Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/dcso/tie-threatbus-bridge

tool to feed IoCs from DCSO TIE to Threat Bus
https://github.com/dcso/tie-threatbus-bridge

Last synced: 6 months ago
JSON representation

tool to feed IoCs from DCSO TIE to Threat Bus

Awesome Lists containing this project

README 

        
# TIE<->ThreatBus Bridge



This tool acts as a bridge between the TIE and

[Threat Bus](https://github.com/tenzir/threatbus) software components.

It can be used to regularly query the TIE API and publishes new IOCs to

ThreatBus. This is necessary since TIE does not have a push hook to use

for that purpose.



## Dependencies



We need libzmq for ZeroMQ communication to Threat Bus.



```

$ sudo apt install libzmq3-dev

```



## Building



```

$ go get github.com/DCSO/tie-threatbus-bridge

```



## Running

```

$ tie-threatbus-bridge -help

Usage of ./tie-threatbus-bridge:

  -config string

    	configuration file (default "config.yaml")

  -verbose

    	be verbose

```



Example:



```

$ tie-threatbus-bridge --config config.yaml

```



## Configuration



```yaml

# Collectors settings

# -------------------

collectors:

  tie:

    # Set to true to enable this collector

    enable: true

    # TIE API version. Currently: 1

    api-version: 1

    # Base URL for the DCSO TIE service

    baseurl: https://tie.dcso.de/api/v1/iocs

    # TIE token for the API

    token: 

    # Categories to select IoCs for

    categories:

      - c2-server

      - espionage

    # Indicator types to be selected from the TIE

    data-types:

      - DomainName

      - URLVerbatim

    # Time selection constraint

    since: 4h

    # Query name, e.g. "updated_at_since", "created_at_since", "first_seen_since"

    time-query-name: created_at_since

    # Severity range to search for. Both ends need to be specified

    # (range 0-6)

    severity:

      from: 1

      to: 5

    chunk-size: 100

    # Maximum limit for returned IoCs, which will be returned sorted by

    # data types, in the order specified in the "data-types" config field above

    # Set to 0 to disable limiting.

    limit:

      total: 1000



# Threat Bus ZeroMQ connection settings

# -------------------------------------

threatbus:

  host: 1.0.0.1

  port: 13372

  # legacy or stix2

  format: legacy



logfile: /var/log/tie-threatbus-bridge.log

```



## Operation



Trigger an update by sending `SIGUSR1` to the process:



```

$ kill -USR1 `pgrep tie-threatbus`

```

This is useful, for example, to trigger regular updates via a cron job.



## Ideas for improvement



 - Deduplication of repeating IOCs



## Contact



Sascha Steinbiss