Skip to main content

A plugin to connect apps via ZeroMQ.

Project description

Threat Bus App Plugin for ZMQ Protocol

PyPI Status Build Status License

A Threat Bus plugin that enables communication with any application that can communicate via [ZeroMQ].

Installation

pip install threatbus-zmq

Configuration

The plugin uses ZeroMQ to communicate with applications, like vast-threatbus. The plugin serves three ZeroMQ endpoints to connect with. One endpoint for managing subscriptions (and thus snapshot requests). The other two endpoints exist for pub-sub operations.

...
plugins:
  zmq:
    host: "127.0.0.1"
    manage: 13370
    pub: 13371
    sub: 13372
...

Initially, apps that want to connect with this plugin only need to know the manage endpoint. The plugin and the app negotiate all other internals for pub-sub message exchange at runtime. See the protocol definition below for details.

Management Protocol

Subscriptions and unsubscriptions are referred to as management. All management messages are JSON formatted and exchanged via the manage ZMQ endpoint that the plugin exposes.

The manage endpoint uses the ZeroMQ Request/Reply pattern for message exchange. That means, all messages get an immediate response from the server. With each JSON reply, the zmq Threat Bus plugin sends a status field that indicates the success of the requested operation.

Subscribe at the Plugin

To subscribe to Threat Bus via the zmq plugin, an app needs to send a JSON struct as follows to the manage endpoint of the plugin:

{
  "action": "subscribe",
  "topic": <TOPIC>,       # either 'threatbus/sighting' or 'threatbus/intel'
  "snapshot": <SNAPSHOT>  # number of days for a snapshot, 0 for no snapshot
}

In response, the app will either receive a success or error response.

  • Error response:

    {
      "status": "error"
    }
    
  • Success response:

    {
      "topic": <P2P_TOPIC>,
      "pub_port": 13371,
      "sub_port": 13372,
      "status": "success",
    }
    

    The pub_port and sub_port of the reply provide the port that an app should connect with to participate in the pub/sub message exchange. A connecting app can access these ports following the ZeroMQ Pub/Sub pattern. The plugin will publish messages on the pub_port and accept messages on the sub_port.

    The topic field of the response contains a unique topic for the client. That topic must be used to receive messages. The unique topic is a 32 characters wide random string and guarantees that other subscribers won't accidentally see traffic that should only be visible to the new client.

    For more details see below at Pub/Sub via ZeroMQ.

Unsubscribe from the Plugin

To unsubscribe, a connected app has to send a JSON struct to the manage endpoint of the plugin, as follows:

{
  "action": "unsubscribe",
  "topic": <P2P_TOPIC>       # the 32-characters random topic that the app got during subscription handshake
}

In response, the app will either receive a success or error response.

  • Error response:
    {
      "status": "error"
    }
    
  • Success response:
    {
      "status": "success"
    }
    

Heartbeats

The plugin supports synchronous heartbeats from subscribed apps. Both, Threat Bus and the connected apps benefit from heartbeats, they can mutually ensure that the connected party is still alive.

Subscribed apps can send heartbeat messages with the following JSON format to the manage endpoint of this plugin:

{
  "action": "heartbeat",
  "topic": <P2P_TOPIC>       # the 32-characters random topic that the app got during subscription handshake
}

As stated in the beginning of this section, the manage endpoint implements the ZeroMQ Request/Reply pattern. Threat Bus answers immediately to each heartbeat request with either a success or error response.

  • Error response:
    {
      "status": "error"
    }
    
  • Success response:
    {
      "status": "success"
    }
    

An error response indicates that either Threat Bus has internal errors or that it lost track of the app's subscription. Note: This only happens when Threat Bus is restarted. Apps can then use that information to re-subscribe.

If Threat Bus does not answer a heartbeat message, it is either down or not reachable (e.g., due to network issues). Plugins can use that information to try again later.

Pub/Sub via ZeroMQ

Once an app has subscribed to a certain Threat Bus topic using the manage endpoint of the zmq plugin, it gets a unique, random p2p_topic (see above). The p2p_topic differs from the subscribed Threat Bus topic. The zmq plugin uses only the p2p_topic to publish messages to subscribers. Messages are either STIX-2 Indicators and Sightings or are of the types specified in threatbus.data, i.e., SnapshotRequest, and SnapshotEnvelope.

ZeroMQ uses prefix matching for pub/sub connections. The zmq plugin leverages this feature to indicate the type of each sent message to the subscriber. Hence, an app can simply match the topic suffix to determine the message type.

For example, all STIX-2 Indicators will always be sent on the topic p2p_topic + "indicator", all messages of the type threatbus.data.SnapshotRequest on the topic p2p_topic + "snapshotrequest" and so forth.

Snapshots

Threat Bus' snapshot feature allows apps to request a snapshot during subscription. Threat Bus always forwards snapshot requests to all app plugins. The zmq plugin again forwards these SnapshotRequests to all connected apps. Apps, however, can decide if they want to implement this feature, i.e., whether they respond to SnapshotRequest messages or not.

SnapshotRequests are received like any other messages, via the p2p_topic. In case the app wants to provide this feature, it must handle message of this type (see above for an explanation of topic suffix matching).

Once the snapshot is handled, the app must use the SnapshotEnvelope message type to send back messages to the plugin.

License

Threat Bus comes with a 3-clause BSD license.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

threatbus-zmq-2021.8.26.tar.gz (11.4 kB view details)

Uploaded Source

Built Distribution

threatbus_zmq-2021.8.26-py3-none-any.whl (8.9 kB view details)

Uploaded Python 3

File details

Details for the file threatbus-zmq-2021.8.26.tar.gz.

File metadata

  • Download URL: threatbus-zmq-2021.8.26.tar.gz
  • Upload date:
  • Size: 11.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.7.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.2 CPython/3.8.11

File hashes

Hashes for threatbus-zmq-2021.8.26.tar.gz
Algorithm Hash digest
SHA256 4f28e4094dc7dbc674ea0f3b6d1cabb50d61cd3d6961a4d3d1c868ced7cc07a2
MD5 ee427361f909f42678f0fd84fc37f750
BLAKE2b-256 71e31946368cf81ac30dd899972b5aac4d42d1ee612ab3d6f2f77bdb02d4e3a1

See more details on using hashes here.

File details

Details for the file threatbus_zmq-2021.8.26-py3-none-any.whl.

File metadata

  • Download URL: threatbus_zmq-2021.8.26-py3-none-any.whl
  • Upload date:
  • Size: 8.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.7.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.2 CPython/3.8.11

File hashes

Hashes for threatbus_zmq-2021.8.26-py3-none-any.whl
Algorithm Hash digest
SHA256 116878e7f12eaed8cb9484aa51033bd9929dcab31d35d4c9fa2cbbed7dda461b
MD5 2b93d2e9f7bf5e86bb14f74fc2800dca
BLAKE2b-256 cb9e18b2939a24c4d0698ba5754b2ba3d3843a46740c90d17703851b4647b61f

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page