Plugin Configuration
Before running the plugin, you need to locate the script on the server, set execution permissions, and collect connection details for both Pandora FMS and MISP.
1. Script Location and Permissions
It is recommended to place the script misp_to_pandora.py in the standard Pandora FMS server plugin directory.
Upload the file to the server and run the following command to make it executable:
chmod +x /usr/share/pandora_server/util/plugin/misp_to_pandora.py
2. Pandora FMS API Configuration (ACL)
For the script to inject rules via the API, the IP address of the host executing the script must be authorized.
- Log in to the Pandora FMS web console as an administrator.
- Navigate to: Management → Settings → System Settings → General Setup → Security tab.
- Check the field IP list with API access.
  - Ensure the IP of the server running the script (or 127.0.0.1 if running locally) is included, separated by commas.
  - You can also use * to allow any IP, which disables the source-IP restriction.
- Generate a V2 API authorization token following the official documentation.
3. Parameters Collection
The script requires 5 mandatory parameters that must be passed in a specific order during execution:
- API_URL: Full path to your Pandora FMS API v2 endpoint (must end with /api/v2)
  Example: http://192.168.1.100/pandora_console/api/v2
- TOKEN: Pandora FMS API authorization token obtained in the previous step
- MISP_URL: URL of your MISP instance
  Example: https://misp.midominio.com
- MISP_KEY: Authentication key (Auth Key) for your MISP user
  Generate it in MISP via: Global Actions → My Profile → Auth Keys
- RULE_ID: Numeric ID of the SIEM rule the script will create or update in Pandora FMS
  Example: 200200
  Recommended: use a high number to avoid conflicts with native or previously created custom rules
Once all the required data is collected, you can proceed to run the plugin.
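A pre-flight check for the values collected above, as an added example that is not part of the plugin or of Pandora FMS. The function names are hypothetical, the argument order is assumed to follow the list above, and acl_allows models only the two ACL forms this page describes (comma-separated addresses and *).

```python
import ipaddress
from urllib.parse import urlparse

def check_params(api_url, token, misp_url, misp_key, rule_id):
    """Validate the five positional values; returns (errors, warnings)."""
    errors, warnings = [], []
    for name, url in (("API_URL", api_url), ("MISP_URL", misp_url)):
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            errors.append(f"{name}: not an absolute http(s) URL")
        elif parts.scheme == "http":
            # The token or auth key would cross the network unencrypted.
            warnings.append(f"{name}: plain http, credential sent in clear text")
    if not api_url.endswith("/api/v2"):
        errors.append("API_URL: must end with /api/v2")
    for name, secret in (("TOKEN", token), ("MISP_KEY", misp_key)):
        if not secret or any(c.isspace() for c in secret):
            errors.append(f"{name}: empty or contains whitespace")
    if not (rule_id.isascii() and rule_id.isdigit()):
        errors.append("RULE_ID: must be numeric")
    return errors, warnings

def acl_allows(ip_list, source_ip):
    """Model of the 'IP list with API access' field as the page describes it:
    comma-separated addresses, or * for any. Returns (allowed, reason)."""
    entries = [e.strip() for e in ip_list.split(",") if e.strip()]
    if "*" in entries:
        return True, "wildcard"
    src = ipaddress.ip_address(source_ip)
    for entry in entries:
        try:
            if ipaddress.ip_address(entry) == src:
                return True, entry
        except ValueError:
            continue  # skip anything that is not a plain address
    return False, "not listed"

if __name__ == "__main__":
    # Constructed sample values; the token and key are placeholders.
    errs, warns = check_params(
        "http://192.168.1.100/pandora_console/api/v2", "PLACEHOLDER_TOKEN",
        "https://misp.midominio.com", "PLACEHOLDER_MISP_KEY", "200200")
    print("errors:", errs, "warnings:", warns)
    print(acl_allows("127.0.0.1, 192.168.1.50", "192.168.1.50"))
```

A "wildcard" result from acl_allows means the ACL field is not restricting API callers by source address at all.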