A live dashboard for a real-time overview of threat intelligence from MISP instances

misp-dashboard

A dashboard showing live data and statistics from the ZMQ feeds of one or more MISP instances. The dashboard can be used as a real-time situational awareness tool to gather threat intelligence information. The misp-dashboard includes a gamification tool to show the contributions of each organisation and how they are ranked over time. The dashboard can be used for SOCs (Security Operation Centers), security teams or during cyber exercises to keep track of what is being processed on your various MISP instances.

Features

Live Dashboard

  • Possibility to subscribe to multiple ZMQ feeds from different MISP instances
  • Shows immediate contributions made by organisations
  • Displays posted geo-locations live, as soon as they can be resolved

[Screenshot: Dashboard live]

Geolocalisation Dashboard

  • Provides historical geolocalised information to support security teams, CSIRTs or SOCs in finding threats within their constituency
  • Possibility to get geospatial information from specific regions

[Screenshot: Dashboard geo]

Contributors Dashboard

Shows:

  • The monthly rank of all organisations
  • The last organisation that contributed (dynamic updates)
  • The contribution level of all organisations
  • Each category of contributions per organisation
  • The current ranking of the selected organisation (dynamic updates)

Includes:

  • Gamification of the platform:
    • Two different levels of ranking with unique icons
    • Exclusive obtainable badges for source code contributors and donators

[Screenshots: Dashboard contributors, Dashboard contributors2]

Users Dashboard

  • Shows when and how the platform is used:
    • Login punchcard and contributions over time
    • Contribution vs login

[Screenshot: Dashboard users]

Trendings Dashboard

  • Provides real-time information to support security teams, CSIRTs or SOCs, showing current threats and activity:
    • Shows the most active events, categories and tags
    • Shows sightings and discussions over time

[Screenshot: Dashboard trendings]

Installation

Before installing, note that the only supported systems are open-source Unix-like operating systems such as Linux.

  1. You will need to create a free MaxMind account.
  2. Set your password and create a license key.
     2.1 Make a note of your license key; it is needed during install.
  • Launch ./install_dependencies.sh from the MISP-Dashboard directory (idempotent-ish)
  • Update the configuration file config.cfg so that it matches your system
    • Fields that you may change:
      • RedisGlobal -> host
      • RedisGlobal -> port
      • RedisGlobal -> zmq_url
      • RedisGlobal -> misp_web_url
      • RedisMap -> pathMaxMindDB

Updating by pulling

  • Re-launch ./install_dependencies.sh to fetch new required dependencies
  • Re-update your configuration file config.cfg by comparing eventual changes in config.cfg.default

⚠️ Make sure no zmq python3 scripts are running. They block the update.

+ virtualenv -p python3 DASHENV
Already using interpreter /usr/bin/python3
Using base prefix '/usr'
New python executable in /home/steve/code/misp-dashboard/DASHENV/bin/python3
Traceback (most recent call last):
  File "/usr/bin/virtualenv", line 9, in <module>
    load_entry_point('virtualenv==15.0.1', 'console_scripts', 'virtualenv')()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 942, in create_environment
    site_packages=site_packages, clear=clear, symlink=symlink))
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 1261, in install_python
    shutil.copyfile(executable, py_executable)
  File "/usr/lib/python3.5/shutil.py", line 115, in copyfile
    with open(dst, 'wb') as fdst:
OSError: [Errno 26] Text file busy: '/home/steve/code/misp-dashboard/DASHENV/bin/python3'
  • Restart the System: ./start_all.sh OR ./start_zmq.sh and ./server.py &

Starting the System

⚠️ You should not run it as root. Normal privileges are fine.

  • Be sure to have a running redis server
    • e.g. redis-server --port 6250
  • Activate your virtualenv . ./DASHENV/bin/activate
  • Listen to the MISP feed by starting the zmq_subscriber ./zmq_subscriber.py &
  • Start the dispatcher to process received messages ./zmq_dispatcher.py &
  • Start the Flask server ./server.py &
  • Access the interface at http://localhost:8001/

Alternatively, you can run the start_all.sh script to run the commands described above.

Authentication

Authentication can be enabled in config/config.cfg by setting auth_enabled = True. Users will then be required to log in to MISP and are allowed to proceed only if the user setting dashboard_access is set to 1 for their MISP user account.

Debug

Debug is fun and gives you more details on what is going on when things fail. Bear in mind that running Flask in debug mode is NOT suitable for production: when enabled, it drops you into a Python shell on errors so you can dig further.

Just before running ./server.py do:

export FLASK_DEBUG=1
export FLASK_APP=server.py
flask run --host=0.0.0.0 --port=8001 # <- Be careful here, this exposes it on ALL ip addresses. Ideally if run locally --host=127.0.0.1

OR, just toggle the debug flag in start_all.sh or config.cfg.

Happy hacking ;)

Restart from scratch

To restart from scratch and empty all data from your dashboard you can use the dedicated cleaning script clean.py


Clean data stored in the redis server specified in the configuration file

optional arguments:
  -h, --help    show this help message and exit
  -b, --brutal  Perfom a FLUSHALL on the redis database. If not set, will use
                a soft method to delete only keys used by MISP-Dashboard.

Notes about ZMQ

The misp-dashboard is stateless with regard to MISP: it can only process data that it has received. This means that if your MISP is not publishing all notifications to its ZMQ feed, the misp-dashboard will not have them.

The most relevant example is the user login punchcard. If your MISP does not have the option Plugin.ZeroMQ_audit_notifications_enable set to true, the punchcard will be empty.

Dashboard not showing results - No module named zmq

When the misp-dashboard does not show any results, first check that the zmq module within MISP is properly installed.

In Administration, Plugin Settings, ZeroMQ check that Plugin.ZeroMQ_enable is set to True.

Publish a test event from MISP to ZMQ via Event Actions, Publish event to ZMQ.

Verify the logfiles

${PATH_TO_MISP}/app/tmp/log/mispzmq.error.log
${PATH_TO_MISP}/app/tmp/log/mispzmq.log

If there's an error ModuleNotFoundError: No module named 'zmq' then install pyzmq.

$SUDO_WWW ${PATH_TO_MISP}/venv/bin/pip install pyzmq
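A small diagnostic for the two points above (the dashboard only sees what MISP publishes, and an empty feed usually means the ZMQ plugin is off or pyzmq is missing). This is an added example, not part of misp-dashboard: it assumes MISP frames look like "<topic> <json>" and that the topic names other than misp_json_audit are the ones MISP uses; the sample frames are constructed.

```python
import json
import time
from collections import Counter

# Topic -> dashboard panel fed by it. misp_json_audit is named on the page;
# the other topic names are assumptions about MISP's ZMQ naming.
PANEL_BY_TOPIC = {
    "misp_json_event": "live dashboard / trendings",
    "misp_json_attribute": "live dashboard / geolocation map",
    "misp_json_sighting": "trendings (sightings)",
    "misp_json_audit": "users dashboard (login punchcard)",
}


def parse_message(raw: str):
    """Split one frame "<topic> <json>" into (topic, payload or None).
    A bad JSON body yields None instead of aborting the whole check."""
    topic, _, body = raw.partition(" ")
    try:
        return topic, (json.loads(body) if body else None)
    except json.JSONDecodeError:
        return topic, None


def summarise(raw_messages):
    """Count frames per topic and list the panels that will stay empty."""
    seen = Counter(parse_message(m)[0] for m in raw_messages)
    missing = {t: p for t, p in PANEL_BY_TOPIC.items() if seen[t] == 0}
    return dict(seen), missing


def collect(zmq_url: str, seconds: float = 10.0):
    """Subscribe to every topic at zmq_url (the RedisGlobal zmq_url value)
    and gather raw frames for `seconds`. pyzmq is imported here so the
    offline helpers above work without it installed."""
    import zmq
    ctx = zmq.Context()
    sock = ctx.socket(zmq.SUB)
    sock.setsockopt_string(zmq.SUBSCRIBE, "")   # empty prefix = all topics
    sock.connect(zmq_url)
    frames, deadline = [], time.monotonic() + seconds
    while time.monotonic() < deadline:
        if sock.poll(timeout=500):              # ms; never block forever
            frames.append(sock.recv_string())
    sock.close()
    ctx.term()
    return frames


if __name__ == "__main__":
    # Constructed frames standing in for a live feed; no audit frame here.
    sample = ['misp_json_event {"Event": {"id": "1", "info": "constructed"}}',
              'misp_json_attribute {"Attribute": {"type": "ip-dst", "value": "198.51.100.7"}}']
    seen, missing = summarise(sample)
    print("frames per topic:", seen)
    for topic, panel in missing.items():
        print(f"no {topic} frames: {panel} will stay empty")
```

Against a live instance, replace `sample` with `collect("tcp://misp.local:50000")` (the URL is a placeholder) and check that misp_json_audit appears before blaming the punchcard.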

zmq_subscriber options


A zmq subscriber. It subscribe to a ZMQ then redispatch it to the MISP-dashboard

optional arguments:
  -h, --help            show this help message and exit
  -n ZMQNAME, --name ZMQNAME
                        The ZMQ feed name
  -u ZMQURL, --url ZMQURL
                        The URL to connect to

Deploy in production using mod_wsgi

Install Apache mod-wsgi for Python3

sudo apt-get install libapache2-mod-wsgi-py3

Caveat: If you already have mod-wsgi installed for Python2, it will be replaced!

The following packages will be REMOVED:
  libapache2-mod-wsgi
The following NEW packages will be installed:
  libapache2-mod-wsgi-py3

Configuration file /etc/apache2/sites-available/misp-dashboard.conf assumes that misp-dashboard is cloned into /var/www/misp-dashboard. It runs as user misp in this example. Change the permissions to your custom folder and files accordingly.

<VirtualHost *:8001>
    ServerAdmin [email protected]
    ServerName misp.local

    DocumentRoot /var/www/misp-dashboard
    
    WSGIDaemonProcess misp-dashboard \
       user=misp group=misp \
       python-home=/var/www/misp-dashboard/DASHENV \
       processes=1 \
       threads=15 \
       maximum-requests=5000 \
       listen-backlog=100 \
       queue-timeout=45 \
       socket-timeout=60 \
       connect-timeout=15 \
       request-timeout=60 \
       inactivity-timeout=0 \
       deadlock-timeout=60 \
       graceful-timeout=15 \
       eviction-timeout=0 \
       shutdown-timeout=5 \
       send-buffer-size=0 \
       receive-buffer-size=0 \
       header-buffer-size=0 \
       response-buffer-size=0 \
       server-metrics=Off

    WSGIScriptAlias / /var/www/misp-dashboard/misp-dashboard.wsgi

    <Directory /var/www/misp-dashboard>
        WSGIProcessGroup misp-dashboard
        WSGIApplicationGroup %{GLOBAL}
        Require all granted
    </Directory>

    LogLevel info
    ErrorLog /var/log/apache2/misp-dashboard.local_error.log
    CustomLog /var/log/apache2/misp-dashboard.local_access.log combined
    ServerSignature Off
</VirtualHost>

License

    Copyright (C) 2017-2021 CIRCL - Computer Incident Response Center Luxembourg (c/o smile, security made in Lëtzebuerg, Groupement d'Intérêt Economique)
    Copyright (c) 2017-2020 Sami Mokaddem

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Affero General Public License for more details.

    You should have received a copy of the GNU Affero General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

Images and logos are handmade for:

  • rankingMISPOrg/
  • rankingMISPMonthly/
  • MISPHonorableIcons/

Note that:
