Part 2: Using MISP-dockerized

As demonstrated in Part 1 of this blog article, installing MISP with MISP-dockerized is quite simple. All you have to do is this:

$> git clone https://github.com/DCSO/MISP-dockerized.git
$> cd MISP-dockerized
$> make install

After you run “make install”, MISP-dockerized guides you through the installation; it usually takes less than five minutes, after which your MISP instance is ready to use.

How to update

To update a conventional MISP installation to the latest commit on the 2.4 branch, you simply pull it:

cd /var/www/MISP
git pull origin 2.4
git submodule update --init --recursive

But usually that’s not the whole story, since the dependencies MISP relies on also need to be updated. For dependencies that ship as distribution packages such as .deb or .rpm this is usually easy, but for dependencies like mixbox, STIX, and the various Python packages it sometimes is not.

We wanted the MISP-dockerized upgrade process to be as simple as the Git pull we are used to. Docker simplifies updating MISP and all of its dependencies considerably, because it keeps the persistent data in so-called volumes, separate from the application and runtime inside the container. Thus only the running container has to be replaced.

MISP update function

Since MISP-dockerized consists of several containers, it provides an update function that automatically checks for and pulls the latest available images and starts the corresponding containers.

The update is simply performed as follows:

$> make update

And the script takes care of the rest.
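After “make update” returns, a practitioner will want to confirm that the instance actually came back healthy: right version, and the CakeResque workers alive. The following Python script is an added example, not part of MISP-dockerized or the MISP project: it queries MISP’s /servers/getVersion and /servers/getWorkers endpoints with a site-admin auth key and flags an unexpected version branch or a queue with no live worker. The endpoint paths and response shapes are assumptions about the MISP REST API, and the embedded sample responses are constructed.

```python
# Added example, not MISP-dockerized or MISP project code. The endpoint paths and the
# response shapes assumed below are based on the MISP REST API; sample data is constructed.
import json
import urllib.request

def fetch_json(base_url, path, auth_key):
    """GET a MISP JSON endpoint, authenticating with a site-admin auth key."""
    headers = {"Authorization": auth_key, "Accept": "application/json"}
    req = urllib.request.Request(base_url.rstrip("/") + path, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

def check_version(version_info, expected_branch="2.4"):
    """Return a problem if the reported version is not on the expected branch."""
    version = version_info.get("version", "")
    if not version.startswith(expected_branch + "."):
        return [f"unexpected MISP version {version!r}"]
    return []

def check_workers(worker_info, required=("default", "email", "cache", "prio", "update")):
    """Flag CakeResque queues that are missing or have no live worker process."""
    problems = []
    for queue in required:
        info = worker_info.get(queue)
        if not info:
            problems.append(f"queue {queue}: not reported")
            continue
        alive = [w for w in info.get("workers", []) if w.get("alive")]
        if not alive:
            problems.append(f"queue {queue}: no running worker "
                            f"({info.get('jobCount', 0)} jobs queued)")
    return problems

def health_report(version_info, worker_info):
    """Combine both checks; an empty list means the instance looks healthy."""
    return check_version(version_info) + check_workers(worker_info)

# Constructed sample responses: the 'update' queue's only worker has died.
SAMPLE_VERSION = {"version": "2.4.99", "perm_sync": True, "perm_sighting": True}
SAMPLE_WORKERS = {
    "default": {"ok": True, "jobCount": 0, "workers": [{"pid": 101, "alive": True}]},
    "email": {"ok": True, "jobCount": 0, "workers": [{"pid": 102, "alive": True}]},
    "cache": {"ok": True, "jobCount": 0, "workers": [{"pid": 103, "alive": True}]},
    "prio": {"ok": True, "jobCount": 0, "workers": [{"pid": 104, "alive": True}]},
    "update": {"ok": False, "jobCount": 3, "workers": [{"pid": 105, "alive": False}]},
}

if __name__ == "__main__":  # live use: pass fetch_json(...) results instead of the samples
    for line in health_report(SAMPLE_VERSION, SAMPLE_WORKERS) or ["all checks passed"]:
        print(line)
```

Against a live instance, replace the samples with fetch_json(base_url, "/servers/getVersion", key) and fetch_json(base_url, "/servers/getWorkers", key) and run it right after the update to catch a container that came up with dead workers.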

How to backup

Like the update script, MISP-dockerized provides support for easily backing up and restoring your instance. All a user has to do is this:

$> make backup-all

or

$> make restore

What else?

MISP-dockerized also ships with several additional components, such as MISP modules, that can be used right from the start, as well as all the dependencies needed for the advanced attachment tools, for example the advanced attachment extraction in MISP.

Version 1.0.0 also comes with a test framework that automatically checks each new image of the MISP version to ensure it functions correctly.

The full documentation for MISP-dockerized can be found at: https://dcso.github.io/MISP-dockerized-docs/

Outlook

We have been continuously developing MISP-dockerized since the start of the project in early 2018, and we released the stable version 1.0.0 in December 2018. Some of the key features we want to develop in 2019 are:

  • Improve the existing test scripts to further raise the quality of new releases.
  • Develop a diagnose-and-support script that quickly checks and gathers information about the health status of the instance.
  • Implement monitoring capabilities to quickly check that everything, such as the CakeResque workers, is running well.

Links

MISP project page: https://github.com/MISP/MISP
MISP-dockerized project page: https://github.com/DCSO/MISP-dockerized
MISP-dockerized documentation: https://dcso.github.io/MISP-dockerized-docs/

Who we are

The Threat Intelligence Team helps clients to reduce the threat posed by adversaries to their networks by leveraging the power of collaborative defense in combination with comprehensive analytics and contextualized threat intelligence. DCSO delivers actionable intelligence on all levels – from atomic Indicators of Compromise (IoC) to insights into the political, economic and cultural context of adversaries.