In this tutorial, you will learn how to install MISP on Ubuntu 22.04/Ubuntu 20.04. MISP, an acronym for Malware Information Sharing Platform, is an open source threat intelligence platform for sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.
Installing MISP on Ubuntu 22.04/Ubuntu 20.04
To install MISP on Ubuntu, you can use an install script or simply do the manual installation so you have an idea of what is going on. We will go the manual way in this guide.
Run system Update
To begin with, ensure your system package cache is up-to-date.
sudo apt update
Install Postfix and Other Required Packages
If you want MISP to send out email notifications, install Postfix and point it at your preferred mail relay. Install it together with the build tools and libraries the rest of this guide needs. The Python 2 packages python and python-setuptools are not in the Ubuntu 22.04 archive, so the Python 3 equivalents are used here;
sudo apt install postfix mailutils curl gcc git gpg-agent make libcaca-dev liblua5.3-dev \
python3 openssl redis-server vim zip unzip virtualenv libfuzzy-dev sqlite3 \
moreutils python3-dev python3-pip libxml2-dev libxslt1-dev zlib1g-dev \
python3-setuptools cmake
When prompted for the Postfix general type of mail configuration, select Internet Site.
For the system mail name, enter your domain rather than the host's FQDN, e.g. kifarunix-demo.com if your hostname is misp.kifarunix-demo.com.
Create MISP User Account
Run the command below to create the misp user account and add it to the system groups used by the rest of this guide. Note that membership of the sudo group gives this account root via sudo; drop it from the list if the account will only own build artifacts, since the web application itself runs as www-data.
sudo useradd -s /bin/bash -m -G adm,cdrom,sudo,dip,plugdev,www-data,staff misp
Set the password for the user account.
sudo passwd misp
Install MariaDB, PHP and Required Dependencies
MISP needs a MySQL-compatible database and PHP with a set of extensions. Install MariaDB 10.9, the current stable release as of this writing, from the MariaDB repository. The repository setup script runs as root, so download it and read it before executing it instead of piping it straight from the network into bash;
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup -o mariadb_repo_setup
less mariadb_repo_setup
sudo bash mariadb_repo_setup --mariadb-server-version=10.9
sudo apt install mariadb-client mariadb-server -y
Install PHP 7.4 and the PHP modules MISP needs. On Ubuntu 22.04 the php metapackages resolve to PHP 8.1, so first check this guide on how to install PHP 7.4 on Ubuntu 22.04 and use the php7.4-* package names instead;
sudo apt install libapache2-mod-php php php-cli php-dev php-json php-xml php-mysql php-opcache \
php-readline php-mbstring php-zip php-redis php-gnupg php-intl php-bcmath php-gd php-curl
Next, update the following PHP configuration options;
vim /etc/php/7.4/apache2/php.ini
upload_max_filesize="50M"
post_max_size="50M"
max_execution_time="300"
memory_limit="2048M"
Similarly, lengthen the PHP session ID and enable strict session ID mode, which makes PHP reject session IDs it did not generate itself (a session-fixation mitigation). Appending to php.ini works because the last assignment of a directive wins;
echo -e 'session.sid_length="32"\nsession.use_strict_mode="1"' | sudo tee -a /etc/php/7.4/apache2/php.ini
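To confirm that all of the php.ini changes above actually took effect, here is an added checker (example code written for this guide, not part of MISP) that parses php.ini the way PHP reads simple directives and flags any value below what MISP needs. It assumes the file uses plain `key = value` lines with `;` comments, treats -1 for memory_limit and 0 for max_execution_time as unlimited, and ships with two constructed sample INI texts so it runs without the real file.

```python
"""Audit the php.ini directives this guide changes.

Added example; not code from the MISP project. MISP's own diagnostics
page performs a similar check once the web UI is up; this runs from the
CLI before that. It parses php.ini the way PHP does for simple
directives: ';' starts a comment, '[Section]' lines are ignored, values
may be quoted, the LAST assignment of a directive wins (which is why
appending with `tee -a` works), and byte sizes accept the K/M/G
shorthand. The two INI texts at the bottom are constructed samples.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

_SIZE_SUFFIX = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}


def parse_php_ini(text: str) -> Dict[str, str]:
    """Return directive -> value, keeping the last assignment of each directive."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments; none of the directives here contain ';'
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip()] = val.strip().strip("\"'")
    return values


def php_size(value: str) -> int:
    """Convert a PHP shorthand size ("50M", "2048M", "512") to bytes."""
    m = re.fullmatch(r"\s*(-?\d+)\s*([kKmMgG]?)\s*", value)
    if not m:
        raise ValueError(f"not a PHP size: {value!r}")
    return int(m.group(1)) * _SIZE_SUFFIX[m.group(2).lower()]


# directive, minimum required by this guide, converter, value that means "unlimited"
REQUIREMENTS: List[Tuple[str, str, object, Optional[str]]] = [
    ("upload_max_filesize", "50M", php_size, None),
    ("post_max_size", "50M", php_size, None),
    ("max_execution_time", "300", int, "0"),
    ("memory_limit", "2048M", php_size, "-1"),
    ("session.sid_length", "32", int, None),
    ("session.use_strict_mode", "1", int, None),
]


def audit_php_ini(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (directive, required, actual) for each directive that is missing or too low."""
    values = parse_php_ini(text)
    problems = []
    for key, minimum, conv, unlimited in REQUIREMENTS:
        actual = values.get(key)
        if actual is None:
            problems.append((key, minimum, None))
            continue
        if unlimited is not None and actual == unlimited:
            continue
        try:
            ok = conv(actual) >= conv(minimum)
        except ValueError:
            ok = False
        if not ok:
            problems.append((key, minimum, actual))
    return problems


# Constructed sample: Ubuntu package defaults for the directives we care about.
UBUNTU_DEFAULTS = """\
[PHP]
; excerpt of /etc/php/7.4/apache2/php.ini as shipped
upload_max_filesize = 2M
post_max_size = 8M
max_execution_time = 30
memory_limit = 128M
session.use_strict_mode = 0
"""

# Constructed sample: the same file after the edits in this guide were appended.
AFTER_GUIDE = UBUNTU_DEFAULTS + """\
; appended by the install steps above; the later assignment wins
upload_max_filesize="50M"
post_max_size="50M"
max_execution_time="300"
memory_limit="2048M"
session.sid_length="32"
session.use_strict_mode="1"
"""

if __name__ == "__main__":
    # Usage: python3 audit_php_ini.py /etc/php/7.4/apache2/php.ini
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else AFTER_GUIDE
    for key, minimum, actual in audit_php_ini(text):
        print(f"{key}: required >= {minimum}, found {actual!r}")
```

Run it against /etc/php/7.4/apache2/php.ini after editing; an empty result means every directive is at or above the value this guide sets. Note that the cake shell and the background workers read /etc/php/7.4/cli/php.ini instead, so point the script at that file too if you raise limits for them.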
Create MISP Database and Database User
Start MariaDB and run its initial hardening script, which sets a root password, removes the anonymous accounts and the test database, and disables remote root login;
sudo systemctl start mariadb
sudo mysql_secure_installation
Once the script has run, create the MISP database and a dedicated account whose privileges are limited to that database. Replace MISP-DB-Password with a strong password of your own; the same value goes into database.php later;
sudo mysql -u root -p -e "create database misp;"
sudo mysql -u root -p -e "grant all on misp.* to mispadmin@localhost identified by 'MISP-DB-Password';"
sudo mysql -u root -p -e "flush privileges;"
Import the MISP schema into the database created above. The SQL file comes from the MISP repository, so run this step only after cloning it in the next section;
sudo -Hu www-data cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -u mispadmin -p misp
Installing MISP on Ubuntu
Create the MISP directory under /var/www;
sudo mkdir /var/www/MISP
Clone the MISP Core Github repository into the directory above;
sudo git clone https://github.com/MISP/MISP.git /var/www/MISP/
sudo git -C /var/www/MISP/ submodule update --progress --init --recursive
sudo chown -R www-data: /var/www/MISP
sudo -u www-data git -C /var/www/MISP submodule foreach --recursive git config core.filemode false
sudo -u www-data git -C /var/www/MISP config core.filemode false
Create a python3 virtualenv
sudo -u www-data virtualenv -p python3 /var/www/MISP/venv
Create PIP cache directory;
sudo mkdir /var/www/.cache/
sudo chown -R www-data: /var/www/.cache/
Install misp-stix (MISP's STIX import/export library, vendored under app/files/scripts) and its dependencies;
sudo -u www-data /var/www/MISP/venv/bin/pip install ordered-set python-dateutil six weakrefmethod
sudo -u www-data /var/www/MISP/venv/bin/pip install /var/www/MISP/app/files/scripts/misp-stix
Install PyMISP;
sudo -u www-data /var/www/MISP/venv/bin/pip install /var/www/MISP/PyMISP
Build and install libfaup (the URL parsing library MISP uses) together with its dependency gtcaca from source, since neither is packaged for Ubuntu;
cd /tmp
git clone https://github.com/stricaud/faup.git faup
sudo git clone https://github.com/stricaud/gtcaca.git gtcaca
sudo chown -R misp: faup gtcaca
sudo mkdir -p gtcaca/build && cd gtcaca/build
sudo cmake .. && sudo make && sudo make install
sudo mkdir -p /tmp/faup/build && cd /tmp/faup/build
sudo cmake .. && sudo make && sudo make install
Refresh the dynamic linker cache so the libraries just installed under /usr/local/lib are found;
sudo ldconfig
Install PyDeep;
sudo -u www-data /var/www/MISP/venv/bin/pip install git+https://github.com/kbandla/pydeep.git
Install lief
sudo -u www-data /var/www/MISP/venv/bin/pip install lief
Install zmq
sudo -u www-data /var/www/MISP/venv/bin/pip install zmq redis
Install python-magic
sudo -u www-data /var/www/MISP/venv/bin/pip install python-magic
Install plyara;
sudo -u www-data /var/www/MISP/venv/bin/pip install plyara
Install CakePHP
Create PHP composer directory;
sudo mkdir -p /var/www/.composer
Set the ownership;
sudo chown -R www-data: /var/www/.composer
Install CakePHP;
cd /var/www/MISP/app
sudo -u www-data php composer.phar install --no-dev
Enable CakeResque with php-redis
sudo phpenmod redis
sudo phpenmod gnupg
Enable the use of scheduler worker for scheduled tasks;
sudo -u www-data cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
Set Proper Permissions and Ownership of MISP directories
Once the installation of MISP is done, update the ownership and permissions of the directories;
sudo chown -R www-data: /var/www/MISP
sudo chmod -R 750 /var/www/MISP
sudo chmod -R g+ws /var/www/MISP/app/tmp /var/www/MISP/app/files
Enable MISP Log Rotation
sudo cp /var/www/MISP/INSTALL/misp.logrotate /etc/logrotate.d/misp
sudo chmod 0640 /etc/logrotate.d/misp
The installed configuration rotates the MISP application logs daily, keeps 30 compressed copies, and truncates in place so the running workers keep writing to the same file handles;
cat /etc/logrotate.d/misp
/var/www/MISP/app/tmp/logs/*.log {
rotate 30
dateext
missingok
notifempty
compress
daily
size 50M
maxsize 500M
copytruncate
}
Configure MISP
Rename the default configurations as follows;
sudo -u www-data cp -a /var/www/MISP/app/Config/bootstrap{.default,}.php
sudo -u www-data cp -a /var/www/MISP/app/Config/database{.default,}.php
sudo -u www-data cp -a /var/www/MISP/app/Config/core{.default,}.php
sudo -u www-data cp -a /var/www/MISP/app/Config/config{.default,}.php
Update the database connection details to match the account created earlier. This file holds the database password in clear text; the chmod 750 applied above keeps it readable only by www-data, so leave those permissions alone;
sudo vim /var/www/MISP/app/Config/database.php
class DATABASE_CONFIG {
public $default = array(
'datasource' => 'Database/Mysql',
//'datasource' => 'Database/Postgres',
'persistent' => false,
'host' => 'localhost',
'login' => 'mispadmin',
'port' => 3306, // MySQL & MariaDB
//'port' => 5432, // PostgreSQL
'password' => 'MISP-DB-Password',
'database' => 'misp',
'prefix' => '',
'encoding' => 'utf8',
);
}
Save and exit the file;
Generate the MISP GnuPG key pair;
MISP uses this key to sign and encrypt notification e-mails. Create a parameter file for unattended key generation. The Passphrase value below is a placeholder; generate your own (for example with openssl rand -hex 32), because it will also be stored in MISP's configuration as GnuPG.password later.
cat > ~/misp-gpg-batch-file << 'EOL'
Key-Type: default
Key-Length: 4096
Subkey-Type: default
Name-Real: MISP-gpg-key
Name-Email: [email protected]
Expire-Date: 0
Passphrase: 42e9865a824b4e237c5146b0af888016de8
EOL
Generate the key as www-data, which will own the keyring. The parameter file is fed on standard input so that www-data does not need read access to your home directory;
sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --batch --gen-key < ~/misp-gpg-batch-file
Once the key exists, remove the parameter file, since it contains the passphrase in clear text;
shred -u ~/misp-gpg-batch-file
Sample output;
gpg: directory '/var/www/MISP/.gnupg' created
gpg: keybox '/var/www/MISP/.gnupg/pubring.kbx' created
gpg: /var/www/MISP/.gnupg/trustdb.gpg: trustdb created
gpg: key DA6AA0A6057E4C28 marked as ultimately trusted
gpg: directory '/var/www/MISP/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/var/www/MISP/.gnupg/openpgp-revocs.d/757A0C2F91D894522A388A04DA6AA0A6057E4C28.rev'
Export the public key to MISP webroot
sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --export --armor [email protected] \
| sudo -u www-data tee /var/www/MISP/app/webroot/gpg.asc
Setup MISP Background Workers
Create a systemd service for MISP background workers;
sudo tee /etc/systemd/system/misp-workers.service << 'EOL'
[Unit]
Description=MISP background workers
After=network.target
[Service]
Type=forking
User=www-data
Group=www-data
ExecStart=/var/www/MISP/app/Console/worker/start.sh
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
EOL
Reload systemd configs and start the service;
sudo systemctl daemon-reload
sudo systemctl enable --now misp-workers
Confirm status;
systemctl status misp-workers.service
● misp-workers.service - MISP background workers
Loaded: loaded (/etc/systemd/system/misp-workers.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2022-11-04 20:24:54 UTC; 10s ago
Process: 62522 ExecStart=/var/www/MISP/app/Console/worker/start.sh (code=exited, status=0/SUCCESS)
Tasks: 12 (limit: 4610)
Memory: 61.0M
CGroup: /system.slice/misp-workers.service
├─62555 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex'; VERBOSE=true QUEUE='default' PIDFILE='/var/www/MISP/app/Plugin/CakeResque/tmp/1667>
├─62556 php ./bin/resque
├─62573 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex'; VERBOSE=true QUEUE='prio' PIDFILE='/var/www/MISP/app/Plugin/CakeResque/tmp/1667593>
├─62574 php ./bin/resque
├─62589 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex'; VERBOSE=true QUEUE='cache' PIDFILE='/var/www/MISP/app/Plugin/CakeResque/tmp/166759>
├─62590 php ./bin/resque
├─62606 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex'; VERBOSE=true QUEUE='email' PIDFILE='/var/www/MISP/app/Plugin/CakeResque/tmp/166759>
├─62607 php ./bin/resque
├─62622 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex'; VERBOSE=true QUEUE='update' PIDFILE='/var/www/MISP/app/Plugin/CakeResque/tmp/16675>
├─62623 php ./bin/resque
├─62638 bash -c cd '/var/www/MISP/app/Vendor/kamisama/php-resque-ex-scheduler'; VERBOSE=true QUEUE='default' PIDFILE='/var/www/MISP/app/Plugin/CakeResqu>
└─62639 php ./bin/resque-scheduler.php
Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62562]: Starting worker ... Done
Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62578]: Creating workers
Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62578]: Starting worker ... Done
Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62594]: Creating workers
Nov 04 20:24:53 thehive.kifarunix-demo.com start.sh[62594]: Starting worker ... Done
Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62611]: Creating workers
Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62611]: Starting worker ... Done
Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62627]: Creating the scheduler workers
Nov 04 20:24:54 thehive.kifarunix-demo.com start.sh[62627]: Starting scheduler worker ... Done
Nov 04 20:24:54 thehive.kifarunix-demo.com systemd[1]: Started MISP background workers.
Next, tune the kernel for Redis, which backs the MISP workers. Redis logs a warning at startup when any of the following is not the case, so:
- disable the Linux kernel's Transparent Huge Pages (THP), which cause latency spikes and extra memory use when Redis forks to save to disk,
- raise net.core.somaxconn, the cap on a socket's listen backlog, to 1024 so that the backlog of 511 Redis asks for is honoured (this is not a limit on the number of client connections),
- enable memory overcommit (vm.overcommit_memory=1) so background saves do not fail under memory pressure.
These values live in /sys and /proc and are reset at boot, so apply them from a oneshot systemd unit ordered before Redis. Write the file with sudo tee; a plain `sudo cat > file` performs the redirection as your own user and fails with permission denied;
sudo tee /etc/systemd/system/thp-so-mo.service << 'EOL'
[Unit]
Description=Disable THP, raise somaxconn and enable memory overcommit for Redis
Before=redis-server.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && \
echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag && \
echo 1024 > /proc/sys/net/core/somaxconn && \
sysctl vm.overcommit_memory=1"
[Install]
WantedBy=multi-user.target
EOL
Then reload systemd and enable the unit exactly as was done for misp-workers above (daemon-reload, then enable --now thp-so-mo.service), and restart redis-server so it starts under the new settings.
Initialize MISP Configuration
Initialise the database with the default organisation and the first site administrator, and print that administrator's API key;
sudo -Hu www-data /var/www/MISP/app/Console/cake userInit -q
Sample output (your key will differ; treat it as a credential and never paste it anywhere public);
dLiRqsfiiNAIIza9U7zqnwKKZBf83kDBSd2BUdeA
On a fresh install userInit creates the site administrator as admin@admin.test with the password admin; change both at first login.
Apply any pending database schema updates shipped with the checked-out MISP version;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin runUpdates
Define the session timeouts;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Session.autoRegenerate" 0
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Session.timeout" 600
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Session.cookieTimeout" 3600
Set default tmp directory;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.tmpdir" "/var/www/MISP/app/tmp"
Enable GnuPG and point MISP at the key generated earlier. GnuPG.password stores the key passphrase in clear text in app/Config/config.php, one more reason to keep that directory readable only by www-data;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.email" "[email protected]"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.homedir" "/var/www/MISP/.gnupg"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.password" "42e9865a824b4e237c5146b0af888016de8"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.obscure_subject" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "GnuPG.binary" "$(which gpg)"
Update other MISP configurations. Emailing is disabled for now so that no notifications leave the box before the Postfix relay has been verified; set MISP.disable_emailing back to false once it has;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.host_org_id" 1
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.email" "[email protected]"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disable_emailing" true --force
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.contact" "[email protected]"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disablerestalert" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.showCorrelationsOnIndex" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.default_event_tag_collection" 0
Cortex integration settings (left disabled; the values only matter once you connect a Cortex instance);
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_url" "http://127.0.0.1"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_services_port" 9000
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_timeout" 120
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_authkey" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_ssl_verify_peer" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_ssl_verify_host" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Cortex_ssl_allow_self_signed" true
Update plugin settings;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Sightings_policy" 0
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Sightings_anonymise" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Sightings_anonymise_as" 1
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Sightings_range" 365
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Sightings_sighting_db_enable" false
Disable the enrichment modules that require API keys; enable the ones you hold credentials for later, one at a time;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_cuckoo_submit_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_vmray_submit_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_circl_passivedns_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_circl_passivessl_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_domaintools_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_eupi_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_farsight_passivedns_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_passivetotal_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_virustotal_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_whois_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_shodan_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_geoip_asn_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_geoip_city_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_geoip_country_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_iprep_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_otx_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_vulndb_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_crowdstrike_falcon_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_onyphe_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_xforceexchange_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_vulners_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_macaddress_io_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_intel471_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_backscatter_io_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_hibp_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_greynoise_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_joesandbox_submit_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_virustotal_public_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_apiosintds_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_urlscan_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_securitytrails_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_apivoid_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_assemblyline_submit_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_assemblyline_query_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_ransomcoindb_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_lastline_query_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_sophoslabs_intelix_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_cytomic_orion_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_censys_enrich_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_trustar_enrich_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.Enrichment_recordedfuture_enabled false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.ElasticSearch_logging_enable false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting Plugin.S3_enable false
CustomAuth Plugin;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.CustomAuth_disable_logout" false
RPZ Plugin settings
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_policy" "DROP"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_walled_garden" "127.0.0.1"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_serial" "\$date00"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_refresh" "2h"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_retry" "30m"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_expiry" "30d"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_minimum_ttl" "1h"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_ttl" "1w"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_ns" "localhost."
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_ns_alt" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.RPZ_email" "root.localhost"
Kafka settings;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_brokers" "kafka:9092"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_rdkafka_config" "/etc/rdkafka.ini"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_include_attachments" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_event_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_event_notifications_topic" "misp_event"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_event_publish_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_event_publish_notifications_topic" "misp_event_publish"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_object_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_object_notifications_topic" "misp_object"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_object_reference_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_object_reference_notifications_topic" "misp_object_reference"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_attribute_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_attribute_notifications_topic" "misp_attribute"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_shadow_attribute_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_shadow_attribute_notifications_topic" "misp_shadow_attribute"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_tag_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_tag_notifications_topic" "misp_tag"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_sighting_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_sighting_notifications_topic" "misp_sighting"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_user_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_user_notifications_topic" "misp_user"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_organisation_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_organisation_notifications_topic" "misp_organisation"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_audit_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.Kafka_audit_notifications_topic" "misp_audit"
ZeroMQ settings;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_host" "127.0.0.1"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_port" 50000
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "localhost"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_database" 1
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_namespace" "mispq"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_event_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_object_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_object_reference_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_attribute_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_sighting_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_user_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_organisation_notifications_enable" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_include_attachments" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Plugin.ZeroMQ_tag_notifications_enable" false
Set default language and disable proposal attributes block;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.language" "eng"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.proposals_block_attributes" false
Set Redis settings;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_host" "127.0.0.1"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_port" 6379
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_database" 13
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.redis_password" ""
Set MISP default settings;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.ssdeep_correlation_threshold" 40
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.extended_alert_subject" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.default_event_threat_level" 4
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.newUserText" "Dear new MISP user,\\n\\nWe would hereby like to welcome you to the \$org MISP community.\\n\\n Use the credentials below to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nPassword: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.passwordResetText" "Dear MISP user,\\n\\nA password reset has been triggered for your account. Use the below provided temporary password to log into MISP at \$misp, where you will be prompted to manually change your password to something of your own choice.\\n\\nUsername: \$username\\nYour temporary password: \$password\\n\\nIf you have any questions, don't hesitate to contact us at: \$contact.\\n\\nBest regards,\\nYour \$org MISP support team"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.enableEventBlocklisting" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.enableOrgBlocklisting" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.log_client_ip" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.log_auth" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.log_user_ips" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.log_user_ips_authkeys" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disableUserSelfManagement" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disable_user_login_change" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disable_user_password_change" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.disable_user_add" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.block_event_alert" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.block_event_alert_tag" "no-alerts=\"true\""
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert_age" ""
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.block_old_event_alert_by_date" ""
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.event_alert_republish_ban" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.event_alert_republish_ban_threshold" 5
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.event_alert_republish_ban_refresh_on_retry" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.incoming_tags_disabled_by_default" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.maintenance_message" "Great things are happening! MISP is undergoing maintenance, but will return shortly. You can contact the administration at [email protected]."
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.footermidleft" "This is an initial install"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.footermidright" "Please configure and harden accordingly"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.welcome_text_top" "Initial Install, please configure"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.welcome_text_bottom" "Welcome to Kifarunix-demo MISP"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.attachments_dir" "/var/www/MISP/app/files"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.download_attachments_on_load" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.event_alert_metadata_only" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.title_text" "MISP"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.terms_download" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.showorgalternate" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "MISP.event_view_filter_fields" "id, uuid, value, comment, type, category, Tag.name"
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "debug" 0
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.auth_enforced" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.log_each_individual_auth_fail" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.rest_client_baseurl" ""
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.advanced_authkeys" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.password_policy_length" 12
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.password_policy_complexity" '/^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}/'
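The two password settings above work together: Security.password_policy_length is a plain minimum and Security.password_policy_complexity is a PCRE pattern that MISP applies with preg_match. The pattern has two alternatives, and the second one (`.{16,}`) accepts any 16-character-or-longer passphrase regardless of character classes. The following added example (written for this guide, not MISP code) ports that check to Python's re module so you can try candidate passwords offline before rolling out the policy. It assumes that PCRE and Python's re agree on this pattern for ASCII input; the candidate passwords are constructed samples.

```python
"""Check candidate passwords against the MISP password policy above.

Added example, not MISP code. MISP validates a new password with two
settings: Security.password_policy_length (a minimum length, 12 above)
and Security.password_policy_complexity (a PCRE pattern it applies with
preg_match). This reimplements that check with Python's re module so
the policy can be exercised offline. Assumption: for ASCII passwords
PCRE and Python re agree on this pattern (Python's \\d and \\W also match
non-ASCII digits and symbols, PCRE without the /u flag does not). The
candidate passwords at the bottom are constructed samples.
"""
import re
from typing import List, Tuple

POLICY_LENGTH = 12
# The pattern exactly as passed to setSetting above, without the PHP '/' delimiters.
# Alternative 1: a digit or a non-word character, plus an upper- and a lower-case letter.
# Alternative 2: any 16 characters or more (a long passphrase needs no character classes).
POLICY_COMPLEXITY = r"^((?=.*\d)|(?=.*\W+))(?![\n])(?=.*[A-Z])(?=.*[a-z]).*$|.{16,}"
_COMPLEXITY = re.compile(POLICY_COMPLEXITY)


def meets_complexity(password: str) -> bool:
    """preg_match semantics: the pattern only has to match somewhere in the string."""
    return _COMPLEXITY.search(password) is not None


def meets_length(password: str, minimum: int = POLICY_LENGTH) -> bool:
    return len(password) >= minimum


def password_accepted(password: str, minimum: int = POLICY_LENGTH) -> bool:
    """MISP rejects the password if either check fails."""
    return meets_length(password, minimum) and meets_complexity(password)


def explain(password: str, minimum: int = POLICY_LENGTH) -> List[str]:
    """Reasons a password is rejected; an empty list means it is accepted."""
    reasons = []
    if not meets_length(password, minimum):
        reasons.append(f"shorter than {minimum} characters")
    if not meets_complexity(password):
        reasons.append("needs upper + lower case and a digit or symbol, or 16+ characters")
    return reasons


# Constructed samples covering each branch of the policy.
SAMPLES: List[Tuple[str, bool]] = [
    ("Passw0rd!xyz", True),          # 12 chars, mixed case, digit and symbol
    ("correcthorsebattery", True),   # 19 chars, lower-case only: passes via .{16,}
    ("Short1!", False),              # complex enough, but under 12 characters
    ("alllowercase1", False),        # 13 chars, no upper-case, too short for .{16,}
    ("ALLUPPERCASE123", False),      # 15 chars, no lower-case
]

if __name__ == "__main__":
    for pw, _ in SAMPLES:
        verdict = "accepted" if password_accepted(pw) else "rejected: " + "; ".join(explain(pw))
        print(f"{pw!r:24} {verdict}")
```

The second sample is the one worth noticing: a lower-case passphrase of 16 or more characters is accepted by the default pattern, which is intentional (length beats character classes), but if your organisation's policy differs, tighten the regex before users start creating accounts.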
MISP Security settings;
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.disable_browser_cache" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.check_sec_fetch_site_header" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.csp_enforce" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.advanced_authkeys" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.do_not_log_authkeys" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.username_in_response_header" true
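Note that the command lists above write Security.advanced_authkeys twice (false in the first block, true in this one), and only the last write is what the instance ends up running. As an added example, not part of this tutorial or of MISP, the Python helper below parses setSetting lines into a last-write-wins baseline, reports keys that were written more than once, and compares the baseline with a dictionary of live values; the live values are constructed here, but on the MISP host they can be filled in from the corresponding `cake Admin getSetting <key>` command (its exact output format is an assumption, so parse it yourself).

```python
import shlex

# Constructed excerpt of the setSetting lines from this page (offline sample);
# Security.advanced_authkeys appears twice, as it does in the tutorial.
SAMPLE_COMMANDS = """
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "debug" 0
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.advanced_authkeys" false
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.password_policy_length" 12
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.csp_enforce" true
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin setSetting "Security.advanced_authkeys" true
"""


def _coerce(token):
    """Map a shell token to a typed value: true/false become bool, digits become int."""
    if token.lower() in ("true", "false"):
        return token.lower() == "true"
    try:
        return int(token)
    except ValueError:
        return token


def parse_baseline(script_text):
    """Build {setting: value} from setSetting lines; the last write to a key wins.

    Also returns the keys written more than once, because a later line silently
    overrides an earlier one and only the final value is what the instance runs.
    """
    baseline, duplicates = {}, []
    for line in script_text.splitlines():
        tokens = shlex.split(line)
        if "setSetting" not in tokens:
            continue
        idx = tokens.index("setSetting")
        key, value = tokens[idx + 1], _coerce(tokens[idx + 2])
        if key in baseline and key not in duplicates:
            duplicates.append(key)
        baseline[key] = value
    return baseline, duplicates


def find_drift(baseline, actual):
    """Return {key: (expected, live)} for each baseline key whose live value differs;
    types are compared too, so an integer 0 is not mistaken for False."""
    return {k: (v, actual.get(k)) for k, v in baseline.items()
            if k not in actual or actual[k] != v or type(actual[k]) is not type(v)}


if __name__ == "__main__":
    expected, dupes = parse_baseline(SAMPLE_COMMANDS)
    print("keys written more than once (last write wins):", dupes)
    # Constructed "live" values standing in for what a running instance reports.
    live = {"debug": 0, "Security.advanced_authkeys": False,
            "Security.password_policy_length": 12, "Security.csp_enforce": True}
    for key, (want, got) in find_drift(expected, live).items():
        print(f"DRIFT {key}: expected {want!r}, instance has {got!r}")
```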
Enable MISP user login;
sudo -Hu www-data /var/www/MISP/app/Console/cake Live 1
Update MISP Galaxies, ObjectTemplates, Warninglists, Noticelists, Templates
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin updateGalaxies
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin updateTaxonomies
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin updateWarningLists
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin updateNoticeLists
sudo -Hu www-data /var/www/MISP/app/Console/cake Admin updateObjectTemplates "1337"
Configure Apache Web Server for MISP
MISP ships with a sample Apache HTTP/HTTPS configuration file under /var/www/MISP/INSTALL/apache.24.misp.ssl.
Copy this file to Apache Sites available directory;
sudo cp /var/www/MISP/INSTALL/apache.24.misp.ssl /etc/apache2/sites-available/misp.conf
Sample contents;
sudo cat /etc/apache2/sites-available/misp.conf
<VirtualHost *:80>
ServerAdmin admin@misp.local
ServerName misp.local
# In theory not needed, left for debug purposes
# LogLevel warn
# ErrorLog /var/log/apache2/misp.local_p80_error.log
# CustomLog /var/log/apache2/misp.local_p80_access.log combined
Header always unset "X-Powered-By"
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
ServerSignature Off
</VirtualHost>
<VirtualHost *:443>
ServerAdmin admin@misp.local
ServerName misp.local
DocumentRoot /var/www/MISP/app/webroot
<Directory /var/www/MISP/app/webroot>
Options -Indexes
AllowOverride all
Require all granted
</Directory>
SSLEngine On
# StrongCiphers4All! \o/
# This proposal adds strong cipher suites based on the Mozilla recommendations.
# mozilla config generator: https://ssl-config.mozilla.org/#server=apache&version=2.4.29&config=intermediate&openssl=1.1.1&guideline=5.6
# intermediate configuration
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
# enable HTTP/2, if available
Protocols h2 http/1.1
SSLCertificateFile /etc/ssl/private/misp.local.crt
SSLCertificateKeyFile /etc/ssl/private/misp.local.key
# SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
LogLevel warn
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options SAMEORIGIN
Header always unset "X-Powered-By"
# TODO: Think about X-XSS-Protection, Content-Security-Policy, Referrer-Policy & Feature-Policy
## Example:
# Header always set X-XSS-Protection "1; mode=block"
# Header always set Content-Security-Policy "default-src 'none'; style-src 'self' ... script-src/font-src/img-src/connect-src
# Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Header always set Feature-Policy "geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self'; microphone 'none'; camera 'self'; magnometer 'self'; gyroscope 'self'; speake 'none'; vibrate 'self'; fullscreen 'none'"
</VirtualHost>
# strongciphers4All! \o/
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
For me, there are only a few lines I will update;
ServerAdmin admin@misp.local
ServerName misp.local
ServerAdmin [email protected]
ServerName misp.kifarunix-demo.com
Next, install the SSL/TLS certificates accordingly.
We are using self-signed SSL/TLS certs in this demo.
sudo openssl req -newkey rsa:4096 -days 365 -nodes -x509 -subj "/CN=*.kifarunix-demo.com" \
-keyout /etc/ssl/private/misp.local.key -out /etc/ssl/private/misp.local.crt
Enable required modules;
sudo a2enmod status ssl rewrite headers
Disable default Apache sites and enable MISP site;
sudo a2dissite 000-default.conf
sudo a2ensite misp.conf
Check Apache config errors;
sudo apache2ctl -t
Ensure the output is Syntax OK.
Restart Apache;
sudo systemctl restart apache2
Open Apache ports on firewall to allow external access;
sudo ufw allow "Apache Full"
Login to MISP User Interface
At this point, you can log in to MISP using the address you defined earlier, e.g. https://misp.kifarunix-demo.com
Default credentials;
- Username: admin@admin.test
- Password: admin
When you log in, you are required to reset the admin password before proceeding.
Change the admin user's email address from admin@admin.test to your own admin email address. To change it;
- navigate to Administration > List Users.
- Click the edit button against the admin user.
- Change Email address and update the changes.
You can log out and log in again to confirm the user account changes.
The MISP Events
On a fresh install, MISP has no events on it yet.
However, it ships with the ability to pull events, carrying patterns that can be used to detect malicious activity, from a few default open-source feeds. These default feeds are disabled out of the box.
To enable the default feeds, navigate to Sync Actions > List Feeds.
Select the two default feeds and click Enable Selected.
Once the feeds are enabled, MISP starts downloading events about known malware, APTs and ransomware, together with all their attributes, from the sources automatically. If the feeds are not fetched automatically, you can fetch them manually by clicking the download arrow under the feed actions.
Monitor the download progress under Administration > Jobs. It may take some time to complete!
As soon as the events from the default open-source feeds begin to download, you should see events populated in MISP.
Confirm by navigating to Event Actions > List Events.
And that is it on installing MISP on Ubuntu 22.04/Ubuntu 20.04.
Further Reading;