MISP is free, and it's one of the best threat sharing platforms I could find.  The beauty of MISP is how easily it integrates with tools like Bro, Snort and RPZ: you make API calls and pull in only the data you want to alert on or block.

Multiple modules can be installed on MISP for additional functionality or enrichment. https://github.com/MISP/misp-modules/

There are many ways MISP can be extended and integrated with other tools. http://www.misp-project.org/tools/#software-or-services-with-misp-support-or-extending-misp-functionalities/

The install process is lengthy but straightforward.  I'm using Ubuntu 16.04 Server.
https://github.com/MISP/MISP/blob/2.4/INSTALL/INSTALL.ubuntu1604.txt

Once installed, you'll have a set of built-in feeds (they ship disabled; enable and fetch the ones you want from the feed list). http://www.misp-project.org/communities/

You can go through and publish what you want.  Most of the automation exports only return attributes that have the to_ids flag set and belong to published events, so set to_ids on the indicators you want acted on and publish the event.  Some exports, such as text and XML, take URL parameters that let you include everything.  You can also import your own feed lists of IPs, hashes and domains.

Once that’s complete, you can enable automatic feeding of tools as follows.


Bro:

I created a tag called NOBRO for lists that I don't want to import and alert on.  In my curl command I specify !NOBRO, so attributes carrying that tag never enter Bro's intel tables.  I created the script below to pull in domains, IPs, URLs, hashes, filenames and email addresses.  Because the Apache certificate is self-signed, I pass its CA certificate to curl with --cacert rather than turning verification off, and I authenticate with a MISP API key in the Authorization header.

#!/bin/sh
# URL format: https://misp/attributes/bro/download/[type]/[tags]/[event_id]/[allowNonIDS]/[from]/[to]/[last]
# !NOBRO excludes anything tagged NOBRO. The Authorization header carries the MISP API key.
MISP="https://misp"
KEY="asdfasdfasdfasdf"
CA="/usr/share/CA.crt"
OUT="/bro/feeds"

for type in domain ip url email filename filehash; do
    # -f: fail on an HTTP error so a bad pull never overwrites a good intel file.
    # Download to a temp file and mv it into place so Bro never re-reads a half-written file.
    curl -sSf --cacert "$CA" -H "Authorization: $KEY" \
        "$MISP/attributes/bro/download/$type/!NOBRO" -o "$OUT/$type.intel.tmp" \
        && mv "$OUT/$type.intel.tmp" "$OUT/$type.intel"
done

Then in local.bro, enable the feeds.

# Intel Framework
@load frameworks/intel/seen
@load frameworks/intel/do_notice
# The Intel framework reads these files through the Input framework in REREAD mode,
# so a replaced file is picked up without restarting Bro.
redef Intel::read_files += {
    "/bro/feeds/domain.intel",
    "/bro/feeds/email.intel",
    "/bro/feeds/filehash.intel",
    "/bro/feeds/filename.intel",
    "/bro/feeds/ip.intel",
    "/bro/feeds/url.intel",
};

Bro will then log indicator hits from the feeds in 'intel.log'.  Because the intel files are re-read when they change, the cron job that runs the script above only has to replace them; nothing else needs to be restarted.

Hits look like the lines below.  The columns are ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, seen.indicator, seen.indicator_type, seen.where, seen.node, matched, sources, fuid, file_mime_type and file_desc.  The UUID in parentheses in the sources column is the MISP event UUID; /events/view/ in MISP accepts it in place of the numeric ID, so you can jump straight to the event for context.

1304908789.116914 C0Hz124edOtIB387ak X.X.X.X 11405 Y.Y.Y.Y 53 badguy.com Intel::DOMAIN DNS::IN_REQUEST WKR-30 Intel::DOMAIN SNZ MISP (123289b7-88c0-4eba-8347-145bc78688a1) - SNZ - - -
1304908790.144854 asdfib2Y2VPvaZ9mD9 X.X.X.X 54333 Y.Y.Y.Y 80 Y.Y.Y.Y Intel::ADDR Conn::IN_RESP WKR-26 Intel::SUBNET SNZ MISP (12347a01-c960-4833-bbf1-5575c78688a1) - SNZ - - -
1304908796.304244 asdf4O1et5uFzEYkO1 X.X.X.X 56473 Y.Y.Y.Y 443 evil.com Intel::DOMAIN X509::IN_CERT WKR-26 Intel::DOMAIN SNZ MISP (12328f5e-288c-4557-8dad-12f4c78688a1) - SNZ asdfPPq8NIz9OWHsk application/pkix-cert Y.Y.Y.Y:443/tcp
1304908800.535570 asdfFy3IOvcb43kPtb X.X.X.X 58839 Y.Y.Y.Y 443 Y.Y.Y.Y Intel::ADDR Conn::IN_RESP WKR-7 Intel::SUBNET SNZ MISP (12347a01-c960-4833-bbf1-5575c78688a1) - SNZ - - -
1304908809.306765 asdfZ53n2ySgcYUBti X.X.X.X 64491 Y.Y.Y.Y 53 notallowed.com Intel::DOMAIN DNS::IN_REQUEST WKR-14 Intel::DOMAIN SNZ MISP (12328f5e-288c-4557-8dad-12f4c78688a1) - SNZ - - -
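Because every hit carries the MISP event UUID, the first thing an analyst wants is the set of distinct events behind a batch of hits, not one lookup per line.  The following Python is an added example and not code from the original post.  It assumes the column order shown above (Bro 2.5 intel.log), that the sources column looks like "SNZ MISP (<uuid>) - SNZ" as in the samples, and a MISP base URL of https://misp; the sample log lines are constructed from the ones above with the masked addresses replaced by RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample intel.log hits, modelled on the lines shown above, with the
# masked X.X.X.X / Y.Y.Y.Y addresses replaced by RFC 5737 documentation addresses.
# Column order assumed: ts uid id.orig_h id.orig_p id.resp_h id.resp_p
# seen.indicator seen.indicator_type seen.where seen.node matched sources fuid
# file_mime_type file_desc (Bro 2.5 intel.log). Real logs are tab-separated; the
# page shows them space-separated, and the parser handles both.
SAMPLE_INTEL_LOG = """\
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
1304908789.116914 C0Hz124edOtIB387ak 192.0.2.10 11405 198.51.100.53 53 badguy.com Intel::DOMAIN DNS::IN_REQUEST WKR-30 Intel::DOMAIN SNZ MISP (123289b7-88c0-4eba-8347-145bc78688a1) - SNZ - - -
1304908790.144854 asdfib2Y2VPvaZ9mD9 192.0.2.11 54333 198.51.100.80 80 198.51.100.80 Intel::ADDR Conn::IN_RESP WKR-26 Intel::SUBNET SNZ MISP (12347a01-c960-4833-bbf1-5575c78688a1) - SNZ - - -
1304908796.304244 asdf4O1et5uFzEYkO1 192.0.2.12 56473 198.51.100.44 443 evil.com Intel::DOMAIN X509::IN_CERT WKR-26 Intel::DOMAIN SNZ MISP (12328f5e-288c-4557-8dad-12f4c78688a1) - SNZ asdfPPq8NIz9OWHsk application/pkix-cert 198.51.100.44:443/tcp
1304908800.535570 asdfFy3IOvcb43kPtb 192.0.2.11 58839 198.51.100.80 443 198.51.100.80 Intel::ADDR Conn::IN_RESP WKR-7 Intel::SUBNET SNZ MISP (12347a01-c960-4833-bbf1-5575c78688a1) - SNZ - - -
1304908809.306765 asdfZ53n2ySgcYUBti 192.0.2.13 64491 198.51.100.53 53 notallowed.com Intel::DOMAIN DNS::IN_REQUEST WKR-14 Intel::DOMAIN SNZ MISP (12328f5e-288c-4557-8dad-12f4c78688a1) - SNZ - - -
"""

FIXED_FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "indicator",
                "indicator_type", "seen_where", "node", "matched")
# The sources column carries the MISP event UUID in parentheses.
UUID_RE = re.compile(r"MISP \(([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\)")


def parse_intel_line(line):
    """Parse one intel.log hit into a dict; return None for header, blank or malformed lines.
    The first 11 columns never contain whitespace, but 'sources' does
    ('SNZ MISP (<uuid>) - SNZ'), so split only 11 times and regex the remainder."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, len(FIXED_FIELDS))
    if len(parts) <= len(FIXED_FIELDS):
        return None
    hit = dict(zip(FIXED_FIELDS, parts))
    hit["ts"] = float(hit["ts"])
    match = UUID_RE.search(parts[len(FIXED_FIELDS)])
    hit["event_uuid"] = match.group(1) if match else None
    return hit


def summarize_by_event(lines):
    """Group hits by MISP event UUID so each event is looked up once, not once per hit."""
    by_event = defaultdict(lambda: {"hits": 0, "indicators": set(), "hosts": set()})
    for line in lines:
        hit = parse_intel_line(line)
        if hit is None:
            continue
        entry = by_event[hit["event_uuid"] or "unknown"]
        entry["hits"] += 1
        entry["indicators"].add((hit["indicator_type"], hit["indicator"]))
        entry["hosts"].add(hit["orig_h"])
    return dict(by_event)


def misp_event_url(base_url, event_uuid):
    """MISP accepts the event UUID in place of the numeric ID on /events/view/."""
    return f"{base_url.rstrip('/')}/events/view/{event_uuid}"


if __name__ == "__main__":
    for uuid, entry in summarize_by_event(SAMPLE_INTEL_LOG.splitlines()).items():
        print(f"{entry['hits']} hit(s) from {sorted(entry['hosts'])} on "
              f"{sorted(entry['indicators'])}: {misp_event_url('https://misp', uuid)}")
```

Run it against a real intel.log with `python3 intel_by_event.py < intel.log` after swapping the sample constant for `sys.stdin`; the five sample hits collapse to three MISP events, which is the list you actually need to open.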


RPZ:

RPZ (Response Policy Zones) lets your resolver rewrite answers for known malicious domains, so clients never get the real address back.  With the MISP API you can craft a pull that includes all domains, only published ones, only those marked 'To IDS', and so on.  More information on RPZ here: http://www.zytrax.com/books/dns/ch9/rpz.html.

To configure RPZ for bind9, first configure the zone in named.conf.local

zone "rpz" {
 type master;
 file "/etc/bind/rpz.zone";
 allow-query {none;};
};

Then add a response-policy statement to the options section of named.conf.options:

response-policy { zone "rpz"; };

After that, you can pull a ready-made zone file from MISP's RPZ export with curl and reload bind.  Use HTTPS here as well: the Authorization header is your API key, and over plain HTTP anyone on the path can read it.  The SOA, NS, TTLs and policy action (walled garden, NXDOMAIN, NODATA or DROP) that MISP writes into this zone come from its Plugin.RPZ_* server settings.  Checking the zone with named-checkzone before reloading means a bad export cannot leave named without a loadable policy zone.

curl -sSf --cacert "/usr/share/CA.crt" -H "Authorization: asdfasdfasdf" 'https://misp/attributes/rpz/download' -o "/etc/bind/rpz.zone" \
  && named-checkzone rpz /etc/bind/rpz.zone > /dev/null && rndc reload rpz

Or, if you want your own header, TLD blocks and whitelist entries, you can grab the flat text list and build the zone yourself.

#!/bin/sh
# Pull a domain list from MISP and build an RPZ zone from it.
# Paths below are for a chrooted named on RHEL/CentOS; on Ubuntu bind9 use
# /etc/bind/rpz.zone (as in named.conf.local above) and reload bind9 instead.
MISP="https://misp"
KEY="asdfasdfasdfasdf"
CA="/usr/share/CA.crt"
WORK="/var/tmp/feeds"
ZONE="/var/named/chroot/var/named/rpz.zone"
GARDEN="walledgarden.domain.com."

# First, cd into a temp directory, remove the old file and pull a new domain list.
cd "$WORK" || exit 1
rm -f domains.txt

# Default text export: published events, attributes marked to_ids only.
# The positional parameters after the type are
#   [tags]/[event_id]/[allowNonIDS]/[from]/[to]/[last]/[enforceWarninglist]/[allowNotPublished]
curl -sSf --cacert "$CA" -H "Authorization: $KEY" "$MISP/attributes/text/download/domain" -o domains.txt || exit 1

# Also include unpublished events and attributes NOT marked to_ids (allowNonIDS=true, allowNotPublished=true):
#curl -sSf --cacert "$CA" -H "Authorization: $KEY" "$MISP/attributes/text/download/domain/false/false/true/false/false/false/false/true" -o domains.txt

# Include unpublished events, but still only attributes marked to_ids (allowNotPublished=true):
#curl -sSf --cacert "$CA" -H "Authorization: $KEY" "$MISP/attributes/text/download/domain/false/false/false/false/false/false/false/true" -o domains.txt

# Build the new zone in a temp file and only swap it in once it passes named-checkzone,
# so one malformed indicator cannot leave named without a loadable policy zone.
TMP="$ZONE.new"
SERIAL=`date +%Y%m%d%H`
{
# Zone header
echo "\$TTL 900 ;15 minutes"
echo "@ IN SOA self.domain.com. root.domain.com. ("
echo "          ${SERIAL}     ; serial"
echo "          900             ; refresh (15 minutes)"
echo "          300             ; retry   (5 minutes)"
echo "          86400           ; expire  (1 day)"
echo "          600             ; minimum (10 minutes)"
echo ")"
echo "                  NS      self.domain.com."
echo "                  NS      myns2.domain.com."
echo ""

# Each MISP domain and all of its subdomains go to the walled garden.
# The wildcard alone would not match the bare name, hence both records.
for domain in `cat domains.txt`
do
echo "$domain   CNAME   $GARDEN"
echo "*.$domain   CNAME   $GARDEN"
done

# Block some top-level domains outright.
for tld in tk pw ninja ads aq bit cab cf coin construction corp docs emc exit ga gq i2p inua mail ml xxx xyz zip onion review download top
do
echo "*.$tld CNAME $GARDEN"
done

# Whitelist a domain, then block its TLD: the exact name is more specific than the
# wildcard, so it wins. (A CNAME back to the name itself is the old passthru trick;
# "CNAME rpz-passthru." is the standard RPZ passthru action and does the same job.)
echo "blah.blah.tv CNAME blah.blah.tv."
echo "*.tv CNAME $GARDEN"
} > "$TMP"

# Mod permissions, validate, install and reload the zone (no full restart needed)
chown root:named "$TMP"
chmod 640 "$TMP"
named-checkzone rpz "$TMP" > /dev/null || { echo "rpz zone failed validation, keeping the old zone" >&2; exit 1; }
mv "$TMP" "$ZONE"
rndc reload rpz || systemctl restart named-chroot.service
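Two things the shell version above relies on are worth seeing made explicit: the domain list coming out of MISP must contain only syntactically valid hostnames (a single bad line makes named reject the whole zone, and a domain attribute that someone entered as a URL will do exactly that), and the whitelist-then-block-TLD trick only works because an exact name is more specific than a wildcard.  The Python below is an added example, not code from the original post or from MISP.  It builds the same kind of zone from a domain list with validation and de-duplication, uses the standard rpz-passthru. action for the whitelist, and models RPZ QNAME-trigger precedence for a query name so you can check what a zone will do before you load it.  walledgarden.domain.com. and self.domain.com. are the post's placeholder names; the indicator list is constructed.  The precedence model covers QNAME triggers only and is no substitute for named-checkzone and a test query with dig.

```python
import re
import time

# RFC 1123 hostname label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Placeholder names taken from the post; constructed sample indicator list that
# includes a duplicate, a URL pasted as a domain, and an invalid label.
WALLED_GARDEN = "walledgarden.domain.com."
SAMPLE_DOMAINS = ["BadGuy.com.", "evil.com", "badguy.com", "http://evil.com/path", "-bad.com"]
SAMPLE_ALLOW = ["blah.blah.tv"]
SAMPLE_TLDS = ["tk", "*.tv"]


def normalize_domain(raw):
    """Lowercase, strip the trailing dot, and reject anything that is not a
    syntactically valid multi-label hostname (URLs, comments, bad labels).
    One malformed record makes named refuse the whole zone, so filter here."""
    name = raw.strip().lower().rstrip(".")
    if not name or name.startswith("#") or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return None
    return name


def rpz_records(domains, allow=(), tlds=(), action=WALLED_GARDEN):
    """Return (owner, cname_target) pairs for the policy zone.

    action is the CNAME target: a walled-garden host as in the post, "." for
    NXDOMAIN or "*." for NODATA. Allowlisted names get the rpz-passthru. action.
    Each indicator gets an exact record and a *.wildcard record, because a
    wildcard does not match the bare name itself."""
    seen = set()
    records = []
    for raw in allow:
        name = normalize_domain(raw)
        if name and name not in seen:
            seen.add(name)
            records.append((name, "rpz-passthru."))
    for raw in domains:
        name = normalize_domain(raw)
        if name is None or name in seen:  # invalid, duplicate, or allowlisted
            continue
        seen.add(name)
        records.append((name, action))
        records.append(("*." + name, action))
    for raw in tlds:
        tld = raw.strip().lower().lstrip("*.")
        if LABEL_RE.match(tld) and "*." + tld not in seen:
            seen.add("*." + tld)
            records.append(("*." + tld, action))
    return records


def rpz_zone(records, ns="self.domain.com.", email="root.domain.com.", serial=None):
    """Render a loadable zone: SOA/NS header plus one CNAME line per record."""
    serial = serial or time.strftime("%Y%m%d%H")
    lines = [
        "$TTL 900 ;15 minutes",
        f"@ IN SOA {ns} {email} ( {serial} 900 300 86400 600 )",
        f"  NS {ns}",
        "",
    ]
    lines += [f"{owner} CNAME {target}" for owner, target in records]
    return "\n".join(lines) + "\n"


def policy_for(qname, records):
    """Model RPZ QNAME-trigger matching for one query name: an exact owner beats a
    wildcard, and a longer (more specific) match beats a shorter one. Returns the
    CNAME target that would apply ("rpz-passthru." = explicitly allowed), or None
    when no rule matches. IP, NSDNAME and NSIP triggers are not modelled."""
    qname = normalize_domain(qname)
    if qname is None:
        return None
    best = None  # (labels matched, exact?, target)
    for owner, target in records:
        if owner.startswith("*."):
            suffix = owner[2:]
            if not qname.endswith("." + suffix):
                continue
            candidate = (suffix.count(".") + 1, 0, target)
        elif owner == qname:
            candidate = (qname.count(".") + 1, 1, target)
        else:
            continue
        if best is None or candidate[:2] > best[:2]:
            best = candidate
    return best[2] if best else None


def demo_records():
    return rpz_records(SAMPLE_DOMAINS, allow=SAMPLE_ALLOW, tlds=SAMPLE_TLDS)


if __name__ == "__main__":
    records = demo_records()
    print(rpz_zone(records, serial="2017010100"))
    for q in ("www.badguy.com", "blah.blah.tv", "other.tv", "example.org"):
        print(q, "->", policy_for(q, records))
```

Feed it the domains.txt from the MISP text export in place of SAMPLE_DOMAINS and write the result of rpz_zone() to the zone path; the two rejected sample entries would have been the lines that broke the zone load in the plain echo loop.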


All clients that resolve through nameservers carrying this RPZ are kept from resolving the malicious domains in MISP.  Hosts that point at another resolver, or that use DNS over HTTPS, bypass it, so pair RPZ with egress filtering that only lets your resolvers talk DNS to the outside.


Enjoy!

Categories: Security
