This week: MISP, Snort, NetworkMiner
MISP
I took part in an online training about MISP and threat intelligence, Public MISP Training - April 2025. It was a good opportunity to dive deeper into this tool, so I researched it in advance. The training was very useful and more practical than I expected: we did exercises encoding threat data in the platform while learning the best practices to follow.
At first it wasn't so clear to me how people really use MISP in "real life". MISP is in fact integrated into a lot of tools, which I confirmed while reading training material and checking the integrations offered by popular security products.
The true power of MISP is that you can feed its threat-intelligence data into security products to block or alert on IoCs.
One of the main goals of MISP is to feed protective or detection tools with data:
- IDSes / IPSes (e.g. Suricata, Bro, Snort format as included in Cisco products)
- SIEMs (e.g. CEF, CSV or real-time ZMQ pub-sub or Sigma)
- Host scanners (e.g. OpenIOC, STIX, yara rule-set, CSV)
- Various analysis tools (e.g. Maltego)
- DNS policies (e.g. RPZ)
Some resources
- There is a lot of training material available in the MISP GitHub repo
- Best Practices in Threat Intelligence - Gather, document, analyse and contextualise intelligence using MISP
Network traffic analysis tools
I spent time exploring the IDS / IPS Snort, specifically its different modes and how to read and write Snort rules. I also used NetworkMiner, which is really great for getting an overview of a pcap file. Brim is also good for that. It's more convenient than diving into a pcap with Wireshark. But to get a detailed packet view, that's where Wireshark shines.
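To tie the two topics together (MISP feeding an IDS, and reading and writing Snort rules), here is an added example that is not from the post, the MISP project or Snort: a small Python exporter that reads an event in MISP's JSON layout, keeps only attributes an analyst flagged with `to_ids`, and emits one Snort rule per IP or domain indicator. The event data is constructed, the SID range and rule wording are my own choices, and MISP's built-in Snort export does more than this; the point is to show what such a rule looks like and why the `to_ids` flag matters.

```python
"""Turn MISP-style IoC attributes into Snort alert rules.

Added illustration, not MISP's own export code: it parses an event in the
MISP JSON layout, keeps attributes whose `to_ids` flag is set, and writes one
Snort 2 rule per supported indicator type. The event below is constructed.
"""
import ipaddress
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample event in MISP JSON layout (event id and values made up).
SAMPLE_EVENT_JSON = json.dumps({
    "Event": {
        "id": "42",
        "info": "Sample campaign (constructed)",
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
            {"type": "domain", "value": "bad.example.com", "to_ids": True},
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False},
            {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
             "to_ids": True},
        ],
    }
})

LABEL_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")


def dns_wire_name(domain: str) -> str:
    """Encode a domain as Snort content bytes in DNS wire format.

    'bad.example.com' -> '|03|bad|07|example|03|com|00|', so the rule matches
    the whole name inside a DNS query rather than a substring of a longer one.
    """
    parts = []
    for label in domain.rstrip(".").split("."):
        if not LABEL_RE.match(label):
            raise ValueError(f"invalid DNS label: {label!r}")
        parts.append(f"|{len(label):02x}|{label}")
    return "".join(parts) + "|00|"


def attribute_to_rule(attr: Dict, event_id: str, sid: int) -> Optional[str]:
    """Return a Snort rule for one MISP attribute, or None if unsupported."""
    atype, value = attr["type"], attr["value"].strip()
    msg = f"MISP event {event_id} {atype} {value}"
    # Escape characters that have special meaning inside a rule body.
    msg = msg.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")
    opts = [f'msg:"{msg}"']
    if atype in ("ip-dst", "ip-src"):
        ip = ipaddress.ip_address(value)  # raises ValueError on garbage input
        header = (f"alert ip $HOME_NET any -> {ip} any" if atype == "ip-dst"
                  else f"alert ip {ip} any -> $HOME_NET any")
    elif atype in ("domain", "hostname"):
        header = "alert udp $HOME_NET any -> any 53"
        opts += [f'content:"{dns_wire_name(value)}"', "nocase"]
    else:
        return None  # e.g. file hashes: nothing to match on the wire
    opts += [f"sid:{sid}", "rev:1"]
    return f"{header} ({'; '.join(opts)};)"


def export_event(event_json: str,
                 base_sid: int = 1000001) -> Tuple[List[str], List[Dict]]:
    """Export IDS-flagged attributes of a MISP event to Snort rules.

    Returns (rules, skipped); `skipped` holds attributes that were not
    flagged with to_ids or whose type this exporter does not handle.
    """
    event = json.loads(event_json)["Event"]
    rules, skipped = [], []
    sid = base_sid
    for attr in event.get("Attribute", []):
        if not attr.get("to_ids", False):
            skipped.append(attr)  # analyst did not flag it for IDS use
            continue
        rule = attribute_to_rule(attr, event["id"], sid)
        if rule is None:
            skipped.append(attr)
            continue
        rules.append(rule)
        sid += 1
    return rules, skipped


if __name__ == "__main__":
    rules, skipped = export_event(SAMPLE_EVENT_JSON)
    print("\n".join(rules))
    for attr in skipped:
        print(f"# skipped {attr['type']} {attr['value']}")
```

The `to_ids` check is the part worth copying: an attribute that is useful context for an analyst (a shared hosting IP, a CDN hostname) is not necessarily something you want an IDS to alert on, and MISP's best-practice guidance is to make that decision per attribute rather than export everything. The domain rule encodes the name in DNS wire format so `bad.example.com` does not also fire on `notbad.example.com`.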
Misc
hping3
hping3 is a command-line tool for crafting and sending custom TCP/IP packets.