MISP Exercise 1
Last updated
In this lab you will learn about MISP. MISP stands for Malware Information Sharing Platform; it is open source and used by many organisations around the world.
The main purpose of MISP is to have a central system for registering, tracking and analysing malware.
Download Docker Image
cd /home/hacker/
git clone https://github.com/Hacking-Lab/misp-docker-image.git
Start the docker container with the following command:
cd /home/hacker/misp-docker-image
docker-compose up
Connect to MISP by opening the URL http://misp.localhost in your preferred web browser.
The MISP instance initialises itself on first start. Please wait until you can see the Hacking-Lab icon.
Login with the following credentials:
User: admin@misp-lab.com
Password: compass
At this point, your MISP instance does not have any events in its database. Therefore we will subscribe to a feed, which will populate your instance with events.
Sync Actions -> List Feeds
You will now see two default feeds. They are not enabled yet, so no events are pulled from these sources. Please enable the feed with id 1 by ticking its checkbox and then clicking Enable selected.
Next, click Fetch and store all data to start the import.
You can find the running background jobs under Administration -> Jobs. It should look something like this.
After a while, events will show up under Home. Take a look at some of the pulled events.
After a few minutes MISP should have pulled multiple events from the feed into its database. To view the Event, go to
Home -> List Events
You will see a list of all the events gathered by the feed you subscribed to earlier. It should look something like this.
Please view two other events and compare them. Click around and see what information can be stored and how this might be useful.
To shut down your MISP instance, go back to your terminal window and press CTRL + C once. This stops your docker containers; the data is persistent.
After the docker containers have stopped, please execute the following commands to delete the data folder. This will clean your instance for the next lab.
cd /home/hacker/misp-docker-image
docker-compose down
sudo rm -rf data-instance-default/
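The same lab steps (wait for the instance, list and enable feed 1, fetch it, list events) driven through MISP's REST API with curl, as an added example that is not part of the lab's own material. It assumes the instance at http://misp.localhost as in the lab and an API key for the admin user created in the MISP web UI and exported as MISP_KEY; neither the key nor the helper names are given by the lab.

```shell
#!/bin/sh
# Added example (not from the lab): drive the feed steps through MISP's REST
# API instead of clicking through the UI.
# Assumed: MISP_URL reachable as in the lab, MISP_KEY = an API key created for
# admin@misp-lab.com in the web UI (placeholder below, not a lab value).
MISP_URL="${MISP_URL:-http://misp.localhost}"
MISP_KEY="${MISP_KEY:-REPLACE_WITH_YOUR_API_KEY}"

# Every MISP REST call carries the key in Authorization plus JSON headers.
misp_api() {
    # $1 = HTTP method, $2 = path under MISP_URL
    curl -s -X "$1" \
        -H "Authorization: $MISP_KEY" \
        -H "Accept: application/json" \
        -H "Content-Type: application/json" \
        "$MISP_URL$2"
}

# Poll the login page until it answers HTTP 200 (initialisation takes a
# while); give up after $1 attempts, 10 s apart.
wait_for_misp() {
    attempts="${1:-60}"
    while [ "$attempts" -gt 0 ]; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$MISP_URL/users/login")
        [ "$code" = "200" ] && return 0
        attempts=$((attempts - 1))
        sleep 10
    done
    return 1
}

# Count feeds flagged enabled in a /feeds/index JSON response passed as $1.
count_enabled_feeds() {
    printf '%s' "$1" | grep -o '"enabled": *true' | wc -l | tr -d ' '
}

case "${1:-}" in
    wait)    wait_for_misp ;;
    feeds)   misp_api GET  "/feeds/index" ;;
    enable)  misp_api POST "/feeds/enable/${2:-1}" ;;        # feed id, default 1
    fetch)   misp_api GET  "/feeds/fetchFromFeed/${2:-1}" ;; # queues a fetch job
    enabled) count_enabled_feeds "$(misp_api GET /feeds/index)" ;;
    events)  misp_api GET  "/events/index" ;;
    "")      ;;  # no sub-command: only define the functions
    *)       echo "usage: $0 {wait|feeds|enable [id]|fetch [id]|enabled|events}" >&2 ;;
esac
```

Run it as `sh misp_lab.sh wait && sh misp_lab.sh enable 1 && sh misp_lab.sh fetch 1`, then check Administration -> Jobs in the UI as the lab describes.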
Describe in your own words: What is MISP?
Note what you think MISP is used for.
Explain what a feed is.
The main purpose of MISP is to have a central system for registering, tracking and analysing malware.
MISP is an open source software solution for collecting, storing, distributing and sharing cybersecurity indicators and threats from cyber security incident analysis and malware analysis.
Feeds are remote or local resources containing indicators that can be automatically imported into MISP at regular intervals.