Ansible Role: MISP (Ludus)
An Ansible Role that installs MISP 2.5 on Ubuntu 24.04 and optionally creates integration users/API keys for Wazuh, TheHive, and OpenCTI.
Warning: This role requires Ubuntu 24.04 (the only officially supported OS for MISP 2.5). The install takes 15-30 minutes depending on hardware.
- Ubuntu 24.04 target VM
- Minimum 4 GB RAM, 2 CPUs recommended
- Internet access during installation (packages and MISP source are pulled from upstream)
Available variables are listed below, along with default values (see defaults/main.yml):
# MISP domain and URL (defaults to the VM's IP)
ludus_misp_domain: "{{ ansible_host }}"
ludus_misp_baseurl: "https://{{ ludus_misp_domain }}"
# Admin account
ludus_misp_email: "admin@admin.test"
Whispergate: "ORGNAME"
# Passwords - randomly generated if left empty
ludus_misp_admin_password: ""
ludus_misp_db_password: ""
# SSL - uses self-signed cert by default
ludus_misp_self_signed: true
ludus_misp_ssl_cert: ""
ludus_misp_ssl_key: ""
# Install ssdeep fuzzy hashing support
ludus_misp_install_ssdeep: true
# Disable email notifications (recommended for lab use)
ludus_misp_disable_emailing: true
# Enable and configure default OSINT feeds
ludus_misp_enable_feeds: false

# Enable integration user creation for each platform
ludus_misp_enable_wazuh_integration: false
ludus_misp_enable_thehive_integration: false
ludus_misp_enable_opencti_integration: false

ludus_misp_wazuh_org_name: "Wazuh"
ludus_misp_wazuh_user_email: "wazuh@misp.local"
ludus_misp_wazuh_user_password: "" # auto-generated if empty
ludus_misp_wazuh_role: "User"

When enabled, creates a read-only MISP API key for Wazuh. Use this key in your Wazuh manager's ossec.conf integration block:

<integration>
  <name>custom-misp.py</name>
  <hook_url>https://<MISP_IP></hook_url>
  <api_key>MISP_API_KEY_HERE</api_key>
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>

ludus_misp_thehive_org_name: "TheHive"
ludus_misp_thehive_user_email: "thehive@misp.local"
ludus_misp_thehive_user_password: "" # auto-generated if empty
ludus_misp_thehive_role: "User"
ludus_misp_thehive_publish_access: true # read+write for bidirectional sync

When enabled, creates a MISP user and API key for TheHive's native MISP integration. Configure in TheHive's application.conf:

misp {
  interval: 2m
  servers: [
    {
      name = "MISP"
      url = "https://<MISP_IP>"
      auth {
        type = key
        key = "MISP_API_KEY_HERE"
      }
      wsConfig.ssl.loose.acceptAnyCertificate: true
    }
  ]
}

ludus_misp_opencti_org_name: "OpenCTI"
ludus_misp_opencti_user_email: "opencti@misp.local"
ludus_misp_opencti_user_password: "" # auto-generated if empty
ludus_misp_opencti_role: "User"

When enabled, creates a read-only MISP API key for OpenCTI's MISP connector. Configure the connector with:
- MISP_URL=https://<MISP_IP>
- MISP_KEY=MISP_API_KEY_HERE
- MISP_SSL_VERIFY=false

None.

ludus:
  - vm_name: "{{ range_id }}-MISP"
    hostname: "{{ range_id }}-MISP"
    template: ubuntu-24.04-x64-server-template
    vlan: 10
    ip_last_octet: 20
    ram_gb: 8
    cpus: 4
    roles:
      - Whispergate.ludus_misp
    role_vars:
      Whispergate: "MyLab"

ludus:
  - vm_name: "{{ range_id }}-MISP"
    hostname: "{{ range_id }}-MISP"
    template: ubuntu-24.04-x64-server-template
    vlan: 10
    ip_last_octet: 20
    ram_gb: 8
    cpus: 4
    roles:
      - Whispergate.ludus_misp
    role_vars:
      Whispergate: "MyLab"
      ludus_misp_enable_wazuh_integration: true
      ludus_misp_enable_thehive_integration: true
      ludus_misp_enable_opencti_integration: true

After the role runs, all credentials (admin password, API keys, integration keys) are saved to /root/misp_integration_keys.txt on the MISP VM and displayed in the Ansible output.
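
The TheHive and OpenCTI snippets above turn off TLS certificate verification, which matches the role's default self-signed certificate, and the credentials file holds every key in plain text. The following check is an added example, not part of this role: it flags those lab-only settings and the placeholder key in a config file, and reports whether the credentials file is accessible beyond its owner. The function names are hypothetical and the sample configs are constructed from the snippets on this page.

```python
import os
import re
import stat

# Lab-only settings that appear in the integration snippets on this page.
CHECKS = [
    ("tls-verification-disabled", re.compile(r"acceptAnyCertificate\s*[:=]\s*true", re.I)),
    ("tls-verification-disabled", re.compile(r"MISP_SSL_VERIFY\s*[:=]\s*[\"']?false", re.I)),
    ("placeholder-api-key", re.compile(r"MISP_API_KEY_HERE")),
]

def audit_config(text):
    """Return sorted (line_number, finding) pairs for one config file's text."""
    findings = set()
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):  # skip commented-out settings
            continue
        for name, pattern in CHECKS:
            if pattern.search(line):
                findings.add((number, name))
    return sorted(findings)

def keys_file_exposed(path):
    """True if group or other has any permission bit on the credentials file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

# Constructed samples, abridged from the snippets on this page.
THEHIVE_SAMPLE = """\
misp {
  servers: [
    {
      url = "https://<MISP_IP>"
      auth { type = key, key = "MISP_API_KEY_HERE" }
      wsConfig.ssl.loose.acceptAnyCertificate: true
    }
  ]
}
"""
OPENCTI_SAMPLE = "- MISP_URL=https://<MISP_IP>\n- MISP_KEY=MISP_API_KEY_HERE\n- MISP_SSL_VERIFY=false\n"

if __name__ == "__main__":
    for label, sample in (("thehive", THEHIVE_SAMPLE), ("opencti", OPENCTI_SAMPLE)):
        for number, name in audit_config(sample):
            print(f"{label}:{number}: {name}")
    keys_path = "/root/misp_integration_keys.txt"  # path stated on this page
    if os.path.exists(keys_path):
        print("keys file readable beyond owner:", keys_file_exposed(keys_path))
```

Run it as root on the MISP VM to include the credentials file check; point `audit_config` at the real application.conf or connector environment before moving an integration off the self-signed certificate.
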
GPLv3
This role was created for Ludus.