This tool acts as a bridge between the TIE and Threat Bus software components. It can be used to regularly query the TIE API and publishes new IOCs to ThreatBus. This is necessary since TIE does not have a push hook to use for that purpose.
We need libzmq for ZeroMQ communication to Threat Bus.
$ sudo apt install libzmq3-dev
$ go get github.com/DCSO/tie-threatbus-bridge
$ tie-threatbus-bridge -help
Usage of ./tie-threatbus-bridge:
-config string
configuration file (default "config.yaml")
-verbose
be verbose
Example:
$ tie-threatbus-bridge --config config.yaml
# Collectors settings
# -------------------
collectors:
tie:
# Set to true to enable this collector
enable: true
# TIE API version. Currently: 1
api-version: 1
# Base URL for the DCSO TIE service
baseurl: https://tie.dcso.de/api/v1/iocs
# TIE token for the API
token: <redacted>
# Categories to select IoCs for
categories:
- c2-server
- espionage
# Indicator types to be selected from the TIE
data-types:
- DomainName
- URLVerbatim
# Time selection constraint
since: 4h
# Query name, e.g. "updated_at_since", "created_at_since", "first_seen_since"
time-query-name: created_at_since
# Severity range to search for. Both ends need to be specified
# (range 0-6)
severity:
from: 1
to: 5
chunk-size: 100
# Maximum limit for returned IoCs, which will be returned sorted by
# data types, in the order specified in the "data-types" config field above
# Set to 0 to disable limiting.
limit:
total: 1000
# Threat Bus ZeroMQ connection settings
# -------------------------------------
threatbus:
host: 1.0.0.1
port: 13372
# legacy or stix2
format: legacy
logfile: /var/log/tie-threatbus-bridge.logTrigger an update by sending SIGUSR1 to the process:
$ kill -USR1 `pgrep tie-threatbus`
This is useful, for example, to trigger regular updates via a cron job.
- Deduplication of repeating IOCs
Sascha Steinbiss