Integrate with MISP

L2 Linker

Is it possible to create one for sending indicators to MISP as well? It would be great if it could work both ways. The reason is that MineMeld can take a lot of indicators from different sources, some of which will create a lot of noise/false positives (IPv4, for example) and need to be 'curated' and 'enriched' before being fed to other platforms such as SIEMs. So from my perspective MISP fits that role of repository and enricher. Also, GOSINT from Cisco looks promising as well when it comes to data enrichment.

L5 Sessionator

@vedd3r,

MineMeld is modular enough to accommodate 'enrichment'. For instance, you could create an aggregator-style node that checks IPv4 indicators against your threat intel source (e.g. WildFire / AutoFocus) to attach 'enrichment attributes' to that indicator.

I'm planning, for instance, on creating an enrichment node for MineMeld that will attach the PAN-DB URL category value as an attribute to all URL indicators received by that node. Each node in a MineMeld graph has the native capability of filtering (accept/discard) indicators based on attribute values. In my case the idea will be for the output node to discard all URL indicators received from this 'enriched graph' that are classified as malware or phishing by PAN-DB, because the URL Filtering feature would be taking care of them already.

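The enrich-then-filter graph described in the post above, as an added Python example that is not part of the thread and does not use MineMeld's node API or PAN-DB: CATEGORY_TABLE is a constructed stand-in for the URL-category lookup, FILTER_RULES plays the role of a node's accept/discard conditions on attribute values, and indicators that survive are shaped as MISP attribute dicts (type, value, to_ids, comment) of the kind PyMISP can submit. The sample indicators, the rule set and the choice of ip-dst for IPv4 values are assumptions.

```python
"""Enrich-then-filter pipeline modelled on the MineMeld graph in the post above.

Added example: not MineMeld's node API and not PAN-DB. CATEGORY_TABLE stands in
for the URL-category lookup, FILTER_RULES for a node's accept/discard
conditions, and SAMPLE_INDICATORS are constructed input.
"""
import re

# Constructed stand-in for the PAN-DB URL category lookup (hostname -> category).
CATEGORY_TABLE = {
    "evil.example": "malware",
    "login-bank.example": "phishing",
    "cdn.example": "content-delivery-networks",
}

# MineMeld indicator type -> MISP attribute type. ip-dst is a choice (MISP also
# has ip-src); the other names are MISP's own attribute types.
MISP_TYPES = {"IPv4": "ip-dst", "domain": "domain", "URL": "url", "sha256": "sha256"}

# Rules are checked in order; the first match decides; anything unmatched is accepted.
FILTER_RULES = [
    {"attr": "url_category", "in": {"malware", "phishing"}, "action": "discard"},
    {"attr": "confidence", "lt": 50, "action": "discard"},
]

def url_host(url):
    """Host part of a URL indicator; scheme optional, port and path dropped."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None

def enrich(indicator, table=CATEGORY_TABLE):
    """Enrichment node: attach url_category to URL indicators, pass others through."""
    out = dict(indicator)
    if indicator["type"] == "URL":
        out["url_category"] = table.get(url_host(indicator["indicator"]), "unknown")
    return out

def rule_matches(rule, indicator):
    """One accept/discard condition: the attribute must exist and satisfy the test."""
    if rule["attr"] not in indicator:
        return False
    value = indicator[rule["attr"]]
    if "in" in rule:
        return value in rule["in"]
    if "lt" in rule:
        return value < rule["lt"]
    return False

def decide(indicator, rules=FILTER_RULES):
    """Output-node decision for an enriched indicator: 'accept' or 'discard'."""
    for rule in rules:
        if rule_matches(rule, indicator):
            return rule["action"]
    return "accept"

def to_misp_attribute(indicator):
    """Shape a surviving indicator as a MISP attribute dict (type, value, to_ids, comment)."""
    return {
        "type": MISP_TYPES[indicator["type"]],
        "value": indicator["indicator"],
        "to_ids": True,
        "comment": "url_category=%s confidence=%s" % (
            indicator.get("url_category", "n/a"), indicator.get("confidence", "n/a")),
    }

def run_graph(indicators, table=CATEGORY_TABLE, rules=FILTER_RULES):
    """Enrich, filter, convert. Returns (misp_attributes, discarded_values)."""
    kept, dropped = [], []
    for ind in indicators:
        enriched = enrich(ind, table)
        if decide(enriched, rules) == "accept":
            kept.append(to_misp_attribute(enriched))
        else:
            dropped.append(enriched["indicator"])
    return kept, dropped

# Constructed indicators (documentation-reserved addresses and .example hosts).
SAMPLE_INDICATORS = [
    {"type": "URL", "indicator": "http://evil.example/a.php", "confidence": 80},
    {"type": "URL", "indicator": "https://login-bank.example/", "confidence": 90},
    {"type": "URL", "indicator": "http://cdn.example/x.js", "confidence": 70},
    {"type": "URL", "indicator": "new-host.example:8080/path", "confidence": 65},
    {"type": "IPv4", "indicator": "203.0.113.9", "confidence": 30},
    {"type": "IPv4", "indicator": "198.51.100.7", "confidence": 75},
]

if __name__ == "__main__":
    attrs, dropped = run_graph(SAMPLE_INDICATORS)
    for a in attrs:
        print("send to MISP: %(type)s %(value)s (%(comment)s)" % a)
    print("discarded: %s" % ", ".join(dropped))
```

The two malware/phishing URLs and the low-confidence IPv4 are discarded before anything is shaped for MISP; the other three come out as url/url/ip-dst attributes. Swapping CATEGORY_TABLE for a real lookup and adding a PyMISP call in place of the print is what a real node would do.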
L2 Linker

@xhoms wrote:

@vedd3r,

MineMeld is modular enough to accommodate 'enrichment'. For instance, you could create an aggregator-style node that checks IPv4 indicators against your threat intel source (e.g. WildFire / AutoFocus) to attach 'enrichment attributes' to that indicator.

I'm planning, for instance, on creating an enrichment node for MineMeld that will attach the PAN-DB URL category value as an attribute to all URL indicators received by that node. Each node in a MineMeld graph has the native capability of filtering (accept/discard) indicators based on attribute values. In my case the idea will be for the output node to discard all URL indicators received from this 'enriched graph' that are classified as malware or phishing by PAN-DB, because the URL Filtering feature would be taking care of them already.

Thanks!

L3 Networker

I get an error when activating the "minemeld-misp" extension.

Please advise:

Collecting pymisp (from minemeld-misp==0.1b5)
/opt/minemeld/engine/0.9.42/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
SNIMissingWarning
/opt/minemeld/engine/0.9.42/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Retrying (Retry(total=4, connect=None, read=None, redirect=None)) after connection broken by 'ProtocolError('Connection aborted.', error(104, 'Connection reset by peer'))': /simple/pymisp/
/opt/minemeld/engine/0.9.42/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning

See the full log in the attachments.

L3 Networker

@lmori

Do you have a .yml file? My company blocks .git files from the server.

https://github.com/PaloAltoNetworks/minemeld-misp

L7 Applicator

Hi @iThreatHunt,

I have built a wheel file for it, you can download it and upload to MineMeld:

https://github.com/PaloAltoNetworks/minemeld-misp/releases/download/0.1b5/minemeld_misp-0.1b5-py2-no...

L3 Networker

@lmori

Thank you. But when I activate it via the API, I get this message:

Processing /opt/minemeld/local/library/minemeld_misp-0.1b5-py2-none-any.whl
Requirement already satisfied: minemeld-core==0.9.44 in /opt/minemeld/engine/0.9.44/lib/python2.7/site-packages (from -c /opt/minemeld/local/library/constraints.txt (line 31))
Collecting pymisp (from minemeld-misp==0.1b5)
/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
SNIMissingWarning
/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Retrying (Retry(total=4, connect=None, read=None, redirect=None)) after connection broken by 'ProtocolError('Connection aborted.', error(104, 'Connection reset by peer'))': /simple/pymisp/
/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Retrying (Retry(total=3, connect=None, read=None, redirect=None)) after connection broken by 'ProtocolError('Connection aborted.', error(104, 'Connection reset by peer'))': /simple/pymisp/
/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Retrying (Retry(total=2, connect=None, read=None, redirect=None)) after connection broken by 'ProtocolError('Connection aborted.', error(104, 'Connection reset by peer'))': /simple/pymisp/
/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Retrying (Retry(total=1, connect=None, read=None, redirect=None)) after connection broken by 'ProtocolError('Connection aborted.', error(104, 'Connection reset by peer'))': /simple/pymisp/
/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Retrying (Retry(total=0, connect=None, read=None, redirect=None)) after connection broken by 'ProtocolError('Connection aborted.', error(104, 'Connection reset by peer'))': /simple/pymisp/
/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Could not find a version that satisfies the requirement pymisp (from minemeld-misp==0.1b5) (from versions: )
No matching distribution found for pymisp (from minemeld-misp==0.1b5)
/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning

L7 Applicator

Hi @iThreatHunt,

are you restricting access from the VM to the Internet? It seems that the Python pip library is not able to reach the package servers.

Thanks,

luigi

L3 Networker

Yes, I allow Internet access from the MM server by URL. Could you recommend a list of URLs that must be allowed?

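A triage helper for the install failure discussed in the posts above, added here and not part of the thread or of MineMeld: it parses pip output of the kind posted (the log lines in the block are constructed from that output), separates the TCP reset on /simple/pymisp/ from the urllib3 SSL warnings that surround it, and names the hosts the default PyPI index needs (pypi.org for the index and files.pythonhosted.org for the package files). The host list assumes pip's default index URL; an internal mirror configured in pip.conf replaces it. The tcp_reachable() probe needs network access and is only called from the __main__ guard.

```python
"""Triage of a failed MineMeld extension install from pip output like the log above.

Added example, not part of the thread or of MineMeld. SAMPLE_LOG is constructed
from the posted output; PYPI_HOSTS assumes pip's default index URL (a mirror
set in pip.conf replaces that list).
"""
import re
import socket

# Hosts behind the public PyPI index (/simple/) and its package file server.
PYPI_HOSTS = ("pypi.org", "files.pythonhosted.org")

# Matches: "... connection broken by 'ProtocolError('Connection aborted.',
#           error(104, 'Connection reset by peer'))': /simple/pymisp/"
RESET_RE = re.compile(r"connection broken by .*error\((\d+), '([^']+)'\).*?: (/\S+)")
NO_DIST_RE = re.compile(r"No matching distribution found for (\S+)")
WARN_RE = re.compile(r"^(SNIMissingWarning|InsecurePlatformWarning)$")

def triage_pip_log(lines):
    """Classify pip output: network reset vs. genuinely missing package vs. nothing."""
    result = {"errno": None, "reason": None, "paths": set(),
              "missing": None, "warnings": set(), "verdict": None}
    for line in lines:
        m = RESET_RE.search(line)
        if m:
            result["errno"] = int(m.group(1))
            result["reason"] = m.group(2)
            result["paths"].add(m.group(3))
        m = NO_DIST_RE.search(line)
        if m:
            result["missing"] = m.group(1)
        m = WARN_RE.match(line.strip())
        if m:
            result["warnings"].add(m.group(1))
    # errno 104 is a TCP reset on the index request: the session was cut
    # before any TLS negotiation, so the SNI/SSLContext warnings are not the
    # cause, and "No matching distribution" is only the consequence of an
    # index page that never arrived.
    if result["errno"] == 104:
        result["verdict"] = "egress blocked: allow HTTPS to %s" % ", ".join(PYPI_HOSTS)
    elif result["missing"]:
        result["verdict"] = "index reachable but %s not found: check index and constraints" % result["missing"]
    else:
        result["verdict"] = "no install failure detected"
    return result

def tcp_reachable(host, port=443, timeout=3.0):
    """Live probe (needs network): can this box open a TCP session to host:port?"""
    try:
        socket.create_connection((host, port), timeout).close()
        return True
    except (socket.error, OSError):
        return False

# Constructed excerpt modelled on the output posted above.
SAMPLE_LOG = """\
Collecting pymisp (from minemeld-misp==0.1b5)
/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform.
SNIMissingWarning
/opt/minemeld/engine/0.9.44/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available.
InsecurePlatformWarning
Retrying (Retry(total=4, connect=None, read=None, redirect=None)) after connection broken by 'ProtocolError('Connection aborted.', error(104, 'Connection reset by peer'))': /simple/pymisp/
Retrying (Retry(total=0, connect=None, read=None, redirect=None)) after connection broken by 'ProtocolError('Connection aborted.', error(104, 'Connection reset by peer'))': /simple/pymisp/
Could not find a version that satisfies the requirement pymisp (from minemeld-misp==0.1b5) (from versions: )
No matching distribution found for pymisp (from minemeld-misp==0.1b5)
""".splitlines()

if __name__ == "__main__":
    report = triage_pip_log(SAMPLE_LOG)
    print("errno=%s reason=%s paths=%s" % (report["errno"], report["reason"], sorted(report["paths"])))
    print("verdict: %s" % report["verdict"])
    for host in PYPI_HOSTS:
        print("%s:443 reachable: %s" % (host, tcp_reachable(host)))
```

Running it on the box that fails shows which of the two hosts the egress rule is still cutting; once both probes return True, re-activating the extension should get past "Collecting pymisp".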
L3 Networker

SSL Warnings

urllib3 will issue several different warnings based on the level of certificate verification support. These warnings indicate particular situations and can be resolved in different ways.

  • InsecureRequestWarning
    This happens when a request is made to an HTTPS URL without certificate verification enabled. Follow the certificate verification guide to resolve this warning.
  • InsecurePlatformWarning
    This happens on Python 2 platforms that have an outdated ssl module. These older ssl modules can cause some insecure requests to succeed where they should fail and secure requests to fail where they should succeed. Follow the pyOpenSSL guide to resolve this warning.
  • SNIMissingWarning
    This happens on Python 2 versions older than 2.7.9. These older versions lack SNI support. This can cause servers to present a certificate that the client thinks is invalid. Follow the pyOpenSSL guide to resolve this warning.