02-20-2017 09:02 AM
Hi all,
Do you know of any sample about integration with MISP (Malware Information Sharing Platform)?
So another question is about scripts: can I launch a script in the config of a new prototype? If I've created a new prototype I set a url option... can I set the url option as a script option?
Thanks a lot
02-22-2017 12:26 AM
Hi lmori!
Yes, I'm interested in a miner for MISP! It would be a great idea!
Do you know about that?
Please, let me know if you need more info about this!
Regards!
02-22-2017 09:36 AM
Hi @SantiBT,
I am planning to start working on it in a couple of weeks, would you be interested in testing the beta?
luigi
02-23-2017 12:21 AM
Of course! Tell me when and I'll check your miner!
Thanks a lot
03-27-2017 02:37 AM
Hi,
Maybe you already have some beta version for testing?
03-27-2017 04:45 AM
Sorry, running late on this. First beta code should be available the week of April 10th (2017)
08-23-2017 12:51 AM
Hi everyone,
I succeeded in using the MISP extension to get data from a MISP server... but now I cannot
export data via an output node.
My feed passes through a stdlib.aggregatorDomain node and then I'm trying to make the indicators available through a stdlib.feedLCGreenWithValue output node.
No luck so far... on the output node I see non-zero statistics for
updated.queue, update.rx, withdraw.processed, withdraw.queued, withdraw.rx
while zero values for
checkpoint.* and removed.
If I try to connect to the FEED BASE URL of the output node I get status 200 but a blank page.
I'm probably overlooking some important point...
Regards.
Sebastiano
08-23-2017 07:20 AM
Hi @Sebastiano,
Could you check in the Miner LOGS which share level is applied to the indicators?
Go to the MISP Miner and click on LOGS; there you will see the extracted indicators. If you click on one of them you will see the full list of attributes assigned to the indicator and you will be able to check the share_level attribute.
08-24-2017 01:22 AM - edited 08-24-2017 02:00 AM
Hi @lmori and thanks a lot for your answer.
I checked the log of the MISP miner and I see share_level set to 'white', so I think those should be good 'candidates' for output.
{
    "_age_out": 4294967295000,
    "confidence": 70,
    "share_level": "white",
    "misp_event_tags": [
        <snip>
}
I'm using minemeld version 0.9.40
and minemeld-misp version 0.1b5
Kind regards
Seba
Edit:
It was a confidence problem... as my output node was a low confidence one... so confidence < 50...
Now it works like a charm...
08-24-2017 02:16 AM
Is it possible to create one for sending indicators to MISP as well? It would be great if it could work both ways. The reason is that MineMeld can take a lot of indicators from different sources, some of which will create a lot of noise/false positives (IPv4 for example) and need to be 'curated' and 'enriched' before being fed to other platforms such as SIEMs. So from my perspective MISP fits the role of repository and enricher. Also, GOSINT from Cisco looks promising as well when it comes to data enrichment.
08-24-2017 05:50 AM
MineMeld is modular enough to accommodate 'enrichment'. For instance you could create an aggregator sort of node that checks IPv4 against your threat intel source (i.e. WildFire / AutoFocus) to attach 'enrichment attributes' to that indicator.
I'm planning, for instance, on creating an enrichment node for MineMeld that will attach the PAN-DB URL category value as an attribute to all URL indicators received by that node. Each node in a MineMeld graph has the native capability of filtering (accept/discard) indicators based on attribute values. In my case the idea will be for the output node to discard all URL indicators received from this 'enriched graph' that are classified as malware or phishing by PAN-DB, because the URL-Filtering feature would be taking care of them already.
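The accept/discard logic behind both the confidence problem Sebastiano hit above (indicators at confidence 70 never reaching a low-confidence output node) and the attribute-based filtering described in this post, written out as an added example. This is not MineMeld's own code and it does not reproduce MineMeld's filter syntax; it is a small stand-alone model that traces why an indicator is kept or dropped. The conditions used for the low-confidence output node (share_level white or green, confidence below 50) are taken from the thread's own statement rather than from MineMeld's source, the attribute name url_category is a hypothetical stand-in for whatever an enrichment node would attach, and all indicators are constructed sample values.

```python
# Constructed example: a minimal model of attribute-based accept/discard
# filtering in an indicator pipeline. Not MineMeld code; the rule format
# below is invented for illustration only.

OPERATORS = {
    "==": lambda actual, expected: actual == expected,
    "!=": lambda actual, expected: actual != expected,
    "<": lambda actual, expected: actual < expected,
    ">=": lambda actual, expected: actual >= expected,
    "in": lambda actual, expected: actual in expected,
}


def rule_matches(rule, indicator):
    """True when every (attribute, operator, value) condition holds for the indicator."""
    for attr, op, expected in rule["conditions"]:
        actual = indicator.get(attr)
        if actual is None:  # an attribute that was never attached cannot match
            return False
        if not OPERATORS[op](actual, expected):
            return False
    return True


def evaluate(indicator, rules, default):
    """Return (action, rule_name) for the first matching rule, else (default, None)."""
    for rule in rules:
        if rule_matches(rule, indicator):
            return rule["action"], rule["name"]
    return default, None


def apply_filters(indicators, rules, default="discard"):
    """Split indicators into accepted/discarded lists of (indicator, rule_name)."""
    accepted, discarded = [], []
    for ind in indicators:
        action, name = evaluate(ind, rules, default)
        target = accepted if action == "accept" else discarded
        target.append((ind["indicator"], name))
    return accepted, discarded


# --- Case 1: a low-confidence output node (assumed conditions from the thread) ---
# Accept only shareable (white/green) indicators with confidence < 50; anything
# else falls through to the default and is discarded.
LOW_CONFIDENCE_OUTPUT = [
    {"name": "lc_green", "action": "accept",
     "conditions": [("share_level", "in", ("white", "green")),
                    ("confidence", "<", 50)]},
]

# Constructed indicators; the first mirrors the log excerpt in the thread
# (confidence 70, share_level white) and is the one that silently disappears.
MISP_INDICATORS = [
    {"indicator": "203.0.113.10", "type": "IPv4", "confidence": 70, "share_level": "white"},
    {"indicator": "198.51.100.7", "type": "IPv4", "confidence": 40, "share_level": "white"},
    {"indicator": "192.0.2.55", "type": "IPv4", "confidence": 40, "share_level": "red"},
]


def low_confidence_feed():
    return apply_filters(MISP_INDICATORS, LOW_CONFIDENCE_OUTPUT)


# --- Case 2: dropping URLs another control already covers -------------------
# Hypothetical attribute "url_category" stands in for an enrichment result.
# URLs categorised as malware/phishing are discarded; other URLs pass through;
# a URL that was never enriched has no url_category and therefore passes.
ENRICHED_URL_OUTPUT = [
    {"name": "already_blocked", "action": "discard",
     "conditions": [("type", "==", "URL"),
                    ("url_category", "in", ("malware", "phishing"))]},
    {"name": "pass_url", "action": "accept",
     "conditions": [("type", "==", "URL")]},
]

ENRICHED_URLS = [
    {"indicator": "http://example.com/a", "type": "URL", "confidence": 80, "url_category": "malware"},
    {"indicator": "http://example.net/b", "type": "URL", "confidence": 80, "url_category": "unknown"},
    {"indicator": "http://example.org/c", "type": "URL", "confidence": 80},  # not enriched
]


def enriched_url_feed():
    return apply_filters(ENRICHED_URLS, ENRICHED_URL_OUTPUT)


if __name__ == "__main__":
    for label, (accepted, discarded) in (("low-confidence feed", low_confidence_feed()),
                                         ("enriched URL feed", enriched_url_feed())):
        print(label, "accepted:", accepted)
        print(label, "discarded:", discarded)
```

Running it shows the first case exactly as reported in the thread: the confidence-70 indicator is discarded with no matching rule, so the output feed stays empty even though the node's receive counters move. The second case shows the other side of the same mechanism: a missing enrichment attribute never satisfies a condition, so a node that discards on an enrichment value will let un-enriched indicators through unless a separate rule handles them.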
09-03-2017 06:36 AM
Thanks
@xhoms wrote:
MineMeld is modular enough to accommodate 'enrichment'. For instance you could create an aggregator sort of node that checks IPv4 against your threat intel source (i.e. WildFire / AutoFocus) to attach 'enrichment attributes' to that indicator.
I'm planning, for instance, on creating an enrichment node for MineMeld that will attach the PAN-DB URL category value as an attribute to all URL indicators received by that node. Each node in a MineMeld graph has the native capability of filtering (accept/discard) indicators based on attribute values. In my case the idea will be for the output node to discard all URL indicators received from this 'enriched graph' that are classified as malware or phishing by PAN-DB, because the URL-Filtering feature would be taking care of them already.
Thanks!
09-27-2017 03:10 AM
I found an error when activating the "minemeld-misp" extension.
Please advise me:
Collecting pymisp (from minemeld-misp==0.1b5)
/opt/minemeld/engine/0.9.42/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
SNIMissingWarning
/opt/minemeld/engine/0.9.42/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Retrying (Retry(total=4, connect=None, read=None, redirect=None)) after connection broken by 'ProtocolError('Connection aborted.', error(104, 'Connection reset by peer'))': /simple/pymisp/
/opt/minemeld/engine/0.9.42/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
See full log in attachments.
11-03-2017 03:05 AM
@lmori
Do you have a .yml file? My company blocks .git files from the server.