solomonneas

Soc Deploy Misp

Author: Solomon Neas · GitHub · v1.0.0 · MIT-0
cross-platform ✓ passed security check
Total downloads: 155 · Favorites: 0 · Current installs: 0 · Versions: 1

Install in OpenClaw: /install soc-deploy-misp
Description
Deploy MISP threat intelligence platform on any Docker-ready Linux host. Official misp-docker project with automatic MariaDB memory tuning (prevents OOM on s...
Usage (SKILL.md)

SOC Deploy: MISP (Malware Information Sharing Platform)

Deploy MISP threat intelligence platform on any Docker-ready Linux host using the official misp-docker project.

This skill does NOT create VMs. It expects an SSH target with Docker installed. Use hyperv-create-vm or proxmox-create-vm first if you need infrastructure.

When to Use

  • "deploy misp"
  • "set up misp"
  • "install misp"
  • "threat intel platform"
  • "ioc sharing platform"

User Inputs

  Parameter                     Default              Required
  SSH target                    -                    Yes (user@host)
  Admin email                   [email protected]    No
  Admin password                ChangeMe123!         No
  Host RAM (for buffer pool)    4GB                  No

Prerequisites Check

# SSH works
ssh <target> "echo OK"

# Docker + Compose v2
ssh <target> "docker --version && docker compose version"

# RAM check (need 3GB+ free)
ssh <target> "free -h | grep Mem"

Execution

Single command deployment

scp scripts/setup.sh <target>:~/
ssh <target> "bash ~/setup.sh '[email protected]' '<password>'"

What setup.sh does

  1. Clone official misp-docker from GitHub
  2. Configure .env:
    • MISP_BASEURL, MISP_ADMIN_EMAIL, MISP_ADMIN_PASSPHRASE
    • Generate random MySQL passwords
    • Set INNODB_BUFFER_POOL_SIZE based on host RAM (CRITICAL)
  3. docker compose up -d
  4. Poll for MISP readiness (5-10 min on first boot for DB migrations)
  5. Generate API key via cake CLI:
    docker compose exec -T misp /var/www/MISP/app/Console/cake user change_authkey <email>
  6. Verify API with /servers/getVersion
  7. Save credentials to ~/misp/api-key.txt

Output to User

MISP deployed!

URL: https://<target>
Admin: [email protected] / <password>
API Key: <key>

MCP Connection:
  MISP_URL=https://<target>
  MISP_API_KEY=<key>
  MISP_VERIFY_SSL=false

Note: Self-signed HTTPS. Use curl -k for API calls.
Credentials saved to: ~/misp/api-key.txt

InnoDB Buffer Pool Sizing

The #1 failure on small VMs. Default buffer pool is 2GB, which kills MariaDB on 4GB hosts.

  Host RAM    INNODB_BUFFER_POOL_SIZE
  4 GB        512M
  8 GB        2048M
  16 GB       4096M
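The sizing rule from the table above as a runnable shell function, added here as an example rather than the skill's own setup.sh: it maps host RAM to INNODB_BUFFER_POOL_SIZE and writes the value into misp-docker's .env idempotently, so a re-run never leaves two conflicting lines. The thresholds between the table's rows (6 GiB and 12 GiB) and the .env path argument are assumptions, not values from the skill.

```shell
#!/usr/bin/env bash
# Added example (not the skill's setup.sh): choose INNODB_BUFFER_POOL_SIZE from
# host RAM per the sizing table, then set it in misp-docker's .env.
set -eu

# Map total RAM in MiB to a buffer pool size. The cut-offs between the table's
# rows are an assumption: below 6 GiB use the 4 GB row, below 12 GiB the 8 GB
# row, otherwise the 16 GB row.
buffer_pool_for_mib() {
  local mib="$1"
  if [ "$mib" -lt 6144 ]; then
    echo "512M"
  elif [ "$mib" -lt 12288 ]; then
    echo "2048M"
  else
    echo "4096M"
  fi
}

# Total RAM of this host in MiB, read from /proc/meminfo (reported in kB).
host_ram_mib() {
  awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }' /proc/meminfo
}

# Set or replace a KEY=VALUE line in an .env file without duplicating it.
set_env_var() {
  local file="$1" key="$2" value="$3"
  if grep -q "^${key}=" "$file" 2>/dev/null; then
    sed -i "s|^${key}=.*|${key}=${value}|" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# Apply the sizing to the given .env (the skill keeps it at ~/misp/misp-docker/.env,
# an assumed path here). RAM may be passed explicitly for testing or dry runs.
tune_env() {
  local env_file="$1" mib="${2:-$(host_ram_mib)}"
  set_env_var "$env_file" INNODB_BUFFER_POOL_SIZE "$(buffer_pool_for_mib "$mib")"
  grep '^INNODB_BUFFER_POOL_SIZE=' "$env_file"
}

# Usage: ./tune_innodb.sh --apply [/path/to/.env]
if [ "${1:-}" = "--apply" ]; then
  tune_env "${2:-$HOME/misp/misp-docker/.env}"
fi
```

Run it before docker compose up -d; if MariaDB already crashed with the 2GB default, the Critical Gotchas recovery step (docker compose down -v) still applies after fixing .env.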

Critical Gotchas

See references/gotchas.md for full details:

  1. MariaDB OOM (showstopper): Default InnoDB buffer pool is 2GB. On 4GB hosts, MariaDB crashes instantly. MUST set INNODB_BUFFER_POOL_SIZE in .env.
  2. Recovery from OOM: docker compose down -v to wipe the failed DB volume, fix .env, then restart.
  3. First boot is slow: 5-10 min for DB schema creation and initial data load.
  4. Self-signed HTTPS: Use curl -k for all API calls.
  5. Advanced authkeys: Enabled by default. The cake CLI is the most reliable key generation method.
  6. MISP web UI: https://<ip> (port 443, not 80).

Timeout Strategy

Total: ~12-15 min (docker pull + first boot + setup). Split:

  • Turn 1: Clone, configure, docker compose up -d (~3 min + pull time)
  • Turn 2: Wait for health + generate API key (~5-7 min)

Pairs With

  • hyperv-create-vm - create a Hyper-V VM, then deploy MISP on it
  • proxmox-create-vm - create a Proxmox LXC/VM, then deploy MISP on it
  • soc-deploy-thehive - deploy TheHive alongside for case management
Safe-use recommendations
This skill appears to do what it says, but review and validate before use: 1) Ensure you run setup.sh on a trusted target host with Docker and Compose v2 installed (the script expects git, docker, curl, openssl, etc.). 2) Provide a strong admin password and consider not using the defaults. 3) The script saves MySQL credentials and the MISP API key in plaintext at ~/misp/api-key.txt and in .env — move these to a secure secrets store or restrict access on the host. 4) Verify the cloned repo URL and inspect the upstream misp-docker repo (and any changes applied) before running. 5) For production, replace self-signed certs and avoid exposing the host publicly until you’ve hardened the instance. If you want higher assurance, ask the author for an explicit list of required host binaries and confirm the GitHub repo/commit used by the script.
Functional analysis

Type: OpenClaw Skill
Name: soc-deploy-misp
Version: 1.0.0

The skill bundle provides a legitimate and well-documented automation for deploying the MISP threat intelligence platform via the official misp-docker repository. It includes specific logic in `scripts/setup.sh` to calculate MariaDB memory tuning (INNODB_BUFFER_POOL_SIZE) to prevent common OOM errors on small VMs and uses the internal `cake` CLI for secure API key generation. No evidence of data exfiltration, malicious persistence, or prompt injection was found; all actions are transparently aligned with the stated purpose of SOC infrastructure deployment.
Capability assessment
Purpose & Capability
The skill's name/description match what the code does: cloning the official misp-docker repo, configuring .env, tuning InnoDB buffer pool, running docker compose, and generating an API key. Minor inconsistency: the manifest lists no required binaries, but the SKILL.md and scripts clearly expect git, docker (compose v2), curl, openssl, sed/grep/hostname, and ssh/scp for deployment.
Instruction Scope
Instructions stay within deployment scope: copy and run setup.sh on the target host, poll local endpoints, generate API key via cake CLI inside the container, and save credentials to ~/misp/api-key.txt. Nothing in the instructions reads or transmits unrelated system credentials or posts data to external endpoints.
Install Mechanism
No install spec is included (instruction-only) and the script clones the official GitHub repo (https://github.com/MISP/misp-docker.git). No downloads from unknown hosts or extract-from-arbitrary-URLs are used.
Credentials
The skill does not request external credentials (good). It generates and writes sensitive secrets (MySQL root/user passwords, admin password, API key) into the repo .env and into a plaintext file in the target user's home directory. This is expected for deployment, but users should be aware that credentials are stored in cleartext by default.
Persistence & Privilege
The skill does not request permanent platform privileges (always:false). It creates files under the target user's home (~/misp, ~/misp/misp-docker) and .env there, which is appropriate for a deploy script and does not modify other skills or global agent settings.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install soc-deploy-misp
  3. Once installed, call the Skill by name or trigger it with /soc-deploy-misp.
  4. Provide the required inputs per the Skill's parameter description to get structured output.
Version history
v1.0.0
Initial release of soc-deploy-misp: deploy MISP threat intelligence platform via Docker with automatic MariaDB tuning.
  • Deploys MISP on any Docker-ready Linux host, using the official misp-docker project.
  • Automatically tunes MariaDB InnoDB buffer pool to avoid OOM on small VMs.
  • Handles admin account setup, credential generation, and API key creation with cake CLI.
  • Outputs all access details, API keys, and credentials upon completion.
  • Includes clear prerequisites, timeout strategy, and self-signed HTTPS warnings for API use.
  • Designed to work alongside infrastructure provisioning and related SOC automation skills.
Metadata
Slug: soc-deploy-misp
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 1
FAQ

What is Soc Deploy Misp?

Deploy MISP threat intelligence platform on any Docker-ready Linux host. Official misp-docker project with automatic MariaDB memory tuning (prevents OOM on s... It is an AI Agent Skill plugin for Claude Code / OpenClaw, downloaded 155 times so far.

How do I install Soc Deploy Misp?

Run the command "/install soc-deploy-misp" in the OpenClaw or Claude Code chat box for one-step installation; no extra configuration is needed.

Is Soc Deploy Misp free?

Yes, Soc Deploy Misp is completely free under the MIT-0 license and may be downloaded, installed and used freely.

Which platforms does Soc Deploy Misp support?

Soc Deploy Misp is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who develops Soc Deploy Misp?

Developed and maintained by Solomon Neas (@solomonneas); the current version is v1.0.0.
