search

MISP / MISP-maltego

Set of Maltego transforms to inferface with a MISP Threat Sharing instance, and also to explore the whole MITRE ATT&CK dataset.
GNU Affero General Public License v3.0
170 stars 46 forks source link

running MISP-maltego inside (centralized deployment) container #54

Closed netmg closed 2 years ago

netmg commented 2 years ago

I'm deploying MISP-maltego in a centralized fashion (because we have a large user base and we don't want to support individual installations on each user desktop). The container runs alongside our internal CTAS, iTDS and MISP servers. Inside the container, configurations have been modified by adding our misp URL and key to:

/var/plume/canari.conf
/var/plume/MISP_maltego.conf
/usr/local/lib/python3.8/site-packages/MISP_maltego/resources/etc/MISP_maltego.conf

However - these comments in the container have me confused (in canari.conf) - do I need to change anything here?:


[canari.remote]
# This section deals exclusively with remote transform execution and has no effect on local transform execution. Modify
# these options if you are running your transforms under plume.

# Additional config files that should be read to merge with the current config in remote exec mode.
configs =

# Specify any transforms that your WSGI container will host. This is for Plume ONLY.
packages =

The running container looks healthy to me (from inside container):

root@415ca0be8d10:/# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Mar09 ?        00:00:00 /bin/sh /etc/init.d/plume start-docker
nobody       7     1  0 Mar09 ?        00:00:11 /usr/local/bin/python /usr/local/bin/twistd --rundir=/var/plume --uid=65534 --gid=1000 -n web --wsgi=canari.tas.plume.application --port=tcp
root        14     0  0 Mar09 pts/0    00:00:00 /bin/bash

And if I try to curl to it from outside the container, I get an answer:

-bash-4.2$ curl -vv -k http://<dockerhost>:<misp-maltego port>/MISP_maltego.SearchInMISP
* About to connect() to <dockerhost> port misp-maltego-port> (#0)
*   Trying 1.2.3.4...
* Connected to <dockerhost> (1.2.3.4) port <misp-maltego-port> (#0)
> GET /MISP_maltego.SearchInMISP HTTP/1.1
> User-Agent: curl/7.29.0
> Host: <dockerhost>:<misp-maltego-port>
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: TwistedWeb/22.1.0
< Date: Thu, 10 Mar 2022 19:45:01 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 4
<
* Connection #0 to host <dockerhost> left intact
Yes?

-bash-4.2$

This all looks great up to this point.

However.... I'm not sure where to go from here? On the maltego client I'm assuming I need to add an internal transform hub item pointing to this container with a seed URL? If correct - where does value needed for the seed come from?

Once the seed has been configured I'm hoping all available MISP-maltego transformations will be present in the client transform drop-down menus?

Thanks as-always for any help provided.

cvandeplas commented 2 years ago

It's excellent if your Plume is running correctly. That indicates all dependencies and so on are fine.

When running as remote transform (like you plan to do) configuration wise the misp_url, and apikey are set in the Maltego client. You could choose to change this behaviour, and set the variables in the [MISP_maltego.remote] section of the MISP_maltego.conf file so that all users connect with the parameters you have set. If you wish to do so you will need to do a minor patch in util.py#L82. It's only a few lines of code, so no rocket science, a pull-request is welcome.

When making those changes, you will need to restart plume.

Last, but not least, you will have to configure everything too, on your private CTAS. I would recommend you to look at Paterva's documentation on how to do so. What I did (for the public transforms hosted in the transform hub)

Then configure the seed in Maltego.

Here are some screenshots of my configuration for the transform hub transforms:

image

image

image

image

When all is configured:

image

netmg commented 2 years ago

Thank you Christophe for all the details above - very helpful!

I did follow the notes in here but I must have missed a step on the iTDS server admin page. Based on your screen shots and comments above, I'll revisit my path. It's probably something simple (e.g. connecting the seed to the config name maybe?)

I was starting to believe that I needed to add the transforms manually, but that doesn't appear to be the case if I do this correctly.

Thanks again - will update here with progress.

cvandeplas commented 2 years ago

Afaik it's manual, but for more info you best liaise with Paterva support.

netmg commented 2 years ago

I was able to get this working with your help above. Part of the effort included co-locating the MISP-maltego container alongside the Maltego iTDS and MISP containers, so we could avoid tweaking Maltego-provided yaml files. In the future, we don't have to worry about merging our changes into updated configs from them. (It also has the added benefits of all traffic remaining on-host between them, on a private docker network and references to container names vs. hosts or IP's - nice for trans-portability between platforms).

We are still contemplating which way we will deploy MISP keys (each desktop providing their own, or a single one inside the container). If we decide to centralize, I'll provide an update and PR for you.

Thank you for your time - both in supporting us, and in developing this tool!

cvandeplas commented 2 years ago

Thank you for the update !