Shulou (SLTechnology News&Howtos, Network Security), updated 2025-01-16
Shulou (Shulou.com) 05/31 Report
This article explains in detail how to view the threat intelligence of MISP instances in real time. It is shared as a reference; after reading it you should have a working understanding of the tool involved.
The following shows how to use Misp-Dashboard to view threat intelligence from MISP instances in real time. Misp-Dashboard lets researchers view, as they arrive, the data and statistics that MISP instances publish over their ZMQ feeds. It is a dashboard that can serve as a real-time threat intelligence awareness tool and integrates a gamification feature that shows each organization's contributions and its live ranking. The dashboard can also support threat tracking by a Security Operations Center (SOC), a security research team, or security testers.
Function introduction
Real-time information dashboard
1. Subscribe to multiple ZMQ feeds from different MISP instances
2. You can view the real-time contribution of different organizations
3. Display, in real time, the geographic location of published threat intelligence where it can be resolved
Geolocation dashboard
1. Provide historical geolocation information to support security teams, CSIRT or SOC in finding threats in their constituencies
2. Obtain geographic location information from specific areas
Contribution dashboard (integrated Gamification)
1. Monthly contribution of all organizations
2. Organizations with latest contributions (dynamic updates)
3. Level of contribution of all organizations
4. Contribution categories of each organization
5. The current ranking of the selected organization (dynamic update)
User dashboard
1. Display the time and mode of use of the platform
2. Login and contribution time
Trend dashboard
1. Provide real-time information to support security teams, CSIRT or SOC in detecting threats and malicious activity
2. Show the most active events, categories, and tags
3. Display discussion information
Tool installation
Note: this tool currently runs only on Unix-like operating systems such as Linux.
First, clone the project source code locally with the following command:
git clone https://github.com/MISP/misp-dashboard.git
Then change into the project directory and run:
./install_dependencies.sh
Update the configuration file config.cfg to match your local system. The parameters that need to be modified are:
RedisGlobal -> host
RedisGlobal -> port
RedisGlobal -> zmq_url
RedisGlobal -> misp_web_url
RedisMap -> pathMaxMindDB
Tool update
Rerun the install_dependencies.sh script to fetch any new dependencies:
./install_dependencies.sh
Compare the changes in config.cfg.default with your own configuration file and update config.cfg accordingly.
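The two configuration steps above (adapting the RedisGlobal and RedisMap parameters, then diffing config.cfg.default against your config.cfg after an update) are easy to get wrong by hand. The following is an added example, not part of misp-dashboard itself: it assumes only the section and key names the text lists (RedisGlobal: host, port, zmq_url, misp_web_url; RedisMap: pathMaxMindDB), and both sample files are constructed stand-ins for config.cfg.default and a local config.cfg.

```python
"""Check a misp-dashboard config.cfg against config.cfg.default (added example)."""
import configparser
import os
from urllib.parse import urlparse

# Constructed stand-in for config.cfg.default (values are illustrative only).
DEFAULT_CFG = """\
[RedisGlobal]
host = localhost
port = 6250
zmq_url = tcp://localhost:50000
misp_web_url = http://localhost

[RedisMap]
pathMaxMindDB = ./data/GeoLite2-City.mmdb
"""

# Constructed local config.cfg with three typical mistakes: zmq_url lacks the
# tcp:// scheme, misp_web_url was never copied over from the default file, and
# the MaxMind database path points at a file that does not exist.
LOCAL_CFG = """\
[RedisGlobal]
host = 127.0.0.1
port = 6250
zmq_url = localhost:50000

[RedisMap]
pathMaxMindDB = /opt/geoip/GeoLite2-City.mmdb
"""


def load(text):
    """Parse config text, keeping key case so pathMaxMindDB stays readable."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def missing_keys(default_cfg, local_cfg):
    """Keys present in config.cfg.default but absent from the local config.cfg,
    i.e. what the 'compare the changes after an update' step looks for."""
    return [
        f"{section}.{key}"
        for section in default_cfg.sections()
        for key in default_cfg.options(section)
        if not local_cfg.has_option(section, key)
    ]


def _tcp_port(url):
    """Port of a tcp://host:port URL, or None if the URL is not of that form."""
    parts = urlparse(url)
    if parts.scheme != "tcp":
        return None
    try:
        return parts.port
    except ValueError:  # non-numeric port
        return None


def validate(cfg, path_exists=os.path.exists):
    """Return a list of problems with the parameters the dashboard relies on.
    path_exists is injectable so the check can run without the real GeoIP file."""
    problems = []

    def get(section, key):
        if cfg.has_option(section, key):
            return cfg.get(section, key).strip()
        problems.append(f"{section}.{key}: missing")
        return None

    host = get("RedisGlobal", "host")
    if host == "":
        problems.append("RedisGlobal.host: empty")

    port = get("RedisGlobal", "port")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"RedisGlobal.port: {port!r} is not a valid TCP port")

    zmq_url = get("RedisGlobal", "zmq_url")
    if zmq_url is not None and _tcp_port(zmq_url) is None:
        problems.append(f"RedisGlobal.zmq_url: {zmq_url!r} must look like tcp://host:port")

    web_url = get("RedisGlobal", "misp_web_url")
    if web_url is not None:
        parts = urlparse(web_url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"RedisGlobal.misp_web_url: {web_url!r} is not an http(s) URL")

    mmdb = get("RedisMap", "pathMaxMindDB")
    if mmdb is not None and not path_exists(mmdb):
        problems.append(f"RedisMap.pathMaxMindDB: {mmdb!r} not found")

    return problems


if __name__ == "__main__":
    default_cfg, local_cfg = load(DEFAULT_CFG), load(LOCAL_CFG)
    for item in missing_keys(default_cfg, local_cfg):
        print("missing from config.cfg:", item)
    for problem in validate(local_cfg, path_exists=lambda p: False):
        print("problem:", problem)
```

To use it against real files, replace the two constructed strings with the contents of config.cfg.default and config.cfg and drop the path_exists override so the MaxMind database path is checked on disk.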
Make sure that no zmq Python3 script is still running, because a running interpreter inside DASHENV blocks the update (the virtualenv cannot overwrite the python3 binary that is in use):
+ virtualenv -p python3 DASHENV
Already using interpreter /usr/bin/python3
Using base prefix '/usr'
New python executable in /home/steve/code/misp-dashboard/DASHENV/bin/python3
Traceback (most recent call last):
  File "/usr/bin/virtualenv", line 9, in <module>
    load_entry_point('virtualenv==15.0.1', 'console_scripts', 'virtualenv')()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 942, in create_environment
    site_packages=site_packages, clear=clear, symlink=symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 1261, in install_python
    shutil.copyfile(executable, py_executable)
  File "/usr/lib/python3.5/shutil.py", line 115, in copyfile
    with open(dst, 'wb') as fdst:
OSError: [Errno 26] Text file busy: '/home/steve/code/misp-dashboard/DASHENV/bin/python3'
Then restart the dashboard with:
./start_all.sh
or
./start_zmq.sh
./server.py &
Starting the system
Note: Misp-Dashboard runs under a regular user account and does not need root privileges.
Make sure a Redis server is running locally:
redis-server --port 6250
Activate your Virtualenv environment:
. ./DASHENV/bin/activate
Start zmq_subscriber to listen on the MISP feed:
./zmq_subscriber.py &
Start the dispatcher to process the received messages:
./zmq_dispatcher.py &
Start the Flask server:
./server.py &
Open the interface at:
http://localhost:8001/
Alternatively, run the start_all.sh script, which runs all of the above commands for you.
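The subscriber and dispatcher started above are the pipeline that turns raw feed messages into the contribution and category counts the dashboard displays. The following is an added example, not code from misp-dashboard: it assumes the MISP ZMQ wire format that zmq_subscriber consumes (a topic string, one space, then JSON) and the MISP event JSON layout (Event -> Orgc.name, Event -> Attribute[].type). No socket is opened; the feed is a constructed list of messages, so it runs offline, and it also shows how malformed or unexpected messages on the feed are counted rather than allowed to stop the pipeline.

```python
"""Dispatch MISP ZMQ feed messages into per-organisation counters (added example)."""
import json
from collections import Counter, defaultdict

# Constructed sample feed: three events from two organisations, a status
# message on a topic this dispatcher does not handle, an event whose payload
# has the wrong shape, and a truncated message.
SAMPLE_FEED = [
    'misp_json_event {"Event": {"id": "1", "Orgc": {"name": "Org-A"}, '
    '"Attribute": [{"type": "ip-dst", "value": "203.0.113.5"}, '
    '{"type": "domain", "value": "example.org"}]}}',
    'misp_json_event {"Event": {"id": "2", "Orgc": {"name": "Org-B"}, "Attribute": []}}',
    'misp_json_event {"Event": {"id": "3", "Orgc": {"name": "Org-A"}, '
    '"Attribute": [{"type": "ip-dst", "value": "198.51.100.7"}]}}',
    'misp_json_self {"status": "heartbeat"}',
    'misp_json_event {"Event": "not an object"}',
    'misp_json_event {"Event": {"id": "4", "Orgc"',
]


def parse_message(raw):
    """Split 'misp_json_event {...}' into (topic, decoded JSON payload).

    Raises ValueError for a missing payload or malformed JSON
    (json.JSONDecodeError is a ValueError subclass), so callers handle both alike.
    """
    topic, _, body = raw.partition(" ")
    if not topic or not body:
        raise ValueError(f"no JSON payload after topic {topic!r}")
    return topic, json.loads(body)


class Dispatcher:
    """Routes event messages to a handler and keeps the counters the
    contribution dashboard is built from."""

    def __init__(self):
        self.contributions = Counter()          # org name -> events published
        self.categories = defaultdict(Counter)  # org name -> attribute type -> count
        self.ignored = Counter()                # topics with no handler
        self.malformed = 0                      # messages that could not be used

    def handle(self, raw):
        """Return True if the message was consumed by a handler."""
        try:
            topic, payload = parse_message(raw)
        except ValueError:
            # Feed data is untrusted input: count the bad message and carry on
            # instead of letting one broken message stop the subscriber.
            self.malformed += 1
            return False
        if topic != "misp_json_event":
            self.ignored[topic] += 1
            return False
        return self.on_event(payload)

    def on_event(self, payload):
        """Credit the publishing organisation and tally its attribute types."""
        event = payload.get("Event") if isinstance(payload, dict) else None
        if not isinstance(event, dict):
            self.malformed += 1
            return False
        org = event.get("Orgc", {}).get("name", "unknown")
        self.contributions[org] += 1
        for attr in event.get("Attribute", []):
            self.categories[org][attr.get("type", "unknown")] += 1
        return True

    def ranking(self):
        """Organisations ordered by number of contributions, most active first."""
        return [org for org, _ in self.contributions.most_common()]


def run_feed(messages):
    """Feed a sequence of raw messages through a fresh Dispatcher and return it."""
    dispatcher = Dispatcher()
    for raw in messages:
        dispatcher.handle(raw)
    return dispatcher


if __name__ == "__main__":
    d = run_feed(SAMPLE_FEED)
    print("ranking:", d.ranking())
    print("contributions:", dict(d.contributions))
    print("ignored topics:", dict(d.ignored), "malformed:", d.malformed)
```

In the real pipeline the subscriber would receive each string from the ZMQ socket and push it to Redis, and the dispatcher would read it from there; the parsing and counting shown here sits between those two steps.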
Authentication
Authentication can be enabled by setting auth_enabled = True in the config/config.cfg file.
zmq_subscriber options
A zmq subscriber. It subscribe to a ZMQ then redispatch it to the MISP-dashboard

optional arguments:
  -h, --help            show this help message and exit
  -n ZMQNAME, --name ZMQNAME
                        The ZMQ feed name
  -u ZMQURL, --url ZMQURL
                        The URL to connect to
Deploying with mod_wsgi in production
Install Apache mod_wsgi (Python 3):
sudo apt-get install libapache2-mod-wsgi-py3
If the Python 2 version of mod_wsgi is installed, it will be replaced:
The following packages will be REMOVED:
  libapache2-mod-wsgi
The following NEW packages will be installed:
  libapache2-mod-wsgi-py3
Next, set the permissions on the project folder and create the Apache site file /etc/apache2/sites-available/misp-dashboard.conf:
# The enclosing <VirtualHost> and <Directory> blocks were lost when this page was
# extracted and are restored here; the port is assumed to match the dashboard's
# default of 8001 used above.
<VirtualHost *:8001>
    ServerAdmin admin@misp.local
    ServerName misp.local
    DocumentRoot /var/www/misp-dashboard

    WSGIDaemonProcess misp-dashboard \
        user=misp group=misp \
        python-home=/var/www/misp-dashboard/DASHENV \
        processes=1 \
        threads=15 \
        maximum-requests=5000 \
        listen-backlog=100 \
        queue-timeout=45 \
        socket-timeout=60 \
        connect-timeout=15 \
        request-timeout=60 \
        inactivity-timeout=0 \
        deadlock-timeout=60 \
        graceful-timeout=15 \
        eviction-timeout=0 \
        shutdown-timeout=5 \
        send-buffer-size=0 \
        receive-buffer-size=0 \
        header-buffer-size=0 \
        response-buffer-size=0 \
        server-metrics=Off
    WSGIScriptAlias / /var/www/misp-dashboard/misp-dashboard.wsgi

    <Directory /var/www/misp-dashboard>
        WSGIProcessGroup misp-dashboard
        WSGIApplicationGroup %{GLOBAL}
        Require all granted
    </Directory>

    LogLevel info
    ErrorLog /var/log/apache2/misp-dashboard.local_error.log
    CustomLog /var/log/apache2/misp-dashboard.local_access.log combined
    ServerSignature Off
</VirtualHost>
That is how to view the threat intelligence of MISP instances in real time. I hope the above content is of some help to you. If you found the article useful, share it so that more people can see it.