Open TiagoSantos84 opened 5 years ago
filters:
  to_ids: 1
  enforceWarninglist: 1
  published: 1
  publish_timestamp: 3650d
From my understanding, enforceWarningList: 1 is valid using the search function of PyMISP, but may not be a valid filter for this extension? @jtschichold or @scoggins may be able to confirm.
I would love to see this option added as our MISP uses warning lists to cut down on false-positive IOCs from being exported.
Hi,
I'm asking for help again on this. There is no option for enforceWarninglist: 1 or to_ids: 1.
There is the honour IDS flag, but it isn't working properly either.
honour_ids_flag: true (It doesn't do anything).
@jtschichold, Can you review the code of this miner to deal with warning lists and IDS flag?
Thank you, Tiago
Hi @TiagoSantos84, by default to_ids is honoured: https://github.com/PaloAltoNetworks/minemeld-misp/blob/develop/mmmisp/node.py#L63
Which version of MISP are you using? Which version of minemeld-misp?
Thanks
@jtschichold,
I'm using MISP version… v2.4.102 For the minemeld-misp: 2.4.96b1
I know that to_ids is honoured, however I'm still receiving 8.8.8.8 on the output log nodes.
The output node for the SIEM isn't working either, or is working with a deep malfunction.
Thank you for your reply.
@jtschichold,
Can you confirm if enforceWarningList will work as a filter option on a MISP miner node, or will the extension need to be updated first?
I'm trying to do the same using the enforceWarningList. @bsellick had you solved it?
Hi,
I would like to configure the filter to avoid false positives such as "8.8.8.8" by using warninglists and/or IDS flag.
From contributions of the MISP community, I know the filter should look like:
filters:
  to_ids: 1
  enforceWarninglist: 1
  published: 1
  publish_timestamp: 3650d
It doesn't seem to work.
Any help is welcome!
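To make concrete what the filter block in this thread is supposed to achieve, here is a small client-side emulation of the four filters (to_ids, enforceWarninglist, published, publish_timestamp) applied to constructed MISP-style attribute records. This is an added example, not code from minemeld-misp or PyMISP; the warninglist CIDRs, the attribute records and the fixed "now" are all constructed here so it runs offline, and the helper names (apply_filters, in_warninglist, parse_timespan, exported_values) are hypothetical.

```python
"""Client-side emulation of the four MISP export filters discussed above.

Added example, not minemeld-misp's or PyMISP's code. It shows what the
filter block is meant to achieve: an attribute is exported only when it is
flagged for IDS, belongs to a published event inside the publish_timestamp
window, and does not hit a warninglist entry such as a public DNS resolver.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a MISP warninglist (real lists come from the server).
WARNINGLIST_CIDRS = [ipaddress.ip_network(c) for c in ("8.8.8.0/24", "1.1.1.1/32")]

# Fixed "now" so the example is reproducible (the thread dates from early 2019).
FIXED_NOW = datetime(2019, 1, 15, tzinfo=timezone.utc)

# The filter block from the thread, expressed as a Python dict.
FILTERS = {"to_ids": 1, "enforceWarninglist": 1, "published": 1,
           "publish_timestamp": "3650d"}


def _attr(value, atype, to_ids, published, age_days):
    """Build a constructed MISP-style attribute with its parent event's fields."""
    published_at = FIXED_NOW - timedelta(days=age_days)
    return {"type": atype, "value": value, "to_ids": to_ids,
            "event": {"published": published,
                      "publish_timestamp": int(published_at.timestamp())}}


# Constructed sample data: one record per way a filter can reject an attribute.
SAMPLE_ATTRIBUTES = [
    _attr("8.8.8.8", "ip-dst", True, True, 10),        # warninglist hit
    _attr("203.0.113.5", "ip-dst", True, True, 10),    # should be exported
    _attr("198.51.100.7", "ip-dst", False, True, 10),  # to_ids not set
    _attr("192.0.2.9", "ip-dst", True, True, 4000),    # outside the 3650d window
    _attr("evil.example", "domain", True, False, 1),   # event not published
    _attr("bad.example", "domain", True, True, 30),    # should be exported
]


def in_warninglist(value):
    """True if value is an IP inside a warninglist CIDR; non-IP values never match here."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in WARNINGLIST_CIDRS)


def parse_timespan(spec):
    """Parse MISP-style relative spans such as '3650d', '12h' or '30m'."""
    units = {"d": "days", "h": "hours", "m": "minutes"}
    return timedelta(**{units[spec[-1]]: int(spec[:-1])})


def apply_filters(attributes, filters, now=FIXED_NOW):
    """Return only the attributes that pass every enabled filter."""
    cutoff = now - parse_timespan(filters.get("publish_timestamp", "3650d"))
    kept = []
    for attr in attributes:
        event = attr["event"]
        if filters.get("to_ids") and not attr["to_ids"]:
            continue
        if filters.get("published") and not event["published"]:
            continue
        published_at = datetime.fromtimestamp(event["publish_timestamp"], tz=timezone.utc)
        if published_at < cutoff:
            continue
        if filters.get("enforceWarninglist") and in_warninglist(attr["value"]):
            continue
        kept.append(attr)
    return kept


def exported_values(attributes=SAMPLE_ATTRIBUTES, filters=FILTERS):
    """Indicator values that would reach the output node after filtering."""
    return [a["value"] for a in apply_filters(attributes, filters)]


if __name__ == "__main__":
    print(exported_values())  # ['203.0.113.5', 'bad.example']
```

Running it shows 8.8.8.8 dropped by the warninglist check while the two real indicators survive. Whether the miner passes enforceWarninglist through to the MISP server is exactly the open question in this thread; a check like this on the miner's output (for example against the output log node mentioned above) is a quick way to confirm whether the server-side filter is actually being applied.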