Malware Information Sharing Platform (MISP) is an open source threat intelligence platform that develops utilities and documentation for more effective threat intelligence, by sharing indicators of compromise.
The goal of this PoC to setup the MISP Docker instance and manually create threat events with tags. Later we will automate the threat information sharing using PyMISP.
Let's breakdown the PoC into two steps.
- MISP Setup
- Event Generation from PyMISP
Before continuing, please make sure Python3 and Docker are installed on your system. Also ensure ports 443,80 and 3306 are not used. If used please change the port mapping while starting the MISP container.
- Pull the MISP docker image from Dockerhub.
docker pull harvarditsecurity/misp
- Make sure the MISP image is listed on available docker images.
docker images
- Create a directory for MISP and export a variable
dockerrootthat specifies the path of created directory.
mkdir ~/misp
export dockerroot=~/misp
- Create a Database directory and initialize Database.
mkdir -p $dockerroot/misp-db
docker run -it --rm -v $dockerroot/misp-db:/var/lib/mysql harvarditsecurity/misp /init-db
- Start the MISP container
docker run -it -d -p 443:443 -p 80:80 -p 3306:3306 -v $dockerroot/misp-db:/var/lib/mysql harvarditsecurity/misp
- Access Web URL and change the password.
Go to: https://localhost
Login: admin@admin.test
Password: admin
-
Go to MISP homepage
-
Add Threat Event
-
Add new tag
-
List available tags
-
Double-click on event from list of events and link tag to the created event
-
List of events with tag(s)
-
To create events using PyMISP we need an API key. Go to Automation page and copy the key (highlighted in the below image).
-
Update the
misp_keyvariable value in keys.py file with the key copied in the above step. -
Install PyMISP
sudo pip3 install pymisp
- Run the PyMISP code
python3 create_events.py
-
Go to list of events. You can see auto-generated event with the new tag "AutoGen-Tag" created from
create_events.py.
-
References
