search

MISP / MISP

MISP (core software) - Open Source Threat Intelligence and Sharing Platform
https://www.misp-project.org/
GNU Affero General Public License v3.0
5.22k stars 1.37k forks source link

Galaxies/Clusters are not included in syncs #4519

Open eCrimeLabs opened 5 years ago

eCrimeLabs commented 5 years ago

Work environment

Questions Answers
Type of issue Bug
OS version (server) Debian
OS version (client) 10
PHP version 7.3
MISP version / git hash v2.4.105 (4b1733c40f66e853f821ed4f67effc37fef20f28)
Browser If applicable

Expected behavior

When an event is synced all data included in that event should be syncronized

Actual behavior

I've experienced often that Galaxies/Cluster data is being stripped or not included in sync data.

Steps to reproduce the behavior

Manual approach is to download an event manually and import it where there are atleast one galaxy added.

This has also been experienced on normal sync especially where the receiving part pulls data from a master server

adulau commented 5 years ago

By default, only the tag referencing the cluster value is included. Organisations having the local galaxy cluster will have all the information. So it's a feature. I'm not sure if you are reporting this behaviour or another one. Cheers

eCrimeLabs commented 5 years ago

What I'm experiencing is that it is not referencing it in the tag either, also the galaxy I've added was a default included one that is on "both" sides meaning on each instance.

So tags er synced, but galaxies disappears.

Attached is a sample where I've on the original one added a galaxy "attack4fraud" -> "Phishing", however when importing it this reference is gone, also I don't see it in the exported event.

Hope it makes sense :)

Phishing_event.zip

cantarini commented 10 months ago

The same happens to me. Trying to PUSH events from instance A to instance B, galaxy clusters are not pushed, nor tags are created. Instead, PULL from A to B initiated on B instance, correctly retrieves clusters as tags. All of this happens both from 2.4.90 to 2.4.174 than between 2.4.174 instances.

cantarini commented 10 months ago

The same happens to me. Trying to PUSH events from instance A to instance B, galaxy clusters are not pushed, nor tags are created. Instead, PULL from A to B initiated on B instance, correctly retrieves clusters as tags. All of this happens both from 2.4.90 to 2.4.174 than between 2.4.174 instances.

UPDATE: It was due to missing role permissions. Adding tagger, tag editor, and galaxy editor permissions to the role fixed the behaviour. BUT there is an issue on 2.4.177: editing a pushed event and deleting some clusters or tags on the source instance for an already pushed event, the deletion of tags or clusters isn't propagated to the PUSH destination instance