MISP
/
misp-training
mirror of https://github.com/MISP/misp-training
2
0
Fork 0
Code Issues Releases Wiki Activity

new: [a.3] added

improvedChecklist
Alexandre Dulaunoy 2018-12-29 21:51:56 +01:00
parent d8c22a9589
commit 1b55cb19c6
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
9 changed files with 294 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

218
a.3-misp-feed/content.tex Executable file
View File

@ -0,0 +1,218 @@
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\colorlet{punct}{red!60!black}
\definecolor{background}{HTML}{EEEEEE}
\definecolor{delim}{RGB}{20,105,176}
\colorlet{numb}{magenta!60!black}
\lstdefinelanguage{json}{
basicstyle=\ttfamily\footnotesize,
numbers=left,
numberstyle=\ttfamily\footnotesize,
stepnumber=1,
numbersep=8pt,
showstringspaces=false,
breaklines=true,
frame=lines,
backgroundcolor=\color{background},
literate=
*{0}{{{\color{numb}0}}}{1}
{1}{{{\color{numb}1}}}{1}
{2}{{{\color{numb}2}}}{1}
{3}{{{\color{numb}3}}}{1}
{4}{{{\color{numb}4}}}{1}
{5}{{{\color{numb}5}}}{1}
{6}{{{\color{numb}6}}}{1}
{7}{{{\color{numb}7}}}{1}
{8}{{{\color{numb}8}}}{1}
{9}{{{\color{numb}9}}}{1}
{:}{{{\color{punct}{:}}}}{1}
{,}{{{\color{punct}{,}}}}{1}
{\{}{{{\color{delim}{\{}}}}{1}
{\}}{{{\color{delim}{\}}}}}{1}
{[}{{{\color{delim}{[}}}}{1}
{]}{{{\color{delim}{]}}}}{1},
}
\begin{frame}[t,plain]
\titlepage
\end{frame}
\begin{frame}
\frametitle{MISP Feed - Basics}
MISP Feeds provide a way to
\begin{itemize}
\item {\bf Exchange information via any transports} (e.g. HTTP, TLS, USB keys)
\item Preview events along with their attributes, objects
\item Select and import events
\item {\bf Correlate attributes using caching}
\end{itemize}
MISP Feeds have the following advantages
\begin{itemize}
\item Feeds work without the need of MISP synchronisation (reducing attack surface and complexity to a static directory with the events)\\
\item {\bf Feeds can be produced without a MISP instance} (e.g. security devices, honeypot sensors)
\note{Feeds can be used to produce output from various security devices}
\end{itemize}
\end{frame}
\begin{frame}{Feed - Overview}
\begin{itemize}
\item By default, MISP is bundled with $\sim$50 default feeds (MISP feeds, CSV or freetext feeds) which are not enabled by default and described in a simple JSON file\footnote{\url{https://github.com/MISP/MISP/blob/2.4/app/files/feed-metadata/defaults.json}}.
\item The feeds include CIRCL OSINT feed but also feeds like abuse.ch, Tor exit nodes or many more \footnote{\url{http://www.misp-project.org/feeds/}}.
\end{itemize}
\vspace{-25px}
\begin{figure}
\includegraphics[width=1.05\linewidth]{pics/feeds1.png}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{Feed - Operations}
\begin{figure}
\includegraphics[width=0.35\linewidth]{pics/feeds2.png}
\end{figure}
\begin{itemize}
\item Cache feed attributes for correlation (not imported but visible in MISP)
\item Disable feed
\item Explore remote events
\item Fetch all events (imported in MISP as event)
\item Edit the feed configuration (e.g. authentication, URL,...)
\item Remove feed
\item Download feed metadata (to share feed details)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Feed - Creation using PyMISP \texttt{feed generator}}
\texttt{feed generator} fetches events (matching some filtering) from a MISP instance and construct the manifest (defined in \textit{MISP core format}) needed to export data.
\vspace{15px}
Particularly,
\begin{itemize}
\item Used to generate the {\bf CIRCL OSINT feed}
\item Export events as json based on tags, organisation, events, ...
\item Automatically update the dumps and the metadata file
\item Comparable to a lighweight {\bf TAXII interface}
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{\texttt{Feed generator} - configuration file}
\begin{lstlisting}
url = 'your/misp/url'
key = 'YourAPIKey'
ssl = True
outputdir = 'output_directory'
filters = {
'tag':'tlp:white|feed-export|!privint',
'org':'CIRCL'
}
# the above would generate a feed for all events created by CIRCL, tagged tlp:white and/or feed-export but exclude anything tagged privint
valid_attribute_distribution_levels = ['0', '1', '2', '3', '4', '5']
# 0: Your Organisation Only
# 4: Sharing Group
# 5: Inherit Event
\end{lstlisting}
\end{frame}
\begin{frame}
\frametitle{{\it Real-time} Feed generator - Purpose}
The PyMISP feed generator is great but may be inadequate or ineficient:
\begin{itemize}
\item Batch import of attributes/objects
\item Data producer doesn't have a MISP instance at hand and only wants to {\bf produce a directly consumable feed}:
\end{itemize}
\vspace{15px}
\begin{center}
\begin{tikzpicture}[scale=2.0]
%styles
\tikzstyle{n}=[ellipse,draw,align=center]
\tikzstyle{t}=[align=center]
\tikzstyle{misp}=[rectangle,draw, align=center, fill={rgb:red,0;green,0;blue,3}]
\tikzstyle{commu}=[->,>=latex,very thick]
%nodes
\node[n] (honey) at (0,0) {Honeypot};
\node[misp] (misp) at (2,0) {\color{white}MISP};
\node[t] (text) at (1.5,-0.8) {\parbox[l]{3.0cm}{ip-src\\payload-delivery\\url\\malware\\...}};
%arraws
\draw[commu] (honey)--(misp);
\end{tikzpicture}
\end{center}
\end{frame}
\begin{frame}[fragile]
\frametitle{{\it Real-time} Feed generator - Usage}
\begin{itemize}
\item \texttt{generator.py} exposes a class allowing to generate a MISP feed in real-time
\item Each items can be appended on daily generated events
\end{itemize}
Example:
\begin{lstlisting}
# Init generator
generator = FeedGenerator()
# Adding an attribute to the daily event
attr_type = "ip-src"
attr_value = "8.8.8.8"
additional_data = {}
generator.add_attribute_to_event(attr_type,
attr_value,
**additional_data)
\end{lstlisting}
\end{frame}
\begin{frame}[fragile]
\frametitle{{\it Real-time} Feed generator - Usage (2)}
\begin{lstlisting}
# Adding a MISP object (cowrie) to the daily event
obj_name = "cowrie"
obj_data = {
"session": "session_id",
"username": "admin",
"password": "admin",
"protocol": "telnet"
}
generator.add_object_to_event(obj_name, **obj_data)
\end{lstlisting}
\end{frame}
\begin{frame}
\frametitle{Adding custom feed to MISP}
\begin{minipage}{0.48\linewidth}
\includegraphics[width=1.0\linewidth]{pics/feeds3.png}
\end{minipage}
\hfill
\begin{minipage}{0.48\linewidth}
\begin{itemize}
\item Enabled
\item Lookup visible
\item Name
\item Provider
\item Source Format
\item Url
\item Source Format
\item Headers
\item Distribution
\item Default Tag
\item Filter rules
\end{itemize}
\end{minipage}
\end{frame}
\begin{frame}[t,fragile] {Q\&A}
\includegraphics[scale=0.5]{misplogo.pdf}
\begin{itemize}
\item \url{https://github.com/MISP/PyMISP}
\item \url{https://github.com/MISP/}
\item We welcome new functionalities and pull requests.
\end{itemize}
\end{frame}

BIN
a.3-misp-feed/logo-circl.pdf Normal file
View File

Binary file not shown.

BIN
a.3-misp-feed/misp.pdf Normal file
View File

Binary file not shown.

BIN
a.3-misp-feed/misplogo.pdf Normal file
View File

Binary file not shown.

BIN
a.3-misp-feed/pics/feeds1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 59 KiB

BIN
a.3-misp-feed/pics/feeds2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.1 KiB

BIN
a.3-misp-feed/pics/feeds3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

75
a.3-misp-feed/slide.tex Normal file
View File

@ -0,0 +1,75 @@
\PassOptionsToClass{10pt}{beamer}
\documentclass{beamerswitch}
%\handoutlayout{nup=2}
%\setbeameroption{show notes on second screen}
\usetheme[numbering=progressbar]{focus}
\definecolor{main}{RGB}{47, 161, 219}
\definecolor{textcolor}{RGB}{128, 128, 128}
\definecolor{background}{RGB}{240, 247, 255}
\usepackage[utf8]{inputenc}
\usepackage{tikz}
\usepackage{listings}
\usepackage{adjustbox}
\usetikzlibrary{positioning}
\usetikzlibrary{shapes,arrows}
%\usepackage[T1]{fontenc}
%\usepackage[scaled]{beramono}
\usepackage{xcolor}
\usepackage{colortbl}
\definecolor{mygreen}{rgb}{0,0.6,0}
\definecolor{mygreen2}{rgb}{0,0.56,0.16}
\definecolor{myred}{rgb}{0.6,0.066,0.066}
\definecolor{redCIRCL}{RGB}{213,43,30}
\definecolor{mygray}{rgb}{0.5,0.5,0.5}
\definecolor{mymauve}{rgb}{0.58,0,0.82}
\definecolor{mygray}{gray}{0.9}
\definecolor{mywhite}{rgb}{1,1,1}
\definecolor{myblack}{rgb}{0,0,0}
\definecolor{mybeige}{HTML}{eeeeee}
%\usepackage{tcolorbox}
\usepackage[listings]{tcolorbox}
\tcbuselibrary{listings}
\lstdefinestyle{code}{ %
backgroundcolor=\color{mybeige}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
basicstyle=\footnotesize\ttfamily, % the size of the fonts that are used for the code
breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
breaklines=true, % sets automatic line breaking
captionpos=b, % sets the caption-position to bottom
commentstyle=\color{mygreen}, % comment style
deletekeywords={...}, % if you want to delete keywords from the given language
escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
frame=single, % adds a frame around the code
keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
keywordstyle=\color{blue}, % keyword style
language=Python, % the language of the code
morekeywords={*,...}, % if you want to add more keywords to the set
numbers=left, % where to put the line-numbers; possible values are (none, left, right)
numbersep=5pt, % how far the line-numbers are from the code
numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
showstringspaces=false, % underline spaces within strings only
showtabs=false, % show tabs within strings adding particular underscores
stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
stringstyle=\color{mymauve}, % string literal style
tabsize=2, % sets default tabsize to 2 spaces
title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
}
\lstset{style=code}
\author{\small{\input{../includes/authors.txt}} \\ \emph{TLP:WHITE}}
\title{MISP feeds - A simple and secure approach to generate, select and collect intelligence}
\subtitle{Providing ready-to-use threat intelligence in MISP standard format}
\institute{\href{http://www.misp-project.org/}{http://www.misp-project.org/} \\ Twitter: \emph{\href{https://twitter.com/mispproject}{@MISPProject}}}
\date{\input{../includes/location.txt}}
\begin{document}
\mode<all>
\include{content}
\end{document}

2
build.sh
View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# #
slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template" "6.0-misp-dashboard" "a.0-contributing" "a.1-devintro" "a.2-pymisp") slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template" "6.0-misp-dashboard" "a.0-contributing" "a.1-devintro" "a.2-pymisp" "a.3-misp-feed")
mkdir output mkdir output
export TEXINPUTS=::`pwd`/themes/ export TEXINPUTS=::`pwd`/themes/
echo ${TEXINPUTS} echo ${TEXINPUTS}