andras
@andras:matrix.circl.lu
[m]
I remember you had that weird issue with your redis memory usage growing - we couldn't reproduce that, though we should dig deeper with you and perhaps set up a debug session to figure out what's going on there
Michael
@ag-michael
I have a lot of headache from the whole publication process. When you have events constantly coming in where you expect them to be published by default, it isn't working well
andras
@andras:matrix.circl.lu
[m]
but it will be SLOW at times
Michael
@ag-michael
when the prio workers fail, I get 300k+ jobs in the queue in a few hours
andras
@andras:matrix.circl.lu
[m]
woaaaah
300k jobs? What the hell
Michael
@ag-michael
because I have a script that auto-publishes unpublished stuff (and it does not attempt to publish twice, even if the past attempt failed)
and I'm only publishing so the attributes are searchable outside of MISP, to make use of them operationally. When publishing fails all those events are missed until it catches up again
strangely, after flushing redis, I now have all workers with 0 jobs in their queue but endless pages of jobs in "queue"
I'll just flush all jobs and hope clearing redis made things better
I think part of it may be that 16G RAM isn't cutting it, but when redis is using 8GB ... maybe like you said there is a deeper issue, I'm just not familiar with redis to poke around and easily figure it out
it's gotten so bad, I have a script that looks at 500 errors in apache/misp logs and restarts apache every 10min (sort of improves things..until it doesn't :P )
Michael
@ag-michael
Usually, I can get something out of the logs I can use to file a bug report, but I haven't been able to for these issues.. I'll keep trying /tyvm
Michael
@ag-michael
workers aren't dead yet, but still 170K+ jobs and only increasing lol. 5 prio workers. I think a big part of the problem is how publishing has to send emails, update zmq, etc... maybe there is a setting I missed that would disable all that since I don't need those features?
eCrimeLabs
@eCrimeLabs
When enabling Advanced auth keys, is there a way to create a "Service account" and then create the API key through the API to avoid having to login as the user?
Asking for a friend ;)
adulau
@adulau:matrix.circl.lu
[m]
Virtual MISP Summit 0x06 - Thursday 21st October 2021.
Registration is now open.
Do you want to present or show how you use MISP, the call-for-papers is also open. #ThreatIntel #OpenSource #CTI See you there!
https://misp-project.org/misp-summit/
cybgit
@cybgit
Nice one. I've signed up.
lucatrabalza
@lucatrabalza
Hello, does somebody know if I can integrate MISP with IBM QRadar?
Matthew Keay
@matthewkeay_twitter
Am I doing something stupid in that when I freetext import an IP IOC it shows correlations but when I actually import them; those correlations don't show on the event? (I can spam a screenshot/example event if nobody minds?)
Matthew Keay
@matthewkeay_twitter
(on misppriv, for context sorry)
abruce
@abruce:matrix.org
[m]
Hi all, I'm having some issues implementing a custom decay model in MISP and would appreciate any insight. I've attempted to create JSON files based on the default decay models stored in the misp-decay-model directory and have tried to update the models in the GUI however they are not appearing. (I attempted the same way I did with uploading a custom taxonomy). I've also tried uploading the file from the GUI however it tells me that I do not have proper permissions to upload.
Jan Wrona
@jwrona
Hello, I'm looking for a way to integrate CACAO Security Playbooks into MISP. I can add Event, then add the attachment attribute and paste there the full CACAO Playbook (JSON). But I would also like to have the playbook metadata stored directly in the MISP event, so I'm thinking about adding a MISP object which would just copy the playbook metadata attributes. The problem I'm dealing with here is data redundancy, since it's still needed to attach the full CACAO playbook (omitting the metadata would make it invalid). What do you think about it?
Matthew Keay
@matthewkeay_twitter
The install.sh script seems a bit broken, if you don't change the baseurl it seems unable to make requests (invalid cert), if you give it a baseurl and quickly stick a valid cert on.. it goes and sets it back to misp.local
Jeroen Pinoy
@Wachizungu
@matthewkeay_twitter I think correlations might be disabled on that instance (MISPPRIV), that's what it looks like from statistics anyway. If anyone from the admins could confirm that would be nice though :).
bl4ckm4mb4
@bl4ckm4mb4:matrix.org
[m]
Hi Fellas, I hope you're good.
Unfortunately, I'm having problems with login to my MISP instance. (I tried to restart the core service for the WebUI (apache2) and I tried too to restart the server .. but I've the same problem .. The login page is shown through https /443 .. but when I try to put my user/pass, the login page stays loading indefinitely. Do you know how I can trace the error?
I looked into the /var/www/MISP/app/log/ directory
for the errors, but I see nothing useful to understand the problem here ..
I appreciate any help that you can give me. So .. I wish you a great day!
Jeroen Pinoy
@Wachizungu
Your apache logs don't show anything either?
Assuming default login (no SSO integration etc)? No disk space issues or things like that?
luciano (righel)
@luciano:matrix.circl.lu
[m]
Hello bl4ckm4mb4, can you login via ssh to the MISP instance and check if there is enough free space?
Logs that can shed some light:
/var/www/MISP/app/tmp/logs/error.log
/var/log/apache2/error.log
/var/log/apache2/misp.local_error.log
bl4ckm4mb4
@bl4ckm4mb4:matrix.org
[m]

Hi Wachizungu, thanks for the response! My apache logs only display:

Sep 20 14:33:24 ss11080 /var/www/MISP/app/tmp/logs/[1646]: 2021-09-20 14:33:24 Notice: User (2): mail_user@company.com -- login

and the login page is stuck there. (I'm using default login, and the disk space appears to be fine on df output)

Thanks Luciano, the root partition is 43% full
I will check these logs that you suggest. Thanks for your help guys
luciano (righel)
@luciano:matrix.circl.lu
[m]
you could also verify mysql/mariadb is running.
sudo service mysql status
bl4ckm4mb4
@bl4ckm4mb4:matrix.org
[m]
Yes, it's running.. here is the output from systemctl status mysql:

misp@ss11080:~$ sudo systemctl status mysql
● mariadb.service - MariaDB 10.3.31 database server
Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2021-09-20 14:23:21 UTC; 33min ago
Docs: man:mysqld(8)
https://mariadb.com/kb/en/library/systemd/
Process: 852 ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld (code=exited, status=0/SUCCESS)
Process: 887 ExecStartPre=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
Process: 894 ExecStartPre=/bin/sh -c [ ! -e /usr/bin/galera_recovery ] && VAR= || VAR=cd /usr/bin/..; /usr/bin/galera_recovery; [ $? -eq 0 ] && systemct>
Process: 1063 ExecStartPost=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)
Process: 1069 ExecStartPost=/etc/mysql/debian-start (code=exited, status=0/SUCCESS)
Main PID: 970 (mysqld)
Status: "Taking your SQL requests now..."
Tasks: 31 (limit: 19077)
Memory: 7.3G
CGroup: /system.slice/mariadb.service
└─970 /usr/sbin/mysqld

Sep 20 14:23:20 ss11080 mysqld[970]: 2021-09-20 14:23:20 0 [Note] /usr/sbin/mysqld (mysqld 10.3.31-MariaDB-0ubuntu0.20.04.1) starting as process 970 ...
Sep 20 14:23:21 ss11080 systemd[1]: Started MariaDB 10.3.31 database server.

sorry

I've one doubt .. my MISP instance has:

4 CPUs -- 16 GB RAM, and 300 GB disk

I assume that the hardware requirements for a simple instance are OK .. is this right?
luciano (righel)
@luciano:matrix.circl.lu
[m]
Yes, that's more than enough
bl4ckm4mb4
@bl4ckm4mb4:matrix.org
[m]
Great, thank you! .. I'm running on Ubuntu 20.04.3 LTS
andras
@andras:matrix.circl.lu
[m]
It's in /var/www/MISP/app/Config/config.php
bl4ckm4mb4
@bl4ckm4mb4:matrix.org
[m]

Unexpectedly I have been able to log into the WebUI, (I left the browser window open trying to access for about 20 minutes), I have not modified any configuration since we started talking. I have only checked logs ..

I would appreciate if you have any ideas on how to improve this .. maybe it is some configuration about the correlations / events that are in my instance.

Any suggestion will be well received. I thank you all

I will do it, and see if the problem appears again, thank you so much Wachizungu, Luciano & Andras for your time & help
I really appreciate that
andras
@andras:matrix.circl.lu
[m]
let us know if it does!