Mateo Martinez – Krav Maga Hacking | Boutique Cybersecurity Consultancy Firm

Installing MISP Dashboard

Install MISP Dashboard

We will cover 2 different scenarios:

A) MISP v2.4 installed without the Dashboard. Installed with the script without parameter -D or without being installed because of the changes on versiones 2.4.122 & 2.4.123 related to changes in MaxMind.

B) MISP 2.4 installed with a version older than MISP 2.4.121 and using the script with -D parameter.

Verification os scenarios A) or B):

if you have a /var/www/misp-dashboard & /etc/apache2/sites-available/misp-dashboard.conf then you are in B) else you are in case A)

Step by Step Guide

Create free account in MaxMind for the product geolite2

https://www.maxmind.com/en/geolite2/signup

Log in: https://www.maxmind.com/en/account/login

Go to My License Key:

Imagen que contiene captura de pantalla

Descripción generada automáticamente

Generate a new key

Add description (1), configure it for GeoIP Update (2) and versions older than 3.1.1 (3). Confirm.

Note the User ID (1) ad created License Key (2). Download the configuration.

Wait for 5 min for the key confirmation and receive a confirmation email.
Access your MISP server through SSH
Download the scripts in $HOME

DOWNLOAD THE SCRIPTS FROM HERE (Google Drive Shared Folder) https://drive.google.com/drive/folders/1q6dclzFvEFIIFd-atGx5npRCN8pDJoxY?usp=sharing

For Scenario A

INSTALL_MISP_DASHBOARD.sh

INSTALL_DEPENDENCIES_MOD.sh

For Scenario B

MODIFY_MISP_DASHBOARD.sh

Execute:

For Scenario A

$ bash INSTALL_MISP_DASHBOARD.sh

For Scenario B

$ bash MODIFY_MISP_DASHBOARD.sh

Your MaxMind user and password will be required
Edit /var/www/misp-dashboard/config/config.cfg and change the host IP from 0.0.0.0 to your MISP server IP

Imagen que contiene interior, pared

Descripción generada automáticamente

Restart network interface

$ sudo netplan apply

Access your new dashboard on the port 8001 over https (https://MISP-IP:8001)

Imagen que contiene captura de pantalla, monitor

Descripción generada automáticamente

Created by Enrique Rossel – KMHCORP – 13/3/2020.

Integrating TheHive and MISP

Edit the file /opt/thehive/conf/application.conf and enable the MISP section by uncommenting (deleting the #) the following lines and adding some configuration information.

Uncomment some lines (delete the # at the start of the lines)
Add MISP url and sync user key
Define sync time interval in minutes (m) or hours(h)
Save the file and restart TheHive service (service thehive restart)

if TheHive fails to start, check all the modifications to the application.conf file, you may mistype something.

If everything is working fine, you will see this icon in the lower right corner of TheHive web console:

—- extract from /opt/thehive/conf/application.conf —-

# MISP

# TheHive can connect to one or multiple MISP instances. Give each MISP

# instance a name and specify the associated Authkey that must be used

# to poll events, the case template that should be used by default when

# importing events as well as the tags that must be added to cases upon

# import.

# Prior to configuring the integration with a MISP instance, you must

# enable the MISP connector. This will allow you to import events to

# and/or export cases to the MISP instance(s).

play.modules.enabled += connectors.misp.MispConnector

misp {

# Interval between consecutive MISP event imports in hours (h) or

# minutes (m).

interval = 5m

“MISP-SERVER-ID” {

# # MISP connection configuration requires at least an url and a key. The key must

# # be linked with a sync account on MISP.

url = “https://your-misp-server-url/”

key = “MISP-SYNC-USER-KEY”

#

# # Name of the case template in TheHive that shall be used to import

# # MISP events as cases by default.

# caseTemplate = “<Template_Name_goes_here>

#

# # Optional tags to add to each observable imported from an event

# # available on this instance.

# tags = [“misp-server-id”]

#

# ## MISP event filters

# # MISP filters is used to exclude events from the import.

# # Filter criteria are:

# # The number of attribute

# max-attributes = 1000

# # The size of its JSON representation

# max-size = 1 MiB

# # The age of the last publish date

# max-age = 7 days

# # Organization and tags

# exclusion {

# organisation = [“bad organisation”, “other organisations”]

# tags = [“tag1”, “tag2”]

# }

#

# ## HTTP client configuration (SSL and proxy)

# # Truststore to use to validate the X.509 certificate of the MISP

# # instance if the default truststore is not sufficient.

# # Proxy can also be used

# ws {

# ssl.trustManager.stores = [ {

# path = /path/to/truststore.jks

# } ]

# proxy {

# host = proxy.mydomain.org

# port = 3128

# }

#

# # MISP purpose defines if this instance can be used to import events (ImportOnly), export cases (ExportOnly) or both (ImportAndExport)

# # Default is ImportAndExport

# purpose = ImportAndExport

} ## <– Uncomment to complete the configuration

}

Now you can see MISP alerts on TheHive and you can create cases from MISP events or merge MISP events into TheHive Cases

Installing TheHive is really easy!

Installing TheHive on Ubuntu 18.04

1) Install JDK

sudo apt-get install openjdk-11-jre-headless

If fails, run: apt-get update --fix-missing and run it again

2) Install Elasticsearch

# PGP key installation
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key D88E42B4

# Debian repository configuration
echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list

# Install https support for apt
sudo apt install apt-transport-https

# Elasticsearch installation
sudo apt update && sudo apt install elasticsearch
service elasticsearch start
service elasticsearch status

if fails, edit file vim /etc/elasticsearch/jvm.options and change heap space to:

-Xms1g
-Xmx1g

3)Download and unzip TheHive

cd /opt
wget https://dl.bintray.com/thehive-project/binary/thehive-latest.zip
apt install unzip
unzip thehive-latest.zip
ln -s thehive-3.4.0-1 thehive

4)Add user and define service

sudo addgroup thehive
sudo adduser --system thehive
sudo cp /opt/thehive/package/thehive.service /usr/lib/systemd/system
sudo chown -R thehive:thehive /opt/thehive
sudo chgrp thehive /opt/thehive/conf/application.conf
sudo chmod 640 /opt/thehive/conf/application.conf

5) Configure the service for TheHive

Edit the paths in the file  /usr/lib/systemd/system/thehive.service

ExecStart=/opt/thehive/bin/thehive \
        -Dconfig.file=/opt/thehive/conf/application.conf \
        -Dlogger.file=/opt/thehive/conf/logback.xml \
        -Dpidfile.path=/dev/null


6) Update Service configuration

systemctl daemon-reload

7) Define Secret Code in the Application.conf file

Edit file /opt/thehive/conf/application.conf and uncomment secret code section and define a new one

8) Enable Service and Start TheHive
sudo systemctl enable thehive
sudo service thehive start

9) Launch TheHive, update Database and define login user

Go to the server IP and port 9000 in your browser. Update Database and define users.

Install MISP in 2 easy steps

Prepare an Ubuntu 18.04.
Execute the following commands:
- wget -O /tmp/INSTALL.sh https://lnkd.in/e6TAh22
- bash /tmp/INSTALL.sh

Author - Mateo Martinez

Install AIL Framework

Installing CORTEX

Installing MISP Dashboard

Integrating TheHive and MISP

Installing TheHive is really easy!

Install MISP in 2 easy steps