This tutorial is based on the official MISP website instructions (https://misp-project.org/). The HackInSDN project utilizes Docker container solutions with images maintained by Stefano Ortolani of VMware, which are regularly updated in the MISP GitHub repository. Access MISP documentation for installation options. Instructions for installation using images maintained by Stefano Ortolani can be found at: https://github.com/MISP/misp-docker.
Minimum requirements to implement a MISP instance:
Step 1: Clone the misp-docker repository. Execute the following command in your terminal:
git clone https://github.com/MISP/misp-docker/ && cd docker-mispStep 2: Copy the environment file and remove its temporary prefix:
cp template.env .envStep 3: Inside the created directory, check if the docker-compose.yml file was downloaded correctly. If so, you will need to pull precompiled images or build new ones, with the second option being more recommended. To pull precompiled images:
docker compose pullTo build new images:
docker compose buildNOTE: The image generation process may take some time. Wait until it is completed before proceeding to the next step. In case of errors, refer to the Troubleshooting section available in the repository referenced in this tutorial.
Step 4: Now, you need to load the containers responsible for enabling the necessary components (misp, misp-modules, redis, database, and mail) for MISP to function.
docker compose upStep 5: Access the MISP web interface at https://localhost using the credentials:
admin@admin.testadminAfter installing MISP, some configurations are required, such as changing passwords, creating organizations, and adding new users.
To change the default user password, click on Administration » List Users, then Set password. After entering the new password, confirm the current password (admin) and submit the changes.
To create a new organization, click on Administration » Add Organisations and fill in the fields with the name, UUID, description, nationality, sector, and other relevant information about your organization.
To create a new user, click on Administration » Add User and fill in the fields with the name, email, password, role, organization, and other pertinent information for the new user in your organization.
PyMISP is a Python library that facilitates interaction with the MISP platform through its REST API. With PyMISP, you can perform operations such as retrieving events, adding or modifying events and attributes, uploading or updating samples, and searching for attributes. To install the library, follow the steps below:
Step 1: Install the required dependencies:
pip3 install pymispStep 2: Access the directory at https://github.com/MISP/PyMISP/tree/main/examples
Modify the keys.py.sample file to include your MISP URL and API key:
cd examples
cp keys.py.sample keys.py
vim keys.pyTo export compromised IPs from your MISP instance in Suricata rule format, run the export_suricata script:
sh export_suricataTo export indicators of compromise for a specific event in CSV format, run the export_csv script with the following command:
python3 export_csv -e -fThe importCauma.py script performs basic data import into a MISP instance. In the example below, malicious URLs collected from the Malicious URL Catalog (https://cauma.pop-ba.rnp.br/) are inserted. To execute the script, use the command:
python3 importCauma.py