How to install MISP has long been a contentious question, and the answer depends on which flavour of deployment you are willing to run in your environment. I am not a fan of the OVA deployments (I have no control over what was put into the image before it reached me), and I would not deploy a prebuilt OVA of that kind in a production environment.
So instead I will walk through deploying MISP with the newly released shell script from the MISP project, which takes care of everything in a one-liner.
Install Ubuntu 18.04
I have previously worked almost exclusively with CentOS 6 and 7, but in building Security Operations tooling I have been switching to Ubuntu 18.04 to satisfy dependency requirements.
For my test environment I will be deploying Ubuntu behind a router I have placed in the DMZ. The router is actually a CentOS box running nginx as a reverse proxy, and all of that sits behind Cloudflare with Access restrictions and authentication.
Once Ubuntu 18.04 has been deployed, make sure the network is configured correctly for Internet connectivity. As always, do not enable services you do not need, and ALWAYS run the update and upgrade on first install:
sudo apt update
sudo apt upgrade -y
Install MISP from a one-liner
Once Ubuntu has completed its upgrades and you have done the obligatory restart, make sure you are not logged in as root (the installer expects an ordinary user with sudo rights) and run the following:
wget -O /tmp/INSTALL.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh
bash /tmp/INSTALL.sh -A
If you are still logged in as root, the installer will fail, so make sure you are logged in as an appropriate user. In my case I have created a user called 'misp' for the purpose. The -A flag asks the installer to set up the optional components as well as the MISP core. Because the script is fetched over the network and then runs with sudo rights, read it before you execute it rather than trusting the one-liner blindly.
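The two checks a practitioner wants around that one-liner, as an added example that is not part of the original post or of the MISP project's own installer: refuse to run as root, and refuse to execute the downloaded script unless its SHA-256 matches a digest you computed yourself after reading the revision you audited. EXPECTED_SHA256 is a placeholder value (an assumption), as are the function names; the URL, path and -A flag are the ones used above.

```shell
#!/bin/sh
# Added example: wraps the MISP one-liner with a non-root check and a pinned
# SHA-256 check. Not the MISP project's code.
set -eu

INSTALL_URL="https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh"
INSTALL_PATH="/tmp/INSTALL.sh"
# Placeholder (assumption): replace with the digest of the INSTALL.sh revision
# you read through, computed on a machine you trust.
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Returns 0 if the file at $1 hashes (SHA-256) to $2, 1 otherwise.
# Uses sha256sum (coreutils) when present, otherwise shasum (macOS/BSD).
verify_sha256() {
    file="$1"
    expected="$2"
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    fi
    [ "$actual" = "$expected" ]
}

# Returns 0 if the effective user is not root (the installer wants a sudo user).
not_root() {
    [ "$(id -u)" -ne 0 ]
}

# Fetches the installer, verifies it against the pinned digest and only then
# runs it with -A. Returns 1 without executing anything if either check fails.
run_misp_installer() {
    if ! not_root; then
        echo "Refusing to run as root; log in as an ordinary sudo user." >&2
        return 1
    fi
    wget -O "$INSTALL_PATH" "$INSTALL_URL"
    if ! verify_sha256 "$INSTALL_PATH" "$EXPECTED_SHA256"; then
        echo "SHA-256 of $INSTALL_PATH does not match the pinned value; not executing." >&2
        return 1
    fi
    bash "$INSTALL_PATH" -A
}

# Usage: RUN_MISP_INSTALL=1 sh install-misp.sh
# The guard keeps the installer from starting when the file is merely sourced.
if [ "${RUN_MISP_INSTALL:-0}" = "1" ]; then
    run_misp_installer
fi
```

The point of pinning a digest you computed yourself, rather than trusting a checksum served over the same channel as the script, is that a compromise of the download path then changes the hash and the installer simply refuses to run; re-pin deliberately when you move to a newer revision of INSTALL.sh.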
In my case this took about 10 minutes to download, configure and initialise the databases. The web interfaces were available almost immediately, and at the very end of the script the access credentials for the various components were printed too.
By default, access to the MISP web interface is through the prepopulated default user and password (change it at first login, before anyone other than you can reach the instance):
I understand this information is freely available online, but I am documenting it here as part of the DIY SOC deployment series of articles I am writing. Being able to ingest, store and query threat intelligence is extremely useful for a SOC analyst, so using MISP as one of the external threat-source storage and query points is pretty attractive when it comes to economics.