Closed ghost closed 8 years ago
Started looking into this already: managed to get a working version which captures the Event ID for the event which the sample is contained within. Happy to share my code if you would like.
I'm not the strongest when it comes to PHP, and have a little issue which would require more work, but the fundamentals seem to be working nicely.
Good idea. Please share the code and I will also look at the MISP API.
Code for vt_runMISP.php
<?php
require('config.php');

$counter = 0;

// Connect with the legacy MongoClient driver used by the rest of the project
$m = new MongoClient("mongodb://" . $mongo_server_host . ":" . $mongo_server_port);
$db = $m->selectDB($mongo_db);
$collection = new MongoCollection($db, $mongo_collection);
$cursor = $collection->find();

if ($misp_on == "true")
{
    foreach ($cursor as $array)
    {
        // Search MISP for attributes matching the sample's MD5
        $data = array('request' => array('value' => $array['md5'], 'type' => 'md5'));
        $data_json = json_encode($data);
        $context = stream_context_create(array(
            'http' => array(
                'method'  => 'POST',
                'header'  => "Authorization: " . $misp_key . "\r\n" .
                             "Accept: application/json\r\n" .
                             "Content-Type: application/json\r\n",
                'content' => $data_json,
                // Return the body on a 4xx/5xx status instead of a warning and false
                'ignore_errors' => true
            )
        ));
        $url = $misp_url . "/events/restSearch/download";
        $result2 = file_get_contents($url, false, $context);
        $thejson = json_decode($result2, true);

        if (is_array($thejson) && array_key_exists('response', $thejson))
        {
            $jsoncount = count($thejson['response']);
            if ($jsoncount > 0)
            {
                // Comma-separated list of the MISP event IDs that contain this sample
                $ids = array();
                foreach ($thejson['response'] as $jsonevent)
                {
                    $ids[] = $jsonevent['Event']['id'];
                }
                $jsonevents = implode(', ', $ids);

                // Flag the sample in Mongo and record which events it appears in
                $retval = $collection->findAndModify(
                    array("id" => $array['id']),
                    array('$set' => array('misp' => "true", 'misp_event' => $jsonevents))
                );
                $counter++;
            }
        }
    }
    echo "Found " . $counter . " Samples in MISP";
}
else
{
    echo "MISP config is set to False";
}
?>
A couple of other small bits in config etc., but this is the bulk. Pulls back correctly, but I seem to get a lot of 404 failure requests for hits which aren't in MISP. Should come back with a response of "no results".
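As an added example (not code from the thread or from the VT-Hunter project), the lookup above can be split into a pure function that turns a decoded MISP restSearch response into the event-ID string, and a lookup function that reads the HTTP status line so that a 404 for an unknown hash is reported as a status rather than surfacing as a PHP warning. The `$misp_url`, `$misp_key` and `/events/restSearch/download` path are taken from the thread; the sample responses are constructed, and the shape of an empty result (`{"response": []}`) and the use of `ignore_errors` are assumptions about the MISP version in use.

```php
<?php
// Added example; not part of the VT-Hunter project.

// Turn a decoded MISP restSearch response into a comma-separated list of
// event IDs. Returns "" when nothing matched or the body was not a result set
// (e.g. a 404 page or an error message that json_decode turns into null).
function mispEventIds($decoded)
{
    if (!is_array($decoded) || !isset($decoded['response']) || !is_array($decoded['response'])) {
        return "";
    }
    $ids = array();
    foreach ($decoded['response'] as $event) {
        if (isset($event['Event']['id'])) {
            $ids[] = $event['Event']['id'];
        }
    }
    return implode(', ', $ids);
}

// POST an MD5 search to MISP and return array(http_status, event_id_string).
// 'ignore_errors' makes file_get_contents return the body on 4xx/5xx so the
// status can be inspected instead of triggering a warning (assumption: the
// MISP instance answers 404 for hashes it does not know, as seen in the thread).
function mispLookupMd5($misp_url, $misp_key, $md5)
{
    $payload = json_encode(array('request' => array('value' => $md5, 'type' => 'md5')));
    $context = stream_context_create(array(
        'http' => array(
            'method'        => 'POST',
            'header'        => "Authorization: " . $misp_key . "\r\n" .
                               "Accept: application/json\r\n" .
                               "Content-Type: application/json\r\n",
            'content'       => $payload,
            'ignore_errors' => true,
        )
    ));
    // '@' only silences transport-level failures (DNS, connection refused);
    // HTTP error statuses are handled below via $http_response_header.
    $body = @file_get_contents($misp_url . "/events/restSearch/download", false, $context);

    $status = 0;
    // The HTTP wrapper fills $http_response_header in this scope; the first
    // element is the status line, e.g. "HTTP/1.1 404 Not Found".
    if (isset($http_response_header[0]) &&
        preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        $status = (int)$m[1];
    }
    if ($status !== 200) {
        return array($status, "");
    }
    return array($status, mispEventIds(json_decode($body, true)));
}

// Constructed sample responses used to exercise the parser offline.
$found = json_decode('{"response":[{"Event":{"id":"17"}},{"Event":{"id":"42"}}]}', true);
$empty = json_decode('{"response":[]}', true);

assert(mispEventIds($found) === "17, 42");
assert(mispEventIds($empty) === "");
assert(mispEventIds(json_decode('Not found', true)) === "");
echo "parser OK\n";
```

The caller can then treat `array(404, "")` as "not in MISP" and `array(200, "")` as a successful search with no hits, instead of relying on the presence or absence of a PHP warning.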
Thanks, might need to hold off until I have a MISP to test against.
Excellent, hope it goes successfully when you do get one set up.
Feel free to take a look at my active development of MISP integration. https://github.com/tomking2/VT-Hunter/tree/MISP
Thanks for integrating, it's looking good. This can be closed now.
Much like the crits integration, an integration module for MISP would be excellent. I may look into this if I have time.