Open CerberusAI opened 4 years ago
Part of the issue in "IOC type email / Tags filter #14". I didn't fix it, and haven't found any clue yet.
A little clue: I checked on MISP in /var/log/apache2/misp-dashboard.local_access.log
When you do a pull manually from MineMeld, it correctly outputs the event IDs that had the tag you set on MineMeld with the filter tag: 55, for example. So basically the request seems correct but doesn't go further.
..*.* - - [12/Feb/2020:11:11:13 +0000] "GET /servers/getPyMISPVersion.json HTTP/1.1" 200 3263 "-" "PyMISP 2.4.96 - Python 2.7.12"
... - - [12/Feb/2020:11:11:13 +0000] "GET /attributes/describeTypes.json HTTP/1.1" 200 22452 "-" "PyMISP 2.4.96 - Python 2.7.12"
**..*.* - - [12/Feb/2020:11:11:13 +0000] "POST /events/index HTTP/1.1" 200 7037 "-" "PyMISP 2.4.96 - Python 2.7.12"
... - - [12/Feb/2020:11:11:13 +0000] "GET /events/blablablablabla2 HTTP/1.1" 200 86224 "-" "PyMISP 2.4.96 - Python 2.7.12"
**..*. - - [12/Feb/2020:11:11:13 +0000] "GET /events/blablablablabla HTTP/1.1" 200 153137 "-" "PyMISP 2.4.96 - Python 2.7.12"
I'll edit info about that issue.
Doesn't work for me either. I tried the following configurations but it still fetches all events.
Config 1:
misp-blockable-green:
  filters:
    tag:

Config 2:
misp-blockable-green:
  filters:
    tag: 'TLP:GREEN'
  inputs: []
  output: true
  prototype: misp.anyEvent
All IoCs are pulled without any changes to the base config from misp.tlpWhiteEvent. When using that prototype, I would expect the miner to only pull in events / IoCs that are tagged as "tlp:white", but it's not filtering (all IoCs are ingested).
I've also tried filtering by custom tags I have in MISP, but then it won't pull anything. Please let me know if I'm missing something or how I can fix it. Thanks.
My stack...
MISP Extension - 2.4.96b1
MISP Docker - https://github.com/MISP/docker-misp
MineMeld Docker - https://live.paloaltonetworks.com/t5/MineMeld-Articles/Running-MineMeld-using-Docker/ta-p/289062
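An added example, not MineMeld's or MISP's own code, for checking from the MISP side whether a pull honoured the tag filter: it applies a MineMeld-style `filters: tag:` value to events shaped like the `Event` objects `/events/index` returns, reads the event IDs PyMISP actually fetched out of the Apache access log lines shown above, and reports the ones the filter should have excluded. The events, numeric event IDs, client IP and tag values are constructed, and case-insensitive tag matching is an assumption, not documented MineMeld behaviour.

```python
import re

# Constructed events with only the fields the tag filter needs (not real MISP data).
SAMPLE_EVENTS = [
    {"id": "55", "Tag": [{"name": "tlp:green"}]},
    {"id": "56", "Tag": [{"name": "TLP:GREEN"}]},
    {"id": "57", "Tag": [{"name": "tlp:white"}]},
    {"id": "58", "Tag": []},
]

# Constructed Apache access-log lines in the same shape as the thread's excerpt.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2020:11:11:13 +0000] "POST /events/index HTTP/1.1" 200 7037 "-" "PyMISP 2.4.96 - Python 2.7.12"',
    '10.0.0.5 - - [12/Feb/2020:11:11:13 +0000] "GET /events/55 HTTP/1.1" 200 86224 "-" "PyMISP 2.4.96 - Python 2.7.12"',
    '10.0.0.5 - - [12/Feb/2020:11:11:13 +0000] "GET /events/57 HTTP/1.1" 200 153137 "-" "PyMISP 2.4.96 - Python 2.7.12"',
    '10.0.0.5 - - [12/Feb/2020:11:11:14 +0000] "GET /events/58 HTTP/1.1" 404 512 "-" "PyMISP 2.4.96 - Python 2.7.12"',
]

def filter_events_by_tag(events, tag_filter, case_insensitive=True):
    """Return IDs of events carrying tag_filter.

    An empty/None filter selects every event, matching the thread's observation
    that a blank `tag:` pulls everything. Case-insensitive matching is assumed."""
    if not tag_filter:
        return [e["id"] for e in events]
    norm = (lambda s: s.lower()) if case_insensitive else (lambda s: s)
    wanted = norm(tag_filter)
    return [e["id"] for e in events
            if any(norm(t["name"]) == wanted for t in e.get("Tag", []))]

# Matches the per-event GET the miner issues after POST /events/index.
EVENT_GET = re.compile(r'"GET /events/(\d+)(?:\.json)? HTTP/1\.[01]" (\d{3})')

def fetched_event_ids(log_lines):
    """Event IDs the miner actually downloaded (2xx responses only)."""
    ids = []
    for line in log_lines:
        m = EVENT_GET.search(line)
        if m and m.group(2).startswith("2"):
            ids.append(m.group(1))
    return ids

def unexpected_fetches(log_lines, events, tag_filter, case_insensitive=True):
    """Event IDs pulled by the miner that the tag filter should have excluded."""
    expected = set(filter_events_by_tag(events, tag_filter, case_insensitive))
    return sorted(set(fetched_event_ids(log_lines)) - expected, key=int)

if __name__ == "__main__":
    print("filter should select:", filter_events_by_tag(SAMPLE_EVENTS, "tlp:green"))
    print("miner fetched:", fetched_event_ids(SAMPLE_LOG))
    print("should not have been fetched:", unexpected_fetches(SAMPLE_LOG, SAMPLE_EVENTS, "tlp:green"))
```

Feed it the real `Event` list from your MISP (`/events/index`) and the lines from misp-dashboard.local_access.log for one pull to see whether the extra events come from the filter not matching or from the miner ignoring the filter entirely.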