This repository has been archived by the owner on Feb 2, 2024. It is now read-only.

Filtering not working #15

Open
CerberusAI opened this issue Feb 11, 2020 · 3 comments

Comments

@CerberusAI

All IoCs are pulling without any changes to the base config from misp.tlpWhiteEvent.
When using that prototype, I would expect the miner to only pull in events / IoCs that are tagged as "tlp:white", but it's not filtering (all IoCs are ingested).

I've also tried filtering by custom tags I have in MISP, but then it won't pull anything.
Please let me know if I'm missing something or how I can fix it.
Thanks

My stack...
MISP Extension - 2.4.96b1
MISP Docker - https://github.com/MISP/docker-misp
MineMeld Docker - https://live.paloaltonetworks.com/t5/MineMeld-Articles/Running-MineMeld-using-Docker/ta-p/289062

@Feldunost

Part of the issue is in "IOC type email / Tags filter #14".
I didn't fix it, and haven't found any clue yet.

@Feldunost

Feldunost commented Feb 12, 2020

Little clue: I checked on MISP in /var/log/apache2/misp-dashboard.local_access.log

When you do a pull manually from MineMeld, it correctly outputs the event IDs that had the tag you set on MineMeld with filter tags: 55 for example. So basically the request seems correct but doesn't go further.

... - - [12/Feb/2020:11:11:13 +0000] "GET /servers/getPyMISPVersion.json HTTP/1.1" 200 3263 "-" "PyMISP 2.4.96 - Python 2.7.12"
... - - [12/Feb/2020:11:11:13 +0000] "GET /attributes/describeTypes.json HTTP/1.1" 200 22452 "-" "PyMISP 2.4.96 - Python 2.7.12"
... - - [12/Feb/2020:11:11:13 +0000] "POST /events/index HTTP/1.1" 200 7037 "-" "PyMISP 2.4.96 - Python 2.7.12"
... - - [12/Feb/2020:11:11:13 +0000] "GET /events/blablablablabla2 HTTP/1.1" 200 86224 "-" "PyMISP 2.4.96 - Python 2.7.12"
..*. - - [12/Feb/2020:11:11:13 +0000] "GET /events/blablablablabla HTTP/1.1" 200 153137 "-" "PyMISP 2.4.96 - Python 2.7.12"

I'll edit this with more info about that issue.

@cyb3rfox

cyb3rfox commented Apr 8, 2020

Doesn't work for me either. I tried the following configurations but it still fetches all events.

Config 1:

misp-blockable-green:
  filters:
    tag:
      - 'TLP:GREEN'
      - Block
  inputs: []
  output: true
  prototype: misp.anyEvent

Config 2:

misp-blockable-green:
  filters:
    tag: 'TLP:GREEN'
  inputs: []
  output: true
  prototype: misp.anyEvent
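To make the expected behaviour concrete, here is an added example (not MineMeld's or PyMISP's own code) that applies a `filters.tag` setting in both shapes used above, a single string and a list, to a constructed sample of MISP event JSON as `/events/index` returns it. It assumes "match any listed tag" semantics and lets you toggle case-sensitive matching, since MISP's own taxonomy tags are lower-case (`tlp:green`) while the configs above use `TLP:GREEN`; this is a local check of filter logic, not a reproduction of the miner.

```python
"""Added example: apply a MineMeld-style `filters.tag` value to MISP events.

Assumption (not confirmed by the issue): an event passes when it carries
ANY of the configured tags. Sample events below are constructed.
"""
import json

# Constructed sample shaped like MISP /events/index output; not real data.
SAMPLE_EVENTS_JSON = json.dumps([
    {"id": "55", "info": "phishing kit", "Tag": [{"name": "tlp:white"}, {"name": "Block"}]},
    {"id": "56", "info": "green share", "Tag": [{"name": "tlp:green"}]},
    {"id": "57", "info": "untagged event"},
    {"id": "58", "info": "red case", "Tag": [{"name": "tlp:red"}, {"name": "Block"}]},
])


def normalize_tag_filter(tag_filter):
    """Accept both config shapes seen in the issue: a bare string or a list."""
    if tag_filter is None:
        return []
    if isinstance(tag_filter, str):
        return [tag_filter]
    return list(tag_filter)


def event_tags(event):
    """Tag names attached to one MISP event (missing 'Tag' key means none)."""
    return {t.get("name", "") for t in event.get("Tag", [])}


def filter_events(events, tag_filter, case_sensitive=False):
    """Return events carrying at least one configured tag.

    With no filter configured every event passes, which is exactly what the
    reporters observed; with a filter that never matches, nothing passes.
    """
    wanted = normalize_tag_filter(tag_filter)
    if not wanted:
        return list(events)
    norm = (lambda s: s) if case_sensitive else str.lower
    wanted_set = {norm(w) for w in wanted}
    return [ev for ev in events if {norm(t) for t in event_tags(ev)} & wanted_set]


def filtered_ids(events_json, tag_filter, case_sensitive=False):
    """Convenience wrapper: parse the JSON and return the surviving event IDs."""
    events = json.loads(events_json)
    return [ev["id"] for ev in filter_events(events, tag_filter, case_sensitive)]


if __name__ == "__main__":
    print(filtered_ids(SAMPLE_EVENTS_JSON, ["TLP:GREEN", "Block"]))
    print(filtered_ids(SAMPLE_EVENTS_JSON, "TLP:GREEN", case_sensitive=True))
```

Running it with the Config 2 value and case-sensitive matching returns an empty list, which is the symptom the original reporter saw with custom tags; comparing that against the case-insensitive result is a quick way to tell a tag-spelling mismatch from a miner bug.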
