gcrahay / otx_misp

Imports Alienvault OTX pulses to a MISP instance

Description of otx-misp arguments #20

Closed ndhambi closed 6 years ago

ndhambi commented 6 years ago

Can anyone help in defining in detail what the following otx-misp arguments mean? The documentation does not give out more info:

-t , --timestamp (what time does this represent) Last import as Date/Time ISO format or UNIX timestamp
-c , --config-file (what does this configuration file contain)
-w, --write-config Write the configuration file

gcrahay commented 6 years ago

-t: this is the time of the oldest OTX pulse the program must fetch
-c: otx-misp arguments can be written to a file (with -c), so the next time you call it, you don't need to give them again (only -c)
-u: Updates the timestamp of last import (the -t argument) in the configuration file

# First time
~$ otx-misp  -o <OTX API key> -s https://misp.example.com -m <MISP API key> -t  "2017-07-16T19:20:30+01:00" -u -c otx.ini -w
# Configuration file content
~# cat otx.ini
otx = <OTX API key>
server = https://misp.example.com
misp = <MISP API key>
update_timestamp = yes
[...]
# Next time
~$ otx-misp -c otx.ini

ndhambi commented 6 years ago

Thanks, I now understand it better. One more question. The above setup means that I have to execute the "otx-misp -c otx.ini" command every time I want to import pulses. How can I do it so that it fetches the pulses when there is a new update, or fetches pulses more frequently?

gcrahay commented 6 years ago

You should configure a cron job to launch otx-misp.

ndhambi commented 6 years ago

I tried using cron to schedule the import.

This is what I did in my crontab file.

00 09 * /home/user1/otximport.sh

I have scheduled it to execute the import command every day at 9 am.

This is what my otximport.sh script contains:

#!/bin/bash

PATH=$PATH/home/user1/.local/bin
export PATH
otx-misp --otx "OTX API " --server "server url" --misp "MISP key" --discovertags-tags -v -v -n -a -d

This is the error message that I get from the mail log:

/home/user1/otximport.sh: line5: otx-misp: command not found

jbeley commented 6 years ago

It appears that you may have a typo in your script (note the line that starts with PATH)

#!/bin/bash

PATH=$PATH:/home/user1/.local/bin
export PATH
otx-misp --otx --server --misp --discovertags-tags -v -v -n -a -d

Also, you may wish to remove the verbosity flags, as they may produce output. The cron daemon will generate a mail message each time the script runs with output.

On Fri, Oct 6, 2017 at 4:33 AM WhiteWalker notifications@github.com wrote:


ndhambi commented 6 years ago

Ya, it was the typo, thanks :). It now executes, but the imported pulses don't appear on my MISP.

I checked the mail log file; it shows the events being imported (the same output it shows when I execute the otx-misp command on the command line), but there is nothing on MISP.

ndhambi commented 6 years ago

Finally got it to work, but the problem is that every time I execute the otx-misp command, it also imports the old pulses that were imported before (it duplicates the imports on the MISP instance). Is there a way not to import pulses that have already been imported (only import new pulses)?
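As an added example, not code from the otx_misp project or from anyone in this thread, here is the cron wrapper the thread converges on: PATH extended with the ':' separator the original script lacked, a check that otx-misp actually resolves before cron tries to run it, the configuration file written once with -c/-w instead of API keys on the command line, and no -v flags so cron's mail only carries errors. The paths /home/user1/.local/bin and /home/user1/otx.ini, the log file and the script name otximport.sh are assumptions taken from the thread; the three config keys checked (otx, server, misp) are the ones shown in the maintainer's example. It relies on the maintainer's description of -t and -u: with update_timestamp = yes in the config, each run records the time of the last import so the next run starts from there instead of re-fetching everything.

```shell
#!/bin/sh
# Added example (not from the otx_misp project): a cron wrapper for otx-misp.
# Assumptions: otx-misp was installed per-user so it lives in $HOME/.local/bin,
# and a config file written with `otx-misp ... -u -c otx.ini -w` exists at
# $CONFIG. All three paths below are placeholders.
set -eu

OTX_MISP_BIN_DIR="${OTX_MISP_BIN_DIR:-/home/user1/.local/bin}"
CONFIG="${CONFIG:-/home/user1/otx.ini}"
LOG="${LOG:-/home/user1/otx-misp.log}"

# Append a directory to a PATH-style value with the ':' separator that was
# missing from the crontab script in the thread. Prints the new value and
# leaves it unchanged if the directory is already present.
append_path() {
    case ":$1:" in
        *":$2:"*) printf '%s\n' "$1" ;;
        *)        printf '%s:%s\n' "$1" "$2" ;;
    esac
}

# Resolve a command name to an absolute path; prints nothing and returns 1
# if it is not on PATH, which is what cron's "command not found" meant.
resolve_cmd() {
    command -v "$1" 2>/dev/null || return 1
}

# Check that the configuration file carries the keys the maintainer's example
# shows (otx, server, misp). Returns 1 and names the first missing key.
check_config() {
    for key in otx server misp; do
        grep -q "^$key *= *." "$1" || { printf 'missing key: %s\n' "$key"; return 1; }
    done
}

run_import() {
    PATH=$(append_path "$PATH" "$OTX_MISP_BIN_DIR")
    export PATH
    bin=$(resolve_cmd otx-misp) || { echo "otx-misp not found on PATH=$PATH" >&2; return 1; }
    check_config "$CONFIG" >&2 || return 1
    # No -v flags: cron mails any output, so only errors reach the mailbox.
    # With update_timestamp = yes in the config, the stored -t value advances
    # after each import, so the next run only fetches newer pulses.
    "$bin" -c "$CONFIG" >>"$LOG" 2>&1
}

# Only import when invoked with "run" (crontab: 00 09 * * * /home/user1/otximport.sh run),
# so the functions above can also be sourced and checked without side effects.
if [ "${1:-}" = run ]; then
    run_import
fi
```

Installed as `00 09 * * * /home/user1/otximport.sh run`, the crontab entry needs no PATH of its own, and a missing binary or a truncated config file produces one short error line in cron's mail instead of a silent no-op.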