1. Automatic Install Guide
- Open a browser to https://IP_of_MISP, e.g. https://192.168.0.100
- Log in with admin@admin.test/[ YOUR_PASSWORD ]
- Click main menu [Event Actions]>[Automation] and save the text after "Your current key is", e.g. AAAAA
- Log in to MISP over SSH with misp/Password1234
curl -L https://raw.githubusercontent.com/chackco/tm-misp/master/install.sh | sudo bash -s
cd /var/www/MISP/PyMISP/examples
sudo vi keys.py
- Press [i] on the keyboard to start editing the file
- change: misp_url to your URL, e.g. 'https://192.168.0.100'
- change: misp_key to your key, e.g. 'AAAAA'
- change: misp_verifycert = False
- Sample >>
misp_url = 'https://192.168.0.100'
misp_key = 'AAAAA'
misp_verifycert = False
- Press [ESC] on the keyboard and type :wq to save the file
- Test the connection to MISP
python3 last.py -l 1h
- Check that there are no errors other than the unverified HTTPS request warning, which is expected because misp_verifycert is False
⚠️ NOTE: if you do not have Apex Central, please skip this
- Open the Apex Central console main menu > [Administration] > [Settings] > [Automation API Access Settings]
- Click "+Add"
Figure 3: Create new Apex Central API Key
- Type an Application name, e.g. TM-MISP, and click "Save"
- Copy (Application ID) and (API key) to notepad
⚠️ NOTE: if you do not have Deep Security, please skip this
- Open Deep Security Manager console main menu > [Administration] > [User Management] > [API keys]
- Click "New..."
Figure 4: Create new Deep Security/Workload Security API Key
- Type Name: TM-MISP
- Select Role: Full Access (or a role that has application control rulesets = Full)
- Click "Next >"
- Copy key in text box to notepad and click "Close"
- Open browser to https://www.virustotal.com/gui/join-us
- Register account
- Log in to the account and click your profile in the top right corner
- Click API key
- Copy your API key
sudo vi tmconfig.php
- Press [i] on the keyboard to start editing the file
- change vt_api_key to your VirusTotal API key
- change ddd_url to your DDD web service share URL
- Sample >>
$vt_api_key="00000";
$ddd_url = "https://8.8.8.8/blu/urlshare.txt";
- Press [ESC] on the keyboard and type :wq to save the file
sudo vi /var/www/MISP/app/webroot/tmconfig.py
- Press [i] on the keyboard to start editing the file
- change: insert_mode = 'manual' # the mode can be 'manual' or 'auto'
- change: insert_only_tm = 'true' # set to 'true' to process only events that have the tag 'TM-MISP'
⚠️ NOTE: if you do not have Apex Central, leave use_url_base as ''
- change: use_url_base = 'https://Apex_central_ip'
- change: use_application_id = 'Apex application id'
- change: use_api_key = 'Apex api key'
⚠️ NOTE: if you do not have Deep Security, leave ds_url_base as ''
- change: ds_url_base = 'https://dsm_ip:4119'
- change: ds_api_key = 'Deep security api key'
- Sample >>
insert_mode = 'manual'
use_url_base = 'https://192.168.0.101'
use_application_id = '7BB7B7E5-47BA-4073-B9AE-7AA7E00041D6'
use_api_key = '6549019E-FBF2-428B-ABA6-3E423AD111C5'
ds_url_base = 'https://192.168.0.102:4119'
ds_api_key = '5A0EED36-1BC8-2FA1-2D36-40999DC59F02:F2488EFD-2671-0CC7-90F6-500D2E074ABA:fLStNjL5y7roKHlLH7STKz8GFLCgKhAygLyZJ3UopKo='
insert_only_tm = "true"
- Press [ESC] on the keyboard and type :wq to save the file
- Run this command at the shell >>
sudo python3 tm-api.py
- done!
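
A consistency check for the edited tmconfig.py, as an added example that is not part of the TM-MISP project: it reads the file without executing it and checks the settings this guide names. The helper names and the SAMPLE values are constructed for illustration, and the script assumes tmconfig.py holds plain string assignments as in the sample above.

```python
import ast
import os
import stat

# Constructed sample in the layout of tmconfig.py; the values are placeholders.
SAMPLE = """
insert_mode = 'manual'
use_url_base = 'https://192.168.0.101'
use_application_id = 'APP-ID-PLACEHOLDER'
use_api_key = 'API-KEY-PLACEHOLDER'
ds_url_base = ''
ds_api_key = ''
"""

# (product, URL setting, credential settings) as named in this guide.
INTEGRATIONS = (
    ("Apex Central", "use_url_base", ("use_application_id", "use_api_key")),
    ("Deep Security", "ds_url_base", ("ds_api_key",)),
)

def load_settings(source):
    """Collect top-level NAME = literal assignments without executing the file."""
    settings = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:
                settings[node.targets[0].id] = None  # not a plain literal
    return settings

def check_settings(s):
    """Return a list of problems; an empty URL means that product is skipped."""
    problems = []
    if s.get("insert_mode") not in ("manual", "auto"):
        problems.append("insert_mode must be 'manual' or 'auto'")
    for product, url_key, cred_keys in INTEGRATIONS:
        url = s.get(url_key) or ""
        if not url:
            continue
        if not url.startswith("https://"):
            problems.append(f"{url_key}: {product} URL should use https://")
        problems += [f"{k} is empty but {url_key} is set"
                     for k in cred_keys if not s.get(k)]
    return problems

def world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)  # 'other' can read the API keys
```

Run load_settings() on the contents of /var/www/MISP/app/webroot/tmconfig.py and world_readable() on its path before starting tm-api.py.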
[ TM-MISP Project ]