Security Analyst’s Trinity: MISP Installation
MISP (Malware Information Sharing Platform) is an open-source software platform for collecting, storing, distributing, and sharing cybersecurity indicators, incident analysis, and malware analysis. It also assists SOC analyst, incident responder, security and ICT professionals, or malware reverse engineers in their day-to-day operations by allowing them to efficiently share structured information.
This blog post focuses on MISP installation and its potential when combined with platforms like TheHive and Cortex as Case management systems and Threat exchange respectively.
MISP have a docker installation ready to use in their github.
The following section includes steps for manually installing MISP using docker
Docker needs to be set up on the machine.
Install complementary packages for Docker.
$ sudo apt-get update
$ sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-releaseAdd Docker official key.
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpgSet up the stable repository.
$ echo \
"deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/nullUpdate the packages, and install the latest version of Docker.
$ sudo apt-get update
$ sudo apt-get install docker-ce docker-ce-cli containerd.ioClone the MISP project from the github.
$ cd ~
$ git clone https://github.com/harvard-itsecurity/docker-misp.gitJump to misp-docker directory.
$ cd docker-mispEdit the file build.sh.
$ vim build.shChange the configurations in bold.
#!/bin/bash
docker rmi harvarditsecurity/misp
docker build \
--rm=true --force-rm=true \
--build-arg MYSQL_MISP_PASSWORD=ChangeThisDefaultPassworda9564ebc3289b7a14551baf8ad5ec60a \
--build-arg POSTFIX_RELAY_HOST=localhost \
--build-arg MISP_FQDN=localhost \
--build-arg MISP_EMAIL=admin@localhost \
--build-arg MISP_GPG_PASSWORD=ChangeThisDefaultPasswordXuJBao5Q2bps89LWFqWkKgDZwAFpNHvc \
-t harvarditsecurity/misp containerBuild the Docker image.
$ ./build.shCreate a directory to the MISP database.
$ mkdir -p /docker/misp-dbInitialize MISP database.
$ docker run -it --rm \
-v /docker/misp-db:/var/lib/mysql \
harvarditsecurity/misp /init-dbCreate a self signed certificate for MISP.
$ mkdir -p /docker/certs/
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /docker/certs/misp.key -out /docker/certs/misp.crtStart the container.
$ docker run -it -d \
-p 443:443 \
-p 80:80 \
-p 3306:3306 \
-v /docker/certs:/etc/ssl/private \
-v /docker/misp-db:/var/lib/mysql \
harvarditsecurity/mispTry access MISP in your browser.
https://localhost (or your "MISP_FQDN" setting)Login: admin@admin.test
Password: admin
Change the password. Password must contain at least 12 characters with one uppercase and one special charater.
Configuring MISP
Let’s configure some administrative settings.
Go to Administration, Server Settings & Maintenance, MISP Settings
Change the configurations below.
MISP.live=TRUE
MISP.disable_emailing=TRUE
MISP.baseurl=IP do MISP
Update the configuration.
Go to Administration and Scheduled Tasks
Set fetch_feeds to 24
Click Update All.
MISP comes with a variety of IOC’s sources. We need to enable them. You can also import your preference feeds.
Go to Sync Actions and List Feeds.
Click in Load default feed metadata.
Click in All feeds menu.
Select all feeds and click Enable selected. Then click Fetch and store all feed data.
You can see the the progress in Administration > Jobs.
The last configuration we need to do is create a key to communicate with Cortex and TheHive.
Go to Administration, Add User.
Provide an email, select Role as User and deselect all the checkboxes below.
Copy the key and click Save.