MISP
/
misp-book
mirror of https://github.com/MISP/misp-book
2
0
Fork 0
Code Issues Releases Wiki Activity
misp-book/faq
History
Steve Clement a7bb7126b7 chg: [dashboard] Added FAQ entry on how to debug misp-dashboard 
chg: [galaxies] Mild attempt to document how to roll your own.
 		2019-04-26 06:44:31 +09:00
..
figures chg: [doc] Added more FAQ items. 2018-11-01 16:29:27 +09:00
README.md chg: [dashboard] Added FAQ entry on how to debug misp-dashboard 2019-04-26 06:44:31 +09:00

README.md

Frequently Asked Questions

The following page hosts most frequently asked questions as seen on our issues and gitter.

Usage

How can I see all the deleted events in a MISP instance?

You can use the logging system for this, to see all deleted events, simply go to audit actions -> search logs and use the following parameters:

  model: Event
  action: delete

This will list all event deletions. To find out more about what a particular deleted event was, simply grab the ID from the above search results and search for:

  model: Event
  action: add
  model_id: <Event ID retrieved from the listing of all event deletions>

To do the same via the API, first search for the deletions:

  POST request:
    url: https://url.of.your.misp/logs/index
    headers:
      Authorization: <your_api_key>
      Accept: application/json
      Content-type: application/json
    Body:
      {
        "model": "Event",
        "action": "delete"
      }

Then find the individual event's metadata that was deleted

  POST request:
    url: https://url.of.your.misp/logs/index
    headers:
      Authorization: <your_api_key>
      Accept: application/json
      Content-type: application/json
    Body:
      {
        "model": "Event",
        "action": "add",
        "model_id": "<Event ID retrieved from the query before>"
      }

Permission issues

If you have any permission issues, please set the permissions to something sane first.

When to update MISP?

One question might be how often to update MISP. You can update MISP as ofte as you like. If you see the follwing:

MISP Update

This means that the main repository has an update available.

If you want to play it safer or want to integrate it in your Weekly/Bi-Monthly update routine you can track our Changelog a more up to date version is available here

Hardening

How do I harden my MISP instance?

You can check the hardening section in the install guide.

Maintenance mode

Is there a MISP maintenance mode?

Yes, you want to flip your instances "Live-mode". This wants to be done on the CLI if you experience issues:

$PATH_TO_MISP/app/Console/cake "MISP.live" 0

Other related MISP Settings

Optional MISP.maintenance_message Great things are happening! MISP is undergoing maintenance, but will return shortly. You can contact the administration at $email or call CIRCL. The message that users will see if the instance is not live.

Critical MISP.live true Unless set to true, the instance will only be accessible by site admins.

Update MISP fails

If your MISP instance is outdated, meaning ONLY the core, not the modules or dashboard or python modules, you well see the following.

MISP outdated

Once you click on update MISP you will be asked confirmation.

MISP Update Yes/No

If you are not on a branch, the UI will tell you this, the update will fail.

not on branch

If you cannot write the .git files and directory as the user running the web server (and thus PHP), the update will fail. The following diagnostic check will let you know if you can update or not.

.git not writeable

In case you get a file not found on .git/ORIG_HEAD, this means that you have never updated your MISP OR you have installed git from an archive file (like .zip/.tar.gz or similar) Try to click update MISP and see what happens.

ORIG_HEAD file not found

What can go wrong if I update MISP?

In theory nothing. We put great effort into protecting the integrity of the data stored in your MISP instance. DB upgrades happen upon login or on reload once you have update the repository. You cannot "break" anything by clicking Update MISP worse case it will complain about something and you will certainly find the answer on this page.

IF not, please open an issue on GitHub or come to our gitter chat to see if the community can help.

error: pathspec 'app/composer.json' did not match any file(s) known to git

This is not an error and can be ignore. Nothing will be impacted by this.

pathspec

MISP modules "Connection refused"

MISP Modules

If you get have a Connection refused state on your modules one of the following might be true.

  • You have no misp-modules not installed
  • They are instaled but not running
  • Something completly different

If they are not installed, check out this section of the INSTALL guide of misp-modules.

In case they are not running, try this on the console:

sudo -u www-data /var/www/MISP/venv/bin/misp-modules -l 127.0.0.1 -s &

OR if you were foolish enough to not install in a Python virtualenv:

sudo -u www-data misp-modules -l 127.0.0.1 -s &

[warning] Running misp-modules like this will certainly kill it once you quit the session. Make sure it is in your /etc/rc.local or some ther init script that gets run on boot.

Uninstalling MISP

There is no official procedure to uninstalling a MISP instance.

If you want to re-use a machine where MISP was installed, wipe the machine and do a fresh install. Consider the data in your MISP instance as potentially confidential and if you synchronized with other instances, be respectful and wipe it clean.

Updating PyMISP to incorporate newer versions of the MISP object templates

In some cases, for instance if a newer version of a MISP object is present on the server but not yet on PyMISP, you want to reflect the current state in your PyMISP installation.

In order to do so, perform the following steps. It fetches the latest object templates and installs PyMISP again:

git clone https://github.com/MISP/PyMISP.git
cd PyMISP/pymisp/data
git submodule update --init
cd misp-objects
git pull origin master
cd ../../../
sudo pip3 install -I .

How to disable freetext/custom/user-created tags and only allow certain tags

Remove the "tag editor" from the permissions that you grant to users. Set all tags that you do not want to "hidden". There is a server setting to treat all incoming tags as hidden by default: MISP.incoming_tags_disabled_by_default

Important Make sure that you don't remove "tag editor" from sync users, or you'll be stripping tags from synchronized data.

How to enable the csv import module?

First you have to enable the import services: double-click on "false" in the very first line and change it to "true".

In Server Settings & Maintenance -> Plugin Settings -> Import -> set "Plugin.Import_csvimport_enabled" to true. Afterwards you'll find the csvimport from within the newly created event: "Populate from..."

Don't use from the main site ("Import from...").

Why do I see 'The request has been black-holed' when I submit forms?

That's a security measure for form tampering protection.

All forms have a timeout (~15min) and all of them can only be submitted once. If you use your browser's "back" button and resubmit the form MISP will consider it as a potential attempt at form tampering.

Importing large feeds creates PHP Fatal error

When importing a large feed like the CIRCL feed, the job reaches 99% and then fails. The log file records:

PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 1941504 bytes) in /var/www/MISP/app/Model/Feed.php on line 691

In this case you will need to increase the memory_limit option in php.ini file

I deleted the admin user by mistake

Now, I only have Org Admin.

You have several options:

  1. Delete the org admin. MISP automatically creates a new default site admin user if no users are found in the db (mysql: truncate users;)

  2. Upgrade a user to a site admin, such as an org admin user:

SELECT id, email from users;

Note down the ID you want to upgrade. Let's say this is 2 for the example's sake.

SELECT id, name from roles;

Note down the role ID you want to upgrade. Let's say this is 1 for the example's sake.

UPDATE users set role_id = 1 where id = 2;

config.php is not writeable

Warning: app/Config/config.php is not writeable. This means that any setting changes made here will NOT be saved.

According to the install guide, make sure to:

chown -R apache:apache /var/www/MISP
find /var/www/MISP -type d -exec chmod g=rx {} \;
chmod -R g+r,o= /var/www/MISP

If it still doesn't work, make sure SELinxu is not enabled or modify the rule set:

chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/terms
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/files/scripts/tmp
chcon -t httpd_sys_rw_content_t /var/www/MISP/app/Plugin/CakeResque/tmp
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/tmp
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/orgs
chcon -R -t httpd_sys_rw_content_t /var/www/MISP/app/webroot/img/custom

How to debug misp-dashboard

This is the full chain from MISP to the live dashboard and some tips to find out which link is faulty.

  1. MISP Ensure that ZMQ is installed and enabled with the correct settings

  2. MISP ZMQ You can use MISP/tools/misp-zmq/sub.py which will subscribe to the ZMQ and print the data

  3. ZMQ_subscriber You can change the logging level from logging.INFO to logging.DEBUG and look in the logs for the string Pushed: * Or add a print statement in the put_in_redis_list function

  4. ZMQ_dispatcher Look in the logs for the string Handling *

  5. Server (Flask) and Browser (live Dashboard) Open the Web developer Network tab in your browser and look for the url /_logs with Content-Type: text/event-stream;