MISP¶
NIDS Rules¶
We can leverage this functionality by quickly and easily setting up an automated mechanism to pull NIDS rules from a MISP instance and add them to our local rules for Security Onion. To do so, we just need to follow the simple steps below.
Warning¶
Please keep in mind we do not officially support this integration, so installation is at your own risk. Additionally, the current version of MISP seems to have an issue with Zeek Intel export, therefore, this particular functionality may not work as intended ( depending on the version of MISP you are using).
See: https://github.com/MISP/MISP/issues/4050 for more details.
Installation¶
Clone the repo:
git clone https://github.com/weslambert/securityonion-misp
Run the setup script:
sudo securityonion-misp/so-misp-setup
Update rules (if desired):
sudo rule-update
Confirm rules in place:
grep -i misp /etc/nsm/rules/downloaded.rules
You should now be up and running!
MISP rules will be downloaded via cron-job at the interval specified in /etc/cron.d/download-misp
.
Elastalert¶
If we want to send events to TheHive based on the MISP NIDS rules we’ve pulled into Security Onion, we can implement an Elastalert rule like the following, filtering on the alert
field for NIDS alerts:
# misp-nids-hive.yaml
# Elastalert rule to forward IDS alerts generated by MISP NIDS rules from Security Onion
# to a specified TheHive instance.
#
es_host: elasticsearch
es_port: 9200
name: MISP NIDS Rule Match
type: frequency
index: "*:logstash-ids*"
num_events: 1
timeframe:
minutes: 1
filter:
- query:
query_string:
query: "alert: MISP"
alert:
- "hivealerter"
hive_connection:
hive_host: http(s)://YOUR_HIVE_INSTANCE
hive_port: YOUR_HIVE_INSTANCE_PORT
hive_apikey: APIKEY
hive_proxies:
http: ''
https: ''
hive_alert_config:
title: '{match[alert]}'
type: 'external'
source: 'SecurityOnion'
description: '{match[message]}'
severity: 2
tags: ['elastalert, SecurityOnion, MISP, NIDS']
tlp: 3
status: 'New'
follow: True
hive_observable_data_mapping:
- ip: '{match[source_ip]}'
- ip: '{match[destination_ip]}'
- other: '{match[interface]}'
- other: '{match[sid]}'
Simply fill in the pertinent TheHive instance connection details above, and place this rule in /etc/elastalert/rules
as misp-nids-hive.yaml
.
As a result, you will receive alerts in TheHive for any matching events in the logstash-ids-*
index. The following observables will be generated for the alert:
- Source/Destination IP from alert
- Sensor interface from IDS alert
- Signature ID (sid) from alert