Install AIL Framework
git clone https://github.com/CIRCL/AIL-framework.git
cd AIL-framework
./installing_deps.sh
cd ~/AIL-framework/
cd bin/
./LAUNCH.sh -l
Install Cortex
cd /opt
wget https://dl.bintray.com/thehive-project/binary/cortex-latest.zip
unzip cortex-latest.zip
ln -s cortex-3.0.1-1/ cortex
cd /opt/cortex/conf
mv application.sample application.conf
sudo chgrp cortex /opt/cortex/conf/application.conf
sudo chmod 640 /opt/cortex/conf/application.conf
Edit application.conf, uncomment the secret line and set a new secret.
Edit /usr/lib/systemd/system/cortex.service and update it with the correct paths under /opt (the unzipped package uses a conf/ directory, as in the previous step):
ExecStart=/opt/cortex/bin/cortex \
-Dconfig.file=/opt/cortex/conf/application.conf \
-Dlogger.file=/opt/cortex/conf/logback.xml \
-Dpidfile.path=/dev/null
Edit /opt/cortex/package/cortex.service
ExecStart=/opt/cortex/bin/cortex \
-Dconfig.file=/opt/cortex/conf/application.conf \
-Dlogger.file=/opt/cortex/conf/logback.xml \
-Dpidfile.path=/dev/null
Edit /opt/cortex/package/cortex.conf
script
DAEMON_USER="cortex"
DAEMON_ARGS="-Dconfig.file=/opt/cortex/conf/application.conf -Dlogger.file=/opt/cortex/conf/logback.xml -Dpidfile.path=/dev/null"
systemctl daemon-reload
sudo systemctl enable cortex
sudo service cortex start
Install MISP Dashboard
We will cover two different scenarios:
A) MISP v2.4 installed without the Dashboard: either installed with the script without the -D parameter, or the Dashboard was not installed because of the changes in versions 2.4.122 & 2.4.123 related to MaxMind.
B) MISP 2.4 installed with a version older than 2.4.121, using the script with the -D parameter.
Verification of scenario A) or B):
If you have /var/www/misp-dashboard and /etc/apache2/sites-available/misp-dashboard.conf, you are in case B); otherwise you are in case A).
Step by Step Guide
Go to My License Key:
DOWNLOAD THE SCRIPTS FROM HERE (Google Drive Shared Folder) https://drive.google.com/drive/folders/1q6dclzFvEFIIFd-atGx5npRCN8pDJoxY?usp=sharing
For Scenario A
INSTALL_MISP_DASHBOARD.sh
INSTALL_DEPENDENCIES_MOD.sh
For Scenario B
MODIFY_MISP_DASHBOARD.sh
For Scenario A
$ bash INSTALL_MISP_DASHBOARD.sh
For Scenario B
$ bash MODIFY_MISP_DASHBOARD.sh
$ sudo netplan apply
Created by Enrique Rossel – KMHCORP – 13/3/2020.
Edit the file /opt/thehive/conf/application.conf and enable the MISP section by uncommenting (deleting the #) the following lines and adding some configuration information.
If TheHive fails to start, check all the modifications to the application.conf file; you may have mistyped something.
If everything is working fine, you will see the MISP icon in the lower right corner of the TheHive web console.
---- extract from /opt/thehive/conf/application.conf ----
# MISP
# TheHive can connect to one or multiple MISP instances. Give each MISP
# instance a name and specify the associated Authkey that must be used
# to poll events, the case template that should be used by default when
# importing events as well as the tags that must be added to cases upon
# import.
# Prior to configuring the integration with a MISP instance, you must
# enable the MISP connector. This will allow you to import events to
# and/or export cases to the MISP instance(s).
play.modules.enabled += connectors.misp.MispConnector
misp {
# Interval between consecutive MISP event imports in hours (h) or
# minutes (m).
interval = 5m
"MISP-SERVER-ID" {
# # MISP connection configuration requires at least a URL and a key. The key must
# # be linked with a sync account on MISP.
url = "https://your-misp-server-url/"
key = "MISP-SYNC-USER-KEY"
#
# # Name of the case template in TheHive that shall be used to import
# # MISP events as cases by default.
# caseTemplate = "<Template_Name_goes_here>"
#
# # Optional tags to add to each observable imported from an event
# # available on this instance.
# tags = ["misp-server-id"]
#
# ## MISP event filters
# # MISP filters are used to exclude events from the import.
# # Filter criteria are:
# # The number of attributes
# max-attributes = 1000
# # The size of its JSON representation
# max-size = 1 MiB
# # The age of the last publish date
# max-age = 7 days
# # Organisation and tags
# exclusion {
# organisation = ["bad organisation", "other organisations"]
# tags = ["tag1", "tag2"]
# }
#
# ## HTTP client configuration (SSL and proxy)
# # Truststore to use to validate the X.509 certificate of the MISP
# # instance if the default truststore is not sufficient.
# # A proxy can also be used.
# ws {
# ssl.trustManager.stores = [ {
# path = /path/to/truststore.jks
# } ]
# proxy {
# host = proxy.mydomain.org
# port = 3128
# }
# }
#
# # MISP purpose defines if this instance can be used to import events (ImportOnly), export cases (ExportOnly) or both (ImportAndExport)
# # Default is ImportAndExport
# purpose = ImportAndExport
} ## <-- Uncomment to complete the configuration
}
Now you can see MISP alerts in TheHive, and you can create cases from MISP events or merge MISP events into TheHive cases.
Installing TheHive on Ubuntu 18.04
1) Install JDK
sudo apt-get install openjdk-11-jre-headless
If it fails, run: apt-get update --fix-missing and run it again.
2) Install Elasticsearch
# PGP key installation
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key D88E42B4
# Debian repository configuration
echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list
# Install https support for apt
sudo apt install apt-transport-https
# Elasticsearch installation
sudo apt update && sudo apt install elasticsearch
service elasticsearch start
service elasticsearch status
If it fails, edit /etc/elasticsearch/jvm.options (e.g. with vim) and set the heap size to:
-Xms1g
-Xmx1g
3) Download and unzip TheHive
cd /opt
wget https://dl.bintray.com/thehive-project/binary/thehive-latest.zip
apt install unzip
unzip thehive-latest.zip
ln -s thehive-3.4.0-1 thehive
4) Add user and define service
sudo addgroup thehive
sudo adduser --system thehive
sudo cp /opt/thehive/package/thehive.service /usr/lib/systemd/system
sudo chown -R thehive:thehive /opt/thehive
sudo chgrp thehive /opt/thehive/conf/application.conf
sudo chmod 640 /opt/thehive/conf/application.conf
5) Configure the service for TheHive
Edit the paths in the file /usr/lib/systemd/system/thehive.service
ExecStart=/opt/thehive/bin/thehive \
-Dconfig.file=/opt/thehive/conf/application.conf \
-Dlogger.file=/opt/thehive/conf/logback.xml \
-Dpidfile.path=/dev/null
6) Update Service configuration
systemctl daemon-reload
7) Define Secret Code in the Application.conf file
Edit /opt/thehive/conf/application.conf, uncomment the secret line and set a new secret.
8) Enable Service and Start TheHive
sudo systemctl enable thehive
sudo service thehive start
9) Launch TheHive, update Database and define login user
Go to the server IP and port 9000 in your browser. Update Database and define users.
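The Cortex and TheHive steps above both end with a systemd unit pointing at /opt, an application.conf restricted to the service group, and an uncommented secret. This added example (not from the original notes or from either project) checks those three outcomes for a given app; it assumes GNU stat (Ubuntu) and the play.http.secret.key setting name used in the sample configs.

```shell
#!/bin/sh
# Added example, not part of the original notes: post-install sanity checks for
# the Cortex/TheHive service unit and application.conf. Assumes GNU stat and the
# play.http.secret.key name from the sample config (an assumption).

# Every -D*.file=PATH argument in the unit file must point to an existing file.
check_unit_paths() {
    unit="$1"; missing=0
    for p in $(grep -o -- '-D[a-z]*\.file=[^ \\]*' "$unit" | cut -d= -f2); do
        if [ ! -f "$p" ]; then echo "missing: $p"; missing=$((missing + 1)); fi
    done
    return "$missing"
}

# application.conf holds the secret and API keys: mode 640, group = service group.
check_conf_perms() {
    conf="$1"; group="$2"
    set -- $(stat -c '%a %G' "$conf")
    [ "$1" = "640" ] && [ "$2" = "$group" ]
}

# The secret must be present on an uncommented line.
check_secret_set() {
    grep -q '^[[:space:]]*play\.http\.secret\.key[[:space:]]*=' "$1"
}

# Run all three checks for an app installed under /opt/<app> (cortex or thehive).
app_check() {
    app="$1"
    check_unit_paths "/usr/lib/systemd/system/$app.service" &&
    check_conf_perms "/opt/$app/conf/application.conf" "$app" &&
    check_secret_set "/opt/$app/conf/application.conf"
}

# Usage: sudo sh postinstall_check.sh cortex thehive
if [ "$#" -gt 0 ]; then
    for a in "$@"; do app_check "$a" && echo "$a: ok"; done
fi
```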