https://github.com/criminalip/zabbix
Criminal IP is a comprehensive OSINT-based Cyber Threat Intelligence (CTI) search engine that can be used as an automated Attack Surface Management solution.
- Host: GitHub
- URL: https://github.com/criminalip/zabbix
- Owner: criminalip
- Created: 2023-04-12T02:30:52.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2023-04-12T06:32:33.000Z (about 2 years ago)
- Last Synced: 2024-11-17T01:28:48.600Z (7 months ago)
- Topics: criminalip, cyberthreatintelligence, malicious-ips, search-engine, zabbix
- Language: Python
- Homepage: https://www.criminalip.io
- Size: 10.7 KB
- Stars: 2
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-ip-search-engines - Criminal Ip Zabbix
README
# Criminalip Zabbix Template
## 1. About (Criminal IP integrated with Zabbix)
Criminal IP is a comprehensive OSINT-based Cyber Threat Intelligence (CTI) search engine that can be used as an automated Attack Surface Management solution. This template integrates Criminal IP with Zabbix monitoring so that security findings about your exposed public IP and its open ports show up as Zabbix items and triggers. Once a day it fetches the latest data and notifies you about the number of exposed CVEs, the number of honeypot detections, and more.
To retrieve data, you need a Criminal IP API key. You can register for a free account at https://www.criminalip.io/ and find your API key on the My Information page.
This template is built on the malicious IP info endpoint documented at https://www.criminalip.io/en/developer/api/get-ip-malicious-info.
Beyond the alerts, the same data gives you more detailed insight into the host when viewed in Criminal IP itself, and you can swap in other Criminal IP APIs if a different view fits your environment better.
For more information or customization, please refer to the Web Filter and API Development Guide below:
- Web Filter: https://www.criminalip.io/en/developer/filters-and-tags/filters
- API Development Guide: https://www.criminalip.io/en/developer/api/post-user-me

## 2. Zabbix Template Structure
### 1) Macros used

| Name | Description | Default | Type |
|---|---|---|---|
| {$CRIMINALIP_TARGET_PUBLIC_IP} | - | | Text macro |
### 2) Template links
There are no template links in this template.

### 3) Discovery rules
| Name | Type | Key | Additional info |
|---|---|---|---|
| LLD Current Opened Ports | Zabbix Agent, Zabbix Agent (Active) | lld.criminalip.ports | Update: 60s. Lists the open ports and vulnerability information of the target public IP. For more information, see the Asset Search page at https://www.criminalip.io/en/asset. |

Item prototypes

| Type | Key | Additional info |
|---|---|---|
| Zabbix Agent, Zabbix Agent (Active) | check.criminalip.port[{#SOCKEY_TYPE}, {#PORT}] | Update: 60s. One item per discovered socket type and port; its value is the vulnerability state of that open port. |

Trigger prototypes

| Expression | Additional info |
|---|---|
| last(/Template Security Criminalip/check.criminalip.port[{#SOCKEY_TYPE}, {#PORT}])>0 | A vulnerability is exposed on an open port of the target IP. For more information, see the Asset Search page at https://www.criminalip.io/en/asset. |
### 4) Items collected

| Name | Description | Type | Key | Additional info |
|---|---|---|---|---|
| Criminalip: Get Criminalip API | - | Zabbix Agent, Zabbix Agent (Active) | get.criminalip.api[{$CRIMINALIP_TARGET_PUBLIC_IP}] | Update: 1d. Fetches the get-ip-malicious-info response from https://api.criminalip.io and saves it to a local file (/tmp/criminalip_cache.txt). More details at https://www.criminalip.io/en/asset. |
| Criminalip: Sender Criminalip Malicious | - | Zabbix Agent, Zabbix Agent (Active) | sender.criminalip.malicious.count | Update: 1h. Reads the saved file criminalip_cache.txt and pushes the four counts below into their trapper items with zabbix_sender. |
| Criminalip: Vulnerabilities CVE stats | - | Zabbix trapper | criminalip.vulnerability.cve.count | Number of CVE vulnerabilities the server is exposed to. |
| Criminalip: Vulnerabilities Honeypot stats | - | Zabbix trapper | criminalip.vulnerability.honeypot.count | Number of honeypot detections (attacks attributed to the IP). |
| Criminalip: Vulnerabilities Snort stats | - | Zabbix trapper | criminalip.vulnerability.snort.count | Number of IDS (Snort, https://www.snort.org/) detections recorded for the IP. |
| Criminalip: Vulnerabilities Webcam stats | - | Zabbix trapper | criminalip.vulnerability.webcam.count | Number of webcam exposures. |

### 5) Triggers
| Severity | Name | Expression | Additional info |
|---|---|---|---|
| High | Criminalip: Vulnerability exposed in {$CRIMINALIP_TARGET_PUBLIC_IP} | last(/Template Security Criminalip/criminalip.vulnerability.cve.count)>0 | Fires when the number of CVE exposures is greater than 0. Details at https://www.criminalip.io |
| Average | Criminalip: {$CRIMINALIP_TARGET_PUBLIC_IP} has exposed the webcam externally. | last(/Template Security Criminalip/criminalip.vulnerability.webcam.count)>0 | Fires when the webcam exposure count is greater than 0. Details at https://www.criminalip.io |
| Warning | Criminalip: {$CRIMINALIP_TARGET_PUBLIC_IP} is detected by Honeypot as a threat. | last(/Template Security Criminalip/criminalip.vulnerability.honeypot.count)>0 | Fires when the honeypot detection count is greater than 0. Details at https://www.criminalip.io |
| Warning | Criminalip: {$CRIMINALIP_TARGET_PUBLIC_IP} is detected by Snort as a threat. | last(/Template Security Criminalip/criminalip.vulnerability.snort.count)>0 | Fires when the IDS (Snort) detection count is greater than 0. Details at https://www.criminalip.io |
### 6) Graph

| Graph name | Item name | Function |
|---|---|---|
| Criminalip: malicious info | Template Security Criminalip: Criminalip: Vulnerabilities Honeypot stats | all |
| | Template Security Criminalip: Criminalip: Vulnerabilities Snort stats | all |
| | Template Security Criminalip: Criminalip: Vulnerabilities CVE stats | all |
| | Template Security Criminalip: Criminalip: Vulnerabilities Webcam stats | all |

## 4. Zabbix Server Settings
Set ExternalScripts in the Zabbix server configuration. (The UserParameter entries in section 5 call the scripts by absolute path on the agent host, so this setting only matters for scripts the server itself executes; it is kept here so the same directory layout works on both sides.)
__vi /etc/zabbix/zabbix_server.conf :__
```
ExternalScripts=/usr/lib/zabbix/externalscripts
```
__Restart the Zabbix server.__
```
$ systemctl restart zabbix-server
```
## 5. Zabbix Agent Settings
__Mandatory installation__
- zabbix_sender must be installed on the agent host; the sender script uses it to feed the trapper items.

__Register the UserParameters__
Create and save the file /etc/zabbix/zabbix_agentd.d/criminalip.conf:
__vi /etc/zabbix/zabbix_agentd.d/criminalip.conf :__
```
UserParameter=get.criminalip.api[*],/usr/lib/zabbix/externalscripts/Get_criminalip_data.py $1
UserParameter=sender.criminalip.malicious.count,/usr/lib/zabbix/externalscripts/FileRead_count_criminalip.py
UserParameter=lld.criminalip.ports,/usr/lib/zabbix/externalscripts/FileRead_lld_criminalip.py
UserParameter=check.criminalip.port[*],/usr/lib/zabbix/externalscripts/Check_has_vulnerability.py $1 $2
```
Copy the following Python scripts (the UserParameter commands above) from this repository into the /usr/lib/zabbix/externalscripts/ directory:
__ls /usr/lib/zabbix/externalscripts/ :__
```
Get_criminalip_data.py
FileRead_count_criminalip.py
Check_has_vulnerability.py
FileRead_lld_criminalip.py
```
Give the Zabbix agent user ownership of the scripts:
```
$ chown -Rf zabbix:zabbix /usr/lib/zabbix/externalscripts/
```
Get_criminalip_data.py will contain your API key in plain text, so do not leave the scripts world-readable; restricting the directory and scripts to the zabbix user (for example mode 750 on the directory and 700 on the scripts) is enough.

Edit the file /usr/lib/zabbix/externalscripts/Get_criminalip_data.py
- ${CRIMINALIP_API_KEY}: the API key issued at https://www.criminalip.io/
__vi /usr/lib/zabbix/externalscripts/Get_criminalip_data.py :__
```
API_KEY = '${CRIMINALIP_API_KEY}'
```
Edit the file /usr/lib/zabbix/externalscripts/FileRead_count_criminalip.py
- ${ZABBIX_SERVER_IP}: the IP of the Zabbix server or proxy that receives the trapper values
- ${ZABBIX_SERVER_PORT}: the trapper port of that Zabbix server or proxy (10051 by default)
__vi /usr/lib/zabbix/externalscripts/FileRead_count_criminalip.py :__
```
ZABBIX_SERVER = '${ZABBIX_SERVER_IP}'
ZABBIX_PORT = '${ZABBIX_SERVER_PORT}'
```
Install the Python libraries the UserParameter scripts need, for the interpreter the zabbix user runs them with:
```
$ pip install requests
$ pip install py-zabbix
```
Restart the Zabbix agent:
```
$ systemctl restart zabbix-agent
```
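To show what the sender step above actually does on the wire, here is an added example (not the project's FileRead_count_criminalip.py) that reads a cache file in the shape the template writes, validates the four counters, and delivers them to the trapper items using the zabbix_sender protocol directly, so no py-zabbix dependency is needed. The host name passed in must be the Zabbix host that carries the template. The sample cache is constructed, 203.0.113.10 is a documentation address, and the mapping of `scanning_record_count` to the honeypot item is an assumption the README does not state.

```python
"""Push Criminal IP counters from the cache file to the four Zabbix trapper items.
Added example; not the project's FileRead_count_criminalip.py."""
import json
import socket
import struct
import sys
import time
from typing import Any, Dict, List, Optional

# Constructed sample with the fields of /tmp/criminalip_cache.txt (203.0.113.10 is a
# documentation address, not a real target).
SAMPLE_CACHE = """{"datetime": "2023-03-28T12:34:06.038880", "ip": "203.0.113.10",
 "ids_count": 2, "vulnerability_count": 39, "webcam_count": 0, "scanning_record_count": 5,
 "current_opened_port_value": []}"""

# Cache field -> trapper item key from the template. Feeding the honeypot item from
# scanning_record_count is an assumption; the README does not name the source field.
COUNTER_KEYS = {
    "vulnerability_count": "criminalip.vulnerability.cve.count",
    "ids_count": "criminalip.vulnerability.snort.count",
    "webcam_count": "criminalip.vulnerability.webcam.count",
    "scanning_record_count": "criminalip.vulnerability.honeypot.count",
}


def parse_cache(text: str) -> Dict[str, Any]:
    """Parse the cache and insist every counter is a non-negative int: the file lives
    in /tmp, so its contents are not trusted blindly."""
    data = json.loads(text)
    for field in COUNTER_KEYS:
        value = data.get(field)
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"bad counter {field!r}: {value!r}")
    return data


def build_metrics(cache: Dict[str, Any], host: str) -> List[Dict[str, Any]]:
    """One sender record per trapper item; `host` is the Zabbix host name."""
    return [{"host": host, "key": key, "value": cache[field]} for field, key in COUNTER_KEYS.items()]


def encode_request(metrics: List[Dict[str, Any]], clock: Optional[int] = None) -> bytes:
    """Frame a 'sender data' request: b'ZBXD' + flags 0x01 + 4-byte little-endian body
    length + 4 reserved bytes, then the JSON body."""
    body = json.dumps({"request": "sender data", "data": metrics,
                       "clock": int(time.time()) if clock is None else clock}).encode("utf-8")
    return b"ZBXD\x01" + struct.pack("<II", len(body), 0) + body


def decode_frame(raw: bytes) -> Dict[str, Any]:
    """Parse a frame (request or reply), rejecting malformed or truncated input."""
    if len(raw) < 13 or raw[:5] != b"ZBXD\x01":
        raise ValueError("not a Zabbix protocol frame")
    length, _reserved = struct.unpack("<II", raw[5:13])
    body = raw[13:13 + length]
    if len(body) != length:
        raise ValueError("truncated frame")
    return json.loads(body.decode("utf-8"))


def parse_info(info: str) -> Dict[str, int]:
    """'processed: 4; failed: 0; total: 4; seconds spent: 0.000045' -> the three counts."""
    counts: Dict[str, int] = {}
    for part in info.split(";"):
        name, _, value = part.strip().partition(":")
        if name in ("processed", "failed", "total"):
            counts[name] = int(value)
    return counts


def send_metrics(metrics: List[Dict[str, Any]], server: str, port: int = 10051,
                 timeout: float = 5.0) -> Dict[str, int]:
    """Deliver the records to the server/proxy; a partially rejected batch is an error."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(encode_request(metrics))
        raw = b""
        while True:  # the server closes the connection after its single reply
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    reply = decode_frame(raw)
    counts = parse_info(reply.get("info", ""))
    if reply.get("response") != "success" or counts.get("failed", 1) != 0:
        raise RuntimeError(f"zabbix sender rejected data: {reply}")
    return counts


if __name__ == "__main__":
    # usage: <cache file> <zabbix host name> <server or proxy ip> [port]
    path, host, server = sys.argv[1:4]
    port = int(sys.argv[4]) if len(sys.argv) > 4 else 10051
    with open(path, encoding="utf-8") as fh:
        cache = parse_cache(fh.read())
    print(send_metrics(build_metrics(cache, host), server, port))
```

Treating `failed > 0` as an error matters here: the server answers `success` even when some records were dropped (for example when the host name does not match), and a silently missing count would leave a trigger stuck at its old value.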
## 6. Test Process
__Run on the Zabbix server.__ Query the fetch item and check that the Criminal IP response has been stored in ***/tmp/criminalip_cache.txt*** on the agent host.
- ${ZABBIX_AGENT_IPADDRESS}: the IP of the host running the Zabbix agent, as reached from the Zabbix server (or proxy)
- ${CRIMINALIP_TARGET_PUBLIC_IP}: the public IP to check for threats (the value registered in the macro)
```
$ zabbix_get -s ${ZABBIX_AGENT_IPADDRESS} -k get.criminalip.api[${CRIMINALIP_TARGET_PUBLIC_IP}]
```
Data saved to file: /tmp/criminalip_cache.txt

__cat /tmp/criminalip_cache.txt :__
```
{
"datetime": "2023-03-28T12:34:06.038880",
"ip": "${CRIMINALIP_TARGET_PUBLIC_IP}",
"ids_count": 0,
"vulnerability_count": 39,
"webcam_count": 0,
"scanning_record_count": 0,
"current_opened_port_value":
[
{"socket_type": "tcp", "port": 22, "protocol": "ssh", "product_name": "openssh", "product_version": "7.4", "has_vulnerability": true, "confirmed_time": "2023-02-21 16:58:52"},
{"socket_type": "tcp", "port": 80, "protocol": "http", "product_name": "openssl", "product_version": "1.0.2k", "has_vulnerability": true, "confirmed_time": "2023-02-22 03:24:31"},
{"socket_type": "tcp", "port": 443, "protocol": "https", "product_name": "openssl", "product_version": "1.0.2k", "has_vulnerability": true, "confirmed_time": "2023-02-05 03:01:50"}
]
}
```
Next, check that discovery over the saved local file works correctly by querying the LLD key:
- ${ZABBIX_AGENT_IPADDRESS}: the IP of the host running the Zabbix agent, as reached from the Zabbix server (or proxy)
```
$ zabbix_get -s ${ZABBIX_AGENT_IPADDRESS} -k lld.criminalip.ports
```
The output should be one LLD row per open port in the cache:
```
{
"data":
[
{"{#SOCKEY_TYPE}": "tcp", "{#PROTOCOL}": "ssh", "{#PORT}": 22, "{#PRODUCT_NAME}": "openssh", "{#PRODUCT_VERSION}": "7.4", "{#HAS_VULNERABILITY}": true, "{#CONFIRMED_TIME}": "2023-02-21 16:58:52"},
{"{#SOCKEY_TYPE}": "tcp", "{#PROTOCOL}": "http", "{#PORT}": 80, "{#PRODUCT_NAME}": "openssl", "{#PRODUCT_VERSION}": "1.0.2k", "{#HAS_VULNERABILITY}": true, "{#CONFIRMED_TIME}": "2023-02-22 03:24:31"},
{"{#SOCKEY_TYPE}": "tcp", "{#PROTOCOL}": "https", "{#PORT}": 443, "{#PRODUCT_NAME}": "openssl", "{#PRODUCT_VERSION}": "1.0.2k", "{#HAS_VULNERABILITY}": true, "{#CONFIRMED_TIME}": "2023-02-05 03:01:50"}
]
}
```
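As an added example of the two port-level UserParameters (not the project's FileRead_lld_criminalip.py or Check_has_vulnerability.py), the script below derives the LLD document shown above from a cache of the same shape and answers `check.criminalip.port[<socket_type>, <port>]` with the 0/1 value the trigger prototype `last(...)>0` expects. It also refuses to report from a cache older than two days, a threshold chosen here because the fetch item runs once a day, and validates the two arguments before any lookup. The sample cache is constructed (203.0.113.10 is a documentation address, and the udp/123 entry is added to show a non-vulnerable port); the `MAX_CACHE_AGE_SECONDS` value is an assumption.

```python
"""Serve lld.criminalip.ports (LLD JSON) and check.criminalip.port[<socket_type>,<port>]
from the cache file. Added example; not the project's own scripts."""
import json
import sys
from datetime import datetime
from typing import Any, Dict, List, Tuple

CACHE_PATH = "/tmp/criminalip_cache.txt"   # path the template's fetch item writes to
MAX_CACHE_AGE_SECONDS = 2 * 86400          # assumption: daily fetch, tolerate one missed run

# Constructed sample in the shape of the README's cache file (203.0.113.10 is a
# documentation address); the udp/123 entry shows a port without a vulnerability flag.
SAMPLE_CACHE: Dict[str, Any] = {
    "datetime": "2023-03-28T12:34:06.038880",
    "ip": "203.0.113.10",
    "ids_count": 0, "vulnerability_count": 39, "webcam_count": 0, "scanning_record_count": 0,
    "current_opened_port_value": [
        {"socket_type": "tcp", "port": 22, "protocol": "ssh", "product_name": "openssh",
         "product_version": "7.4", "has_vulnerability": True, "confirmed_time": "2023-02-21 16:58:52"},
        {"socket_type": "tcp", "port": 443, "protocol": "https", "product_name": "openssl",
         "product_version": "1.0.2k", "has_vulnerability": True, "confirmed_time": "2023-02-05 03:01:50"},
        {"socket_type": "udp", "port": 123, "protocol": "ntp", "product_name": "",
         "product_version": "", "has_vulnerability": False, "confirmed_time": "2023-02-05 03:01:50"},
    ],
}

# cache field -> LLD macro, in the order the README's discovery output lists them
LLD_MACROS = [
    ("socket_type", "{#SOCKEY_TYPE}"), ("protocol", "{#PROTOCOL}"), ("port", "{#PORT}"),
    ("product_name", "{#PRODUCT_NAME}"), ("product_version", "{#PRODUCT_VERSION}"),
    ("has_vulnerability", "{#HAS_VULNERABILITY}"), ("confirmed_time", "{#CONFIRMED_TIME}"),
]


def cache_age_seconds(cache: Dict[str, Any], now_iso: str) -> float:
    """Age of the cache relative to an ISO-8601 timestamp (both naive local time)."""
    return (datetime.fromisoformat(now_iso) - datetime.fromisoformat(cache["datetime"])).total_seconds()


def lld_document(cache: Dict[str, Any]) -> Dict[str, List[Dict[str, Any]]]:
    """Build {"data": [...]} with one row per open port, as the LLD rule expects."""
    rows = [{macro: entry.get(field) for field, macro in LLD_MACROS}
            for entry in cache.get("current_opened_port_value", [])]
    return {"data": rows}


def port_is_vulnerable(cache: Dict[str, Any], socket_type: str, port: int) -> int:
    """1 if the cached entry for (socket_type, port) is flagged, else 0. A port that is
    no longer listed yields 0, so its trigger clears instead of staying stuck."""
    for entry in cache.get("current_opened_port_value", []):
        if entry.get("socket_type") == socket_type and entry.get("port") == port:
            return 1 if entry.get("has_vulnerability") is True else 0
    return 0


def parse_port_args(socket_type: str, port_text: str) -> Tuple[str, int]:
    """Validate the two UserParameter arguments before they reach any lookup."""
    if socket_type not in ("tcp", "udp"):
        raise ValueError(f"unknown socket type {socket_type!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return socket_type, port


def load_cache(path: str = CACHE_PATH, max_age: float = MAX_CACHE_AGE_SECONDS) -> Dict[str, Any]:
    with open(path, encoding="utf-8") as fh:
        cache = json.load(fh)
    age = cache_age_seconds(cache, datetime.now().isoformat())
    if age > max_age:
        raise RuntimeError(f"cache is {age:.0f}s old; refusing to report stale data")
    return cache


if __name__ == "__main__":
    # no arguments -> LLD JSON; two arguments -> 0/1 for that socket type and port
    try:
        cache = load_cache()
        if len(sys.argv) == 1:
            print(json.dumps(lld_document(cache)))
        else:
            sock_type, port = parse_port_args(sys.argv[1], sys.argv[2])
            print(port_is_vulnerable(cache, sock_type, port))
    except Exception as exc:  # any failure: report on stderr and exit non-zero
        print(f"criminalip: {exc}", file=sys.stderr)
        sys.exit(1)
```

Exiting non-zero on a missing or stale cache, rather than printing 0, keeps the agent from handing Zabbix a value that looks like "no vulnerability" when the real state is "no data".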