new: [2] MISP administration overview added
|
@ -0,0 +1,319 @@
|
||||||
|
% DO NOT COMPILE THIS FILE DIRECTLY!
|
||||||
|
% This is included by the other .tex files.
|
||||||
|
|
||||||
|
\lstdefinelanguage{json}{
|
||||||
|
basicstyle=\ttfamily\footnotesize,
|
||||||
|
numbers=left,
|
||||||
|
numberstyle=\ttfamily\footnotesize,
|
||||||
|
stepnumber=1,
|
||||||
|
numbersep=8pt,
|
||||||
|
showstringspaces=false,
|
||||||
|
breaklines=true,
|
||||||
|
frame=lines,
|
||||||
|
backgroundcolor=\color{background},
|
||||||
|
literate=
|
||||||
|
*{0}{{{\color{numb}0}}}{1}
|
||||||
|
{1}{{{\color{numb}1}}}{1}
|
||||||
|
{2}{{{\color{numb}2}}}{1}
|
||||||
|
{3}{{{\color{numb}3}}}{1}
|
||||||
|
{4}{{{\color{numb}4}}}{1}
|
||||||
|
{5}{{{\color{numb}5}}}{1}
|
||||||
|
{6}{{{\color{numb}6}}}{1}
|
||||||
|
{7}{{{\color{numb}7}}}{1}
|
||||||
|
{8}{{{\color{numb}8}}}{1}
|
||||||
|
{9}{{{\color{numb}9}}}{1}
|
||||||
|
{:}{{{\color{punct}{:}}}}{1}
|
||||||
|
{,}{{{\color{punct}{,}}}}{1}
|
||||||
|
{\{}{{{\color{delim}{\{}}}}{1}
|
||||||
|
{\}}{{{\color{delim}{\}}}}}{1}
|
||||||
|
{[}{{{\color{delim}{[}}}}{1}
|
||||||
|
{]}{{{\color{delim}{]}}}}{1},
|
||||||
|
}
|
||||||
|
|
||||||
|
\begin{frame}[t,plain]
|
||||||
|
\titlepage
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - VM}
|
||||||
|
\begin{itemize}
|
||||||
|
\item VM can be downloaded at \url{https://www.circl.lu/misp-training/}
|
||||||
|
\item Credentials
|
||||||
|
\begin{itemize}
|
||||||
|
\item MISP admin: admin@admin.test/admin
|
||||||
|
\item SSH: misp/Password1234
|
||||||
|
|
||||||
|
\end{itemize}
|
||||||
|
\item 2 network interfaces
|
||||||
|
\begin{itemize}
|
||||||
|
\item NAT
|
||||||
|
\item Host only adapter
|
||||||
|
\end{itemize}
|
||||||
|
\item Start the enrichment system by typing:
|
||||||
|
\begin{itemize}
|
||||||
|
\item cd /home/misp/misp-modules/bin
|
||||||
|
\item python3 misp-modules.py
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Administration}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Plan for this part of the training
|
||||||
|
\begin{itemize}
|
||||||
|
\item User and Organisaton administration
|
||||||
|
\item Sharing group creation
|
||||||
|
\item Templates
|
||||||
|
\item Tags and Taxonomy
|
||||||
|
\item Whitelisting and Regexp entries
|
||||||
|
\item Setting up the synchronisation
|
||||||
|
\item Scheduled tasks
|
||||||
|
\item Feeds
|
||||||
|
\item Settings and diagnostics
|
||||||
|
\item Logging
|
||||||
|
\item Troubleshooting and updating
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Creating Users}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Add new user (andras.iklody@circl.lu)
|
||||||
|
\item NIDS SID, Organisation, disable user
|
||||||
|
\item Fetch the PGP key
|
||||||
|
\item Roles
|
||||||
|
\begin{itemize}
|
||||||
|
\item Re-using standard roles
|
||||||
|
\item Creating a new custom role
|
||||||
|
\end{itemize}
|
||||||
|
\item Send out credentials
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Creating Organisations}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Adding a new organisation
|
||||||
|
\item UUID
|
||||||
|
\item Local vs External organisation
|
||||||
|
\item Making an organisation self sustaining with Org Admins
|
||||||
|
\item Creating a sync user
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Sharing groups}
|
||||||
|
\begin{itemize}
|
||||||
|
\item The concept of a sharing group
|
||||||
|
\item Creating a sharing group
|
||||||
|
\item Adding extending rights to an organisation
|
||||||
|
\item Include all organisations of an instance
|
||||||
|
\item Not specifying an instance
|
||||||
|
\item Making a sharing group active
|
||||||
|
\item Reviewing the sharing group
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Templates}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Why templating?
|
||||||
|
\item Create a basic template
|
||||||
|
\item Text fields
|
||||||
|
\item Attribute fields
|
||||||
|
\item Attachment fields
|
||||||
|
\item Automatic tagging
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Tags and Taxonomies}
|
||||||
|
\begin{itemize}
|
||||||
|
\item git submodule init \&\& git submodule update
|
||||||
|
\item Loading taxonomies
|
||||||
|
\item Enabling taxonomies and associated tags
|
||||||
|
\item Tag management
|
||||||
|
\item Exportable tags
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Object Templates}
|
||||||
|
\begin{itemize}
|
||||||
|
\item git submodule init \&\& git submodule update
|
||||||
|
\item Enabling objects (and what about versioning)
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Whitelisting, Regexp entries, Warninglists}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Block from exports - whitelisting
|
||||||
|
\item Block from imports - blacklisting via regexp
|
||||||
|
\item Modify on import - modification via regexp
|
||||||
|
\item Maintaining the warninglists
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Setting up the synchronisation}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Requirements - versions
|
||||||
|
\item Pull/Push
|
||||||
|
\item One way vs Two way synchronisation
|
||||||
|
\item Exchanging sync users
|
||||||
|
\item Certificates
|
||||||
|
\item Filtering
|
||||||
|
\item Connection test tool
|
||||||
|
\item Previewing an instance
|
||||||
|
\item Cherry picking and keeping the list updated
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Scheduled tasks}
|
||||||
|
\begin{itemize}
|
||||||
|
\item How to schedule the next execution
|
||||||
|
\item Frequency, next execution
|
||||||
|
\item What happens if a job fails?
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Setting up the synchronisation}
|
||||||
|
\begin{itemize}
|
||||||
|
\item MISP Feeds and their generation
|
||||||
|
\item PyMISP
|
||||||
|
\item Default free feeds
|
||||||
|
\item Enabling a feed
|
||||||
|
\item Previewing a feed and cherry picking
|
||||||
|
\item Feed filters
|
||||||
|
\item Auto tagging
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Settings and diagnostics}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Settings
|
||||||
|
\begin{itemize}
|
||||||
|
\item Settings interface
|
||||||
|
\item The tabs explained at a glance
|
||||||
|
\item Issues and their severity
|
||||||
|
\item Setting guidance and how to best use it
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Settings and diagnostics continued}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Basic instance setup
|
||||||
|
\item Additional features released as hotfixes
|
||||||
|
\item Customise the look and feel of your MISP
|
||||||
|
\item Default behaviour (encryption, e-mailing, default distributions)
|
||||||
|
\item Maintenance mode
|
||||||
|
\item Disabling the e-mail alerts for an initial sync
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Settings and diagnostics continued}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Plugins
|
||||||
|
\begin{itemize}
|
||||||
|
\item Enrichment Modules
|
||||||
|
\item RPZ
|
||||||
|
\item ZeroMQ
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Settings and diagnostics continued}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Diagnostics
|
||||||
|
\begin{itemize}
|
||||||
|
\item Updating MISP
|
||||||
|
\item Writeable Directories
|
||||||
|
\item PHP settings
|
||||||
|
\item Dependency diagnostics
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Settings and diagnostics continued}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Workers
|
||||||
|
\begin{itemize}
|
||||||
|
\item What do the background workers do?
|
||||||
|
\item Queues
|
||||||
|
\item Restarting workers, adding workers, removing workers
|
||||||
|
\item Worker diagnostics (queue size, jobs page)
|
||||||
|
\item Clearing worker queues
|
||||||
|
\item Worker and background job debugging
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Settings and diagnostics continued}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Seeking help
|
||||||
|
\begin{itemize}
|
||||||
|
\item Dump your settings to a file!
|
||||||
|
\item Make sure to sanitise it
|
||||||
|
\item Send it to us together with your issue to make our lives easier
|
||||||
|
\item Ask Github (https://github.com/MISP/MISP)
|
||||||
|
\item Have a chat with us on gitter (https://gitter.im/MISP/MISP)
|
||||||
|
\item Ask the MISP mailing list
|
||||||
|
\item If this is security related, drop us a PGP encrypted email to \url{mailto:info@circl.lu}
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Logging}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Audit logs in MISP
|
||||||
|
\item Enable IP logging / API logging
|
||||||
|
\item Search the logs, the fields explained
|
||||||
|
\item External logs
|
||||||
|
\begin{itemize}
|
||||||
|
\item /var/www/MISP/app/tmp/logs/error.log
|
||||||
|
\item /var/www/MISP/app/tmp/logs/resque-worker-error.log
|
||||||
|
\item /var/www/MISP/app/tmp/logs/resque-scheduler-error.log
|
||||||
|
\item /var/www/MISP/app/tmp/logs/resque-[date].log
|
||||||
|
\item /var/www/MISP/app/tmp/logs/error.log
|
||||||
|
\item apache access logs
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Updating MISP}
|
||||||
|
\begin{itemize}
|
||||||
|
\item git pull
|
||||||
|
\item git submodule init \&\& git submodule update
|
||||||
|
\item reset the permissions if it goes wrong according to the INSTALL.txt
|
||||||
|
\item when MISP complains about missing fields, make sure to clear the caches
|
||||||
|
\begin{itemize}
|
||||||
|
\item in /var/www/MISP/app/tmp/cache/models remove myapp*
|
||||||
|
\item in /var/www/MISP/app/tmp/cache/persistent remove myapp*
|
||||||
|
\end{itemize}
|
||||||
|
\item No additional action required on hotfix level
|
||||||
|
\item Read the migration guide for major and minor version changes
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP - Administrative tools}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Upgrade scripts for minor / major versions
|
||||||
|
\item Maintenance scripts
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
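Review bot: The `MISP - VM` slide publishes the VM's admin and SSH credentials (`admin@admin.test/admin`, `misp/Password1234`) together with its two network interfaces but never says these are training-only defaults, so a trainee who switches the adapter to bridged or reuses the VM as a base image ends up with a publicly documented password on a reachable host. I would add an item under Credentials such as `\item Training defaults only: change both passwords before attaching the VM to any shared network or using it beyond the lab`. Two documentation slips in the same file: the Feeds slide reuses `\frametitle{MISP - Setting up the synchronisation}` and should read `\frametitle{MISP - Feeds}` to match the plan slide, and `/var/www/MISP/app/tmp/logs/error.log` appears twice in the Logging list, so the second copy can go. On the Updating slide, `git pull` alone moves the instance to whatever the tracked branch head is; if the deck wants to teach a controlled update it should at least mention checking out a tagged release, though I cannot tell from here which branch the training VM tracks.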
|
||||||
|
|
After Width: | Height: | Size: 2.9 KiB |
After Width: | Height: | Size: 3.6 KiB |
After Width: | Height: | Size: 4.7 KiB |
After Width: | Height: | Size: 5.3 KiB |
After Width: | Height: | Size: 5.7 KiB |
After Width: | Height: | Size: 5.9 KiB |
After Width: | Height: | Size: 8.8 KiB |
|
@ -0,0 +1,26 @@
|
||||||
|
\documentclass{beamer}
|
||||||
|
\usetheme[numbering=progressbar]{focus}
|
||||||
|
\definecolor{main}{RGB}{47, 161, 219}
|
||||||
|
\definecolor{textcolor}{RGB}{128, 128, 128}
|
||||||
|
\definecolor{background}{RGB}{240, 247, 255}
|
||||||
|
|
||||||
|
|
||||||
|
\usepackage[utf8]{inputenc}
|
||||||
|
\usepackage{tikz}
|
||||||
|
\usepackage{listings}
|
||||||
|
\usepackage{adjustbox}
|
||||||
|
\usetikzlibrary{positioning}
|
||||||
|
\usetikzlibrary{shapes,arrows}
|
||||||
|
|
||||||
|
\author{\small{\input{../includes/authors.txt}}}
|
||||||
|
|
||||||
|
\title{MISP User Training - Administration of MISP 2.4}
|
||||||
|
\subtitle{MISP Threat Sharing}
|
||||||
|
\institute{\href{http://www.misp-project.org/}{http://www.misp-project.org/} \\ Twitter: \emph{\href{https://twitter.com/mispproject}{@MISPProject}}}
|
||||||
|
\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
|
||||||
|
\date{\input{../includes/location.txt}}
|
||||||
|
|
||||||
|
\begin{document}
|
||||||
|
\include{content}
|
||||||
|
\end{document}
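Review bot: The `\institute` line links to `http://www.misp-project.org/` over plain HTTP while the VM download link in the content file already uses HTTPS; for a security training deck the link should be `\href{https://www.misp-project.org/}{https://www.misp-project.org/}`, assuming the site serves HTTPS, which I cannot verify from here. A smaller point of style: `\include{content}` forces a page break and writes a separate `.aux` file, whereas `\input{content}` is the conventional way to pull in a fragment that is not a chapter; under beamer both work because every frame starts its own page, so this is cosmetic.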
|
||||||
|
|
2
build.sh
|
@ -1,7 +1,7 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
#
|
#
|
||||||
|
|
||||||
slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp")
|
slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration")
|
||||||
mkdir output
|
mkdir output
|
||||||
export TEXINPUTS=::`pwd`/themes/
|
export TEXINPUTS=::`pwd`/themes/
|
||||||
echo ${TEXINPUTS}
|
echo ${TEXINPUTS}
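Review bot: The new deck will be built by re-running this script, and `mkdir output` two lines below the changed `slidedecks` array errors on every run after the first because the directory already exists; `mkdir -p output` is the usual form. Without a `set -e` the error is not fatal, so the build still proceeds, but the noise hides real failures. The loop that consumes `slidedecks` lies outside the hunk, so I cannot see how a missing deck directory would be reported.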
|
||||||
|
|