  • Stars: 4,717
  • Rank: 8,490 (Top 0.2 %)
  • Language: PHP
  • License: GNU Affero Genera...
  • Created: about 11 years ago
  • Updated: 6 months ago


Repository Details

MISP (core software) - Open Source Threat Intelligence and Sharing Platform

MISP - Threat Intelligence Sharing Platform


MISP is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threat information about cyber security incident analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals and malware reversers to support their day-to-day operations and to share structured information efficiently.

The objective of MISP is to foster the sharing of structured information within the security community and beyond. MISP provides functionalities to support the exchange of information, but also the consumption of that information by Network Intrusion Detection Systems (NIDS), LIDS, log analysis tools and SIEMs.

The core functionalities of MISP (Malware Information Sharing Platform and Threat Sharing) are:

  • An efficient IOC and indicator database, allowing technical and non-technical information about malware samples, incidents, attackers and intelligence to be stored.
  • Automatic correlation finding relationships between attributes and indicators from malware, attack campaigns or analysis. The correlation engine includes correlation between attributes and more advanced correlations such as fuzzy-hashing correlation (e.g. ssdeep) or CIDR block matching. Correlation can also be enabled or even disabled per attribute.
  • A flexible data model where complex objects can be expressed and linked together to express threat intelligence, incidents or connected elements.
  • Built-in sharing functionality to ease data sharing using different distribution models. MISP can automatically synchronize events and attributes among different MISP instances. Advanced filtering functionalities can be used to meet each organization's sharing policy, including a flexible sharing-group capability and an attribute-level distribution mechanism.
  • An intuitive user interface for end users to create, update and collaborate on events and attributes/indicators. A graphical interface to navigate seamlessly between events and their correlations. An event graph functionality to create and view relationships between objects and attributes. Advanced filtering functionalities and warning lists to help analysts contribute events and attributes and limit the risk of false positives.
  • Storage of data in a structured format (allowing automated use of the database for various purposes) with extensive support for cyber security indicators alongside fraud indicators such as those used in the financial sector.
  • Export: generating IDS, OpenIOC, plain text, CSV, MISP XML or JSON output to integrate with other systems (network IDS, host IDS, custom tools), Cache format (used for forensic tools), STIX (XML and JSON) 1 and 2, NIDS export (Suricata, Snort and Bro/Zeek) or RPZ zone. Many other formats can easily be added via the misp-modules.
  • Import: bulk import, batch import, import from OpenIOC, GFI sandbox, ThreatConnect CSV, MISP standard format or STIX 1.1/2.0. Many other formats can easily be added via the misp-modules.
  • A flexible free-text import tool to ease the integration of unstructured reports into MISP.
  • A user-friendly system to collaborate on events and attributes, allowing MISP users to propose changes or updates to attributes/indicators.
  • Data sharing: automatically exchange and synchronize with other parties and trust groups using MISP.
  • Delegation of sharing: a simple, pseudo-anonymous mechanism to delegate publication of events/indicators to another organization.
  • A flexible API to integrate MISP with your own solutions. MISP is bundled with PyMISP, a flexible Python library to fetch, add or update event attributes, handle malware samples or search for attributes. An exhaustive restSearch API makes it easy to search for indicators in MISP and export them in all the formats supported by MISP.
  • An adjustable taxonomy to classify and tag events following your own classification schemes or existing classifications. The taxonomy can be local to your MISP but is also shareable among MISP instances.
  • Intelligence vocabularies, called MISP galaxies, bundled with existing threat actors, malware, RATs, ransomware or MITRE ATT&CK, which can easily be linked with events and attributes in MISP.
  • Expansion modules in Python to extend MISP with your own services or to activate already available misp-modules.
  • Sighting support to get observations from organizations concerning shared indicators and attributes. Sightings can be contributed via the MISP user interface or the API, as MISP documents or STIX sighting documents.
  • STIX support: import and export data in the STIX version 1 and version 2 formats.
  • Integrated encryption and signing of notifications via GnuPG and/or S/MIME, depending on the user's preferences.
  • A real-time publish-subscribe channel within MISP to automatically get all changes (e.g. new events, indicators, sightings or tagging) via ZMQ (e.g. misp-dashboard) or Kafka publishing.
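As an added illustration of the two correlation kinds named above, exact value matching and CIDR block matching, here is example code written for this page, not MISP's own correlation engine. It runs over two constructed events in a simplified MISP JSON layout; the Event/Attribute keys and all values are assumptions made for the example.

```python
import ipaddress
import json

# Constructed sample events in a simplified MISP JSON layout (only the
# Event/Attribute keys used below). Not data from the MISP project.
EVENTS_JSON = """
[
 {"Event": {"id": "1", "info": "Campaign A", "Attribute": [
   {"type": "ip-dst", "value": "203.0.113.17", "to_ids": true},
   {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": true},
   {"type": "domain", "value": "example.invalid", "to_ids": false}]}},
 {"Event": {"id": "2", "info": "Campaign B", "Attribute": [
   {"type": "ip-dst", "value": "203.0.113.0/24", "to_ids": false},
   {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": true},
   {"type": "ip-src", "value": "198.51.100.9", "to_ids": true}]}}
]
"""
SAMPLE_EVENTS = json.loads(EVENTS_JSON)
IP_TYPES = {"ip-src", "ip-dst"}


def _network(value):
    """Return an ip_network for a bare IP or CIDR string, else None."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def correlate(events):
    """Return sorted (event_a, event_b, reason) tuples for attributes that
    correlate across different events: identical values (e.g. the same
    hash), or an IP attribute that lies inside another event's CIDR block."""
    attrs = [(e["Event"]["id"], a) for e in events for a in e["Event"]["Attribute"]]
    hits = set()
    for eid_a, a in attrs:
        for eid_b, b in attrs:
            if eid_a >= eid_b:  # visit each unordered cross-event pair once
                continue
            if a["value"] == b["value"]:
                hits.add((eid_a, eid_b, "exact:" + a["value"]))
            elif a["type"] in IP_TYPES and b["type"] in IP_TYPES:
                na, nb = _network(a["value"]), _network(b["value"])
                if na and nb and na.version == nb.version and (
                        na.subnet_of(nb) or nb.subnet_of(na)):
                    hits.add((eid_a, eid_b, f"cidr:{a['value']}~{b['value']}"))
    return sorted(hits)


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

The sample yields one exact hit (the shared md5) and one CIDR hit (203.0.113.17 inside 203.0.113.0/24); the unrelated ip-src and domain attributes produce nothing.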

Exchanging information results in faster detection of targeted attacks and improves the detection ratio while reducing false positives. We also avoid reversing similar malware, as we learn very quickly that other teams or organizations have already analyzed a specific sample.

(Image: MISP 2.4 overview)

A sample event encoded in MISP:

(Image: MISP event view)

Website / Support

Check out the website for more information about the MISP software, standards, tools and communities.

Information, news and updates are also regularly posted on the MISP project Twitter account or the news page.

Documentation

The MISP user guide (MISP-book) is available online, or as PDF, EPUB or MOBI/Kindle.

For the installation guide, see the INSTALL or download section.

Contributing

If you are interested in contributing to the MISP project, review our contributing page. There are many ways to contribute and participate in the project.

Please see our Code of conduct.

Feel free to fork the code, play with it, make some patches and send us pull requests via the issues.

Feel free to contact us or create issues if you have questions, remarks or bug reports.

There is one main branch:

  • 2.4 (current stable version): what we consider stable, with frequent updates as hot-fixes.

Features are developed in separate branches and then regularly merged into the 2.4 stable branch.

License

This software is licensed under the GNU Affero General Public License version 3.

  • Copyright (C) 2012-2023 Christophe Vandeplas
  • Copyright (C) 2012 Belgian Defence
  • Copyright (C) 2012 NATO / NCIRC
  • Copyright (C) 2013-2023 Andras Iklody
  • Copyright (C) 2015-2023 CIRCL - Computer Incident Response Center Luxembourg
  • Copyright (C) 2016 Andreas Ziegler
  • Copyright (C) 2018-2023 Sami Mokaddem
  • Copyright (C) 2018-2023 Christian Studer
  • Copyright (C) 2015-2023 Alexandre Dulaunoy
  • Copyright (C) 2018-2022 Steve Clement
  • Copyright (C) 2020-2023 Jakub Onderka

For more information, the list of authors and contributors is available.

More Repositories

  • misp-galaxy (Python, 439 stars): Clusters and elements to attach to MISP events or attributes (like threat actors)
  • misp-warninglists (Python, 412 stars): Warning lists to inform users of MISP about potential false positives or other information in indicators
  • PyMISP (Python, 381 stars): Python library using the MISP REST API
  • misp-training (TeX, 316 stars): MISP trainings, threat intel and information sharing training materials with source code
  • misp-modules (Python, 302 stars): Modules for expansion services, enrichment, import and export in MISP and other tools.
  • x_old_misp_docker (Shell, 283 stars): MISP Docker (XME edition)
  • misp-book (Shell, 238 stars): User guide of MISP
  • misp-taxonomies (Python, 237 stars): Taxonomies used in the MISP taxonomy system; they can also be used by other information sharing tools.
  • misp-dashboard (JavaScript, 184 stars): A live dashboard for a real-time overview of threat intelligence from MISP instances
  • MISP-maltego (Python, 156 stars): Set of Maltego transforms to interface with a MISP Threat Sharing instance, and also to explore the whole MITRE ATT&CK dataset.
  • docker-misp (Dockerfile, 100 stars): Automated Docker MISP container - Malware Information Sharing Platform and Threat Sharing
  • misp-objects (Python, 83 stars): Definition, description and relationship types of MISP objects
  • MISP-Taxii-Server (Python, 79 stars): An OpenTAXII configuration for MISP
  • mail_to_misp (Python, 65 stars): Connect your mail client/infrastructure to MISP in order to create events based on the information contained within mails.
  • misp-cloud (Shell, 64 stars): Cloud-ready images of MISP
  • MISP-STIX-Converter (Python, 63 stars): A utility repo to assist with converting between MISP and STIX formats
  • best-practices-in-threat-intelligence (HTML, 44 stars): Best practices in threat intelligence
  • misp-playbooks (Jupyter Notebook, 41 stars): MISP Playbooks
  • misp-rfc (HTML, 41 stars): Specifications used in the MISP project, including the MISP core format
  • misp-vagrant (Shell, 40 stars): Deploy MISP Project software with Vagrant.
  • misp-stix (Python, 39 stars): MISP-STIX-Converter - Python library to handle the conversion between MISP and STIX formats
  • threat-actor-intelligence-server (Python, 37 stars): A simple REST server to look up threat actors (by name, synonym or UUID) and return the corresponding MISP galaxy information about the known threat actors.
  • intelligence-icons (JavaScript, 35 stars): A collection of icons and diagrams for building training and marketing materials around intelligence sharing, including but not limited to CTI, MISP Threat Sharing and STIX 2.
  • misp-docker (Shell, 35 stars): A production-ready Dockerised MISP
  • misp-compliance (33 stars): Legal, procedural and policy document templates for operating MISP and information sharing communities
  • misp-packer (Shell, 29 stars): Build automated machine images for MISP
  • MISPego (Python, 26 stars): Maltego transform to put entities into MISP events
  • PyTaxonomies (Python, 26 stars): Python module to use the MISP taxonomies
  • misp-training-lea (TeX, 26 stars): Practical information sharing between law enforcement and CSIRT communities using MISP
  • misp-workbench (Python, 26 stars): MISP Workbench
  • PyMISPWarningLists (Python, 26 stars): Pythonic way to work with the warning lists defined at https://github.com/MISP/misp-warninglists
  • misp-wireshark (Lua, 23 stars): Lua plugin to extract data from Wireshark and convert it into MISP format
  • ansible (PHP, 22 stars): MISP - Ansible installation script
  • misp-website (HTML, 21 stars): MISP website (Hugo-based)
  • misp-graph (Python, 20 stars): A tool to convert MISP XML files (events and attributes) into graphs
  • misp-takedown (Python, 19 stars): A curses-style interface for automatic takedown notification based on MISP events.
  • PyMISPGalaxies (Python, 17 stars): Pythonic way to work with the galaxies defined at https://github.com/MISP/misp-galaxy
  • misp-grafana (Python, 13 stars): A real-time Grafana dashboard using the MISP ZeroMQ message queue and InfluxDB
  • misp-privacy-aware-exchange (Python, 13 stars): A privacy-aware exchange module to securely and privately share your indicators
  • misp-sighting-server (Python, 13 stars): A fast sighting server to store and look up sightings on attributes (network indicators, file hashes, system indicators) in a space-efficient way.
  • data-processing (Python, 12 stars): Scripts to process big chunks of data from MISP and do in-depth correlations on samples.
  • yara-misp (Python, 12 stars): Export MISP attributes in YARA
  • misp-workflow-blueprints (Shell, 11 stars): Library of blueprints usable in MISP Workflows
  • MISP-sizer (JavaScript, 10 stars): Sizing your MISP instance
  • cexf (Python, 10 stars): Common Exercise Format - CEXF
  • misp-guard (Python, 10 stars): A mitmproxy addon that inspects and blocks outgoing events to external MISP instances via the sync mechanisms (pull/push), based on a set of customisable block rules.
  • misp-bump (Java, 9 stars): Simple and secure synchronisation of MISP instances with mobile phones
  • evtx-toolkit (Python, 9 stars): Tool to read EVTX files, including Sysmon, and convert them to JSON, MISP objects and Graph stream
  • misp-decaying-models (Shell, 9 stars): MISP decaying models
  • threat-intelligence-browser (JavaScript, 9 stars): A browser for the threat intelligence knowledge base of the MISP project galaxies
  • MISP-presentations (8 stars)
  • misp-noticelist (8 stars): Notice lists to inform users of MISP about legal or technical implications of some attributes, categories and objects
  • dockerized_training_environment (Python, 8 stars): A training environment, with Docker.
  • PyIntel471 (Python, 7 stars): Python API for PyIntel471
  • misp-standard.org (HTML, 7 stars): misp-standard.org website
  • misp-opendata (Python, 7 stars): Tool to submit / delete data from MISP to an opendata portal
  • matrix-misp-bot (Python, 6 stars): Very basic MISP bot for Matrix.
  • misp-bloomfilter (Python, 6 stars): A tool to create Bloom filters from MISP records to share IOCs with others without breaking confidentiality.
  • misp-expansion (JavaScript, 5 stars): MISP expansion - a browser extension (Firefox and Chrome) to look up on MISP
  • misp-darwin (Python, 5 stars): MISP darwin is a model and tools to automatically translate technical or structured information from MISP into natural language
  • MISP-RPM (Makefile, 5 stars): RPM packages for MISP
  • mail_to_misp_test (4 stars): Test emails for mail_to_misp
  • LuaMISP (Lua, 3 stars): Lua library to create and manipulate MISP entities
  • pdf_fonts (3 stars): PDF fonts used by the PyMISP PDFtools export to support internationalisation
  • misp-usage-statistics (Python, 3 stars): MISP usage statistics using Bokeh (as a static webpage)
  • misp-sighting-tools (Python, 3 stars): Tools to support sightings from various sources (e.g. network pcap) to sight attributes in MISP instances
  • misp-monitoring (Shell, 3 stars): Tools and documentation related to MISP instance monitoring in production/corporate environments
  • pypraware (Python, 3 stars): Python Privacy Aware (pypraware) module containing scripts for misp-privacy-aware-exchange
  • misp-stix-tests (2 stars): STIX files for testing misp-stix and various libraries
  • misp_dockerized_testing (Python, 2 stars): Test MISP instances using a dockerized infrastructure
  • widget-collection (PHP, 1 star)
  • PyMISPObjectTemplates (Python, 1 star): Python API to create and update MISP object templates
  • cakephp (PHP, 1 star): CakePHP (v2.x branch + updates)