Enable both live- and retro-matching by 0snap · Pull Request #95 · tenzir/threatbus · GitHub
This repository was archived by the owner on May 29, 2024. It is now read-only.

Enable both live- and retro-matching #95

Merged
0snap merged 4 commits into master from story/ch22432 on Feb 15, 2021

Conversation

0snap
Contributor
@0snap 0snap commented Feb 3, 2021

📔 Description

Allow the user to configure using both live-matching and retro-matching at the same time for one given IoC.

📝 Checklist

  • All user-facing changes have changelog entries.
  • The changes are reflected on docs.tenzir.com/threatbus, if necessary.
  • The PR description contains instructions for the reviewer, if necessary.

🎯 Review Instructions

You can test this interactively as follows:

  • Annotate a VAST schema with #ioc, e.g., the hostname field of Suricata logs
  • Start VAST-Pro
  • Start Threat Bus
  • Start pyvast-threatbus, changing the config so that both live_match and retro_match are set to true
  • Ingest Suricata data into VAST, manipulating a hostname
  • Inject IoCs into Threat Bus (either via a local MISP instance or by directly injecting into the backbone, e.g., RabbitMQ), using the same hostname you ingested via the logs. That should trigger two things:
    • a retro-match
    • the IoC is made known to the VAST matcher
  • Ingest the same manipulated log again
    • That should trigger a live-match

Note: I did the above on my machine and can confirm this works with an old version of VAST Pro (2020.08.28-263-ga7b5ed3b) on Arch Linux, using Python 3.8.6.

@0snap 0snap marked this pull request as ready for review February 3, 2021 11:26
@0snap 0snap requested review from mavam and tobim February 3, 2021 11:26
@0snap 0snap added the enhancement An improvement of existing code label Feb 3, 2021
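The review procedure in the PR description, replayed as an added example that is not part of this PR, of pyvast-threatbus or of VAST: a self-contained Python simulation in which an in-memory store stands in for VAST and its matcher, and a dispatcher applies the two config keys named in the PR (live_match, retro_match) to an incoming IoC. The store, the handle_ioc and run_scenario functions, and the sample Suricata-like records are all hypothetical and constructed here; the point is to show what each combination of the two flags does and does not catch.

```python
"""Simulated live- and retro-matching of one IoC against ingested logs.

Constructed example, not pyvast-threatbus or VAST code. 'retro_match'
queries events that were ingested before the IoC arrived; 'live_match'
registers the IoC with the matcher so that events ingested afterwards
are matched. Names (Store, handle_ioc, run_scenario) are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Store:
    """In-memory stand-in for a VAST instance with a matcher.

    `events` holds ingested log records; `matcher` holds IoC values that
    every newly ingested record is compared against.
    """
    events: list = field(default_factory=list)
    matcher: set = field(default_factory=set)

    def ingest(self, event: dict) -> list:
        """Store an event and return the live-matcher hits it produced."""
        self.events.append(event)
        return [(key, value) for key, value in event.items() if value in self.matcher]

    def retro_query(self, ioc: str) -> list:
        """Historical lookup: every stored event containing the IoC value."""
        return [event for event in self.events if ioc in event.values()]


def handle_ioc(store: Store, ioc: str, config: dict) -> dict:
    """Dispatch one IoC according to the app config.

    `config` mirrors the two config keys named in the PR. With both set to
    true the IoC is retro-queried *and* registered with the matcher; with
    only one set, only that path runs.
    """
    result = {"retro_hits": [], "registered": False}
    if config.get("retro_match", False):
        result["retro_hits"] = store.retro_query(ioc)
    if config.get("live_match", False):
        store.matcher.add(ioc)
        result["registered"] = True
    return result


# Constructed Suricata-like records; `hostname` is the field tagged #ioc.
SAMPLE_LOGS = [
    {"event_type": "http", "src_ip": "10.0.0.5", "hostname": "evil.example"},
    {"event_type": "http", "src_ip": "10.0.0.7", "hostname": "benign.example"},
]


def run_scenario(config: dict) -> dict:
    """Replay the PR's review steps and report what fired.

    1. ingest logs (matcher still empty, so no live hits)
    2. inject the IoC matching the manipulated hostname
    3. re-ingest the same log and see whether the matcher catches it
    """
    store = Store()
    for record in SAMPLE_LOGS:
        store.ingest(record)
    injected = handle_ioc(store, "evil.example", config)
    live_hits = store.ingest(SAMPLE_LOGS[0])
    return {
        "retro_hits": len(injected["retro_hits"]),
        "registered": injected["registered"],
        "live_hits": len(live_hits),
    }


if __name__ == "__main__":
    print("both:      ", run_scenario({"live_match": True, "retro_match": True}))
    print("live only: ", run_scenario({"live_match": True, "retro_match": False}))
    print("retro only:", run_scenario({"live_match": False, "retro_match": True}))
```

With both flags on, the injected IoC produces one retro hit (the log ingested before the IoC existed) and one live hit (the re-ingested log); live-only misses the historical record, and retro-only never registers the IoC so the re-ingested log goes unmatched. That gap is what enabling both modes for the same IoC closes.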
@mavam
Member
mavam commented Feb 7, 2021

@tobim or @lava, could I ask you to test this locally? Unfortunately I won't be able to get to it in the next couple of days.

@0snap 0snap requested a review from lava February 8, 2021 10:26
Member
@tobim tobim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested locally and verified the functionality.

@0snap 0snap merged commit c00b43f into master Feb 15, 2021
@0snap 0snap deleted the story/ch22432 branch February 15, 2021 14:20