Filebeat misp module

Charles100 · March 19, 2021, 5:54pm

Hi, I'm playing the filebeat MISP module and getting this error when starting filebeat : : ERROR fileset/factory.go:97 Error creating input: (assert) value of type 'string' not convertible into unsupported go type 'tlscommon.Config' accessing 'request.ssl'

This error seems related to this option in misp.yml:

var.ssl: |-
     {
       verification_mode: none
     }

If I commented this, filebeat is saying that the certificate is not trusted but thats normal (it's a self-signed). Any idea how to use a misp self-signed certificate with filebeat ?

Thx

Charles100 · March 19, 2021, 5:56pm

Oh, I just found that there's a new filebeat module called "Threath intel" where there's a mips mention:

misp : Supports gathering threat intel attributes from MISP (replaces MISP module).

So I guess I should use that module instead

Andre_Letterer · March 22, 2021, 1:09am

Hi Charles,

I think what you are referring to in your last comment is this documentation page:

However the issue is this will be rolled out in 7.12 which is not live until now.
In the current 7.11 you still have to use MISP module:

So the question here would rather be possible that the yaml identation is wrong and additionally why using the json syntax for this singular setting?
So I would set it up in misp.yml like this one:

- module: misp
  threat:
    enabled: true
    var.api_key: xxxx
    var.http_request_body.limit: 1000
    var.url: xxxx
    var.ssl.verification_mode: none

Can you give this a shot?

system · April 19, 2021, 1:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.