Security Analyst’s Trinity: MISP Installation

Shreenkhala Bhattarai
3 min readJan 13, 2023

--

MISP (Malware Information Sharing Platform) is an open-source software platform for collecting, storing, distributing, and sharing cybersecurity indicators, incident analysis, and malware analysis. It also assists SOC analyst, incident responder, security and ICT professionals, or malware reverse engineers in their day-to-day operations by allowing them to efficiently share structured information.

This blog post focuses on MISP installation and its potential when combined with platforms like TheHive and Cortex as Case management systems and Threat exchange respectively.

MISP have a docker installation ready to use in their github.

The following section includes steps for manually installing MISP using docker

Docker needs to be set up on the machine.

Install complementary packages for Docker.

$ sudo apt-get update
$ sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release

Add Docker official key.

$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

Set up the stable repository.

$ echo \
"deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Update the packages, and install the latest version of Docker.

$ sudo apt-get update
$ sudo apt-get install docker-ce docker-ce-cli containerd.io

Clone the MISP project from the github.

$ cd ~
$ git clone https://github.com/harvard-itsecurity/docker-misp.git

Jump to misp-docker directory.

$ cd docker-misp

Edit the file build.sh.

$ vim build.sh

Change the configurations in bold.

#!/bin/bash
docker rmi harvarditsecurity/misp
docker build \
--rm=true --force-rm=true \
--build-arg MYSQL_MISP_PASSWORD=ChangeThisDefaultPassworda9564ebc3289b7a14551baf8ad5ec60a \
--build-arg POSTFIX_RELAY_HOST=localhost \
--build-arg MISP_FQDN=localhost \
--build-arg MISP_EMAIL=admin@localhost \
--build-arg MISP_GPG_PASSWORD=ChangeThisDefaultPasswordXuJBao5Q2bps89LWFqWkKgDZwAFpNHvc \
-t harvarditsecurity/misp container

Build the Docker image.

$ ./build.sh

Create a directory to the MISP database.

$ mkdir -p /docker/misp-db

Initialize MISP database.

$ docker run -it --rm \
-v /docker/misp-db:/var/lib/mysql \
harvarditsecurity/misp /init-db

Create a self signed certificate for MISP.

$ mkdir -p /docker/certs/
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /docker/certs/misp.key -out /docker/certs/misp.crt

Start the container.

$ docker run -it -d \
-p 443:443 \
-p 80:80 \
-p 3306:3306 \
-v /docker/certs:/etc/ssl/private \
-v /docker/misp-db:/var/lib/mysql \
harvarditsecurity/misp

Try access MISP in your browser.

https://localhost (or your "MISP_FQDN" setting)
Login: admin@admin.test
Password: admin

Change the password. Password must contain at least 12 characters with one uppercase and one special charater.

Configuring MISP

Let’s configure some administrative settings.

Go to Administration, Server Settings & Maintenance, MISP Settings

Change the configurations below.

MISP.live=TRUE
MISP.disable_emailing=TRUE
MISP.baseurl=IP do MISP

Update the configuration.

Go to Administration and Scheduled Tasks
Set fetch_feeds to 24

Click Update All.

MISP comes with a variety of IOC’s sources. We need to enable them. You can also import your preference feeds.

Go to Sync Actions and List Feeds.

Click in Load default feed metadata.

Click in All feeds menu.

Select all feeds and click Enable selected. Then click Fetch and store all feed data.

You can see the the progress in Administration > Jobs.

The last configuration we need to do is create a key to communicate with Cortex and TheHive.

Go to Administration, Add User.

Provide an email, select Role as User and deselect all the checkboxes below.

Copy the key and click Save.

--

--

Shreenkhala Bhattarai
Shreenkhala Bhattarai

No responses yet