remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

Pull misp_instances via REST instead of relying on file in local-directory #183

Closed mmeyer21 closed 3 years ago

mmeyer21 commented 3 years ago

Hi there,

In my environment we are bound to use different stages. That is why we need to configure different misp_instances per stage. To get that done we are using different apps per stage added to this great app for interacting with MISP. The configuration dashboard is working quite well in this constellation. To get the custom commands running, I needed to change the prepare_config in misp_common.py.

I changed it from relying on a /local/*.conf file to using REST (like in the Config dashboard). Unfortunately I did not test it with cert_file or proxy_settings.

Sample code:

```python
import splunklib.data


def prepare_config(helper, app_name, misp_instance, storage_passwords):
    config_args = dict()
    # get the MISP instance to be used: query the account endpoint over REST
    # (stanzas from any app are returned) instead of reading local/*.conf
    response = helper.service.get('misp42splunk_account')
    misp_instances = []
    if response.status == 200:
        misp_instances = splunklib.data.load(response.body.read())['feed']['entry']
    if len(misp_instances) > 0:
        found_stanza = False
        for instance in list(misp_instances):
            if misp_instance == str(instance.get('title')):
                app_config = instance.get('content')
                found_stanza = True
        if not found_stanza:
            raise Exception(
                "no misp_instance with specified name found: %s" % misp_instance
            )
    else:
        raise Exception(
            "no misp_instance configured. Please "
            "configure an inputs entry for %s" % misp_instance
        )
    # the rest of prepare_config (filling config_args from app_config) is unchanged
    return config_args
```
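The stanza selection sketched above, as an added example that is not part of the issue or of the misp42splunk app: it works on the structure splunklib.data.load() returns for the account endpoint (no splunklib import, so it runs offline), normalises the single-entry case, fails closed when the name is missing or ambiguous, and redacts the API key before anything is logged. The feed, app names and URLs below are constructed; the eai:acl field is assumed to sit inside each entry's content as in Splunk's Atom feeds.

```python
SENSITIVE_KEYS = ('api_key', 'password', 'client_secret')

# Constructed feed: two stanzas coming from two stage-specific config apps.
CONSTRUCTED_FEED = {
    'feed': {
        'entry': [
            {'title': 'misp_dev',
             'content': {'misp_url': 'https://misp-dev.example.internal',
                         'api_key': 'DEV-KEY-PLACEHOLDER',
                         'eai:acl': {'app': 'misp_dev_config'}}},
            {'title': 'misp_prod',
             'content': {'misp_url': 'https://misp.example.internal',
                         'api_key': 'PROD-KEY-PLACEHOLDER',
                         'eai:acl': {'app': 'misp_prod_config'}}},
        ]
    }
}


def feed_entries(feed):
    """Normalise ['feed']['entry'] to a list: splunklib.data.load() yields a
    single dict rather than a one-element list when the feed has one entry,
    and iterating that dict would walk its keys instead of the stanza."""
    entries = feed.get('feed', {}).get('entry', [])
    if isinstance(entries, dict):
        return [entries]
    return list(entries)


def select_misp_instance(feed, misp_instance):
    """Return the content dict of the stanza titled misp_instance. A missing or
    ambiguous name raises instead of silently using the last match."""
    matches = [e for e in feed_entries(feed)
               if str(e.get('title')) == misp_instance]
    if not matches:
        raise LookupError(
            "no misp_instance with specified name found: %s" % misp_instance)
    if len(matches) > 1:
        apps = [m['content'].get('eai:acl', {}).get('app') for m in matches]
        raise LookupError(
            "misp_instance %s found in several apps: %s" % (misp_instance, apps))
    return dict(matches[0]['content'])


def redact(config):
    """Copy of a stanza safe to write to search.log: secrets are masked."""
    return {k: ('***' if k in SENSITIVE_KEYS else v) for k, v in config.items()}
```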
remg427 commented 3 years ago

Hi, I am working on it. I would like to clarify. In your context you have installed several instances of the app with different app names? misp_dev, misp_staging, misp_prod? And you want to use the proper instances defined in each of them from anywhere in Splunk. That's why it is better to use REST, which returns all stanzas, when the config file only returns stanzas from misp42splunk, as this is hard coded in 4.0.0 and earlier.

So indeed REST is cleaner and will adapt to different situations. Thank you for your prototype. I am using misp_instances = splunklib.data.load(response.body.read())['feed']['entry']; on my env app_config = instance.get('content') does not work, but I copy directly from the instance dict; it is OK.

I still need to check for proxy settings and when calling from an alert action, and should push to GitHub at the beginning of next week. Hope this is fine, and thanks again for using misp42; looking forward to getting other feedback.

mmeyer21 commented 3 years ago

Hi, thank you for your quick response. We would like to use your app as delivered from GitHub or Splunkbase. In addition we have several versions of a config app with different names, one per stage (for example misp_dev, misp_staging, misp_prod). These apps only contain url, api_keys etc. for different misp_instances. Your app should be able to use misp_instances out of another app to get this working.

I'm looking forward to hearing about this issue again.

remg427 commented 3 years ago

See the latest package 4.0.1, which implements your solution for stanza settings. I wanted to do the same for proxy, but for the moment it works with the config file.

remg427 commented 3 years ago

It is fixed in 4.0.1.