I'm experimenting with TheHive and associated projects (MISP in particular) and will be describing some issues I run into and how I've fixed them (fingers crossed).
One of the first things I tried was to import events from WildFire into MISP. I found a package called pan-stix and installed it on my OS X box. Running it the first time and exporting a WildFire report was easy enough, but I wasn't sure how to import it into MISP properly, or even how it was supposed to look.
Eventually I found the right combination of arguments and import strategy:
- use `-f stix-ol` as an argument to `wildfire-to-stix.py`
- import into MISP using the STIX 1.1.1 format
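The step that tripped me up was the import format, so here is a small check to run on the exported file before handing it to MISP. This is an added example, not code from the original post, from pan-stix, or from MISP: it parses the export, confirms the root is a `STIX_Package` carrying `version="1.1.1"`, and only then pushes it with PyMISP. The PyMISP call `upload_stix(path, version='1')` (which posts the file body to MISP's STIX 1 importer) is assumed from PyMISP's API; the MISP URL and API key are placeholders, and the two STIX documents at the bottom are constructed samples trimmed to the package skeleton.

```python
"""Validate that an exported STIX file is a STIX 1.1.1 package before
uploading it to MISP's STIX 1 importer.

Added example; not part of the original post, pan-stix, or MISP.
Assumes PyMISP's upload_stix(path, version='1'); MISP URL and key
are placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Optional

STIX_NS = "http://stix.mitre.org/stix-1"         # STIX 1.x core namespace
STIX_PACKAGE = "{%s}STIX_Package" % STIX_NS       # qualified root element name


def stix_version(xml_bytes: bytes) -> Optional[str]:
    """Return the `version` attribute of the STIX_Package root element,
    or None if the input is not well-formed XML or not a STIX 1.x package."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return None
    if root.tag != STIX_PACKAGE:
        return None
    return root.attrib.get("version")


def is_misp_stix1_importable(xml_bytes: bytes) -> bool:
    """The recipe that worked in the post was STIX 1.1.1; enforce that
    before spending a round trip on MISP."""
    return stix_version(xml_bytes) == "1.1.1"


def upload_to_misp(path: str, misp_url: str, misp_key: str, verify_tls: bool = True):
    """Validate the file locally, then push it to MISP via PyMISP.

    PyMISP is imported inside the function so the helpers above run
    without it installed (assumption: PyMISP with upload_stix()).
    """
    from pymisp import PyMISP

    with open(path, "rb") as f:
        data = f.read()
    if not is_misp_stix1_importable(data):
        raise ValueError("%s: not a STIX 1.1.1 package (version=%r)"
                         % (path, stix_version(data)))
    misp = PyMISP(misp_url, misp_key, ssl=verify_tls)
    # version='1' selects the STIX 1 importer; '2' would select STIX 2.
    return misp.upload_stix(path, version="1")


# Constructed sample: the package skeleton a STIX 1.1.1 export would have,
# trimmed to the header (a real export also carries Indicators/Observables).
SAMPLE_111 = b"""<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    id="example:Package-1" version="1.1.1">
  <stix:STIX_Header>
    <stix:Title>WildFire report (constructed sample)</stix:Title>
  </stix:STIX_Header>
</stix:STIX_Package>"""

# Constructed sample with a different package version, to show the check
# rejecting it rather than letting the importer sort it out.
SAMPLE_12 = SAMPLE_111.replace(b'version="1.1.1"', b'version="1.2"')

if __name__ == "__main__":
    for name, doc in (("1.1.1 sample", SAMPLE_111), ("1.2 sample", SAMPLE_12)):
        print(name, stix_version(doc), is_misp_stix1_importable(doc))
    # upload_to_misp("report.xml", "https://misp.example", "<api key>")
```

Running the script prints the detected version for both samples; uncomment the last line with your own MISP URL and key to perform the upload after the local check passes.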
I published the event and it showed up in TheHive.