The missing link to connect open-source threat intelligence tools.
Project description
Threat Bus
The missing tool to interconnect open-source security applications.
Getting Started — Contributing Guidelines — Writing Plugins — License — Documentation
Chat with us on Matrix.
Key Features
-
Connect Open-Source Security Tools: Threat Bus is a pub-sub broker for threat intelligence data. With Threat Bus you can seamlessly integrate MISP intelligence with the Zeek intel framework or report sightings from IDS deployments to some data base.
-
Plugin-based Architecture: The project is plugin-based and can be extended easily. We welcome contributions to adopt new open source tools! So far, there exist plugins for VAST, MISP, Zeek, and CIFv3.
-
Snapshotting: The snapshot feature allows subscribers to directly request threat intelligence data for a certain time range from other applications. Threat Bus handles the point-to-point communication of all involved apps.
Getting Started
The config.yaml.example file provides a working configuration for Threat Bus
with all existing application plugins enabled together with the RabbitMQ
backbone.
The following example shows how to connect MISP, Zeek via Threat Bus. There are more integrations available, so make sure to check out all Threat Bus projects on PyPI.
Start Threat Bus
mv config.yaml.example config.yaml # rename example config file
venv/bin/threatbus -c config.yaml
Start Zeek as Threat Bus app
zeek -i <INTERFACE> -C ./apps/zeek/threatbus.zeek
Start Zeek and request a snapshot
zeek -i <INTERFACE> -C ./apps/zeek/threatbus.zeek -- "Tenzir::snapshot_intel=30 days"
Threat Bus also ships as pre-built Docker image and is available on Docker Hub.
Use the Threat Bus Docker container
docker run tenzir/threatbus:latest --help
Start Threat Bus container with a custom config file
docker run -p 47661:47661 -v $PWD/my-custom-config.yaml:/opt/tenzir/threatbus/my-custom-config.yaml tenzir/threatbus:latest -c my-custom-config.yaml
Installation
Install threatbus and all plugins that you require. Optionally, use a virtual
environment.
virtualenv venv # optional
source venv/bin/activate # optional
pip install threatbus
pip install threatbus-inmem
pip install threatbus-misp
pip install threatbus-zeek
pip install threatbus-rabbitmq
pip install threatbus-<plugin_name>
Testing
Use the Makefile to run unit and integration tests.
make unit-tests
make integration-tests
The integration tests require a local Zeek installation.
Plugin Development
Setup a virtual environment and install threatbus and some plugins with the
in development mode:
virtualenv venv
source venv/bin/activate
make dev-mode
Configuration & Extension
A plugin must define a setup.py. Whenever a plugin is installed, you have to
add a corresponding configuration section to threatbus' config.yaml. That
section has to be named after the name in the entrypoint declaration of the
plugin's setup.py file.
Please adhere to the plugin naming conventions
and always prefix your plugin name with threatbus-.
Plugins can either be apps or backbones. Application plugins (apps) add new
functionality to threatbus and allow communication to a
threat-intelligence-enabled app (e.g., Zeek or Suricata). Backbone plugins add a
new storage and distribution backend to threatbus (e.g., in-memory or Kafka).
Example:
- plugin folder structure:
plugins ├── apps | └── threatbus-zeek │ ├── setup.py | └── threatbus_zeek.py └── backbones └── threatbus-inmem ├── setup.py └── threatbus_inmem.py
setup.pyfrom setuptools import setup setup( name="threatbus-myapp", install_requires="threatbus", entry_points={"threatbus.app": ["myapp = threatbus_myapp"]}, py_modules=["threatbus_myapp"], )
config.yamlentry forthreatbus... plugins: apps: myapp: ...
Threat Bus API
Plugins specifications are available in threatbus/appspecs.py and
threatbus/backbonespecs.py, respectively. For any plugin, you should at least
implement the run function.
App plugins are provided two callback functions to use for subscription management. Internally, Threat Bus will propagate subscription requests to all installed backbone plugins.
The subscription callback allows applications to request an optinal snapshot
time delta. Threat Bus will forward snapshot requests to all those apps that
have implemented the snapshot feature (see threatbus/appspecs.py).
License
Threat Bus comes with a 3-clause BSD license.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file threatbus-2020.10.29.tar.gz.
File metadata
- Download URL: threatbus-2020.10.29.tar.gz
- Upload date:
- Size: 14.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.2.0 pkginfo/1.6.1 requests/2.24.0 setuptools/49.2.1 requests-toolbelt/0.9.1 tqdm/4.51.0 CPython/3.8.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1bc25c6c934cb82849fdaa579e82d275d63c3eb5197caa35eaee1c579bba8cf2
|
|
| MD5 |
857698d2b66d78270439238338534356
|
|
| BLAKE2b-256 |
0651563e9d416935d10a68bc7dbc4cdfc87812acfb76da4d061e276bf21ebce2
|
File details
Details for the file threatbus-2020.10.29-py3-none-any.whl.
File metadata
- Download URL: threatbus-2020.10.29-py3-none-any.whl
- Upload date:
- Size: 13.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.2.0 pkginfo/1.6.1 requests/2.24.0 setuptools/49.2.1 requests-toolbelt/0.9.1 tqdm/4.51.0 CPython/3.8.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
eb9e96082c5d89a224dc799718b5f4a8f42e0207f8052f4f56f6e8ab661618c5
|
|
| MD5 |
d0daa39211802037d714d0ebf3da3820
|
|
| BLAKE2b-256 |
e440fd660d5fe24cf0b35c4bcc051bc83a18f07651165c7ed43db5e13bc77dda
|
