securityonion-misp

Grab NIDS rules and Zeek Intel generated from a MISP instance and use them in Security Onion:
See: https://www.circl.lu/doc/misp/automation/#nids-rules-export

Prerequisites:

• Security Onion (installed,configured)
• MISP Instance and API Key

Download and Configure (on Master or Standalone)

• Clone the repo:
  git clone https://github.com/weslambert/securityonion-misp
• Run the setup script:
  sudo securityonion-misp/so-misp-setup
• Update rules (if desired):
  sudo so-rule-update
• Confirm rules in place:
  grep -i misp /opt/so/rules/nids/all.rules
• Confirm Zeek Intel in place:
  cat /opt/so/conf/zeek/policy/intel/misp-intel.dat

A cron job will run every morning at 6:01AM to download new NIDS rules and Intel.