@mmguero
Created April 12, 2024 13:34
sample Public STIX and MISP intel sources for testing Malcolm's Zeek Intelligence Framework integration

Zeek Intelligence Framework for Malcolm

  • /zeek/intel/MISP/.misp_input.txt
misp|https://www.circl.lu/doc/misp/feed-osint/manifest.json
misp|https://www.botvrij.eu/data/feed-osint/manifest.json
misp|https://osint.digitalside.it/Threat-Intel/digitalside-misp-feed/manifest.json
  • /zeek/intel/STIX/.stix_input.txt
taxii|2.0|https://cti-taxii.mitre.org/taxii/|*
taxii|2.0|https://limo.anomali.com/api/v1/taxii2/taxii/|CyberCrime|guest|guest
taxii|2.0|https://limo.anomali.com/api/v1/taxii2/taxii/|Abuse.ch Ransomware IPs|guest|guest
taxii|2.0|https://limo.anomali.com/api/v1/taxii2/taxii/|Abuse.ch Ransomware Domains|guest|guest
taxii|2.0|https://limo.anomali.com/api/v1/taxii2/taxii/|Malware Domain List - Hotlist|guest|guest
taxii|2.0|https://limo.anomali.com/api/v1/taxii2/taxii/|Emerging Threats C&C Server|guest|guest
taxii|2.0|https://limo.anomali.com/api/v1/taxii2/taxii/|Emerging Threats - Compromised|guest|guest
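A small parser for the two input-file formats listed above, added here as an example and not code from Malcolm or from this gist. The field meanings (and reading `*` as "every collection on the server") are this example's assumptions; it also flags what a reviewer would check before letting an automated puller consume a feed: non-https URLs and credentials sitting in plaintext in the file.

```python
"""Parser for Malcolm's Zeek intel feed input files (.misp_input.txt / .stix_input.txt).
Line shapes as they appear in the gist; field meanings are this example's reading:
  misp|<manifest-url>
  taxii|<version>|<server-url>|<collection>[|<username>|<password>]"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class Feed:
    kind: str                       # "misp" or "taxii"
    url: str
    version: Optional[str] = None   # TAXII protocol version, e.g. "2.0"
    collection: Optional[str] = None  # "*" assumed to mean all collections
    username: Optional[str] = None
    password: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def parse_feed_line(line: str) -> Optional[Feed]:
    """Parse one line into a Feed; blank lines return None."""
    line = line.strip()
    if not line:
        return None
    parts = line.split("|")
    if parts[0] == "misp" and len(parts) == 2:
        feed = Feed("misp", parts[1])
    elif parts[0] == "taxii" and len(parts) in (4, 6):
        feed = Feed("taxii", parts[2], version=parts[1], collection=parts[3])
        if len(parts) == 6:
            feed.username, feed.password = parts[4], parts[5]
    else:
        raise ValueError(f"unrecognised feed line: {line!r}")
    # Checks a defender wants before an automated puller starts consuming the feed.
    if urlparse(feed.url).scheme != "https":
        feed.warnings.append("feed URL is not https")
    if feed.password is not None:
        feed.warnings.append("credentials stored in plaintext in the input file")
    return feed


def parse_feed_file(text: str) -> List[Feed]:
    """Parse a whole file; a malformed line raises so misconfiguration is caught early."""
    return [f for f in map(parse_feed_line, text.splitlines()) if f is not None]


# Constructed sample mirroring three lines of the gist above.
SAMPLE = """misp|https://www.circl.lu/doc/misp/feed-osint/manifest.json
taxii|2.0|https://cti-taxii.mitre.org/taxii/|*
taxii|2.0|https://limo.anomali.com/api/v1/taxii2/taxii/|CyberCrime|guest|guest
"""
```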

mmguero commented Apr 12, 2024

An example of it working:

NOTE and WARNING: the URL used in this example is to a site hosting the PowerShell payload for an active C2, which is why I'm doing -o /dev/null on my curl command.

$ docker-compose exec -u $(id -u) zeek-live grep -P "boli.*::URL" /opt/zeek/share/zeek/site/intel/.threat_autogen.zeek | head -n 1 | awk '{print $1,$2}'
bolibachan.com/g.txt Intel::URL

$ curl -fsSL -o /dev/null bolibachan.com/g.txt

$ grep boli /home/user/Malcolm/zeek-logs/live/spool/logger/intel.log | head -n 1 | jq
{
  "ts": 1712928077.097249,
  "uid": "C3smWC2DupS3iZa8E4",
  "id.orig_h": "172.16.0.20",
  "id.orig_p": 59340,
  "id.resp_h": "95.217.119.176",
  "id.resp_p": 80,
  "seen.indicator": "bolibachan.com/g.txt",
  "seen.indicator_type": "Intel::URL",
  "seen.where": "HTTP::IN_URL",
  "seen.node": "worker-1-1",
  "matched": [
    "Intel::URL"
  ],
  "sources": [
    "CUDESO"
  ],
  "cif.tags": "Network activity,tlp:white,misp-galaxy:malpedia=\"Rhadamanthys\",misp-galaxy:stealer=\"Rhadamanthys\",misp-galaxy:threat-actor=\"TA547\",misp-galaxy:target-information=\"Germany\"",
  "cif.firstseen": "1712773766.0",
  "cif.lastseen": "1712773766.0"
}


mmguero commented Apr 12, 2024

[Screenshot 2024-04-12 at 07-47-02: Zeek Intelligence - Malcolm Dashboards]
