# Plugin MISP to Pandora SIEM

# Introduction

**Ver.** 06/03/2026

This plugin retrieves the 500 most frequent IPs from the last 30 days of MISP events and generates a SIEM rule to detect traffic from those IPs.

**Type:** Server Plugin

# Compatibility Matrix

<table border="1" id="bkmrk-sistemas-donde-se-ha">
<tbody>
<tr><td><strong>Systems where it has been tested</strong></td><td>Rocky Linux 9</td></tr>
<tr><td><strong>Systems where it should work</strong></td><td>Any Linux system</td></tr>
</tbody>
</table>

# Prerequisites

For the correct operation of the plugin, **Python 3.10 or higher** and the **PyMISP** library must be installed.

The requirements can be installed with the following commands:

**On Rocky Linux 8 and 9:**

```bash
# Install Python and the required compilation dependencies
sudo dnf install -y python3.11 python3.11-devel python3.11-pip gcc libffi-devel openssl-devel

# Install PyMISP and dependencies
sudo pip3.11 install pymisp requests urllib3
```

**On Ubuntu 22.04:**

```bash
# Install Python and the required compilation dependencies
sudo apt update && sudo apt install -y python3 python3-dev python3-pip libffi-dev libssl-dev build-essential

# Install PyMISP and dependencies
sudo pip3 install pymisp requests urllib3 --break-system-packages
```

Once all dependencies are installed, proceed with the plugin configuration.

# Plugin Configuration

Before running the plugin, you need to locate the script on the server, set execution permissions, and collect connection details for both Pandora FMS and MISP.

---

#### 1. Script Location and Permissions

It is recommended to place the script **`misp_to_pandora.py`** in the standard Pandora FMS server plugin directory.

Upload the file to the server and run the following command to make it executable:

```bash
chmod +x /usr/share/pandora_server/util/plugin/misp_to_pandora.py
```

---

#### 2. Pandora FMS API Configuration (ACL)

For the script to inject rules via the API, the IP executing the script must be authorized.

1. Log in to the Pandora FMS web console as an administrator.
2. Navigate to: **Management → Settings → System Settings → General Setup → Security tab**.
3. Check the field **IP list with API access**.
    - Ensure the IP of the server running the script (or `127.0.0.1` if running locally) is included, separated by commas.
    - You can also use `*` to allow any IP.
4. Generate a **V2 API authorization token** following the [official documentation](https://pandorafms.com/manual/!current/en/documentation/pandorafms/technical_reference/02_annex_externalapi#ks1_3).

---

#### 3. Parameters Collection

The script requires **5 mandatory parameters** that must be passed in a specific order during execution:

- **API\_URL:** Full path to your Pandora FMS API v2 endpoint (must end with `/api/v2`)  
    Example: `http://192.168.1.100/pandora_console/api/v2`
- **TOKEN:** Pandora FMS API authorization token obtained in the previous step
- **MISP\_URL:** URL of your MISP instance  
    Example: `https://misp.midominio.com`
- **MISP\_KEY:** Authentication key (Auth Key) for your MISP user  
    Generate it in MISP via: **Global Actions → My Profile → Auth Keys**
- **RULE\_ID:** Numeric ID of the SIEM rule the script will create or update in Pandora FMS  
    Example: `200200`

<p class="callout info">Recommended: use a high number to avoid conflicts with native or previously created custom rules</p>

Once all the required data is collected, you can proceed to **run the plugin**.

# Manual Execution

Once permissions are set and access data collected, it is highly recommended to perform an initial **manual execution** from the Pandora FMS server terminal. This confirms **bidirectional connectivity** (with MISP and the Pandora FMS API) and verifies that the SIEM rule is correctly injected.

---

#### 1. Command Structure

Run the script with `python3`, passing the **5 parameters in quotes** to avoid issues with special characters:

```bash
python3 /usr/share/pandora_server/util/plugin/misp_to_pandora.py "<PANDORA_API_URL>" "<PANDORA_TOKEN>" "<MISP_URL>" "<MISP_KEY>" "<RULE_ID>"
```

**Example:**

```bash
python3 /usr/share/pandora_server/util/plugin/misp_to_pandora.py \
"http://192.168.1.142/pandora_console/api/v2" \
"ff94a1fa-5cc4-4636-..." \
"https://misp.midominio.com" \
"lpY9q5yy72SC..." \
"200200"
```

---

#### 2. Verifying Results

If execution is successful, the script will:

1. Connect to **MISP**
2. Download malicious IPs from the last **30 days**
3. Generate the **regular expression**
4. Reload the **SIEM engine**
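
Steps 2 and 3 above (selecting the IPs and generating the regular expression) are the part of the plugin worth understanding as a defender, because feed values are untrusted input that ends up inside a regex. The following is an added illustration, not the plugin's own code: it takes MISP-style attribute dicts (constructed sample data in the shape the MISP REST API returns, with only the `type` and `value` fields), keeps the most frequent IPv4 addresses, escapes them, and wraps the alternation in digit lookarounds so that `203.0.113.5` does not also fire on `203.0.113.50`. The PyMISP download itself is left out so the example runs offline, and the exact regex framing the real plugin writes into the Pandora FMS rule is not documented on this page, so the `(?<!\d)…(?!\d)` form here is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of MISP attributes, in the shape the MISP REST API returns
# (only the fields this example needs). These are documentation ranges, not real IoCs.
SAMPLE_ATTRIBUTES = [
    {"type": "ip-src", "value": "203.0.113.5"},
    {"type": "ip-src", "value": "203.0.113.5"},
    {"type": "ip-dst", "value": "198.51.100.7"},
    {"type": "ip-src", "value": "203.0.113.50"},
    {"type": "ip-src", "value": "203.0.113.5"},
    {"type": "ip-src|port", "value": "198.51.100.7|4444"},
    {"type": "domain", "value": "example.invalid"},      # not an IP attribute, ignored
    {"type": "ip-src", "value": "not-an-ip"},           # malformed value a feed could contain
    {"type": "ip-src", "value": "198.51.100.7"},
]

# Constructed firewall-style log lines used to exercise the generated pattern.
SAMPLE_LOG = [
    "Jan 10 02:01:03 fw kernel: DROP SRC=203.0.113.5 DST=10.0.0.4",
    "Jan 10 02:01:05 fw kernel: ACCEPT SRC=203.0.113.50 DST=10.0.0.4",
    "Jan 10 02:01:07 fw kernel: ACCEPT SRC=1203.0.113.5 DST=10.0.0.4",
    "Jan 10 02:01:09 fw kernel: ACCEPT SRC=10.0.0.9 DST=198.51.100.7:4444",
    "Jan 10 02:01:11 fw kernel: ACCEPT SRC=10.0.0.1 DST=10.0.0.4",
]

IP_TYPES = {"ip-src", "ip-dst", "ip-src|port", "ip-dst|port"}


def extract_ips(attributes):
    """Count IPv4 addresses found in MISP-style attribute dicts.

    Only IP attribute types are considered, 'ip|port' composites are split on '|',
    and any value that does not parse as an IPv4 address is dropped so that a
    malformed or hostile feed value can never reach the regex unvalidated."""
    counts = Counter()
    for attr in attributes:
        if attr.get("type") not in IP_TYPES:
            continue
        raw = attr.get("value", "").split("|", 1)[0].strip()
        try:
            ip = ipaddress.IPv4Address(raw)
        except ipaddress.AddressValueError:
            continue
        counts[str(ip)] += 1
    return counts


def top_ips(counts, limit=500):
    """Most frequent addresses first; ties broken by address so output is stable."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, _ in ranked[:limit]]


def build_ip_regex(ips):
    """Build one alternation regex from validated IPs.

    re.escape turns '.' into '\\.' so it only matches a literal dot, and the
    digit lookarounds stop a short address matching inside a longer one."""
    if not ips:
        raise ValueError("no IPs to build a rule from")
    alternation = "|".join(re.escape(ip) for ip in ips)
    return r"(?<!\d)(?:" + alternation + r")(?!\d)"


def match_log_lines(pattern, lines):
    """Return the log lines the generated rule would fire on."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


if __name__ == "__main__":
    counts = extract_ips(SAMPLE_ATTRIBUTES)
    pattern = build_ip_regex(top_ips(counts, limit=2))  # limit=2 keeps the demo readable
    print("rule regex:", pattern)
    for line in match_log_lines(pattern, SAMPLE_LOG):
        print("HIT:", line)
```

With `limit=2` the sample keeps `198.51.100.7` and `203.0.113.5` (three occurrences each) and drops `203.0.113.50`; the first and fourth log lines match, while the `203.0.113.50` and `1203.0.113.5` lines do not, which is the behaviour you want to confirm before trusting a 500-entry rule in production.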

You can verify success in **two ways**:

##### 1. Plugin Log

Check the detailed log at:

```bash
tail -f /var/log/pandora/misp_api_sync.log
```

A successful log shows:

- Number of attackers found
- Rule creation or update
- Final message: `Hot-Reload SUCCESSFUL.`

[![image.png](https://pandorafms.com/guides/public/uploads/images/gallery/2026-03/scaled-1680-/OxDimage.png)](https://pandorafms.com/guides/public/uploads/images/gallery/2026-03/OxDimage.png)

##### 2. Pandora FMS Console

1. Go to **Operations → SIEM → Rules**
2. Search for the **RULE\_ID** used (e.g., `200200`)
3. Verify that the rule:
    - Was created with **severity 14 (Critical)**
    - Contains the full list of IPs for intrusion detection in your logs

Once the rule is confirmed in the **SIEM Rules** section, you can proceed to configure **periodic execution via crontab**.

# Automation (Crontab)

Since MISP threat intelligence continuously receives new **Indicators of Compromise (IoCs)**, it is essential to automate the script execution. This ensures that Pandora FMS updates its **Mega-Regex** automatically, keeping the SIEM engine protected against the latest threats without manual intervention.

---

#### 1. Edit the Crontab File

On the server where the script is located, edit the global crontab file `/etc/crontab` with administrative privileges using your preferred editor (e.g., `vim`, `nano`):

```bash
sudo vim /etc/crontab
```

---

#### 2. Add the Scheduled Task

Add the following line at the end of the file to run the synchronization **daily at 2:00 AM**:

```bash
0 2 * * * root /usr/bin/python3 /usr/share/pandora_server/util/plugin/misp_to_pandora.py "<PANDORA_API_URL>" "<PANDORA_TOKEN>" "<MISP_URL>" "<MISP_KEY>" "200200" > /dev/null 2>&1
```

<p class="callout info">Replace `<...>` with your actual credentials and URLs, exactly as used in the manual test.</p>

---

**Important Details about the configuration:**

- **`0 2 * * *`**: Runs the script at minute 0 of hour 2 (2:00 AM) every day of the month and week.
- **`root`**: Specifies the user executing the action. Using root ensures there are no permission issues writing to the log file.
- **Absolute paths**: Always use the full path to Python (`/usr/bin/python3`) and the script (`/usr/share/pandora_server/util/plugin/misp_to_pandora.py`) because the cron environment has a limited `$PATH`.
- **`> /dev/null 2>&1`**: Silences cron’s standard output. No data is lost, as the script logs successes and errors in `/var/log/pandora/misp_api_sync.log`.

Save the changes and exit the editor. Cron automatically detects the update and applies the new scheduled task.