Instructions for setting up MISP environment for testing and development purposes.

Juha Kälkäinen, OUSPG
Apr 12, 2019 · 5 min read

If you’re interested in reading about the motivation behind writing this article first, jump to the end of the page. Without further delay, here’s how to set up a Malware Information Sharing Platform (MISP) for testing and development purposes, and how to overcome some of the problems I came across during the process.

This guide was written for Ubuntu, but the general principles should remain the same on other major Linux distributions.

All you need for this setup is Docker, docker-compose and, optionally, Python with the PyMISP library if you wish to fill the MISP environment with some test data. If you’d rather read the official instructions you can do so here.

Step 1: Cloning files and modifying variables.

Clone the official MISP docker files:

$ git clone https://github.com/MISP/misp-docker
$ cd misp-docker

Edit the following environment variables in the docker-compose.yml file (they are stored there in cleartext, so don’t commit the edited file anywhere public):

  • MYSQL_DATABASE
  • MYSQL_USER
  • MYSQL_PASSWORD
  • MYSQL_ROOT_PASSWORD
  • MYSQL_MISP_PASSWORD
  • MISP_ADMIN_PASSPHRASE

Step 2: Building the image.

Build the docker environment and hope everything works out alright.

$ docker-compose build

At this step something broke for my installation at the time. I didn’t spend too much time debugging the error, but it seems to point to some syntax changes that came with a PHP version update.

Uh oh. Skip ahead a little bit if the build failed.

By the time you’re reading this, the issue might have been fixed (link to the issue page) and the build should have finished successfully. If so, you now have a working MISP docker environment ready to start.

Step 3: Running the container.

Run the following command to do so:

$ docker-compose up

You can now access MISP with your browser of choice at localhost (or whatever you set your MISP_BASEURL variable to). The default admin account is admin@admin.test and the password is whatever you set your MISP_ADMIN_PASSPHRASE variable to (or, if you skipped that step, which is probably not a good idea, the password should be just admin).

So something broke.

If, however, something went wrong during the installation and you don’t feel like debugging, you can do what I did at the time: use an alternative MISP Docker release. The Harvard IT security club offers an alternative dockerized MISP release here. Here’s how to set it up in four quick steps:

1. Clone and build the repository.

Recommended: edit build.sh and change at least the variables MISP_FQDN (your domain) and MYSQL_MISP_PASSWORD.

$ git clone https://github.com/harvard-itsecurity/docker-misp.git
$ cd docker-misp
$ ./build.sh

2. Create a database directory somewhere that Docker can access.

E.g.

$ mkdir -p /docker/misp-db

3. Initialize the database.

$ docker run -it --rm \
-v /docker/misp-db:/var/lib/mysql \
harvarditsecurity/misp /init-db

4. Start the container.

$ docker run -it -d \
-p 443:443 \
-p 80:80 \
-p 3306:3306 \
-v /docker/misp-db:/var/lib/mysql \
harvarditsecurity/misp

You should now be able to access MISP with your browser of choice at https://localhost.

If localhost now greets you with the MISP login page, you’ve successfully installed MISP.

Additional steps

The following steps are optional, but you might still want to keep reading if you’re interested in how to enable HTTPS on your setup or how to fill MISP with premade threat intelligence feeds.

Encryption

If you installed MISP on a cloud server you might want to encrypt the traffic using HTTPS. Note that this step assumes you’re using the harvarditsecurity MISP image rather than the official one. To use HTTPS with the official MISP docker image, use nginx and follow the project’s instructions. Also note that the docker run commands above publish port 3306 (MySQL) on every interface of the host; on a cloud server, drop that -p line unless something outside the container genuinely needs to reach the database.

This is pretty straightforward to do: if you don’t have certificates for your domain available, you can use certbot to automate the process. Fill in <YOUR DNS HERE> and <YOUR EMAIL HERE> with your environment’s values. Because --standalone makes certbot listen on port 80 itself, stop the MISP container (which publishes port 80) before running it.

$ certbot certonly --standalone -n -d <YOUR DNS HERE> --agree-tos --email <YOUR EMAIL HERE> --redirect

This should generate valid certificates under /etc/letsencrypt/live/<YOUR DNS HERE>/. Copy and rename the following files into some safe location that the user you’re running the dockerized MISP as can access (and that nobody else can read, since one of them is the private key): copy privkey.pem as misp.key and cert.pem as misp.crt.

You can start MISP using these keys with the following command; replace <LOCATION OF YOUR CERTS> with the absolute path to the directory holding the files you just copied.

$ docker run -it -d \
-p 443:443 \
-p 80:80 \
-p 3306:3306 \
-v <LOCATION OF YOUR CERTS>:/etc/ssl/private \
-v /docker/misp-db:/var/lib/mysql \
harvarditsecurity/misp

You should now be running MISP with HTTPS enabled.

Feeding MISP with example data.

Working with an empty MISP environment is pretty boring. Wouldn’t it be nice if you could fill it with some interesting test data? Well, luckily you can! The MISP project hosts several default MISP feeds that can be used as a source of correlations for your own events and attributes or, as in this case, for populating your MISP with some interesting data. For my use case the CIRCL OSINT Feed sounded most applicable, so I proceeded to fetch it with wget.

wget -nd -A json -r https://www.circl.lu/doc/misp/feed-osint/

Now that we have some data in the correct format for MISP, we need to somehow upload it to the database. This can easily be done, for example, with PyMISP, the Python client for the MISP REST API. You can install it using pip with the following command:

pip install pymisp

To upload the JSON files into your MISP environment you can use the following script. All that is needed is the address of the MISP instance you wish to populate, a MISP authentication key for a user with sufficient rights, and the absolute path to the folder we just downloaded the .json files into.

Fill all FIXME’s before running the code.
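The upload script embedded in the original post is not reproduced here, so what follows is an added example of my own (not the author’s script and not MISP project code) that does the same job with PyMISP: it walks the downloaded folder, keeps only real {"Event": ...} documents (the recursive wget also saves manifest.json), deduplicates by uuid and posts each event. MISP_URL, MISP_KEY, FEED_DIR and the optional misp parameter (which lets you pass in a ready-made client or a stub) are assumptions to fill in for your environment.

```python
import json
from pathlib import Path
# Placeholders for your environment (constructed values, not from the original post).
MISP_URL = "https://localhost"               # FIXME: base URL of the MISP instance
MISP_KEY = "FIXME-paste-your-misp-auth-key"  # FIXME: key of a user allowed to add events
FEED_DIR = "/absolute/path/to/feed-osint"    # FIXME: folder that wget filled with .json files
VERIFY_TLS = False  # a local test instance usually has a self-signed certificate


def load_feed_events(feed_dir):
    """Return {uuid: event_dict} for every MISP event file under feed_dir.

    The recursive wget also leaves manifest.json (and possibly other non-event
    files) in the folder, so anything that is not a {"Event": {...}} document
    with a uuid is skipped; a uuid seen twice keeps only its first copy so MISP
    is not asked to import the same event more than once.
    """
    events = {}
    for path in sorted(Path(feed_dir).glob("*.json")):
        try:
            with open(path, encoding="utf-8") as fh:
                doc = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed file: skip it rather than abort the run
        event = doc.get("Event") if isinstance(doc, dict) else None
        if isinstance(event, dict) and event.get("uuid"):
            events.setdefault(event["uuid"], event)
    return events


def upload_events(events, url=MISP_URL, key=MISP_KEY, verify=VERIFY_TLS, misp=None):
    """Add each event via the PyMISP client; returns (imported, failed) counts."""
    if misp is None:  # pass a ready client (or a stub) to skip building one here
        from pymisp import PyMISP  # imported lazily so parsing works without PyMISP
        misp = PyMISP(url, key, verify)
    imported, failed = 0, 0
    for event in events.values():
        response = misp.add_event({"Event": event})
        # PyMISP reports a rejected request as a dict with an "errors" entry,
        # e.g. when the uuid already exists on the server or the key lacks rights.
        if isinstance(response, dict) and "errors" in response:
            failed += 1
        else:
            imported += 1
    return imported, failed


if __name__ == "__main__":
    found = load_feed_events(FEED_DIR)
    print("loaded %d events; imported %d, failed %d" % ((len(found),) + upload_events(found)))
```

Run it once with the FIXMEs filled in; re-running is harmless, since MISP rejects an event whose uuid it already holds and the script just counts it as failed.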

Motivation for this blog post and the Cincan project.

We at the Cincan project were interested in further integrating MISP into our concurrent CI/CD incident sharing and malware analysis pipelines. The first step was to set up a MISP environment to play around with, and I was encouraged to document my progress in the form of a blog post. In the end I felt that this post might work better if it were divided into two parts: how to relatively quickly set up a MISP environment of your own with example data, and how to integrate MISP into one of our existing CI/CD malware analysis pipelines. If you somehow ended up reading this article without knowing what Cincan, MISP or CI/CD pipelines are in the context of incident sharing and malware analysis, and feel adventurous enough to educate yourself, here are some related links that might be helpful:

Cincan: Homepage of the Cincan project with an explanation on what we’re trying to do.

MISP: Homepage of the MISP project.

CI/CD: Our blog post about the subject.

Coming soon: Blog post about integrating MISP into an existing Cincan CI/CD malware analysis pipeline.

The aim of the Cincan project is to build shareable, repeatable & history preserving analysis pipelines using your favorite tools + CI + git + containers.

For more information about this project see our homepage.
