Intelstack Threat Feed is Shut Down. Here’s a new intel threat feed aggregator for Zeek

Hello Everyone,

I hope everyone reading this is healthy and safe. Some sad news today: intelstack.com is no more. For those of you who followed my Zeek IDS Installation on Raspberry PI Part 2 blog, intelstack was the heart of the threat intel feed to Zeek.

Thankfully, other intrepid users have done some great work to make threat feed updates easier through open source means such as git. I’ve been testing out the intel feeds from Critical Path Security. They aggregate different feeds on GitHub, and I’ll go into detail on how to set them up for Zeek on a Raspberry Pi.

Most of these instructions are already available on https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds

If you want to install Zeek from GitHub, look at my previous post ….

To replace your threat feeds, please read on. I made a few changes to the instructions to better support my setup.

As root, go into the /usr/local/zeek/share/zeek/site directory:

cd /usr/local/zeek/share/zeek/site

To clone the git repository:

git clone https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds.git

This will create the Zeek-Intelligence-Feeds directory:

/usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds

Then you need to tell Zeek where the new intel feeds are. Edit your local.zeek file at:

/usr/local/zeek/share/zeek/site/local.zeek

Add:

@load Zeek-Intelligence-Feeds

And remove any mention of the intelstack feeds:

@load /opt/intel-stack-client/frameworks/intel

Optional: remove the intel-stack-client directory:

rm -rf /opt/intel-stack-client

Automate updates of the Critical Path intel feeds:

If you created the zeekupdate file from part 2 in /usr/local/zeek/bin, you can modify it to remove the intelstack entries and replace them with the new Critical Path feed entries:

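echo "***Updating Threat Feeds***"
# Stop here if the feed directory is missing or the fetch fails, so that the
# reset and clean below never run in another directory or on a stale FETCH_HEAD
cd /usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds || exit 1
git fetch origin master || exit 1
# Discard local changes and untracked files so the checkout matches upstream
git reset --hard FETCH_HEAD
git clean -df
echo "***Applying Updates***"
/usr/local/zeek/bin/zeekctl check
/usr/local/zeek/bin/zeekctl install
echo "***Restarting Zeek***"
/usr/local/zeek/bin/zeekctl restart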

Save your file and make sure it is still set to executable (the x in the file permissions) via:

ls -la zeekupdate

-rwxr-xr-x 1 root root 342 Nov 1 15:21 zeekupdate

If not, set the zeekupdate file to executable:

chmod +x /usr/local/zeek/bin/zeekupdate

Now edit your crontab through “crontab -e” and add the following:

0 */12 * * 0-6  /usr/local/zeek/bin/zeekupdate

This will run the zeekupdate script twice a day, every day.
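
The cron job above installs whatever upstream published and restarts Zeek unattended, so a sanity check on the pulled files can run in zeekupdate before zeekctl install. This is an added example, not part of the original post or of the Critical Path Security repository. It assumes the feeds use the standard Zeek Intelligence Framework file layout (tab-separated, with a #fields header) and a .intel file extension; the script name lint_intel.py and the internal-range policy are hypothetical choices.

```python
import ipaddress
import sys
from pathlib import Path

# Indicator types from the Intel::Type enum of Zeek's Intelligence Framework.
KNOWN_TYPES = {"Intel::" + t for t in (
    "ADDR SUBNET URL SOFTWARE EMAIL DOMAIN USER_NAME CERT_HASH "
    "PUBKEY_HASH FILE_HASH FILE_NAME").split()}
# Assumed policy: RFC 1918 and loopback space is never a valid threat indicator.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed sample (not real indicators): good row, internal address, bad type.
SAMPLE = ("#fields\tindicator\tindicator_type\tmeta.source\n"
          "203.0.113.7\tIntel::ADDR\texample-feed\n"
          "192.168.1.10\tIntel::ADDR\texample-feed\n"
          "bad.example\tIntel::HOSTNAME\texample-feed\n")

def lint_intel(text, name="feed"):
    """Return a list of problems found in the contents of one intel file."""
    problems, fields, rows = [], [], 0
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        if not line.strip() or line.startswith("#"):
            continue
        if not {"indicator", "indicator_type"} <= set(fields):
            return [f"{name}: no usable #fields header before line {no}"]
        cols, rows = line.split("\t"), rows + 1
        if len(cols) != len(fields):
            problems.append(f"{name}:{no}: {len(cols)} columns, header has {len(fields)}")
            continue
        row = dict(zip(fields, cols))
        if row["indicator_type"] not in KNOWN_TYPES:
            problems.append(f"{name}:{no}: unknown type {row['indicator_type']}")
        elif row["indicator_type"] in ("Intel::ADDR", "Intel::SUBNET"):
            try:
                net = ipaddress.ip_network(row["indicator"], strict=False)
            except ValueError:
                problems.append(f"{name}:{no}: bad address {row['indicator']}")
                continue
            if any(net.overlaps(i) for i in INTERNAL):
                problems.append(f"{name}:{no}: {net} is internal address space")
    return problems if rows else [f"{name}: contains no indicators"]

if __name__ == "__main__":  # usage: lint_intel.py <feed directory>
    found = [p for f in sorted(Path(sys.argv[1]).rglob("*.intel"))
             for p in lint_intel(f.read_text(errors="replace"), f.name)]
    print("\n".join(found) or "feeds look sane")
    sys.exit(1 if found else 0)
```

The script exits non-zero when any file has a problem, so zeekupdate can skip the install and restart steps on a bad pull and keep running with the previously installed feeds.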

Conclusion

I’ve seen an uptick in different intel logs since I’ve added the new feed source. Admittedly, I wasn’t using all that many feeds from the intelstack client. I hope this entry helps you on your security journey, and stay tuned for more Zeek and Elasticsearch info shortly!

2 Responses

  1. Jeff Carroll says:

    There is no need to run the command (mkdir /usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds). This actually makes Zeek fail when you run the ‘scripts’ command in Zeekctl. I noticed there was another file named ‘Zeek-Intelligence-Feeds’ below the path quoted above, so I found all the appropriate feeds in there. However, Zeekctl isn’t told to navigate two layers of folders (/usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds/Zeek-Intelligence-Feeds/…) to run the scripts. The corrective action was to clone the GitHub repo from the (/usr/local/zeek/share/zeek/site) directory where the initial Zeek-Intelligence-Feeds folder (and subsequent scripts) will be placed. Running ‘diag’ and ‘scripts’ in Zeekctl after this action indicates it is now working properly.

    Thank you for the write-up! This was extremely helpful! Keep up the good work.

  2. dave says:

    Thanks for your feedback, much appreciated. I’ll modify the post shortly.

    David
