MISP Guard

September 13, 2022

Let’s say that by no means should an attribute of type passport-number leave your MISP instance. Aside from the analyst following best practices when encoding the data, MISP does not have a built-in mechanism to prevent these leaks to happen, but now you can achieve this by using a third-party tool called misp-guard.

misp-guard is a mitmproxy addon that inspects and blocks outgoing events to external MISP instances via sync mechanisms (PULL/PUSH) based on a set of customizable block rules.

For the example above, the block rules would look like this:

{
    "block_rules": [
        {
            "id": "no-passports",
            "description": "Block passport numbers",
            "blocked_attribute_types": [
                "passport-number"
            ]
        }
    ]
}

How it works

External PULL

From the point of view an External MISP that tries to pull from your instance, MISP Guard acts as a reverse proxy that inspects the external requests and allows only the ones strictly required for server syncronization, it then forwards the requests to your MISP instance and inspects the content of the outgoing events. If any of the block rules matches, the event is droped and never leaves your premises. External MISP servers will create the connections to MISP Guard host, not your Internal MISP instance.

Internal PUSH

From the point of view of your Internal MISP instance, you must configure MISP to use MISP Guard as a proxy (Proxy.host and Proxy.port settings). When the Internal MISP instance tries to push an event, MISP Guard inspects the content and if any of the block rules matches, the event is droped.

NOTE: By default this addon will block all outgoing HTTP requests that are not required during a MISP server sync. All rejected/blocked requests are logged.

For a more detailed explanation check misp-guard README

Block Rules

  • blocked_tags: Blocks if the event/attributes contains certain tags.
  • blocked_distribution_levels: Blocks if the event/objects/attributes matches one of the blocked distribution levels.
    • "0": Organisation Only
    • "1": Community Only
    • "2": Connected Communities
    • "3": All Communities
    • "4": Sharing Group
    • "5": Inherit Event
  • blocked_sharing_groups_uuids: Blocks if the event/objects/attributes matches one of the blocked sharing groups uuids.
  • blocked_attribute_types: Blocks if the event contains an attribute matching one of this types.
  • blocked_attribute_categories: Blocks if the event contains an attribute matching one of this categories.
  • blocked_object_types: Blocks if the event contains an object matching one of this types.

See sample config here.

Installation

$ git clone https://github.com/MISP/misp-guard.git
$ cd src/
$ pip install -r requirements.txt

Setup

  1. Define your block rules in the config.json file.

  2. Start mitmproxy with the mispguard addon:

    $ mitmdump -s mispguard.py -p 8888 --set config=config.json
    Loading script mispguard.py
    MispGuard initialized
    running block rules: no-tlp-red-events
    Proxy server listening at *:8888
    
    • Add -k to accept self-signed certificates.
    • Add --certs *=your-cert.pem to specify a leaf certificate
  3. Configure the proxy in your MISP instance, set the following MISP Proxy.host and Proxy.port settings accordingly.

Done, outgoing MISP sync requests will be inspected and dropped according to the specified block rules.

NOTE: add -v to increase verbosity and display debug logs.

Running mitmdump as a Service

Ideally you want to run mitmdump as reliably as posible, you can use Supervisor to configure it as a service.

Sample supervisord program configuration:

[program:misp-guard]
directory=/home/user/misp-guard/src
user=your-user
command=python3 /home/user/.local/bin/mitmdump -s mispguard.py -p 8888 --certs *=your-cert.pem --set config=config.json
autostart=true
autorestart=true
redirect_stderr=false
stderr_logfile=/var/log/misp-guard-error.log
stdout_logfile=/var/log/misp-guard.log