
Integration with MISP-Feedback#175

Open
sdaaish wants to merge 20 commits into stanfrbd:dev from sdaaish:feature/misp-feedback

Conversation

@sdaaish
Contributor

@sdaaish sdaaish commented Apr 22, 2026

Summary

  • What does this PR change?
    This adds integration with the MISP-Feedback service to lookup observables against MISP warninglists.
  • Why is this change needed?
    To get a quick way to identify possible false positives, the MISP-Feedback service is a fast way to achieve that.
    See also Identify poorly qualified IoCs with MISP warning lists #172

Scope

  • Bug fix
  • New feature
  • Refactor
  • Documentation
  • New engine
  • Other (describe):

Validation (required)

  • I ran relevant tests locally and they pass.
  • I validated real behavior (not only code style or static checks).
  • I checked edge cases and failure paths.

Test evidence

List exact commands you ran and the outcome.

pytest -q tests/engines/test_misp_feedback.py
============================= test session starts =============================
platform linux -- Python 3.14.3, pytest-9.0.3, pluggy-1.6.0
rootdir: /home/sdaa/repos/CyberBro/cyberbro_feature-misp-feedback
configfile: pytest.ini
plugins: mock-3.15.1, Faker-40.15.0
collected 28 items

tests/engines/test_misp_feedback.py ............................         [100%]

============================== 28 passed in 0.11s ==============================

AI-assisted contribution disclosure

  • This PR includes AI-assisted work.
  • I reviewed and understood all generated code.
  • I refined AI output where needed (no low-quality slop).
  • I am fully responsible for this submission.

If AI was used, briefly describe what parts were AI-assisted:
The AI has written most code and documentation. I have instructed it through a PLAN and to have it read AGENTS.md and Contributions.md. And also verified the final output.

Maintainer merge policy acknowledgement

  • I understand uncertain changes may be merged to dev first for additional validation.
  • I understand main is kept clean/stable for releases and tags.

New engine checklist (only if applicable)

Engine Implementation

  • Added engine file in engines/engine_name.py (using existing engines as template).
  • Added engine import/registration in engines/__init__.py.
  • Added engine config/secret variable in utils/config.py (if relevant).

Configuration & Secrets

  • Added needed API key/config vars to .env.sample.
  • Verified variable templating in docker-compose.yml.

UI & Frontend

  • Engine result is copyable via GUI in static/format_results.js.
  • Added/updated layouts in templates/engines_layouts/ for card/table rendering.
  • Added engine in templates/display_cards.html and templates/display_table.html.
  • Added engine in templates/index.html with description (alphabetic order).
  • Added engine support for graph view in templates/graph.html.

Documentation

  • Added docs in docs/api-keys/Get-Engine-API-key.md (if relevant).
  • Added API key guide link in docs/index.md (if relevant).
  • Added engine to docs/quick-start/API-usage-and-engine-names.md.
  • Added page in mkdocs.yml sidebar.
  • Updated docs/quick-start/Quick-start-&-Installation.md and .env examples.
  • Added env vars to docs/quick-start/Advanced-options-for-deployment.md (docker compose example).
  • Updated README.md references (env vars and API/services section).

Risk and rollback

  • Risk level: Low
  • Potential impact: A fix was made in 027c9b5 that might affect edge cases
  • Rollback strategy: Exclude the engine from available choices

Additional notes

  • When setting GUI_ENABLED_ENGINES=misp_feedback, this also included the MISP service. The reason for this was Python making it a string instead of a list when there was only one engine selected in GUI_ENABLED_ENGINES. Since MISP is a substring of the name MISP_FEEDBACK, this caused it to also be shown as an engine on the main page.
    The fix is in 027c9b5 and is believed not to cause any side effects.
  • AI is a bit verbose when documenting, but I don't feel that it has gone to excess in this case.
  • I make a pull request against dev due to a fix being implemented.

Example images: Misp-feedback (screenshot), MISP-feedback-card (screenshot)

stanfrbd and others added 20 commits April 4, 2026 23:56
Dev - Remove support of secrets.json and other improvements stanfrbd#166
Updated instructions for restarting the gunicorn process to include using supervisord.
Add environment variables for MISP-feedback service:
- MISP_FEEDBACK_SERVER_URL: The URL of the MISP-feedback service
- MISP_FEEDBACK_TOKEN: Optional token for Basic authentication

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add MispFeedbackEngine class that:
- Supports MD5, SHA1, SHA256 hashes, IPv4, IPv6, and FQDN observables
- Queries the MISP-feedback service /lookup endpoint
- Supports optional Basic authentication via token
- Returns HIT status with list of matching warninglists or CLEAN status
- Formats results for CSV/Excel export

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add 28 test cases covering:
- HIT/CLEAN analysis scenarios for all supported observable types
- Basic authentication with optional token
- HTTP error handling (400, 401, 403, 404, 500, 502, 503)
- Network timeout handling (connection and read timeouts)
- Invalid JSON response handling
- Multiple matches and edge cases
- Export row formatting for CSV/Excel
- Engine properties and supported types

All tests pass with mocked API responses and integration tested with running service.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add MISP-feedback engine to the UI:
- Added engine to index.html with icon and filter options
- Added table column header and data display in display_table.html
- Added card view in display_cards.html
- Created misp_feedback_table.html layout showing status and warninglists
- Created misp_feedback_card.html layout for card view display

The engine now appears in the UI as a selectable option with:
- Free (no API key required) indicator
- Support for hashes, IPs, and domains
- Visual status indicator (red for HIT, green for CLEAN)
- List of matched warninglists

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add MISP-feedback configuration to Docker Compose:
- MISP_FEEDBACK_SERVER_URL: URL of the MISP-feedback service
- MISP_FEEDBACK_TOKEN: Optional authentication token for Basic Auth

These environment variables are now available to the Cyberbro container
when running via docker-compose.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Register MispFeedbackEngine in utils/load_engines.py:
- Import: from engines.misp_feedback import MispFeedbackEngine
- Instantiate: MispFeedbackEngine(secrets, proxies, ssl_verify)

This ensures the MISP-feedback engine is loaded and available for use
in the analysis pipeline.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The config parser was not converting single-value strings to lists,
causing GUI_ENABLED_ENGINES to be a string instead of an array when
set to a single engine name (e.g., 'misp_feedback'). This led to
JavaScript's .includes() method performing substring matching instead
of exact string matching, incorrectly displaying engines with
substring-matching names.

Fixed by ensuring gui_enabled_engines is always a list, regardless of
whether the input string contains commas.

Verified with:
- All 1217 existing tests still pass
- Config parsing correctly converts single values to list
- JavaScript filtering now uses exact string matching

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Added MISP_FEEDBACK_SERVER_URL and MISP_FEEDBACK_TOKEN configuration
variables to the .env.sample file for users to configure the MISP-feedback
service integration.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Added support for copying MISP-feedback analysis results to clipboard
by formatting the engine output in the plain text export. The formatting
includes the status (HIT/CLEAN) and any matched warninglists.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Added MISP-feedback engine support to the graph visualization with:
- Two node group colors: misp_feedback_hit (red) and misp_feedback_clean (green)
- Node creation for MISP-feedback results showing the status
- Edge labels displaying status and matched warninglists if present
- Warning icon for visual identification

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Created comprehensive documentation describing:
- Optional HTTP Basic Authentication setup
- Configuration without authentication (default)
- Configuration with authentication (reverse proxy/gateway)
- Example deployments for local and remote setups
- Testing and troubleshooting guide
- Note about private infrastructure deployment

The documentation is generic to support various deployment
scenarios (reverse proxy, API gateway, SSO, etc.).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Added entry for Get MISP-Feedback Authentication Token documentation
in the API Key Guides section, maintaining alphabetical order.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Added MISP-Feedback engine entry to the API usage and engine names
documentation with:
- Engine name: misp_feedback
- Supported observable types: hash, IP, domain
- Feature flags: free_no_key
- Description of functionality

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@stanfrbd
Owner

How cool! 🥳
Thank you for implementing this, will review it this weekend :)
