misp-takedown
A curses-style interface for automatic takedown notification based on MISP events.
A curses-style interface for generating automatic takedown notifications through RT/RTIR using MISP events as input.
Disclaimer
This code is a surprisingly well-working result of an experiment. However, the code needs improvements here and there. Also, the installation process regarding urlabuse, uwhoisd, MISP and RT/RTIR is not the most straightforward. We'd be happy to find contributors for code improvements and installation documentation. Both could be part of an internship at CIRCL. Reach out if you are interested.
Requirements
misp-takedown requires a MISP instance (API access) and:
Templates included
A series of notification templates are included, such as:
- Compromised website
- Malicious files hosted
It can be easily extended to match your abuse notification processes and/or templates.
Demo
What it looks like: video screencast
License
This software is licensed under the GNU Affero General Public License version 3.
- Copyright (C) 2017, 2018 Sascha Rommelfangen
- Copyright (C) 2017, 2018 CIRCL - Computer Incident Response Center Luxembourg