This repository has been archived by the owner on May 29, 2024. It is now read-only.

Threat Bus 2021.03.25

@0snap released this 25 Mar 09:13
7751e3f

We're happy to announce the monthly release 2021.03.25 of Threat Bus. All Tenzir-maintained app plugins, as well as pyvast-threatbus now support STIX-2 for indicators and sightings.

STIX-2 Adoption

Following up on our February release, pyvast-threatbus and all Tenzir-maintained Threat Bus plugins now support STIX-2. This change brings a very clear separation of concerns into the codebase. Threat Bus only accepts Indicators and Sightings in STIX-2 format, while all format conversion logic is handled within the application plugins. For example, the Zeek plugin implements the conversion from STIX-2 Indicators to Zeek events, and likewise converts Zeek events into STIX-2 Sightings. Threat Bus itself only implements the open STIX-2 standard and stays completely unaware of application specific formats and communication protocols.

Most app plugins and pyvast-threatbus implement the conversion logic on a best-effort basis, with the exception of the zmq-app plugin. Best-effort means that conversion between app-specific formats and STIX-2 can be lossy. The Zeek Intel Framework, for example, only supports point indicators, meaning that a single IoC consists of a single value such as a domain name or URL. Hence, the Threat Bus Zeek plugin can only convert STIX-2 Indicators to Zeek events if they consist of a single value, and discards other Indicators, such as compound patterns.
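As an added illustration of that best-effort, lossy conversion (example code, not the Threat Bus Zeek plugin's own), the following accepts only STIX-2 point indicators with an equality comparison, discards compound patterns, and builds a minimal STIX-2.1 Sighting for a Zeek hit. The object-path-to-Intel-type table, the custom context property name, and the sample indicators are constructed assumptions.

```python
import re
import uuid
from datetime import datetime, timezone

# Assumed STIX-2 object path -> Zeek Intel type table (constructed for this example).
STIX_TO_ZEEK_INTEL = {
    "ipv4-addr:value": "Intel::ADDR",
    "domain-name:value": "Intel::DOMAIN",
    "url:value": "Intel::URL",
    "file:hashes.'SHA-256'": "Intel::FILE_HASH",
}
# A point indicator is a pattern with exactly one equality comparison,
# e.g. "[domain-name:value = 'evil.example']"; anything else is discarded.
POINT_PATTERN = re.compile(r"^\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]$")

# Constructed sample indicators: one point indicator and one compound pattern.
POINT = {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern": "[domain-name:value = 'evil.example']"}
COMPOUND = dict(POINT, id="indicator--00000000-0000-4000-8000-000000000002",
                pattern="[domain-name:value = 'evil.example' AND ipv4-addr:value = '198.51.100.7']")
SEEN = datetime(2021, 3, 25, 9, 13, tzinfo=timezone.utc)  # constructed sighting time

def stix_indicator_to_zeek_intel(indicator: dict):
    """Best-effort conversion; returns None for non-point or unsupported indicators."""
    if indicator.get("type") != "indicator" or indicator.get("pattern_type", "stix") != "stix":
        return None
    match = POINT_PATTERN.match(indicator.get("pattern", ""))
    if match is None:
        return None  # compound (AND/OR/FOLLOWEDBY) or non-equality comparison
    path, value = match.groups()
    intel_type = STIX_TO_ZEEK_INTEL.get(path)
    if intel_type is None:
        return None  # object path the Zeek Intel framework has no type for
    return {"indicator": value, "intel_type": intel_type, "source": indicator.get("id", "")}

def zeek_sighting_to_stix(indicator_id: str, seen: datetime, context: dict) -> dict:
    """Build a minimal valid STIX-2.1 Sighting for a Zeek hit on indicator_id."""
    ts = seen.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "type": "sighting", "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created": ts, "modified": ts,
        "sighting_of_ref": indicator_id,
        "last_seen": ts, "count": 1,
        # custom property name is an assumption; Threat Bus defines its own
        "x_example_sighting_context": context,
    }
```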

We find that this is an acceptable trade-off. Subscribing apps are always limited to their own capabilities and formats, but with STIX-2 Threat Bus now supports a format that is more expressive than what most of the consuming apps can handle. We are excited about the new possibilities the project gains from the STIX-2 adoption, like seamless integration with other open security tools, such as OpenCTI. Keep an eye on the OpenCTI connectors repository, as we already have a Threat Bus integration on our roadmap!

Changelog Highlights

As always, you can find the full scoop in our changelogs for Threat Bus and pyvast-threatbus.

🎁 Features

  • The CIFv3 plugin now supports the STIX-2 (version 2.1) standard for Indicators. The plugin converts STIX-2 Indicators on a best-effort basis to CIFv3 indicators before forwarding them to the configured CIF endpoint. #106

  • The Zeek plugin now supports the STIX-2 (version 2.1) standard for Indicators and Sightings. The plugin converts STIX-2 Indicators on a best-effort basis to Zeek Intel items before forwarding them to Zeek. Likewise, the plugin converts Zeek sightings to valid STIX-2 Sightings before publishing them on Threat Bus topics. #103

  • The MISP plugin now supports the STIX-2 (version 2.1) standard for Indicators and Sightings. The plugin converts MISP attributes to valid STIX-2 Indicators on a best-effort basis before publishing them on Threat Bus topics. Likewise, the plugin converts STIX-2 Sightings to MISP sightings before sending them to MISP. #102

  • pyvast-threatbus now supports the STIX-2 (version 2.1) standard for Indicators and Sightings. The app converts STIX-2 Indicators on a best-effort basis to both VAST queries and VAST matcher IoCs to support both retro- and live-matching. Likewise, pyvast-threatbus converts VAST query results as well as VAST matcher sightings to valid STIX-2 Sightings before publishing them on Threat Bus topics. #105

🐞 Bugfixes

  • We fixed a bug in the routing logic for SnapshotRequests. Apps can now request snapshots as expected for all stix2-prefixed topics. #103