Running MISP in a Docker Container

MISP LogoMISP (“Malware Information Sharing Platform“) is a free software which was initially created by the Belgian Defence to exchange IOC’s with partners like the NCIRC (NATO). Today it became an independent project and is mainly developed by a group of motivated people. MISP is mainly used by CERT’s (“Computer Emergency Response Team”) but also private companies to exchange thousands on IOC’s on a daily basis.

MISP is a wonderful tool but, honestly, it is not easy to setup. Many components (Apache, PHP, MySQL, Redis, CakePHP, …) must be installed and configured to work together in a smooth way. When I’m talking about MISP with other people, most of them have the same feeling: the setup is a pain. In the past, live-CD distributions or virtual machines were mainly used to provide ready-to-run environments but they were relying on huge files and the maintenance is not easy (the MISP code is changing quickly with bug fixes and new features). Today, Docker is the new way to distribute and run applications. I took some time to build a Docker container with MISP for a project. The challenge was to build a single container with all the components. Why not make it available for everybody?

The goal was to automate the MISP deployment as much as possible. The build performs the following steps:

  • Based on Ubuntu:latest
  • Install all the required packages (dependencies)
  • Install all the components
  • Perform the basic configuration
    • Generate a new salt
    • Create the MISP database
    • Enable TLS support

To build the Docker image:

# git clone
# cd misp-docker
# docker build -t misp/misp --build-arg MYSQL_ROOT_PASSWORD=<mysql_root_pw> .
# cat <<__END__ >env.txt
# docker run -d -p 443:443 --env-file=env.txt --restart=always --name misp misp/misp

Note: the env.txt file is used during the first boot to populate the MISP database.

Once the container booted, there are still some manual operations to perform. Feel free to fine-tune it to your needs if you already know the tool.

  • Change the ‘baseurl‘ parameter in /var/www/MISP/app/Config/config.php
  • Reconfigure Postfix to match your SMTP environment

To use MISP, point your browser to https://your-docker-server:443.

The files are available on my repository.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.