After registering with Critical Stack it was not possible to add feeds to a collection, so its open-source threat-intelligence feeds could not be used, and enquiries to the site went unanswered; the AlienVault OTX open intelligence data is used instead.
1. Register and obtain an API key
Go to https://otx.alienvault.com, register an account and obtain its API key; the setup script in step 3 prompts for it.
2. Install Bro as usual
Download Bro from the Bro website; the test used version 2.5.5 and succeeded on Ubuntu 16:
(1) Install the build dependencies. On Ubuntu the Debian package names are:
apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
(gcc-c++, libpcap-devel, openssl-devel, python-devel and zlib-devel are the equivalent RPM names on CentOS/RHEL.)
(2) Install Bro
Download the Bro source tarball (see https://www.bro.org/sphinx/install/install.html#id2).
Version: bro-2.5.5.tar.gz
Unpack it:
tar -vzxf bro-2.5.5.tar.gz
Build and install (the default prefix is /usr/local/bro):
cd bro-2.5.5
./configure
make && make install
(3) Set the capture interface (use ifconfig to find the local NIC name):
vi /usr/local/bro/etc/node.cfg
change interface=eth0 to interface=ens33 (ens33 is the NIC name on the test machine; use whatever ifconfig reports).
Logs are written to /usr/local/bro/logs/current
Bro scripts live under /usr/local/bro/share/bro/policy
3. Install the OTX scripts and data with a setup script
(1) Download the Security Onion OTX setup script with wget https://raw.githubusercontent.com/weslambert/securityonion-otx/master/securityonion-otx. It is written for Security Onion's directory layout; since this article tests on a plain Bro install under /usr/local/bro, the script was modified as follows:
#!/bin/bash
# Adapted from weslambert/securityonion-otx for a plain /usr/local/bro install.
# If OTX_PATH is changed, you MUST manually update local.bro to the desired path
OTX_PATH="/usr/local/bro/share/bro/policy/bro-otx"
LOCAL_BRO="/usr/local/bro/share/bro/site/local.bro"
BROCTL="/usr/local/bro/bin/broctl"

# Download connector
echo
echo "Downloading Bro/OTX Connector ..."
echo
if [ ! -d "$OTX_PATH" ]; then
    git clone https://github.com/hosom/bro-otx "$OTX_PATH"
else
    echo "Bro-OTX directory already exists!"
fi
cd "$OTX_PATH" || { echo "Cannot enter $OTX_PATH"; exit 1; }
# Flatten the repository's scripts/ directory so that "@load bro-otx" finds it
if [ -d scripts ]; then
    cp -av scripts/* .
    rm -rf scripts
fi

# Get APIKEY
echo
echo "Please provide an Alienvault OTX API key! [ENTER]:"
echo "(Input field is hidden)"
echo
read -r -s APIKEY

# Configure connector
echo "Configuring Bro OTX Connector..."
echo
if [ -f "$OTX_PATH/bro-otx.conf" ]; then
    sed -i "s|api_key.*|api_key = $APIKEY|" "$OTX_PATH/bro-otx.conf"
    sed -i "s|outfile.*|outfile = $OTX_PATH/otx.dat|" "$OTX_PATH/bro-otx.conf"
fi
if [ -f "$OTX_PATH/bro-otx.py" ]; then
    sed -i "s|default='bro-otx.conf'|default='$OTX_PATH/bro-otx.conf'|" "$OTX_PATH/bro-otx.py"
fi

# Add to local.bro (a backup of the original is kept as local.bro.bak)
if ! grep -q bro-otx "$LOCAL_BRO"; then
    cp "$LOCAL_BRO" "$LOCAL_BRO.bak"
    cat << EOF >> "$LOCAL_BRO"
# Load Bro OTX Pulses
@load bro-otx
EOF
else
    echo "@load bro-otx already exists in local.bro!"
fi

# Run Pulse retrieval script for first time
echo "Pulling OTX Pulses..."
echo
if [ -f "$OTX_PATH/bro-otx.py" ]; then
    /usr/bin/python "$OTX_PATH/bro-otx.py"
fi

# Restart Bro
echo "Restarting Bro..."
echo
"$BROCTL" check
"$BROCTL" install
"$BROCTL" restart
echo "Done!"
echo

# Check if script(s) loaded
if grep -q otx /usr/local/bro/logs/current/loaded_scripts.log; then
    echo "Script(s) loaded!"
    echo
else
    echo "There seems to be an issue with your configuration. Check /usr/local/bro/logs/current/reporter.log for clues."
    echo
fi
When the script prompts for the OTX API key, paste it in (the input is hidden).
Before running the script, install its prerequisites (git for the clone, pip and the requests library for bro-otx.py):
apt-get install git python-pip
pip install requests
(2) Run: sudo bash securityonion-otx
The script pulls pulses only once. bro-otx.py writes the indicators to otx.dat, which the Intel framework re-reads whenever the file changes, so to keep the feed current re-run /usr/bin/python /usr/local/bro/share/bro/policy/bro-otx/bro-otx.py periodically (for example from cron); no Bro restart is needed for that.
4. Test
sudo gedit /usr/local/bro/share/bro/policy/bro-otx/otx.dat
Append a few entries. otx.dat is a Bro Intel input file: the columns must be separated by TAB characters (not spaces) and follow the #fields header that bro-otx.py writes at the top of the file, indicator, indicator_type, meta.source, meta.url, meta.do_notice. With meta.do_notice set to T a match also raises an Intel::Notice in notice.log. The entries are shown here with spaces for readability; type TABs:
www.baidu.com Intel::DOMAIN Test1-baidu-Intel https://baidu.com T
www.google.com Intel::DOMAIN Test1-Google-Intel https://google.com T
baidu.com Intel::DOMAIN Test1-baidu-Intel https://baidu.com T
google.com Intel::DOMAIN Test1-Google-Intel https://google.com T
Delete these entries once testing is done. The Intel framework re-reads the file when it changes, so no restart is needed either way.
If it works, /usr/local/bro/logs/current/intel.log will contain records like the following (one record per line; the columns are ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, seen.indicator, seen.indicator_type, seen.where, seen.node, matched, sources, fuid, file_mime_type, file_desc). In this record the domain 163.com from the source 163.test was seen in an X.509 certificate (X509::IN_CERT) served on a TLS connection to 223.252.199.7:443:
1543810814.561031 C54ogUaVovQHmrqlj 192.168.2xx.131 42862 223.252.199.7 443 163.com Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN 163.test Fogk7hNCBjfSr8Bg3 application/pkix-cert 223.252.199.7:443/tcp
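As an added example (not part of the original post, and not bro-otx's own code), the following Python script does the test step above without the usual editing mistakes: it renders the four test indicators as a correctly tab-separated Intel file with the #fields header, checks a hand-edited file for missing header, space-separated columns, unknown indicator types and bad do_notice flags, and parses intel.log records to pick out the hits attributed to a given meta.source. It assumes the five-column layout bro-otx's otx.dat uses and Bro 2.5's default intel.log column order; the intel.log excerpt it parses is constructed, not captured from a sensor.

```python
"""Added example (not from the original post, not bro-otx's own code): write a
valid Bro Intel input file and read back the intel.log hits it produces.
Assumptions: the input file has the five columns bro-otx's otx.dat uses, and
intel.log has Bro 2.5's default column order (INTEL_LOG_FIELDS). The log
excerpt at the bottom is constructed, not captured from a sensor."""

INTEL_FIELDS = ["indicator", "indicator_type", "meta.source", "meta.url", "meta.do_notice"]

# Intel::Type values accepted by Bro 2.5's Intel framework.
INTEL_TYPES = {"Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
               "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH", "Intel::PUBKEY_HASH",
               "Intel::FILE_HASH", "Intel::FILE_NAME"}

# Default intel.log columns in Bro 2.5; used when a log has no #fields header.
INTEL_LOG_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                    "seen.indicator", "seen.indicator_type", "seen.where", "seen.node",
                    "matched", "sources", "fuid", "file_mime_type", "file_desc"]

# The four test indicators from the post.
TEST_ENTRIES = [
    ("www.baidu.com", "Intel::DOMAIN", "Test1-baidu-Intel", "https://baidu.com", "T"),
    ("www.google.com", "Intel::DOMAIN", "Test1-Google-Intel", "https://google.com", "T"),
    ("baidu.com", "Intel::DOMAIN", "Test1-baidu-Intel", "https://baidu.com", "T"),
    ("google.com", "Intel::DOMAIN", "Test1-Google-Intel", "https://google.com", "T"),
]

def render_intel_file(entries):
    """Render entries as the TAB-separated file Bro's input framework reads.
    Tabs are enforced here: a space-separated line is not a record and never hits."""
    lines = ["#fields\t" + "\t".join(INTEL_FIELDS)]
    for entry in entries:
        if len(entry) != len(INTEL_FIELDS):
            raise ValueError("need %d columns: %r" % (len(INTEL_FIELDS), entry))
        if any("\t" in col or "\n" in col for col in entry):
            raise ValueError("tab or newline inside a column: %r" % (entry,))
        lines.append("\t".join(entry))
    return "\n".join(lines) + "\n"

def check_intel_file(text):
    """Problems found in a hand-edited Intel file ([] = clean): missing header,
    spaces instead of tabs, unknown indicator type, bad do_notice flag."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        return ["line 1: missing '#fields' header"]
    header = lines[0].split("\t")[1:]
    problems = []
    if header != INTEL_FIELDS:
        problems.append("line 1: header is %r, expected %r" % (header, INTEL_FIELDS))
    for lineno, line in enumerate(lines[1:], start=2):
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(header):
            problems.append("line %d: %d tab-separated columns, expected %d (spaces instead "
                            "of tabs?)" % (lineno, len(cols), len(header)))
            continue
        row = dict(zip(header, cols))
        if row.get("indicator_type") not in INTEL_TYPES:
            problems.append("line %d: unknown indicator_type %r" % (lineno, row.get("indicator_type")))
        if row.get("meta.do_notice") not in ("T", "F"):
            problems.append("line %d: meta.do_notice must be T or F" % lineno)
    return problems

def parse_intel_log(text):
    """Parse a Bro ASCII intel.log into dicts. A #fields header in the log
    overrides the default column order; other '#' lines are metadata."""
    fields, records = INTEL_LOG_FIELDS, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            cols = line.split("\t")
            if len(cols) == len(fields):  # skip truncated lines rather than misalign columns
                records.append(dict(zip(fields, cols)))
    return records

def hits_from_source(records, source):
    """Records matched against the given meta.source ('sources' is a Bro set,
    serialised comma-separated in the ASCII log)."""
    return [r for r in records if source in r["sources"].split(",")]

# Constructed intel.log excerpt: a DNS query for one test indicator, with
# RFC 5737 documentation addresses in place of real hosts.
SAMPLE_INTEL_LOG = "\n".join([
    "#path\tintel",
    "#fields\t" + "\t".join(INTEL_LOG_FIELDS),
    "1543810814.561031\tCXWv6p3arKYeMETxOg\t192.0.2.10\t51234\t198.51.100.53\t53"
    "\twww.baidu.com\tIntel::DOMAIN\tDNS::IN_REQUEST\tbro\tIntel::DOMAIN"
    "\tTest1-baidu-Intel\t-\t-\t-",
]) + "\n"

if __name__ == "__main__":
    otx_dat = render_intel_file(TEST_ENTRIES)
    print(otx_dat + "problems: %r" % check_intel_file(otx_dat))
    for hit in hits_from_source(parse_intel_log(SAMPLE_INTEL_LOG), "Test1-baidu-Intel"):
        print("hit:", hit["seen.indicator"], hit["seen.where"], hit["id.orig_h"])
```

Run it directly to see the rendered test file and the parsed hit; redirecting the rendered text into otx.dat avoids the tab-versus-space problem that an editor introduces. Note that bro-otx.py rewrites otx.dat on every pull, so hand-appended test entries disappear the next time the pulses are refreshed.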