MISP Exercise 8

MISP LAB08: Warning lists

1. Introduction

In this lab you are going to work with warning lists. The goal is to understand when and how to use warning lists in MISP.

2. Setup

Start the docker container with the following command.

cd /home/hacker/misp-docker-image
docker-compose up

Login with the following credentials:

LAB URL: http://misp.localhost

User: admin@misp-lab.com
Password: compass

3. First look at warning lists

Once logged in, please go to Input Filters -> Warninglists. You should see a list of entries.

Each warninglist has an ID, name and description. You can also see a version, which indicates how many times the list has been updated. The Category field could be used to sort warninglists into different groups, but there is currently only one category (False positive).

The Type attribute indicates what data the list includes (hostnames, strings, cidr etc.).

Entries shows how many values have been added to this list. To get more information about a specific warninglist, click on ID 71.

You should now see all the values this list includes. In our example, the list contains all known Wikimedia address ranges.

4. Enable warning lists

We will now have a look at how warninglists can be used. These lists can be enabled and disabled individually.

Click on Enable; you should see that the warninglist has been enabled.

Congratulations, you have successfully enabled your first warninglist. Please repeat this step for the lists with IDs 28, 37 and 67.

5. Using the warning lists

To see how a warninglist can help us, we need to create a new event. Please go to Home and click Add Event.

Next, click Add Attribute when viewing the event.

Choose Network activity and hostname and enter bit.ly as Value. Then click Submit.

A warning will be triggered!
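The following Python script is an added example, not part of this lab and not MISP's own code. It mimics the check MISP performs when an attribute is saved: the value is compared against every enabled warninglist according to the list's Type (hostname, cidr or string), and every list it hits produces one warning. The list IDs, names and entries are constructed for the illustration; the matching rules (subdomain match for hostnames, network containment for cidr, exact match for strings) are the example's own assumptions, not a statement of MISP's exact implementation.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Warninglist:
    """One warninglist as shown in Input Filters -> Warninglists (ID, name, type, values)."""
    id: int
    name: str
    type: str            # "hostname", "cidr" or "string", mirroring the Type column
    enabled: bool
    values: set = field(default_factory=set)


# Constructed sample lists: ids, names and entries are invented for this example
# and are not MISP's real warninglists.
SAMPLE_LISTS = [
    Warninglist(1, "URL shorteners (constructed)", "hostname", True, {"bit.ly", "t.co"}),
    Warninglist(2, "Office 365 URLs (constructed)", "hostname", True, {"bit.ly", "office.com"}),
    Warninglist(3, "Wikimedia address ranges (constructed)", "cidr", True,
                {"198.35.26.0/23", "2620:0:860::/46"}),
    Warninglist(4, "Google bot ranges (constructed)", "cidr", False, {"66.249.64.0/19"}),
    Warninglist(5, "Benign file hashes (constructed)", "string", True,
                {"d41d8cd98f00b204e9800998ecf8427e"}),
]


def set_enabled(lists, ids, enabled=True):
    """Enable or disable lists by id, as section 4 does through the UI."""
    for wl in lists:
        if wl.id in ids:
            wl.enabled = enabled


def _hostname_matches(value, entries):
    # Assumed rule: a hostname hits an entry when it equals it or is a subdomain of it.
    host = value.lower().rstrip(".")
    return any(host == e or host.endswith("." + e) for e in entries)


def _cidr_matches(value, entries):
    # Non-IP values (hostnames, hashes) can never hit a cidr list.
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def _string_matches(value, entries):
    # Exact, case-insensitive comparison for hash-like values.
    return value.lower() in {e.lower() for e in entries}


MATCHERS = {"hostname": _hostname_matches, "cidr": _cidr_matches, "string": _string_matches}


def check_value(value, lists=SAMPLE_LISTS):
    """Return the names of every enabled warninglist the attribute value hits.

    One value can hit several lists at once; in these sample lists bit.ly
    appears in both the shortener list and the Office 365 list, so it
    produces two warnings, which is the situation in security question 2.
    """
    hits = []
    for wl in lists:
        if not wl.enabled:
            continue
        matcher = MATCHERS.get(wl.type)
        if matcher is not None and matcher(value, wl.values):
            hits.append(wl.name)
    return hits


if __name__ == "__main__":
    for v in ["bit.ly", "www.bit.ly", "198.35.26.96", "66.249.66.1", "example.org"]:
        print(v, "->", check_value(v) or "no warning")
```

Running the script shows that 66.249.66.1 raises no warning until list 4 is enabled with set_enabled(SAMPLE_LISTS, {4}), which is the same effect as clicking Enable in section 4: a warninglist only flags values while it is enabled.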

6. Security questions

  1. Explain why this information is useful and how investigators might use this feature.

  2. Why does the value bit.ly set off two warnings? Explain.

  3. Try to add a second attribute to the event and add a value also in one of the enabled warninglists. Does it also show up as a warning? Please add a screenshot.

7. Answers

  1. It can be a useful feature to get, for example, warnings about potential CC servers, etc.

  2. bit.ly is on two activated warninglists. It's often used for O365 URLs. Sometimes URL shorteners will also be abused to drop malware.

  3. I added an attribute with an IP address of a Google bot, which also triggers an alarm.