TakahiroHaruyama / openioc_scan

openioc_scan Volatility Framework plugin
GNU General Public License v2.0

Integration with MISP (Malware Information Sharing Platform) #2

Open elhoim opened 8 years ago

elhoim commented 8 years ago

MISP is a platform to exchange IOCs. It would be great to have integration with it, more specifically to download the IOCs and then compare those to the ones from the memory dump being analyzed.

MISP has a key-authenticated REST API, with a reference Python library, PyMISP.

The documentation has a list of available IOC types under the chapter "Attribute categories and types".

A lot of types are network-oriented but could also be checked in memory (e.g. ip, hostname, url); some are host-based (mutex, filename, registry key).

Some new attribute types are foreseen for a future release, and they might come in handy.

I have opened a ticket to add OpenIOC export to the REST API, since it currently offers only JSON and XML; MISP supports exporting individual events as OpenIOC from the UI, but not from the API.

Feel free to open more tickets in MISP repo if more things are needed for integration.

I can arrange access to a MISP instance if you need for testing.

TakahiroHaruyama commented 8 years ago

Sounds great. openioc_scan uses OpenIOC 1.1 format IOCs. I think the implementation of ioc_writer is helpful for understanding the format. The IOC definitions specific to openioc_scan are included in this repository; they can be imported into PyIOCe, which is an open-source IOC editor. Unfortunately, I've never used MISP, but I can advise on, or check, whether your exported output is usable by openioc_scan. Let me know if you have any questions.

elhoim commented 8 years ago

MISP can export individual events as OpenIOC 1.0, for example: http://speedy.sh/eAtuY/misp.openIOC1926.ioc . I have created the request mentioned above (https://github.com/MISP/MISP/issues/607) to be able to export the whole MISP repository as one OpenIOC file.

Do you want me to arrange access to a MISP repository so that you can check it out? Just for reference, the instance I am talking about has 168 organisations (384 users) sharing 224,000+ IOCs.

What I am trying to do is to create an ecosystem around MISP, so that a number of open-source tools import data from it and can use it to do their work more effectively, and so that MISP gains more traction and encourages people to share more IOCs.

Would you be open to the idea of creating a small additional script so that openioc_scan can use data available in a MISP instance? If https://github.com/MISP/MISP/issues/607 is done, then it becomes much easier from your point of view.

TakahiroHaruyama commented 8 years ago

I think it's easy to implement export for OpenIOC 1.1 because you already have a conversion function to OpenIOC 1.0. The differences are few, and ioc_writer provides sample code for the conversion.

In the meantime, could you give me access to MISP? I'm afraid the IOCs used by openioc_scan are memory-specific, so most IOCs in MISP (e.g., hash values) may not be useful for the tool.
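The two comments above describe the gap between the formats: MISP exports an event as OpenIOC 1.0, while openioc_scan consumes OpenIOC 1.1, and many MISP indicators (file hashes) have no meaning in a memory scan. The script below is an added example written for this thread; it is not code from openioc_scan, MISP, PyMISP or ioc_writer. It converts an OpenIOC 1.0 document to OpenIOC 1.1 with the standard library only, applying the structural changes as I understand the two schemas: the `ioc` root becomes `OpenIOC` in the 1.1 namespace, the metadata elements move under `metadata`, `definition` becomes `criteria`, each `IndicatorItem` gains the `preserve-case` and `negate` attributes, and the 1.0 conditions `isnot`/`containsnot` become `is`/`contains` with `negate="true"`. The input document, its identifiers, the IP address and the mutex name are all constructed for the example; the set of "disk-only" terms that are dropped by default is my assumption about what is useless for a memory scan, not an openioc_scan rule. A real integration would obtain the 1.0 document from the MISP export described above instead of the inline sample.

```python
"""OpenIOC 1.0 -> OpenIOC 1.1 converter (added example, standard library only)."""
import uuid
import xml.etree.ElementTree as ET

NS_10 = "http://schemas.mandiant.com/2010/ioc"     # OpenIOC 1.0 namespace
NS_11 = "http://openioc.org/schemas/OpenIOC_1.1"   # OpenIOC 1.1 namespace


def q10(tag):
    return "{%s}%s" % (NS_10, tag)


def q11(tag):
    return "{%s}%s" % (NS_11, tag)


# Assumption: terms that only describe on-disk files are useless for a memory
# scan and are dropped by default. Pass drop_terms=() to keep everything.
DISK_ONLY_TERMS = frozenset({"FileItem/Md5sum", "FileItem/Sha1sum", "FileItem/Sha256sum"})

# OpenIOC 1.0 expressed negation as separate conditions; 1.1 uses negate="true".
NEGATED_CONDITIONS = {"isnot": "is", "containsnot": "contains"}

# Constructed sample in the shape of a per-event OpenIOC 1.0 export. Every
# value (ids, mutex name, IP, hash, path) is invented for this example.
SAMPLE_IOC_10 = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="cd8a4f4c-1e7d-4d2c-9a1c-000000000001" last-modified="2016-01-15T10:00:00">
  <short_description>Constructed event (example)</short_description>
  <description>Host and network indicators, invented for this example</description>
  <keywords/>
  <authored_by>misp</authored_by>
  <authored_date>2016-01-15T10:00:00</authored_date>
  <links/>
  <definition>
    <Indicator operator="OR" id="0b5e6c3e-0000-4000-8000-000000000010">
      <IndicatorItem id="0b5e6c3e-0000-4000-8000-000000000011" condition="is">
        <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/>
        <Content type="string">Global\ExampleMutex_1926</Content>
      </IndicatorItem>
      <IndicatorItem id="0b5e6c3e-0000-4000-8000-000000000012" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
        <Content type="IP">203.0.113.45</Content>
      </IndicatorItem>
      <IndicatorItem id="0b5e6c3e-0000-4000-8000-000000000013" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <IndicatorItem id="0b5e6c3e-0000-4000-8000-000000000014" condition="containsnot">
        <Context document="ProcessItem" search="ProcessItem/path" type="mir"/>
        <Content type="string">C:\Windows\System32\</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""


def _convert_indicator(ind, drop_terms):
    """Convert one 1.0 <Indicator> (recursively, nested groups included)."""
    new = ET.Element(q11("Indicator"), {
        "id": ind.get("id") or str(uuid.uuid4()),
        "operator": ind.get("operator", "OR"),
    })
    for child in ind:
        if child.tag == q10("Indicator"):
            new.append(_convert_indicator(child, drop_terms))
        elif child.tag == q10("IndicatorItem"):
            ctx = child.find(q10("Context"))
            content = child.find(q10("Content"))
            if ctx is None or content is None or ctx.get("search") in drop_terms:
                continue  # malformed item, or a term we chose not to carry over
            cond = child.get("condition", "is")
            item = ET.SubElement(new, q11("IndicatorItem"), {
                "id": child.get("id") or str(uuid.uuid4()),
                "condition": NEGATED_CONDITIONS.get(cond, cond),
                "preserve-case": "false",
                "negate": "true" if cond in NEGATED_CONDITIONS else "false",
            })
            ET.SubElement(item, q11("Context"), dict(ctx.attrib))
            ET.SubElement(item, q11("Content"), dict(content.attrib)).text = content.text
    return new


def convert_10_to_11(xml_text, drop_terms=DISK_ONLY_TERMS):
    """Return the root element of an OpenIOC 1.1 document built from 1.0 text."""
    src = ET.fromstring(xml_text)
    if src.tag != q10("ioc"):
        raise ValueError("not an OpenIOC 1.0 document: %s" % src.tag)
    modified = src.get("last-modified", "")
    root = ET.Element(q11("OpenIOC"), {
        "id": src.get("id") or str(uuid.uuid4()),
        "last-modified": modified,
        "published-date": modified,
    })
    meta = ET.SubElement(root, q11("metadata"))
    for tag in ("short_description", "description", "keywords",
                "authored_by", "authored_date", "links"):
        old = src.find(q10(tag))
        new = ET.SubElement(meta, q11(tag))
        if old is not None:
            new.text = old.text
            for link in old:  # <links> may carry <link> children; re-namespace them
                ET.SubElement(new, q11(link.tag.split("}")[-1]), dict(link.attrib)).text = link.text
    criteria = ET.SubElement(root, q11("criteria"))
    definition = src.find(q10("definition"))
    for ind in (definition if definition is not None else []):
        if ind.tag == q10("Indicator"):
            criteria.append(_convert_indicator(ind, drop_terms))
    ET.SubElement(root, q11("parameters"))
    return root


def indicator_items(root):
    """Flatten a converted document into (search, condition, negate, content) tuples."""
    out = []
    for item in root.iter(q11("IndicatorItem")):
        ctx = item.find(q11("Context"))
        content = item.find(q11("Content"))
        out.append((ctx.get("search"), item.get("condition"), item.get("negate"), content.text))
    return out


def to_xml(root):
    ET.register_namespace("", NS_11)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(to_xml(convert_10_to_11(SAMPLE_IOC_10)))
```

Running the script prints the converted document; the hash indicator is gone, the `containsnot` item comes out as `condition="contains" negate="true"`, and the remaining items keep their original `search` terms and ids. Whether a given term is actually evaluated by openioc_scan still depends on the term list shipped in this repository, so the output should be checked against those definitions before use.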

perez1987 commented 8 years ago

@elhoim We are also creating a larger community for sharing IOCs. I think we could be in touch via e-mail to share information about the architecture of our platforms and MISP.

elhoim commented 8 years ago

@perez1987 gladly!

My email is my nickname + @gmail.com

TakahiroHaruyama commented 8 years ago

@elhoim can you give me access to MISP? First, I just want to try it.