[Intelmq-users] MISP feed output bot usage
Bernhard Reiter
bernhard at intevation.de
Fri Sep 4 10:32:18 CEST 2020
Hello Marius,
On Thursday 03 September 2020 11:21:45 Marius Urkis wrote:
> Trying to figure out how to use MISP feed output bot, could someone
> advise.
seems my MISP foo is not strong enough to advise without doing lots of tests
myself. Just to be sure, you are talking about using
https://github.com/certtools/intelmq/blob/develop/intelmq/bots/outputs/misp/output_feed.py
as documented here
https://github.com/certtools/intelmq/blob/develop/docs/Bots.md#misp-feed
and runs into MISP as "feed", via
https://www.circl.lu/doc/misp/managing-feeds/
> MISP creates new event once per period (per hour, or per day),
> and that makes MISP do correlation between these events created
> previously. And actually that results in the correlation table growing
> exponentially. Am I doing something wrong on IntelMQ side or MISP?
There are a number of options to MISP feeds, some are related to correlation
and whether to keep old data in. Personally I'd play with these and ask
in a MISP forum how they handle feeds in general.
(We've developed the IntelMQ Output MISP API bot and there you can set the
fields explicitly which you want to correlate and you have to choose a few
significant ones.)
> At IntelMQ I configure bot to make one event per day (actually
> containing ~1500 events in resulting json file). At the MISP side I have
> MISP feed format feed.
If those are different events, they should not correlate much (in my simple
understanding), but again I don't know how MISP handles other
incoming "feeds".
Best Regards,
Bernhard
--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
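The growth Marius describes can be reasoned about without a MISP instance: MISP correlations are pairwise, so when the same indicator value reappears in k periodic feed events, it produces k*(k-1)/2 event pairs. The script below is an added example for this thread, not code from IntelMQ, MISP or either poster. It assumes only the MISP feed layout (one JSON object per event with an "Event" key holding "Attribute" entries); the three daily events, their UUIDs and indicator values are constructed for the example. It counts the cross-event pairs a feed would generate, projects the count for a year of daily events, and shows the effect of the one mitigation available on the producing side, emitting only values not already published in an earlier event of the same feed.

```python
"""Estimate how pairwise cross-event correlations grow when a periodic
MISP feed repeats the same indicator values in consecutive events."""
import json
from collections import defaultdict

# Constructed sample: three daily events in MISP feed layout. UUIDs and
# indicator values are invented for this example.
SAMPLE_FEED_EVENTS = [
    json.dumps({"Event": {
        "uuid": "00000000-0000-4000-8000-000000000001",
        "info": "intelmq feed 2020-09-01",
        "Attribute": [
            {"type": "ip-dst", "value": "192.0.2.10"},
            {"type": "ip-dst", "value": "192.0.2.11"},
            {"type": "domain", "value": "bad.example"}]}}),
    json.dumps({"Event": {
        "uuid": "00000000-0000-4000-8000-000000000002",
        "info": "intelmq feed 2020-09-02",
        "Attribute": [
            {"type": "ip-dst", "value": "192.0.2.10"},
            {"type": "ip-dst", "value": "192.0.2.12"},
            {"type": "domain", "value": "bad.example"}]}}),
    json.dumps({"Event": {
        "uuid": "00000000-0000-4000-8000-000000000003",
        "info": "intelmq feed 2020-09-03",
        "Attribute": [
            {"type": "ip-dst", "value": "192.0.2.10"},
            {"type": "domain", "value": "bad.example"},
            {"type": "domain", "value": "other.example"}]}}),
]


def index_values(feed_events):
    """Map each (type, value) pair to the set of event UUIDs containing it."""
    seen = defaultdict(set)
    for raw in feed_events:
        event = json.loads(raw)["Event"]
        for attr in event.get("Attribute", []):
            seen[(attr["type"], attr["value"])].add(event["uuid"])
    return seen


def correlation_pairs(feed_events):
    """Return (total_pairs, per_value): a pair is two distinct events sharing
    one attribute value. k events sharing a value give k*(k-1)/2 pairs, so the
    table grows quadratically with the number of periodic events that repeat
    the same indicator."""
    per_value = {}
    for key, uuids in index_values(feed_events).items():
        if len(uuids) > 1:
            per_value[key] = len(uuids) * (len(uuids) - 1) // 2
    return sum(per_value.values()), per_value


def projected_pairs(events_per_value, repeated_values):
    """Project the pair count if `repeated_values` distinct indicators each
    reappear in `events_per_value` consecutive events (e.g. 365 daily ones)."""
    return repeated_values * events_per_value * (events_per_value - 1) // 2


def dedup_new_only(feed_events):
    """Producer-side mitigation: keep in each event only values not published
    in an earlier event of the same feed, which removes the cross-event pairs
    that repeated indicators would otherwise create. Events stay in order."""
    published = set()
    out = []
    for raw in feed_events:
        event = json.loads(raw)["Event"]
        fresh = [a for a in event.get("Attribute", [])
                 if (a["type"], a["value"]) not in published]
        published.update((a["type"], a["value"]) for a in fresh)
        out.append(json.dumps({"Event": {**event, "Attribute": fresh}}))
    return out


if __name__ == "__main__":
    total, per_value = correlation_pairs(SAMPLE_FEED_EVENTS)
    print("cross-event pairs in sample feed:", total, per_value)
    print("pairs after de-duplication:", correlation_pairs(dedup_new_only(SAMPLE_FEED_EVENTS))[0])
    print("1000 indicators repeated daily for a year:", projected_pairs(365, 1000))
```

With the sample feed the two indicators present in all three events yield three pairs each, six in total; after de-duplication no value appears in more than one event and the count drops to zero. The projection for 1000 indicators repeated across 365 daily events is 66,430,000 pairs, which is the order of magnitude a MISP correlation table reaches when every period re-publishes the same data.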