MISP is free and it’s one of the best threat sharing platforms I could find. The beauty of MISP is how easy it is to integrate with tools like bro, Snort, and RPZ. You can do API calls and pull in only the data that you want to either alert on or block.
Multiple modules can be installed on MISP for additional functionality or enrichment. https://github.com/MISP/misp-modules/
There are many ways MISP can be extended and integrated with other tools. http://www.misp-project.org/tools/#software-or-services-with-misp-support-or-extending-misp-functionalities/
The install process is lengthy, but straightforward. I'm using Ubuntu 16 server.
https://github.com/MISP/MISP/blob/2.4/INSTALL/INSTALL.ubuntu1604.txt
Once installed, you'll have a set of built-in feeds. http://www.misp-project.org/communities/
You can go through and publish what you want. Most export functions used for automation require that an event is published and/or marked 'to IDS.' Some exports, like text or XML, can be crafted to include everything. You can also import your own feed lists, like IPs, hashes, and domains.
Once that’s complete, you can enable automatic feeding of tools as follows.
Bro:
I created a tag called NOBRO for lists that I don't want to import and alert on. In my curl command, I specify !NOBRO so those feeds never enter bro intel. I created the script below to pull in domains, IPs, URLs, hashes, filenames and email addresses. I use the CA certificate for Apache because it's self-signed, and use an API key for authentication.
#!/bin/sh
# Export URL pattern:
# https://misp/attributes/bro/download/[type]/[tags]/[event_id]/[allowNonIDS]/[from]/[to]/[last]
# --cacert trusts the self-signed Apache certificate; the Authorization header carries the MISP API key.
# The !NOBRO tag filter excludes every attribute tagged NOBRO.
curl --cacert "/usr/share/CA.crt" -H "Authorization: asdfasdfasdfasdf" 'https://misp/attributes/bro/download/domain/!NOBRO/' -o "/bro/feeds/domain.intel"
curl --cacert "/usr/share/CA.crt" -H "Authorization: asdfasdfasdfasdf" 'https://misp/attributes/bro/download/ip/!NOBRO' -o "/bro/feeds/ip.intel"
curl --cacert "/usr/share/CA.crt" -H "Authorization: asdfasdfasdfasdf" 'https://misp/attributes/bro/download/url/!NOBRO' -o "/bro/feeds/url.intel"
curl --cacert "/usr/share/CA.crt" -H "Authorization: asdfasdfasdfasdf" 'https://misp/attributes/bro/download/email/!NOBRO' -o "/bro/feeds/email.intel"
curl --cacert "/usr/share/CA.crt" -H "Authorization: asdfasdfasdfasdf" 'https://misp/attributes/bro/download/filename/!NOBRO' -o "/bro/feeds/filename.intel"
curl --cacert "/usr/share/CA.crt" -H "Authorization: asdfasdfasdfasdf" 'https://misp/attributes/bro/download/filehash/!NOBRO' -o "/bro/feeds/filehash.intel"
Then in local.bro, enable the feeds.
# Intel Framework
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += {
    "/bro/feeds/domain.intel",
    "/bro/feeds/email.intel",
    "/bro/feeds/filehash.intel",
    "/bro/feeds/filename.intel",
    "/bro/feeds/ip.intel",
    "/bro/feeds/url.intel",
};
Bro will then log indicator hits from the feeds in ‘intel.log.’
Hits look like the records below; the unique identifier in parentheses is the MISP event UUID, which you can look up in MISP to get the context of the event.
1304908789.116914 C0Hz124edOtIB387ak X.X.X.X 11405 Y.Y.Y.Y 53 badguy.com Intel::DOMAIN DNS::IN_REQUEST WKR-30 Intel::DOMAIN SNZ MISP (123289b7-88c0-4eba-8347-145bc78688a1) - SNZ - - -
1304908790.144854 asdfib2Y2VPvaZ9mD9 X.X.X.X 54333 Y.Y.Y.Y 80 Y.Y.Y.Y Intel::ADDR Conn::IN_RESP WKR-26 Intel::SUBNET SNZ MISP (12347a01-c960-4833-bbf1-5575c78688a1) - SNZ - - -
1304908796.304244 asdf4O1et5uFzEYkO1 X.X.X.X 56473 Y.Y.Y.Y 443 evil.com Intel::DOMAIN X509::IN_CERT WKR-26 Intel::DOMAIN SNZ MISP (12328f5e-288c-4557-8dad-12f4c78688a1) - SNZ asdfPPq8NIz9OWHsk application/pkix-cert Y.Y.Y.Y:443/tcp
1304908800.535570 asdfFy3IOvcb43kPtb X.X.X.X 58839 Y.Y.Y.Y 443 Y.Y.Y.Y Intel::ADDR Conn::IN_RESP WKR-7 Intel::SUBNET SNZ MISP (12347a01-c960-4833-bbf1-5575c78688a1) - SNZ - - -
1304908809.306765 asdfZ53n2ySgcYUBti X.X.X.X 64491 Y.Y.Y.Y 53 notallowed.com Intel::DOMAIN DNS::IN_REQUEST WKR-14 Intel::DOMAIN SNZ MISP (12328f5e-288c-4557-8dad-12f4c78688a1) - SNZ - - -
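As an added example (not part of the original post), here is a small Python parser for intel.log records in the layout shown above: it pulls the MISP event UUID out of the sources column so hits can be grouped per event for the context lookup. The sample records are constructed for this example; hosts, UUIDs and connection ids are made up.

```python
import re
from collections import defaultdict

# Column order of a Bro intel.log record, matching the sample above.
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator "
          "seen.indicator_type seen.where seen.node matched sources "
          "fuid file_mime_type file_desc").split()

# The MISP Bro export writes the event UUID into the sources column as "MISP (<uuid>)".
MISP_UUID = re.compile(r"MISP \(([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\)")

# Constructed sample records (tab-separated, as Bro writes them); hosts, UUIDs
# and connection ids are made up for this example.
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ["1304908789.116914", "C0Hz124edOtIB387ak", "10.0.0.5", "11405", "192.0.2.10", "53",
     "badguy.com", "Intel::DOMAIN", "DNS::IN_REQUEST", "WKR-30", "Intel::DOMAIN",
     "SNZ MISP (123289b7-88c0-4eba-8347-145bc78688a1) - SNZ", "-", "-", "-"],
    ["1304908790.144854", "asdfib2Y2VPvaZ9mD9", "10.0.0.5", "54333", "192.0.2.20", "80",
     "192.0.2.20", "Intel::ADDR", "Conn::IN_RESP", "WKR-26", "Intel::SUBNET",
     "SNZ MISP (12347a01-c960-4833-bbf1-5575c78688a1) - SNZ", "-", "-", "-"],
    ["1304908796.304244", "asdf4O1et5uFzEYkO1", "10.0.0.7", "56473", "192.0.2.30", "443",
     "evil.com", "Intel::DOMAIN", "X509::IN_CERT", "WKR-26", "Intel::DOMAIN",
     "SNZ MISP (12328f5e-288c-4557-8dad-12f4c78688a1) - SNZ", "asdfPPq8NIz9OWHsk",
     "application/pkix-cert", "192.0.2.30:443/tcp"],
])

def parse_intel_log(text):
    """Return one dict per hit, skipping Bro's '#'-prefixed header lines."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            continue  # malformed record: do not guess at column positions
        hit = dict(zip(FIELDS, cols))
        m = MISP_UUID.search(hit["sources"])
        hit["misp_event"] = m.group(1) if m else None
        hits.append(hit)
    return hits

def hits_by_misp_event(hits):
    """Group (indicator, source host, where seen) by MISP event UUID for pivoting."""
    grouped = defaultdict(list)
    for h in hits:
        key = h["misp_event"] or "unknown"
        grouped[key].append((h["seen.indicator"], h["id.orig_h"], h["seen.where"]))
    return dict(grouped)
```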
RPZ:
RPZ can be used to block known malicious domains that you don't want to risk resolving. With the MISP API, you can craft a pull to include ALL domains, only published ones, only those marked 'To IDS', and more. More information on RPZ here: http://www.zytrax.com/books/dns/ch9/rpz.html.
To configure RPZ for bind9, first configure the zone in named.conf.local:
zone "rpz" {
    type master;
    file "/etc/bind/rpz.zone";
    allow-query { none; };
};
Then add a response-policy statement to the options section of named.conf.options:
response-policy { zone "rpz"; };
After that, you can pull the domain indicators as a ready-made zone file from MISP via a curl command and restart bind.
curl -H "Authorization: asdfasdfasdf" http://misp/attributes/rpz/download -o "/etc/bind/rpz.zone"
Or, you can grab a flat text list and convert it.
#!/bin/sh
# Pull a fresh domain list from MISP and rebuild the RPZ zone from it.
FEEDS=/var/tmp/feeds
ZONE=/var/named/chroot/var/named/rpz.zone
WG=walledgarden.domain.com.

# First, cd into a temp directory, remove the old file and pull a new domain list.
cd "$FEEDS" || exit 1
rm -f domains.txt
# This downloads published attributes marked to_ids.
curl --cacert "/usr/share/CA.crt" -H "Authorization: asdfasdfasdfasdf" 'https://misp/attributes/text/download/domain' -o "domains.txt"
# This downloads all unpublished attributes NOT marked to_ids.
#curl --cacert "/usr/share/CA.crt" -H "Authorization: asdfasdfasdfasdf" 'https://misp/attributes/text/download/domain/false/false/true/false/false/false/false/true' -o "domains.txt"
# This downloads all unpublished attributes marked to_ids.
#curl --cacert "/usr/share/CA.crt" -H "Authorization: asdfasdfasdfasdf" 'https://misp/attributes/text/download/domain/false/false/false/false/false/false/false/true' -o "domains.txt"

# Delete the old zone file and write the new one in a single redirected block.
rm -f "$ZONE"
SERIAL=$(date +%Y%m%d%H)
{
    # Zone header
    echo "\$TTL 900 ;15 minutes"
    echo "@ IN SOA self.domain.com. root.domain.com. ("
    echo " ${SERIAL} ; serial"
    echo " 900 ; refresh (15 minutes)"
    echo " 300 ; retry (5 minutes)"
    echo " 86400 ; expire (1 day)"
    echo " 600 ; minimum (10 minutes)"
    echo ")"
    echo " NS self.domain.com."
    echo " NS myns2.domain.com."
    echo ""
    # Dump the domains.txt list into the zone file: each name and all of its subdomains.
    for domain in $(cat domains.txt); do
        echo "$domain CNAME $WG"
        echo "*.$domain CNAME $WG"
    done
    # Add some top-level domain blocks to the end.
    for tld in tk pw ninja ads aq bit cab cf coin construction corp docs emc exit ga gq i2p inua mail ml xxx xyz zip onion review download top; do
        echo "*.$tld CNAME $WG"
    done
    # Whitelist a domain, and then block its TLD.
    echo "blah.blah.tv CNAME blah.blah.tv."
    echo "*.tv CNAME $WG"
} > "$ZONE"

# Fix permissions
chown root:named "$ZONE"
chmod 640 "$ZONE"
# Restart bind to load the zone
systemctl restart named-chroot.service
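An added example, not the author's script: the same zone build done in Python, which validates each domain before it becomes a record (one malformed attribute would otherwise stop named from loading the whole zone), drops duplicates, and returns the rejected entries for review. The SOA and walled-garden names are the placeholders from the script above; the domain list passed in is whatever the text export returned.

```python
import re

# One hostname label per segment: letters, digits, hyphens, no leading/trailing
# hyphen, and at least two labels overall.
HOSTNAME = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def build_rpz_zone(domains, serial, walled_garden, blocked_tlds=(), allow=()):
    """Return (zone_text, rejected): a complete RPZ zone plus the entries that
    failed validation, so one bad attribute cannot stop named loading the zone."""
    wg = walled_garden.rstrip(".") + "."          # CNAME target must be absolute
    lines = [
        "$TTL 900 ;15 minutes",
        "@ IN SOA self.domain.com. root.domain.com. (",   # names as in the script above
        f"  {serial} ; serial", "  900 ; refresh", "  300 ; retry",
        "  86400 ; expire", "  600 ; minimum", ")",
        "  NS self.domain.com.", "",
    ]
    rejected, seen = [], set()
    for raw in domains:
        d = raw.strip().lower().rstrip(".")
        if not HOSTNAME.match(d):
            rejected.append(raw)
            continue
        if d in seen:                             # duplicates are harmless but noisy
            continue
        seen.add(d)
        # Owner names are relative to the zone origin, so no trailing dot here.
        lines.append(f"{d} CNAME {wg}")
        lines.append(f"*.{d} CNAME {wg}")
    # Exceptions use the same self-CNAME form as the whitelist entry in the
    # script above; in RPZ the exact name wins over a wildcard TLD rule.
    for d in allow:
        d = d.strip().lower().rstrip(".")
        lines.append(f"{d} CNAME {d}.")
    for tld in blocked_tlds:
        lines.append(f"*.{tld.strip().lstrip('.')} CNAME {wg}")
    return "\n".join(lines) + "\n", rejected
```

Check the written file with named-checkzone rpz /path/to/rpz.zone before restarting named.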
All clients that use the RPZ-enabled nameservers will be prevented from resolving the malicious domains that are in MISP.
Enjoy!