mirror of https://github.com/MISP/misp-book
commit
e310fab042
|
@ -2,73 +2,70 @@
|
||||||
And Justice for All! -->
|
And Justice for All! -->
|
||||||
|
|
||||||
# Quick Start
|
# Quick Start
|
||||||
|
The Malware Information Sharing Platform (MISP) tool facilitates the exchange of Indicators of Compromise (IOCs) about targeted malware and attacks, within your comunity of trusted members. MISP is a distributed IOC database containing technical and non-technical information. Exchanging such information should result in faster detection of targeted attacks and improve the detection ratio, whilst also reducing the number of false positives.
|
||||||
|
|
||||||
|
|
||||||
The Malware Information Sharing Platform (MISP) is the tool which will be used to facilitate the exchange of Indicator of Compromise (IOC) about targeted malware and attacks within your community of trusted members. It is a distributed Indicator of Compromise (IOC) database with technical and non-technical information. Exchanging this information should result in faster detection of targeted attacks and improve the detection ratio, while also reducing the number of false positives.
|
|
||||||
|
|
||||||
## Create an Event
|
## Create an Event
|
||||||
|
|
||||||
![Create an Event in MISP](figures/AddEvent.jpg)
|
![Create an Event in MISP](figures/AddEvent.jpg)
|
||||||
|
|
||||||
You have only few infos to put in to register your Event. Details will be specified after adding your Event.
|
You only have to add a few pieces of information to register your Event. Further details will be specified after the Event has been added.
|
||||||
|
|
||||||
## Describe Event
|
## Describe Event
|
||||||
|
|
||||||
|
|
||||||
Red is fully normal. No worries.
|
Red is totally normal. No worries.
|
||||||
|
|
||||||
![Describe Event](figures/AddEventOK.jpg)
|
![Describe Event](figures/AddEventOK.jpg)
|
||||||
|
|
||||||
|
Now you can specify the information for your Event (you will need to scroll the window).
|
||||||
You can now specify the information for your Event. (You must scroll the window).
|
|
||||||
|
|
||||||
### Free-Text Import Tool
|
### Free-Text Import Tool
|
||||||
|
|
||||||
![Use Freetext import](figures/AddEventDescription.jpg)
|
![Use Freetext import](figures/AddEventDescription.jpg)
|
||||||
|
|
||||||
If you have a list of indicators that you would like to quickly generate attributes out of then the **Free-text import tool** is
|
If you have a list of indicators from which you would like to quickly generate attributes then the **Free-text import tool** is
|
||||||
just what you need. Simply paste a list of indicators (separated by line-breaks into this tool).
|
just what you need. Simply paste your list of indicators (separated by line-breaks) into this tool.
|
||||||
|
|
||||||
![FreeText Import result](figures/FreeTextImportResult.jpg)
|
![FreeText Import result](figures/FreeTextImportResult.jpg)
|
||||||
|
|
||||||
The Tool will help you to find similarities and other issues already registered in MISP.
|
The tool will help you to find similarities between your inport and other issues already registered in MISP.
|
||||||
|
|
||||||
![FreeText Suggest](figures/FreeTextSuggest.jpg)
|
![FreeText Suggest](figures/FreeTextSuggest.jpg)
|
||||||
|
|
||||||
For example, you can see the number of related events and informations.
|
For example, you can see the ID of all related Events and view their information.
|
||||||
|
|
||||||
### Tags and Taglist
|
### Tags and Taglist
|
||||||
|
|
||||||
#### Using existing Data
|
#### Using existing Data
|
||||||
|
|
||||||
An other easy way to add information, is to use Tags, because you will find some Taglist. You can see the result of adding existing Tags (circl:incident-classification=XSS ans circl:incident-classification="information-leak).
|
Another easy way to add information is to use Tags. You can see the result of adding existing Tags (circl:incident-classification=XSS ans circl:incident-classification="information-leak).
|
||||||
|
|
||||||
![Add Tag](figures/SelectTag.jpg)
|
![Add Tag](figures/SelectTag.jpg)
|
||||||
|
|
||||||
By clicking the bottom, you can add other tag from existing Taglist.
|
By clicking the button, you can add more tags from an existing Taglist.
|
||||||
|
|
||||||
![Taglist](figures/AddEventTagsList.jpg)
|
![Taglist](figures/AddEventTagsList.jpg)
|
||||||
|
|
||||||
Especially, the Taglist "Taxonomy Library: circl" is very complete, as you can see:
|
In particular the "Taxonomy Library: circl" Taglist is very complete, as you can see:
|
||||||
|
|
||||||
![Select Tag from Taglis](figures/AddEventSelectTag.jpg)
|
![Select Tag from Taglis](figures/AddEventSelectTag.jpg)
|
||||||
|
|
||||||
#### Make your own Taglist
|
#### Make your own Taglist
|
||||||
|
|
||||||
If you want make your own Taglist, you should select Add Tag
|
If you want make your own Taglist, select Add Tag.
|
||||||
|
|
||||||
![Select Add New Tag](figures/SelectAddNewTag.jpg)
|
![Select Add New Tag](figures/SelectAddNewTag.jpg)
|
||||||
|
|
||||||
you will then see the following window:
|
You will see the following window:
|
||||||
|
|
||||||
![Define Tag](figures/AddTag.jpg)
|
![Define Tag](figures/AddTag.jpg)
|
||||||
|
|
||||||
|
Then, when you add the new tag it will appear in the Custom Taglist.
|
||||||
Then when you want to add the new tag , it will appear among the Custom Taglist.
|
|
||||||
|
|
||||||
### Suggestions
|
### Suggestions
|
||||||
|
|
||||||
The following attribute types should be added for each event:
|
The following attribute types should be added for each Event:
|
||||||
- ip-src: source IP of attacker
|
- ip-src: source IP of attacker
|
||||||
- email-src: email used to send malware
|
- email-src: email used to send malware
|
||||||
- md5/sha1/sha256: checksum
|
- md5/sha1/sha256: checksum
|
||||||
|
@ -76,20 +73,20 @@ The following attribute types should be added for each event:
|
||||||
- Domain: domain name used in malware
|
- Domain: domain name used in malware
|
||||||
|
|
||||||
## Browsing Events
|
## Browsing Events
|
||||||
To see your Event, select List Events from the menu Events Action and choice List Events. You can click any row and select filter.
|
To see your Event, select List Events from the menu Events Action. You can click any row and select a filter.
|
||||||
|
|
||||||
![Browsing Events](figures/ListEvents.png)
|
![Browsing Events](figures/ListEvents.png)
|
||||||
|
|
||||||
If you click to your event's number, you can see all informations related to your Event.
|
If you click on your Event's number, you can see all the information related to your Event.
|
||||||
|
|
||||||
![See Event](figures/SeeEvent.jpg)
|
![See Event](figures/SeeEvent.jpg)
|
||||||
|
|
||||||
## Export Events for Log Search
|
## Export Events for Log Search
|
||||||
|
|
||||||
Export functionality is designed to automatically generate signatures for intrusion detection systems. To enable signature generation for a given attribute, Signature field of this attribute must be set to Yes. Note that not all attribute types are applicable for signature generation, currently we only support NIDS signature generation for IP, domains, host names, user agents etc., and hash list generation for MD5/SHA1 values of file artifacts. Support for more attribute types is planned.
|
Export functionality is designed to automatically generate signatures for intrusion detection systems. To enable signature generation for a given attribute, the Signature field of this attribute must be set to Yes. Note that not all attribute types are applicable for signature generation, currently we only support NIDS signature generation for IP, domains, host names, user agents etc., and hash list generation for MD5/SHA1 values of file artifacts. Support for more attribute types is planned.
|
||||||
|
|
||||||
![Quick Export](figures/Export.jpg)
|
![Quick Export](figures/Export.jpg)
|
||||||
|
|
||||||
Simply click on any of the following buttons to download the appropriate data and download for log correlation.
|
Simply click on any of the following buttons to download the appropriate data for log correlation.
|
||||||
|
|
||||||
![Select Format](figures/Select Export.jpg)
|
![Select Format](figures/Select Export.jpg)
|
||||||
|
|
Loading…
Reference in New Issue