MISP 2.4.80 released (aka MISP objects release)

September 18, 2017

A new version of MISP 2.4.80 has been released including the most awaited MISP objects feature along with other new features, security fix CVE-2017-14337 and improvements.

MISP Objects

MISP now includes support for MISP objects. This allows MISP to support complex/combined objects in a flexible way along with their relationships towards other objects or even attributes.

MISP objects already available by default are documented in HTML or PDF.

The object model allows MISP users to add objects in addition to standard attributes to an event. Objects are composed of one or more attributes which are defined by the object templates. The object templates are public and can be easily contributed to by everyone, allowing analysts, users and security professionals to build their own representation of various objects and share them back to their communities.

The default MISP object templates included are: ail-leak, cookie, credit-card, ddos, domain|ip, elf, elf-section, email, file, geolocation, http-request, ip|port, macho, macho-section, passive-dns, pe, pe-section, person, phone, r2graphity, regexp, registry-key, tor-node, url, vulnerability, whois, x509, yabin.

An example which describes a DGA (Domain Generation Algorithm) linked to two domain indicators using the MISP object functionality:

DGA expressed as MISP object

Relationships can be described from an existing list of relationship types (e.g. executed-by, impersonates, communicates-with,…) or by values from your own relationship vocabulary. This allows to model a fairly large set of cases from incident, collected intelligence, attacks or course-of-action to malware analysis.

Version 2.4.80 also includes an extended file import for binaries relying on PyMISP and LIEF to create parsed file objects for PE, ELF and MachOS binary formats.

We are expecting to see many creative uses of the new MISP object feature and improvements in the following weeks.

If you upgrade from an existing version of MISP, don’t forget to do a git submodule init && git submodule update (or use the update in the UI) and restart the workers.

This release includes many bug fixes, improvements and new features.

The full change log is available here. PyMISP change log is also available.

Don’t hesitate to open an issue if you have any feedback, found a bug or want to propose new features.

Don’t forget our MISP summit 0x3 before the hack.lu 2017 conference which will take place from 14:00 to 18:00, Monday 16 October 2017. The core team of MISP will also join the hack.lu open source security software hackathon 0x2 which will take place 19-20 October 2017.

A new MISP training will take place in Luxembourg the 21st November 2017, registration is now open.