Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • May 27 19:55
    sholland-bamboohealth labeled #8411
  • May 27 19:55
    sholland-bamboohealth labeled #8411
  • May 27 19:55
    sholland-bamboohealth opened #8411
  • May 27 19:55
    sholland-bamboohealth opened #8411
  • May 27 17:15
    ryan-niemes-helix commented #8410
  • May 27 17:15
    ryan-niemes-helix commented #8410
  • May 27 14:29
    whirlwind110 starred MISP/MISP
  • May 27 14:00
    rickhenderson starred MISP/MISP
  • May 27 12:30
    fukusuket commented #16
  • May 27 10:40

    Rafiot on main

    Explicit slowsearch parameter i… Merge pull request #16 from fuk… (compare)

  • May 27 10:40
    Rafiot closed #16
  • May 27 10:40
    Rafiot commented #16
  • May 27 09:25
  • May 27 03:48
    woodonggyu starred MISP/misp-modules
  • May 26 18:46
    github-germ commented #8407
  • May 26 18:46
    github-germ commented #8407
  • May 26 18:45
    github-germ commented #8409
  • May 26 18:45
    github-germ commented #8409
  • May 26 17:50
    sholland-bamboohealth labeled #8410
  • May 26 17:50
    sholland-bamboohealth labeled #8410
fatsheep
@fatsheep_gitlab
Hello.
I have a question about event IDs.
Is the event ID completely unique?
If I delete an event, will that event ID be used again?
Raphaël
@raph:matrix.circl.lu
[m]
They are unique on a single MISP instance and won't be reused if you delete an event
if you synchronize your events, an other instance can have an event ID you deleted on your own instance.
What will always be unique is the UUID of an event
fatsheep
@fatsheep_gitlab
@raph:matrix.circl.lu
Well noted with thanks
Jeroen Pinoy
@Wachizungu
Hey. When a user tries to use Authkey from a remote IP that is not allowed by the key, the used IP is not logged. Is there a specific reason for that?
Andras Iklody
@iglocska
that seems to be an oversight
Jeroen Pinoy
@Wachizungu
okay thx for confirming will check if I can do a PR for that in a while
subramanyamanoj
@subramanyamanoj
Is there a way to tag an indicator at MITRE Tactic level (e.g TA0011) rather than at the technique level (e.g T1071) as i dont see tactics part of the galaxy ? If yes, any recommended tagging format ?
Anders Einar (Kagee)
@hildenae:matrix.org
[m]
Oh now, there was a typo in my first commit to MISP 😢
Anders Einar (Kagee)
@hildenae:matrix.org
[m]
(weird, i am sure i copied it directly from a running instance that was working)
Andras Iklody
@iglocska
no worries
it happens ;)
r0sier
@r0sier
Hi team! Trying to use import STIX via the UI. Get presented with 'Could not import STIX document' which seems to be a non syntax related issue as any errors in the JSON would normally return 'Could not import STIX document: Issues executing the ingestion script or invalid input. Please check whether the dependencies for STIX are met via the diagnostic tool.'. Nothing at all within exec-errors.log. I validated the STIX files with the STIX2Validator too and no issues. Any ideas? Was working fine until recently, so I've probably messed around with the wrong thing! Diagnostic tool reports no issues either
r0sier
@r0sier
Issue was you cant import a STIX bundle, delete the event, and re-import without changing the bundle UUID. Not too sure if thats expected.. We were testing hence deleting and re-importing
Anders Einar (Kagee)
@hildenae:matrix.org
[m]
A better error message would probably be useful
subramanyamanoj
@subramanyamanoj
Is this a right format for MITRE galaxy tag as i see this in some of recent feeds ? The technique doesnt have the name but just the code itself. (Eg: misp-galaxy:mitre-attack-pattern=“T1566.002”) ?
1 reply
Anders Einar (Kagee)
@hildenae:matrix.org
[m]
I see that 2.4.144 is tagged ?
1 reply
(loved the birtday logo in .143 btw)
To bad my users didn't see it since we don't use the login form
Andras Iklody
@iglocska
yeah 2.4.144 is tagged, blog post should be out today
yeah that's a bummer :(
Anders Einar (Kagee)
@hildenae:matrix.org
[m]
@coolacid: Bump to 2.4.1.44? :D
Stefano Ortolani
@ostefano
Is there a reason why creating a MISP feed with pyMISP (https://github.com/MISP/PyMISP/tree/main/examples/feed-generator) creates a file called hashes.csv? How is that file used? My understanding is that it keeps a mapping between hash of each attribute and the event. What is the reason for that?
andras
@andras:matrix.circl.lu
[m]
When you "cache" a feed
it will only ingest that file
rather than parsing the manifest -> then each individual event.json
and hashing all attribute values
it front-loads that task rather than letting all clients ingesting the feed calculate the hashes
Anders Einar (Kagee)
@hildenae:matrix.org
[m]
    private function getOrDef($variable, $default) {
        if (Configure::check($variable)) {
            return Configure::read($variable);
        }
        return $default;
    }
I wronte the following wrapper as part of my code, to be able the read config variables with a default value. Does a function like this exsists already that i did not find ?
Anders Einar (Kagee)
@hildenae:matrix.org
[m]
:point_up: Edit: I wrote the following wrapper as part of my code, to be able the read config variables with a default value. Does a function like this exsists already that i did not find ?
andras
@andras:matrix.circl.lu
[m]
there's Controller::getSetting($setting_name)
sorry ServersController*
    public function getSetting($setting_name)
    {
        $setting = $this->Server->getSettingData($setting_name);
        if (!empty($setting["redacted"])) {
            throw new MethodNotAllowedException(__('This setting is redacted.'));
        }
        if (Configure::check($setting_name)) {
            $setting['value'] = Configure::read($setting_name);
        }
        return $this->RestResponse->viewData($setting);
    }
the advantage of this is it loads the setting definition too
and if no setting is set, it shows the assumed default value
output for MISP.osuser on my machine:
{
    "level": 0,
    "description": "The Unix user MISP (php) is running as",
    "value": "www-data",
    "errorMessage": "",
    "test": "testForEmpty",
    "type": "string",
    "name": "MISP.osuser"
}
it's a value that is not set, so it defaults to www-data
baseurl:
{
    "level": 0,
    "description": "The base url of the application (in the format https:\/\/www.mymispinstance.com or https:\/\/myserver.com\/misp). Several features depend on this setting being correctly set to function.",
    "value": "http:\/\/localhost:5000",
    "errorMessage": "The currently set baseurl does not match the URL through which you have accessed the page. Disregard this if you are accessing the page via an alternate URL (for example via IP address).",
    "test": "testBaseURL",
    "type": "string",
    "name": "MISP.baseurl"
}
Anders Einar (Kagee)
@hildenae:matrix.org
[m]
And I can call that from my authcomponent?
andras
@andras:matrix.circl.lu
[m]
ah no.
you'll need your own function there indeed
but I'd copy the logic of this
Server->getSettingData() you can access from the authcomponent if I am not mistaken
via
$server = ClassRegistry::init('Server');
$setting = $server->getSettingData($foo);
Anders Einar (Kagee)
@hildenae:matrix.org
[m]
And to add setting data I would add it to server.php around line ... 4525 😯