Luca
@lucacyber
ok, but why does importing this json from the MISP web interface work?
andras
@andras:matrix.circl.lu
[m]
Because it’s a different endpoint
Luca
@lucacyber
yes okay now I change it into {
"Event": {
"id": "xxxxx",
"orgc_id": "xxxxx",
"org_id": "xxxxx",
"date": "2021-08-10",
"threat_level_id": "3",
"info": "Ixxxxx",
"published": true,
"uuid": "xxxxx",
"attribute_count": "21",
"analysis": "2",
"timestamp": "xxxxx",
"distribution": "2",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "xxxxx",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
and it gives me this
{
"saved": false,
"name": "Could not add Event",
"message": "Could not add Event",
"url": "\/events\/add",
"errors": []
}
I run this ----> curl -d "@filename.json" --insecure -H "Authorization: KEY" -H "Accept: application/json" -H "Content-type: application/json" -X POST https://MY_IP/events/add
Sascha Rommelfangen
@rommelfs
what have you changed?
Or shall we ask all the questions again?
andras
@andras:matrix.circl.lu
[m]
😭
Luca
@lucacyber
I put {
"Event": {
"id": "xxxxx",
or
{
"id": "xx",
"orgc_id": "xx",
"org_id": "xx", }
but it is the same, I have {
"saved": false,
"name": "Could not add Event",
"message": "Could not add Event",
"url": "\/events\/add",
"errors": []
}
Sascha Rommelfangen
@rommelfs
If you allow to share an approach that helps both sides: create a synthetic example of your working and not-working files. In addition share the command you use to upload it. Then we can try to reproduce it.
Luca
@lucacyber

1) I run this --> curl -d "@2343038.json" --insecure -H "Authorization: KEY" -H "Accept: application/json" -H "Content-type: application/json" -X POST https://172.x.x.x/events/add

2) this is the json file called 2343038.json:

{
"id": "xxxx",
"orgc_id": "xxx",
"org_id": "xxx",
"date": "2021-08-10",
"threat_level_id": "3",
"info": "xxx",
"published": true,
"uuid": "xxx",
"attribute_count": "21",
"analysis": "2",
"timestamp": "1628675907",
"distribution": "2",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "1628675971",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
"Org": {
"id": "xxx",
"name": "xxx",
"uuid": "xxx"
},
"Orgc": {
"id": "xxx",
"name": "xxx",
"uuid": "xxx"
},
"Attribute": [
{
"id": "xxx",
"type": "link",
"category": "External analysis",
"to_ids": false,
"uuid": "xxx",
"event_id": "2343038",
"distribution": "5",
"timestamp": "1628610665",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "xxx",
"ShadowAttribute": []
},
{
"id": "139562452",
"type": "filename",
"category": "Payload delivery",
"to_ids": false,
"uuid": "",
"event_id": "2343038",
"distribution": "5",
"timestamp": "1628611134",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "cache.dll",
"ShadowAttribute": []
}

the json file is too long, I take just the first part.
Sascha Rommelfangen
@rommelfs
Ok, now can you create two synthetic examples? Short and anonymous enough to be shared? One that works and one that fails?
Luca
@lucacyber
do you mean the error that this command gives me?
can you send me a json file to import, I can try to change the file, so if the file is the problem it will be ok and will work
Sascha Rommelfangen
@rommelfs
I think that’s exactly what you want to do now. Reducing the complexity of your problem to a bare minimum.
You had a working file and modified something. Since then it doesn’t work.
Luca
@lucacyber
no, the import of the events using curl never worked
Sascha Rommelfangen
@rommelfs
Then I don’t know what I read earlier today in this channel
Luca
@lucacyber
I'd just like to import a json misp event using curl
Sascha Rommelfangen
@rommelfs
please share your full json file or create one that you can share.
Luca
@lucacyber
now it works, maybe a syntax error in the json file. How can I understand if curl was executed successfully or not? Because I'd like to run the script with a cron job, so I'd like to know which json files are successfully imported and which are not imported on misp. Thank you
3 replies
luciano (righel)
@luciano:matrix.circl.lu
[m]
/var/www/MISP/app/tmp/logs
match-markhattarki
@match-markhattarki

hello... I just stood up my own misp instance. I installed it on a ubuntu system, following the instructions as best as I could. I ran the INSTALL.SH -c, as per the instructions. I am not sure if I need to install modules or other components.

When I try to add a feed, I get a "feed not added" banner at the top. I don't see any errors in the logs. I am guessing that something might not be writable.

PLEASE! Any help or pointers would be greatly appreciated!!!!

1 reply
Milann SHRESTHA
@milannshrestha
How do I revert to Org Name from Org Logo? I don't see any option.
Luca
@lucacyber
if I use "timestamp" to export events that I have imported in the last 24 hours, is it correct? I want to export just events that I have imported on my SIEM in the last 24 hours
this is my curl:
curl --insecure -H "Authorization: KEY " -H "Content-type: application/json" -H "Accept: application/json" -X "POST" https://MYIP/events/restSearch -d '{"returnFormat": "stix", "publish_timestamp": "24h"}'
IF I RUN THIS CURL, the query gives me also events that I imported on 13/08/2021, not ONLY the events imported in the last 24 hours
5 replies
Fatima Sadiq
@fatimasadiq
Hello everyone, I want to fetch only info and threat level from the event attribute. I tried with misp search, controller and attribute but it didn't work... can anyone help please... which query is to be used for this? Thank you
r = misp.search_index(attribute='info' ) is fetching all attributes of the event... I just need info and threat level
Luca
@lucacyber
@lucatrabalza
if I use "timestamp" to export events that I have imported in the last 24 hours, is it correct? I want to export just events that I have imported on my SIEM in the last 24 hours
this is my curl:
curl --insecure -H "Authorization: KEY " -H "Content-type: application/json" -H "Accept: application/json" -X "POST" https://MYIP/events/restSearch -d '{"returnFormat": "stix", "publish_timestamp": "24h"}'
IF I RUN THIS CURL, the query gives me also events that I imported on 13/08/2021, not ONLY the events imported in the last 24 hours
how can I change timestamp to Published??
I'd like to export events published in the last 24 h
2 replies
mtoivo
@mtoivo_twitter
A quick question: after installing hotfix update, should the MYSQL.sql be imported again? It should not overwrite anything, but new tables will be created etc?
Also: diagnostics show that expected_db version is: 72, but the MYSQL.sql included inserts db_version to: 61
mtoivo
@mtoivo_twitter
And finally: I cannot (hotfix-)update the installed MISP via git, because the underlying OS does not have an internet connection. Therefore I've just packaged the MISP elsewhere beforehand, created an archive out of it and just unarchived that on top of the old installation, saving the old config file (and not deleting stuff created there after the previous installation). Is it possible that I run into problems with this approach?
War10ck3
@War10ck3
I am attempting a new MISP deployment and am unable to install the PHP repo. I also attempted to install it manually using install.sh during the MISP installation process, but I received a gpg error. How can I troubleshoot this?
php issue.png
Luca
@lucacyber
how can I export all IP addresses of all events in my misp?
LFED-FP
@LFED-FP
Hey y'all!!! I have a quick question I hope someone can help me out with
I am running MISP v 2.4.141
I can build and docker-compose up my local version of misp just fine

But I am getting these weird messages constantly being spammed

misp_web        | 2021-08-18 17:53:38,764 INFO success: master entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
misp_web        | 2021-08-18 17:53:38,773 INFO exited: master (exit status 1; not expected)
misp_web        | 2021-08-18 17:53:39,781 INFO spawned: 'master' with pid 185

Any idea why and how I might be able to fix this?

Further, when I visit my local host I am being redirected to this url https://gearssdk.opswat.com? Is this normal? Any clarity would be greatly appreciated!!
LFED-FP
@LFED-FP
I'm on Mac Catalina V10.15.7
docker info
 ~ docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
  scan: Docker Scan (Docker Inc., v0.5.0)

Server:
 Server Version: 20.10.5