MISP (“Malware Information Sharing Platform”) is free software initially created by the Belgian Defence to exchange IOCs with partners like the NCIRC (NATO). Today it is an independent project, mainly developed by a group of motivated people. MISP is mainly used by CERTs (“Computer Emergency Response Teams”) but also by private companies to exchange thousands of IOCs on a daily basis.
MISP is a wonderful tool but, honestly, it is not easy to set up. Many components (Apache, PHP, MySQL, Redis, CakePHP, …) must be installed and configured to work together in a smooth way. When I’m talking about MISP with other people, most of them have the same feeling: the setup is a pain. In the past, live-CD distributions or virtual machines were mainly used to provide ready-to-run environments, but they relied on huge files and their maintenance is not easy (the MISP code changes quickly with bug fixes and new features). Today, Docker is the new way to distribute and run applications. I took some time to build a Docker container with MISP for a project. The challenge was to build a single container with all the components. Why not make it available for everybody?
The goal was to automate the MISP deployment as much as possible. The build performs the following steps:
- Based on Ubuntu:latest
- Install all the required packages (dependencies)
- Install all the components
- Perform the basic configuration
- Generate a new salt
- Create the MISP database
- Enable TLS support
To build the Docker image:
```
# git clone https://github.com/xme/misp-docker
# cd misp-docker
# docker build -t misp/misp --build-arg MYSQL_ROOT_PASSWORD=<mysql_root_pw> .
# cat <<__END__ >env.txt
MYSQL_ROOT_PASSWORD=my_strong_root_pw
MYSQL_MISP_PASSWORD=my_strong_misp_pw
__END__
# docker run -d -p 443:443 --env-file=env.txt --restart=always --name misp misp/misp
```
Note: the env.txt file is used during the first boot to populate the MISP database.
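As an added example (not code from the misp-docker repository), here is a small POSIX shell helper that writes env.txt with random passwords instead of the example values, checks the file before it is used, and wraps the build and run commands above. The function names are mine; it assumes docker is on the PATH and that deploy_misp is run from the cloned repository directory.

```shell
#!/bin/sh
# Added helper (not part of the misp-docker repository): writes the env.txt
# that the container reads on first boot with random passwords instead of
# the example values, checks it, and wraps the build/run commands.

# 32 alphanumeric characters derived from the kernel CSPRNG; alphanumeric
# only so the value survives shell quoting and Docker's --env-file parser.
gen_password() {
    head -c 96 /dev/urandom | base64 | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-32
}

# env.txt holds the MySQL root and MISP database passwords in the clear,
# so create it owner-readable only (the umask is scoped to the subshell).
write_env_file() {
    (
        umask 077
        {
            printf 'MYSQL_ROOT_PASSWORD=%s\n' "$(gen_password)"
            printf 'MYSQL_MISP_PASSWORD=%s\n' "$(gen_password)"
        } >"$1"
    )
}

# Returns 0 only if both variables are present, are not the placeholder
# values from the post, and are at least 16 characters long.
validate_env_file() {
    for key in MYSQL_ROOT_PASSWORD MYSQL_MISP_PASSWORD; do
        value=$(sed -n "s/^${key}=//p" "$1")
        [ -n "$value" ] || { echo "$key missing in $1" >&2; return 1; }
        case "$value" in
            my_strong_*|changeme|password)
                echo "$key still holds a placeholder value" >&2; return 1 ;;
        esac
        [ ${#value} -ge 16 ] || { echo "$key shorter than 16 chars" >&2; return 1; }
    done
}

# Same build/run sequence as the post, with the root password taken from
# env.txt instead of being typed on the command line. The --build-arg value
# is still recorded in the image metadata (docker history), so do not push
# this image to a registry that others can read.
deploy_misp() {
    validate_env_file "$1" || return 1
    root_pw=$(sed -n 's/^MYSQL_ROOT_PASSWORD=//p' "$1")
    docker build -t misp/misp --build-arg "MYSQL_ROOT_PASSWORD=$root_pw" . &&
        docker run -d -p 443:443 --env-file="$1" --restart=always \
            --name misp misp/misp
}
```

Typical use is `write_env_file env.txt && deploy_misp env.txt`; validate_env_file alone is enough to check an env.txt you wrote by hand.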
Once the container has booted, there are still some manual operations to perform. Feel free to fine-tune it to your needs if you already know the tool.
- Change the ‘baseurl’ parameter in /var/www/MISP/app/Config/config.php
- Reconfigure Postfix to match your SMTP environment
To use MISP, point your browser to https://your-docker-server:443.
The files are available on my github.com repository.