Manual Execution

Once permissions are set and access data collected, it is highly recommended to perform an initial manual execution from the Pandora FMS server terminal. This confirms bidirectional connectivity (with MISP and the Pandora FMS API) and verifies that the SIEM rule is correctly injected.


1. Command Structure

Run the script with python3, passing the 5 parameters in quotes to avoid issues with special characters:

python3 /usr/share/pandora_server/util/plugin/misp_to_pandora.py "<PANDORA_API_URL>" "<PANDORA_TOKEN>" "<MISP_URL>" "<MISP_KEY>" "<RULE_ID>"

Example:

python3 /usr/share/pandora_server/util/plugin/misp_to_pandora.py \
"http://192.168.1.142/pandora_console/api/v2" \
"ff94a1fa-5cc4-4636-..." \
"https://misp.midominio.com" \
"lpY9q5yy72SC..." \
"200200"


2. Verifying Results

If execution is successful, the script will:

  1. Connect to MISP

  2. Download malicious IPs from the last 30 days

  3. Generate the regular expression

  4. Reload the SIEM engine

You can verify success in two ways:

1. Plugin Log

Check the detailed log at:

tail -f /var/log/pandora/misp_api_sync.log

A successful log shows:

  • Number of attackers found

  • Rule creation or update

  • Final message: Hot-Reload SUCCESSFUL.

2. Pandora FMS Console

  1. Go to Operations SIEM → Rules

  2. Search for the RULE_ID used (e.g., 200200)

  3. Verify that the rule:

    • Was created with severity 14 (Critical)

    • Contains the full list of IPs for intrusion detection in your logs
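
The check on the rule's IP list can also be done offline. The following is an added example, not the code of misp_to_pandora.py (the pattern the plugin generates is not shown on this page): it builds an alternation regex from a list of IPv4 addresses with escaped dots and digit boundaries, then reports which expected IPs a rule pattern would fail to detect. The function names, the sample feed and the log lines are constructed, and Python re syntax is assumed for the pattern.

```python
import ipaddress
import re

def build_ip_rule_pattern(values):
    """Return (pattern, skipped) for a list of feed values; pattern is None if no IPv4 is usable."""
    ips, skipped = set(), []
    for raw in values:
        try:
            ips.add(ipaddress.IPv4Address(raw.strip()))
        except ValueError:
            skipped.append(raw)  # hostnames, CIDR ranges, IPv6, typos
    if not ips:
        return None, skipped  # an empty alternation would match every log line
    alternation = "|".join(re.escape(str(ip)) for ip in sorted(ips))
    # Escaped dots plus lookarounds: 203.0.113.5 must not hit 203.0.113.50 or 1203.0.113.5
    return rf"(?<!\d)(?<!\d\.)(?:{alternation})(?!\d)(?!\.\d)", skipped

def flagged(pattern, line):
    """True if the rule pattern would fire on this log line."""
    return re.search(pattern, line) is not None

def missing_from_rule(pattern, expected_ips):
    """Expected IPs that the rule pattern does not detect in a log line."""
    return [ip for ip in expected_ips
            if not flagged(pattern, f"Failed password for root from {ip} port 22")]

# Constructed sample feed (documentation address ranges), with a duplicate and two non-IPv4 values
FEED = ["203.0.113.5", "198.51.100.23", "203.0.113.5", "evil.example", "192.0.2.0/24"]
PATTERN, SKIPPED = build_ip_rule_pattern(FEED)

if __name__ == "__main__":
    print(PATTERN)
    print("skipped:", SKIPPED)
    print("missing:", missing_from_rule(PATTERN, ["203.0.113.5", "198.51.100.23", "192.0.2.77"]))
    for line in ("sshd: Failed password from 203.0.113.5 port 22",    # constructed log lines
                 "sshd: Failed password from 203.0.113.50 port 22",
                 "nginx: 1203.0.113.5 malformed client field",
                 "fw: dropped 198.51.100.23."):
        print(flagged(PATTERN, line), line)
```
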

Once the rule is confirmed in the SIEM Rules section, you can proceed to configure periodic execution via crontab.