Add MISP Alerter #2126

Open: wants to merge 6 commits into base: master

Conversation

@weslambert commented Feb 10, 2019

Similar to HiveAlerter, this allows the user to create events within MISP from Elastalert matches using the MISPAlerter class, and an alert type of mispalerter.

Rule format should be similar to the following:

es_port: 9200
name: Elastalert2MISP
type: frequency
index: "*:logstash-index*"
num_events: 1
timeframe:
    minutes: 10
buffer_time:
    minutes: 10
allow_buffer_time_overlap: true

filter:
- term:
    event_type: "snort"

alert: mispalerter

misp_connection:
  misp_url: https://192.168.3.14
  misp_key: HF4ZWQJEg1hqfPEZdpLH0rh3fm17PtL9UNoXrJf6

misp_alert_config:
  distribution: 0
  info: "This is an event generated from Elastalert to MISP!"
  analysis: 1
  threat_level_id: 1
  published: True

misp_attribute_data_mapping:
- ip-src: '{match[source_ip]}'
- ip-dst: '{match[destination_ip]}'
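As an added illustration of how the rule sections above fit together (this is not the PR's code), the block below renders misp_alert_config and misp_attribute_data_mapping against an Elastalert match into an event payload of the shape MISP's event JSON uses. It assumes that a template referencing a field absent from the match skips that attribute rather than failing, and that an event with no renderable attributes is not created; both are design choices made here, not behaviour the PR describes.

```python
# Added example, not code from the MISP alerter PR. Turns the rule's
# misp_alert_config / misp_attribute_data_mapping plus one Elastalert
# match into a MISP-style event dict (Event fields + "Attribute" list).

# Constructed rule fragment mirroring the PR description.
RULE = {
    "misp_alert_config": {
        "distribution": 0,
        "info": "This is an event generated from Elastalert to MISP!",
        "analysis": 1,
        "threat_level_id": 1,
        "published": True,
    },
    "misp_attribute_data_mapping": [
        {"ip-src": "{match[source_ip]}"},
        {"ip-dst": "{match[destination_ip]}"},
    ],
}

EVENT_KEYS = ("distribution", "info", "analysis", "threat_level_id", "published")


def render_attributes(mapping, match):
    """Expand each '{match[field]}' template against the match dict.

    Assumption: a template whose field is missing from the match yields
    no attribute (str.format raises KeyError), instead of aborting.
    """
    attributes = []
    for entry in mapping:
        for attr_type, template in entry.items():
            try:
                value = template.format(match=match)
            except KeyError:
                continue  # field not in this match: skip the attribute
            attributes.append({"type": attr_type, "value": value})
    return attributes


def build_event(rule, match):
    """Build the event payload; return None when nothing could be mapped.

    Assumption: refusing to create attribute-less events is a defensive
    choice made in this example, not the PR's behaviour.
    """
    cfg = rule["misp_alert_config"]
    attributes = render_attributes(rule["misp_attribute_data_mapping"], match)
    if not attributes:
        return None
    event = {key: cfg[key] for key in EVENT_KEYS if key in cfg}
    event["Attribute"] = attributes
    return event
```

The returned dict is what one would hand to PyMISP to create the event; comparing it with the match before sending is an easy way to verify the field names in the mapping actually exist in the indexed documents.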

@weslambert (Author)

Hi @Qmando ,

Is there anything I can do to improve this, or make this more acceptable? Thanks!

@MarkDevelo commented Feb 7, 2020

Hi, I'm trying to use this alerter to upload an incident to my MISP server, but my rule keeps showing 1 alert sent even if there is nothing new in my MISP server.

Here is my rule log:
INFO:elastalert:Ran MyRule from 2020-02-02 11:43 CST to 2020-02-02 11:54 CST: 42 query hits (33 already seen), 9 matches, 1 alerts sent

My rule .yaml:

es_host: x.x.x.x
es_port: 9200
name: MyRule
type: any
index: myindex

filter:
- query_string:
    query: "myquey"

alert: mispalerter

misp_connection:
  misp_url: https://x.x.x.x
  misp_key: my admin user authkey

misp_alert_config:
  distribution: 0
  info: "My Elastalert event"
  analysis: 1
  threat_level_id: 1
  published: True

misp_attribute_data_mapping:
- ip-src: '{match[source_ip]}'
- ip-dst: '{match[destination_ip]}'

I'm new at this, so sorry if I'm missing something obvious. I use the same configuration with the email alerter and it works fine. Thanks

@weslambert (Author)

Hi @MarkDevelo , it's been a minute since I've looked at this, so I will test again and let you know.

@MarkDevelo

Thanks @weslambert. If it helps, in the MISP logs I can see the Elastalert authentication succeeding with the API key; in the "change" column it shows "HTTP method: GET". All HTTP methods are "GET"; the "target" is the only thing that changes:
"Target: /user/view/me"
"Target: /attributes/describeTypes.json"
"Target: /servers/getVersio.json"
"Target: /servers/getPyMISPVersion,json"
I have the same PyMISP version installed on both servers and the same Python, both of them on Ubuntu 16.04.6.
Thanks for your time.

@nsano-rururu (Contributor)

■ README.md
Need to add "MISP" under Zabbix

■ docs/source/ruletypes.rst
Need to add an explanation of the MISP settings

@weslambert (Author)

I haven't tested this recently. Did this work for you, @nsano-rururu?

@nsano-rururu (Contributor)

> I haven't tested this recently. Did this work for you, @nsano-rururu?

I haven't moved it yet.
The following is likely to work with Docker, so I'll try it.
https://github.com/coolacid/docker-misp

@nsano-rururu (Contributor)

The Travis CI build failed.
From the look of the error message,
I feel that it will be resolved just by synchronizing the repository forked on GitHub with the master of the fork's source repository.

@weslambert (Author)

Yes, I will have a look at it tonight. I will probably end up rewriting some of it anyway. Thanks!

@nsano-rururu (Contributor) commented Apr 23, 2021

@weslambert

Any way you could push this PR to https://github.com/jertel/elastalert2 ?

@weslambert (Author) commented Apr 23, 2021

@nsano-rururu, sure thing. I will do so when I get a chance.

@nsano-rururu (Contributor)

Here are some things to keep in mind when making a pull request to elastalert2. Please note that the source code structure of the alerters is now different from the original yelp/elastalert.

Structure of related files and source code

elastalert
  loaders.py
  schema.yaml
  /alerters
    mispalerter.py
  /tests
    /alerters
      mispalerter_test.py

@weslambert (Author)

> Here are some things to keep in mind when making a pull request to elastalert2. Please note that the source code structure of the alerters is now different from the original yelp/elastalert.
>
> Structure of related files and source code
>
> elastalert
>   loaders.py
>   schema.yaml
>   /alerters
>     mispalerter.py
>   /tests
>     /alerters
>       mispalerter_test.py

Understood, thanks!
