MISP (Malware Information Sharing Platform) Setup
MISP (Malware Information Sharing Platform) is a free, open source threat intelligence platform that can store, correlate, and share IoCs. Here are its features. It can be used by cyber threat intel analysts, OSINT analysts, and other InfoSec pros.
You can use explore MISP using the demo instance.
There are various ways to set up your own MISP instance, including installing it on an existing Linux machine (Ubuntu is recommended), using a Docker container, or downloading a preconfigured VM. I’ll show how to do the latter.
How to Set Up a MISP VM
- Download a MISP VM.
- Start the VM.
- In a browser on your host machine, open https://localhost:8443. Ignore the certificate warning (MISP uses a self-signed certificate).
- Log in with the default username admin@admin.test and password admin. When prompted, change the password.
- Click Edit My Profile and change email address if you want to receive emails for the default admin account.
- Click Sync Actions > List Feeds. Click Load default feed metadata.
- Check the boxes for any feeds you want to enable, then click Enable selected.
- Click Fetch and store all feed data.
- Click Administration > Jobs and ensure the fetch_feed job succeeded. If it didn’t, check the error log at /var/log/apache2/misp.local_error.log. When I first tried, mine failed because my VM lost Internet connectivity when I changed networks and enabled the VPN on my host.
- Click Administration > Add User and create a non-admin user account for your regular use of MISP.
- Log out, then log back in as the new user.
- You’ll see the Home page, which shows events.
You can explore events by clicking event IDs to see details. To learn more about what you can do with MISP, read the documentation and watch the videos linked below.