## MISP ZeroMQ MISP includes a flexible publish-subscribe model to allow real-time integration of the MISP activities (event publication, attribute creation or removal, sighting). The MISP ZeroMQ plugin operates at global level in MISP which means standard distribution rules don't apply and every activities will be published within the ZeroMQ pub-sub channels. MISP ZeroMQ functionality can be used for various model of integration or to extend MISP functionalities: - real-time search of indicators into a SIEM - automatic expansion - dashboard activities - logging mechanisms - continuous indexing - custom software or scripting The following notification topic channels exist and can be included in the MISP ZeroMQ pub-sub: - `misp_json` - events published - `misp_json_attribute` - attribute updated or created - `misp_json_sighting` - sighting added to an attribute or an event - `misp_json_user` - user updates or creation - `misp_json_organisation` - organisation updates or creation - `misp_json_self` - keep-alive messages sent every minute ### MISP ZeroMQ configuration To enable MISP ZeroMQ, the feature must be enabled in the Plugin setting tab. ![ZeroMQ configuration](./figures/zmq-config.png) Each notification channels can be enabled (from event publication to sightings), the MISP site admin can decide which type of message to publish. By default, the ZMQ pub-sub channel is available to localhost only on TCP port 50000. The binding of the pub-sub channel can be updated in the configuration interface as shown above ### MISP ZeroMQ debugging and testing In the diagnostic section, ZeroMQ service can be started and stopped. There is a small status option to give information about the numbers of events processed by the service. ![ZeroMQ diagnostics](./figures/zmq-diagnostics.png) ### Testing with sub.py tool A simple command line tool is included with MISP to connect to the MISP ZeroMQ channel and get the notifications: ~~~~ python3 sub.py --help usage: sub.py [-h] [-s] [-p PORT] [-r HOST] [-o ONLY] [-t SLEEP] Generic ZMQ client to gather events, attributes and sighting updates from a MISP instance optional arguments: -h, --help show this help message and exit -s, --stats print regular statistics on stderr -p PORT, --port PORT set TCP port of the MISP ZMQ (default: 50000) -r HOST, --host HOST set host of the MISP ZMQ (default: 127.0.0.1) -o ONLY, --only ONLY set filter (misp_json, misp_json_attribute or misp_json_sighting) to limit the output a specific type (default: no filter) -t SLEEP, --sleep SLEEP sleep time (default: 2) ~~~~ The `sub.py` will output the JSON objects for the subscribed topic, by default, all the topic channels are dumped: ~~~~ misp@cpeb:/var/www/MISP/tools/misp-zmq$ python3 -u sub.py | jq . .... { "uptime": 50, "status": "And when you're dead I will be still alive." } { "uptime": 60, "status": "And believe me I am still alive." } { "uptime": 70, "status": "I'm doing science and I'm still alive." } { "uptime": 80, "status": "I feel FANTASTIC and I'm still alive." } { "uptime": 90, "status": "While you're dying I'll be still alive." } { "Sighting": { "uuid": "592d9588-fda0-490f-bf6e-4e56950d210f", "source": "", "type": "0", "date_sighting": 1496159624, "org_id": "2", "event_id": "8102", "attribute_id": "1044812" } } { "Attribute": { "id": "1044802", "value2": "", "value1": "1.2.3.4", "uuid": "592d8494-7120-4760-b5e2-4858950d210f", "batch_import": "0", "comment": "", "value": "1.2.3.4", "type": "ip-dst", "to_ids": 0, "timestamp": 1496155284, "distribution": "5", "sharing_group_id": 0, "deleted": "0", "disable_correlation": "0", "event_id": "8100", "category": "Network activity" } } .... ~~~~