Threat Intelligence with MISP: Part 1 – Setting up MISP with Docker

This entry is part 18 of 23 in the series Threat Detection Engineering

Step-by-Step Guide to Install MISP Using Docker on Ubuntu

In this guide, we will walk through the steps to install MISP (Malware Information Sharing Platform) using Docker on an Ubuntu server.

Before we begin, make sure your system meets the following requirements:

  • Ubuntu Server (LTS versions like 20.04 or 22.04 are recommended)
  • Root or sudo access
  • Docker and Docker Compose installed

First, ensure your server is updated and install Docker and Docker Compose.

sudo apt update && sudo apt upgrade -y
sudo apt install docker.io -y
sudo apt install docker-compose -y
sudo systemctl enable docker
sudo systemctl start docker

Now, clone the official MISP Docker repository to get the necessary files.

sudo apt install git -y
git clone https://github.com/MISP/misp-docker.git
cd misp-docker

In the root of the cloned repository, you will find a template for the .env file (template.env). The .env file contains the environment variables used by the MISP Docker setup.

  1. Copy the template .env file:
     cp template.env .env
  2. Open the .env file in your preferred text editor:
     nano .env
  3. Update the BASE_URL field to match your server’s IP address or domain:
     BASE_URL=https://your-server-ip
  4. Save and close the file.
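
Before starting the containers, the edited .env file can be checked for a leftover placeholder, weak secrets and loose file permissions. The script below is an added example, not part of the misp-docker project: BASE_URL comes from this guide, while the password variable names (ADMIN_PASSWORD, MYSQL_PASSWORD, MYSQL_ROOT_PASSWORD) and the list of weak values are assumptions to compare against your own template.env.

```shell
#!/bin/sh
# Added example: pre-flight check for the .env file used by docker-compose.
# BASE_URL is the variable edited in this guide. The three password variable
# names and the weak-value list are assumptions; match them to your template.env.

# env_value FILE KEY: print the value of the last KEY= line, outer quotes stripped.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# check_misp_env FILE: print one line per finding, return the number of findings.
check_misp_env() {
    findings=0
    url=$(env_value "$1" BASE_URL)
    case $url in
        '')               echo "BASE_URL is not set"; findings=$((findings + 1)) ;;
        *your-server-ip*) echo "BASE_URL still holds the placeholder"; findings=$((findings + 1)) ;;
        https://*)        ;;
        *)                echo "BASE_URL does not use https: $url"; findings=$((findings + 1)) ;;
    esac
    for key in ADMIN_PASSWORD MYSQL_PASSWORD MYSQL_ROOT_PASSWORD; do
        # Empty counts as a finding on the assumption that an unset value
        # falls back to a built-in default.
        case $(env_value "$1" "$key") in
            ''|admin|password|example|changeme)
                echo "$key is empty or a well-known value"; findings=$((findings + 1)) ;;
        esac
    done
    # The file holds secrets, so it should not be world-readable.
    if [ -n "$(find "$1" -perm -004)" ]; then
        echo "$1 is world-readable; run: chmod 600 $1"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh check_env.sh .env   (with no argument, a constructed sample is checked)
if [ $# -gt 0 ]; then
    check_misp_env "$1"
else
    sample=$(mktemp)
    printf '%s\n' 'BASE_URL=https://your-server-ip' 'ADMIN_PASSWORD=admin' > "$sample"
    check_misp_env "$sample" || echo "findings: $?"
    rm -f "$sample"
fi
```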

Now, we will pull the necessary Docker images and start the MISP containers.

  1. Pull the Docker images:
     docker-compose pull
  2. Start the MISP containers:
     docker-compose up -d
  3. Verify that all containers are running:
     docker ps

You should see several containers (misp, misp_db, redis, etc.) running.


  1. Open your browser and navigate to the IP address or domain of your server:
     https://your-server-ip
  2. Log in to MISP using the default credentials:
     Username: admin@admin.test
     Password: admin
  3. After logging in, change the default credentials immediately, since they are publicly known.

To ensure that data persists between container restarts, you can map Docker volumes.

  1. Open the docker-compose.yml file:
     nano docker-compose.yml
  2. Add persistent storage for the database (misp_db):
     volumes:
       - ./db:/var/lib/mysql
  3. Save the file and restart the containers:
     docker-compose down
     docker-compose up -d

To manage and update MISP, you will need to periodically pull updates and restart the Docker containers.

  1. Pull the latest updates from the repository:
     git pull
  2. Pull the updated images and restart the containers:
     docker-compose pull
     docker-compose up -d

Voilà, we have now installed MISP using Docker on an Ubuntu server! You can further customize your setup based on your requirements, such as integrating with other tools and setting up regular backups.
