Skip to main content

MISP Feed Generator

CrowdSec

📚 Documentation 💠 Hub 💬 Discourse

This bouncer generates MISP Feed from CrowdSec decisions. It exposes this Feed over HTTP/S. This can be used to feed CrowdSec decisions to MISP using the "Feeds" functionality of MISP.

Quick Start

Installation using pip

Make sure you've Python 3.6+ installed. Using virtualenv is recommended. Run the following command to install the feed generator.

pip install crowdsec-misp-feed-generator

Installation using docker:

Refer to docker hub docs

Configuration

Run the following command to generate the base configuration file:

crowdsec-misp-feed-generator -g > crowdsec-misp-feed-generator.yaml

This will generate a configuration file named crowdsec-misp-feed-generator.yaml in the current directory.

You need to edit this file to configure the feed generator. Make sure you give the correct LAPI key and URL. You can generate a LAPI key using the following command on the machine with CrowdSec installed.

cscli bouncers add crowdsec-misp-feed-generator

Please refer to configuration reference section for more details on the configuration options.

Running the feed generator

After configuring the feed generator, you can run it using the following command:

crowdsec-misp-feed-generator -c crowdsec-misp-feed-generator.yaml

This will start the feed generator and expose the feed over HTTP/S, on the configured port and address.

Setting MISP to use the feed

You can now configure MISP to use this feed. To do this:

  1. Navigate to the "Feeds" tab in MISP.

MISP Feeds

  1. Click on the "Add Feed" button.

MISP Add Feed

Fill the form with appropriate details. Don't forget to set the authentication if you've enabled it in the feed generator configuration.

  1. That's it! You can now use the feed in MISP. You can test it by clicking on the "Fetch now" button in the actions column. Few events should be added to MISP.

Configuration Reference

# CrowdSec Config
crowdsec_lapi_url: http://localhost:8080/
crowdsec_lapi_key: <your-lapi-key>
crowdsec_update_frequency: 1m
include_scenarios_containing: [] # ignore IPs banned for triggering scenarios not containing either of provided word, eg ["ssh", "http"]
exclude_scenarios_containing: [] # ignore IPs banned for triggering scenarios containing either of provided word
only_include_decisions_from: [] # only include IPs banned due to decisions orginating from provided sources. eg value ["cscli", "crowdsec"]

# MISP Config
misp_feed_reset_frequency: 1w
misp_event_analysis_level: 2
misp_feed_orgc:
name: CrowdSec
uuid: 5f6e7b5a-6b1a-4c0e-8a3c-9b9c5a474e8c

misp_feed_threat_level_id: 4
misp_feed_published: false
misp_feed_tags: []

# Bouncer Config

output_dir: ./crowdsec-misp-feed/

# Bouncer Server Config
listen_addr: 0.0.0.0
listen_port: 2450
tls:
enabled: false
cert_file: ""
key_file: ""

basic_auth:
enabled: false
username: ""
password: ""

# Log Config
log_level: info # debug, info, warning, error
log_mode: stdout # stdout, stderr, file

crowdsec_lapi_url

The URL of CrowdSec LAPI. It should be accessible from the bouncer.

crowdsec_lapi_key

It can be obtained by running the following on the machine CrowdSec LAPI is deployed on.


sudo cscli -oraw bouncers add misp-feed-generator # -oraw flag can discarded for human friendly output.

crowdsec_update_frequency

The bouncer will poll the CrowdSec every update_frequency interval.

Value can be in seconds (eg 30s), minutes (eg 5m), hours (eg 1h), days (eg 1d), weeks (eg 1w), months (eg 1M) or years (eg 1y).

include_scenarios_containing

Ignore IPs banned for triggering scenarios not containing either of provided word. Example value ["ssh", "http"]

exclude_scenarios_containing

Ignore IPs banned for triggering scenarios containing either of provided word. Example value ["ssh", "http"]

only_include_decisions_from

Only include IPs banned due to decisions orginating from provided sources. eg value ["cscli", "crowdsec"]

misp_feed_reset_frequency

The bouncer will reset the feed every misp_feed_reset_frequency interval.

Value can be in seconds (eg 30s), minutes (eg 5m), hours (eg 1h), days (eg 1d), weeks (eg 1w), months (eg 1M) or years (eg 1y).

misp_event_analysis_level

The analysis level of the events generated. Refer to MISP docs for more details.

misp_feed_orgc.name

The name of author organisation of the feed. Example value: "CrowdSec"

misp_feed_orgc.uuid

The UUID of author organisation of the feed. Example value: "5f6e7b5a-6b1a-4c0e-8a3c-9b9c5a474e8c"

misp_feed_threat_level_id

The threat level of the feed. Refer to MISP docs. Example value: 4

misp_feed_published

Whether the feed is published or not. Refer to MISP docs. Example value: false

misp_feed_tags

The tags to be added to the events generated by the feed. Refer to MISP docs.

Example Value
[{"exportable": true,"colour": "#ffffff","name": "tlp:white","id": "2" }]

output_dir: ./crowdsec-misp-feed/

listen_addr

The address to listen on for serving the feed. Example value: "0.0.0.0"

listen_port

The port to listen on for serving the feed. Example value: 2450

tls.enabled

Whether to enable TLS for serving the feed. Example value: false

tls.cert_file

The path to the certificate file. Example value: "/etc/ssl/certs/crowdsec-misp-feed-generator.crt"

tls.key_file

The path to the key file. Example value: "/etc/ssl/private/crowdsec-misp-feed-generator.key"

basic_auth.enabled

Whether to enable basic authentication for serving the feed. Example value: false

basic_auth.username

Username for basic authentication. Example value: "crowdsec"

basic_auth.password

Password for basic authentication. Example value: "myhardtohackpassword"

log_level

The log level for the bouncer. Example value: "info"

Valid values: "debug", "info", "warning", "error"

log_mode

The log mode for the bouncer.

Valid values: "stdout", "stderr", "file"