Cannot subscribe to MISP and Failed to start MISP plugin #82
Comments
Hi @nillay
|
Sir, ============ config-new.yaml content: plugins: Sir as suggested in here. I have installed misp using:
|
Can you try setting |
Thanks a lot @0ortmann sir. I can't thank you enough for helping me out, in which I was stuck for so long. |
In the default installation, MISP creates a self-signed certificate. The certificate check errors, because it is not a valid certificate. Using |
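An added illustration of the certificate check described in the comment above; it is not part of this thread and not Threat Bus or MISP code. It creates a throwaway self-signed certificate as a stand-in for the one a default MISP installation generates, then shows that a client trusting only the system CA store rejects it, while a client that pins that one certificate as a trust anchor accepts it and nothing else. The function names, file names and common names are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo data: self-signed certificates generated on the fly.
# Requires the openssl command-line tool.

make_self_signed() {
    # $1 = output prefix (writes $1.key and $1.crt), $2 = common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

verify_cert() {
    # $1 = certificate to check
    # $2 = optional PEM file to pin as a trust anchor
    if [ -n "${2:-}" ]; then
        set -- -CAfile "$2" "$1"
    fi
    if openssl verify "$@" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_self_signed "$tmp/misp" localhost        # stand-in for the MISP cert
    make_self_signed "$tmp/other" other.example   # unrelated self-signed cert
    # No issuing CA in the system store: this is the failing check.
    echo "system store only:    $(verify_cert "$tmp/misp.crt")"
    # Pinning the certificate itself keeps verification switched on.
    echo "pinned to itself:     $(verify_cert "$tmp/misp.crt" "$tmp/misp.crt")"
    # Pinning is specific: a different certificate does not validate it.
    echo "pinned to other cert: $(verify_cert "$tmp/misp.crt" "$tmp/other.crt")"
    rm -rf "$tmp"
}

demo
```
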
You're very welcome :) |
Thank you @0ortmann sir for such crucial information from the bottom of my heart. A great learning for me today. Sir, you really made my day. |
@0ortmann sir, sorry to bother you again but I am a little stuck on one more issue. Sir, I will be very thankful if you could guide me on the same. I know I am making a very silly mistake like before, my apologies for the same. So with the threatbus plugin, I am successfully able to detect the intel in zeek and threatbus... Although I am not sure whether this intel will be deleted when we remove it from MISP, or whether some other config will be required to do that! But the primary issue I am facing is that after the sighting got recorded in the zeek as well as the Threatbus console, MISP is "not" reflecting the same. It's stuck at 0 count. I published the event with the IDS checkbox "on", but the sighting has not been updating in MISP. Attaching screenshot here: Kind regards |
Hi @nillay |
Hello @0ortmann sir, |
From the logs in the screenshot you provided, we can see that the MISP plugin reports back the sighting to your MISP instance. When you reload the MISP event page in your browser (Ctrl+Shift+R), does it show the sighting? |
No sir, no sighting shown in MISP. Reloaded multiple times. Zeek and threatbus are talking perfectly. Generating Intel logs and so on. But MISP seems to be in 1-way communication mode. |
I will try to reproduce the behavior with the MISP version I see in your screenshot |
@0ortmann Thank you sir. |
Hi @nillay
Unfortunately, I cannot reproduce your error. Sightings get reported back to MISP as they should. We just merged a PR #87 to add error logging in case the sighting reporting to MISP errors. Can I kindly ask you to install the latest Threat Bus version from GitHub master and retry? In case you see error logs, please paste them in this GitHub issue. |
Sure sir, doing the same, will let you know asap. Thanks a lot for checking the issue from your side. @0ortmann. |
@0ortmann Sir, I pulled the threatbus, threatbus misp, threatbus inmem from pip3..... Can you please refer me to the document where I can manually build all three tools from source code..... or can you suggest to me the right way to install the most updated threatbus.....? Also, is there a way to check the current running version? If yes, please let me know. I will be very grateful to you. Thanks. |
I don't want to derail the conversation, and have limited ability to aid in debugging, but it looks like there's an error on the Zeek side: can show the contents of |
@mavam Sir, my apology, actually that second tab is not related to that. I am doing some log related experiment in a zeek script, so I duplicated the zeek script for that. Otherwise with the original script it's working fine. But I thank you for adding your observation to it. Please guide me through handling the issue. These screenshots are only meant to show the versions I am running..... |
Hi @nillay You seem to run into multiple issues at once. When you first opened this issue, the Threat Bus <-> Zeek connection worked fine as can be seen in the first screenshot you provided here. Please restore your setup back to that point. As per the question how you can install Threat Bus from source, without PyPI:
|
@0ortmann Sir, thank you for your revert. I am trying hard to restore the setup of the last known good config but it seems like no luck in that. Just tried as per the recommendation and still getting the same error. Sir, should I create a separate thread for this issue? Also, if you think I should try it in a fresh installed system then I will try to do that too, please let me know. Thanks:
|
@nillay The Dumb question: when you manually add a Sighting in your MISP web-interface, does it show up? Also, when you login as |
@0ortmann sir, sounds interesting. Yep sir, after being frustrated a lot I started adding the sighting manually when a sighting occurred 😁 at least I was feeling a little better while doing so 😆 |
Does the web-interface show the sighting that you added manually? |
Sorry @0ortmann sir, just saw the message. Somehow I missed this message. Yes sir, the manual sighting is shown in the web-interface. Please accept my apology for the late reply. |
Hi @nillay I now extended the misp testutil so it also reports an artificial sighting. Could you please download the updated script and run it again? Please note that you need to update the Please paste the logs in this issue. It should create an attribute (if it does not exist already) and report a sighting. |
Hi @nillay Could you please run another test?
|
@0ortmann sir, I tried as you instructed, so here is the outcome as follows:
Attaching the screenshots for the same. |
Hi @nillay
Once installed, please run the test again and post the new Threat Bus logs. |
@0ortmann sir, thanks a lot for your kind words. Sir, I am a newbie in this domain. So I am grateful that you are giving your precious time and effort in finding the root cause of the issue. I have no words to thank you. In this noble work, if I can become useful in any way, I will consider myself lucky enough. Sir, I have run the procedures as you instructed. Please find the screenshots of the same. Although it was just for debugging as you said, just for the record the count has still not increased. Kind Regards |
Hi @nillay, Happy new year and thanks for your patience! Were you able to make any progress yet?
Then generate a sighting with Zeek as we did before. |
Hello @0snap sir,
|
Thanks for running the test, @nillay
Going forward with the debug output from the new logs, can you please run the following
Please replace To answer your other question:
|
@0snap sir, thank you for your kind reply. After running the API call, it seems like it's not responding to MISP for some reason. |
Hi @nillay, |
Thanks sir for the reply. No sir, no sightings were attached in the web UI. |
When the web-ui does not show the sightings, even when added directly with How did you install MISP? I still cannot reproduce this issue (I use the pre-built virtual machines provided on the MISP website, i.e., this one). |
Sir, I installed from the MISP script provided in their documentation. I think they created 2 shell scripts for the same. Seems like some internal config issue is occurring when we are not using their prebuilt MISP. Sir, let me use their VM and hopefully then I don't need to manually look under the hood. I will update you, first, on whether I am able to connect the MISP VM with threatbus and, secondly, on whether it's responding well or not. Thanks a lot sir for taking your precious time and effort to look into my issue. It really means a lot to me. 🙏 |
@0snap sir, |
Hi @nillay
You also need to enable the zmq plugin:
|
@0snap Sir, also I gave the curl command as in the previous instruction you gave, and it is throwing some kind of error: Kind Regards |
Hi @nillay Thanks for your tests. In the last curl command, please replace the |
@0snap sir, |
The curl commands indicate success, they return a |
No sir, sightings are not visible, not even a new event or any attribute is added..... |
Hi @nillay, Sorry, I'm at a loss understanding why these sightings won't show up in your MISP web view. |
Hi @0snap sir, Kind Regards, |
You're welcome! Please come over to our chat for future questions about running Threat Bus. |
Hello sir,
I am very new to threatbus and MISP. So sincere apologies for asking a naive question here.
I am trying to figure out how threatbus works with zeek and MISP. Also I referred to the YouTube video put out by the Tenzir team regarding that. I am using MISP and zeek all on the same host inside an Ubuntu 20.04 VM. I am able to access MISP through https://localhost from inside and using https://localhost:8443 from outside the VM. I am struggling with the following problem. I will be very grateful if someone can take a look at why I am getting this error:
Observed Behavior
(venv) root@ubuntu-pc:/home/ubuntu# threatbus -c config-new.yaml
2020-12-09 20:52:48 INFO [threatbus] Starting plugins...
2020-12-09 20:52:48 INFO [threatbus_inmem.plugin] In-memory backbone started.
2020-12-09 20:52:48 INFO [threatbus_inmem.plugin] Adding subscription to: threatbus/snapshotrequest
2020-12-09 20:52:48 INFO [threatbus_inmem.plugin] Adding subscription to: threatbus/snapshotenvelope
2020-12-09 20:52:48 INFO [threatbus_zeek.plugin] Zeek plugin started
2020-12-09 20:52:48 ERROR [threatbus_misp.plugin] Cannot subscribe to MISP at https://localhost, using SSL: True
2020-12-09 20:52:48 ERROR [threatbus_misp.plugin] Failed to start MISP plugin