diff --git a/a.3-misp-feed/content.tex b/a.3-misp-feed/content.tex
new file mode 100755
index 0000000..21146ec
--- /dev/null
+++ b/a.3-misp-feed/content.tex
@@ -0,0 +1,218 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\colorlet{punct}{red!60!black}
+\definecolor{background}{HTML}{EEEEEE}
+\definecolor{delim}{RGB}{20,105,176}
+\colorlet{numb}{magenta!60!black}
+
+\lstdefinelanguage{json}{
+ basicstyle=\ttfamily\footnotesize,
+ numbers=left,
+ numberstyle=\ttfamily\footnotesize,
+ stepnumber=1,
+ numbersep=8pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ backgroundcolor=\color{background},
+ literate=
+ *{0}{{{\color{numb}0}}}{1}
+ {1}{{{\color{numb}1}}}{1}
+ {2}{{{\color{numb}2}}}{1}
+ {3}{{{\color{numb}3}}}{1}
+ {4}{{{\color{numb}4}}}{1}
+ {5}{{{\color{numb}5}}}{1}
+ {6}{{{\color{numb}6}}}{1}
+ {7}{{{\color{numb}7}}}{1}
+ {8}{{{\color{numb}8}}}{1}
+ {9}{{{\color{numb}9}}}{1}
+ {:}{{{\color{punct}{:}}}}{1}
+ {,}{{{\color{punct}{,}}}}{1}
+ {\{}{{{\color{delim}{\{}}}}{1}
+ {\}}{{{\color{delim}{\}}}}}{1}
+ {[}{{{\color{delim}{[}}}}{1}
+ {]}{{{\color{delim}{]}}}}{1},
+}
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP Feed - Basics}
+ MISP Feeds provide a way to
+ \begin{itemize}
+ \item {\bf Exchange information via any transports} (e.g. HTTP, TLS, USB keys)
+ \item Preview events along with their attributes, objects
+ \item Select and import events
+ \item {\bf Correlate attributes using caching}
+ \end{itemize}
+ MISP Feeds have the following advantages
+ \begin{itemize}
+ \item Feeds work without the need of MISP synchronisation (reducing attack surface and complexity to a static directory with the events)\\
+ \item {\bf Feeds can be produced without a MISP instance} (e.g. 
security devices, honeypot sensors)
+ \note{Feeds can be used to produce output from various security devices}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}{Feed - Overview}
+ \begin{itemize}
+ \item By default, MISP is bundled with $\sim$50 default feeds (MISP feeds, CSV or freetext feeds) which are not enabled by default and described in a simple JSON file\footnote{\url{https://github.com/MISP/MISP/blob/2.4/app/files/feed-metadata/defaults.json}}.
+ \item The feeds include CIRCL OSINT feed but also feeds like abuse.ch, Tor exit nodes or many more \footnote{\url{http://www.misp-project.org/feeds/}}.
+ \end{itemize}
+ \vspace{-25px}
+ \begin{figure}
+ \includegraphics[width=1.05\linewidth]{pics/feeds1.png}
+ \end{figure}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Feed - Operations}
+ \begin{figure}
+ \includegraphics[width=0.35\linewidth]{pics/feeds2.png}
+ \end{figure}
+ \begin{itemize}
+ \item Cache feed attributes for correlation (not imported but visible in MISP)
+ \item Disable feed
+ \item Explore remote events
+ \item Fetch all events (imported in MISP as event)
+ \item Edit the feed configuration (e.g. authentication, URL,...)
+ \item Remove feed
+ \item Download feed metadata (to share feed details)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Feed - Creation using PyMISP \texttt{feed generator}}
+ \texttt{feed generator} fetches events (matching some filtering) from a MISP instance and construct the manifest (defined in \textit{MISP core format}) needed to export data.
+
+ \vspace{15px}
+ Particularly,
+ \begin{itemize}
+ \item Used to generate the {\bf CIRCL OSINT feed}
+ \item Export events as json based on tags, organisation, events, ... 
+ \item Automatically update the dumps and the metadata file
+ \item Comparable to a lighweight {\bf TAXII interface}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{\texttt{Feed generator} - configuration file}
+ \begin{lstlisting}
+url = 'your/misp/url'
+key = 'YourAPIKey'
+ssl = True
+outputdir = 'output_directory'
+
+filters = {
+ 'tag':'tlp:white|feed-export|!privint',
+ 'org':'CIRCL'
+}
+# the above would generate a feed for all events created by CIRCL, tagged tlp:white and/or feed-export but exclude anything tagged privint
+
+valid_attribute_distribution_levels = ['0', '1', '2', '3', '4', '5']
+# 0: Your Organisation Only
+# 4: Sharing Group
+# 5: Inherit Event
+ \end{lstlisting}
+\end{frame}
+
+\begin{frame}
+ \frametitle{{\it Real-time} Feed generator - Purpose}
+ The PyMISP feed generator is great but may be inadequate or ineficient:
+ \begin{itemize}
+ \item Batch import of attributes/objects
+ \item Data producer doesn't have a MISP instance at hand and only wants to {\bf produce a directly consumable feed}:
+ \end{itemize}
+
+ \vspace{15px}
+ \begin{center}
+ \begin{tikzpicture}[scale=2.0]
+ %styles
+ \tikzstyle{n}=[ellipse,draw,align=center]
+ \tikzstyle{t}=[align=center]
+ \tikzstyle{misp}=[rectangle,draw, align=center, fill={rgb:red,0;green,0;blue,3}]
+ \tikzstyle{commu}=[->,>=latex,very thick]
+ %nodes
+ \node[n] (honey) at (0,0) {Honeypot};
+ \node[misp] (misp) at (2,0) {\color{white}MISP};
+ \node[t] (text) at (1.5,-0.8) {\parbox[l]{3.0cm}{ip-src\\payload-delivery\\url\\malware\\...}};
+ %arraws
+ \draw[commu] (honey)--(misp);
+
+ \end{tikzpicture}
+ \end{center}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{{\it Real-time} Feed generator - Usage}
+ \begin{itemize}
+ \item \texttt{generator.py} exposes a class allowing to generate a MISP feed in real-time
+ \item Each items can be appended on daily generated events
+ \end{itemize}
+
+ Example:
+ \begin{lstlisting}
+# Init generator
+generator = FeedGenerator()
+
+# 
Adding an attribute to the daily event
+attr_type = "ip-src"
+attr_value = "8.8.8.8"
+additional_data = {}
+generator.add_attribute_to_event(attr_type,
+ attr_value,
+ **additional_data)
+\end{lstlisting}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{{\it Real-time} Feed generator - Usage (2)}
+
+ \begin{lstlisting}
+# Adding a MISP object (cowrie) to the daily event
+obj_name = "cowrie"
+obj_data = {
+ "session": "session_id",
+ "username": "admin",
+ "password": "admin",
+ "protocol": "telnet"
+ }
+generator.add_object_to_event(obj_name, **obj_data)
+\end{lstlisting}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Adding custom feed to MISP}
+ \begin{minipage}{0.48\linewidth}
+ \includegraphics[width=1.0\linewidth]{pics/feeds3.png}
+ \end{minipage}
+ \hfill
+ \begin{minipage}{0.48\linewidth}
+ \begin{itemize}
+ \item Enabled
+ \item Lookup visible
+ \item Name
+ \item Provider
+ \item Source Format
+ \item Url
+ \item Source Format
+ \item Headers
+ \item Distribution
+ \item Default Tag
+ \item Filter rules
+ \end{itemize}
+ \end{minipage}
+\end{frame}
+
+\begin{frame}[t,fragile] {Q\&A}
+\includegraphics[scale=0.5]{misplogo.pdf}
+\begin{itemize}
+ \item \url{https://github.com/MISP/PyMISP}
+ \item \url{https://github.com/MISP/}
+ \item We welcome new functionalities and pull requests.
+\end{itemize}
+
+\end{frame}
+
diff --git a/a.3-misp-feed/logo-circl.pdf b/a.3-misp-feed/logo-circl.pdf
new file mode 100644
index 0000000..62c9239
Binary files /dev/null and b/a.3-misp-feed/logo-circl.pdf differ
diff --git a/a.3-misp-feed/misp.pdf b/a.3-misp-feed/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/a.3-misp-feed/misp.pdf differ
diff --git a/a.3-misp-feed/misplogo.pdf b/a.3-misp-feed/misplogo.pdf
new file mode 100644
index 0000000..60da568
Binary files /dev/null and b/a.3-misp-feed/misplogo.pdf differ
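Review bot: The field list on the "Adding custom feed to MISP" slide repeats `\item Source Format` (once before `\item Url` and again after it), so the second occurrence should be dropped or replaced by the field it was meant to name. The deck relies on the obsolete two-letter font switches throughout, e.g. `\item {\bf Correlate attributes using caching}` and `\frametitle{{\it Real-time} Feed generator - Purpose}`; `\textbf{...}` and `\emph{...}` nest correctly and are what beamer expects, and the `\tikzstyle{...}=[...]` lines in the diagram are likewise deprecated in favour of `every n/.style={...}` style keys. `\definecolor{background}{HTML}{EEEEEE}` at the top of this fragment reuses the `background` name that slide.tex defines right after `\usetheme`, so the listing colour silently replaces it once `content` is included; a listing-specific name such as `lstbackground` avoids the collision. Spelling: `lighweight` → `lightweight`, `ineficient` → `inefficient`, `Each items` → `Each item`, and the feed-list footnote `\url{http://www.misp-project.org/feeds/}` should point at the https URL so readers are not sent to a plain-http page for a list of intelligence sources.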
diff --git a/a.3-misp-feed/pics/feeds1.png b/a.3-misp-feed/pics/feeds1.png
new file mode 100644
index 0000000..b3342b6
Binary files /dev/null and b/a.3-misp-feed/pics/feeds1.png differ
diff --git a/a.3-misp-feed/pics/feeds2.png b/a.3-misp-feed/pics/feeds2.png
new file mode 100644
index 0000000..5dbb6ad
Binary files /dev/null and b/a.3-misp-feed/pics/feeds2.png differ
diff --git a/a.3-misp-feed/pics/feeds3.png b/a.3-misp-feed/pics/feeds3.png
new file mode 100644
index 0000000..3a4b757
Binary files /dev/null and b/a.3-misp-feed/pics/feeds3.png differ
diff --git a/a.3-misp-feed/slide.tex b/a.3-misp-feed/slide.tex
new file mode 100644
index 0000000..b7d82fb
--- /dev/null
+++ b/a.3-misp-feed/slide.tex
@@ -0,0 +1,75 @@
+\PassOptionsToClass{10pt}{beamer}
+\documentclass{beamerswitch}
+%\handoutlayout{nup=2}
+%\setbeameroption{show notes on second screen}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\usepackage{xcolor}
+\usepackage{colortbl}
+\definecolor{mygreen}{rgb}{0,0.6,0}
+\definecolor{mygreen2}{rgb}{0,0.56,0.16}
+\definecolor{myred}{rgb}{0.6,0.066,0.066}
+\definecolor{redCIRCL}{RGB}{213,43,30}
+\definecolor{mygray}{rgb}{0.5,0.5,0.5}
+\definecolor{mymauve}{rgb}{0.58,0,0.82}
+\definecolor{mygray}{gray}{0.9}
+\definecolor{mywhite}{rgb}{1,1,1}
+\definecolor{myblack}{rgb}{0,0,0}
+\definecolor{mybeige}{HTML}{eeeeee}
+%\usepackage{tcolorbox}
+\usepackage[listings]{tcolorbox}
+\tcbuselibrary{listings}
+
+\lstdefinestyle{code}{ %
+ backgroundcolor=\color{mybeige}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+ basicstyle=\footnotesize\ttfamily, % the size of the fonts that are used for the code
+ breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
+ breaklines=true, % sets automatic line breaking
+ captionpos=b, % sets the caption-position to bottom
+ commentstyle=\color{mygreen}, % comment style
+ deletekeywords={...}, % if you want to delete keywords from the given language
+ escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
+ extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
+ frame=single, % adds a frame around the code
+ keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+ 
keywordstyle=\color{blue}, % keyword style
+ language=Python, % the language of the code
+ morekeywords={*,...}, % if you want to add more keywords to the set
+ numbers=left, % where to put the line-numbers; possible values are (none, left, right)
+ numbersep=5pt, % how far the line-numbers are from the code
+ numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
+ rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+ showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+ showstringspaces=false, % underline spaces within strings only
+ showtabs=false, % show tabs within strings adding particular underscores
+ stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
+ stringstyle=\color{mymauve}, % string literal style
+ tabsize=2, % sets default tabsize to 2 spaces
+ title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstset{style=code}
+
+\author{\small{\input{../includes/authors.txt}} \\ \emph{TLP:WHITE}}
+\title{MISP feeds - A simple and secure approach to generate, select and collect intelligence}
+\subtitle{Providing ready-to-use threat intelligence in MISP standard format}
+\institute{\href{http://www.misp-project.org/}{http://www.misp-project.org/} \\ Twitter: \emph{\href{https://twitter.com/mispproject}{@MISPProject}}}
+\date{\input{../includes/location.txt}}
+
+\begin{document}
+\mode
+\include{content}
+\end{document}
+
diff --git a/build.sh b/build.sh
index 794bd24..892d683 100644
--- a/build.sh
+++ b/build.sh
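Review bot: `mygray` is defined twice in the preamble (`\definecolor{mygray}{rgb}{0.5,0.5,0.5}` and, two lines later, `\definecolor{mygray}{gray}{0.9}`); `\definecolor` overwrites without warning, so the first definition is dead and should be removed or renamed. `\include{content}` forces a page break and a separate `.aux` file, which a beamer deck that just splices in a fragment does not need; `\input{content}` is the usual form, and matches the "DO NOT COMPILE THIS FILE DIRECTLY" header of content.tex. `\small{\input{../includes/authors.txt}}` treats `\small` as if it took an argument, so the size switch stays active for the following `\emph{TLP:WHITE}`; `{\small\input{../includes/authors.txt}} \\ \emph{TLP:WHITE}` scopes it as intended. With `\usepackage[T1]{fontenc}` left commented out, the `\usepackage[utf8]{inputenc}` line still gives OT1 font encoding, so accented author names from authors.txt will not hyphenate or copy-paste cleanly; enabling the T1 line is the cheap fix. The institute link `\href{http://www.misp-project.org/}{http://www.misp-project.org/}` should use the https URL, as the GitHub links elsewhere in the deck already do.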
@@ -1,7 +1,7 @@
 #!/bin/bash
 #
-slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template" "6.0-misp-dashboard" "a.0-contributing" "a.1-devintro" "a.2-pymisp")
+slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template" "6.0-misp-dashboard" "a.0-contributing" "a.1-devintro" "a.2-pymisp" "a.3-misp-feed")
 mkdir output
 export TEXINPUTS=::`pwd`/themes/
 echo ${TEXINPUTS}