMISP, you want to reflect the current state in your PyMISP installation.
In order to do so, perform the following steps. It fetches the latest object templates and installs PyMISP again:
```
git clone https://github.com/MISP/PyMISP.git
cd PyMISP/pymisp/data
git submodule update --init
cd misp-objects
git pull origin master
cd ../../../
sudo pip3 install -I .
```
## How to disable freetext/custom/user-created tags and only allow certain tags
Remove the "tag editor" from the permissions that you grant to users.
Set all tags that you do not want to "hidden".
There is a server setting to treat all incoming tags as hidden by default: `MISP.incoming_tags_disabled_by_default`
**Important** Make sure that you don't remove "tag editor" from sync users, or you'll be stripping tags from synchronized data.
## How to enable the csv import module?
First you have to enable the import services: double-click on "false" in the very first line and change it to "true".
In Server Settings & Maintenance -> Plugin Settings -> Import -> set "Plugin.Import_csvimport_enabled" to true.
Afterwards you'll find the csvimport from within the newly created event: "Populate from..."
Don't use from the main site ("Import from...").
## Why do I see 'The request has been black-holed' when I submit forms?
That's a security measure for form tampering protection.
All forms have a timeout (~15min) and all of them can only be submitted once. If you use your browser's "back" button and resubmit the form MISP will consider it as a potential attempt at form tampering.
## Importing large feeds creates PHP Fatal error
When importing a large feed like the CIRCL feed, the job reaches 99% and then fails.
The log file records:
```
PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 1941504 bytes) in /var/www/MISP/app/Model/Feed.php on line 691
```
In this case you will need to increase the memory_limit option in `php.ini` file
## I deleted the admin user by mistake
Now, I only have Org Admin.
You have several options:
1. Delete the org admin. MISP automatically creates a new default site admin user if no users are found in the db (mysql: truncate users;)
2. Upgrade a user to a site admin, such as an org admin user:
```
SELECT id, email from users;
```
Note down the ID you want to upgrade. Let's say this is 2 for the example's sake.
```
SELECT id, name from roles;
```
Note down the role ID you want to upgrade. Let's say this is 1 for the example's sake.
```
UPDATE users set role_id = 1 where id = 2;
```
## config.php is not writeable
```
Warning: app/Config/config.php is not writeable. This means that any setting changes made here will NOT be saved.
```
According to the install guide, make sure to:
```
chown -R apache:apache /var/www/MISP
find /var/www/MISP -type d -exec chmod g=rx {} \;
chmod -R g+r,o= /var/www/MISP
```
If it still doesn't work, make sure SELinxu is not enabled or modify the rule set:
```
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/terms
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/scripts/tmp
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Plugin/CakeResque/tmp
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom
```
<!--
Comment Place Holder
-->
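Review bot: "make sure SELinxu is not enabled" should read "SELinux", and rather than advising to disable it, lead with the `chcon` rule set that follows (which is the actual fix) and mention disabling SELinux only as a last resort. In the "I deleted the admin user by mistake" answer, `truncate users;` removes every user on the instance, not just the org admin; say so explicitly, and make clear that the `role_id = 1` in `UPDATE users set role_id = 1 where id = 2;` is an example that must be confirmed against the `SELECT id, name from roles;` output. `chown -R apache:apache /var/www/MISP` is specific to one distribution's web server user, while the glossary changed earlier in this commit defines the standard install as an Ubuntu server, so state which install this snippet applies to. The large-feed answer tells readers to raise `memory_limit` without giving a target; at least point out that the 536870912 bytes in the error is the current 512M setting so they know what to raise it from.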

View File

@ -11,10 +11,15 @@ Objects can be added by using the side menu:
This will open a popup where you can choose the type of object:
![Object Popup](figures/select_obj_cat.png)
![Object Popup All](figures/select_object.png)
If there are only few templates available for this type, they will all be shown this way:
![Object Popup All](figures/select_object1.png)
Otherwise you will be able to search and select the desired object within a scrolling list (a search field is available)
![Object Popup All](figures/select_object2.png)
A description of each object is shown by hovering the info icon or directly besides it.
For this example we will try to add an ip|port object:
![ip|port form](figures/object_ipport.png)
Note: This screenshot displays an old version of the template
For some objects, there might be attributes that required to be set. For instance in this object, there is a required attribute, "Ip", and it is also required to set one of the attributes between "dst-port" and "src-port". If these requirements are not met, the object will not be valid and therefore not added to the event. Also you can't add an object without setting any attribute.
After pressing "Submit, you are given the possibility to review your object before saving it.
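Review bot: the closing quote is missing in `After pressing "Submit,` and "attributes that required to be set" should read "attributes that are required to be set". The same paragraph names the attributes "Ip", "dst-port" and "src-port" while the note just above says the screenshot shows an old version of the template; either update the screenshot and names together or state which template version the names refer to.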
@ -22,21 +27,20 @@ After pressing "Submit, you are given the possibility to review your object befo
### Creating object
An object is designed using a JSON file which should repect a format described in [this document](https://github.com/MISP/misp-objects/blob/master/schema_objects.json).
An object is designed using a JSON file which should respect a format described in [this document](https://github.com/MISP/misp-objects/blob/master/schema_objects.json).
An object is basically a combinaison of two or more attributes that can be used together to represent real cyber security use-cases. These attributes are listed in a JSON object.
An object is basically a combination of two or more attributes that can be used together to represent real cyber security use-cases. These attributes are listed in a JSON object.
Each attribute is an JSON object defined by a name, a description, a misp-attribute and an ui-priority value.
- Name and description are self-explanatory.
- misp-attribute is an existing type of attribute in misp that matches the attribute.
Each attribute is an JSON object defined by a name, a description, a misp-attribute and an ui-priority value.
- Name and description are self-explanatory.
- misp-attribute is an existing type of attribute in misp that matches the attribute.
- Concerning ui-priority, the higher the number is, the most it is expected to be seen.
There are also others options that can be added to define an attribute more precisely.
- sane_default is a list of default valid value for this attribute. The user can pick a value from this list or choose "Enter value manually"
- disable_correlation will disable correlation for this value. Usefull for dates for instance
- disable_correlation will disable correlation for this value. Useful for dates for instance
- recommended value for this field
- multiple, if set to true, allow the user to add multiple instances of this attribute.
Not all attributes are mandatory, but some can be required. If s, they need to be listed in a list called "required". The object will only be valid if the listed attributes are set.
The same way, there are sometimes when only one attribute in a set is needed. This set can be put in a list called "requiredOneOf". If at least oen of the attributes in this list is set, the object will be valid.
Not all attributes are mandatory, but some can be required. If so, they need to be listed in a list called "required". The object will only be valid if the listed attributes are set.
The same way, there are sometimes when only one attribute in a set is needed. This set can be put in a list called "requiredOneOf". If at least oen of the attributes in this list is set, the object will be valid.
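Review bot: the replacement line for the "requiredOneOf" paragraph still carries the "oen" typo ("If at least oen of the attributes") and the awkward "there are sometimes when"; suggest "Likewise, sometimes only one attribute out of a set is needed. This set can be put in a list called "requiredOneOf". If at least one of the attributes in this list is set, the object will be valid." The "Each attribute is an JSON object" block appears twice in the hunk with identical content; if one copy is not the removed line, dedupe it, and in either case "an JSON object" should be "a JSON object".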


View File

@ -32,6 +32,13 @@ Prior to enabling it, make sure that you have the pyzmq installed by running
~~~~
sudo pip install pyzmq
sudo pip install redis
~~~~
If you have problems and the plugin does not start, the logfile may be helpful.
~~~~
sudo cat /var/www/MISP/app/tmp/logs/mispzmq.error.log
~~~~
![ZeroMQ configuration](./figures/zmq-config.png)
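Review bot: `sudo pip install pyzmq` and `sudo pip install redis` install into whichever interpreter `pip` resolves to, while the rest of the book uses `pip3` (for example the PyMISP update steps in the FAQ); use `pip3` here as well so the modules land in the Python 3 interpreter the ZMQ plugin is started with. The log-file hint is a good addition; a sentence on what a typical startup failure looks like in mispzmq.error.log (for example a missing module import) would make it actionable.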

noticelist/README.md Normal file
View File

@ -0,0 +1,3 @@
<!-- toc -->
## MISP-noticelist
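Review bot: the new file lives at noticelist/README.md, but the SUMMARY entry added in this same commit links to noticelists/README.md; align the two spellings. The page currently contains only a toc marker and a heading with no body, so either add at least a one-line description of what notice lists are or keep it out of the SUMMARY until it has content.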

View File

@ -2,8 +2,10 @@
And Justice for All! -->
# Quick Start
The Malware Information Sharing Platform (MISP) tool facilitates the exchange of Indicators of Compromise (IOCs) about targeted malware and attacks, within your community of trusted members. MISP is a distributed IOC database containing technical and non-technical information. Exchanging such information should result in faster detection of targeted attacks and improve the detection ratio, whilst also reducing the number of false positives.
With the focus on automation and standards, MISP provides you with a powerful API via PyMISP, jump ahead to these chapters to get started.
MISP (Open Source Threat Intelligence and Sharing Platform) software facilitates the exchange and sharing of threat intelligence, Indicators of Compromise (IOCs) about targeted malware and attacks, financial fraud or any intelligence within your community of trusted members. MISP sharing is a distributed model containing technical and non-technical information which can be shared within closed, semi-private or open communities. Exchanging such information should result in faster detection of targeted attacks and improve the detection ratio, whilst also reducing the number of false positives.
With the focus on automation and standards, MISP provides you with a powerful ReST API, extensibility (via misp-modules) or additional libraries such as PyMISP, jump ahead to these chapters to get started.
## Login into MISP
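Review bot: the rewritten intro sentence is a run-on ("... or additional libraries such as PyMISP, jump ahead to these chapters to get started."); split it at "PyMISP." and continue with "Jump ahead to those chapters to get started." Also "ReST API" should be "REST API", and the expansion of MISP changes from "Malware Information Sharing Platform" to "Open Source Threat Intelligence and Sharing Platform"; if that rename is intentional, check that the older expansion is not still used elsewhere in the book.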