This repository has been archived by the owner on May 29, 2024. It is now read-only.
We’re happy to announce our release 2021.06.24 of Threat Bus.
One important update concerns our community. We finally consolidated our Gitter chats into a Slack Community. Join us in the #threatbus channel for vibrant discussions.
Suricata Integration
A new month, a new Threat Bus app! We have implemented initial support to connect Suricata to Threat Bus. The main use case for the popular network monitor and IDS is rule-based alerting. Luckily, Suricata rules are valid pattern types in STIX-2.1 indicators and hence Threat Bus can already transport them.
The new Suricata app works similarly to pyvast-threatbus and stix-shifter-threatbus in that it communicates via ZeroMQ. It subscribes to the STIX-2 indicator stream in Threat Bus and picks up all indicator domain objects whose STIX-2 pattern type equals suricata. The Suricata rules in those indicators are then forwarded to Suricata using a configurable rules file, which the app periodically reloads via UNIX domain sockets using suricatasc.
Suricata only supports hot reloading of rules through a file, which is why suricata-threatbus maintains its own rules file. It would be nice if there was a path to push rules directly into Suricata, without the need to go through files. There are also other types of security content that users can configure in Suricata, for example IP reputation lists (likewise file-based) and Datasets. Our Suricata app will leverage these structures in the future and synchronize them with generic STIX indicators. Datasets in particular hold promise as a generic carrier for tactical TI. If you are interested in the matter, please also read this post in the Suricata forum and check the linked issues for updates.
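As an added illustration (not code from suricata-threatbus or Threat Bus), this is how the indicator filtering and rules-file handling described above can look in Python: only indicators with pattern_type "suricata" are kept, revoked or sid-less rules are dropped, duplicate sids resolve to the highest rev, and the file is rewritten atomically before the reload. The sample indicators are constructed, and the rules file path and the suricatasc reload invocation are assumptions.

```python
"""Pick Suricata rules out of a STIX-2.1 indicator stream and maintain a rules file."""
import os
import re
import subprocess
import tempfile

# sid/rev options inside a Suricata rule, e.g. "sid:1000001; rev:2;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

def suricata_rules(indicators):
    """Return {sid: rule} for the Suricata rules carried by STIX-2 indicators.

    Only objects of type "indicator" whose pattern_type is "suricata" qualify;
    revoked and malformed (no sid, multi-line) rules are dropped, and when a
    sid occurs more than once the highest rev wins.
    """
    best = {}
    for obj in indicators:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "suricata":
            continue  # indicators in other pattern languages are not for Suricata
        rule = obj.get("pattern", "").strip()
        sid_m = SID_RE.search(rule)
        if obj.get("revoked") or not sid_m or "\n" in rule:
            continue
        rev_m = REV_RE.search(rule)
        rev = int(rev_m.group(1)) if rev_m else 0
        sid = int(sid_m.group(1))
        if sid not in best or rev > best[sid][0]:
            best[sid] = (rev, rule)
    return {sid: rule for sid, (_, rule) in best.items()}

def write_rules_file(rules, path):
    """Atomically rewrite the rules file, one rule per line, ordered by sid."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write("".join(rules[sid] + "\n" for sid in sorted(rules)))
    os.replace(tmp, path)  # readers never see a half-written file

def reload_rules():
    """Ask the running Suricata to re-read its rule files over the command socket (assumed CLI)."""
    subprocess.run(["suricatasc", "-c", "reload-rules"], check=True)

# Constructed sample indicator stream (not real intelligence).
SAMPLE = [
    {"type": "indicator", "pattern_type": "suricata", "pattern": 'alert dns any any -> any any (msg:"tb test"; dns.query; content:"example.invalid"; sid:1000001; rev:1;)'},
    {"type": "indicator", "pattern_type": "suricata", "pattern": 'alert dns any any -> any any (msg:"tb test"; dns.query; content:"example.invalid"; nocase; sid:1000001; rev:2;)'},
    {"type": "indicator", "pattern_type": "stix", "pattern": "[domain-name:value = 'example.invalid']"},
    {"type": "indicator", "pattern_type": "suricata", "revoked": True, "pattern": 'alert ip any any -> any any (msg:"revoked"; sid:1000002; rev:1;)'},
]
```

A full cycle is write_rules_file(suricata_rules(SAMPLE), "/assumed/path/threatbus.rules") followed by reload_rules(); the path must match a rule-files entry in suricata.yaml for the reload to pick it up.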
With suricata-threatbus, Suricata users can now finally benefit from the rich integration ecosystem Threat Bus has to offer. For example, with a STIX-based threat intelligence platform like OpenCTI, you can now also manage Suricata rules along with your security content, and, thanks to our OpenCTI Threat Bus integration, updates to those Suricata rules are immediately published on the bus, which in turn live-updates all your Suricata instances. With our all-new Suricata app, users can now seamlessly integrate intelligence from OpenCTI or MISP with Suricata. Stay tuned for future updates and integrations!
Sightings Backchannel for STIX-Shifter
With last month’s release we have published stix-shifter-threatbus. The Threat Bus app leverages STIX-Shifter to transform STIX-2 indicators from Threat Bus into native queries for a huge set of commercial security tools and SIEMs. Now stix-shifter-threatbus just got a little better and is finally able to report back query results in the form of STIX-2 sightings. Sightings are forwarded to Threat Bus via ZeroMQ and subscribers receive them via their usual topic subscriptions on stix2/sighting.
Users can now fully integrate their Splunk, IBM QRadar, Elasticsearch SIEM, and many more tools with Threat Bus. For example, you can easily maintain your intelligence with OpenCTI, forward updates to your SIEM in near real time and get query results (sightings) reported back in, again, near real time. We’re excited to fuel integration of awesome tools with Threat Bus!
Smaller Things
We have dockerized pyvast-threatbus and stix-shifter-threatbus. Both projects are available on Docker Hub.
pyvast-threatbus now collects metrics about received indicators that are about to be matched retrospectively against VAST. The new metric is called retro_match_backlog and allows users to determine if a backlog is building up.
The Threat Bus Docker base image has moved to debian:bullseye for improved Zeek/Broker support.
Changelog Highlights
As always, you can find the full scoop in our various changelogs for Threat Bus and all Tenzir-maintained apps: pyvast-threatbus, stix-shifter-threatbus, and suricata-threatbus. Please also check out our OpenCTI connector over in the official OpenCTI repository.
This discussion was created from the release Threat Bus 2021.06.24.