TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Bug] MISP export visibility even if not configured on your organisation #1976

Open torsolaso opened 3 years ago

torsolaso commented 3 years ago

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| TheHive version / git hash | 4.1.3 |
| DB | Cassandra |
| Index | ES |

Problem Description

When you click on the "Export" button, Thv4 always shows you all MISP instances that you configured, even though it has not been configured for this organization.

Steps to Reproduce

  1. Create ORG A
  2. Create ORG B
  3. Create ORG C
  4. Configure on ORG A MISP A
  5. Configure on ORG B MISP B
  6. Configure on ORG C MISP C
  7. Create ORG D
  8. Create Case in ORG D
  9. Click on EXPORT button and see how you can see MISP A MISP B MISP C
  10. Click on Export button popup and see how UI is getting "CaseExportCtrl"
  11. Create case in ORG A
  12. Click on EXPORT button and see how you can see MISP A MISP B MISP C
  13. Check only MISP A export is working (expected)

Possible Solutions

Check organisation MISP configuration.

Complementary information

LEFT is STEP 9 and RIGHT is STEP 13 image

torsolaso commented 3 years ago

Maybe a solution could be to use a toast like "No MISP config available" like this:

image

To-om commented 3 years ago

How did you link organisation with misp? Can you share your configuration?

torsolaso commented 3 years ago

Sure, below is attached the configuration regarding MISP testing.

On the screenshot, LEFT is ORGANIZATION_D (no MISP config) and RIGHT is ORGANIZATION_A

```
## MISP configuration
# More information at https://github.com/TheHive-Project/TheHiveDocs/TheHive4/Administration/Connectors.md
play.modules.enabled += org.thp.thehive.connector.misp.MispModule

misp {
    interval: 5m
    servers: [
        {
            name = "ORGANIZATION_A"
            url = "https://mispInstance"
            auth {
                type = key
                key = "apiKey2"
            }
            purpose = ImportAndExport
            tags = ["MISP-testing"]
            max-attributes = 2000
            max-size = 16 MiB
            max-age = 30 days
            exclusion {
              organisation = ["ORGANIZATION_A"]
            }
            includedTheHiveOrganisations = ["ORGANIZATION_A"]
        },
        {
            name = "ORGANIZATION_B"
            url = "https://mispInstance"
            auth {
                type = key
                key = "apiKey1"
            }
            purpose = ImportAndExport
            tags = ["MISP-testing"]
            max-attributes = 2000
            max-size = 16 MiB
            max-age = 30 days
            exclusion {
              organisation = ["ORGANIZATION_B"]
            }
            includedTheHiveOrganisations = ["ORGANIZATION_B"]
        },
        {
            name = "ORGANIZATION_C"
            url = "https://mispInstance"
            auth {
                type = key
                key = "apiKey2"
            }
            purpose = ExportOnly
            tags = ["MISP-testing"]
            max-attributes = 2000
            max-size = 16 MiB
            max-age = 30 days
            exclusion {
              organisation = ["ORGANIZATION_C"]
            }
            includedTheHiveOrganisations = ["ORGANIZATION_C"]
        }
    ]
}

# Define maximum size of attachments (default 10MB)
play.http.parser.maxDiskBuffer: 1GB
play.http.parser.maxMemoryBuffer = 100M
play.akka.server.terminationTimeout = infinite
play.server.akka.terminationTimeout = null
```

torsolaso commented 3 years ago

I tested it on version 4.1.7 and the behavior remains the same. Should this be the expected behavior, @To-om?

torsolaso commented 3 years ago

@To-om Were you able to reproduce this behavior with the information I provided?
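
The per-organisation check proposed under "Possible Solutions", written out as an added example that is not TheHive's code and not part of the original thread: it computes which MISP servers an organisation should be offered for export and which offered servers exceed that. The function names are hypothetical, the server list is a constructed subset of the configuration posted above, and treating a missing `includedTheHiveOrganisations` as "all organisations" is an assumption.

```python
# Constructed from the configuration posted in this thread (only the fields
# relevant to export visibility are kept).
SERVERS = [
    {"name": "ORGANIZATION_A", "purpose": "ImportAndExport",
     "includedTheHiveOrganisations": ["ORGANIZATION_A"]},
    {"name": "ORGANIZATION_B", "purpose": "ImportAndExport",
     "includedTheHiveOrganisations": ["ORGANIZATION_B"]},
    {"name": "ORGANIZATION_C", "purpose": "ExportOnly",
     "includedTheHiveOrganisations": ["ORGANIZATION_C"]},
]

# Purposes seen in the posted configuration that permit export.
EXPORT_PURPOSES = {"ExportOnly", "ImportAndExport"}


def exportable_servers(servers, organisation):
    """Names of the MISP servers that should be offered to `organisation`."""
    allowed = []
    for server in servers:
        if server.get("purpose") not in EXPORT_PURPOSES:
            continue  # import-only (or unspecified) servers are never export targets
        # Assumption: an absent list means every organisation may use the server.
        included = server.get("includedTheHiveOrganisations", ["*"])
        if "*" in included or organisation in included:
            allowed.append(server["name"])
    return allowed


def overexposed(servers, organisation, offered):
    """Servers shown to `organisation` that its configuration does not grant."""
    allowed = set(exportable_servers(servers, organisation))
    return sorted(set(offered) - allowed)


if __name__ == "__main__":
    # What the reporter saw in the Export dialog for every organisation.
    shown = ["ORGANIZATION_A", "ORGANIZATION_B", "ORGANIZATION_C"]
    for org in ("ORGANIZATION_A", "ORGANIZATION_D"):
        print(org, "expected:", exportable_servers(SERVERS, org),
              "overexposed:", overexposed(SERVERS, org, shown))
```

An empty result from `exportable_servers` is the case where the "No MISP config available" toast suggested earlier in the thread would apply.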