Koen Van Impe
@cudeso
v2.4.119
Andras Iklody
@iglocska
it should be on the add attribute view
but it was recently refactored
maybe we broke it
if you're not seeing it there
I'll have a look tonight after the meetings I'm in ;)
Koen Van Impe
@cudeso
Thanks. I tried via add attribute; it's not there. It's a fresh (demo) install.
Andras Iklody
@iglocska
ok will have a look, that sucks
confirmed
works on previous
not on current
poornenduan
@poornenduan
@iglocska Hi Andras, thanks for your message. I am trying to get all the events from MISP B (ORGB) into my instance (ORGA - MISP A) so that we could integrate the intelligence of both instances.
poornenduan
@poornenduan
  1. The user from ORGA is assigned as a sync user in the ORGB - MISP B server.
  2. There are no pull filters configured in the new server (MISP A) set up by me (ORGA) for the sync.
  3. Since MISP B is of a different org (ORG B) they have not set up any jobs for the sync user.
  4. I have logs of data being pulled from ORG B, and I have no failed jobs for the pull - however the information retrieved is not up to date. MISP B has events created today (2020-01-14), but the data we pull is dated sometime back in 2019.
I would like to know if the new server setup is supposed to let me see everything from the MISP B instance instantly.
Also, the sync user in MISP B from ORG A is an admin in MISP A. Just FYI.
I had done a manual pull (click on the down arrow button when the server was set up) which took more than 3 days and was still at 19%. I had purged that job, but I am not sure if that job is killed. So the pull happening may be that job working in the background. I tried to set up a cron job to pull the server feeds using the commands given in the automation page, which resulted in an error stating that the mysql flag is set to read only - SQLSTATE[HY000]: General error: 1290 The MySQL server is running with the --read-only option so it cannot execute this statement @iglocska
Koen Van Impe
@cudeso
Good morning! Any suggestions on how to best handle this situation? TI data is provided via a STIX feed, not coming from MISP, and to >200 orgs. MISP will replace the platform, but in the meantime STIX data should still remain available. STIX export from MISP is slow, so having 200 users connect via the REST API and download STIX will likely kill the machine. Besides preparing the export via scheduled jobs, I didn't immediately see an option.
Andras Iklody
@iglocska
hmm interesting, indeed the STIX libraries are bloody slow with the conversion, so if you have to do it over and over that's nasty
perhaps a solution that would require some glue, but I am not 100% sure how feasible that would be:
use the feed generator to generate a MISP feed -> loop through the generated events and feed them to the STIX converter
and host that
STIX 1 I guess, right?
  1. The user from ORGA is assigned as a sync user in the ORGB - MISP B server.
  2. There are no pull filters configured in the new server (MISP A) set up by me (ORGA) for the sync.
  3. Since MISP B is of a different org (ORG B) they have not set up any jobs for the sync user.
  4. I have logs of data being pulled from ORG B, and I have no failed jobs for the pull - however the information retrieved is not up to date. MISP B has events created today (2020-01-14), but the data we pull is dated sometime back in 2019.

I had done a manual pull (click on the down arrow button when the server was set up) which took more than 3 days and was still at 19%. I had purged that job, but I am not sure if that job is killed. So the pull happening may be that job working in the background. I tried to set up a cron job to pull the server feeds using the commands given in the automation page, which resulted in an error stating that the mysql flag is set to read only - SQLSTATE[HY000]: General error: 1290 The MySQL server is running with the --read-only option so it cannot execute this statement @iglocska

woah ok, the cron job error is weird.

for the job that lasted 3 days at 19% - it probably died very quickly (at 19% of the process).
the job view is more of a log, so it's the last known state of the job
the error / worker error logs should have more information
Steffen Sauler
@SHSauler
image.png
Andras Iklody
@iglocska
rofl
poornenduan
@poornenduan
Hi guys, Do you know if it is possible to pull data only for a certain time period for the server pull in MISP? Like my instance wants to pull data from within the last 3 months in another instance.
Sascha Rommelfangen
@rommelfs
It’s a recent feature request you can find in the GitHub issues
Feel free to add your ideas or implementation
Koen Van Impe
@cudeso
@poornenduan Depending on your use case you can also implement this in PyMISP. See this example https://github.com/MISP/PyMISP/blob/master/examples/last.py
huntercrack
@huntercrack

Hi!!, I would like to ask you if it is possible to synchronize events between two instances of MISP, but with that synchronization limited to a range of dates and not by a tag, since the tag brings me events from more than 2 years ago.

Cheers

Sascha Rommelfangen
@rommelfs
No, there is an open feature request for that. Since this is the development room, I invite you to implement the feature ;)
Abel Luck
@abeluck
Hi folks, I see that MISP has PostgreSQL schema files in its repo. Is PostgreSQL supported?
poornenduan
@poornenduan
@cudeso Thanks for the input.
Sami Mokaddem
@mokaddem
@abeluck Some of the features are built with databases other than MySQL in mind, but I cannot guarantee that using PostgreSQL will work out of the box.
Robert Nixon
@robertnixon2003
I am seeing some errors after the latest pull (timeline).
On the update progress tab:
ALTER TABLE `attributes` DROP INDEX last_seen
Issues executing the SQL query for `seenOnAttributeAndObject`. The returned error is:
SQLSTATE[42000]: Syntax error or access violation: 1091 Can't DROP 'last_seen'; check that column/key exists
It is also stuck here:
Update 6 ALTER TABLE attributes ADD COLUMN [...] Started @ 2020-01-21 19:08:25 Elapsed Time @ 19:16:09
Robert Nixon
@robertnixon2003
Never mind, it is working.
eCrimeLabs
@eCrimeLabs
After updating PyMISP I get this error, anyone seen a similar one?
python3
Python 3.5.3 (default, Sep 27 2018, 17:25:39)
[GCC 6.3.0 20170516] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pymisp
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/var/www/MISP/PyMISP/pymisp/__init__.py", line 28, in <module>
    from .abstract import AbstractMISP, MISPEncode, pymisp_json_default, MISPTag, Distribution, ThreatLevel, Analysis  # noqa
  File "/var/www/MISP/PyMISP/pymisp/abstract.py", line 111
    self.__edited: bool = True  # As we create a new object, we assume it is edited
                 ^
SyntaxError: invalid syntax
eCrimeLabs
@eCrimeLabs
Think I spotted the issue: Python 3.5.3
Sami Mokaddem
@mokaddem

Never mind, it is working.

Hey, could you have a look at the database schema (/servers/dbSchemaDiagnostic) just to be sure that everything is correct and you are not missing indexes? Thanks a lot!

@robertnixon2003
cyberreaper
@frantz2501
Hi,
I have an issue with the galaxies matrix: I modified the branded_vulnerabilities JSON files (galaxy and cluster) to fit my needs. I got the matrix running on my test instance. When I copy/paste it onto my working instance, it imports well but I lose the matrix display; I have only the list display. How is the matrix display set up?
Sami Mokaddem
@mokaddem

@frantz2501 maybe have a look at these slides, starting from slide 14.
https://www.misp-project.org/misp-training/3.2-misp-galaxy.pdf

You can also have a look at an example:

Do not hesitate if you have any other questions.

cyberreaper
@frantz2501
@mokaddem thanks for answering. Yes, I used these docs and I managed to have it work properly on a first instance, BUT it switches to the classical list on another instance. I kept the branded_vulnerability.json name because otherwise the galaxy is not loaded properly.