MISP Exercise 1

MISP Lab 01: Introduction

1. Introduction

In this lab you will learn about MISP. MISP originally stood for Malware Information Sharing Platform; today the project simply calls itself MISP Threat Sharing, an open source threat intelligence platform that is used by many organisations around the world.

The main purpose of MISP is to provide a central system for registering, tracking, correlating and sharing threat information, such as the indicators of compromise that come out of malware and incident analysis.

2. MISP Docker setup

  1. Clone the repository that contains the Docker Compose setup:

cd /home/hacker/
git clone https://github.com/Hacking-Lab/misp-docker-image.git

  2. Start the Docker containers with the following command:

cd /home/hacker/misp-docker-image
docker-compose up

Connect to MISP by opening the URL http://misp.localhost in your preferred web browser.

The MISP instance needs some time to initialise on first start. Please wait until you are able to see the Hacking-Lab icon.

Login with the following credentials:

User: admin@misp-lab.com
Password: compass

3. Pulling a feed of events

At this point, your MISP instance does not have any events in its database. Therefore we will subscribe to a feed, which will populate your instance with events.

Sync Actions -> List Feeds

You will now see two default feeds. They are not enabled yet, so no events are pulled from these sources. Enable the feed with ID 1 by ticking its checkbox and then clicking Enable selected.

Then click Fetch and store all data. This starts a background job that downloads the feed's events into your instance.

You can find the running background jobs under Administration -> Jobs. It should look something like this.

After a while, events will show up under Home . Take a look at some of the pulled events.

4. Viewing an Event

After a few minutes MISP should have pulled multiple events from the feed into its database. To view the events, go to

Home -> List Events

You will see a list of all the events gathered by the feed you subscribed to earlier. It should look something like this.

Please view two other events and compare them. Click around and see what information can be stored in an event (attributes, tags, galaxies, related events) and how this might be useful.

To shut down your MISP instance, go back to your terminal window and press Ctrl+C once. This stops your Docker containers; the data remains persistent.

^CGracefully stopping... (press Ctrl+C again to force)
Stopping misp-instance-E                    ... done
Stopping misp-instance-B                    ... done
Stopping misp-instance-A                    ... done
Stopping misp-instance-default              ... done
Stopping misp-docker-image_errorservice_1   ... done
Stopping database-instance-B                ... done
Stopping database-instance-default          ... done
Stopping database-instance-E                ... done
Stopping database-instance-A                ... done
Stopping traefik                            ... done

After the Docker containers have been stopped, please execute the following commands to delete the data folder. This will clean your instance for the next lab.

cd /home/hacker/misp-docker-image
docker-compose down
sudo rm -rf data-instance-default/

5. Security Questions

  1. Describe in your own words: What is MISP?

  2. Note what you think MISP is used for.

  3. Explain what a feed is.

6. Answers

The main purpose of MISP is to provide a central system for registering, tracking, correlating and sharing threat information, such as the indicators of compromise that come out of malware and incident analysis.

MISP is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threat information gathered during incident analysis and malware analysis. Its goal is to let organisations share these indicators with each other so that they can be detected and blocked faster.

Feeds are remote or local resources containing indicators that can be automatically imported into MISP at regular intervals. MISP ships with a default list of public feeds and understands the MISP feed format (a manifest plus one JSON file per event), CSV feeds and free-text feeds.
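To make concrete what the feed you enabled in section 3 actually delivers, and what you were looking at when viewing events in section 4, here is a small reader for the MISP feed format. This is an added example written for this lab, not code from MISP or from the Hacking-Lab image. It assumes the layout of a MISP-format feed (a manifest.json keyed by event UUID, plus one <uuid>.json file per event); the event UUIDs, indicator values and tags below are constructed so that the script runs offline without contacting a feed.

```python
"""Minimal reader for the MISP feed format (manifest.json + one <uuid>.json per event).

Added example for this lab; not part of MISP or the Hacking-Lab image. All data is
constructed inline so it runs offline. A real feed would be fetched over HTTP from the
URL shown under Sync Actions -> List Feeds.
"""
import json

EVENT_UUID = "5d9f1c2a-7b3e-4c8d-9a1f-2e6b4c8d0a11"          # constructed UUID
DANGLING_UUID = "00000000-0000-4000-8000-000000000000"       # constructed UUID

# Constructed feed: the manifest lists events; each event lives in <uuid>.json.
# The second manifest entry deliberately has no event file, to show how a
# reader should cope with an incomplete feed instead of aborting.
FEED_FILES = {
    "manifest.json": json.dumps({
        EVENT_UUID: {
            "info": "Phishing campaign (constructed sample)",
            "date": "2024-01-15",
            "threat_level_id": "2",
            "analysis": "1",
            "timestamp": "1705312800",
            "Orgc": {"name": "Example CERT"},
            "Tag": [{"name": "tlp:green"}],
        },
        DANGLING_UUID: {
            "info": "Dangling manifest entry (constructed, no event file)",
            "date": "2024-01-16",
            "threat_level_id": "4",
            "analysis": "0",
            "timestamp": "1705399200",
            "Orgc": {"name": "Example CERT"},
        },
    }),
    f"{EVENT_UUID}.json": json.dumps({
        "Event": {
            "uuid": EVENT_UUID,
            "info": "Phishing campaign (constructed sample)",
            "date": "2024-01-15",
            "Attribute": [
                {"type": "domain", "category": "Network activity",
                 "value": "login-example.invalid", "to_ids": True},
                {"type": "md5", "category": "Payload delivery",
                 "value": "0123456789abcdef0123456789abcdef", "to_ids": True},
                {"type": "comment", "category": "Other",
                 "value": "Analyst notes, not an indicator", "to_ids": False},
            ],
            # MISP Objects group related attributes; indicators can hide in here too.
            "Object": [
                {"name": "file", "Attribute": [
                    {"type": "filename", "category": "Payload delivery",
                     "value": "invoice.pdf.exe", "to_ids": True},
                    {"type": "size-in-bytes", "category": "Other",
                     "value": "40960", "to_ids": False},
                ]}
            ],
            "Tag": [{"name": "tlp:green"}],
        }
    }),
}


def load_manifest(files):
    """Return the manifest as {event_uuid: metadata}."""
    return json.loads(files["manifest.json"])


def load_events(files):
    """Return ({uuid: event}, [uuids without a usable event file]).

    A manifest entry whose <uuid>.json is missing, or whose embedded UUID does
    not match the file name, is reported instead of silently imported."""
    events, missing = {}, []
    for uuid in load_manifest(files):
        raw = files.get(f"{uuid}.json")
        if raw is None:
            missing.append(uuid)
            continue
        event = json.loads(raw)["Event"]
        if event.get("uuid") != uuid:
            missing.append(uuid)
            continue
        events[uuid] = event
    return events, missing


def extract_iocs(event, only_to_ids=True):
    """Flatten an event's attributes (top level and inside Objects) into
    (type, category, value) tuples. to_ids marks values intended for detection;
    comments and size metadata carry to_ids=False and are skipped by default."""
    attrs = list(event.get("Attribute", []))
    for obj in event.get("Object", []):
        attrs.extend(obj.get("Attribute", []))
    return [(a["type"], a["category"], a["value"])
            for a in attrs if not only_to_ids or a.get("to_ids")]


def feed_summary(files):
    """Counts a practitioner would check after a fetch: events, IOCs, tags, gaps."""
    events, missing = load_events(files)
    return {
        "events": len(events),
        "missing": missing,
        "iocs": sum(len(extract_iocs(e)) for e in events.values()),
        "tags": sorted({t["name"] for e in events.values() for t in e.get("Tag", [])}),
    }


if __name__ == "__main__":
    print(json.dumps(feed_summary(FEED_FILES), indent=2))
    for uuid, event in load_events(FEED_FILES)[0].items():
        for ioc in extract_iocs(event):
            print(uuid, *ioc)
```

The to_ids flag is the detail worth noticing when you compare events in the web interface: only attributes with it set are meant to be exported to IDS or blocklists, which is why the reader filters on it by default and why a comment attribute never becomes an indicator.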
