MISP / misp-dashboard

A live dashboard for a real-time overview of threat intelligence from MISP instances
GNU Affero General Public License v3.0
192 stars 66 forks

Dashboard not showing results #158

Open woodonggyu opened 3 years ago

woodonggyu commented 3 years ago

Currently, I can access misp-dashboard, but when I do something (e.g. add an event), misp-dashboard does not show any results.

The settings are as follows.

In config.cfg:

    [Auth]
    auth_enabled = False
    misp_fqdn = https://192.168.22.128
    ssl_verify = False
    session_secret = **Change_Me**
    # Only send cookies with requests over HTTPS if the cookie is marked secure.
    session_cookie_secure = False

In MISP ZeroMQ settings (+ installed pyzmq):

| Priority | Setting | Value | Description | Error message |
|---|---|---|---|---|
| Optional | Plugin.ZeroMQ_enable | true | Enables or disables the pub/sub feature of MISP. Make sure that you install the requirements for the plugin to work. Refer to the installation instructions for more information. | |
| Optional | Plugin.ZeroMQ_port | 50000 | The port that the pub/sub feature will use. | |
| Optional | Plugin.ZeroMQ_username | | The username that client need to use to connect to ZeroMQ. | Value not set. |
| Optional | Plugin.ZeroMQ_password | | The password that client need to use to connect to ZeroMQ. | Value not set. |
| Optional | Plugin.ZeroMQ_redis_host | redis | Location of the Redis db used by MISP and the Python PUB script to queue data to be published. | |
| Optional | Plugin.ZeroMQ_redis_port | 6379 | The port that Redis is listening on. | |
| Optional | Plugin.ZeroMQ_redis_password | | The password, if set for Redis. | Value not set. |
| Optional | Plugin.ZeroMQ_redis_database | 1 | The database to be used for queuing messages for the pub/sub functionality. | |
| Optional | Plugin.ZeroMQ_redis_namespace | mispq | The namespace to be used for queuing messages for the pub/sub functionality. | |
| Optional | Plugin.ZeroMQ_include_attachments | true | Enable this setting to include the base64 encoded payloads of malware-samples/attachments in the output. | |
| Optional | Plugin.ZeroMQ_event_notifications_enable | true | Enables or disables the publishing of any event creations/edits/deletions. | |
| Optional | Plugin.ZeroMQ_object_notifications_enable | true | Enables or disables the publishing of any object creations/edits/deletions. | |
| Optional | Plugin.ZeroMQ_object_reference_notifications_enable | true | Enables or disables the publishing of any object reference creations/deletions. | |
| Optional | Plugin.ZeroMQ_attribute_notifications_enable | true | Enables or disables the publishing of any attribute creations/edits/soft deletions. | |
| Optional | Plugin.ZeroMQ_tag_notifications_enable | true | Enables or disables the publishing of any tag creations/edits/deletions as well as tags being attached to / detached from various MISP elements. | |
| Optional | Plugin.ZeroMQ_sighting_notifications_enable | true | Enables or disables the publishing of new sightings to the ZMQ pubsub feed. | |
| Optional | Plugin.ZeroMQ_user_notifications_enable | true | Enables or disables the publishing of new/modified users to the ZMQ pubsub feed. | |
| Optional | Plugin.ZeroMQ_organisation_notifications_enable | true | Enables or disables the publishing of new/modified organisations to the ZMQ pubsub feed. | |
| Optional | Plugin.ZeroMQ_audit_notifications_enable | true | Enables or disables the publishing of log entries to the ZMQ pubsub feed. Keep in mind, this can get pretty verbose depending on your logging settings. | |

What more can you doubt? Thank you.

woodonggyu commented 3 years ago

While looking for a problem, I found several suspicious problems.

The currently running environment is as follows.

According to the link below, ZeroMQ uses localhost:50000 by default. (ref. https://www.circl.lu/doc/misp/misp-zmq/)

So, can't connect to ZeroMQ from zmq_subscriber.py.

How do I change the ZeroMQ setting in MISP? (e.g. to allow external access)

    import argparse

    # The subscriber connects to tcp://localhost:50000 unless -u/--url is passed.
    parser = argparse.ArgumentParser(description='A zmq subscriber. It subscribes to a ZMQ then redispatch it to the misp-dashboard')
    parser.add_argument('-n', '--name', required=False, dest='zmqname', help='The ZMQ feed name', default="MISP Standard ZMQ")
    parser.add_argument('-u', '--url', required=False, dest='zmqurl', help='The URL to connect to', default="tcp://localhost:50000")
    args = parser.parse_args()

When running diagnostic.py, the result is as follows.

    ✔ Virtual environment and packages
    ✔ Configuration
    ✔ File permission
    ✔ Redis
    ⠼ checking zmq of misp - elapsed time: 5s

In config.cfg:

    [RedisGlobal]
    host=192.168.22.128
    port=6379
    misp_web_url = https://192.168.22.128
    misp_instances = [{
        "name": "misp",
        "url": "https://192.168.22.128",
        "zmq": "tcp://localhost:50000"}]

mokaddem commented 3 years ago

Hey, did you manage to solve your issue? If not, what is the full output of the diagnostic.py? Thanks!
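The second comment's `[RedisGlobal]` section gives the MISP URL as 192.168.22.128 while `zmq` stays on `tcp://localhost:50000`; the sketch below flags that combination and offers a TCP probe for the endpoint. It is an added example, not code from the thread or from misp-dashboard: the function names and the sample config string are constructed for illustration, and the loopback check is a heuristic that only matters when the dashboard and MISP's ZeroMQ publisher do not share a host or network namespace.

```python
import configparser
import json
import socket
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample mirroring the [RedisGlobal] section quoted in the thread.
SAMPLE_CFG = """\
[RedisGlobal]
host=192.168.22.128
port=6379
misp_web_url = https://192.168.22.128
misp_instances = [{
    "name": "misp",
    "url": "https://192.168.22.128",
    "zmq": "tcp://localhost:50000"}]
"""


def load_instances(cfg_text):
    """Return the misp_instances list from a misp-dashboard style config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    return json.loads(cp.get("RedisGlobal", "misp_instances"))


def loopback_mismatches(cfg_text):
    """Names of instances whose web URL is remote but whose zmq URL is loopback."""
    flagged = []
    for inst in load_instances(cfg_text):
        web_host = urlparse(inst["url"]).hostname
        zmq_host = urlparse(inst["zmq"]).hostname
        if zmq_host in LOOPBACK and web_host not in LOOPBACK:
            flagged.append(inst["name"])
    return flagged


def zmq_port_open(zmq_url, timeout=3.0):
    """TCP-level probe only: shows a listener exists, not that MISP is publishing."""
    u = urlparse(zmq_url)
    try:
        with socket.create_connection((u.hostname, u.port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name in loopback_mismatches(SAMPLE_CFG):
        print(f"{name}: zmq points at loopback but the MISP URL does not")
```

Running `zmq_port_open()` from the machine (or container) where `zmq_subscriber.py` runs shows whether anything is listening on the configured endpoint from that vantage point.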