AIL-framework
Auto create MISP Events
I receive in my MISP server each day an Event labeled "Daily AIL-leaks".
It should work if you go to: https://YourAILInstance/PasteSubmit/edit_tag_export. Select the desired tags and apply the changes.
Thanks. I wondered if checking the desired tags at https://YourAILInstance/PasteSubmit/edit_tag_export would do the trick, but nothing has shown up in MISP. I checked "infoleak:automatic-detection="bitcoin-address"" and "infoleak:automatic-detection="credit-card"" a few days ago but still nothing in MISP. I have 20 entries in AIL that are tagged "infoleak:automatic-detection="bitcoin-address"" but nothing has been auto-pushed to MISP. Not sure if related, but the misp_the_hive_feeder queue in the Dashboard shows red/stuck.
Can you check via ssh what the state of your module is? To run the monitor: $ screen -r Script and press CTRL+a p or CTRL+a n to switch until you reach the monitor terminal. Inside the monitor, try to start the misp_the_hive_feeder module. If you have the following error:
bash: ./misp_the_hive_feeder.py: No such file or directory
bad news for you... I opened an issue for it: #256. My actual fix is to do a symlink on this file: AIL-framework/bin/MISP_The_Hive_feeder.py
Hope I helped you.
Hey @timhux123,
Can you give me the output of the bin/MISP_The_Hive_feeder.py script ?
If you used the bin/LAUNCH.sh script, you shouldn't have the same issue as #256.
If I run "./bin/MISP_The_Hive_feeder.py" from within the virtual env I get:
New event created: 46612
Connected to MISP: https://192.168.1.1
On the MISP server 1 event is created:
Event ID: 46612
Name: Daily AIL-leaks 2018-09-21
Tags: infoleak:output-format="ail-daily"
@timhux123 @FafnerKeyZee @Terrtia can you let me know how exactly you started running MISP and how to access its web interface? Every time I run ./MISP_The_Hive_feeder.py I just get:
Misp keys not present
The HIVE keys not present
Hey,
Rename for MISP /configs/keys/mispKEYS.py.sample to /config/keys/mispKEYS.py and complete the configuration. Do the same for TheHive and VT if you need it.
But there is no MISP instance with AIL, you have to use your own.
Best Regards,
So I have to install and run MISP separately? How will I be able to make a connection from AIL so that I can export my data to MISP? @FafnerKeyZee
Rename for MISP /configs/keys/mispKEYS.py.sample to /config/keys/mispKEYS.py and complete the configuration. Do the same for TheHive and VT if you need it.
I did this actually and changed the permission to 777 as well. But I still get that Misp keys not present output
So I have to install and run MISP separately?
Yes
But I still get that Misp keys not present output
When MISP is installed, please fill the config file with the domain/IP and your API key
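The two answers above come down to one thing: the feeder only runs once configs/keys/mispKEYS.py exists and is filled in. The following preflight check is an added example, not part of the AIL project or of this thread; it assumes the keys file defines misp_url, misp_key and misp_verifycert (the names the feeder script imports), flags the empty-keys case behind the "Misp keys not present" message, and also flags an http:// URL, disabled certificate checks, and a keys file that was made world-accessible (as with chmod 777 above), since the file holds a MISP API key.

```python
"""Preflight check for AIL's MISP keys file (added example, not AIL code).

Assumed: the keys module defines misp_url, misp_key and misp_verifycert.
"""
import importlib.util
import os
import stat
from pathlib import Path

REQUIRED = ("misp_url", "misp_key", "misp_verifycert")  # assumed names


def load_misp_keys(path):
    """Import the keys file as a module and return its settings, or None
    when the file is missing (the case behind 'Misp keys not present')."""
    p = Path(path)
    if not p.is_file():
        return None
    spec = importlib.util.spec_from_file_location("mispKEYS", p)
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
    return {k: getattr(mod, k, None) for k in REQUIRED}


def check_misp_keys(path):
    """Return a list of problems; an empty list means the feeder can run."""
    cfg = load_misp_keys(path)
    if cfg is None:
        return [f"{path} not found: copy mispKEYS.py.sample to mispKEYS.py"]
    problems = [f"{k} is not set" for k in REQUIRED if cfg[k] in (None, "")]
    url = cfg["misp_url"] or ""
    if url and not url.startswith("https://"):
        problems.append("misp_url is not https://; the API key would travel in clear")
    if cfg["misp_verifycert"] is False:
        problems.append("misp_verifycert is False: TLS certificate checks are off")
    # The file holds a secret: it should be readable by the AIL user only.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is group/world accessible (mode {mode:o}); use 600")
    return problems


if __name__ == "__main__":
    import sys
    keys = sys.argv[1] if len(sys.argv) > 1 else "configs/keys/mispKEYS.py"
    for line in check_misp_keys(keys) or ["ok"]:
        print(line)
```

Run it from the AIL root before starting the misp_the_hive_feeder module; each reported line maps to one of the fixes suggested in this thread.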
@FafnerKeyZee If I need to get alert feeds from MISP directly to AIL, do you know how I should do that?
Hi @annetteshajan !
Do you want to import some MISP objects in AIL ? Which objects do you want to import ?
Do you have an example ?
Yes, I did @Terrtia. For example, if I want to get some alerts regarding a particular CVE id, how exactly should I do that? Is it possible for MISP feeds regarding the particular CVE id to go directly to AIL without me uploading MISP object json files manually? @FafnerKeyZee
Hi @annetteshajan ! You can create a term tracker if you want to track all items that contain this CVE number. AIL doesn't support the import of CVE objects or attributes from a MISP event or feed.
I created two issues regarding the tracking/correlation on CVE numbers ail-project/ail-framework/issues/19 and ail-project/ail-framework/issues/18
Good point, we could indeed add in AIL a way to interact with a MISP feed, import objects or create trackers from a MISP feed ail-project/ail-framework/issues/20. However, I'll add this feature after the integration with the MISP modules.