MISP Feed Generator
📚 Documentation 💠Hub 💬 Discourse
This Remediation Component generates MISP Feed from CrowdSec decisions. It exposes this Feed over HTTP/S. This can be used to feed CrowdSec decisions to MISP using the "Feeds" functionality of MISP.
Quick Start​
Installation using pip​
Make sure you've Python 3.6+ installed. Using virtualenv is recommended. Run the following command to install the feed generator.
pip install crowdsec-misp-feed-generator
Installation using docker:​
Refer to docker hub docs
Configuration​
Run the following command to generate the base configuration file:
crowdsec-misp-feed-generator -g > crowdsec-misp-feed-generator.yaml
This will generate a configuration file named crowdsec-misp-feed-generator.yaml in the current directory.
You need to edit this file to configure the feed generator. Make sure you give the correct LAPI key and URL. You can generate a LAPI key using the following command on the machine with CrowdSec installed.
cscli bouncers add crowdsec-misp-feed-generator
Please refer to configuration reference section for more details on the configuration options.
Running the feed generator​
After configuring the feed generator, you can run it using the following command:
crowdsec-misp-feed-generator -c crowdsec-misp-feed-generator.yaml
This will start the feed generator and expose the feed over HTTP/S, on the configured port and address.
Setting MISP to use the feed​
You can now configure MISP to use this feed. To do this:
- Navigate to the "Feeds" tab in MISP.
- Click on the "Add Feed" button.
Fill the form with appropriate details. Don't forget to set the authentication if you've enabled it in the feed generator configuration.
- That's it! You can now use the feed in MISP. You can test it by clicking on the "Fetch now" button in the actions column. Few events should be added to MISP.
Configuration Reference​
# CrowdSec Config
crowdsec_lapi_url: http://localhost:8080/
crowdsec_lapi_key: <your-lapi-key>
crowdsec_update_frequency: 1m
include_scenarios_containing: [] # ignore IPs banned for triggering scenarios not containing either of provided word, eg ["ssh", "http"]
exclude_scenarios_containing: [] # ignore IPs banned for triggering scenarios containing either of provided word
only_include_decisions_from: [] # only include IPs banned due to decisions orginating from provided sources. eg value ["cscli", "crowdsec"]
# MISP Config
misp_feed_reset_frequency: 1w
misp_event_analysis_level: 2
misp_feed_orgc:
name: CrowdSec
uuid: 5f6e7b5a-6b1a-4c0e-8a3c-9b9c5a474e8c
misp_feed_threat_level_id: 4
misp_feed_published: false
misp_feed_tags: []
# Component Config
output_dir: ./crowdsec-misp-feed/
# Component Server Config
listen_addr: 0.0.0.0
listen_port: 2450
tls:
enabled: false
cert_file: ""
key_file: ""
basic_auth:
enabled: false
username: ""
password: ""
# Log Config
log_level: info # debug, info, warning, error
log_mode: stdout # stdout, stderr, file
crowdsec_lapi_url​
string
The URL of CrowdSec LAPI. It should be accessible from the component.
crowdsec_lapi_key​
string
It can be obtained by running the following on the machine CrowdSec LAPI is deployed on.
sudo cscli -oraw bouncers add misp-feed-generator # -oraw flag can discarded for human friendly output.
crowdsec_update_frequency​
string
The component will poll the CrowdSec every update_frequency interval.
Value can be in seconds (eg 30s), minutes (eg 5m), hours (eg 1h), days (eg 1d), weeks (eg 1w), months (eg 1M) or years (eg 1y).
include_scenarios_containing​
[ ]string
Ignore IPs banned for triggering scenarios not containing either of provided word.
include_scenarios_containing: ["ssh", "http"]
exclude_scenarios_containing​
[ ]string
Ignore IPs banned for triggering scenarios containing either of provided word.
exclude_scenarios_containing: ["ssh", "http"]
only_include_decisions_from​
[ ]string
Only include IPs banned due to decisions orginating from provided sources.
only_include_decisions_from: ["cscli", "crowdsec"]
misp_feed_reset_frequency​
string
The component will reset the feed every misp_feed_reset_frequency interval.
Value can be in seconds (eg 30s), minutes (eg 5m), hours (eg 1h), days (eg 1d), weeks (eg 1w), months (eg 1M) or years (eg 1y).
misp_event_analysis_level​
int
The analysis level of the events generated. Refer to MISP docs for more details.
misp_feed_orgc​
object
The author organisation of the feed.
misp_feed_orgc:
name: CrowdSec
uuid: 5f6e7b5a-6b1a-4c0e-8a3c-9b9c5a474e8c
name​
string
The name of author organisation of the feed.
uuid​
string
The UUID of author organisation of the feed.
misp_feed_threat_level_id​
int
The threat level of the feed. Refer to MISP docs.
misp_feed_threat_level_id: 4
misp_feed_published​
boolean
Whether the feed is published or not. Refer to MISP docs.
misp_feed_published: false
misp_feed_tags​
[ ]object
The tags to be added to the events generated by the feed. Refer to MISP docs.
misp_feed_tags: [{"exportable": true,"colour": "#ffffff","name": "tlp:white","id": "2" }]
output_dir: ./crowdsec-misp-feed/
listen_addr​
string
The address to listen on for serving the feed.
listen_addr: "0.0.0.0"
listen_port​
string
The port to listen on for serving the feed.
listen_port: 2450
tls​
object
TLS configuration for serving the feed.
tls:
enabled: false
cert_file: "/etc/ssl/certs/crowdsec-misp-feed-generator.crt"
key_file: "/etc/ssl/private/crowdsec-misp-feed-generator.key"
enabled​
boolean
Whether to enable TLS for serving the feed.
cert_file​
string (path to file)
The path to the certificate file.
key_file​
string (path to file)
The path to the key file.
basic_auth​
object
Basic authentication configuration for serving the feed.
basic_auth:
enabled: false
username: ""
password: ""
enabled​
boolean
Whether to enable basic authentication for serving the feed.
username​
string
Username for basic authentication.
basic_auth:
username: "crowdsec"
password​
string
Password for basic authentication.
basic_auth:
password: "myh@rdt0gu3sspassw0rd"
log_level​
debug | info | warning | error
The log level for the component.
log_level: info
log_mode​
stdout | stderr | file
The log mode for the component.
