Integrate with MISP

L2 Linker

Hi all,

Do you know of any sample integration with MISP (Malware Information Sharing Platform)?

Another question is about scripts: can I launch a script to configure a new prototype? If I've created a new prototype I set a url option... can I set the url option to a script option?

Thanks a lot

L7 Applicator

Hi @SantiBT,

About MISP integration, we are planning to add it in the short term. Would you be interested in a Miner for MISP or in sending indicators to MISP?

luigi

L2 Linker

Hi Lmori!!

Yes, I'm interested in a miner for MISP!!!! It would be a great idea!!!!

Do you know that?

Please, let me know if you need more info about this!!

Regards!

L7 Applicator

Hi @SantiBT,

I am planning to start working on it in a couple of weeks. Would you be interested in testing the beta?

luigi

L2 Linker

Of course! Tell me when and I'll check your miner!

Thanks a lot

L0 Member

Hi,

Maybe you already have some beta version for testing?

L7 Applicator

Sorry, running late on this. The first beta code should be available the week of April 10th (2017).

L1 Bithead

Hi everyone,

I succeeded in using the MISP extension to get data from a MISP server... but now I cannot export data via an output node.

My feed passes through a stdlib.aggregatorDomain and then I'm trying to have the indicators available through a stdlib.feedLCGreenWithValue output node.

No luck so far... on the output node I see non-zero statistics for

updated.queue, update.rx, withdraw.processed, withdraw.queued, withdraw.rx

while zero values for

checkpoint.* and removed

If I try to connect to the FEED BASE URL of the output node I get status 200 but a blank page.

I'm probably overlooking some important point...

Regards.

Sebastiano

L7 Applicator

Hi @Sebastiano,

Could you check in the Miner LOGS which type of share level is applied to the indicators?

Go to the MISP Miner and click on LOGS; there you will see the extracted indicators. If you click on one of them you will see the full list of attributes assigned to the indicator and you will be able to check the share_level attribute.

L1 Bithead

Hi @lmori and thanks a lot for your answer.

I checked the log of the MISP miner and I see share_level set to 'white', so I think those should be good 'candidates' for output.

{
  "_age_out": 4294967295000,
  "confidence": 70,
  "share_level": "white",
  "misp_event_tags": [

<snip>

}

I'm using minemeld version 0.9.40

and minemeld-misp version 0.1b5

Kind regards

Seba

Edit....

It was a confidence problem... as my output node was a low confidence one... so confidence < 50...

Now it works like a charm...
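To see why an indicator with confidence 70 never reached the low-confidence output node, here is an added Python model (not MineMeld's or the minemeld-misp extension's own code) of an output node's confidence and share_level filter. The thread only states that the low-confidence node keeps confidence < 50; the medium/high bands, the TLP-style ordering of share levels and the sibling node names are assumptions.

```python
from dataclasses import dataclass

# Assumed TLP-like ordering of share levels; a "Green" output node may
# publish anything at or below green, i.e. white and green.
SHARE_LEVELS = {"white": 0, "green": 1, "amber": 2, "red": 3}

# Assumed confidence bands. The thread states the low-confidence (LC) node
# keeps confidence < 50; the MC/HC cut-offs are assumptions.
CONFIDENCE_BANDS = {"LC": (0, 50), "MC": (50, 75), "HC": (75, 101)}


@dataclass(frozen=True)
class OutputNode:
    name: str         # e.g. "stdlib.feedLCGreenWithValue" from the thread
    band: str         # "LC", "MC" or "HC"
    share_level: str  # highest share level this feed may publish

    def accepts(self, indicator: dict) -> bool:
        """Return True if this node would publish the indicator."""
        level = indicator.get("share_level")
        if level not in SHARE_LEVELS:
            return False  # missing or unknown share level: never publish
        if SHARE_LEVELS[level] > SHARE_LEVELS[self.share_level]:
            return False  # too sensitive for this feed
        low, high = CONFIDENCE_BANDS[self.band]
        return low <= int(indicator.get("confidence", 0)) < high


def route(indicator: dict, nodes) -> list:
    """Names of the output nodes that would publish the indicator."""
    return [n.name for n in nodes if n.accepts(indicator)]


# The node used in the thread plus its medium/high confidence siblings
# (sibling names are assumed to follow the same naming pattern).
NODES = (
    OutputNode("stdlib.feedLCGreenWithValue", "LC", "green"),
    OutputNode("stdlib.feedMCGreenWithValue", "MC", "green"),
    OutputNode("stdlib.feedHCGreenWithValue", "HC", "green"),
)

# Constructed to match the miner log record shown above (tags/age_out omitted).
INDICATOR_FROM_LOG = {"indicator": "example.invalid", "type": "domain",
                      "confidence": 70, "share_level": "white"}

if __name__ == "__main__":
    # confidence 70 is not "low", so the LC node drops it and MC publishes it
    print(route(INDICATOR_FROM_LOG, NODES))  # ['stdlib.feedMCGreenWithValue']
```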
