Integrate with MISP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Integrate with MISP

L2 Linker

Hi all,

 

Do you know something sample about integration with MISP (Malware Information share platform)???

 

So another question is about scripts, can I launch a script into conifg a new prototype? If I've created a new prototype I set a url option...can I set the url option for script option????

 

Thanks a lot

19 REPLIES 19

L7 Applicator

Hi @SantiBT,

about MISP integration, we are planning to add it in the short term. Would you be interested in a Miner for MISP or sending indicators to MISP ?

 

luigi

Hi Lmori!!

 

Yes, I'm interesting in a miner for MISP!!!! it will be a great idea!!!!

 

Do you known that??????

 

Please, let me know if you need more info about this!!

 

Regards!

Hi @SantiBT,

I am planning to start working on it in a couple of weeks, would you be interested in testing the beta ?

 

luigi

Of course! Tell me when and I'll check your mine!

 

Thanks a lot

Hi,

 

maybe you already have some beta version for testing?

Sorry, running late on this. First beta code should be available the week of April 10th (2017)

Hi everyone,

I succeeded in using MISP extension in order to get data from a misp server...but now I cannot 

export data via output node.

My feed pass through a stdlib.aggregatorDomain and then I'm trying to have them available through a stdlib.feedLCGreenWithValue output node.

No luck so far...on the output node I see non zero statistics for

updated.queue, update.rx, withdraw.processed, withdraw.queued, withdraw.rx

while zero value for

checkpoint.* and removed

 

If I try to connect to the FEED BASE URL of the output node I get status 200 but a blank page.

I'm probably overlooking some important point...

Regards.

Sebastiano

Hi @Sebastiano,

could you check in the Miner LOGS which type of share level is applied to the indicators ?

Go to the MISP Miner and click on LOGS, there you will see the extracted indicators. If you click on one of them you will see the full list of attributes assigned to the indicators and you will be able to check the share_level attribute.

Hi @lmori and thanks a lot for you answer.

I checked the log of the misp miner and I see share_level set to 'white' so I think those should be good 'candidates' for output.

 

{
"_age_out": 4294967295000,
"confidence": 70,
"share_leve": "white",
"misp_event_tags": [

<snip>

 }

 

I'm using minemeld version 0.9.40

and minemeld-misp version 0.1b5

kind regars

Seba

 

Edit....

Was a confidence problem...as my output node was a low confidence one... so confidence < 50...

Now it works like a charm...

 

Is it possible to create one for sending indicators to MISP as well? Would be great if it can work both ways. Reason is that, MineMeld can take a lot of indicators from different sources, which some of them will create a lot of noise/false positives (IPv4 for example) and need to be 'curated' and 'enriched' before feeding it to other platforms such as SIEMs. So from my perspective MISP fits into that role of repository and enricher. Also, GOSINT from Cisco looks promising as well when it comes to data enricher.

@vedd3r,

 

MineMeld is modular enough to accomodate 'enrichement'. For instance you could create an aggregator sort of node that checks IPv4 against your threat intel source (i.e. Wildfire / AutoFocus) to attach 'enrichement attributes' to that indicator.

 

I'm planning, for instance, on creating an enrichement node for MineMeld that will attach the PAN-DB URL category value as an attribute to all URL indicators received by that node. Each node in a MineMeld graph has the native capability of filtering (accept/discard) indicators based on attribute values. In my case the idea will be for the output node to discard all URL indicators received from this 'enriched graph' that are classified as malware or phishing by PAN-DB because the URL-Filtering feature would be taking care of them already.

Thanks


@xhoms wrote:

@vedd3r,

 

MineMeld is modular enough to accomodate 'enrichement'. For instance you could create an aggregator sort of node that checks IPv4 against your threat intel source (i.e. Wildfire / AutoFocus) to attach 'enrichement attributes' to that indicator.

 

I'm planning, for instance, on creating an enrichement node for MineMeld that will attach the PAN-DB URL category value as an attribute to all URL indicators received by that node. Each node in a MineMeld graph has the native capability of filtering (accept/discard) indicators based on attribute values. In my case the idea will be for the output node to discard all URL indicators received from this 'enriched graph' that are classified as malware or phishing by PAN-DB because the URL-Filtering feature would be taking care of them already.


 

Thanks!

L3 Networker

I found error when activate "minemeld-misp" extensions

 

Please recommend me:

 

Collecting pymisp (from minemeld-misp==0.1b5)
/opt/minemeld/engine/0.9.42/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
SNIMissingWarning
/opt/minemeld/engine/0.9.42/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Retrying (Retry(total=4, connect=None, read=None, redirect=None)) after connection broken by 'ProtocolError('Connection aborted.', error(104, 'Connection reset by peer'))': /simple/pymisp/
/opt/minemeld/engine/0.9.42/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning

see full log in attachments

@lmori

Do you have .yml file? My company block .git file from Server.

 

https://github.com/PaloAltoNetworks/minemeld-misp

  • 15754 Views
  • 19 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!