## 3. Add-on: Sync DDD VASO (Virtual Analyzer Suspicious Objects) to MISP feed

Please install TM-MISP first before adding this add-on, or download tmconfig.py into the same folder as tm-to-misp.py.

- Install the TAXII 2 client library and download the sync script:

```bash
sudo pip3 install taxii2-client
sudo curl https://raw.githubusercontent.com/chackco/tm-misp/master/tm-to-misp.py --output /var/www/MISP/PyMISP/examples/tm-to-misp.py
```

- Edit the configuration file:

```bash
sudo vi /var/www/MISP/PyMISP/examples/tmconfig.py
```

  Change `ddd_url = 'https://10.0.0.100'` to your Deep Discovery Director URL, then save tmconfig.py (press "ESC" and type `:wq`).

- If you host the feed files on the MISP host itself, as in the default config, you will need to disable SSL certificate checking for MISP's outbound connections:

```bash
sudo vi /var/www/MISP/app/Lib/cakephp/lib/Cake/Network/Http/HttpSocket.php
```

  Find the `'ssl_verify_peer'` line and change `true` to `false`:

```php
'ssl_verify_peer' => false
```

  Save the file (press "ESC" and type `:wq`). Note that this is the base config of CakePHP's HttpSocket, so it turns off certificate verification for every outbound HTTP connection MISP makes through it (all feeds and server syncs), not only the local feed fetch; installing a certificate the MISP host trusts avoids the change.

- Then restart apache2:

```bash
sudo service apache2 restart
```

- Run the sync script once:

```bash
sudo python3 /var/www/MISP/PyMISP/examples/tm-to-misp.py
```

  It should finish with no error other than the cert error, and you should get 5 new files in /var/www/MISP/app/webroot/: tm-export-domain.txt, tm-export-ip.txt, tm-export-url.txt, tm-export-sha1.txt and tm-export-sha256.txt.

- Edit root's crontab to run the script every hour:

```bash
sudo crontab -e
```

```
0 * * * * python3 /var/www/MISP/PyMISP/examples/tm-to-misp.py
```
Now add the five feeds in MISP:

- Go to menu [Sync actions] > [List Feeds] > [Add Feed].
- Add the first feed, "DOMAIN": tick "Enabled", "Caching Enabled" and "Lookup Visible".
- Type name "TM SO DOMAIN", Provider "TM", Input source "Network".
- Type URL "https://[misp-ip-address]/tm-export-domain.txt".
- Source Format "Simple CSV Parsed Feed", Target Event "Fixed Event", Target Event ID [leave blank].
- Value field(s) in the CSV "1", Delimiter [leave blank], Exclusion Regex [leave blank].
- Tick "Auto Publish" and "Delta Merge", then click "Add".
- Click [Add Feed] in the left menu again and add the second ("IP"), third ("URL"), fourth ("SHA1") and fifth ("SHA256") feeds with exactly the same settings, changing only the name and the URL:

| Feed   | Name         | URL                                            |
|--------|--------------|------------------------------------------------|
| DOMAIN | TM SO DOMAIN | https://[misp-ip-address]/tm-export-domain.txt |
| IP     | TM SO IP     | https://[misp-ip-address]/tm-export-ip.txt     |
| URL    | TM SO URL    | https://[misp-ip-address]/tm-export-url.txt    |
| SHA1   | TM SO SHA1   | https://[misp-ip-address]/tm-export-sha1.txt   |
| SHA256 | TM SO SHA256 | https://[misp-ip-address]/tm-export-sha256.txt |

- Test: click [List Feeds] in the left menu, find each feed above and click the "magnifying glass" icon to see whether MISP can download the feed file. If there is no error, click the "Fetch all events" icon to fetch the IOC event.
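The five export files above are read by MISP as "Simple CSV Parsed Feed" with value field 1, so each file must hold exactly one well-formed indicator per line. The following is an added example (not code from the tm-misp project; what tm-to-misp.py does internally is not shown on this page) of splitting STIX 2 indicator patterns, the form a TAXII 2 client returns, into those five files and dropping malformed values before MISP ingests them. All sample patterns are constructed.

```python
import re
import ipaddress
from collections import defaultdict
# Constructed STIX 2.x indicator patterns of the shape a TAXII 2 client returns.
# Sample values only: the hashes are the well-known empty-input digests, not IoCs.
SAMPLE_PATTERNS = [
    "[domain-name:value = 'malicious.example']",
    "[ipv4-addr:value = '203.0.113.45']",
    "[url:value = 'http://malicious.example/payload.bin']",
    "[file:hashes.'SHA-1' = 'DA39A3EE5E6B4B0D3255BFEF95601890AFD80709']",
    "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
    "[ipv4-addr:value = '999.1.1.1']",       # malformed, must be dropped
    "[file:hashes.'SHA-1' = 'not-a-hash']",  # malformed, must be dropped
]
# Single-comparison pattern form: [<object>:<property> = '<value>']
PATTERN_RE = re.compile(r"^\[([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\]$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
# Which of the five export files each (object type, property) pair belongs in.
FILE_FOR = {
    ("domain-name", "value"): "tm-export-domain.txt",
    ("ipv4-addr", "value"): "tm-export-ip.txt",
    ("url", "value"): "tm-export-url.txt",
    ("file", "hashes.'SHA-1'"): "tm-export-sha1.txt",
    ("file", "hashes.'SHA-256'"): "tm-export-sha256.txt",
}

def _is_ip(v):
    try:
        return ipaddress.ip_address(v) is not None
    except ValueError:
        return False
# Per-file validators: a value failing its check is dropped rather than exported.
VALID = {
    "tm-export-domain.txt": lambda v: DOMAIN_RE.match(v) is not None,
    "tm-export-ip.txt": _is_ip,
    "tm-export-url.txt": lambda v: v.startswith(("http://", "https://")),
    "tm-export-sha1.txt": lambda v: re.fullmatch(r"[0-9a-f]{40}", v) is not None,
    "tm-export-sha256.txt": lambda v: re.fullmatch(r"[0-9a-f]{64}", v) is not None,
}

def split_patterns(patterns):
    """Return {export filename: sorted, de-duplicated values}; hashes lowercased."""
    out = defaultdict(set)
    for pat in patterns:
        m = PATTERN_RE.match(pat.strip())
        fname = FILE_FOR.get((m.group(1), m.group(2))) if m else None
        if fname:
            value = m.group(3).lower() if "sha" in fname else m.group(3)
            if VALID[fname](value):
                out[fname].add(value)
    return {k: sorted(v) for k, v in out.items()}
```

Writing each returned list to its file under /var/www/MISP/app/webroot/ with one value per line gives MISP the layout the feed settings above expect.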
[ TM-MISP Project ]