PaloAltoNetworks / minemeld-misp

MineMeld nodes for MISP
Apache License 2.0

Exclude IOC based on IDS flag or warninglist #8

Open TiagoSantos84 opened 5 years ago

TiagoSantos84 commented 5 years ago

Hi,

I would like to configure the filter to avoid false positives such as "8.8.8.8" by using warninglists and/or IDS flag.

From contributions of the MISP community, I know that the filter should be like:

    filters:
      to_ids: 1
      enforceWarninglist: 1
      published: 1
      publish_timestamp: 3650d

It doesn't seem to be working.

Any help is welcome!

bsellick commented 5 years ago

    filters:
      to_ids: 1
      enforceWarninglist: 1
      published: 1
      publish_timestamp: 3650d

From my understanding, enforceWarningList: 1 is valid using the search function of PyMISP, but may not be a valid filter for this extension? @jtschichold or @scoggins may be able to confirm.

I would love to see this option added as our MISP uses warning lists to cut down on false-positive IOCs from being exported.

TiagoSantos84 commented 5 years ago

Hi,

I'm asking for help again on this. There is no option for enforceWarninglist: 1 or to_ids: 1.

You have the honour IDS flag, however it isn't working properly either.

honour IDS flag, if true only events with IDS set will be exported

honour_ids_flag: true (It doesn't do anything).

@jtschichold, can you review the code of this miner to deal with warning lists and the IDS flag?

Thank you, Tiago

jtschichold commented 5 years ago

Hi @TiagoSantos84, by default to_ids is honoured: https://github.com/PaloAltoNetworks/minemeld-misp/blob/develop/mmmisp/node.py#L63

Which version of MISP are you using? Which version of minemeld-misp?

Thanks

TiagoSantos84 commented 5 years ago

@jtschichold,

I'm using MISP version… v2.4.102. For minemeld-misp: 2.4.96b1.

I know that to_ids is honoured, however I'm still receiving 8.8.8.8 on the output log nodes.

The output node for SIEM isn't working either ... or is working with a deep malfunction.

Thank you for your reply.

bsellick commented 5 years ago

@jtschichold,

Can you confirm if enforceWarningList will work as a filter option on a MISP miner node, or will the extension need to be updated first?

davecabio commented 3 years ago

I'm trying to do the same using the enforceWarningList. @bsellick, did you solve it?
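The thread above asks for two filters on MISP attributes before they become MineMeld indicators: drop attributes whose to_ids flag is unset, and drop attributes that hit a warninglist (the "8.8.8.8" false positive). As an added illustration, not code from minemeld-misp or MISP, the following post-filter applies both checks to attribute dicts in the MISP REST attribute shape; the warninglist CIDRs, the attribute samples and the `filter_attributes` / `on_warninglist` names are constructed here and are not the miner's own configuration keys.

```python
# Added example (not part of minemeld-misp): apply a to_ids check and a
# warninglist check to MISP attributes before export. Attribute dicts use
# the MISP REST attribute fields (type, value, to_ids). The warninglist is a
# constructed stand-in for a MISP list of well-known public resolvers.
import ipaddress

# Constructed warninglist entries (CIDR strings), not a real MISP list.
WARNINGLIST_CIDRS = ["8.8.8.0/24", "8.8.4.0/24", "1.1.1.0/24"]
WARNINGLIST_NETS = [ipaddress.ip_network(c) for c in WARNINGLIST_CIDRS]

IP_TYPES = {"ip-src", "ip-dst", "ip-src|port", "ip-dst|port"}


def _flag(value):
    """Accept to_ids as a bool, 0/1 or '0'/'1' (assumed serialisations)."""
    return str(value).lower() in ("1", "true")


def on_warninglist(attr):
    """True if an ip-* attribute falls inside one of the warninglist CIDRs."""
    if attr.get("type") not in IP_TYPES:
        return False
    value = attr["value"].split("|", 1)[0]  # drop the |port suffix, if any
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(ip in net for net in WARNINGLIST_NETS)


def filter_attributes(attrs, honour_ids_flag=True, enforce_warninglist=True):
    """Return only the attributes that should be exported as indicators."""
    kept = []
    for attr in attrs:
        if honour_ids_flag and not _flag(attr.get("to_ids", False)):
            continue  # IDS flag not set: not meant for detection
        if enforce_warninglist and on_warninglist(attr):
            continue  # known benign infrastructure: likely false positive
        kept.append(attr)
    return kept


# Constructed sample attributes mimicking a MISP event export.
SAMPLE_ATTRS = [
    {"type": "ip-dst", "value": "8.8.8.8", "to_ids": True},         # warninglist
    {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True},     # kept
    {"type": "ip-src", "value": "198.51.100.9", "to_ids": False},   # no IDS flag
    {"type": "domain", "value": "example.test", "to_ids": True},    # kept
    {"type": "ip-dst|port", "value": "1.1.1.1|53", "to_ids": "1"},  # warninglist
]

if __name__ == "__main__":
    for a in filter_attributes(SAMPLE_ATTRS):
        print(a["type"], a["value"])
```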