NetWitness Community

EricPartington · ‎2019-04-05

RSA NetWitness has a number of integrations with threat intel data providers but two that I have come across recently were not listed (MISP and Minemeld) so I figured that it would be a good challenge to see if they could be made to provide data in a way that NetWitness understood.

Current RSA Ready Integrations

https://community.rsa.com/community/products/rsa-ready/rsa-ready-documentation/content?filterID=contentstatus%5Bpublished%5D~objecttype~objecttype%5Bdocument%5D&filterID=contentstatus%5Bpublished%5D~tag%5Bthreat+intel%5D&sortKey=contentstatus%5Bpubli...

MISP

Install the MISP server in a few different ways

https://www.misp-project.org/

VMWare image, Docker image or on an OS are all available (VMware image worked the best for me)

https://www.circl.lu/misp-images/latest/

Authenticate and setup the initial data feeds into the platform

Set the schedule to get them polling for new data

Once created and feeds are being pulled in you can look at the attributes to make sure you have the data you expect

Test the API calls using PyMISP via Jupyter Notebook

https://github.com/epartington/rsa_nw_misp/blob/master/get-misp.ipynb

you can edit the notebook code to change the interval of data to pull back (last 30 days, all data or such to limit impact on the MISP server)
You can change the indicator type (ip-dst, domain etc.) to pull back the relevant columns of data
You can change the column data to make sure you have what you need as other feed data

Once that checks out and you have the output data you want via the notebook you can add the python script to the head server of NetWitness

Install PyMISP on the head server of the NetWitness system so that you can crontab the query.

Install PyMISP using PIP

(keep in mind that updating the code on the head server could break things so be careful and test early and often before committing this change in production)

yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install python-pip
OWB_FORCE_FIPS_MODE_OFF=1 python
OWB_FORCE_FIPS_MODE_OFF=1 pip install pymisp
OWB_FORCE_FIPS_MODE_OFF=1 pip install --upgrade pip
OWB_FORCE_FIPS_MODE_OFF=1 ./get-misp.py
yum repolist
vi /etc/yum.repos.d/epel.repo
change enabled from 1 to 0‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Make sure you disable the epel repo after installing so that you don't create package update issues later

Now setup the query that is needed in a script (export the Jupyter notebook as python script)

https://github.com/epartington/rsa_nw_misp/blob/master/get-misp.py

Crontab the query to schedule it (the OWB is required to work around FIPS restrictions that seem to break a number of script related items in python)

23 3 * * * OWB_FORCE_FIPS_MODE_OFF=1 /root/rsa-misp/get-misp.py > /var/lib/netwitness/common/repo/misp-ip-dst.csv‍‍

Now setup the NetWitness recurring feed to pull from the local feed location

map the ip-dst values (for this script) to the 3rd column and the other columns as required

Minemeld

Minemeld is another free intel aggregation tool from Palo Alto Networks and can be installed many ways (i tried a number of installs on different Ubuntu OSes and had difficulties), the one that worked the best for me was via a docker image.

https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld

https://github.com/PaloAltoNetworks/minemeld/wiki

Docker image that worked well for my testing

https://github.com/jtschichold/minemeld-docker

docker run -it --tmpfs /run -v /somewhere/minemeld/local:/opt/minemeld/local -p 9443:443 jtschichold/minemeld‍‍

to make it run as daemon after testing add the -d command to have it continue running after you exit the terminal

After installing (if you do this right you can get a certificate included in the initial build of the container that will help with the Certificate trust to NW) you will log in and set up a new output action to take your feeds and map them to a format and output that can be used with RSA NetWitness.

This is the pipeline that we will create which will map a sample threat intel list to an output action so that NetWitness can consume that information

And it gets defined by editing the yml configuration file (specifically this section creates the outboundhcvalues section that NetWitness reads)

https://github.com/epartington/rsa_nw_minemeld/blob/master/minemeld-netwitness-hcvalues.yml

outboundfeedhcvalues:
 inputs:
 - aggregatorIPv4Outbound-1543370742868
 output: false
 prototype: stdlib.feedHCGreenWithValue‍‍‍‍‍‍‍‍‍‍

This is a good start for how to create custom miners

https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-MineMeld-to-Create-a-Custom-Miner/ta-p/227694

Once created and working you will have a second miner listed and the dashboard will update

You can test the feed output using a direct API call like this via the browser

https://192.168.x.y:9443/feeds/"$feed_name"?tr=1&v=csv&f=indicator&f=confidence&f=share_level&f=sources‍‍

the query parameters are explained here:

https://live.paloaltonetworks.com/t5/MineMeld-Articles/Parameters-for-the-output-feeds/ta-p/146170

in this case:

tr=1	translate IP ranges into CIDRs. This can be used also with v=json and v=csv.

v=csv

returns the indicator list in CSV format.

The list of the attributes is specified by using the parameter f one or more times. The default name of the column is the name of the attribute, to specify a column name add |column_name in the f parameter value.

The h parameter can be used to control the generation of the CSV header. When unset (h=0) the header is not generated. Default: set.

Encoding is utf-8. By default no UTF-8 BOM is generated. If ubom=1 is added to the parameter list, a UTF-8 BOM is generated for compatibility.

F are the column names from the feed

This command testing drops a file in your browser to look at and make sure you have the data and columns that you want

Now once you are confident in the process and the output format you can script and crontab the output to drop into the local feed location on the head server (I did this as i couldn't figure out how to accept the self signed certificate from the docker image).

https://github.com/epartington/rsa_nw_minemeld/blob/master/script-rsa-minemeld.sh

# 22 3 * * * /root/rsa-minemeld/script-rsa-minemeld.sh‍‍

Now create the same local recurring feed file to pull in the information as feed data on your decoders.

Define the column to match column 1 for the IP in CIDR notation and map the other columns as required

Done

Now we have a pipeline for two additional threat data aggregators that you may have a need for in your environment.

Anonymous · ‎2019-06-03

Thanks for this Eric, it's great.

Do you think that installing PyMISP into a python Virtualenv would help to keep the code separate from the NetWitness code?

AlainSilva · ‎2019-10-16

I tried but does not work! Do you have any solution to this?

OWB_FORCE_FIPS_MODE_OFF=1 /root/rsa-misp/get-misp.py > /var/www/misp/misp-ip-dst.csv
Traceback (most recent call last):
File "/root/rsa-misp/get-misp.py", line 22, in <module>
from pymisp import PyMISP
File "/usr/lib/python2.7/site-packages/pymisp/__init__.py", line 33, in <module>
from .api import PyMISP # noqa
File "/usr/lib/python2.7/site-packages/pymisp/api.py", line 21, in <module>
from .mispevent import MISPEvent, MISPAttribute, MISPUser, MISPOrganisation, MISPSighting, MISPFeed, MISPObject, MISPSharingGroup
File "/usr/lib/python2.7/site-packages/pymisp/mispevent.py", line 51, in <module>
import jsonschema
File "/usr/lib/python2.7/site-packages/jsonschema/__init__.py", line 31, in <module>
import importlib_metadata
File "/usr/lib/python2.7/site-packages/importlib_metadata/__init__.py", line 9, in <module>
import zipp
File "/usr/lib/python2.7/site-packages/zipp.py", line 12, in <module>
import more_itertools
File "/usr/lib/python2.7/site-packages/more_itertools/__init__.py", line 1, in <module>
from more_itertools.more import * # noqa
File "/usr/lib/python2.7/site-packages/more_itertools/more.py", line 340
def _collate(*iterables, key=lambda a: a, reverse=False):
^
SyntaxError: invalid syntax

AlainSilva · ‎2019-10-16

Python3 version

[root@server rsa-misp]# sudo OWB_FORCE_FIPS_MODE_OFF=1 python3 /root/rsa-misp/get-misp.py > /var/www/misp/misp-ip-dst.csv
/usr/local/lib/python3.6/site-packages/wrapt/wrappers.py:603: DeprecationWarning: Call to deprecated method __init__. (Please use ExpandedPyMISP instead (requires Python 3.6+). This class will be an alias of ExpandedPyMISP early 2020 and your code will most probably fail.)
args, kwargs)
INFO [api.py:102 - __init__() ] To configure logging in your script, leave it to None and use the following: import logging; logging.getLogger('pymisp').setLevel(logging.DEBUG)
/usr/local/lib/python3.6/site-packages/wrapt/wrappers.py:603: DeprecationWarning: Call to deprecated method get_recommended_api_version. (Use ExpandedPyMISP.recommended_pymisp_version) -- Deprecated since version 2.4.110.
args, kwargs)
DEBUG [api.py:165 - _prepare_request() ] GET - http://my.ip:80/servers/getPyMISPVersion.json
DEBUG [api.py:193 - _prepare_request() ] {'User-Agent': 'PyMISP 2.4.114 - Python 3.6.8', 'Accept-Encoding': 'gzip, deflate', 'Accept': 'application/json', 'Connection': 'keep-alive', 'Authorization': 'blablablamyapikey', 'content-type': 'application/json'}
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 672, in urlopen
chunked=chunked,
File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 376, in _make_request
self._validate_conn(conn)
File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
conn.connect()
File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 394, in connect
ssl_context=context,
File "/usr/local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 383, in ssl_wrap_socket
return context.wrap_socket(sock)
File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
_context=self, _session=session)
File "/usr/lib64/python3.6/ssl.py", line 773, in __init__
self.do_handshake()
File "/usr/lib64/python3.6/ssl.py", line 1033, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib64/python3.6/ssl.py", line 645, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 720, in urlopen
method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
File "/usr/local/lib/python3.6/site-packages/urllib3/util/retry.py", line 436, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='my.ip', port=443): Max retries exceeded with url: /servers/getPyMISPVersion.json (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/pymisp/api.py", line 106, in __init__
response = self.get_recommended_api_version()
File "/usr/local/lib/python3.6/site-packages/wrapt/wrappers.py", line 603, in __call__
args, kwargs)
File "/usr/local/lib64/python3.6/site-packages/deprecated/classic.py", line 233, in wrapper_function
return wrapped_(*args_, **kwargs_)
File "/usr/lib/python3.6/site-packages/pymisp/api.py", line 1522, in get_recommended_api_version
response = self._prepare_request('GET', url)
File "/usr/lib/python3.6/site-packages/pymisp/api.py", line 198, in _prepare_request
return s.send(prepped, **settings)
File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 668, in send
history = [resp for resp in gen] if allow_redirects else []
File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 668, in <listcomp>
history = [resp for resp in gen] if allow_redirects else []
File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 247, in resolve_redirects
**adapter_kwargs
File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='my.ip', port=443): Max retries exceeded with url: /servers/getPyMISPVersion.json (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/root/rsa-misp/get-misp.py", line 24, in <module>
misp = PyMISP(misp_url, misp_key, debug=True)
File "/usr/local/lib/python3.6/site-packages/wrapt/wrappers.py", line 603, in __call__
args, kwargs)
File "/usr/local/lib64/python3.6/site-packages/deprecated/classic.py", line 233, in wrapper_function
return wrapped_(*args_, **kwargs_)
File "/usr/lib/python3.6/site-packages/pymisp/api.py", line 120, in __init__
raise PyMISPError('Unable to connect to MISP ({}). Please make sure the API key and the URL are correct (http/https is required): {}'.format(self.root_url, e))
pymisp.exceptions.PyMISPError: Unable to connect to MISP (http://my.ip:80). Please make sure the API key and the URL are correct (http/https is required): HTTPSConnectionPool(host='my.ip', port=443): Max retries exceeded with url: /servers/getPyMISPVersion.json (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))

LuizMonge · ‎2020-08-04

Having problems integrating with MISP on 11.4, when i try to install pymisp on the HU i get this errors:

Installing collected packages: pymisp
Running setup.py install for pymisp ... error
Complete output from command /usr/bin/python2 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-ilNQm_/pymisp/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-vzuYue-record/install-record.txt --single-version-externally-managed --compile:
/usr/lib64/python2.7/distutils/dist.py:267: UserWarning: Unknown distribution option: 'python_requires'
warnings.warn(msg)
running install
running build
running build_py
creating build
creating build/lib
creating build/lib/pymisp
copying pymisp/__init__.py -> build/lib/pymisp
copying pymisp/abstract.py -> build/lib/pymisp
copying pymisp/api.py -> build/lib/pymisp
copying pymisp/exceptions.py -> build/lib/pymisp
copying pymisp/mispevent.py -> build/lib/pymisp
package init file 'pymisp/data/misp-objects/__init__.py' not found (or not a regular file)
creating build/lib/pymisp/data
creating build/lib/pymisp/data/misp-objects
copying pymisp/data/misp-objects/unique_uuid.py -> build/lib/pymisp/data/misp-objects
package init file 'pymisp/data/misp-objects/tools/__init__.py' not found (or not a regular file)
creating build/lib/pymisp/data/misp-objects/tools
copying pymisp/data/misp-objects/tools/adoc_objects.py -> build/lib/pymisp/data/misp-objects/tools
copying pymisp/data/misp-objects/tools/alfred_links_to_relarelationships.py -> build/lib/pymisp/data/misp-objects/tools
copying pymisp/data/misp-objects/tools/list_of_objects.py -> build/lib/pymisp/data/misp-objects/tools
creating build/lib/pymisp/tools
copying pymisp/tools/__init__.py -> build/lib/pymisp/tools
copying pymisp/tools/abstractgenerator.py -> build/lib/pymisp/tools
copying pymisp/tools/asnobject.py -> build/lib/pymisp/tools
copying pymisp/tools/create_misp_object.py -> build/lib/pymisp/tools
copying pymisp/tools/csvloader.py -> build/lib/pymisp/tools
copying pymisp/tools/domainipobject.py -> build/lib/pymisp/tools
copying pymisp/tools/elfobject.py -> build/lib/pymisp/tools
copying pymisp/tools/emailobject.py -> build/lib/pymisp/tools
copying pymisp/tools/ext_lookups.py -> build/lib/pymisp/tools
copying pymisp/tools/fail2banobject.py -> build/lib/pymisp/tools
copying pymisp/tools/feed.py -> build/lib/pymisp/tools
copying pymisp/tools/fileobject.py -> build/lib/pymisp/tools
copying pymisp/tools/genericgenerator.py -> build/lib/pymisp/tools
copying pymisp/tools/geolocationobject.py -> build/lib/pymisp/tools
copying pymisp/tools/git_vuln_finder_object.py -> build/lib/pymisp/tools
copying pymisp/tools/load_warninglists.py -> build/lib/pymisp/tools
copying pymisp/tools/machoobject.py -> build/lib/pymisp/tools
copying pymisp/tools/microblogobject.py -> build/lib/pymisp/tools
copying pymisp/tools/neo4j.py -> build/lib/pymisp/tools
copying pymisp/tools/openioc.py -> build/lib/pymisp/tools
copying pymisp/tools/peobject.py -> build/lib/pymisp/tools
copying pymisp/tools/reportlab_generator.py -> build/lib/pymisp/tools
copying pymisp/tools/sbsignatureobject.py -> build/lib/pymisp/tools
copying pymisp/tools/sshauthkeyobject.py -> build/lib/pymisp/tools
copying pymisp/tools/stix.py -> build/lib/pymisp/tools
copying pymisp/tools/urlobject.py -> build/lib/pymisp/tools
copying pymisp/tools/vehicleobject.py -> build/lib/pymisp/tools
copying pymisp/tools/vtreportobject.py -> build/lib/pymisp/tools
error: can't copy 'pymisp/data': doesn't exist or not a regular file

----------------------------------------
Command "/usr/bin/python2 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-ilNQm_/pymisp/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-vzuYue-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-ilNQm_/pymisp/
You are using pip version 8.1.2, however version 20.2.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

After the error from above i tried to update pip as sugested after the update i get this error:

Collecting pymisp
Downloading pymisp-2.4.121.1.tar.gz (1.6 MB)
|████████████████████████████████| 1.6 MB 9.7 MB/s
ERROR: Command errored out with exit status 1:
command: /usr/bin/python2 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-JEcrkS/pymisp/setup.py'"'"'; __file__='"'"'/tmp/pip-install-JEcrkS/pymisp/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-UyK7hk
cwd: /tmp/pip-install-JEcrkS/pymisp/
Complete output (10 lines):
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/tmp/pip-install-JEcrkS/pymisp/setup.py", line 7, in <module>
import pymisp
File "pymisp/__init__.py", line 26, in <module>
from .abstract import AbstractMISP, MISPEncode, pymisp_json_default, MISPTag, Distribution, ThreatLevel, Analysis # noqa
File "pymisp/abstract.py", line 46
def _load_json(path: Path) -> Union[dict, None]:
^
SyntaxError: invalid syntax
----------------------------------------
ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.

Is this a problem with python version? i tried to update it but says that is on the latest version 2.7 and it isnt the latest one.

JoshRandall · ‎2020-08-05

Yes, its an issue with the python version. PyMISP no longer supports python2, as of January this year:

https://github.com/MISP/PyMISP/blob/main/README.md

LuizMonge · ‎2020-08-06

So i guess that means that the integration with MISP doesnt work for now right? since the HU doesnt update the python version.

drewjc · ‎2020-08-14

Great post topic. I'm guessing those platforms don't support indicator distribution via a recurring STIX feed? Also, the RSA ready integrations link for threat intelligence is blank for me. I would have expected some listed.

Thanks.

Anonymous · ‎2020-08-16

I can see a few threat intel vendors . https://community.rsa.com/community/products/netwitness/integrations/catalog

Filter by 'Threat Intel'

AgustinGras · ‎2021-07-21

Anyone knows if this still working? @JoshRandall said that PyMISP no longer supports python2 and NW 11.x has python 2.7 installed.

is it safe install python3 in the admin server and then PyMISP and PIP?. Could this broke some service or task that python do in the NW server?

VincentWareham · ‎2022-03-24

Hello

From NW 11.6+ both python and python3 are now installed.

# python -V
Python 2.7.5
# python3 -V
Python 3.6.8

NetWitness Community

Threat Intel Integration with MISP and Minemeld