Activity
  • Aug 05 2019 13:38
    New CIRCL OSINT: Phishing collection (via URLabuse service)
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - DarkHydrus delivers new Trojan that can use Google Drive for C2 communications
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - [Emerging] FIN7 JScript Loader Malware
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - A journey to Zebrocy land
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - Felipe, a new infostealer Trojan
  • Aug 05 2019 13:38
    New CIRCL OSINT: Kaspersky Lab: Spearphishing attack hits industrial companies
  • Aug 05 2019 13:38
    New CIRCL OSINT: 2019-07-18: Newer "PoSeidon" aka "FindPOS" aka "FindStr" 15.10 Point-of-Sale Malware
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - Repository containing original and decompiled files of TRISIS/TRITON/HATMAN malware
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - Very nasty Linux backdoor with multiple components
  • Aug 05 2019 13:38
    New CIRCL OSINT: Targeted phishing - PDF documents / phishkit
  • Aug 05 2019 13:38
    New CIRCL OSINT: 2019-03-08: TerraLoader Signed -> JS RAT
  • Aug 05 2019 13:38
    New CIRCL OSINT: IoT malware - Gafgyt.Gen28 (active) - 20190220 - 20190222
  • Aug 05 2019 13:38
    New CIRCL OSINT: Shamoon potential samples
  • Aug 05 2019 13:38
    New CIRCL OSINT: Turla Outlook White Paper
  • Aug 05 2019 13:38
    New CIRCL OSINT: Blog Post: EMOTET INFECTION WITH ICEDID
  • Aug 05 2019 13:38
    New CIRCL OSINT: US-CERT Alert (TA18-149A) HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - Turla renews its arsenal with Topinambour
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - .sg domain used to host malware
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - SWEED: Exposing years of Agent Tesla campaigns
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques
Emthigious
@emthigious:utwente.io
[m]
Should I repost?
andras
@andras:matrix.circl.lu
[m]
All good, works on either channel 😎
In *
shible vich
@shiblovich
Hi,
I can't send any message from MISP.
Error in log: The message could not be sent.
Does anyone have an idea?
Phạm Duy Việt
@duyviet21
Hello everyone, I am doing a research project on MISP and its application in network attack detection. Currently, I have not thought of a test scenario to clarify the ability of MISP to detect network attacks. Can anyone help me?
andras
@andras:matrix.circl.lu
[m]
That’s not what MISP is for though
It will not detect anything for you, it’s a TIP / sharing platform
Phạm Duy Việt
@duyviet21
Thank you sir, maybe my teacher didn't understand what the purpose of MISP is.
Phạm Duy Việt
@duyviet21
One more question sir: when I create an event and share IOCs with organizations or communities, how are the IOCs handled? Thank you sir.
andras
@andras:matrix.circl.lu
[m]
The IoCs are propagated to other communities’ instances, where eligible users and/or tools can vote or programmatically retrieve the data
It can be used to automatically feed tools that will then use it for detecting/blocking/hunting/analysis/correlation/notifications
Phạm Duy Việt
@duyviet21
thank you so much sir
andras
@andras:matrix.circl.lu
[m]
No worries at all!
puneet khandelwal
@Sh4kt1MA4n_twitter
Hi everyone, when a feed is disabled in the MISP UI, does it delete all the historical data related to it in the UI or backend automatically, or do we have to do it manually? If it is manual, what is the way to delete the data for that feed? Thank you!
puneet khandelwal
@Sh4kt1MA4n_twitter
Hi everyone, I disabled multiple feeds and deleted the event IDs corresponding to these. I then checked in the UI for the number of attributes and there were a lot fewer entries. However, when I checked the DB in the backend, the size of the tables didn't reduce. For the 'attributes' table the size in fact increased. I don't understand why. Can someone please explain this? Thank you!
andras
@andras:matrix.circl.lu
[m]
MySQL doesn’t reclaim the space for you
Optimize can help
puneet khandelwal
@Sh4kt1MA4n_twitter
Hi everyone, how can we set a retention period of x number of days in MISP for a feed with a fixed event or with no fixed event? In my case I want to see only IOCs for the last 30 days but I am not sure how I can remove the IOCs which are older than that from a feed. I don't want to do this manually, so I would like to know if there is a way to set it in the UI or backend. Thank you!
abe ohone
@abe101_twitter
Hi folks, this might be an easy noob fix. I'm testing the VM from circl.lu in VirtualBox and it launches to a full screen terminal (no desktop or web access). I checked the www/misp directory, and there is no index file. Also, checking the Apache logs, I see errors that I don't fully understand:
2022-07-12 03:10:22 Error: [BadRequestException] The request has been black-holed
Request URL: /users/login, and
2022-07-12 03:10:10 Error: [MissingControllerException] Controller class Controller could not be found.
Exception Attributes: array (
'class' => 'Controller',
'plugin' => NULL,
)
dragsu
@dragsu
G'day, does anyone know, when you configure a MISP feed with source format "MISP Feed", whether the events are always published, or whether that is something controlled by the publisher (i.e. you can get both published and unpublished events from the publisher side)?
dragsu
@dragsu
Ok by looking at https://www.circl.lu/doc/misp/feed-osint/0e887f03-5aa2-4a7b-b0f7-66208c6c657b.json and https://www.circl.lu/doc/misp/feed-osint/5a3a5924-eddc-4d5c-9d5e-4de7950d210f.json for source format "MISP Feed", it is based on what is in the event (the first event is published and the other event is unpublished). I think doco confirms that too.

The feeds can be in three different formats:
MISP standardized format which is the preferred format to benefit from all the MISP functionalities.
CSV format, allowing you to pick the columns that are to be imported.
freetext format which allows automatic ingestion and detection of indicator/attribute by parsing any unstructured text.

Jeroen Pinoy
@Wachizungu
Hi all,
could anyone tell me what the main/original source is for the disposable email domains warninglist?
richard_von
@richard_von:matrix.org
[m]
Simple question. Is MISP identical to Open Threat Exchange (OTX)?
If not, then what's the big difference between them (excluding the number of users)?
richard_von
@richard_von:matrix.org
[m]
Are there any list of sharing groups that anyone can join to practice on in their personal misp lab?
anierudh
@anierudh
Hi Team
After integrating MISP feeds with Splunk, I am facing an issue.
When I try to fetch the last 1 day of data from MISP, it is not giving me any result, even though there is data for the current day. But if I give the last 30d it is giving data from old ones to new ones.
The search I tried on the Splunk side: |mispgetioc misp_instance=instance name last=30d to_ids=t geteventtag=t pipesplit=t type="ip-dst, ip-src, domain|ip" limit=0
What I feel is that I am not sure whether it is a problem with the "last" parameter.
Is it a problem on the Splunk side or the MISP side?
If it is a problem on the MISP side, how do I rectify it, or vice versa?
The MISP version I am using is 2.4.161
anierudh
@anierudh
Hi Team
Any solution for the above problem?
richard_von
@richard_von:matrix.org
[m]
Aside from this https://www.circl.lu/services/misp-training-materials/
Are there any tutorials for making my lab close to how CTI analysts work in real life, especially ones with better subtitles and audio?
anierudh
@anierudh
Hi Team
After integrating MISP feeds with Splunk, I am facing an issue.
When I try to fetch the last 1 day of data from MISP, it is not fetching any result, even though there is data for the current day. But if I give the last 30d it is giving data from old ones to new ones.
The search I tried on the Splunk side: |mispgetioc misp_instance=instance name last=30d to_ids=t geteventtag=t pipesplit=t type="ip-dst, ip-src, domain|ip" limit=0
What I feel is that I am not sure whether it is a problem with the "last" parameter.
Where can we find the configuration related to MISP feed pull parameters (number of days of data that MISP can fetch and that can be seen in Splunk) in the backend of the MISP server?
The MISP version I am using is 2.4.161
iglocska
@andras:matrix.circl.lu
[m]
Yeah last is most likely the issue. You can use publish_timestamp or timestamp depending on which data point you want to use
Timestamp: last time data was modified by the source
Publish_timestamp: last time the event was published on your instance (via for example a sync/feed pull)
Alternatively, if you are using attributes/restsearch
You have 3 datapoints:
Timestamp: when was the attribute created/modified
publish_timestamp: when was the event containing the attribute last published on your instance (when was it fetched/synced)
event_timestamp: when was the container event last modified by the source
anierudh
@anierudh
So does this need to be changed on the Splunk side or the MISP side?
iglocska
@andras:matrix.circl.lu
[m]
Splunk side
It’s the query it uses to fetch data from MISP
anierudh
@anierudh
Got it, thanks. One more doubt: if there are multiple instances, we need to do it manually for all of them, right? Or if we don't have access to a specific instance, the only way is to give them the changed query, right?
gabriellaatkins29
@gabriellaatkins29
Dear team,

Currently we are conducting testing vis-à-vis sharing groups. During testing it was revealed that when creating a sharing group from a local instance (MISP Instance 1) and giving access to an organisation in a remote instance (MISP Instance 2), if an Admin or sync user is in that remote organisation, they have the right to edit the sharing group and add other organisations to that sharing group. This is done without ticking the extend checkmark, which is contradictory to what is written in the MISP manual, which states that this option needs to be ticked in order to do so.

Could you kindly guide us on whether we are missing any configuration or other details to help us work around this issue?
iglocska
@andras:matrix.circl.lu
[m]
No, that is correct. Admins are able to override all acl on the system. Keep in mind that it is assumed that admins are purely used as administrative users, who normally also have shell access to the system, and as such would be able to tamper with sharing groups anyway by modifying the database.
gabriellaatkins29
@gabriellaatkins29
Hi Andras, understood. I have two more questions which I would like to run by you.

1) Will the original instance (local) from which the sharing group was created be notified if any modifications are made to the sharing group on the secondary instance (remote)?
2) From testing it was revealed that if a remote organisation which has an admin in it is added to a sharing group, synced and received events, and the creator on the local instance then decides to remove that particular organisation from the list, the admin can still schedule a pull request and receive any new events which are created. Is this still supposed to happen after removing the organisation from the sharing group list of the creator of the sharing group?
puneet khandelwal
@Sh4kt1MA4n_twitter
Hi everyone, how can we set a retention period of x number of days in MISP for a feed with a fixed event or with no fixed event? In my case I want to see only IOCs for the last 30 days but I am not sure how I can remove the IOCs which are older than that from a feed. I don't want to do this manually, so I would like to know if there is a way to set it in the UI or backend. Thank you!
John F
@JohonJ
Hello everybody, does anyone have experience with integrating MISP and NIEM?
Bruno Agostinho
@brunoagostinho_twitter
Hi, good afternoon. Is there some JSON repository to create Widgets?
I'm looking to create a dashboard with top shared IOCs (like a TOP 10)
joya95
@joya95:matrix.org
[m]
Hello, good afternoon. For security reasons I'm considering not connecting a mail server to MISP. Are there any problems that I might encounter with this decision?
adulau
@adulau:matrix.circl.lu
[m]
Just the email notifications for passwords, or the email MFA feature if you want to use it, won’t be possible. But this doesn’t impact the operation of MISP.