-
Update: What is the correct way to query a module from a remote host?
Local Query:
Response:
Remote Query 1: This produces no response. Specifying port 6666 results in "connection refused".
Remote Query 2: This also produces no response. Using "https://MispServer/modules" or "https://MispServer/modules/hashlookup" produces no response.
Remote Query 3: This produces a massive amount of text that appears to be a dump of all events.
Remote Query 4: This produces an HTML response with the message, "Error: The requested address '/attributes/restSearch/value' was not found on this server."
The query in the first post still produces
-
Hello. I'm attempting to get MISP to query MD5 hashes of new files and report any malware it finds. The end goal will be to use Graylog to do a hash lookup when a new file is added to an endpoint and use the resulting data for log enrichment. Unfortunately, I can't seem to get a useful result from MISP when I send it a hash as part of a query.
I've enabled the following settings in Administration > Server Settings And Maintenance > Plugins > Enrichment:
Plugin.Enrichment_hashlookup_enabled true
Plugin.Enrichment_hashlookup_restrict MyOrg
When I attempt to query MISP with the MD5 hash for the malware test file, "eicar.com", I get an empty response.
curl -k -X POST -H "Authorization: MyKey" -H "Content-Type: application/json" -d '{ "value": "44d88612fea8a8f36de82e1278abb02f", "EventID": 0 }' https://MyServer/attributes/restSearch
{"response": {"Attribute": []}}
I've tried other ways to query MISP, and get the same result.
curl -k -H "Authorization: MyKey" -H "Content-Type: application/json" -H "Accept: application/json" "https://MyServer/attributes/restSearch/value:44d88612fea8a8f36de82e1278abb02f"
{"response": {"Attribute": []}}
I am able to do web site queries in this way, and get the expected results.
curl -k -H "Authorization: MyKey" -H "Content-Type: application/json" -H "Accept: application/json" "https://MyServer/attributes/restSearch/value:google.com"
{"response": {"Attribute": [{"id":"49601","event_id":"201","object_id":"0","object_relation":null,"category":"Network activity","type":"domain"...
What am I doing wrong?
Thanks for any help you can provide.
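An added example, not code from the original discussion or from the MISP project, showing the `/attributes/restSearch` POST the post above is attempting, with the `returnFormat` and `type` fields the REST API accepts, and a parser for the two reply shapes quoted in the post. restSearch only returns attributes already stored in events the API key can read; an enabled enrichment module is not consulted by that endpoint, so an empty `Attribute` list means the hash is not present in any visible event rather than that the lookup failed. The server name, API key and the completed `google.com` record below are constructed placeholders (the post's own domain reply is truncated).

```python
"""Query a MISP instance for an attribute value via POST /attributes/restSearch."""
import json
import os
import ssl
import sys
import urllib.request

# Placeholders standing in for the poster's "MyServer" / "MyKey" (constructed).
MISP_URL = os.environ.get("MISP_URL", "https://MyServer")
MISP_KEY = os.environ.get("MISP_KEY", "MyKey")

# The empty reply exactly as quoted in the post.
EMPTY_RESPONSE = '{"response": {"Attribute": []}}'
# The domain reply from the post, completed with a "value" field so it parses (constructed).
DOMAIN_RESPONSE = (
    '{"response": {"Attribute": [{"id":"49601","event_id":"201","object_id":"0",'
    '"object_relation":null,"category":"Network activity","type":"domain",'
    '"value":"google.com"}]}}'
)


def build_restsearch_body(value, attr_type=None):
    """Build the JSON body for POST /attributes/restSearch.

    returnFormat selects the output format; type restricts the match to one
    attribute type (e.g. "md5") so a hash is only compared against hash attributes.
    """
    body = {"returnFormat": "json", "value": value}
    if attr_type:
        body["type"] = attr_type
    return body


def parse_restsearch_response(raw):
    """Return [(event_id, type, value), ...] from a restSearch reply string."""
    data = json.loads(raw)
    attrs = data.get("response", {}).get("Attribute", [])
    return [(a.get("event_id"), a.get("type"), a.get("value")) for a in attrs]


def describe(hits):
    """Human-readable summary that distinguishes 'not stored' from 'found'."""
    if not hits:
        return "no attribute with that value is stored in any event visible to this key"
    events = sorted({event_id for event_id, _, _ in hits})
    return f"{len(hits)} matching attribute(s) in event(s) {events}"


def restsearch(value, attr_type=None, verify_tls=True):
    """POST the search to MISP and return the parsed attribute list (may be empty)."""
    req = urllib.request.Request(
        f"{MISP_URL}/attributes/restSearch",
        data=json.dumps(build_restsearch_body(value, attr_type)).encode(),
        headers={
            "Authorization": MISP_KEY,
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    # verify_tls=False mirrors curl -k; keep verification on outside of lab setups.
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_restsearch_response(resp.read().decode())


if __name__ == "__main__":
    # Offline demonstration on the two replies quoted in the post.
    print(describe(parse_restsearch_response(EMPTY_RESPONSE)))
    print(describe(parse_restsearch_response(DOMAIN_RESPONSE)))
    # Live query only when a hash is given and MISP_KEY is set, e.g.
    #   MISP_URL=https://misp.example MISP_KEY=... python restsearch_md5.py 44d88612fea8a8f36de82e1278abb02f
    if len(sys.argv) > 1 and "MISP_KEY" in os.environ:
        insecure = os.environ.get("MISP_INSECURE") == "1"
        print(describe(restsearch(sys.argv[1], "md5", verify_tls=not insecure)))
```

Run without arguments to see how the two quoted replies are classified; pass a hash with `MISP_KEY` set to query a live instance. A non-empty result for `google.com` and an empty one for the EICAR MD5 together indicate the instance simply holds no md5 attribute with that value.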