MISP / misp-dashboard

A live dashboard for a real-time overview of threat intelligence from MISP instances
GNU Affero General Public License v3.0

ZMQ issue #126

Closed CriBul closed 4 years ago

CriBul commented 4 years ago

Hi all, can someone please explain to me how ZMQ publishes events. So by default all events from MISP are submitted to ZMQ? I know that it is possible from the GUI to publish an event to ZMQ. Is it possible to filter only specific events to be submitted to ZMQ? For example, can I publish to ZMQ only events changed in the last 2 days?

mokaddem commented 4 years ago

Hi @CriBul, you are correct: all events from MISP are published onto the ZMQ channel if they are created/edited/deleted. This screenshot shows you the different configuration options: [screenshot not preserved]

If you would like to specifically publish events passing filtering rules, you could create a few-line PyMISP script that would:

CriBul commented 4 years ago

Hi, thanks for the reply. OK, but how can I create a PyMISP script that "bypasses" the default configuration to fetch all event IDs? Can I add my PyMISP script to the default configuration files? If yes, what are the files that I have to change in the MISP/ZMQ configuration?

mokaddem commented 4 years ago

What I meant is that you can create a PyMISP script that will trigger ZMQ publishing from the MISP side. Then the dashboard will receive these scripted publishings. The workflow could look like this:

Does that make sense for you?

CriBul commented 4 years ago

Hi, it's clear and makes sense to me. So the question is to understand how to create the script. So can publish_recent_misp_event_to_zmq.py be taken from the scripts zmq_subscriber.py or zmq_dispatcher.py? Are they the scripts that fetch events from MISP and subscribe to ZMQ?

mokaddem commented 4 years ago

I'm not sure I correctly understand the question, so let me answer this: misp-dashboard never performs any query on MISP itself. It only subscribes to the ZMQ channel generated by MISP zmq_subscriber.py. That's why you don't have to provide a MISP API key to use it. However, in the scenario described above, the usage of your API key will be inevitable. Using PyMISP or some curl commands to create the new script publish_recent_misp_event_to_zmq.py can be useful.
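The script sketched in the thread above, written out as an added example (it is not part of misp-dashboard or MISP): it searches MISP for events modified in the last two days and asks MISP to push each one onto its ZMQ channel, which is what a subscribed misp-dashboard then receives. It talks to MISP's REST endpoints `events/restSearch` (with a relative `timestamp` filter) and `events/pushEventToZMQ/<id>` (the endpoint behind the UI's "Publish event to ZMQ" button) directly with `urllib`, so it runs without PyMISP installed. `MISP_URL` and `MISP_KEY` are placeholders, and the events inside `dry_run()` are constructed sample data; the API key is required because, as noted above, the dashboard itself never queries MISP.

```python
"""publish_recent_misp_event_to_zmq.py (added example; not misp-dashboard code)

Fetches the events modified in the last N days through MISP's REST API and
asks MISP to re-publish each of them on its ZMQ channel, so that a
misp-dashboard subscribed to that channel receives them.
"""
import json
import time
import urllib.request
from typing import Callable, List, Optional

MISP_URL = "https://misp.example.org"      # placeholder: your MISP base URL
MISP_KEY = "REPLACE_WITH_YOUR_API_KEY"     # placeholder: an authkey with read + publish rights
MAX_AGE_SECONDS = 2 * 24 * 3600            # "changed in the last 2 days"

RequestFn = Callable[[str, Optional[dict]], dict]


def misp_request(path: str, body: Optional[dict] = None) -> dict:
    """POST a JSON body to <MISP_URL>/<path> with the API key and return the decoded reply."""
    data = json.dumps(body or {}).encode()
    req = urllib.request.Request(
        f"{MISP_URL}/{path}",
        data=data,
        method="POST",
        headers={
            "Authorization": MISP_KEY,
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def select_recent_events(events: List[dict], now: int,
                         max_age_seconds: int = MAX_AGE_SECONDS) -> List[str]:
    """Return the IDs of events whose last-modification 'timestamp' (epoch seconds)
    lies within max_age_seconds of 'now'. Accepts both the {"Event": {...}} wrapper
    that restSearch returns and bare event dicts."""
    recent = []
    for entry in events:
        event = entry.get("Event", entry)
        if now - int(event["timestamp"]) <= max_age_seconds:
            recent.append(str(event["id"]))
    return recent


def publish_recent(request: RequestFn = misp_request, now: Optional[int] = None,
                   max_age_seconds: int = MAX_AGE_SECONDS) -> List[str]:
    """Search MISP for recently modified events and push each one to ZMQ.

    The server-side 'timestamp' filter (e.g. "2d") keeps the search small;
    select_recent_events() then applies the exact client-side cutoff.
    """
    now = int(time.time()) if now is None else now
    days = max(1, -(-max_age_seconds // 86400))  # ceiling division, at least one day
    search = request("events/restSearch", {"returnFormat": "json", "timestamp": f"{days}d"})
    event_ids = select_recent_events(search.get("response", []), now, max_age_seconds)
    for event_id in event_ids:
        # Same action as the "Publish event to ZMQ" button in the MISP UI.
        request(f"events/pushEventToZMQ/{event_id}", {})
    return event_ids


def dry_run():
    """Offline demonstration against constructed events; no MISP instance needed."""
    now = 1_700_000_000
    sample = [  # constructed sample data, shaped like a restSearch reply
        {"Event": {"id": "10", "info": "fresh", "timestamp": str(now - 3600)}},
        {"Event": {"id": "11", "info": "stale", "timestamp": str(now - 3 * 86400)}},
        {"Event": {"id": "12", "info": "boundary", "timestamp": str(now - MAX_AGE_SECONDS)}},
    ]
    calls: List[str] = []

    def fake_request(path: str, body: Optional[dict] = None) -> dict:
        calls.append(path)  # record which endpoints the script would hit
        if path == "events/restSearch":
            return {"response": sample}
        return {"message": "Event published to ZMQ"}  # constructed reply

    return publish_recent(fake_request, now=now), calls


if __name__ == "__main__":
    print(dry_run())                # offline check: which IDs would be pushed
    # print(publish_recent())       # real run against MISP_URL with MISP_KEY
```

Run it as a cron job (or once by hand) on a host that may hold a MISP API key; the dashboard host keeps needing none. The client-side cutoff is deliberate: MISP's relative `timestamp` filter is day-granular, so the exact "last 48 hours" check happens in `select_recent_events()`.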