cybgit
@cybgit
It's a bit hard getting your head around tbh
Hope that helps
E6DUchiha
@E6DUchiha
I see
I will try it, and I'll keep you updated on any news. That point you mentioned about tagging and rules, I've not tried it before, so I'll give it a try and I'll tell you. Really, thank you so much for your help 🙏 I really appreciate it ^^
E6DUchiha
@E6DUchiha
@cybgit hello there, I hope that you are having a great day today ^^,
@cybgit Well, I tried as you told me but it still didn't work, it says authentication failed! I dunno if I can upload a document here with screenshots of my configuration!
Matthew
@yaekmj_twitter
Am I doing something stupid/is it expected workflow when I hit publish sometimes - the publish options disappear from the event and it doesn't get published? Can't see anything helpful in event history or the generic logs.
Ghost
@ghost~615372946da037398486bfb7
Sorry if this was already mentioned, but does anyone know why EMailObject and ExpandedPyMISP.upload_sample portions of PyMISP are getting deprecated?
GV-007
@GV-007

Did some debugging today on the OidcAuthenticate plugin (with OneLogin as provider). I added some logging in the PHP script:

        if (empty($roles)) {
            $this->log($roleProperty, "roleproperty_log");
            $roles = $oidc->requestUserInfo($roleProperty);
            $this->log($roles, "roles_log");

it seems $roles stays empty

2021-09-24 11:36:04 Info: OIDC: User `geert.verstrepen@nsoc.works` – Trying login
2021-09-24 11:36:04 Info: OIDC: User `roles` – roleproperty_log
2021-09-24 11:36:04 Info: OIDC: User `` – roles_log
2021-09-24 11:36:04 Info: OIDC: User `geert.verstrepen@nsoc.works` – User organisation `NSOC` found with ID 1.

Any suggestions?

Has nobody used the OIDC plugin?

andras
@andras:matrix.circl.lu
I haven't myself
but after a quick read of the codebase:
$this->getConfig('roles_property', 'roles');
this is where the key at which the roles can be found is read
which you need to configure in two places:
  1. in your MISP's oidc config
  2. your IAM / OIDC implementation needs to actually pass the roles along via that key
so make sure that this actually happens
this needs to be exposed via the userinfo endpoint, as requested by the oidc library used by the plugin here:
GV-007
@GV-007
@andras:matrix.circl.lu indeed, I am using OneLogin IdP, which by default uses groups, so I tried 2 things already:
  • In the MISP OIDC config defining 'groups' as key
  • In OneLogin changing key to roles (default of MISP)
In both cases $roles stays empty
andras
@andras:matrix.circl.lu
I have never used OneLogin, if you craft a query for the userinfo endpoint, can you see groups being included as a key?
If you're OK with trying something hacky:
in the plugin itself
after this line:
GV-007
@GV-007
@andras:matrix.circl.lu I am not a programmer, so not sure how to craft the query...
you can get the full contents of the userinfo via $oidc->requestUserInfo();
it might make sense to grab that and log it
just to make sure that OneLogin actually includes the roles
GV-007
@GV-007
OK, I just add that line and then log: $this->log($oidc, "oidc_log");, right?
andras
@andras:matrix.circl.lu
something like this rather:
$this->log(json_encode($oidc->requestUserInfo()), "oidc_log");
GV-007
@GV-007
@andras:matrix.circl.lu thanks for the tip, I don't see any roles in the output:
2021-09-29 09:42:40 Info: OIDC: User `{"sub":"59611704","email":"geert.verstrepen@XXX","preferred_username":"XXX","name":"Geert Verstrepen"}` – oidc_log
andras
@andras:matrix.circl.lu
yeah was stuck on something similar last week with another tool / another idp :)
GV-007
@GV-007
@andras:matrix.circl.lu on OneLogin end, I configured the roles parameter, so not sure why we don't see it...
andras
@andras:matrix.circl.lu
For what I was stuck on: I also configured the groups/roles in the tool (in my case it was keycloak) but I had to specifically map it so that it would actually show up in the response and the JWT
GV-007
@GV-007
@andras:matrix.circl.lu, many thanks, I'll start now by creating a ticket at OneLogin
Keep you informed
andras
@andras:matrix.circl.lu
no worries
if it helps:
from keycloak it looked like this:
it's the very last entry that did it
ended up with it being included in the JWT:
Matthew
@yaekmj_twitter
Is there a common way to express a generic $EmailRecipient rather than leaking users' addresses?
GV-007
@GV-007
@andras:matrix.circl.lu got a reply on my support case that in the request a scope should be defined:
To allow roles to be sent, you need to set the appropriate scope, see https://developers.onelogin.com/openid-connect/scopes
Brent Murphy
@bm11100

I've got a cron just set up to cache feeds and it has been working fine. I saw the feeds haven't been cached lately and when I run /var/www/MISP/app/Console/cake Server cacheFeed 2 all 2>&1 manually I am getting errors like below -

2021-09-29 14:46:41 Notice: Redis::exec(): send of 8192 bytes failed with errno=32 Broken pipe in [/var/www/MISP/app/Model/Feed.php, line 1334]
Notice Error: Redis::exec(): send of 8192 bytes failed with errno=32 Broken pipe in [/var/www/MISP/app/Model/Feed.php, line 1334]

I haven't modified the Feed.php file at all, the error in this instance is $pipe->exec();. Has anyone had this issue?

Disk space is not full

Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        7.7G     0  7.7G   0% /dev
tmpfs           7.7G     0  7.7G   0% /dev/shm
tmpfs           7.7G   33M  7.7G   1% /run
tmpfs           7.7G     0  7.7G   0% /sys/fs/cgroup
/dev/nvme0n1p1  500G  9.6G  491G   2% /
tmpfs           1.6G     0  1.6G   0% /run/user/1003
cac0ns3c
@cac0ns3c
I deleted all the events from MISP using PyMISP but now when I'm trying to get them again from the feeds I'm getting the error
2021-09-29 20:12:41 Error: Could not save freetext feed data for feed 3.
[Exception] The target event is no longer valid. Make sure that the target event 816 exists.
Stack Trace:
#0 /var/www/MISP/app/Model/Feed.php(1013): Feed->saveFreetextFeedData()
#1 /var/www/MISP/app/Console/Command/ServerShell.php(297): Feed->downloadFromFeedInitiator()
#2 /var/www/MISP/app/Console/Command/AppShell.php(35): ServerShell->fetchFeed()
#3 /var/www/MISP/app/Vendor/kamisama/php-resque-ex/lib/Resque/Job.php(199): AppShell->perform()
#4 /var/www/MISP/app/Vendor/kamisama/php-resque-ex/lib/Resque/Worker.php(278): Resque_Job->perform()
#5 /var/www/MISP/app/Vendor/kamisama/php-resque-ex/lib/Resque/Worker.php(241): Resque_Worker->perform()
#6 /var/www/MISP/app/Vendor/kamisama/php-resque-ex/bin/resque(109): Resque_Worker->work()
#7 /var/www/MISP/app/Vendor/kamisama/php-resque-ex/bin/resque(100): startWorker()
#8 {main}
andras
@andras:matrix.circl.lu
Edit the feed, remove the id for the fixed event