
crits-adapter's Introduction

About the Soltra Edge CRITs adapter

Intent

  • Enable the use of Soltra Edge as a transport mechanism for threat intelligence data between distributed CRITs instances. This is done by bidirectional translation between CRITs JSON and STIX/CybOX, and bidirectional synchronization between CRITs (via its REST API) and Soltra Edge (via TAXII).

Capabilities

  • CRITs to Soltra Edge: translation of emails, IP addresses, samples, domains, and indicators.
  • Soltra Edge to CRITs: translation of selected CybOX Observable objects (Domain Name, File, Address, Email Message) and STIX Indicator objects.

Constraints

  • CRITs samples: while the CRITs API allows retrieval (GET) of all available sample metadata, inserting (POST) a sample through the CRITs API is currently limited to a file name and an MD5 hash, so other sample metadata is lost in the Edge to CRITs direction. There is an open GitHub issue for this.

  • CRITs releasability flag: while the CRITs API allows retrieval (GET) to be filtered on a releasability flag, inserting (POST) data through the CRITs API currently does not support setting a releasability flag. There is an open GitHub issue for this.

  • STIX indicator objects: by last count there are at least 12 different ways to express context between two IP addresses (enumerated below). This adapter currently supports only STIX indicators containing inline CybOX Observable objects (#1 in the IP address list) and STIX indicators containing an inline CybOX Observable Composition that references (idref) the related CybOX Observable objects (#2 in the IP address list). Content in the other forms is not translated.

Commands

  • Note: all commands print detailed usage information when passed the --help flag
  • datagen.py
    • Description: Inject randomly generated observable / indicator data into CRITs or Soltra Edge (useful for development and testing)
    • Example usage: ./datagen.py --inject --type=edge --target=localhost --datatype=indicator --count=1000 (as repo user)
  • edgy_critsd.py
    • Description: Daemon that continually syncs data between configured CRITs and Soltra Edge instances.
    • Example usage: service edgy_critsd start (as root)
  • edgy_crits.py
    • Description: Performs a one-off, unidirectional sync between a configured CRITs and Soltra Edge instance
    • Example usage: ./edgy_crits.py --c2e --src=localhost --dest=localhost (as repo user)
  • util/flush.sh
    • Description: Flush all indicator and observable data from the (localhost) CRITs and Edge MongoDB collections, the edgy_crits logfiles, and the adapter-specific MongoDB collections. Destructive: intended for development and test instances only.
    • Example usage: ./util/flush.sh (as root)
  • util/setup.sh
    • Description: Install adapter dependencies, fix permissions, and configure edgy_critsd as a service set to start on boot.
    • Example usage: ./util/setup.sh (as root)

12 ways to express context between 2 IP addresses

  1. Indicator, with two inline IPv4 AddressObjects
  2. Indicator, with two referenced IPv4 AddressObjects
  3. Indicator, with one inline IPv4 AddressObject using comma notation (127.0.0.1##comma##127.0.0.2)
  4. Indicator, with one referenced IPv4 AddressObject using comma notation (127.0.0.1##comma##127.0.0.2)
  5. A composite indicator including a single indicator, with two inline IPv4 AddressObjects
  6. A composite indicator including a single indicator, with two referenced IPv4 AddressObjects
  7. A composite indicator including a single indicator, with one referenced IPv4 AddressObject using comma notation (127.0.0.1##comma##127.0.0.2)
  8. A composite indicator including a single indicator, with one inline IPv4 AddressObject using comma notation (127.0.0.1##comma##127.0.0.2)
  9. A composite indicator with two indicators. Each indicator has a single inline IPv4 AddressObject
  10. A composite indicator with two indicators. Each indicator has a single referenced IPv4 AddressObject
  11. Two AddressObjects, no indicators, and "These IP addresses are malicious" placed in the Title field of the STIX_Header
  12. One AddressObject using comma notation (127.0.0.1##comma##127.0.0.2), no indicators, and "These IP addresses are malicious" placed in the Title field of the STIX_Header
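The forms above differ only in where the IPv4 AddressObjects sit relative to the Indicator (inline, referenced by idref, wrapped in a composition, or packed into one value with ##comma##), which is exactly what the adapter's constraint on #1 and #2 is about. The following is an added example, not code from the crits-adapter project, showing how to classify an indicator's form, resolve idrefs against the package's top-level Observables, split comma notation, and flag dangling or cyclic references. It uses only the standard library; the STIX 1.1.1 package it parses is constructed for the example (loopback addresses, not real intelligence), and the form names and the SUPPORTED_FORMS set are this example's own labels for what the Constraints section describes.

```python
"""Added example: classify how STIX 1.x indicators attach IPv4 observables,
resolve idrefs and split CybOX '##comma##' list values (stdlib only)."""
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}
COMMA = "##comma##"  # CybOX list delimiter behind the "comma notation" forms
# Shapes the README says the adapter handles: inline objects (#1) and a composition
# that references observables by idref (#2). These labels are ours, not the adapter's.
SUPPORTED_FORMS = {"inline", "composition_inline", "composition_idref"}


def _addresses(obs):
    """IPv4 values from an inline cybox:Object directly under an Observable, comma notation expanded."""
    vals = obs.findall("cybox:Object/cybox:Properties/AddressObj:Address_Value", NS)
    return [v.strip() for el in vals for v in (el.text or "").split(COMMA) if v.strip()]


def _classify(ind_obs):
    """Name the structural form of an indicator's Observable element."""
    if ind_obs.get("idref"):
        return "idref"
    comp = ind_obs.find("cybox:Observable_Composition", NS)
    if comp is None:
        return "inline" if ind_obs.find("cybox:Object", NS) is not None else "empty"
    kinds = frozenset("idref" if c.get("idref") else "inline"
                      for c in comp.findall("cybox:Observable", NS))
    names = {frozenset({"idref"}): "composition_idref", frozenset({"inline"}): "composition_inline"}
    return names.get(kinds, "mixed" if kinds else "empty")


def _collect(obs, index, dangling, seen=frozenset()):
    """Gather addresses beneath an Observable, following idrefs via the package index."""
    ref = obs.get("idref")
    if ref is not None:
        if ref in seen or ref not in index:   # unresolved or cyclic reference
            dangling.append(ref)
            return []
        return _collect(index[ref], index, dangling, seen | {ref})
    addrs = _addresses(obs)
    comp = obs.find("cybox:Observable_Composition", NS)
    if comp is not None:
        for child in comp.findall("cybox:Observable", NS):
            addrs.extend(_collect(child, index, dangling, seen))
    return addrs


def extract_indicators(xml_text):
    """One record per stix:Indicator: id, form, resolved addresses, dangling idrefs, support flag."""
    root = ET.fromstring(xml_text)
    index = {o.get("id"): o for o in root.findall("stix:Observables/cybox:Observable", NS)
             if o.get("id")}
    records = []
    for ind in root.findall("stix:Indicators/stix:Indicator", NS):
        ind_obs = ind.find("indicator:Observable", NS)
        if ind_obs is None:
            continue
        dangling, form = [], _classify(ind_obs)
        addrs = _collect(ind_obs, index, dangling)
        records.append({"id": ind.get("id"), "form": form, "addresses": addrs,
                        "dangling": dangling, "supported": form in SUPPORTED_FORMS and not dangling})
    return records


# Constructed sample package (not real intel): Indicator-1 is form #2, Indicator-2 is
# form #3 (one inline object, comma notation), Indicator-3 carries a dangling idref.
ADDR = ('<cybox:Object id="example:Address-{n}"><cybox:Properties '
        'xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">'
        '<AddressObj:Address_Value>{v}</AddressObj:Address_Value></cybox:Properties></cybox:Object>')
SAMPLE_PACKAGE = f"""<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:Package-1" version="1.1.1">
  <stix:Observables cybox_major_version="2" cybox_minor_version="1">
    <cybox:Observable id="example:Observable-a">{ADDR.format(n='a', v='127.0.0.1')}</cybox:Observable>
    <cybox:Observable id="example:Observable-b">{ADDR.format(n='b', v='127.0.0.2')}</cybox:Observable>
  </stix:Observables>
  <stix:Indicators>
    <stix:Indicator id="example:Indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Observable id="example:Observable-c"><cybox:Observable_Composition operator="AND">
        <cybox:Observable idref="example:Observable-a"/><cybox:Observable idref="example:Observable-b"/>
      </cybox:Observable_Composition></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:Indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Observable id="example:Observable-d">{ADDR.format(n='d', v='127.0.0.1' + COMMA + '127.0.0.2')}</indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:Indicator-3" xsi:type="indicator:IndicatorType">
      <indicator:Observable idref="example:Observable-missing"/>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

if __name__ == "__main__":
    for rec in extract_indicators(SAMPLE_PACKAGE):
        print(rec)
```

Run as a script it prints one record per indicator; Indicator-1 and Indicator-2 both resolve to the same two addresses and are flagged supported, while Indicator-3 is reported with its unresolved idref and left unsupported. A sync job built on this would log the unsupported records rather than silently dropping them, which is the failure mode the constraint above implies for forms other than #1 and #2.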
