This repository has been archived by the owner on May 29, 2024. It is now read-only.

Threat Bus 2020.10.29

@0snap 0snap released this 29 Oct 09:43
d27d756

We're happy to announce the monthly release 2020.10.29 of Threat Bus.

ZeroMQ Apps

Threat Bus got a new application plugin! The plugin offers a generic ZeroMQ interface to connect with Threat Bus. While most existing plugins are very application-specific, like the MISP or Zeek plugin, the new zmq-app plugin is way more generic: it exposes a simple ZeroMQ interface and protocol that apps can implement, independent of their application-specific communication protocol. The new plugin also replaces the previous VAST plugin.

Our VAST bridge now connects via the new zmq-app plugin and implements the new protocol. Learn how to connect via this plugin on our documentation page and check out the VAST bridge to see a working example.

MISP Plugin Enhancements

The MISP plugin now supports a whitelist-filtering mechanism. Users can specify required properties of IoCs (MISP attributes) in the configuration file. The filter applies to IoCs that are exported from MISP (either via ZeroMQ or Kafka) as well as IoCs that are requested as part of a snapshot. Learn more about the filtering feature in the MISP plugin documentation.

The MISP plugin now also supports starting Threat Bus without a valid PyMISP API connection. If the connection is omitted in the configuration, the plugin can still receive indicators via ZeroMQ or Kafka, but it cannot report back sightings or request snapshots.
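As an added illustration of the whitelist idea described above (example code, not the Threat Bus MISP plugin's own implementation): the config shape, the `tags` convention and the sample attributes below are assumptions, and the filter fails closed when a required property is missing.

```python
from typing import Any, Dict, List, Set

# Constructed example config: required properties a MISP attribute must have
# to pass the whitelist. A list value means "any of these values"; the special
# key "tags" lists tag names that must ALL be attached to the attribute.
# (This shape is an assumption for illustration, not the plugin's real schema.)
WHITELIST: Dict[str, Any] = {
    "type": ["ip-dst", "domain"],
    "to_ids": True,
}

# Constructed sample attributes in the shape PyMISP returns them
# (documentation-range IPs, a reserved test domain, a placeholder hash).
SAMPLE_ATTRIBUTES: List[Dict[str, Any]] = [
    {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True,
     "Tag": [{"name": "tlp:amber"}]},
    {"type": "ip-dst", "value": "203.0.113.11", "to_ids": False,
     "Tag": [{"name": "tlp:amber"}]},
    {"type": "domain", "value": "example.test", "to_ids": True, "Tag": []},
    {"type": "md5", "value": "<constructed-md5-placeholder>", "to_ids": True,
     "Tag": []},
]


def attribute_tags(attribute: Dict[str, Any]) -> Set[str]:
    """Collect tag names attached to a MISP attribute (no "Tag" key -> empty)."""
    return {t.get("name") for t in attribute.get("Tag", [])}


def matches(attribute: Dict[str, Any], required: Dict[str, Any]) -> bool:
    """True only if the attribute satisfies every required property."""
    for key, wanted in required.items():
        if key == "tags":
            if not set(wanted).issubset(attribute_tags(attribute)):
                return False
            continue
        if key not in attribute:
            return False  # required property absent: fail closed
        allowed = wanted if isinstance(wanted, list) else [wanted]
        if attribute[key] not in allowed:
            return False
    return True


def filter_attributes(attributes: List[Dict[str, Any]],
                      required: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Keep only whitelisted attributes; the same check can be applied to IoCs
    arriving via ZeroMQ/Kafka and to those fetched as part of a snapshot."""
    return [a for a in attributes if matches(a, required)]
```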

Changelog Highlights

Starting with this release, you can find the full technical scoop of what changed in our changelog.

🎁 Features

  • The MISP plugin now works without a valid PyMISP API connection. If omitted in the configuration, the plugin can still receive indicators via ZeroMQ or Kafka, but it cannot report back sightings or request snapshots. #55
  • The MISP plugin now supports a whitelist-filtering mechanism. Users can specify required properties of IoCs (MISP attributes) in the configuration file. The filter is implemented for IoCs that are received via ZeroMQ or Kafka as well as IoCs that are requested as part of a snapshot. #49
  • The generic Threat Bus ZeroMQ application plugin has replaced the former VAST plugin. Any app that communicates via ZeroMQ can implement this plugin's protocol to connect with Threat Bus effortlessly. #46