Threat Intelligence with MISP: Part 1 – Setting up MISP with Docker

by
Sharing is caring
This entry is part 18 of 23 in the series Threat Detection Engineering

Views: 61

Step-by-Step Guide to Install MISP Using Docker on Ubuntu

In this guide, we will walk through the steps to install the MISP (Malware Information Sharing Platform) using Docker on an Ubuntu server.

Prerequisites

Before we begin, make sure your system meets the following requirements:

  • Ubuntu Server (LTS versions like 20.04 or 22.04 are recommended)
  • Root or sudo access
  • Docker and Docker Compose installed

Step 1: Update Your Server and Install Docker

First, ensure your server is updated and install Docker and Docker Compose.

sudo apt update && sudo apt upgrade -y
sudo apt install docker.io -y
sudo apt install docker-compose -y
sudo systemctl enable docker
sudo systemctl start docker

Step 2: Clone the MISP Docker Repository

Now, clone the official MISP Docker repository to get the necessary files.

sudo apt install git -y
git clone https://github.com/MISP/misp-docker.git
cd misp-docker

Step 3: Configure the .env File

In the root of the cloned repository, you will find a .env file template. This file contains environment variables used for the MISP Docker setup.

  1. Copy the template .env file:
cp template.env .env
  1. Open the .env file in your preferred text editor:
nano .env
  1. Update the BASE_URL field to match your server’s IP address or domain:
BASE_URL=https://your-server-ip
  1. Save and close the file.

Step 4: Pull Docker Images and Start Containers

Now, we will pull the necessary Docker images and start the MISP containers.

  1. Pull the Docker images:
docker-compose pull
  1. Start the MISP containers:
docker-compose up -d
  1. Verify that all containers are running:
docker ps

You should see several containers (misp, misp_db, redis, etc.) running.

Step 5: Access MISP

  1. Open your browser and navigate to the IP address or domain of your server:
https://your-server-ip
  1. Log in to MISP using the default credentials:
Username: [email protected]
Password: admin
  1. After logging in, be sure to change the default credentials for security.

Default Page:

Step 6: Enable Persistent Storage (Optional)

To ensure that data persists between container restarts, you can map Docker volumes.

  1. Open the docker-compose.yml file:
nano docker-compose.yml
  1. Add persistent storage for the database (misp_db):
volumes:
  - ./db:/var/lib/mysql
  1. Save the file and restart the containers:
docker-compose down
docker-compose up -d

Step 7: Managing and Updating MISP

To manage and update MISP, you will need to periodically pull updates and restart the Docker containers.

  1. Pull the latest updates from the repository:
git pull
  1. Rebuild and restart the containers:
docker-compose pull
docker-compose up -d

Voilà, we have now installed MISP using Docker on Ubuntu server! You can further customize your setup based on your requirements, such as, integrating with other tools, and setting up regular backups.

Series Navigation<< YaraSplunk SIEM: Exploring SPL >>