Andras Iklody
@iglocska
replace the name "community" with server
cybgit
@cybgit
yeah, I've used instance as in MISP instance = MISP server
Andras Iklody
@iglocska
there is one caveat - main reason we call it a community
you can connect more than one server to act as a community
using the internal server sync setting
that blocks the downgrade of distribution levels during the sync
so community only on internal instance A will become community only on internal instance B
cybgit
@cybgit
ok cool
.
@Yosolo2010_twitter
Has anyone used the Crowdstrike integration module with their instance? I inputted my query API key and user, created a hash of a known file, and input it as an event. I have the IDS checked for the event, but I am not receiving any feedback from MISP or Crowdstrike that it sees the hash. Can anyone help?
Joao Paulo A. F.
@JoaoPauloF

Hello guys! I would like to know if someone could help me.

I am trying to integrate MISP with iDefense, from Accenture. Does anyone know how to do that? Or has anyone faced a similar integration?

𝙢𝙞𝙡𝙖𝙣𝙣 𝙎𝙃𝙍𝙀𝙎𝙏𝙃𝘼 大修
@x0verhaul_twitter
Heard about the Recorded Future and MISP integration.
How can I add it as a sync server with my instance? Any insight?
Haj33
@Haj33

Hi All,

I am planning to subscribe to the MISP Project open source threat intelligence.
Can anyone please share with me the prerequisites, any technical documents, or any reference URLs?

mrinaljindal
@mrinaljindal
Hi! I'm trying to have MISP integrated with our AWS S3 through the API. The issue is that bulky metadata has not been received yet through the API. We're receiving data depending upon the particular (manually input) event ID and passing it back from a Lambda function to S3. Can anyone share any reference or suggestions here?
dynamorichelieu
@dynamorichelieu

Hi everybody,
I am having some issues with the synchronization between two MISP instances.

Is it possible to:

  • create an event1 with an attribute1 on a MISP_A (done)
  • pull this event1 from the MISP_B (done)
  • add an attribute2 to this event1 on the MISP_B (done)
  • push this event1 back to the MISP_A (done)
  • see attribute1 and attribute2 in the event1 on the MISP_A (PROBLEM: we do not see the attribute2 in this event)

I have read on MISP/MISP#5570 that "A MISP server where an event originated (either by hand or API or import) will not accept changes made to that event by another MISP server. This is by design to avoid remote servers to mess with local data."

But is there no way at all to synchronize two MISP instances?

Andras Iklody
@iglocska
this is correct
MISP_A is blocking any changes
to events that were created there locally
it's the tamper protection
elmanoferrer
@elmanoferrer

Hi,

I am developing a project to implement MISP and I would like to know if there is a suggested minimum setup size for using MISP in production.
I believe that using the MISP-sizer should be the best option, but I cannot understand the "Number of users" and "number of attributes" fields. Could anyone help with this?
Number of users = should be people + integrated systems?
Number of attributes/Field values = ????

Abhinav Singh
@AbhinavSingh3_twitter
@elmanoferrer you can proceed with a normal setup. Likewise, I am going with an Ubuntu 18.04 with the default config we get in AWS, just added some more storage, from the default 8 GB to 30 GB. MISP works with minimal specs.
adulau
@adulau:matrix.circl.lu
MISP Training - CTI introduction in French - 25th February 14:00-16:30 https://twitter.com/MISPProject/status/1356546190070996992
Jason Zhang
@cyberML
Help - we are going to set up MISP in GCP, with MISP installed on GCE and the database on Cloud SQL, respectively. Does anyone have any experience with this setup, and what are the recommended instance specifications for GCE and Cloud SQL for a moderate number of attributes (< 5M)? We don't have a $1M budget for it ;-) Thanks a lot for any help!! BTW, I am aware of the sizer page https://www.misp-project.org/MISP-sizer/, but this is for installing the MISP app and DB on the same instance, I guess.
adulau
@adulau:matrix.circl.lu
I would strongly avoid saving external files in the DB in any case. There are many reasons to keep those files external. As usual, the backup process for malicious files should be separated. It's also easier to clearly separate A/V scanning processes. And performance-wise for the DB, it's also more efficient.
Jason Zhang
@cyberML
Thanks adulau! Agree with you. Is it possible to save the attachments to Google Cloud Storage directly? (I notice there is a guide on saving into S3 buckets: https://misp.github.io/MISP/CONFIG.s3-attachments/ )
Andras Iklody
@iglocska
Not really. Basically our options are: anything that is pathable locally on your system (so that could be a mounted network share) or S3 in particular as that has its own integration
letsgetraw
@letsgetraw
Hi,
Is there a way to add device profiling to MISP via PyMISP or external libraries? In terms of tracking devices which sent any kind of requests to a MISP instance.
I want to implement MISP on several devices and have sort of a graphical display of the different devices sending requests to the remote MISP server.
andras
@andras:matrix.circl.lu
Sadly not, we never use GCP afaik
Jason Zhang
@cyberML
OK, never mind. Thanks.
letsgetraw
@letsgetraw
Hi!
Once again I am having a question, this time regarding threat/vulnerability propagation. Is there a module or feature to display propagation of vulnerabilities in MISP? Example: Device A has a reported vulnerability enabling the adversary to get access to Device B. Without compromising Device A, Device B wouldn't be affected either. Is there a module/feature to display such connection in MISP? A simple workaround would be to add comments to respective events, but I was looking for a more figurative presentation. I hope it is understandable. Thanks in advance!!!
Jeroen Pinoy
@Wachizungu
Not a huge deal, but just wanted to report for awareness:
Trying to view the event with UUID 5e7b5e21-1128-4efd-a5d7-0b48595a4619 on the covid community MISP gives the error below:
Fatal Error
Error: Allowed memory size of ******* bytes exhausted (tried to allocate 20480 bytes)
File: /var/www/MISP/app/Model/Event.php
Line: 5028

Notice: If you want to customize this error message, create app/View/Errors/fatal_error.ctp
Andras Iklody
@iglocska
will have a look in a jiffy, sounds like a massive event and that instance isn't exactly overflowing with memory ;)
joker2013
@joker2013
Hi
The problem of starting OTX-MISP https://github.com/gcrahay/otx_misp
Error: 'TypeError' object has no attribute 'message'
Drupad Soni
@Drupad8140_twitter

Hello People,

I have a query,

How to push feeds from intelmq to MISP?

I have attached the MISP output feed and I have added the feed in MISP with all the required details, but I am not able to see any feeds in MISP. Please suggest.

adulau
@adulau:matrix.circl.lu
https://twitter.com/MISPProject/status/1393141380369821697 - On the 15th May 2011, a first version of MISP was released. We are celebrating our first 10 years birthday as the leading open source project for information and intelligence sharing. Thanks to all the people and organisations who support us. #opensource #infosec #DFIR #CTI
Drupad Soni
@Drupad8140_twitter
Guys, has anyone worked on pushing feeds to ELK from MISP?
PLEASE GUIDE
Drupad Soni
@Drupad8140_twitter
Where does MISP store all events in the file directory?
I want to give the path in Filebeat for pushing feeds to ELK.
Andras Iklody
@iglocska
They are not stored in files,
but rather in the database.
Jeroen Pinoy
@Wachizungu
Is there a recommended way to add a file / tool / (legitimate) software that was used in a malicious way to MISP?
We currently add it as an attachment with the malware sample checkbox ticked so we have hashes etc. for correlations. Then we add a custom tag to say it's not malware. Somehow it feels like there should / might be a cleaner way.
cybgit
@cybgit
Is it a known bug that when searching on the events page (filter top right) you can't put in a URL that contains a path? It returns an Apache error. Is this going to be fixed, do we know, or is there a workaround?
Passimist
@Passimist
Hi, I've got a question on the sync mechanisms:
When my MISP instance provides a sync user to an external instance for them to pull events from my instance, do I understand right that I can't influence (like tag blacklisting) what events and attributes the external MISP will pull?
Does setting MISP.unpublishedprivate at least prevent the external MISP from pulling unpublished events?
Koen Van Impe
@cudeso
Hi all. Does anyone have pointers for "high level" "threat intelligence sharing policies". I have an idea of what needs to be covered but instead of starting from scratch I'd prefer to build on something that's already out there (apologies for cross-posting with FIRST-channels).
V.
@Vilius_twitter

Is it a known bug that when searching on the events page (filter top right) you can't put in a URL that contains a path? It returns an Apache error. Is this going to be fixed, do we know, or is there a workaround?

MISP/MISP#7478 - similar; I found it in feeds some time ago. Seeing the pile of unresolved issues, I think finding out how to fix it properly, and then contributing, is the fastest way to a resolution :)

Passimist
@Passimist
Hi, can someone tell me what the client certificate in the sync servers is used for? What is its purpose? Can I configure the remote MISP to only accept connections with certain client certificates?
adulau
@adulau:matrix.circl.lu
Virtual MISP Summit 0x06 - Thursday 21st October 2021.
Registration is now open.
Do you want to present or show how you use MISP? The call for papers is also open. #ThreatIntel #OpenSource #CTI See you there!
https://misp-project.org/misp-summit/
E6DUchiha
@E6DUchiha
Hello everyone, I hope that you are doing well!
I would like you to help me, please, with the synchronization process between two instances of MISP. I tried the documentation, the GitHub issues, and the forums, but I couldn't arrive at any positive results! So, if anyone has an idea or has already been through this process, please let me know.
Jeroen Pinoy
@Wachizungu
@E6DUchiha it would be nice if you mentioned which issue(s) you encountered and what your setup is (are you syncing between your own two instances or not, etc.)
adulau
@adulau:matrix.circl.lu
Live stream of the MISP Summit 0x06 https://www.youtube.com/watch?v=zLX-ykn57uQ