weslambert / securityonion-misp

GNU General Public License v3.0

Using the MISP API #9

Open Jaap79 opened 1 year ago

Jaap79 commented 1 year ago

Hi,

We noticed today that the so-download-misp script is using wget. This prevents the MISP API from being used and could be replaced with curl. That should allow for more flexibility instead of downloading all MISP rules in one large batch.

Is there a go-to method to exclude false positives from importing into SecurityOnion by using MISP’s Warning Lists by any chance?

weslambert commented 1 year ago

Are you referring to an internal hesitation or non-compliance with regard to use of wget? Or are you referring to how we interface with MISP, for example not using the API, but just the NIDS, etc endpoint?

I've considered revamping the script, as I agree grabbing all rules at once is not always the best approach. We could obviously filter out certain IOCs based on age, and/or do an interval/diff-based pull.

We can also get the data into Security Onion through the use of the Threat Intel module for Elastic: https://glue.ghost.io/leveraging-threat-intel-for-event-enrichment-in-security-onion/

If there are specific features you had in mind for this repo, please feel free to drop them in as feature requests.

Jaap79 commented 1 year ago

Good afternoon,

Thanks for your reply and sorry for the late reply from my side. I'm afraid I'm not familiar with the term 'internal hesitation or non-compliance' but the following is the case. I'll also post it as a feature request though.

The script is currently using wget. However, I found that I cannot effectively use filtering, something that does work when using curl. So using curl instead of wget would be beneficial for our situation.

Although, looking at the site you mentioned, maybe it's even better to just enrich the data using the Elastic ingestion directly. That said, I'd like to filter out all MISP rules that are 'flagged' by using the Warning Lists. So basically, if a MISP rule is flagged as 'false positive', I'd like to not import that rule to begin with.
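As an added example (not the so-download-misp script and not code from either participant), the following shows the approach the thread describes: pulling Suricata rules through the MISP restSearch API with curl, so MISP applies its own warning lists and age filter server-side before any rule reaches Security Onion. It assumes MISP_URL and MISP_KEY are set in the environment, and the output path is a placeholder.

```shell
#!/bin/sh
# Added example: filtered MISP rule pull with curl instead of a single bulk
# download. Assumes MISP_URL (instance base URL) and MISP_KEY (API key) are
# exported; /tmp/misp-suricata.rules is an illustrative output path only.
set -eu

# Full URL of the attribute search endpoint for a given MISP base URL.
misp_endpoint() {
    printf '%s/attributes/restSearch\n' "${1%/}"
}

# JSON body for restSearch. Every key is a documented MISP parameter:
#   returnFormat       -> emit Suricata rules instead of JSON
#   to_ids             -> only attributes flagged for IDS export
#   enforceWarninglist -> drop attributes matching an enabled warning list
#                         (the "flagged as false positive" case above)
#   last               -> only events published within this window, e.g. 7d
#   published          -> only published events
misp_filter_body() {
    age="${1:-30d}"
    printf '{"returnFormat":"suricata","to_ids":1,"enforceWarninglist":true,"last":"%s","published":1}\n' "$age"
}

# Download the rule set and report how many alert rules came back.
# Warning-list matches are removed by MISP, so they never land on the sensor.
misp_fetch_rules() {
    age="$1"; out="$2"
    curl --silent --show-error --fail \
         --header "Authorization: ${MISP_KEY}" \
         --header "Accept: application/json" \
         --header "Content-Type: application/json" \
         --data "$(misp_filter_body "$age")" \
         --output "$out" \
         "$(misp_endpoint "$MISP_URL")"
    grep -c '^alert' "$out" || true   # grep exits 1 on zero matches
}

# Usage: ./misp-pull.sh run 7d
if [ "${1:-}" = "run" ]; then
    misp_fetch_rules "${2:-30d}" /tmp/misp-suricata.rules
fi
```

The resulting file can be placed where Security Onion's rule management expects local rules; the age window and output path are the two knobs most sites will want to change.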