cbboggs
@cbboggs
all good, thanks! just trying to wrap our heads around this and kinda pilot test it
Andras Iklody
@iglocska
makes sense, if you want a sanity check or something holler!
Sami Mokaddem
@mokaddem
Have a look at issue #5836. That particular feature is described here. If you want to add something to the discussion, do not hesitate as I might implement it in batch ;)
Andras Iklody
@iglocska
ah bummer missed that
even replied to it
wow
Sami Mokaddem
@mokaddem
I guess you thought it was done already ;)
Andras Iklody
@iglocska
I totally have no recollection of us even discussing this less than 3 weeks ago haha
cbboggs
@cbboggs
oh haha now I'm remembering some discussion here on Gitter regarding that issue
I just hadn't delved into the decay stuff very much yet so it didn't stick
Andras Iklody
@iglocska
it makes a lot of sense though, switching to the last seen when available would be great
cbboggs
@cbboggs
is the retention taxonomy deprecated? I see it's referenced in the NIDS model, but if used by itself - what process is checking the tag to uncheck the IDS box per the taxonomy description?
cbboggs
@cbboggs
or is that something you have to set up yourself
dan00bielb
@dan00bielb
Hi all, I've opened the following issue for the problem: MISP/MISP#5923
any advice?
cybgit
@cybgit
@dan00bielb hey, apologies if you've already checked this, but the error message on the remote server suggests to me that not enough memory could be assigned? Have you run a top or vmstat etc. on the remote server when you try the pull job from server A? See if it's running away with memory anywhere?
dan00bielb
@dan00bielb
yes, we already tried to size the limit of the memory on the remote server on 5 GB
we're actually troubleshooting the issue too
cybgit
@cybgit
I think it read to me that it exhausted at ~500 MB.
Are you trying to pull a lot of event info? Are there any pull filters, and maybe something has been tagged incorrectly on the remote server which could be causing a ton of data to match the pull? Just throwing ideas out. Hope you sort it.
obstgit
@obstgit
Sorry if this is an "easy" question:
I want to try MISP in our local network with access to the internet but not with access from the internet. Can I install it there (without a domain etc.) and, for example, can I sync it with the CIRCL MISPPRIV instance?
Thank you in advance ;)
Jason Kendall
@coolacid
@obstgit Yes, that's a typical install method.
@dan00bielb Is the error the exact same? I would have expected the number to be different.
dan00bielb
@dan00bielb
I'd expected it too, but it seems it's the same error as before. I'll keep you updated.
Jason Kendall
@coolacid
@dan00bielb Are there any other php.ini files? Change them all, just in case. Also, which file is that screenshot from?
Dhanush794
@Dhanush794
Hi, I'm trying to install MISP into my SIEM tool "ArcSight".
Once the connector is installed, the feeds are not populating in the SIEM tool.
Can anyone suggest something?
a Stryder
@StryderScreams_twitter

Hey, I'm trying to use the CLI to enrich events using a script and some magic.
Is there any example code of a working instance of
MISP/app/Console/cake Event enrichEvent [user_id] [event_id] [modules] ?

Even when correctly formatted I end up getting the --help output from cake event.

Gregory Hall, Ph.D.
@gregoryahall
Noob question here. I've been trying to set up two instances of MISP in separate virtual machines. MISP1 is where I would publish events and I wanted MISP2 as a subscriber to receive events. I read through the documentation and added organizations, sync user, etc. I can test the connection and it all shows success. When I publish an event on MISP1, I expected it to automatically appear on MISP2. But it doesn't. Also, in the log, I see MISP1 attempt to send an email to the sync user (which naturally fails as the Ubuntu Server 18.04 VM has no email settings configured). Was I wrong in my expectation that the event would get pushed to MISP2 and automatically appear? Does an email have to be received and approved?
Sami Mokaddem
@mokaddem

@gregoryahall Your expectation is correct. If you have set up a PUSH connection from MISP1 to MISP2, events should be pushed automatically upon publishing if some criteria are met:

  • You have a working connection from MISP1 to MISP2 (can be tested with the built-in "run connection test" widget on /servers/index)
  • The role of the user owning the connection to MISP2 should be able to create data on MISP2 (it's usually the case unless you have touched the role's permissions)
  • The distribution of the event is at least Connected Communities. If it's below this distribution level, it will not be pushed.
  • The event contains at least one attribute. This is to avoid pushing meaningless empty events.
  • The pushed event is not blacklisted on MISP2 (if you have deleted the event on MISP2, it appears on a blacklist to avoid getting it again. You can clear the blacklist here: /eventBlacklists)
  • Your workers are healthy. The default behavior when publishing events is asynchronous and done by workers. You may have issues if they are not working. You can see the progress of the publish job here: /jobs/index and the health of workers here: /servers/serverSettings/workers

I might have missed something so if the PUSH connection still doesn't work for you after checking all these points, get back to us!

eCrimeLabs
@eCrimeLabs
Any of you tried this integration between MISP and Microsoft Graph https://github.com/microsoftgraph/security-api-solutions/tree/master/Samples/MISP
I followed the guide here https://www.circl.lu/doc/misp/connectors/#misp-to-microsoft-graph-security-script, however there could be some permission issues I have on the Microsoft side, as I'm getting a 400 error.
befrankt
@befrankt
Hey guys, I have an issue with MISP where it can't seem to connect to the Redis DB... that means fetch feeds fail... the error sits in the error.log, where a new fetch produces the following line: "Could not reach Redis". When I "monitor" Redis however, via redis-cli, I can see the fetch coming in and I don't see any errors there... The configuration in config.php has not been changed, and if it was incorrect, I shouldn't see the activity via the redis-cli monitor, I think. Any chance the database has become corrupted, or something else I could look at? If I hit "Search feed caches" I get "an internal error has occurred." If I try to cache my feeds, nothing happens... As I understand it there are 2 Redis databases, and this all seems to relate to the one that holds the cache for the events?
Christophe Vandeplas
@cvandeplas

What would be the best way to remediate the issue of spreading corrupted events from other parties?

  • during a moment your MISP install was broken, file attachments were therefore not saved to the disk. The event/attribute were however accepted by your MISP instance
  • during this time other parties downloaded this data to their MISP.
  • you can easily fix the issue on your side: remove broken events/attributes and download them again from the 3rd party MISP instance.
  • but how can you 'notify' the other MISPs that you fixed your broken events?

Doing timestamp++ seems the only way, but is not ideal, as you're modifying someone else's data.
Any other ideas?

kaljoup
@kaljoup

Hello everybody, two (noobish, sorry) questions:

  • I installed a fresh MISP instance multiple times. There are always 2 test errors:
======================================================================
FAIL: test_user_settings (__main__.TestComprehensive)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "tests/testlive_comprehensive.py", line 2080, in test_user_settings
    self.assertEqual(len(mail_logs), 3)
AssertionError: 2 != 3

======================================================================
FAIL: test_zmq (__main__.TestComprehensive)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "tests/testlive_comprehensive.py", line 1404, in test_zmq
    self.assertEqual(r['message'], 'Event published to ZMQ')
AssertionError: 'ZMQ event publishing not enabled.' != 'Event published to ZMQ'
- ZMQ event publishing not enabled.
+ Event published to ZMQ

Is this normal behavior and can I ignore this?

  • What is PGP used for in the MISP context? I think for encrypted mails to the users; anything in addition to that?
vimtechnologies
@vimtechnologies
Good afternoon, have any of you implemented SSL for misp-dashboard?
When I edit the config.cfg file, enable SSL and point to the wildcard cert, my page does not load.
befrankt
@befrankt
OK, I think I resolved my issue... I think there are 2 Redis databases, one for cache and one for config, correct? One was set to use AUTH and one wasn't. I brought that back in line with the MISP settings for the Redis password. Just for future reference for others; the problem seems to be resolved for me now.
Antoine Cailliau
@ancailliau
I have issues with taxonomies. I updated the git submodules, but I don't see the new taxonomy. And I see an error "Undefined index" in the debug.log. Any idea how to solve this?
Mihai Damian Visan
@visanmihaidamian_gitlab
Hello! I have some problems searching events in a MISP instance using pymisp. I'm trying to get events that have any of the tags in a list of tags and a timestamp older than a given one. What happens is that the search matches all events with the given tags, so I assume something is wrong with my timestamp (the search worked before). I am using this code. Can anyone provide any input?
        import datetime
        # Midnight (local time) max_age days ago as a Unix epoch; strftime("%s") is glibc-only, timestamp() is portable
        timestamp_max = int(datetime.datetime.combine(datetime.date.today() - datetime.timedelta(days=max_age), datetime.time.min).timestamp())
        events = self.mispClient.search(tags=["TAG1", "TAG2"], timestamp=[0, timestamp_max])
JDPey
@JDPey
Hi, I'm fairly new to MISP and I was wondering if there is a way to keep your event list relevant (in an automated way of course). So any ideas on how to check if an IOC/event is still relevant after an amount of time? I use MISP as a sort of CTI platform and correlate IOCs/attributes (that we collect from all kinds of places) with our firewall logs.
Christophe Vandeplas
@cvandeplas
You could use the IOC decay feature. It's explained at length here, but also in this training.
srikanthprathi
@srikanthprathi
Is there documentation to configure MISP external authentication with OAuth 2.0?
mammamiiiya
@mammamiiiya
Anybody here implementing Let's Encrypt in their MISP instance? Need help.
mammamiiiya
@mammamiiiya
This was the error:
The following errors were reported by the server:

   Domain: misp.domain.net
   Type:   unauthorized
   Detail: Invalid response from https://misp.domain.net/users/login
   [X.X.X.X]: "<!DOCTYPE html>\n<html
   xmlns=\"http://www.w3.org/1999/xhtml\">\n<head>\n    <meta
   http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" />\n "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
KZcsirtCY
@KZcsirtCY
Hello All,
I am trying to export the Snort rules from my MISP instance via curl (ticket issue #5950).
I am using the path https://[misp_instance_url]/attributes/restSearch and get a Snort rules file of approx. 500 MB.
When I go through Export->Snort->Download, there is a 1.1 GB file.
Which one is the correct file, and is it accessible via restSearch?
Thank you all in advance.
Przemek
@przemekzny_twitter

Hello All,
I observe a lot of errors:
Failed to pull event #5d...
Reason:Event could not be saved: Event in the request not newer than the local copy.

My MISP server is connected to 3 organizations/servers. When I checked the events which generated errors, I noticed a difference of 2 hours between the created time at my MISP and the other one. I use local time (UTC+2). The other organization uses UTC.
How do I resolve this problem?