A plugin to enable indicators to be submitted to CIFv3 in real-time

Threat Bus CIFv3 Plugin

A Threat Bus plugin to push indicators from Threat Bus to Collective Intelligence Framework v3.

The plugin uses the cifsdk (v3.x) Python client to submit indicators received from Threat Bus into a CIFv3 instance.

The plugin breaks with the pub/sub architecture of Threat Bus, because CIF does not subscribe itself to the bus. Instead, the plugin actively contacts a CIF endpoint.

Installation

pip install threatbus-cif3

Configuration

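Configure this plugin by adding a section to Threat Bus' config.yaml file, as follows. The sample values point at a plain-HTTP endpoint with ssl set to false, which matches the local development setup described below. The token field holds the CIF access token, so treat config.yaml as a secret-bearing file: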

...
plugins:
  cif3:
    api:
      host: http://cif.host.tld:5000
      ssl: false
      token: CIF_TOKEN
    group: everyone
    confidence: 7.5
    tlp: amber
    tags:
      - test
      - malicious
...
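A pre-deployment check for this config section, as an added example (not code from the plugin or from Threat Bus). It takes the `plugins.cif3` section as an already-loaded dict; the function name, the TLP names, the 0-10 confidence range and the rule that remote endpoints should use https with `ssl: true` are assumptions of this example.

```python
from urllib.parse import urlparse

# Assumptions (not from the plugin): CIFv3-style TLP names, 0-10 confidence scale.
TLP_LEVELS = {"white", "green", "amber", "red"}
PLACEHOLDER_TOKENS = {"", "CIF_TOKEN"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def lint_cif3_config(plugin_cfg):
    """Return a list of findings for the `plugins.cif3` config section (a dict)."""
    findings = []
    api = plugin_cfg.get("api") or {}
    url = urlparse(str(api.get("host", "")))
    is_local = url.hostname in LOCAL_HOSTS

    if url.scheme not in ("http", "https") or not url.hostname:
        findings.append("api.host: not a valid http(s) URL")
    elif url.scheme == "http" and not is_local:
        findings.append("api.host: token would be sent over plain HTTP to a remote host")
    if api.get("ssl") is not True and not is_local:
        findings.append("api.ssl: not set to true for a remote host")
    if str(api.get("token", "")).strip() in PLACEHOLDER_TOKENS:
        findings.append("api.token: missing or still the placeholder value")
    tlp = str(plugin_cfg.get("tlp", "")).lower()
    if tlp not in TLP_LEVELS:
        findings.append(f"tlp: unknown level {tlp!r}")
    conf = plugin_cfg.get("confidence")
    if isinstance(conf, bool) or not isinstance(conf, (int, float)) or not 0 <= conf <= 10:
        findings.append("confidence: expected a number between 0 and 10")
    tags = plugin_cfg.get("tags")
    if not isinstance(tags, list) or not all(isinstance(t, str) for t in tags):
        findings.append("tags: expected a list of strings")
    if not plugin_cfg.get("group"):
        findings.append("group: missing")
    return findings


# Constructed inputs: the sample section shown above, and a hardened variant of it.
README_SAMPLE = {
    "api": {"host": "http://cif.host.tld:5000", "ssl": False, "token": "CIF_TOKEN"},
    "group": "everyone", "confidence": 7.5, "tlp": "amber",
    "tags": ["test", "malicious"],
}
HARDENED = dict(README_SAMPLE, api={
    "host": "https://cif.host.tld", "ssl": True, "token": "constructed-example-token"})

if __name__ == "__main__":
    for name, cfg in (("readme sample", README_SAMPLE), ("hardened", HARDENED)):
        print(name, lint_cif3_config(cfg) or "ok")
```

The sample section yields three findings (plain HTTP, ssl not enabled, placeholder token); the same section pointed at localhost with a real token yields none.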

Development Setup

The following guides describe how to set up local, dockerized instances of CIF.

Dockerized CIFv3

Use dockerized CIFv3 to set up a local CIFv3 environment:

Set up a CIFv3 Docker container

git clone https://github.com/sfinlon/cif-docker.git
cd cif-docker
docker-compose build

Edit the docker-compose.yml

vim docker-compose.yml

Find the section cif in the configuration and edit the following as appropriate to bind port 5000 to your localhost:

cif:
    ...
    ports:
      - "5000:5000"
    ...

Start the container

docker-compose up -d
# Get an interactive shell in the container:
docker-compose exec cif /bin/bash
# Become the cif user:
su cif
# Check whether access tokens were successfully created. Copy the `admin`
# token to the CIF config section:
cif-tokens
# Ping the router to ensure connectivity:
cif --ping

License

Threat Bus comes with a 3-clause BSD license.

Download files

Source Distribution

threatbus-cif3-2022.5.16.tar.gz (5.3 kB)

Uploaded Source

Built Distribution

threatbus_cif3-2022.5.16-py3-none-any.whl (5.6 kB)

Uploaded Python 3
