diff --git a/2-misp-administration/content.tex b/2-misp-administration/content.tex
new file mode 100755
index 0000000..a8149ca
--- /dev/null
+++ b/2-misp-administration/content.tex
@@ -0,0 +1,319 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\lstdefinelanguage{json}{
+ basicstyle=\ttfamily\footnotesize,
+ numbers=left,
+ numberstyle=\ttfamily\footnotesize,
+ stepnumber=1,
+ numbersep=8pt,
+ showstringspaces=false,
+ breaklines=true,
+ frame=lines,
+ backgroundcolor=\color{background},
+ literate=
+ *{0}{{{\color{numb}0}}}{1}
+ {1}{{{\color{numb}1}}}{1}
+ {2}{{{\color{numb}2}}}{1}
+ {3}{{{\color{numb}3}}}{1}
+ {4}{{{\color{numb}4}}}{1}
+ {5}{{{\color{numb}5}}}{1}
+ {6}{{{\color{numb}6}}}{1}
+ {7}{{{\color{numb}7}}}{1}
+ {8}{{{\color{numb}8}}}{1}
+ {9}{{{\color{numb}9}}}{1}
+ {:}{{{\color{punct}{:}}}}{1}
+ {,}{{{\color{punct}{,}}}}{1}
+ {\{}{{{\color{delim}{\{}}}}{1}
+ {\}}{{{\color{delim}{\}}}}}{1}
+ {[}{{{\color{delim}{[}}}}{1}
+ {]}{{{\color{delim}{]}}}}{1},
+}
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - VM}
+ \begin{itemize}
+ \item VM can be downloaded at \url{https://www.circl.lu/misp-training/}
+ \item Credentials
+ \begin{itemize}
+ \item MISP admin: admin@admin.test/admin
+ \item SSH: misp/Password1234
+
+ \end{itemize}
+ \item 2 network interfaces
+ \begin{itemize}
+ \item NAT
+ \item Host only adapter
+ \end{itemize}
+ \item Start the enrichment system by typing:
+ \begin{itemize}
+ \item cd /home/misp/misp-modules/bin
+ \item python3 misp-modules.py
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Administration}
+ \begin{itemize}
+ \item Plan for this part of the training
+ \begin{itemize}
+ \item User and Organisaton administration
+ \item Sharing group creation
+ \item Templates
+ \item Tags and Taxonomy
+ \item Whitelisting and Regexp entries
+ \item Setting up the synchronisation
+ \item Scheduled tasks
+ \item Feeds
+ \item Settings and diagnostics
+ \item Logging
+ \item Troubleshooting and updating
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Creating Users}
+ \begin{itemize}
+ \item Add new user (andras.iklody@circl.lu)
+ \item NIDS SID, Organisation, disable user
+ \item Fetch the PGP key
+ \item Roles
+ \begin{itemize}
+ \item Re-using standard roles
+ \item Creating a new custom role
+ \end{itemize}
+ \item Send out credentials
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Creating Organisations}
+ \begin{itemize}
+ \item Adding a new organisation
+ \item UUID
+ \item Local vs External organisation
+ \item Making an organisation self sustaining with Org Admins
+ \item Creating a sync user
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Sharing groups}
+ \begin{itemize}
+ \item The concept of a sharing group
+ \item Creating a sharing group
+ \item Adding extending rights to an organisation
+ \item Include all organisations of an instance
+ \item Not specifying an instance
+ \item Making a sharing group active
+ \item Reviewing the sharing group
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Templates}
+ \begin{itemize}
+ \item Why templating?
+ \item Create a basic template
+ \item Text fields
+ \item Attribute fields
+ \item Attachment fields
+ \item Automatic tagging
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Tags and Taxonomies}
+ \begin{itemize}
+ \item git submodule init \&\& git submodule update
+ \item Loading taxonomies
+ \item Enabling taxonomies and associated tags
+ \item Tag management
+ \item Exportable tags
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Object Templates}
+ \begin{itemize}
+ \item git submodule init \&\& git submodule update
+ \item Enabling objects (and what about versioning)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Whitelisting, Regexp entries, Warninglists}
+ \begin{itemize}
+ \item Block from exports - whitelisting
+ \item Block from imports - blacklisting via regexp
+ \item Modify on import - modification via regexp
+ \item Maintaining the warninglists
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Setting up the synchronisation}
+ \begin{itemize}
+ \item Requirements - versions
+ \item Pull/Push
+ \item One way vs Two way synchronisation
+ \item Exchanging sync users
+ \item Certificates
+ \item Filtering
+ \item Connection test tool
+ \item Previewing an instance
+ \item Cherry picking and keeping the list updated
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Scheduled tasks}
+ \begin{itemize}
+ \item How to schedule the next execution
+ \item Frequency, next execution
+ \item What happens if a job fails?
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Setting up the synchronisation}
+ \begin{itemize}
+ \item MISP Feeds and their generation
+ \item PyMISP
+ \item Default free feeds
+ \item Enabling a feed
+ \item Previewing a feed and cherry picking
+ \item Feed filters
+ \item Auto tagging
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Settings and diagnostics}
+ \begin{itemize}
+ \item Settings
+ \begin{itemize}
+ \item Settings interface
+ \item The tabs explained at a glance
+ \item Issues and their severity
+ \item Setting guidance and how to best use it
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Settings and diagnostics continued}
+ \begin{itemize}
+ \item Basic instance setup
+ \item Additional features released as hotfixes
+ \item Customise the look and feel of your MISP
+ \item Default behaviour (encryption, e-mailing, default distributions)
+ \item Maintenance mode
+ \item Disabling the e-mail alerts for an initial sync
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Settings and diagnostics continued}
+ \begin{itemize}
+ \item Plugins
+ \begin{itemize}
+ \item Enrichment Modules
+ \item RPZ
+ \item ZeroMQ
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Settings and diagnostics continued}
+ \begin{itemize}
+ \item Diagnostics
+ \begin{itemize}
+ \item Updating MISP
+ \item Writeable Directories
+ \item PHP settings
+ \item Dependency diagnostics
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Settings and diagnostics continued}
+ \begin{itemize}
+ \item Workers
+ \begin{itemize}
+ \item What do the background workers do?
+ \item Queues
+ \item Restarting workers, adding workers, removing workers
+ \item Worker diagnostics (queue size, jobs page)
+ \item Clearing worker queues
+ \item Worker and background job debugging
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Settings and diagnostics continued}
+ \begin{itemize}
+ \item Seeking help
+ \begin{itemize}
+ \item Dump your settings to a file!
+ \item Make sure to sanitise it
+ \item Send it to us together with your issue to make our lives easier
+ \item Ask Github (https://github.com/MISP/MISP)
+ \item Have a chat with us on gitter (https://gitter.im/MISP/MISP)
+ \item Ask the MISP mailing list
+ \item If this is security related, drop us a PGP encrypted email to \url{mailto:info@circl.lu}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Logging}
+ \begin{itemize}
+ \item Audit logs in MISP
+ \item Enable IP logging / API logging
+ \item Search the logs, the fields explained
+ \item External logs
+ \begin{itemize}
+ \item /var/www/MISP/app/tmp/logs/error.log
+ \item /var/www/MISP/app/tmp/logs/resque-worker-error.log
+ \item /var/www/MISP/app/tmp/logs/resque-scheduler-error.log
+ \item /var/www/MISP/app/tmp/logs/resque-[date].log
+ \item /var/www/MISP/app/tmp/logs/error.log
+ \item apache access logs
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Updating MISP}
+ \begin{itemize}
+ \item git pull
+ \item git submodule init \&\& git submodule update
+ \item reset the permissions if it goes wrong according to the INSTALL.txt
+ \item when MISP complains about missing fields, make sure to clear the caches
+ \begin{itemize}
+ \item in /var/www/MISP/app/tmp/cache/models remove myapp*
+ \item in /var/www/MISP/app/tmp/cache/persistent remove myapp*
+ \end{itemize}
+ \item No additional action required on hotfix level
+ \item Read the migration guide for major and minor version changes
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP - Administrative tools}
+ \begin{itemize}
+ \item Upgrade scripts for minor / major versions
+ \item Maintenance scripts
+ \end{itemize}
+\end{frame}
+
diff --git a/2-misp-administration/logo-circl.pdf b/2-misp-administration/logo-circl.pdf
new file mode 100644
index 0000000..62c9239
Binary files /dev/null and b/2-misp-administration/logo-circl.pdf differ
diff --git a/2-misp-administration/misp.pdf b/2-misp-administration/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/2-misp-administration/misp.pdf differ
diff --git a/2-misp-administration/misplogo.pdf b/2-misp-administration/misplogo.pdf
new file mode 100644
index 0000000..60da568
Binary files /dev/null and b/2-misp-administration/misplogo.pdf differ
diff --git a/2-misp-administration/screenshots/datamodel1.png b/2-misp-administration/screenshots/datamodel1.png
new file mode 100644
index 0000000..7a31661
Binary files /dev/null and b/2-misp-administration/screenshots/datamodel1.png differ
diff --git a/2-misp-administration/screenshots/datamodel2.png b/2-misp-administration/screenshots/datamodel2.png
new file mode 100644
index 0000000..5018708
Binary files /dev/null and b/2-misp-administration/screenshots/datamodel2.png differ
diff --git a/2-misp-administration/screenshots/datamodel3.png b/2-misp-administration/screenshots/datamodel3.png
new file mode 100644
index 0000000..89d97fa
Binary files /dev/null and b/2-misp-administration/screenshots/datamodel3.png differ
diff --git a/2-misp-administration/screenshots/datamodel4.png b/2-misp-administration/screenshots/datamodel4.png
new file mode 100644
index 0000000..45d759b
Binary files /dev/null and b/2-misp-administration/screenshots/datamodel4.png differ
diff --git a/2-misp-administration/screenshots/datamodel5.png b/2-misp-administration/screenshots/datamodel5.png
new file mode 100644
index 0000000..9a9ae5e
Binary files /dev/null and b/2-misp-administration/screenshots/datamodel5.png differ
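Review bot: The feeds frame reuses the title of the preceding synchronisation frame, so two slides are headed `MISP - Setting up the synchronisation` while the second one lists feed topics; it should read `\frametitle{MISP - Feeds}` to match the agenda frame. The Logging frame lists `/var/www/MISP/app/tmp/logs/error.log` twice under "External logs", and the agenda frame has the typo `Organisaton`. The `json` listing language colours digits and delimiters with `numb`, `punct` and `delim`, which slide.tex in this commit does not define (it defines only `main`, `textcolor` and `background`), so the first json listing added to the deck will fail with an undefined colour; either add the three `\definecolor` lines next to the existing ones or drop the definition, which nothing in content.tex uses yet. On the "Seeking help" frame the GitHub and gitter addresses are plain parenthesised text while the mail address uses `\url{}`; wrapping them as `\url{https://github.com/MISP/MISP}` and `\url{https://gitter.im/MISP/MISP}` keeps the links clickable and consistent. The VM frame presents the admin and SSH logins as fixed values; since the deck covers instance setup, a bullet marking them as the training image defaults to be changed at first login would fit next to "Basic instance setup".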
diff --git a/2-misp-administration/screenshots/datamodel6.png b/2-misp-administration/screenshots/datamodel6.png
new file mode 100644
index 0000000..da8dc58
Binary files /dev/null and b/2-misp-administration/screenshots/datamodel6.png differ
diff --git a/2-misp-administration/screenshots/sync.png b/2-misp-administration/screenshots/sync.png
new file mode 100644
index 0000000..11073e7
Binary files /dev/null and b/2-misp-administration/screenshots/sync.png differ
diff --git a/2-misp-administration/slide.tex b/2-misp-administration/slide.tex
new file mode 100644
index 0000000..a40e5bc
--- /dev/null
+++ b/2-misp-administration/slide.tex
@@ -0,0 +1,26 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\author{\small{\input{../includes/authors.txt}}}
+
+\title{MISP User Training - Administration of MISP 2.4}
+\subtitle{MISP Threat Sharing}
+\institute{\href{http://www.misp-project.org/}{http://www.misp-project.org/} \\ Twitter: \emph{\href{https://twitter.com/mispproject}{@MISPProject}}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+\date{\input{../includes/location.txt}}
+
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/build.sh b/build.sh
index 22f2f5b..ed0b448 100644
--- a/build.sh
+++ b/build.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 #
-slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp")
+slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration")
 mkdir output
 export TEXINPUTS=::`pwd`/themes/
 echo ${TEXINPUTS}
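Review bot: `\include{content}` in the document body of slide.tex is the wrong inclusion command for a frame fragment: content.tex's own header says it is meant to be included by the other .tex files, and `\include` forces page breaks, writes a separate .aux file and cannot be nested, whereas `\input{content}` is what such a fragment expects. `\author{\small{\input{../includes/authors.txt}}}` misuses the font switch — `\small` takes no argument and the braces merely happen to scope it inside `\author` — so `\author{{\small \input{../includes/authors.txt}}}` says what is meant. `tikz`, both `\usetikzlibrary` lines and `adjustbox` are loaded but nothing in content.tex in this commit uses them; if no other included file needs them they can be dropped to shorten compile time. The institute line spells the project URL out twice via `\href{...}{...}`; `\url{http://www.misp-project.org/}` gives the same clickable link with one string to keep in sync.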