cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

FR: Better MISP options #2127

Open DigiAngel opened 6 years ago

DigiAngel commented 6 years ago

So spender has these for MISP options:

title = IOCs 
network = yes
ids_files = no
dropped = yes
registry = no
mutexes = yes

whereas cuckoo2 has these:

mode = maldoc ipaddr hashes url

Can we get title, registry, and mutex as well please? Thank you.

Tux-Panik commented 6 years ago

Thanks @DigiAngel, I'm facing the same issue. I assume 2.0.5.3 doesn't include all MISP options, and compared to previous version we used (2.0rc2) we have an important regression.

So, from my side I suggest to implement in the future the following options, especially TO AVOID IRRELEVANT EVENT PUBLICATION, if your server is linked to a public one:

For processing.conf:

only_ids = yes|no
ioc_blacklist =

For reporting.conf:

tag =
min_malscore =
threads =
extend_context = yes|no
upload_iocs = yes|no
title =
network = yes|no
ids_files = yes|no
dropped = yes|no
registry = yes|no
mutexes = yes|no
distribution = 0|1|2|3|4
threat_level_id = 0|1|2|3
analysis = 0|1|2
ioc_blacklist =

I found some contributions from @xme and also @daniel-gallagher: https://github.com/xme/cuckoo https://github.com/daniel-gallagher/modules-cuckoo-mod

Please, if you are facing the same issue in 2.0.5.3, please keep me in touch, to be sure I'm not alone. Thanks in advance, Kind regards, Julien
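An added example, not Cuckoo's, MISP's or the commenter's code, of what a pre-submission filter along the lines of the options proposed above could look like: it applies hypothetical mode, min_malscore, ioc_blacklist and only_ids settings to a constructed, Cuckoo-style report and returns only the attributes that would be pushed to MISP. The option names, the report layout and the MISP attribute types are assumptions here.

```python
import fnmatch

# Constructed reporting.conf-style settings; option names are the hypothetical
# ones from the post above, not real Cuckoo keys.
CONFIG = {
    "mode": {"ipaddr", "hashes", "url"},   # IoC classes to submit
    "min_malscore": 6.0,                   # create no event below this score
    "only_ids": True,                      # flag attributes as IDS-usable
    "ioc_blacklist": ["8.8.8.8", "*.microsoft.com", "http://ocsp.*"],
}

# Constructed, trimmed Cuckoo-like report (assumed layout, placeholder hash).
REPORT = {
    "info": {"score": 7.3},
    "target": {"file": {"md5": "0" * 32}},
    "network": {
        "hosts": ["8.8.8.8", "198.51.100.23"],
        "domains": [{"domain": "crl.microsoft.com"}, {"domain": "evil.example"}],
        "http": [{"uri": "http://ocsp.example.org/"}, {"uri": "http://evil.example/dl"}],
    },
}

def blacklisted(value, patterns):
    """True when value matches any shell-style pattern in the blacklist."""
    return any(fnmatch.fnmatch(value, p) for p in patterns)

def select_iocs(report, cfg):
    """Attributes that would go into a MISP event, or [] if no event should be created."""
    if report["info"]["score"] < cfg["min_malscore"]:
        return []                      # low score: publish nothing for this sample
    candidates = []
    if "hashes" in cfg["mode"]:
        for h in ("md5", "sha1", "sha256"):
            if report["target"]["file"].get(h):
                candidates.append((h, report["target"]["file"][h]))
    if "ipaddr" in cfg["mode"]:
        candidates += [("ip-dst", ip) for ip in report["network"]["hosts"]]
    if "url" in cfg["mode"]:           # domains grouped under url here (assumption)
        candidates += [("domain", d["domain"]) for d in report["network"]["domains"]]
        candidates += [("url", r["uri"]) for r in report["network"]["http"]]
    return [
        {"type": t, "value": v, "to_ids": cfg["only_ids"]}
        for t, v in candidates
        if not blacklisted(v, cfg["ioc_blacklist"])   # drop benign/known-good IoCs
    ]

if __name__ == "__main__":
    for attr in select_iocs(REPORT, CONFIG):
        print(attr)
```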

doomedraven commented 6 years ago

you can easily extend that for what you want with few lines of code

Tux-Panik commented 6 years ago

In 2.0.5.3, there are no longer files such as modules/processing/misp.py or modules/reporting/misp.py. So, I assume the modifications you suggest (which "lines of code"?) should be made in the "virtualenv". How do I do this? However, thanks for your answer.

doomedraven commented 6 years ago

they are in another folder, just do search locate misp.py

Tux-Panik commented 6 years ago

Thanks, I found them in:

I applied some modifications, but they raised an exception, indeed nothing is easy :-/ However, it's not fun to change core code, especially when the modification can be useful to all users.

So, I really think these features should be pushed in the future releases. Thanks again,

doomedraven commented 6 years ago

that's where you need to learn cuckoo internals ;) wipe hashes.txt and no issues anymore

SparkyNZL commented 6 years ago

misp.py ... Mist, that was a cool game in its time.

On Wed, Feb 21, 2018 at 3:45 AM, doomedraven notifications@github.com wrote:

they are in another folder, just do search locate mist.py


Tux-Panik commented 6 years ago

Not sure to understand your answer @doomedraven . I opened the following issue due to an "indentation error": https://github.com/xme/cuckoo/issues/1. But I don't think my problem is related to "hashes.txt" but due to a syntax/interpretation error. Thanks,

doomedraven commented 6 years ago

good luck

DigiAngel commented 6 years ago

Any movement on this? Here's a comparison of cuckoo1 vs cuckoo2

[screenshot from 2018-03-16 04-35-20]

3 vs 573...

doomedraven commented 6 years ago

You can port it :p

DigiAngel commented 6 years ago

LoL...doomed my friend..if I could actually DO this, then I wouldn't be here wasting people's time...I would have done it already. The only reason I'm here is because I DON'T KNOW HOW. I'm all for learning however...care to point me in the right direction for porting it?

doomedraven commented 6 years ago

Check my cuckoo mod misp.py and here misp.py and just add/remove what you need ;) I doubt that MISP is a priority as there's much more cool stuff in dev ;) and I don't use MISP anymore so can't help

DigiAngel commented 6 years ago

Ok cool thanks...looking at this now:

https://github.com/doomedraven/cuckoo/blob/master/cuckoo/reporting/misp.py

doomedraven commented 6 years ago

Em that is 404 no?

Tux-Panik commented 6 years ago

Hello,

Bad links:

@DigiAngel : keep us in touch if you have better results using those files. Thx

Regards,

doomedraven commented 6 years ago

My repo shouldn't exist, and if it does, it's only to push things to this repo

DigiAngel commented 6 years ago

Ok...so doomed where exactly is "Check my cuckoo mod misp.py"? I thought it was in your repo :(

doomedraven commented 6 years ago

In cuckoo-modified repo

DigiAngel commented 6 years ago

Ok...let's shoot for this beastie:

https://github.com/spender-sandbox/cuckoo-modified/blob/master/modules/reporting/misp.py

Will try out some options and see what happens thanks.

DigiAngel commented 6 years ago

Well that was fun. Ya there's no way in Hades I'll be able to do any significant work on this...the two reporting/misp.py files are radically different...and me not being a Python programmer, I'm just not going to be able to do much besides just break things. Here's a screenshot of just the def run section.

[screenshot 2018-03-16 10_20_26: oldmisp.py in Visual Studio Code]

Tux-Panik commented 6 years ago

@DigiAngel Did you try to replace the newmisp.py with the oldmisp.py? I think I tested it and Cuckoo didn't restart.

DigiAngel commented 6 years ago

I did not..I can already tell that this isn't going to be a simple copy/paste of regkey and mutex...but something a lot more in depth. We are at the whims of the devs on this one I think.

doomedraven commented 6 years ago

Replacing them won't work as the internals are different; you then need to wait for a Python coder who uses Cuckoo and MISP

RicoVZ commented 6 years ago

Hi @DigiAngel ,

I'll ask this to be marked as a feature request. It will then be easier to find for people who seek to contribute some code etc.

DigiAngel commented 6 years ago

I appreciate that!

Tux-Panik commented 6 years ago

Thanks @RicoVZ for the update. I already pushed this need to MISP developers team (CIRCL) especially to @adulau I hope it will help. Regards, Julien

adulau commented 6 years ago

We had a chat with @jbremer and we have some plan to improve it all together.

jbremer commented 6 years ago

Exactly! :-) Cuckoo & MISP bonding period is starting soon.

Tux-Panik commented 6 years ago

Very Very good news. Obviously present to help and support you, as far as I can with all Gemalto CERT members.

Regards, Julien

DigiAngel commented 6 years ago

Count me on in the testing side as well!

trismegistusX commented 6 years ago

Any update on this testing?

Would be useful to get the tagging import working again.

Tux-Panik commented 6 years ago

Unfortunately, not on my side... still praying :-)

SparkyNZL commented 6 years ago

This is being worked on, it is mainly due to the changes in the new pymisp

On Fri, Sep 14, 2018 at 8:36 AM trismegistusX notifications@github.com wrote:

Any update on this testing?

Would be useful to get the tagging import working again.


DigiAngel commented 6 years ago

Excellent...excited to see the results.

Tux-Panik commented 5 years ago

Hi, I took the time to work again on this topic. After downloading the latest Cuckoo version (2.0.6) the old MISP filters are still not working.

May you, please, clarify if this feature is still present in Cuckoo's roadmap or not?

Thanks a lot. Regards, Julien

doomedraven commented 5 years ago

just upgrade pymisp

Tux-Panik commented 5 years ago

So, I updated the pymisp version, using PIP:

pip install -U pymisp
cuckoo 2.0.6.2 has requirement pymisp==2.4.54, but you'll have pymisp 2.4.98 which is incompatible.
Installing collected packages: pymisp
  Found existing installation: pymisp 2.4.54
    Uninstalling pymisp-2.4.54:
      Successfully uninstalled pymisp-2.4.54
Successfully installed pymisp-2.4.98

Then, I uncommented only 2 legacy MISP options in "processing.conf" (Tag + Distribution) and I restarted the cuckoo's service but the following warnings were raised:

2018-12-04 11:18:20,978 [cuckoo.common.config] ERROR: Type of config parameter reporting:misp:tag not found! This may indicate that you've incorrectly filled out the Cuckoo configuration, please double check it.
2018-12-04 11:18:20,979 [cuckoo.common.config] ERROR: Type of config parameter reporting:misp:distribution not found! This may indicate that you've incorrectly filled out the Cuckoo configuration, please double check it.

Come back at start point... Thank you for your support, Regards, Julien

doomedraven commented 5 years ago

mode = maldoc ipaddr hashes url

it doesn't support other options

[misp]
enabled = {{ reporting.misp.enabled }}
url = {{ reporting.misp.url }}
apikey = {{ reporting.misp.apikey }}

# The various modes describe which information should be submitted to MISP,
# separated by whitespace. Available modes: maldoc ipaddr hashes url.
mode = {{ reporting.misp.mode }}

Tux-Panik commented 5 years ago

That's right... and come back at start point. No way to filter the events that are pushed to MISP... that's nothing or all!

doomedraven commented 5 years ago

well if you miss something you always can improve and push PR ;) looks like just nobody uses it who would care to extend it so far

Tux-Panik commented 5 years ago

Dear, I just sent a pull request. Attached is my code suggestion to:

Note: sometimes, line 90 must be adapted to fit your cuckoo results path.

Regards, Julien

misp.zip