
Write a troubleshooting guide #204

Open
enjeck opened this issue Nov 27, 2020 · 10 comments
Labels: new chapter (This issue proposes a new chapter); T: enhancement (Type: enhancement. This issue seeks an improvement of an existing feature)

Comments

@enjeck (Contributor) commented Nov 27, 2020

It'll be nice if there was a chapter explaining how to troubleshoot common issues that may arise when using MISP, with a clear symptom-action layout.

@enjeck enjeck added T: enhancement Type: enhancement. This issue seeks an improvement of an existing feature new chapter This issue proposes a new chapter labels Nov 27, 2020
@enjeck enjeck self-assigned this Nov 27, 2020
@NetwarSystem

This is definitely needed.

Set up a virtual machine, install using the script. This installs MISP, Apache, database, etc, all good.

Connect with web browser, get login. Give default name and password and ... it redirects to localhost:8443??

Let me be perfectly clear here, I might be building this on my desktop, but once it's working it will run on a system in my office. It is wholly and utterly inappropriate to assume that VM = localhost and NAT ports.

Finally figured out that the host name is coming from the misp-ssl.conf file. Edit it to match the name for the system. Visit with browser, and it won't move forward, complains about HSTS. I have periodic need to tinker with Apache and am used to doing SSL certs, this is not entirely unfamiliar.

There doesn't seem to be any easy way to avoid HSTS. Can't just disable it. The example script that ships with the system is self-signed, it complains about that, too. Looks like the only way to make it work is to get an actual certificate?

So at this point, I can't even log in, and the system is demanding an investment of time and troubleshooting SSL before I can even see what it does.

The site says 6,000 organizations are using this thing. That's kinda mind boggling given this install process.

@adulau (Member) commented Feb 14, 2021

@NetwarSystem there are many different ways to install MISP. You are mentioning an issue with the VM, but you can install MISP automatically using the proposed scripts.

https://misp.github.io/MISP/INSTALL.ubuntu2004/
https://misp.github.io/MISP/

@NetwarSystem

@adulau Ah, there is someone here to help, this is good.

A bit about our systems:

Xeon HP workstations and Dell rack mounts, twelve or sixteen cores, 128gb - 256gb, multiple helium filled NAS drives. ArangoDB, Elasticsearch RabbitMQ, for our internal social media threat detection system. Open Semantic Search brings Solr, spaCy, Tesseract, Tika, Neo4j into the mix. We have a lot of "operations technical" talent around to go with the "operations psychological" detection, Cisco and Juniper, some pfSense, have our fingers in multiple service providers.

I noticed MISP because it was packaged with some other stuff, it's very enticing. Our use cases would look something like this:

  • Herds of bare metal systems with analytics running, would be nice to slip a MISP VM into this setup somewhere. Some places we have VirtualBox, others QEMU+KVM, Docker is cordially loathed by everyone, but this Podman thing seems tolerable. No NAT, bridged interfaces work just fine.
  • Analysts have stout workstations, a quad core VM with eight or sixteen GB, no problem. Not Docker, MISP would be integrated on a machine doing other things, access is via the internal host-only subnet.
  • We expose services for a limited set of clients, they auth with Cloudflare Access, service is behind Cloudflare, then internal nginx reverse proxy. We understand Apache+SSL well enough to puzzle through it, but that's unnecessary complication when there are two layers ahead of the service already doing SSL.
  • There might be use cases involving Tor or I2P, that will need to be investigated.

So I would deploy MISP on bare metal Ubuntu or Debian. I would put it on a VM, but the VM would have a bridged IP from the same subnet as its host. I would run it in a VM where the host's operator expects to find services on the internal subnet provided by VirtualBox. The only place where NAT is found is between the Cloudflare CDN and an nginx reverse proxy.

We would be perfectly happy (and safe!) if we got MISP running as a plain text service on port 80. We never assume that any package can be secured on its own, there are always layered defenses employed.

@adulau (Member) commented Feb 15, 2021

You are free to configure your MISP internally as you like. The TLS configuration depends on what you would like to do.

I would recommend having a look at the default script for misp-cloud:

Then you can update it to your specific needs.

@NetwarSystem

I did a fresh install of Ubuntu 20.04 and ran the script.

There is no provision to ensure that PHP is installed, so it fails at the first $CAKE invocation.

Presumably more than just PHP is needed - can I get a list of the required packages?

@iglocska (Member)

Which script did you run? The installation of the requirements is included, including PHP, the required extensions, etc.

@NetwarSystem

I wget this:

https://github.com/MISP/misp-cloud/blob/master/dev/bootstrap

Running on a brand new install of Ubuntu 20.04 that had been updated.

No php.

I see there is a line to do this in the file:

apt install -qy libapache2-mod-php php php-cli php-dev php-json php-xml php-mysql php7.2-opcache php-readline php-mbstring php-redis php-gnupg php-gd > /dev/null 2>&1

Will have another go at it from scratch, see if I can figure out what happened.

@iglocska (Member)

I have no experience with misp-cloud myself, but indeed, a quick grep revealed that very line that you pasted there ;)

@NetwarSystem

Seems like it's expecting php7.2 but "apt install php" gets 7.4.

I'm seeing errors like this:

sed: can't read /etc/php/7.2/apache2/php.ini: No such file or directory

@NetwarSystem

Log of the failed install, with links to dpkg -l before, dpkg -l after.

https://gist.github.com/NetwarSystem/ba3dead949cd3573b63dd0ec79c0e887

Adjusted these two lines to reflect 7.4 rather than 7.2

PHP_INI='/etc/php/7.4/apache2/php.ini'
apt install -qy libapache2-mod-php php php-cli php-dev php-json php-xml php-mysql php7.4-opcache php-readline php-mbstring php-redis php-gnupg php-gd > /dev/null 2>&1

And that looks good ... took 30 minutes, but I have what seems to be a working install. Yay.
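The failure above comes from the bootstrap script hardcoding the PHP 7.2 paths and package name while Ubuntu 20.04 ships PHP 7.4. The snippet below is an added example, not code from the misp-cloud repository: it derives the php.ini path and the opcache package from the PHP version actually installed, and refuses to proceed if the version string looks wrong or the php.ini file is missing. The function names and the `php_paths.sh` filename guard are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the misp-cloud bootstrap): derive the
# version-specific PHP paths instead of assuming PHP 7.2.

# Print "major.minor" of the PHP CLI on PATH; fail if php is absent.
detect_php_version() {
    command -v php >/dev/null 2>&1 || return 1
    php -r 'echo PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION;'
}

# Accept only N.N or N.NN so an odd value can never build a bogus path.
valid_php_version() {
    case "$1" in
        [0-9].[0-9]|[0-9].[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# php_ini_path VERSION -> /etc/php/VERSION/apache2/php.ini
php_ini_path() {
    printf '/etc/php/%s/apache2/php.ini\n' "$1"
}

# opcache_pkg VERSION -> phpVERSION-opcache (e.g. php7.4-opcache on 20.04)
opcache_pkg() {
    printf 'php%s-opcache\n' "$1"
}

# Same package list as the bootstrap, with the opcache package versioned.
php_packages() {
    printf 'libapache2-mod-php php php-cli php-dev php-json php-xml php-mysql %s php-readline php-mbstring php-redis php-gnupg php-gd\n' \
        "$(opcache_pkg "$1")"
}

main() {
    ver="$(detect_php_version)" || { echo "php not on PATH; install it first" >&2; exit 1; }
    valid_php_version "$ver" || { echo "unexpected PHP version '$ver'" >&2; exit 1; }
    PHP_INI="$(php_ini_path "$ver")"
    [ -f "$PHP_INI" ] || { echo "missing $PHP_INI; is libapache2-mod-php installed?" >&2; exit 1; }
    echo "PHP_INI=$PHP_INI"
    echo "apt install -qy $(php_packages "$ver")"
}

# Run main only when saved and executed as php_paths.sh (assumed name),
# so the functions can be sourced elsewhere without side effects.
[ "${0##*/}" = "php_paths.sh" ] && main
```

Run `apt install php` first, then this script prints the PHP_INI value and the apt line to substitute into the bootstrap; on Ubuntu 20.04 that yields the 7.4 paths shown in the comment above.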

@enjeck enjeck changed the title Write troubleshooting guide Write a troubleshooting guide Feb 16, 2021