andras
@andras:matrix.circl.lu
[m]
So basically what we do normally
If we have a source in a format misp can’t cope with
Chris Lott
@chrisInMtown_twitter
I think you're suggesting, if we consume a premium feed and transform it to a MISP-friendly format, then we could use the MISP ingester, which would also allow us to use the MISP cacher. Did I understand correctly?
andras
@andras:matrix.circl.lu
[m]
We generate a misp feed out of it with a simple pymisp script + our own conversion logic
Indeed
What you said
That way we can interact with the feed’s content as if it was a misp instance
Chris Lott
@chrisInMtown_twitter
Thanks for clarifying. I will take this under advisement. It is not at all clear to me if this will let us cope with all the special situations; for example in some cases we delete the old event before ingesting a new version of it.
andras
@andras:matrix.circl.lu
[m]
Not sure. Think you folks have some pretty specific use cases that might not fit. If you see any obvious limitations holler maybe we have some ideas
Chris Lott
@chrisInMtown_twitter
well, the use cases are invariably driven by provider data oddities, the need to avoid duplicates, etc.
andras
@andras:matrix.circl.lu
[m]
Yeah duplicate management can be tough especially for sources that don’t contain unique identifiers
Chris Lott
@chrisInMtown_twitter
good day, this is probably a really dumb question, but does MISP serve out a self-documenting REST API page like what Swagger can generate with annotations? The only doc I find is from humans: https://www.circl.lu/doc/misp/automation/#search
Andras Iklody
@iglocska
that documentation is generally pretty outdated. Best to use /events/automation in MISP directly or the REST Client
OpenAPI is in the works
Chris Lott
@chrisInMtown_twitter
right, swagger is the old system, OpenAPI is the new one. Glad to hear it. I hope PHP supports annotations so the doc is always in sync with the system
1 reply
Andras Iklody
@iglocska
it doesn't per se, but @righel is working on the current state + we'll have a workflow to maintain it with each release / automatically sanity check if something is unmapped before each release
Chris Lott
@chrisInMtown_twitter
Sounds tricky. Swagger/openAPI annotations in java & python are like magic, you do a bit of work and beautiful, accurate documentation pops out. Hope your system works.
1 reply
Andras Iklody
@iglocska
it depends on the framework how supported it is less so than the language - hope so too.
andras
@andras:matrix.circl.lu
[m]
yeah I wouldn't call annotations automatic unless the annotations themselves are built automatically ^^
Chris Lott
@chrisInMtown_twitter
Oh I was not saying that the annotations are automatic! I was saying that with a modest amount of work to write the annotations in the code, the resulting documentation is really great; total effort to produce great doc is modest.
andras
@andras:matrix.circl.lu
[m]

Definitely wouldn't call that modest ;)

Also, commenting every endpoint is exactly as much effort as building an API map with all parameters, that was also @righel's point

Chris Lott
@chrisInMtown_twitter
so, my experience was with Java and Python where the only annotations I had to make were explanatory/help text for the parameters; all the endpoints, parameter names & types were available to OpenAPI from the introspection magic.
I think @luciano:matrix.circl.lu is saying that isn't available in PHP7
andras
@andras:matrix.circl.lu
[m]
exactly, what he is doing now is describing exactly that for each endpoint, just outside of the codebase.
Chris Lott
@chrisInMtown_twitter
ouch, that's a lotta work
andras
@andras:matrix.circl.lu
[m]
exactly as much work
as commenting the functions
Chris Lott
@chrisInMtown_twitter
well I hope PHP8 is on your roadmap.
andras
@andras:matrix.circl.lu
[m]
it is, but it won't make a major difference in this in particular.
most of the parameters have to be hand evaluated either way - so whether you put the annotation in a comment above the function, or a separate JSON document doesn't matter
Chris Lott
@chrisInMtown_twitter
I have to disagree with you there @andras. It absolutely matters if the doc is with the code, not four directories and a file away. Remember TeX and literate programming? old lessons :/
andras
@andras:matrix.circl.lu
[m]
sure, we have tooling that composes it for us and points it out if something is missing, so we get easily around that
btw, we use TeX for all our slides, so perhaps it's a different mindset ;)
Chris Lott
@chrisInMtown_twitter
omg people still use slitex?
andras
@andras:matrix.circl.lu
[m]
absolutely
Chris Lott
@chrisInMtown_twitter
Please answer a quick question about MISP <-> PyMISP version correspondence: the MISP version tagged 2.4.141 has its PyMISP submodule at a commit for version 2.4.140. I think they should match. Is the mismatch on purpose or a defect?
Maybe that tiny difference doesn't matter, but we noticed this in our upgrade effort and are concerned
andras
@andras:matrix.circl.lu
[m]
no need to be concerned, all good
there was no change to pymisp
Chris Lott
@chrisInMtown_twitter
Thanks @andras:matrix.circl.lu
Andras Iklody
@iglocska
no worries

With the new API key security in place is there any way through PyMISP to create a user add it to an organisation AND create an API key for this user ("Service Account") and get this output .... Currently I've only found that I can create the user then login and create the api key and then copy it from there .... Thanks in advance :)

The response from MISP when you create a user should include an API key that you can use (in theory)

cbboggs
@cbboggs
how would one go about deleting a cached instance of a server? for example - if we added a server entry - set it to cache only, but then later decided to pull events and don't want them all correlating to a cached event as well?
cbboggs
@cbboggs
I can understand existing correlations not being removed just because we uncheck "Caching Enabled" - but I have a feeling that the existing cache is causing some stress on the database while we attempt to sync these events, causing mysql to die and the sync hangs.
Chris Lott
@chrisInMtown_twitter
Unfortunately @andras I found a small but extremely annoying difference PyMISP 2.4.140->2.4.141, the logging behavior; also see MISP/PyMISP#731
Andras Iklody
@iglocska
That could be. However, PyMISP 2.4.141 came out after the MISP release so it will be included with the next MISP release ;) You're obviously free to use a newer PyMISP version
or maybe I misunderstood it
ok I see thought this still had to do with the version pinned in MISP
that is indeed annoying