Implementing a SOC: Installing TheHive, Cortex and MISP
In other posts we discussed what a SOC is and set ourselves the challenge of building an open-source SOC out of different open-source tools.
In this post we are going to set up three tools on a single virtual machine:
- TheHive:
  - OFFICIAL WEBSITE: https://thehive-project.org/
  - Description: manages alerts from their creation through to their closure
- Cortex:
  - OFFICIAL WEBSITE: https://thehive-project.org/
  - Description: analyses, through a web interface and its different analyzers, the observables that are detected (IPs, email addresses, URLs, domains, ...); it is normally used together with TheHive to provide an active response
- MISP:
  - OFFICIAL WEBSITE: https://www.misp-project.org/
  - Description: enables threat sharing; it is an open-source platform maintained by the Computer Incident Response Center Luxembourg (CIRCL) that lets you subscribe to threat intelligence feeds
These tools can coexist on the same machine if we deploy them on Docker, for example, or if the installation is not done with the automatic script, and they can be linked to each other, which simplifies our infrastructure. In my case, since I have limited resources in a small environment, I am going to create one machine with the following characteristics:
- 4 vCPUs, 64 GB of disk and 16 GB of RAM in an Ubuntu 22.04 LXC
- Communication ports:
  - TheHive -> TCP 9000
  - Cortex -> TCP 9001
  - MISP -> 443
  - SSH -> TCP 22
TheHive, Cortex and MISP requirements
According to each project's official documentation, the requirements depend on the number of concurrent users who will be using the products. We will take TheHive's minimum as the reference, but both Cortex and MISP recommend at least 16 GB of RAM:
Here is a calculator you may find useful:
Installing TheHive, Cortex and MISP on Ubuntu 22.04 under Proxmox
Before starting, we update the system and install the requirements:
```
root@MISP01:~# apt update
root@MISP01:~# apt upgrade -y
root@MISP01:~# apt install wget gnupg2 apt-transport-https git ca-certificates curl jq software-properties-common lsb-release python3-pip iproute2 -y
```
Installing TheHive 5 on Ubuntu 20.04
DOCUMENTATION:
- https://docs.thehive-project.org/thehive/legacy/thehive3/installation/install-guide/
- https://docs.strangebee.com/thehive/setup/#installation-guides
We will use the automated script (the manual process is documented at https://docs.strangebee.com/thehive/setup/installation/step-by-step-guide/#installation_1):
```
wget -q -O /tmp/install.sh https://archives.strangebee.com/scripts/install.sh ; sudo -v ; bash /tmp/install.sh
```
We choose option 2:
The script starts the installation of TheHive 5.1 and its dependencies (Apache Cassandra 4.0.x and Elasticsearch 7.x):
When it finishes you can see the URL http://10.0.0.12:9000
If we open the URL we see the login page:
The default user for TheHive is:
- Login: admin@thehive.local
- Password: secret
You will need to activate a licence for a large environment; for this lab I will use the community licence that comes by default. You can see its features:
The code to generate the licence can be found from the menu Platform Management -> License -> License Management:
Installing Cortex on Ubuntu
DOCUMENTATION:
- https://docs.thehive-project.org/cortex/#installation-and-configuration-guides
- https://docs.strangebee.com/thehive/setup/#installation-guides
- https://www.howtoforge.com/how-to-install-cortex-on-ubuntu-22-04/
I am going to show you two installation methods. On the one hand, we could follow the same process as for TheHive and install Cortex by running the script again, this time choosing option 3. The problem with this method is that it cannot be done on the same machine:
```
wget -q -O /tmp/install.sh https://archives.strangebee.com/scripts/install.sh ; sudo -v ; bash /tmp/install.sh
```
To do it on the same machine we follow these commands, which is a more manual process:
```
root@MISP01:~# wget -qO- "https://raw.githubusercontent.com/TheHive-Project/Cortex/master/PGP-PUBLIC-KEY" | gpg --dearmor -o /etc/apt/trusted.gpg.d/cortex.gpg
root@MISP01:~# wget -qO- https://raw.githubusercontent.com/TheHive-Project/Cortex/master/PGP-PUBLIC-KEY | gpg --dearmor -o /etc/apt/trusted.gpg.d/thehive.gpg
root@MISP01:~# echo 'deb https://deb.thehive-project.org release main' | tee -a /etc/apt/sources.list.d/thehive-project.list
deb https://deb.thehive-project.org release main
root@MISP01:~# apt update -y
Hit:1 https://apt.corretto.aws stable InRelease
Hit:2 https://artifacts.elastic.co/packages/7.x/apt stable InRelease
Get:3 https://deb.thehive-project.org release InRelease [2582 B]
Get:4 https://deb.thehive-project.org release/main amd64 Packages [1218 B]
Hit:5 https://deb.strangebee.com thehive-5.2 InRelease
Hit:7 http://archive.ubuntu.com/ubuntu jammy InRelease
Get:8 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
Get:9 http://archive.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Hit:6 https://apache.jfrog.io/artifactory/cassandra-deb 40x InRelease
Fetched 233 kB in 2s (133 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
root@MISP01:~# apt install cortex -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  alsa-topology-conf alsa-ucm-conf ca-certificates-java default-jre-headless libasound2 libasound2-data libavahi-client3 libavahi-common-data libavahi-common3 libcups2 libgraphite2-3 libharfbuzz0b liblcms2-2 libnspr4 libnss3 libpcsclite1 openjdk-11-jre-headless
...
0 upgraded, 18 newly installed, 0 to remove and 0 not upgraded.
Need to get 150 MB of archives.
After this operation, 290 MB of additional disk space will be used.
...
Get:2 https://deb.thehive-project.org release/main amd64 cortex all 3.1.8-1 [105 MB]
...
Setting up cortex (3.1.8-1) ...
Creating system group: cortex
Creating system user: cortex in cortex with cortex daemon-user and shell /bin/false
...
root@MISP01:~# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1
fx5hbiI2YM8MBNx6ZLmUmCnYJmw59lQPdKRNChskEjLmTD9hJhdyjQfYeaQjFD34
```
We uncomment the line and edit it in the file (nano /etc/cortex/application.conf), replacing the value with the string generated above:
```
play.http.secret.key="CARACTERES"
```
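As an added example, not code from the original post or from the Cortex project: the two steps above (generate a 64-character key, then uncomment and edit the play.http.secret.key line) as one idempotent shell function, run here against a constructed copy of the relevant lines of application.conf rather than the real file. The helper names and the 64-character minimum are my own choices.

```shell
#!/usr/bin/env bash
# Added example: generate a Play secret for Cortex and write it into
# application.conf without hand-editing. Not part of the original post.
set -eu

# Same idea as the post's generator (alphanumeric characters from /dev/urandom),
# written without an early-exiting `head` so no stage is killed by SIGPIPE.
gen_secret() {
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | cut -c1-64
}

# set_cortex_secret CONFIG_FILE [SECRET]
# Rewrites (or uncomments) the play.http.secret.key line with SECRET, generating
# one if none is given, and appends the line if the file has none. Rejects
# secrets shorter than 64 characters or containing non-alphanumerics (a lab
# threshold chosen here to match the post's `fold -w 64`).
set_cortex_secret() {
    local conf="$1"
    local secret="${2:-$(gen_secret)}"
    if [ "${#secret}" -lt 64 ]; then
        echo "secret too short (${#secret} chars, need 64)" >&2
        return 1
    fi
    case "$secret" in
        *[!a-zA-Z0-9]*) echo "secret must be alphanumeric" >&2; return 1 ;;
    esac
    # Match an optional leading '#' so the commented template line is replaced
    # in place instead of being left next to a second, active copy.
    if grep -Eq '^[[:space:]]*#?[[:space:]]*play\.http\.secret\.key[[:space:]]*=' "$conf"; then
        sed -Ei "s|^[[:space:]]*#?[[:space:]]*play\.http\.secret\.key[[:space:]]*=.*|play.http.secret.key=\"${secret}\"|" "$conf"
    else
        printf 'play.http.secret.key="%s"\n' "$secret" >> "$conf"
    fi
    # The file now holds a secret: keep it unreadable to other local users
    # (on the real host it should be owned by root with the cortex group).
    chmod o-rwx "$conf"
}

# get_cortex_secret CONFIG_FILE: prints the active (uncommented) secret value.
get_cortex_secret() {
    sed -En 's|^[[:space:]]*play\.http\.secret\.key[[:space:]]*=[[:space:]]*"([^"]*)".*|\1|p' "$1" | head -n 1
}

# demo_conf: writes a constructed copy of the relevant application.conf lines
# to a temporary file and prints its path (the real config is not touched).
demo_conf() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# Secret key
# The secret key is used to secure cryptographic functions.
# WARNING: If you deploy your application to several instances be sure to use the same key!
#play.http.secret.key="CARACTERES"
EOF
    echo "$tmp"
}
```

Running `set_cortex_secret /etc/cortex/application.conf` on the host does the generate-and-edit step in one go; `get_cortex_secret` lets you confirm the value that is actually in effect.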
We enable the service:
```
root@MISP01:~# systemctl enable --now cortex
Synchronizing state of cortex.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable cortex
Created symlink /etc/systemd/system/multi-user.target.wants/cortex.service -> /etc/systemd/system/cortex.service.
```
And we check it:
```
root@MISP01:~# systemctl status cortex
* cortex.service - cortex
     Loaded: loaded (/etc/systemd/system/cortex.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-02-21 19:35:39 UTC; 26s ago
       Docs: https://thehive-project.org
   Main PID: 9464 (java)
      Tasks: 47 (limit: 76811)
     Memory: 568.0M
        CPU: 12.416s
     CGroup: /system.slice/cortex.service
             `-9464 java -Duser.dir=/opt/cortex -Dconfig.file=/etc/cortex/application.conf -Dlogger.file=/etc/cortex/logba>

Feb 05 19:35:39 MISP01 systemd[1]: Started cortex.
```
We check that it is listening on port 9001:
```
root@MISP01:~# ss -antpl | grep 9001
LISTEN 0      100          *:9001             *:*    users:(("java",pid=9464,fd=214))
```
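As an added example (my own code, not from the post): the same ss check extended to every port in the lab plan above (22, 443, 9000, 9001), run here against constructed ss output, and also reporting which of those listeners are bound to all interfaces rather than localhost, which is what decides whether the service is reachable from outside the host. Function names and the sample lines are assumptions.

```shell
#!/usr/bin/env bash
# Added example: verify the lab's expected listeners from `ss -antpl` output.
# Not part of the original post.
set -eu

# Ports from the lab plan in the post: SSH, MISP, TheHive, Cortex.
EXPECTED_PORTS="22 443 9000 9001"

# listening_ports SS_OUTPUT: prints "PORT ADDRESS" for every LISTEN socket.
# The port is the text after the last ':' of the Local Address:Port column,
# so IPv6 forms such as [::]:22 are handled as well.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print port, addr }'
}

# missing_ports SS_OUTPUT: prints expected ports with no LISTEN socket at all.
missing_ports() {
    local listening p
    listening=$(listening_ports "$1" | awk '{ print $1 }')
    for p in $EXPECTED_PORTS; do
        printf '%s\n' "$listening" | grep -qx "$p" || echo "$p"
    done
}

# wildcard_ports SS_OUTPUT: prints expected ports bound to all interfaces
# (*, 0.0.0.0 or [::]). These are the listeners exposed beyond localhost and
# therefore the ones to put behind the host firewall or a reverse proxy.
wildcard_ports() {
    listening_ports "$1" | awk -v want="$EXPECTED_PORTS" '
        BEGIN { split(want, w, " "); for (i in w) want_set[w[i]] = 1 }
        ($1 in want_set) && ($2 == "*" || $2 == "0.0.0.0" || $2 == "[::]") { print $1 }'
}

# Constructed sample in the format of `ss -antpl` (the 9001 line mirrors the
# post's real output; the other lines are made up for the demo).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      100    *:9001              *:*               users:(("java",pid=9464,fd=214))
LISTEN 0      100    *:9000              *:*               users:(("java",pid=9102,fd=210))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=712,fd=3))
LISTEN 0      511    127.0.0.1:9200      0.0.0.0:*         users:(("java",pid=8201,fd=300))'

# On the real host: missing_ports "$(ss -antpl)" and wildcard_ports "$(ss -antpl)".
# On the sample above, 443 is reported missing (MISP not yet installed at this
# point of the walkthrough) and 22, 9000 and 9001 are bound to all interfaces.
```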
We open the URL "http://10.0.0.12:9001" and click UPDATE DATABASE:
And we create the administrator user:
We check that we can log in:
We create a new organisation and a user inside it:
We generate an API key for the user:
Installing MISP on Ubuntu
DOCUMENTATION: https://misp.github.io/MISP/xINSTALL.ubuntu2204.html
We need a user other than root to run it:
```
root@MISP01:/tmp# useradd -m elblogdenegu
root@MISP01:/tmp# passwd elblogdenegu
New password:
Retype new password:
passwd: password updated successfully
```
We download the script:
```
elblogdenegu@MISP01:~$ wget https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh
--2024-02-04 18:34:49--  https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.108.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 161265 (157K) [text/plain]
Saving to: ‘INSTALL.sh’

INSTALL.sh          100%[===================================================>] 157.49K  --.-KB/s    in 0.05s

2024-02-04 18:34:49 (3.38 MB/s) - ‘INSTALL.sh’ saved [161265/161265]
```
We give the script execute permissions:
```
elblogdenegu@MISP01:~$ chmod 755 INSTALL.sh
elblogdenegu@MISP01:~$ ls -l
total 69
-rwxr-xr-x 1 elblogdenegu elblogdenegu 161265 Feb 04 18:34 INSTALL.sh
```
We launch the installation; it will ask for the user's credentials and to create a user called MISP:
```
elblogdenegu@MISP01:~$ ./INSTALL.sh -c -D
......
```
path for file I/O - this path may not support large files.") | ^~~~~~~ [ 45%] Building C object src/lib/CMakeFiles/faupl.dir/miniz/miniz_tinfl.c.o [ 47%] Building C object src/lib/CMakeFiles/faupl.dir/miniz/miniz_tdef.c.o [ 49%] Building C object src/lib/CMakeFiles/faupl.dir/b64/cencode.c.o [ 50%] Building C object src/lib/CMakeFiles/faupl.dir/b64/cdecode.c.o [ 52%] Building C object src/lib/CMakeFiles/faupl.dir/hash/hash.c.o [ 54%] Building C object src/lib/CMakeFiles/faupl.dir/hash/htable.c.o [ 56%] Building C object src/lib/CMakeFiles/faupl.dir/datadir.c.o [ 58%] Building C object src/lib/CMakeFiles/faupl.dir/decode.c.o [ 60%] Building C object src/lib/CMakeFiles/faupl.dir/features.c.o [ 62%] Building C object src/lib/CMakeFiles/faupl.dir/faup.c.o [ 64%] Building C object src/lib/CMakeFiles/faupl.dir/options.c.o [ 66%] Building C object src/lib/CMakeFiles/faupl.dir/output.c.o [ 67%] Building C object src/lib/CMakeFiles/faupl.dir/portable.c.o [ 69%] Building C object src/lib/CMakeFiles/faupl.dir/snapshot.c.o [ 71%] Building C object src/lib/CMakeFiles/faupl.dir/snapshot-file.c.o [ 73%] Building C object src/lib/CMakeFiles/faupl.dir/tld.c.o [ 75%] Building C object src/lib/CMakeFiles/faupl.dir/tld-tree.c.o [ 77%] Building C object src/lib/CMakeFiles/faupl.dir/utils.c.o [ 79%] Linking C shared library libfaupl.so [ 79%] Built target faupl [ 81%] Building C object src/tools/CMakeFiles/faup.dir/faup.c.o In file included from /usr/include/signal.h:25, from /tmp/faup/src/tools/faup.c:11: /usr/include/features.h:194:3: warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE" [-Wcpp] 194 | # warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE" | ^~~~~~~ [ 83%] Building C object src/tools/CMakeFiles/faup.dir/shell.c.o [ 84%] Linking C executable faup [ 84%] Built target faup [ 86%] Building C object src/tests/CMakeFiles/issue36.dir/issue36.c.o [ 88%] Linking C executable issue36 [ 88%] Built target issue36 [ 90%] Building 
C object src/tests/CMakeFiles/issue120.dir/issue120.c.o [ 92%] Linking C executable issue120 [ 92%] Built target issue120 [ 94%] Building C object src/tests/CMakeFiles/snapshot.dir/snapshot.c.o [ 96%] Linking C executable snapshot [ 96%] Built target snapshot [ 98%] Building C object src/tests/CMakeFiles/hashtable.dir/hashtable.c.o [100%] Linking C executable hashtable [100%] Built target hashtable Consolidate compiler generated dependencies of target faup_static [ 39%] Built target faup_static Consolidate compiler generated dependencies of target faupl [ 79%] Built target faupl Consolidate compiler generated dependencies of target faup [ 84%] Built target faup Consolidate compiler generated dependencies of target issue36 [ 88%] Built target issue36 Consolidate compiler generated dependencies of target issue120 [ 92%] Built target issue120 Consolidate compiler generated dependencies of target snapshot [ 96%] Built target snapshot Consolidate compiler generated dependencies of target hashtable [100%] Built target hashtable Install the project... 
-- Install configuration: "Debug" -- Installing: /usr/local/lib/pkgconfig/faup.pc -- Installing: /usr/local/include/faup/version.h -- Installing: /usr/local/share/man/man1/faup.1 -- Installing: /usr/local/share/faup/mozilla.tlds -- Installing: /usr/local/share/faup/README.txt -- Installing: /usr/local/lib/libfaupl.so.1 -- Installing: /usr/local/lib/libfaupl.so -- Installing: /usr/local/include/faup/compat.h -- Installing: /usr/local/include/faup/datadir.h -- Installing: /usr/local/include/faup/decode.h -- Installing: /usr/local/include/faup/errors.h -- Installing: /usr/local/include/faup/faup.h -- Installing: /usr/local/include/faup/features.h -- Installing: /usr/local/include/faup/handler.h -- Installing: /usr/local/include/faup/options.h -- Installing: /usr/local/include/faup/output.h -- Installing: /usr/local/include/faup/portable.h -- Installing: /usr/local/include/faup/return-codes.h -- Installing: /usr/local/include/faup/scheme-codes.h -- Installing: /usr/local/include/faup/snapshot.h -- Installing: /usr/local/include/faup/snapshot-file.h -- Installing: /usr/local/include/faup/tld.h -- Installing: /usr/local/include/faup/tld-tree.h -- Installing: /usr/local/include/faup/urllengths.h -- Installing: /usr/local/include/faup/utils.h -- Installing: /usr/local/include/faup/webserver.h -- Installing: /usr/local/share/faup/modules_available/emulation_ie.lua -- Installing: /usr/local/share/faup/modules_available/ipv4toint.lua -- Installing: /usr/local/share/faup/modules_available/printcsv.lua -- Installing: /usr/local/share/faup/modules_available/redis-url-threatintel.lua -- Installing: /usr/local/share/faup/modules_available/writeall.lua -- Installing: /usr/local/share/faup/modules_available/writeinput.lua -- Installing: /usr/local/share/faup/modules_available/uppercase.lua -- Installing: /usr/local/share/faup/modules_enabled -- Installing: /usr/local/bin/faup -- Set runtime path of "/usr/local/bin/faup" to "" apt is maybe locked, waiting 3 seconds. 
Collecting git+https://github.com/kbandla/pydeep.git Cloning https://github.com/kbandla/pydeep.git to /tmp/pip-req-build-65wqqg7s Running command git clone --filter=blob:none --quiet https://github.com/kbandla/pydeep.git /tmp/pip-req-build-65wqqg7s Resolved https://github.com/kbandla/pydeep.git to commit 010b444245bf66545119ce7dc561ee36a62dd5f5 Preparing metadata (setup.py) ... done Building wheels for collected packages: pydeep Building wheel for pydeep (setup.py) ... done Created wheel for pydeep: filename=pydeep-0.4-cp310-cp310-linux_x86_64.whl size=12196 sha256=57f452d98d49a954d626bcba0a3d2f697bad7050c422ad22fd6329c1e29bc87d Stored in directory: /tmp/pip-ephem-wheel-cache-2caxqh5r/wheels/09/48/d1/0aa73f65971f20d70caad445493e9c5b2392e2aa6c0d7d0400 Successfully built pydeep Installing collected packages: pydeep Successfully installed pydeep-0.4 Collecting lief Downloading lief-0.14.1-cp310-cp310-manylinux_2_28_x86_64.manylinux_2_27_x86_64.whl (2.7 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.7/2.7 MB 36.0 MB/s eta 0:00:00 Installing collected packages: lief Successfully installed lief-0.14.1 Collecting zmq Downloading zmq-0.0.0.zip (2.2 kB) Preparing metadata (setup.py) ... done Collecting redis Downloading redis-5.0.1-py3-none-any.whl (250 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 250.3/250.3 KB 5.9 MB/s eta 0:00:00 Collecting pyzmq Downloading pyzmq-25.1.2-cp310-cp310-manylinux_2_28_x86_64.whl (1.1 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.1/1.1 MB 9.3 MB/s eta 0:00:00 Collecting async-timeout>=4.0.2 Downloading async_timeout-4.0.3-py3-none-any.whl (5.7 kB) Building wheels for collected packages: zmq Building wheel for zmq (setup.py) ... 
done Created wheel for zmq: filename=zmq-0.0.0-py3-none-any.whl size=1275 sha256=4e97e8814d0f0b1df9c5342781beaccc0affb3d2531a0501293cdbce03c0a627 Stored in directory: /var/www/.cache/pip/wheels/ab/c5/fe/d853f71843cae26c123d37a7a5934baac20fc66f35a913951d Successfully built zmq Installing collected packages: pyzmq, async-timeout, zmq, redis Successfully installed async-timeout-4.0.3 pyzmq-25.1.2 redis-5.0.1 zmq-0.0.0 Collecting python-magic Downloading python_magic-0.4.27-py2.py3-none-any.whl (13 kB) Installing collected packages: python-magic Successfully installed python-magic-0.4.27 Collecting plyara Downloading plyara-2.1.1-py3-none-any.whl (23 kB) Collecting ply>=3.11 Downloading ply-3.11-py2.py3-none-any.whl (49 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 49.6/49.6 KB 5.2 MB/s eta 0:00:00 Installing collected packages: ply, plyara Successfully installed ply-3.11 plyara-2.1.1 ############################# (28%) Next step: Installing CakePHP No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information. 
```text
Loading composer repositories with package information
Updating dependencies
Lock file operations: 70 installs, 0 updates, 0 removals
  - Locking bacon/bacon-qr-code (2.0.8)
  - Locking beberlei/assert (v3.3.2)
  - Locking browscap/browscap-php (5.1.0)
  - Locking cakephp/debug_kit (2.2.9)
  - Locking composer/ca-bundle (1.4.0)
  - Locking composer/installers (v1.12.0)
  - Locking dasprid/enum (1.0.5)
  - Locking daverandom/exceptional-json (v1.0.4)
  - Locking doctrine/cache (1.13.0)
  - Locking doctrine/instantiator (1.5.0)
  - Locking geoip2/geoip2 (v2.13.0)
  - Locking guzzlehttp/guzzle (7.8.1)
  - Locking guzzlehttp/promises (2.0.2)
  - Locking guzzlehttp/psr7 (2.6.2)
  - Locking kamisama/cake-resque (4.1.2)
  - Locking kamisama/monolog-init (0.2.1)
  - Locking kamisama/php-resque-ex (1.3.0)
  - Locking kamisama/php-resque-ex-scheduler (1.2.3)
  - Locking kamisama/resque-status (0.0.2)
  - Locking maxmind-db/reader (v1.11.1)
  - Locking maxmind/web-service-common (v0.9.0)
  - Locking monolog/monolog (1.25.3)
  - Locking myclabs/deep-copy (1.11.1)
  - Locking paragonie/constant_time_encoding (v2.6.3)
  - Locking pear/console_commandline (v1.2.6)
  - Locking pear/crypt_gpg (v1.6.7)
  - Locking pear/pear_exception (v1.0.2)
  - Locking phar-io/manifest (2.0.3)
  - Locking phar-io/version (3.2.1)
  - Locking php-parallel-lint/php-parallel-lint (v1.3.2)
  - Locking phpunit/php-code-coverage (7.0.15)
  - Locking phpunit/php-file-iterator (2.0.5)
  - Locking phpunit/php-text-template (1.2.1)
  - Locking phpunit/php-timer (2.1.3)
  - Locking phpunit/php-token-stream (4.0.4)
  - Locking phpunit/phpunit (8.5.36)
  - Locking psr/container (1.1.2)
  - Locking psr/http-client (1.0.3)
  - Locking psr/http-factory (1.0.2)
  - Locking psr/http-message (2.0)
  - Locking psr/log (1.1.4)
  - Locking psr/simple-cache (1.0.1)
  - Locking ralouphie/getallheaders (3.0.3)
  - Locking roave/doctrine-simplecache (2.5.0)
  - Locking sebastian/code-unit-reverse-lookup (1.0.2)
  - Locking sebastian/comparator (3.0.5)
  - Locking sebastian/diff (3.0.4)
  - Locking sebastian/environment (4.2.4)
  - Locking sebastian/exporter (3.1.5)
  - Locking sebastian/global-state (3.0.3)
  - Locking sebastian/object-enumerator (3.0.4)
  - Locking sebastian/object-reflector (1.1.2)
  - Locking sebastian/recursion-context (3.0.1)
  - Locking sebastian/resource-operations (2.0.2)
  - Locking sebastian/type (1.1.4)
  - Locking sebastian/version (2.0.1)
  - Locking spomky-labs/otphp (v10.0.3)
  - Locking symfony/console (v5.4.35)
  - Locking symfony/deprecation-contracts (v2.5.2)
  - Locking symfony/filesystem (v5.4.35)
  - Locking symfony/polyfill-ctype (v1.29.0)
  - Locking symfony/polyfill-intl-grapheme (v1.29.0)
  - Locking symfony/polyfill-intl-normalizer (v1.29.0)
  - Locking symfony/polyfill-mbstring (v1.29.0)
  - Locking symfony/polyfill-php73 (v1.29.0)
  - Locking symfony/polyfill-php80 (v1.29.0)
  - Locking symfony/service-contracts (v2.5.2)
  - Locking symfony/string (v5.4.35)
  - Locking thecodingmachine/safe (v1.3.3)
  - Locking theseer/tokenizer (1.2.2)
Writing lock file
Installing dependencies from lock file
Package operations: 45 installs, 0 updates, 0 removals
  - Downloading composer/installers (v1.12.0)
  - Downloading dasprid/enum (1.0.5)
  - Downloading bacon/bacon-qr-code (2.0.8)
  - Downloading symfony/polyfill-php80 (v1.29.0)
  - Downloading symfony/polyfill-mbstring (v1.29.0)
  - Downloading symfony/polyfill-ctype (v1.29.0)
  - Downloading symfony/filesystem (v5.4.35)
  - Downloading symfony/polyfill-intl-normalizer (v1.29.0)
  - Downloading symfony/polyfill-intl-grapheme (v1.29.0)
  - Downloading symfony/string (v5.4.35)
  - Downloading symfony/deprecation-contracts (v2.5.2)
  - Downloading psr/container (1.1.2)
  - Downloading symfony/service-contracts (v2.5.2)
  - Downloading symfony/polyfill-php73 (v1.29.0)
  - Downloading symfony/console (v5.4.35)
  - Downloading psr/simple-cache (1.0.1)
  - Downloading doctrine/cache (1.13.0)
  - Downloading roave/doctrine-simplecache (2.5.0)
  - Downloading psr/log (1.1.4)
  - Downloading monolog/monolog (1.25.3)
  - Downloading psr/http-message (2.0)
  - Downloading psr/http-client (1.0.3)
  - Downloading ralouphie/getallheaders (3.0.3)
  - Downloading psr/http-factory (1.0.2)
  - Downloading guzzlehttp/psr7 (2.6.2)
  - Downloading guzzlehttp/promises (2.0.2)
  - Downloading guzzlehttp/guzzle (7.8.1)
  - Downloading daverandom/exceptional-json (v1.0.4)
  - Downloading browscap/browscap-php (5.1.0)
  - Downloading composer/ca-bundle (1.4.0)
  - Downloading maxmind/web-service-common (v0.9.0)
  - Downloading maxmind-db/reader (v1.11.1)
  - Downloading geoip2/geoip2 (v2.13.0)
  - Downloading kamisama/resque-status (0.0.2)
  - Downloading kamisama/monolog-init (0.2.1)
  - Downloading kamisama/php-resque-ex (1.3.0)
  - Downloading kamisama/php-resque-ex-scheduler (1.2.3)
  - Downloading kamisama/cake-resque (4.1.2)
  - Downloading pear/pear_exception (v1.0.2)
  - Downloading pear/console_commandline (v1.2.6)
  - Downloading pear/crypt_gpg (v1.6.7)
  - Downloading thecodingmachine/safe (v1.3.3)
  - Downloading paragonie/constant_time_encoding (v2.6.3)
  - Downloading beberlei/assert (v3.3.2)
  - Downloading spomky-labs/otphp (v10.0.3)
  - Installing composer/installers (v1.12.0): Extracting archive
  - Installing dasprid/enum (1.0.5): Extracting archive
  - Installing bacon/bacon-qr-code (2.0.8): Extracting archive
  - Installing symfony/polyfill-php80 (v1.29.0): Extracting archive
  - Installing symfony/polyfill-mbstring (v1.29.0): Extracting archive
  - Installing symfony/polyfill-ctype (v1.29.0): Extracting archive
  - Installing symfony/filesystem (v5.4.35): Extracting archive
  - Installing symfony/polyfill-intl-normalizer (v1.29.0): Extracting archive
  - Installing symfony/polyfill-intl-grapheme (v1.29.0): Extracting archive
  - Installing symfony/string (v5.4.35): Extracting archive
  - Installing symfony/deprecation-contracts (v2.5.2): Extracting archive
  - Installing psr/container (1.1.2): Extracting archive
  - Installing symfony/service-contracts (v2.5.2): Extracting archive
  - Installing symfony/polyfill-php73 (v1.29.0): Extracting archive
  - Installing symfony/console (v5.4.35): Extracting archive
  - Installing psr/simple-cache (1.0.1): Extracting archive
  - Installing doctrine/cache (1.13.0): Extracting archive
  - Installing roave/doctrine-simplecache (2.5.0): Extracting archive
  - Installing psr/log (1.1.4): Extracting archive
  - Installing monolog/monolog (1.25.3): Extracting archive
  - Installing psr/http-message (2.0): Extracting archive
  - Installing psr/http-client (1.0.3): Extracting archive
  - Installing ralouphie/getallheaders (3.0.3): Extracting archive
  - Installing psr/http-factory (1.0.2): Extracting archive
  - Installing guzzlehttp/psr7 (2.6.2): Extracting archive
  - Installing guzzlehttp/promises (2.0.2): Extracting archive
  - Installing guzzlehttp/guzzle (7.8.1): Extracting archive
  - Installing daverandom/exceptional-json (v1.0.4): Extracting archive
  - Installing browscap/browscap-php (5.1.0): Extracting archive
  - Installing composer/ca-bundle (1.4.0): Extracting archive
  - Installing maxmind/web-service-common (v0.9.0): Extracting archive
  - Installing maxmind-db/reader (v1.11.1): Extracting archive
  - Installing geoip2/geoip2 (v2.13.0): Extracting archive
  - Installing kamisama/resque-status (0.0.2): Extracting archive
  - Installing kamisama/monolog-init (0.2.1): Extracting archive
  - Installing kamisama/php-resque-ex (1.3.0): Extracting archive
  - Installing kamisama/php-resque-ex-scheduler (1.2.3): Extracting archive
  - Installing kamisama/cake-resque (4.1.2): Extracting archive
  - Installing pear/pear_exception (v1.0.2): Extracting archive
  - Installing pear/console_commandline (v1.2.6): Extracting archive
  - Installing pear/crypt_gpg (v1.6.7): Extracting archive
  - Installing thecodingmachine/safe (v1.3.3): Extracting archive
  - Installing paragonie/constant_time_encoding (v2.6.3): Extracting archive
  - Installing beberlei/assert (v3.3.2): Extracting archive
  - Installing spomky-labs/otphp (v10.0.3): Extracting archive
39 package suggestions were added by new dependencies, use `composer suggest` to see details.
Package kamisama/php-resque-ex is abandoned, you should avoid using it. No replacement was suggested.
Package kamisama/php-resque-ex-scheduler is abandoned, you should avoid using it. No replacement was suggested.
Package kamisama/resque-status is abandoned, you should avoid using it. No replacement was suggested.
Package phpunit/php-token-stream is abandoned, you should avoid using it. No replacement was suggested.
Generating optimized autoload files
17 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
################################# (32%)
Next step: Setting permissions
##################################### (36%)
Next step: Start mysql
Next step: Setting up database
######################################### (40%)
Next step: Generating Apache config, if this hangs, make sure you have enough entropy (install: haveged or wait)
[... openssl key-generation progress output (runs of . and + characters) ...]
-----
Module status disabled.
To activate the new configuration, you need to run:
  systemctl restart apache2
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2
Enabling module rewrite.
To activate the new configuration, you need to run:
  systemctl restart apache2
Enabling module headers.
To activate the new configuration, you need to run:
  systemctl restart apache2
Site 000-default disabled.
To activate the new configuration, you need to run:
  systemctl reload apache2
Enabling site default-ssl.
To activate the new configuration, you need to run:
  systemctl reload apache2
Site default-ssl disabled.
To activate the new configuration, you need to run:
  systemctl reload apache2
Enabling site misp-ssl.
To activate the new configuration, you need to run:
  systemctl reload apache2
############################################# (44%)
################################################# (48%)
Next step: Generating MISP config files
<?php
class DATABASE_CONFIG {
        public $default = array(
                'datasource' => 'Database/Mysql',
                //'datasource' => 'Database/Postgres',
                'persistent' => false,
                'host' => 'localhost',
                'login' => 'misp',
                'port' => 3306, // MySQL & MariaDB
                //'port' => 5432, // PostgreSQL
                'password' => '19404224d0dd0c71acce1058a3834f5c3763a8a06301796e7af3eba9394bac43',
                'database' => 'misp',
                'prefix' => '',
                'encoding' => 'utf8',
        );
}
##################################################### (52%)
gpg: directory '/var/www/MISP/.gnupg' created
gpg: keybox '/var/www/MISP/.gnupg/pubring.kbx' created
gpg: Generating a default key
gpg: /var/www/MISP/.gnupg/trustdb.gpg: trustdb created
gpg: key 83EC13CD4C31A16C marked as ultimately trusted
gpg: directory '/var/www/MISP/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/var/www/MISP/.gnupg/openpgp-revocs.d/419D046ED49F6A5043A9032A83EC13CD4C31A16C.rev'
gpg: done
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGXXJ38BDAC8hC7Oi+OwlZozQhI77ZCnsYmF4nfzqu28vV4gcPQIN4ZCUSxT
EYz6IcJo4NVl2GqJFB8SdwY1s+Ynhj525mvE2QBWt7UBUKCLU7K7NfYMzxJNMR6V
1e9BoCRGQkINae5aH2NphkvrVd77jDjvVzUkAh2U4YaBRa0E8mZRz9RVDBKNAnVR
oom65tp9DUeRcNhfDle7R3ugsCer05cfmsKzJgXWw4OnAAqiZtfpX58ItOZ3kbKh
ylJmHRGJztsiqoVhaOaoNHIReUdaqVGv8YMAecAUtMVysP55HFU9jcyVHJPxjpaS
IWmgIeJGaBHXI1YYue/cXVtpAhPu5vUB4sm1yEo2ZkJzi/blnlT7SmQ4zbXAdmtU
jdgpxE7R7wCcF49zKldKh3vU1Lw2vhbay69Qdt1Z0lsjAQfEesryjwY4qsRV8VoM
v8Nbzp548NlH18uzcGvL1dA4PGAjHHxKUjBIK0f2nZG1N/XwtlncbS7aoOD/ROcc
MDnmLSz1JuQnwCMAEQEAAbReQXV0b2dlbmVyYXRlZCBLZXkgKFdBUk5JTkc6IE1J
U1AgQXV0b0dlbmVyYXRlZCBLZXkgY29uc2lkZXIgdGhpcyBLZXkgVk9JRCEpIDxh
ZG1pbkBhZG1pbi50ZXN0PokBzgQTAQoAOBYhBEGdBG7Un2pQQ6kDKoPsE81MMaFs
BQJl1yd/AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEIPsE81MMaFs4/sL
/RaZslSUz4+KQuCS9oMYQKrO1wWCQiSqrEQlhAcTFEOn+eK3NiAKRsHyLD91GIIl
6pmS2sHvDPygwPrOR73wZuxIo1/MRzVRZr95ztc2KXsxbVZsqFzkioApTBLviAui
t0TNYXWMU0FsN1aXp4cEs4chRq5Cayudj0pfRh5dz8Hv87LgN9FxqkJBz9pqGnHz
5TQvhjV7KJ/C1F45JJIfxKn6swbCWqucWzt+0AK8yHRZBHstYS8cNoZu2RkwErbB
BCaMMGF5nPkWsoo5RrtfmgA5yc2h4HB/Vcm2YAgLs33Nq14xY7teWdJJoBAi2bpk
G/uEqxyRfZPGENeOYIsBGEYE3MiqXpUV2KRrM3Hhuam5bLiiC66W2UhcjPsGgeAL
qLQFUuECRWJXrARrB4Cp8ROKoth2Lbp0kb5fdgAbk5a3vif+uSfAqDIuYTUsZEg1
2kob9Zun601HgxJWL6L7MZ/FQH+vn2Y0bGEglWjCKm9u0xvQ7/Fn23Ht7jUZEKol
eLkBjQRl1yd/AQwAuvQRYb46B8nayxDWxV46N6KERQitsyVvlXGNluX/FnccQxVJ
yVU0ZJ9XQywRw3cv2I+84NRjtexg5xDT/d5ozF2bAW4sMe0FD1aOEKQXyJdBjrRu
6Bu6zJRxcqOKHYLhO4HEnW+YEpZmeFPQ9gPqP9zSdBbbnMDZWYIMzM/z/HpbF4oN
jMGqrtgqC4BKoUoBKEshEsQLtfosbxl9C95hYRICkUzp+VyJqHNf1rcsVKEOpw8s
0SmPt5agLOgRT6I7MwqdM1fhNRkUMBbnu9WhEN2KZpca2P+nPoyFzoXw6JLiD3Pf
/CPxV/4LIs6k/Pp7HTrFB6gaWgJfaAvmaHF+UhUfsOdthdXnXAuxOOlshpBQFetJ
m7oB/ZLBWIWFsm/35G7mCjgvV5p6jPnkrZ/UdnIET6ovvg4ltsr461X+uijD65TT
4dfBFJqvb7hHk0Q0hYRHqyZe2/4S/Ggpkwh5Vro8MY1QoGj9krY1XhcfsIPJkmk5
aLZo6p4P2B5yKjbVABEBAAGJAbYEGAEKACAWIQRBnQRu1J9qUEOpAyqD7BPNTDGh
bAUCZdcnfwIbDAAKCRCD7BPNTDGhbLtODAC3Fym3+S6xoByzS36zqehwIkIo0Q11
UxrUhnm9Tk7o3iw/FmMUqWg5bQRJr2BE70utQddqYDvqKG6VN+pA8NW63dkKx/P7
aWgC39RWGW7gVgndujWTQMjHMWqUMhIMsMFvVd8DbwIxaldqYBpRHAB8mYmwKa4n
067+x/P+iuUXUolVLPH9ZUxyI3GrG5cT5RmXrjzK8YmxUsdgp+a51Ly0n8+qgGcK
S5nVemJxdSimFMenHrzq0jkbtY0vGiV0J8FA39gdbx6mwHK17ZGgueUiu4aocYk2
l5yQT8cVmaxOlgflnysOJg2eAbC4MwCOPI2ThwgfaYhlXIDH3jDfV/B/ttfpm5Bg
Kny6VG+DxgYgGW1nyj+MBXVnFaV61NYwxey3EUFZCnrtJ/muOPiKg9hQ/q1xhauM
AY/svWD3+zfHOqoGch3PrUgA3o4lK0t6FDFrAoP+vQz15zTy1KEWuQrunu9hBpoT
xvkpAnnj9jOnnOqIvrP9IUdC2xl3REgc0cs=
=IJoB
-----END PGP PUBLIC KEY BLOCK-----
######################################################### (56%)
Next step: Setting up background workers
#!/bin/sh -e
exit 0
[Unit]
Description=MISP background workers
After=network.target

[Service]
Type=forking
User=www-data
Group=www-data
ExecStart=/var/www/MISP/app/Console/worker/start.sh
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
Created symlink /etc/systemd/system/multi-user.target.wants/misp-workers.service → /etc/systemd/system/misp-workers.service.
############################################################# (60%)
Next step: Running core Cake commands to set sane defaults for MISP
Warning: This method is deprecated. Next time please use `cake user init`.
TkzZLXZVODobFibjD1a6xSmw2RaONv2rpxAiobfm
Executing all updates to bring the database up to date with the current version.
Executing 62..................Done
Executing 63..................Done
Executing 64..................Done
Executing 65..................Done
Executing 66..................Done
Executing 67..................Done
Executing 68..................Done
Executing 69..................Done
Executing 70..................Done
Executing 71..................Done
Executing 72..................Done
Executing 73..................Done
Executing 74..................Done
Executing 75..................Done
Executing 76..................Done
Executing 77..................Done
Executing 78..................Done
Executing 79..................Done
Executing 80..................Done
Executing 81..................Done
Executing 82..................Done
Executing 83..................Done
Executing 84..................Done
Executing 85..................Done
Executing 86..................Done
Executing 87..................Done
Executing 88..................Done
Executing 89..................Done
Executing 90..................Done
Executing 91..................Done
Executing 92..................Done
Executing 93..................Done
Executing 94..................Done
Executing 95..................Done
Executing 96..................Done
Executing 97..................Done
Executing 98..................Done
Executing 99..................Done
Executing 100.................Done
Executing 101.................Done
Executing 102.................Done
Executing 103.................Done
Executing 104.................Done
Executing 105.................Done
Executing 106.................Done
Executing 107.................Done
Executing 108.................Done
Executing 109.................Done
Executing 110.................Done
Executing 111.................Done
Executing 112.................Done
Executing 113.................Done
Executing 114.................Done
Executing 115.................Done
Executing 116.................Done
Executing 117.................Done
Executing 118.................Done
Executing 119.................Done
Executing 120.................Done
All updates completed.
```
```text
Setting "MISP.python_bin" changed to "/var/www/MISP/venv/bin/python"
Setting "Session.autoRegenerate" changed to false
Setting "Session.timeout" changed to 600
Setting "Session.cookieTimeout" changed to 3600
Setting "MISP.tmpdir" changed to "/var/www/MISP/app/tmp"
Setting "GnuPG.email" changed to "admin@admin.test"
Setting "GnuPG.homedir" changed to "/var/www/MISP/.gnupg"
Setting "GnuPG.password" changed to "5bcd0ef89a99345dd42433084115781d460df59d71d1e41374d74ae9a9541951"
Setting "GnuPG.obscure_subject" changed to true
Setting "GnuPG.key_fetching_disabled" changed to false
Setting "GnuPG.binary" changed to "/usr/bin/gpg"
Setting "LinOTPAuth.enabled" changed to false
Setting "LinOTPAuth.baseUrl" changed to "https://<your-linotp-baseUrl>"
Setting "LinOTPAuth.realm" changed to "lino"
Setting "LinOTPAuth.verifyssl" changed to true
Setting "LinOTPAuth.mixedauth" changed to false
Setting "MISP.host_org_id" changed to 1
Setting "MISP.email" changed to "info@admin.test"
Setting "MISP.disable_emailing" changed to true
Setting "MISP.contact" changed to "info@admin.test"
Setting "MISP.disablerestalert" changed to true
Setting "MISP.showCorrelationsOnIndex" changed to true
Setting "MISP.default_event_tag_collection" changed to 0
Setting "Plugin.Cortex_services_enable" changed to false
Setting "Plugin.Cortex_services_url" changed to "http://127.0.0.1"
Setting "Plugin.Cortex_services_port" changed to 9000
Setting "Plugin.Cortex_timeout" changed to 120
Setting "Plugin.Cortex_authkey" changed to "false"
Setting "Plugin.Cortex_ssl_verify_peer" changed to false
Setting "Plugin.Cortex_ssl_verify_host" changed to false
Setting "Plugin.Cortex_ssl_allow_self_signed" changed to true
Setting "Plugin.Sightings_policy" changed to 0
Setting "Plugin.Sightings_anonymise" changed to false
Setting "Plugin.Sightings_anonymise_as" changed to 1
Setting "Plugin.Sightings_range" changed to 365
Setting "Plugin.Sightings_sighting_db_enable" changed to false
Setting "Plugin.ElasticSearch_logging_enable" changed to false
Setting "Plugin.S3_enable" changed to false
Setting "Plugin.CustomAuth_disable_logout" changed to false
Error: Setting "Plugin.RPZ_policy" change rejected. Provided value DROP is not a number.
Setting "Plugin.RPZ_walled_garden" changed to "127.0.0.1"
Setting "Plugin.RPZ_serial" changed to "$date00"
Setting "Plugin.RPZ_refresh" changed to "2h"
Setting "Plugin.RPZ_retry" changed to "30m"
Setting "Plugin.RPZ_expiry" changed to "30d"
Setting "Plugin.RPZ_minimum_ttl" changed to "1h"
Setting "Plugin.RPZ_ttl" changed to "1w"
Setting "Plugin.RPZ_ns" changed to "localhost."
Setting "Plugin.RPZ_ns_alt" changed to "false"
Setting "Plugin.RPZ_email" changed to "root.localhost"
Setting "Plugin.Kafka_enable" changed to false
Setting "Plugin.Kafka_brokers" changed to "kafka:9092"
Setting "Plugin.Kafka_rdkafka_config" changed to "/etc/rdkafka.ini"
Setting "Plugin.Kafka_include_attachments" changed to false
Setting "Plugin.Kafka_event_notifications_enable" changed to false
Setting "Plugin.Kafka_event_notifications_topic" changed to "misp_event"
Setting "Plugin.Kafka_event_publish_notifications_enable" changed to false
Setting "Plugin.Kafka_event_publish_notifications_topic" changed to "misp_event_publish"
Setting "Plugin.Kafka_object_notifications_enable" changed to false
Setting "Plugin.Kafka_object_notifications_topic" changed to "misp_object"
Setting "Plugin.Kafka_object_reference_notifications_enable" changed to false
Setting "Plugin.Kafka_object_reference_notifications_topic" changed to "misp_object_reference"
Setting "Plugin.Kafka_attribute_notifications_enable" changed to false
Setting "Plugin.Kafka_attribute_notifications_topic" changed to "misp_attribute"
Setting "Plugin.Kafka_shadow_attribute_notifications_enable" changed to false
Setting "Plugin.Kafka_shadow_attribute_notifications_topic" changed to "misp_shadow_attribute"
Setting "Plugin.Kafka_tag_notifications_enable" changed to false
Setting "Plugin.Kafka_tag_notifications_topic" changed to "misp_tag"
Setting "Plugin.Kafka_sighting_notifications_enable" changed to false
Setting "Plugin.Kafka_sighting_notifications_topic" changed to "misp_sighting"
Setting "Plugin.Kafka_user_notifications_enable" changed to false
Setting "Plugin.Kafka_user_notifications_topic" changed to "misp_user"
Setting "Plugin.Kafka_organisation_notifications_enable" changed to false
Setting "Plugin.Kafka_organisation_notifications_topic" changed to "misp_organisation"
Setting "Plugin.Kafka_audit_notifications_enable" changed to false
Setting "Plugin.Kafka_audit_notifications_topic" changed to "misp_audit"
Setting "Plugin.ZeroMQ_enable" changed to false
Setting "Plugin.ZeroMQ_host" changed to "127.0.0.1"
Setting "Plugin.ZeroMQ_port" changed to 50000
Setting "Plugin.ZeroMQ_redis_host" changed to "localhost"
Setting "Plugin.ZeroMQ_redis_port" changed to 6379
Setting "Plugin.ZeroMQ_redis_database" changed to "1"
Setting "Plugin.ZeroMQ_redis_namespace" changed to "mispq"
Setting "Plugin.ZeroMQ_event_notifications_enable" changed to false
Setting "Plugin.ZeroMQ_object_notifications_enable" changed to false
Setting "Plugin.ZeroMQ_object_reference_notifications_enable" changed to false
Setting "Plugin.ZeroMQ_attribute_notifications_enable" changed to false
Setting "Plugin.ZeroMQ_sighting_notifications_enable" changed to false
Setting "Plugin.ZeroMQ_user_notifications_enable" changed to false
Setting "Plugin.ZeroMQ_organisation_notifications_enable" changed to false
Setting "Plugin.ZeroMQ_include_attachments" changed to false
Setting "Plugin.ZeroMQ_tag_notifications_enable" changed to false
Setting "MISP.language" changed to "eng"
Setting "MISP.proposals_block_attributes" changed to false
Setting "MISP.redis_host" changed to "127.0.0.1"
Setting "MISP.redis_port" changed to 6379
Setting "MISP.redis_database" changed to 13
Setting "MISP.redis_password" changed to ""
Setting "MISP.ssdeep_correlation_threshold" changed to 40
Setting
```
"MISP.extended_alert_subject" changed to false Setting "MISP.default_event_threat_level" changed to "4" Setting "MISP.newUserText" changed to "Dear new MISP user,\n\nWe would hereby like to welcome you to the $org MISP community.\n\n Use the credentials below to log into MISP at $misp, where you will be prompted to manually change your password to something of your own choice.\n\nUsername: $username\nPassword: $password\n\nIf you have any questions, don't hesitate to contact us at: $contact.\n\nBest regards,\nYour $org MISP support team" Setting "MISP.passwordResetText" changed to "Dear MISP user,\n\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at $misp, where you will be prompted to manually change your password to something of your own choice.\n\nUsername: $username\nYour temporary password: $password\n\nIf you have any questions, don't hesitate to contact us at: $contact.\n\nBest regards,\nYour $org MISP support team" Setting "MISP.enableEventBlocklisting" changed to true Setting "MISP.enableOrgBlocklisting" changed to true Setting "MISP.log_client_ip" changed to true Setting "MISP.log_auth" changed to false Setting "MISP.log_user_ips" changed to true Setting "MISP.log_user_ips_authkeys" changed to true Setting "MISP.disableUserSelfManagement" changed to false Setting "MISP.disable_user_login_change" changed to false Setting "MISP.disable_user_password_change" changed to false Setting "MISP.disable_user_add" changed to false Setting "MISP.block_event_alert" changed to false Setting "MISP.block_event_alert_tag" changed to "no-alerts="true"" Setting "MISP.block_old_event_alert" changed to false Error: Setting "MISP.block_old_event_alert_age" change rejected. Provided value is not a number. Error: Setting "MISP.block_old_event_alert_by_date" change rejected. Provided value is not a number. 
Setting "MISP.event_alert_republish_ban" changed to false Setting "MISP.event_alert_republish_ban_threshold" changed to 5 Setting "MISP.event_alert_republish_ban_refresh_on_retry" changed to false Setting "MISP.incoming_tags_disabled_by_default" changed to false Setting "MISP.maintenance_message" changed to "Great things are happening! MISP is undergoing maintenance, but will return shortly. You can contact the administration at $email." Setting "MISP.footermidleft" changed to "This is an initial install" Setting "MISP.footermidright" changed to "Please configure and harden accordingly" Setting "MISP.welcome_text_top" changed to "Initial Install, please configure" Setting "MISP.welcome_text_bottom" changed to "Welcome to MISP on ubuntu, change this message in MISP Settings" Setting "MISP.attachments_dir" changed to "/var/www/MISP/app/files" Setting "MISP.download_attachments_on_load" changed to true Setting "MISP.event_alert_metadata_only" changed to false Setting "MISP.title_text" changed to "MISP" Setting "MISP.terms_download" changed to false Setting "MISP.showorgalternate" changed to false Setting "MISP.event_view_filter_fields" changed to "id, uuid, value, comment, type, category, Tag.name" Setting "debug" changed to 0 Setting "Security.auth_enforced" changed to false Setting "Security.log_each_individual_auth_fail" changed to false Setting "Security.rest_client_baseurl" changed to "" Setting "Security.advanced_authkeys" changed to false Setting "Security.password_policy_length" changed to 12 Setting "Security.password_policy_complexity" changed to "/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/" Error: Method name must be a string #0 /var/www/MISP/app/Console/Command/AdminShell.php(548): Server->serverSettingsEditValue() #1 /var/www/MISP/app/Lib/cakephp/lib/Cake/Console/Shell.php(459): AdminShell->setSetting() #2 /var/www/MISP/app/Lib/cakephp/lib/Cake/Console/ShellDispatcher.php(222): Shell->runCommand() #3 
/var/www/MISP/app/Lib/cakephp/lib/Cake/Console/ShellDispatcher.php(66): ShellDispatcher->dispatch() #4 /var/www/MISP/app/Console/cake.php(45): ShellDispatcher::run() #5 {main} Setting "Security.disable_browser_cache" changed to true Setting "Security.check_sec_fetch_site_header" changed to true Setting "Security.csp_enforce" changed to true Setting "Security.advanced_authkeys" changed to true Setting "Security.do_not_log_authkeys" changed to true Setting "Security.username_in_response_header" changed to true Warning: This method is deprecated. Next time please use `cake admin live [0|1]`. ################################################################# (64%) ##################################################################### (68%) ######################################################################### (72%) Next step: Updating Galaxies, ObjectTemplates, Warninglists, Noticelists and Templates Galaxies updated Successfully updated 149 taxonomies. 87 warninglists updated, 0 fails Notice lists updated User with ID: 1337 not found Successfully updated 338 object templates. ############################################################################# (76%) ################################################################################# (80%) ##################################################################################### (84%) ####################################################################################### (86%) url = "" key = "TkzZLXZVODobFibjD1a6xSmw2RaONv2rpxAiobfm" Entering 'pymisp/data/misp-objects' From https://github.com/MISP/misp-objects * branch main -> FETCH_HEAD Updating 3ac5099..3d12add Fast-forward relationships/definition.json | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) Entering 'pymisp/tools/pdf_fonts' fatal: couldn't find remote ref main fatal: run_command returned non-zero status for pymisp/tools/pdf_fonts . Obtaining file:///var/www/MISP/PyMISP Installing build dependencies ... 
done Checking if build backend supports build_editable ... done Getting requirements to build editable ... done Preparing editable metadata (pyproject.toml) ... done WARNING: pymisp 2.4.185 does not provide the extra 'neo' Requirement already satisfied: python-dateutil<3.0.0,>=2.8.2 in /var/www/MISP/venv/lib/python3.10/site-packages (from pymisp==2.4.185) (2.8.2) Requirement already satisfied: requests<3.0.0,>=2.31.0 in /var/www/MISP/venv/lib/python3.10/site-packages (from pymisp==2.4.185) (2.31.0) Requirement already satisfied: publicsuffixlist<0.11.0.0,>=0.10.0.20231214 in /var/www/MISP/venv/lib/python3.10/site-packages (from pymisp==2.4.185) (0.10.0.20240214) Requirement already satisfied: deprecated<2.0.0,>=1.2.14 in /var/www/MISP/venv/lib/python3.10/site-packages (from pymisp==2.4.185) (1.2.14) Collecting beautifulsoup4<5.0.0,>=4.12.3 Downloading beautifulsoup4-4.12.3-py3-none-any.whl (147 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 147.9/147.9 KB 4.5 MB/s eta 0:00:00 Requirement already satisfied: python-magic<0.5.0,>=0.4.27 in /var/www/MISP/venv/lib/python3.10/site-packages (from pymisp==2.4.185) (0.4.27) Collecting pydeep2<0.6.0,>=0.5.1 Downloading pydeep2-0.5.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (22 kB) Requirement already satisfied: lief<0.15.0,>=0.14.1 in /var/www/MISP/venv/lib/python3.10/site-packages (from pymisp==2.4.185) (0.14.1) Collecting reportlab<5.0.0,>=4.1.0 Downloading reportlab-4.1.0-py3-none-any.whl (1.9 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.9/1.9 MB 11.2 MB/s eta 0:00:00 Collecting validators<0.23.0,>=0.22.0 Downloading validators-0.22.0-py3-none-any.whl (26 kB) Collecting soupsieve>1.2 Downloading soupsieve-2.5-py3-none-any.whl (36 kB) Requirement already satisfied: wrapt<2,>=1.10 in /var/www/MISP/venv/lib/python3.10/site-packages (from deprecated<2.0.0,>=1.2.14->pymisp==2.4.185) (1.16.0) Requirement already satisfied: six>=1.5 in /var/www/MISP/venv/lib/python3.10/site-packages (from 
python-dateutil<3.0.0,>=2.8.2->pymisp==2.4.185) (1.16.0) Collecting pillow>=9.0.0 Downloading pillow-10.2.0-cp310-cp310-manylinux_2_28_x86_64.whl (4.5 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 4.5/4.5 MB 23.6 MB/s eta 0:00:00 Collecting chardet Downloading chardet-5.2.0-py3-none-any.whl (199 kB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 199.4/199.4 KB 45.8 MB/s eta 0:00:00 Requirement already satisfied: certifi>=2017.4.17 in /var/www/MISP/venv/lib/python3.10/site-packages (from requests<3.0.0,>=2.31.0->pymisp==2.4.185) (2024.2.2) Requirement already satisfied: charset-normalizer<4,>=2 in /var/www/MISP/venv/lib/python3.10/site-packages (from requests<3.0.0,>=2.31.0->pymisp==2.4.185) (3.3.2) Requirement already satisfied: urllib3<3,>=1.21.1 in /var/www/MISP/venv/lib/python3.10/site-packages (from requests<3.0.0,>=2.31.0->pymisp==2.4.185) (2.2.1) Requirement already satisfied: idna<4,>=2.5 in /var/www/MISP/venv/lib/python3.10/site-packages (from requests<3.0.0,>=2.31.0->pymisp==2.4.185) (3.6) Building wheels for collected packages: pymisp Building editable for pymisp (pyproject.toml) ... done Created wheel for pymisp: filename=pymisp-2.4.185-py3-none-any.whl size=5435 sha256=e8ad976c911d31f51855fe05615ea283f4cb2a8e5d64634543cd652c6a42ce6e Stored in directory: /tmp/pip-ephem-wheel-cache-rc0l18ln/wheels/69/10/38/769d13d11252fbc2ec682fd999cd3023c839231d77ad8fcae3 Successfully built pymisp Installing collected packages: pydeep2, validators, soupsieve, pillow, chardet, reportlab, pymisp, beautifulsoup4 Attempting uninstall: pymisp Found existing installation: pymisp 2.4.185 Uninstalling pymisp-2.4.185: Successfully uninstalled pymisp-2.4.185 Successfully installed beautifulsoup4-4.12.3 chardet-5.2.0 pillow-10.2.0 pydeep2-0.5.1 pymisp-2.4.185 reportlab-4.1.0 soupsieve-2.5 validators-0.22.0 tests/viper-test-files exists: False The test files are missing, pulling it. Cloning into 'tests/viper-test-files'... remote: Enumerating objects: 110, done. 
remote: Total 110 (delta 0), reused 0 (delta 0), pack-reused 110 Receiving objects: 100% (110/110), 15.18 MiB | 12.01 MiB/s, done. Resolving deltas: 100% (24/24), done. E ====================================================================== ERROR: setUpClass (__main__.TestComprehensive) ---------------------------------------------------------------------- Traceback (most recent call last): File "/var/www/MISP/PyMISP/tests/testlive_comprehensive.py", line 76, in setUpClass cls.admin_misp_connector = PyMISP(url, key, verifycert, debug=False) File "/var/www/MISP/PyMISP/pymisp/api.py", line 172, in __init__ raise NoURL('Please provide the URL of your MISP instance.') pymisp.exceptions.NoURL: Please provide the URL of your MISP instance. ---------------------------------------------------------------------- Ran 0 tests in 0.001s FAILED (errors=1) ######################################################################################### (88%) --------------------------------------------------------------------------------------------------------------------------- Admin (root) DB Password: 86fd33eb74c4a85c4680e3cd49533b9707ef5e29f57683ba1f41c6fa0bc0b77b User (misp) DB Password: 19404224d0dd0c71acce1058a3834f5c3763a8a06301796e7af3eba9394bac43 Authkey: TkzZLXZVODobFibjD1a6xSmw2RaONv2rpxAiobfm --------------------------------------------------------------------------------------------------------------------------- MISP Installed, access here: User: admin@admin.test Password: admin --------------------------------------------------------------------------------------------------------------------------- The following files were created and need either protection or removal (shred on the CLI) /home/misp/mysql.txt Contents: cat: /home/misp/mysql.txt: Permission denied /home/misp/MISP-authkey.txt Contents: cat: /home/misp/MISP-authkey.txt: Permission denied 
--------------------------------------------------------------------------------------------------------------------------- The LOCAL system credentials: User: misp Password: a5002fbabea35af785450df000a5287a22fc556d29f4b46036a09c5fac37c828 # Or the password you used of your custom user --------------------------------------------------------------------------------------------------------------------------- GnuPG Passphrase is: 5bcd0ef89a99345dd42433084115781d460df59d71d1e41374d74ae9a9541951 --------------------------------------------------------------------------------------------------------------------------- To enable outgoing mails via postfix set a permissive SMTP server for the domains you want to contact: sudo postconf -e 'relayhost = example.com' sudo postfix reload --------------------------------------------------------------------------------------------------------------------------- Enjoy using MISP. For any issues see here: https://github.com/MISP/MISP/issues --------------------------------------------------------------------------------------------------------------------------- To run a command as administrator (user "root"), use "sudo <command>". See "man sudo_root" for details. |
We log in to the URL with the following credentials:
Username: admin@admin.test
Password: admin
On the first login it will ask us to change the password:
We generate a new Auth Key from the user's profile, restricting it to an IP, so that when we integrate it with TheHive it has permission to create MISP events (this is a lab; as with Cortex, it is better to create a dedicated user for this):
rz6yiybzNfT1VoxrMaSYXLnrrFokcgWQC5RYj1S0
Integrating Cortex and MISP with TheHive
Now we need to connect Cortex and MISP to TheHive.
- https://docs.thehive-project.org/thehive/installation-and-configuration/configuration/connectors-cortex/
- https://docs.thehive-project.org/thehive/installation-and-configuration/configuration/connectors-misp/
Configuring the Cortex connector in TheHive
The installation we have done already has the connectors enabled by default in TheHive. So we start with Cortex and add the server:
Enter the following data:
- Server Name: cortex
- Server URL: http://127.0.0.1:9001
- API Key: enter the key of the Cortex user we generated earlier
- Click Test and, if it succeeds, add the server
Click CONFIRM:
Verify in TheHive:
Configuring the MISP connector in TheHive
The connector integration is practically the same as with Cortex; it has its own section in the management menus. Add the server:
Fill in the data, in my case:
- Server Name: misp
- Server URL: https://10.0.0.12
- API Key: rz6yiybzNfT1VoxrMaSYXLnrrFokcgWQC5RYj1S0
- I untick Check Certificate Authority for now…
Confirm:
And verify:
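As an added example for both connector sections above (not code from the post, nor from TheHive, Cortex or MISP), the following script runs the same connectivity probe that TheHive's Test button performs against Cortex and MISP, and then audits the MISP auth keys the way the post recommends: restricted to an IP and, ideally, on a dedicated user rather than admin@admin.test. It assumes the lab addresses from the post, a hypothetical dedicated MISP user thehive@admin.test, and that GET /auth_keys/index returns the allowed_ips and expiration fields of MISP's advanced auth keys API (enabled by the installer via Security.advanced_authkeys); the key listing embedded in the block is constructed.

```python
"""Added example, not code from the post or from TheHive, Cortex or MISP.
It runs the same connectivity probe TheHive's Test button performs against
each connector, and audits MISP auth keys the way the post recommends
(IP-restricted, on a dedicated user). Assumes the lab addresses from the
post, a hypothetical user thehive@admin.test, and the allowed_ips /
expiration fields of MISP's advanced auth keys API (Security.advanced_authkeys)."""
import json
import ssl
import sys
import urllib.request

CORTEX_URL = "http://127.0.0.1:9001"     # Server URL of the Cortex connector
MISP_URL = "https://10.0.0.12"           # Server URL of the MISP connector
INTEGRATION_USER = "thehive@admin.test"  # hypothetical dedicated MISP user


def cortex_headers(api_key: str) -> dict:
    """Cortex authenticates with a Bearer token."""
    return {"Authorization": f"Bearer {api_key}"}


def misp_headers(api_key: str) -> dict:
    """MISP authenticates with the raw auth key plus JSON content negotiation."""
    return {"Authorization": api_key, "Accept": "application/json",
            "Content-Type": "application/json"}


def probe(url: str, headers: dict, verify_tls: bool = True) -> dict:
    """GET a JSON endpoint. verify_tls=False mirrors unticking 'Check
    Certificate Authority': a lab-only shortcut that accepts any certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        return json.load(resp)


def audit_misp_authkeys(authkeys: list, integration_user: str) -> list:
    """Return one finding per weakness in a GET /auth_keys/index listing."""
    findings = []
    for entry in authkeys:
        key, user = entry["AuthKey"], entry["User"]
        label = f"{key['authkey_start']}...{key['authkey_end']} ({user['email']})"
        if not key.get("allowed_ips"):
            findings.append(f"{label}: no allowed_ips, usable from any source IP")
        if str(key.get("expiration") or "0") == "0":
            findings.append(f"{label}: never expires")
        if user["email"] != integration_user:
            findings.append(f"{label}: not the dedicated integration user")
    return findings


# Constructed sample listing, built from the two keys the post shows.
SAMPLE_AUTHKEYS = [
    {"AuthKey": {"authkey_start": "rz6y", "authkey_end": "j1S0", "expiration": "0",
                 "allowed_ips": ["10.0.0.11"]}, "User": {"email": "admin@admin.test"}},
    {"AuthKey": {"authkey_start": "TkzZ", "authkey_end": "obfm", "expiration": "0",
                 "allowed_ips": None}, "User": {"email": "admin@admin.test"}},
]

if __name__ == "__main__":  # usage: python3 check_connectors.py <cortex_key> <misp_key>
    cortex_key, misp_key = sys.argv[1], sys.argv[2]
    print("Cortex:", probe(f"{CORTEX_URL}/api/status", cortex_headers(cortex_key)))
    print("MISP:", probe(f"{MISP_URL}/servers/getVersion", misp_headers(misp_key), False))
    keys = probe(f"{MISP_URL}/auth_keys/index", misp_headers(misp_key), False)
    for finding in audit_misp_authkeys(keys, INTEGRATION_USER):
        print("WARN", finding)
```

Run against the constructed listing, the audit reports five findings: both keys never expire and sit on the built-in admin, and the installer key is not IP-restricted.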
With the three products installed and integrated, we will see later how they work together to complete our open-source SOC.