Skip to main content

A simple ZMQ app to connect to Threat Bus and ingest indicators as Suricata rules via `suricatasc`

Project description

Suricata Threat Bus App

Threat Bus is a publish-subscribe broker for threat intelligence. It is expected that applications register themselves at the bus. Since Suricata can't do that on it's own (yet) this app works as a bridge application in the meantime.

It receives indicators from Threat Bus and picks up all those where the STIX-2 pattern_type equals "suricata". The suricata rules from those IoCs are then forwarded to Suricata using a pre-configured rules file and then reloaded via suricatasc.

Make sure to run this app on the same host as your Suricata installation. Make also sure that this app (e.g., user running this app) has the correct permissions to use the suricatasc command line utility and can read/write the rules file.

Received rule updates are not applied instantaneously to minimize load on Suricata. Instead, users must configure the reload_interval (seconds) in the config file to enable periodic reloads for Suricata to pick up rule changes.

Quick Start

You can configure the app via a YAML configuration file. See config.yaml.example for an example config file. Rename the example to config.yaml before starting.

Alternatively, configure the app via environment variables, similarly to Threat Bus, or pass a path to configuration file via -c /path/to/config.yaml.

Install suricata-threatbus in a virtualenv and start:

python -m venv venv
source venv/bin/activate
make dev-mode
suricata-threatbus

You first need to configure the rules_file option in the config file. See also below for configuring your local Suricata installation to work with this app.

Suricata Preparation

This app maintains a file with Suricata rules. The app writes to it and Suricata reads from it. You need to make this file known to your Suricata installation by adding it to the rules configuration section in the suricata.yaml config file. Suricata won't pick up rule changes if you skip this step.

Here is an example snippet to add to your Suricata config file:

/etc/suricata/suricata.yaml
--------------------------------------------------------------------------------

....

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules
  - threatbus.rules         # !! managed by suricata-threatbus

....

In this example, we configure Suricata to read additional rules from a file called threatbus.rules, located in the default rule path /var/lib/suricata/rules.

You need to provide the path of your custom rule file to this app, so it can modify the file contents when new indicators arrive. See also the rules_file config option in the config.yaml.example file.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

suricata-threatbus-2021.7.29.tar.gz (9.2 kB view details)

Uploaded Source

Built Distribution

suricata_threatbus-2021.7.29-py3-none-any.whl (8.2 kB view details)

Uploaded Python 3

File details

Details for the file suricata-threatbus-2021.7.29.tar.gz.

File metadata

  • Download URL: suricata-threatbus-2021.7.29.tar.gz
  • Upload date:
  • Size: 9.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.6.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.61.2 CPython/3.8.11

File hashes

Hashes for suricata-threatbus-2021.7.29.tar.gz
Algorithm Hash digest
SHA256 80abfa225352738af68fdabd1a36060bb8b3b5abdd4b8d269bfc0806271d0673
MD5 4e7adce359b9a07b08085d951be0a550
BLAKE2b-256 c73cb748cd62b25c23ddd3e92403030a3c3308aa356ab9cccf09adab64a9b51f

See more details on using hashes here.

File details

Details for the file suricata_threatbus-2021.7.29-py3-none-any.whl.

File metadata

  • Download URL: suricata_threatbus-2021.7.29-py3-none-any.whl
  • Upload date:
  • Size: 8.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.6.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.61.2 CPython/3.8.11

File hashes

Hashes for suricata_threatbus-2021.7.29-py3-none-any.whl
Algorithm Hash digest
SHA256 be5aa4701d1c5e085ca4a93fc90da57494de99b8a405fd727e00cfb81d70be32
MD5 bda2221a45c450e06da19118713ea0a0
BLAKE2b-256 7fbcd964251a067a90107ce829d1304dd0f2fc30b2a5b92f328727f06a5bd354

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page