Soc Deploy Misp
Deploy MISP threat intelligence platform on any Docker-ready Linux host. Official misp-docker project with automatic MariaDB memory tuning (prevents OOM on s...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Solomon Neas (@solomonneas)
Security Scan · OpenClaw · Benign (high confidence)
Purpose & Capability
The skill's name/description match what the code does: cloning the official misp-docker repo, configuring .env, tuning InnoDB buffer pool, running docker compose, and generating an API key. Minor inconsistency: the manifest lists no required binaries, but the SKILL.md and scripts clearly expect git, docker (compose v2), curl, openssl, sed/grep/hostname, and ssh/scp for deployment.
Instruction Scope
Instructions stay within deployment scope: copy and run setup.sh on the target host, poll local endpoints, generate API key via cake CLI inside the container, and save credentials to ~/misp/api-key.txt. Nothing in the instructions reads or transmits unrelated system credentials or posts data to external endpoints.
Install Mechanism
No install spec is included (instruction-only) and the script clones the official GitHub repo (https://github.com/MISP/misp-docker.git). It does not download from unknown hosts or extract archives fetched from arbitrary URLs.
Credentials
The skill does not request external credentials (good). It generates and writes sensitive secrets (MySQL root/user passwords, admin password, API key) into the repo .env and into a plaintext file in the target user's home directory. This is expected for deployment, but users should be aware that credentials are stored in cleartext by default.
Persistence & Privilege
The skill does not request permanent platform privileges (always:false). It creates files under the target user's home (~/misp, ~/misp/misp-docker) and .env there, which is appropriate for a deploy script and does not modify other skills or global agent settings.
Assessment
This skill appears to do what it says, but review and validate before use:
1) Ensure you run setup.sh on a trusted target host with Docker and Compose v2 installed (the script expects git, docker, curl, openssl, etc.).
2) Provide a strong admin password and consider not using the defaults.
3) The script saves MySQL credentials and the MISP API key in plaintext at ~/misp/api-key.txt and in .env; move these to a secure secrets store or restrict access on the host.
4) Verify the cloned repo URL and inspect the upstream misp-docker repo (and any changes applied) before running.
5) For production, replace self-signed certs and avoid exposing the host publicly until you've hardened the instance.
If you want higher assurance, ask the author for an explicit list of required host binaries and confirm the GitHub repo/commit used by the script.
Current version: v1.0.0
SKILL.md
SOC Deploy: MISP (Malware Information Sharing Platform)
Deploy MISP threat intelligence platform on any Docker-ready Linux host using the official misp-docker project.
This skill does NOT create VMs. It expects an SSH target with Docker installed. Use hyperv-create-vm or proxmox-create-vm first if you need infrastructure.
When to Use
- "deploy misp"
- "set up misp"
- "install misp"
- "threat intel platform"
- "ioc sharing platform"
User Inputs
| Parameter | Default | Required |
|---|---|---|
| SSH target | - | Yes (user@host) |
| Admin email | admin@misp.local | No |
| Admin password | ChangeMe123! | No |
| Host RAM (for buffer pool) | 4GB | No |
Prerequisites Check
```bash
# SSH works
ssh <target> "echo OK"
# Docker + Compose v2
ssh <target> "docker --version && docker compose version"
# RAM check (need 3GB+ free)
ssh <target> "free -h | grep Mem"
```
Execution
Single command deployment
```bash
scp scripts/setup.sh <target>:~/
ssh <target> "bash ~/setup.sh 'admin@misp.local' '<password>'"
```
What setup.sh does
- Clone official misp-docker from GitHub
- Configure `.env`: `MISP_BASEURL`, `MISP_ADMIN_EMAIL`, `MISP_ADMIN_PASSPHRASE`
- Generate random MySQL passwords
- Set `INNODB_BUFFER_POOL_SIZE` based on host RAM (CRITICAL)
- `docker compose up -d`
- Poll for MISP readiness (5-10 min on first boot for DB migrations)
- Generate API key via cake CLI: `docker compose exec -T misp /var/www/MISP/app/Console/cake user change_authkey <email>`
- Verify API with `/servers/getVersion`
- Save credentials to `~/misp/api-key.txt`
Output to User
```
MISP deployed!
URL: https://<target>
Admin: admin@misp.local / <password>
API Key: <key>

MCP Connection:
MISP_URL=https://<target>
MISP_API_KEY=<key>
MISP_VERIFY_SSL=false

Note: Self-signed HTTPS. Use curl -k for API calls.
Credentials saved to: ~/misp/api-key.txt
```
InnoDB Buffer Pool Sizing
The #1 failure on small VMs. Default buffer pool is 2GB, which kills MariaDB on 4GB hosts.
| Host RAM | INNODB_BUFFER_POOL_SIZE |
|---|---|
| 4 GB | 512M |
| 8 GB | 2048M |
| 16 GB | 4096M |
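The sizing table above and the `.env` steps under "What setup.sh does" together, as an added shell example that is not the skill's own setup.sh: it maps the RAM reported by `free -m` to the table's tiers and writes the `.env` keys the skill configures. The `MYSQL_ROOT_PASSWORD`/`MYSQL_PASSWORD` key names and the tier thresholds (roughly 90% of nominal RAM, since `free -m` reports slightly less than the nominal size) are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the skill's setup.sh: pick INNODB_BUFFER_POOL_SIZE from
# host RAM per the sizing table and write the .env keys setup.sh configures.
set -eu

# Map reported host RAM (MB, as printed by `free -m`) to the table's tiers.
# Assumption: each tier starts at ~90% of its nominal RAM because `free -m`
# reports a little under the nominal size; anything smaller gets 512M.
buffer_pool_for_ram_mb() {
  ram_mb=$1
  if   [ "$ram_mb" -ge 14400 ]; then echo "4096M"   # 16 GB hosts
  elif [ "$ram_mb" -ge 7200 ];  then echo "2048M"   # 8 GB hosts
  else                               echo "512M"    # 4 GB hosts (and smaller)
  fi
}

# Total RAM in MB from the same source the prerequisites check uses.
host_ram_mb() {
  free -m | awk '/^Mem:/ {print $2}'
}

# 32 hex characters from /dev/urandom (setup.sh uses openssl; this variant
# does not depend on openssl being installed on the host).
random_hex() {
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write the .env that misp-docker reads. MYSQL_ROOT_PASSWORD and MYSQL_PASSWORD
# are assumed key names for the "random MySQL passwords" the skill generates.
# Prints the chosen buffer pool size so the caller can report it.
write_misp_env() {
  env_file=$1; baseurl=$2; admin_email=$3; admin_pass=$4; ram_mb=$5
  pool=$(buffer_pool_for_ram_mb "$ram_mb")
  {
    echo "MISP_BASEURL=${baseurl}"
    echo "MISP_ADMIN_EMAIL=${admin_email}"
    echo "MISP_ADMIN_PASSPHRASE=${admin_pass}"
    echo "MYSQL_ROOT_PASSWORD=$(random_hex)"
    echo "MYSQL_PASSWORD=$(random_hex)"
    echo "INNODB_BUFFER_POOL_SIZE=${pool}"
  } > "$env_file"
  chmod 600 "$env_file"   # cleartext secrets: readable by the owner only
  echo "$pool"
}

# Usage on the target host (constructed values):
# write_misp_env ~/misp/misp-docker/.env https://misp.example admin@misp.local 'ChangeMe123!' "$(host_ram_mb)"
```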
Critical Gotchas
See references/gotchas.md for full details:
- MariaDB OOM (showstopper): Default InnoDB buffer pool is 2GB. On 4GB hosts, MariaDB crashes instantly. MUST set `INNODB_BUFFER_POOL_SIZE` in `.env`
- Recovery from OOM: `docker compose down -v` to wipe failed DB volume, fix `.env`, restart
- First boot is slow: 5-10 min for DB schema creation and initial data load
- Self-signed HTTPS: Use `curl -k` for all API calls
- Advanced authkeys: Enabled by default. `cake` CLI is the most reliable key generation method
- MISP web UI: `https://<ip>` (port 443, not 80)
Timeout Strategy
Total: ~12-15 min (docker pull + first boot + setup). Split:
- Turn 1: Clone, configure, `docker compose up -d` (~3 min + pull time)
- Turn 2: Wait for health + generate API key (~5-7 min)
Pairs With
- `hyperv-create-vm` - create a Hyper-V VM, then deploy MISP on it
- `proxmox-create-vm` - create a Proxmox LXC/VM, then deploy MISP on it
- `soc-deploy-thehive` - deploy TheHive alongside for case management
Files: 5 total