Open
Description
Work Environment
| Question | Answer |
|---|---|
| OS version (server) | Ubuntu 18.04.5 LTS |
| TheHive version / git hash | 4.0.0-1 |
| Package Type | DEB |
Problem Description
When configuring the connector between TH4 and MISP it appears that the setting in application.conf to 'purpose = ExportOnly' is being ignored. Likewise exclusion {} also appears to have no impact on data ingested into TH4 from MISP.
Steps to Reproduce
- Configure /etc/thehive/application.conf

  ```
  # More information at https://github.com/TheHive-Project/TheHiveDocs/TheHive4/Administration/Connectors.md
  # Enable MISP connector
  play.modules.enabled += org.thp.thehive.connector.misp.MispModule
  misp {
    interval: 1 hour
    servers: [
      {
        name = "MISP" # MISP name
        url = "https://misp.XXXX.XXX" # URL of MISP
        tags = ["misp"]
        certpath = false
        caseTemplate = "MISP-EVENT"
        exportCaseTags = true
        max-age = 7 days
        purpose = ExportOnly
        exclusion {
          organsation = ["XXXXXX"]
        }
        auth {
          type = key
          key = "XXXXXXXXXXXXXXXXX" # MISP API key
        }
        // wsConfig {} # HTTP client configuration (SSL and proxy)
      }
    ]
  }
  ```
- Restart TheHive.
- Alerts still continue to populate TH4 from MISP. Deleting all of the MISP events and clearing alerts is short-lived, as they all seem to be replaced again (looks like by the same alerts).

Have tried putting the 'purpose' in various places in the config file, as well as surrounding "ExportOnly" in quotes, but it still seems to be ignored.