8000 GitHub - tenzir/threatbus at 2020.11.30
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
This repository was archived by the owner on May 29, 2024. It is now read-only.
/ threatbus Public archive

🚌 Threat Bus – A threat intelligence dissemination layer for open-source security tools.

docs.tenzir.com/threatbus

License

BSD-3-Clause license
261 stars 16 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

tenzir/threatbus

BranchesTags

Repository files navigation

Threat Bus

The missing tool to interconnect open-source security applications.

PyPI Status Build Status Total alerts Language grade: Python Development Status Latest Release Chat License

Getting Started β€” Contributing Guidelines β€” Writing Plugins β€” License β€” Documentation

Chat with us on Matrix.

Key Features

  • Connect Open-Source Security Tools: Threat Bus is a pub-sub broker for threat intelligence data. With Threat Bus you can seamlessly integrate MISP intelligence with the Zeek intel framework or report sightings from IDS deployments to some data base.

  • Plugin-based Architecture: The project is plugin-based and can be extended easily. We welcome contributions to adopt new open source tools! So far, there exist plugins for VAST, MISP, Zeek, and CIFv3.

  • Snapshotting: The snapshot feature allows subscribers to directly request threat intelligence data for a certain time range from other applications. Threat Bus handles the point-to-point communication of all involved apps.

Getting Started

The config.yaml.example file provides a working configuration for Threat Bus with all existing application plugins enabled together with the RabbitMQ backbone.

The following example shows how to connect MISP, Zeek via Threat Bus. There are more integrations available, so make sure to check out all Threat Bus projects on PyPI.

Start Threat Bus

mv config.yaml.example config.yaml   # rename example config file
venv/bin/threatbus -c config.yaml

Start Zeek as Threat Bus app

zeek -i <INTERFACE> -C ./apps/zeek/threatbus.zeek

Start Zeek and request a snapshot

zeek -i <INTERFACE> -C ./apps/zeek/threatbus.zeek -- "Tenzir::snapshot_intel=30 days"

Threat Bus also ships as pre-built Docker image and is available on Docker Hub.

Use the Threat Bus Docker container

docker run tenzir/threatbus:latest --help

Start Threat Bus container with a custom config file

docker run -p 47661:47661 -v $PWD/my-custom-config.yaml:/opt/tenzir/threatbus/my-custom-config.yaml tenzir/threatbus:latest -c my-custom-config.yaml

Installation

Install threatbus and all plugins that you require. Optionally, use a virtual environment.

virtualenv venv           # optional
source venv/bin/activate  # optional
pip install threatbus
pip install threatbus-inmem
pip install threatbus-misp
pip install threatbus-zeek
pip install threatbus-rabbitmq
pip install threatbus-<plugin_name>

Testing

Use the Makefile to run unit and integration tests.

make unit-tests
make integration-tests

The integration tests require a local Zeek installation.

Plugin Development

Setup a virtual environment and install threatbus and some plugins with the in development mode:

virtualenv venv
source venv/bin/activate
make dev-mode

Configuration & Extension

A plugin must define a setup.py. Whenever a plugin is installed, you have to add a corresponding configuration section to threatbus' config.yaml. That section has to be named after the name in the entrypoint declaration of the plugin's setup.py file.

Please adhere to the plugin naming conventions and always prefix your plugin name with threatbus-.

Plugins can either be apps or backbones. Application plugins (apps) add new functionality to threatbus and allow communication to a threat-intelligence-enabled app (e.g., Zeek or Suricata). Backbone plugins add a new storage and distribution backend to threatbus (e.g., in-memory or Kafka).

Example:

  • plugin folder structure: 
    plugins
β”œβ”€β”€ apps
|   └── threatbus-zeek
β”‚       β”œβ”€β”€ setup.py
|       └── threatbus_zeek.py
└── backbones
    └── threatbus-inmem
        β”œβ”€β”€ setup.py
        └── threatbus_inmem.py
  • setup.py 
    from setuptools import setup
setup(
  name="threatbus-myapp",
  install_requires="threatbus",
  entry_points={"threatbus.app": ["myapp = threatbus_myapp"]},
  py_modules=["threatbus_myapp"],
)
  • config.yaml entry for threatbus 
    ...
plugins:
  apps:
    myapp:
    ...

Threat Bus API

Plugins specifications are available in threatbus/appspecs.py and threatbus/backbonespecs.py, respectively. For any plugin, you should at least implement the run function.

App plugins are provided two callback functions to use for subscription management. Internally, Threat Bus will propagate subscription requests to all installed backbone plugins.

The subscription callback allows applications to request an optinal snapshot time delta. Threat Bus will forward snapshot requests to all those apps that have implemented the snapshot feature (see threatbus/appspecs.py).

License

Threat Bus comes with a 3-clause BSD license.

About

🚌 Threat Bus – A threat intelligence dissemination layer for open-source security tools.

docs.tenzir.com/threatbus

Topics

ids threat-hunting cif misp threatintel sightings zeek threat-intelligence opencti threat-bus cif3 opencti-connector threat-intelligence-data

Resources

Readme

License

BSD-3-Clause license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

261 stars

Watchers

25 watching

Forks

16 forks
Report repository

Releases 27

Threat Bus 2022.05.16 Latest
May 16, 2022
+ 26 releases

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

No packages published

Contributors 9

Languages
0