Skip to content

[Bug] MISP->THEHIVE4 'ExportOnly' and 'Exceptions' ignored in application.conf file #1482

Open
@confusedsecuritydudes

Description

@confusedsecuritydudes

Work Environment

Question Answer
OS version (server) Ubuntu 18.04.5 LTS
TheHive version / git hash 4.0.0-1
Package Type DEB

Problem Description

When configuring the connector between TH4 and MISP it appears that the setting in application.conf to 'purpose = ExportOnly' is being ignored. Likewise exclusion {} also appears to have no impact on data ingested into TH4 from MISP.

Steps to Reproduce

  1. Configure /etc/thehive/application.conf
# More information at https://github.com/TheHive-Project/TheHiveDocs/TheHive4/Administration/Connectors.md
# Enable MISP connector
`play.modules.enabled` += org.thp.thehive.connector.misp.MispModule
misp {
 interval: 1 hour
 servers: [
    {
     name = "MISP"            # MISP name
     url = "https://misp.XXXX.XXX" # URL or MISP
     tags = ["misp"]
     
     certpath = false
     caseTemplate = "MISP-EVENT"
     exportCaseTags = true
     max-age = 7 days
     purpose = ExportOnly
    
     exclusion {
        organsation = ["XXXXXX"]
     }

     auth {
       type = key
       key = "XXXXXXXXXXXXXXXXX"             # MISP API key
     }
//     wsConfig {}                        # HTTP client configuration (SSL and proxy)
   }
 ]
}

  1. Restart TheHive.

  2. Alerts still continue to populate TH4 from MISP. Deleting all of the MISP events and clearing alerts is short lives as they all seem to be replaced again (looks like by the same alerts).

Have tried putting the 'purpose' in various places in the config file as well as surrounding "ExportOnly" in quotes but still seems to be ignored.

Metadata

Metadata

Assignees

Labels

TheHive4TheHive4 related issuesbug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions