Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
  • Aug 05 2019 13:38
    New CIRCL OSINT: Phishing collection (via URLabuse service)
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - DarkHydrus delivers new Trojan that can use Google Drive for C2 communications
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - [Emering] FIN7 JScript Loader Malware
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - A journey to Zebrocy land
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - Felipe, a new infostealer Trojan
  • Aug 05 2019 13:38
    New CIRCL OSINT: Kaspersky Lab: Spearphishing attack hits industrial companies
  • Aug 05 2019 13:38
    New CIRCL OSINT: 2019-07-18: Newer "PoSeidon" aka "FindPOS" aka "FindStr" 15.10 Point-of-Sale Malware
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - Repository containting orignal and decompiled files of TRISIS/TRITON/HATMAN malware
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - Very nasty Linux backdoor with multiple components
  • Aug 05 2019 13:38
    New CIRCL OSINT: Targeted phishing - PDF documents / phishkit
  • Aug 05 2019 13:38
    New CIRCL OSINT: 2019-03-08: TerraLoader Signed -> JS RAT
  • Aug 05 2019 13:38
    New CIRCL OSINT: IoT malware - Gafgyt.Gen28 (active) - 20190220 - 20190222
  • Aug 05 2019 13:38
    New CIRCL OSINT: Shamoon potential samples
  • Aug 05 2019 13:38
    New CIRCL OSINT: Turla Outlook White Paper
  • Aug 05 2019 13:38
    New CIRCL OSINT: Blog Post: EMOTET INFECTION WITH ICEDID
  • Aug 05 2019 13:38
    New CIRCL OSINT: US-CERT Alert (TA18-149A) HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - Turla renews its arsenal with Topinambour
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - .sg domain used to host malware
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - SWEED: Exposing years of Agent Tesla campaigns
  • Aug 05 2019 13:38
    New CIRCL OSINT: OSINT - Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques
Sascha Rommelfangen
@rommelfs
That instance is the source of the public feed, however, the public feed only has TLP:White information
much more to discover ;)
info@circl.lu for requests
cybgit
@cybgit
Hey, real noob question i know, but im trying to get my head around communities and organisations. ORgs are different organisations on the same misp instance right and a community is external/other misp instances? If so, what is This community which you can select when creating an event. Does that mean all organisations on the same instance can see that event?
cbboggs
@cbboggs
the distribution level is kind of a proximity/hop based sharing mechanism. A "community" only exists in practice by other MISP instances being set up to sync to one another.
or by allowing a user assigned to another org to actually directly access the misp instance (i.e. a normal user account).
well, I'm afraid my attempts to simplify may only confuse further lol
it took me nearly a year of trying to use this in practice between a few different orgs to really understand, haha
cbboggs
@cbboggs
and I've even done some presentations/training on the subject at a small scale lol
cybgit
@cybgit
thanks @cbboggs I take solace in the fact its not trivial to get it.
cbboggs
@cbboggs
no problem. Ask away if you need clarification. The distribution mechanism itself is very simple in concept, but in practice when you start connecting up various instances it can get very confusing.
cybgit
@cybgit
yeah i've got that to come. There seems different ways via sharing groups, syncs, and i guess you can use tags to control what stuff is shared too, so i'll have to do a bit of testing for sure
Andras Iklody
@iglocska
correct, keep in mind that MISP networks can be interlinked through several nodes
so with tag based flow control you're just controlling the flow of data going through your instance
an example:
cybgit
@cybgit
oh dear. hahah even more to it now.
Andras Iklody
@iglocska
you (A) are connected to 2 instances, B and C
you set up a sync filter on a tag to not share anything tagged t1 to C
you share the data with distribution set to all communities
with t1 set
it reaches B
and B will happily share it with C
if they sync with each other
;)
cybgit
@cybgit
let me guess, if B doesnt have the same tag filter it will share it onward
yeah gotcha
Andras Iklody
@iglocska
so there are some tricky things
cybgit
@cybgit
I guess once you share with B you can't really control onwards distribution
So you want to be trusting your sync partners, or only sharing TLPwhite / stuff you're happy could end up anywhere
good to know.
Andras Iklody
@iglocska
well you can
cbboggs
@cbboggs
well, yes but if you don't use "All communities" misp itself will decrement the distribution. that's the simple part
Andras Iklody
@iglocska
using sharing groups
yep!
Community only is a good solution
(as long as you rely on the other party pulling rather than you pushing)
cybgit
@cybgit
arr so if i say community only, it wouldnt onwards share with C
as C wouldnt be in my community, even though its in theirs
Thanks guys. Some good points and considerations i've noted to look into more
Andras Iklody
@iglocska
B-)
the community stuff is confusing
for all intents and puroses
replace the name "community" with server
cybgit
@cybgit
yeah i've used instance as a MISP instance = MISP server
Andras Iklody
@iglocska
there is one caveat - main reason we call it a community
you can connect more than one server to act as a community
using the internal server sync setting
that blocks the downgrade of distribution levels during the sync
so community only on internal instance A will become community only on internal instance B
cybgit
@cybgit
ok cool