pe3zx edited this page May 1, 2022 · 16 revisions

The current domain name is *.ir.local. Replace *.ir.local in the instructions with your own domain name during the deployment process.

Pull Submodules

mthc relies on Cortex-Analyzers and my custom version of misp-docker, both included as git submodules. Thus, we first need to pull the latest version of both with git:

git submodule update --init --recursive

Docker and Docker Compose Installation

Please refer to the official documentation for installing Docker and Docker Compose.

Increase the mmapfs limit on the host for Elasticsearch with:

echo -e "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Update docker-compose.yml

On nginx-proxy, if you want to access the services via HTTPS, certificates and keys must be added to ./certs/.

The names of the certificates and keys must match the virtual host names specified in VIRTUAL_HOST, for example misp.ir.local.crt and misp.ir.local.key for misp.ir.local.

See the jwilder/nginx-proxy documentation for more information about SSL/TLS configuration.

On misp-db, update the following parameters:

  • MYSQL_USER for MySQL user
  • MYSQL_PASSWORD for MySQL password
  • MYSQL_ROOT_PASSWORD for MySQL root password

On misp-web, update the following parameters:

  • MYSQL_USER for MySQL user as specified on misp-db
  • MYSQL_PASSWORD for MySQL password as specified on misp-db
  • MISP_ADMIN_EMAIL for username and login email
  • MISP_ADMIN_PASSPHRASE for administrator password
  • MISP_BASEURL for base URL to access the instance
  • TIMEZONE for the accurate date and time

For every VIRTUAL_HOST, update the value to the domain name you want to make available.
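Because nginx-proxy silently falls back to plain HTTP for any VIRTUAL_HOST whose certificate and key are not found under ./certs/ with exactly that name, it is worth checking the mapping before running docker-compose. The following pre-flight check is an added example and not part of the mthc wiki or the nginx-proxy project; it assumes VIRTUAL_HOST is written either as a list entry (- VIRTUAL_HOST=misp.ir.local) or as a map entry (VIRTUAL_HOST: misp.ir.local), optionally with a comma-separated list of hosts.

```shell
#!/bin/sh
# Added example (not part of the mthc wiki): verify that every VIRTUAL_HOST in
# docker-compose.yml has a matching ./certs/<host>.crt and ./certs/<host>.key.
# Assumed compose syntax (either form, comma-separated hosts allowed):
#   - VIRTUAL_HOST=misp.ir.local
#   VIRTUAL_HOST: "thehive.ir.local,hive.ir.local"

# list_virtual_hosts COMPOSE_FILE  -> one hostname per line, sorted, de-duplicated
list_virtual_hosts() {
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*VIRTUAL_HOST[[:space:]]*[=:][[:space:]]*//p' "$1" \
        | tr -d "\"'" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' \
        | sort -u
}

# check_certs COMPOSE_FILE CERT_DIR
# Prints "<host> missing <path>" for every absent or empty file.
# Returns 0 when every host has both a .crt and a .key, 1 otherwise.
check_certs() {
    compose="$1"
    certdir="$2"
    rc=0
    for host in $(list_virtual_hosts "$compose"); do
        for ext in crt key; do
            if [ ! -s "$certdir/$host.$ext" ]; then
                echo "$host missing $certdir/$host.$ext"
                rc=1
            fi
        done
    done
    return $rc
}

# Usage from the repository root (paths are the ones used on this page):
#   check_certs docker-compose.yml ./certs && echo "all virtual hosts have certificates"
```

Run it from the repository root before docker-compose up; a non-zero exit means at least one host would be served without TLS.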

Update TheHive and Cortex Configuration

For both ./conf/cortex.conf and ./conf/thehive.conf, update play.http.secret.key, the secret key used by the application's cryptographic functions (session signing and similar), to a fresh random value.
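A shipped default for play.http.secret.key is shared by every deployment that forgets to change it, so the value should be generated rather than typed. The snippet below is an added example, not part of the mthc wiki or of TheHive/Cortex; it assumes each conf file carries a line of the form play.http.secret.key = "..." (the quoting style is an assumption) and rewrites that value in place.

```shell
#!/bin/sh
# Added example (not part of the mthc wiki): generate a random secret and write it
# into a Play-style .conf file as the value of play.http.secret.key.
# Assumption: the file contains one line matching   play.http.secret.key = "..."

# Print 48 random bytes, base64 encoded (64 characters, no padding, no newline).
gen_secret() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# set_play_secret FILE SECRET
# Replace the value of play.http.secret.key in FILE. Returns 1 if the key is absent,
# so a typo in the path cannot silently leave the default in place.
set_play_secret() {
    file="$1"
    secret="$2"
    if ! grep -q '^[[:space:]]*play\.http\.secret\.key[[:space:]]*=' "$file" 2>/dev/null; then
        echo "no play.http.secret.key found in $file" >&2
        return 1
    fi
    # '|' is used as the sed delimiter because base64 output never contains it
    # (it does contain '/' and '+'); the sed backup is removed afterwards so the
    # old secret does not linger in a .bak file next to the config.
    sed -i.bak "s|^\([[:space:]]*play\.http\.secret\.key[[:space:]]*=[[:space:]]*\).*|\1\"$secret\"|" "$file" \
        && rm -f "$file.bak"
}

# get_play_secret FILE -> prints the current value (used to verify the change)
get_play_secret() {
    sed -n 's|^[[:space:]]*play\.http\.secret\.key[[:space:]]*=[[:space:]]*"\(.*\)".*|\1|p' "$1"
}

# Usage with the paths from this page, one distinct secret per service:
#   set_play_secret ./conf/cortex.conf  "$(gen_secret)"
#   set_play_secret ./conf/thehive.conf "$(gen_secret)"
```

Use a separate secret for Cortex and TheHive; the two files are independent and nothing requires them to share a key.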

Deploy With docker-compose

Deploy the services defined in docker-compose.yml:

docker-compose up -d

Install dependencies for Cortex-Analyzers

As mentioned in the installation guide, we need to install all required dependencies for the analyzers, which can be done simply by running the following commands inside the Cortex container:

for I in $(find Cortex-Analyzers -name 'requirements.txt'); do pip2 install -r "$I"; done && \
for I in $(find Cortex-Analyzers -name 'requirements.txt'); do pip3 install -r "$I" || true; done

Integration

Retrieve the MISP API key by logging in to misp.ir.local with the credentials specified above. If they don't work, try admin@admin.test with the password admin.

MISP generates the API token for the administrator account only after that user has logged in. You can either create a new account and use its API token, or use the administrator's token for testing purposes. Log in and grab the token at https://misp.ir.local/users/view/me or https://misp.ir.local/events/automation.

Next, for the Cortex API key, access cortex.ir.local to create a new administrator account. On https://cortex.ir.local/index.html#!/admin/users, you can either create a new account with an API key or create a new API key on the administrator account.

Finally, we need to update ./conf/thehive.conf with our MISP API key and Cortex API key: add the keys on L138 for Cortex and L166 for MISP.

Also, add the Cortex API key to --cortex-key on the TheHive service in docker-compose.yml.

Apply the new settings for TheHive by restarting the mthc_thehive_1 container. You will then see green lights in TheHive, which indicate that the MISP and Cortex integrations are working.