A simple ZMQ app to connect to Threat Bus and ingest indicators as Suricata rules via `suricatasc`
Project description
Suricata Threat Bus App
Threat Bus is a publish-subscribe broker for threat intelligence. It is expected that applications register themselves at the bus. Since Suricata can't do that on it's own (yet) this app works as a bridge application in the meantime.
It receives indicators from Threat Bus and picks up all those where the STIX-2
pattern_type equals "suricata". The suricata rules from those IoCs are then
forwarded to Suricata using a pre-configured rules file and then reloaded via
suricatasc.
Make sure to run this app on the same host as your Suricata installation.
Make also sure that this app (e.g., user running this app) has the correct
permissions to use the suricatasc command line utility and can read/write the
rules file.
Received rule updates are not applied instantaneously to minimize load on
Suricata. Instead, users must configure the reload_interval (seconds) in the
config file to enable periodic reloads for Suricata to pick up rule changes.
Quick Start
You can configure the app via a YAML configuration file. See
config.yaml.example for an example config file. Rename the example to
config.yaml before starting.
Alternatively, configure the app via environment variables, similarly to Threat
Bus, or pass a path to configuration file via -c /path/to/config.yaml.
Install suricata-threatbus in a virtualenv and start:
python -m venv venv
source venv/bin/activate
make dev-mode
suricata-threatbus
You first need to configure the rules_file option in the config file. See also
below for configuring your local Suricata installation to work with this app.
Suricata Preparation
This app maintains a file with Suricata rules. The app writes to it and Suricata
reads from it. You need to make this file known to your Suricata installation by
adding it to the rules configuration section in the suricata.yaml config file.
Suricata won't pick up rule changes if you skip this step.
Here is an example snippet to add to your Suricata config file:
/etc/suricata/suricata.yaml
--------------------------------------------------------------------------------
....
default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules
- threatbus.rules # !! managed by suricata-threatbus
....
In this example, we configure Suricata to read additional rules from a file
called threatbus.rules, located in the default rule path
/var/lib/suricata/rules.
You need to provide the path of your custom rule file to this app, so it can
modify the file contents when new indicators arrive. See also the rules_file
config option in the config.yaml.example file.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
| Filename, size | File type | Python version | Upload date | Hashes |
|---|---|---|---|---|
| Filename, size suricata_threatbus-2021.9.30-py3-none-any.whl (8.1 kB) | File type Wheel | Python version py3 | Upload date | Hashes View |
| Filename, size suricata-threatbus-2021.9.30.tar.gz (9.1 kB) | File type Source | Python version None | Upload date | Hashes View |
Hashes for suricata_threatbus-2021.9.30-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 9d0d010920d8eee908a2782dcb482df0b477883f28288996bf0a7bb84acada0a |
|
| MD5 | c6cd3219e6cdad1c8ee151ecb00d53e6 |
|
| BLAKE2-256 | 311ee2c23010ffc9299f6def70e31d28b2eb53c3474be98a5913d04e8825194a |
Hashes for suricata-threatbus-2021.9.30.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 985071b7377b53355032b7c566830c54a2f8ef32348aef5a5b0b49438e5f7482 |
|
| MD5 | db2dee331e5aae6e9d495878d4795bcf |
|
| BLAKE2-256 | 2fcd5540fc9ec3b3d6716a7f8e2c9f1d04c69996ae9a6103e001e8bb82c326f3 |