Intelstack Threat Feed Is Shut Down. Here’s a new threat intel feed aggregator for Zeek
Hello Everyone,
I hope everyone reading this is healthy and safe. Some sad news today: intelstack.com is no more. For those of you who followed my Zeek IDS Installation on Raspberry Pi Part 2 blog, intelstack was the heart of the threat intel feed to Zeek.
Thankfully, other intrepid users have done great work making threat feeds easy to update through open-source means such as git. I’ve been testing the intel feeds from Critical Path Security, which aggregates a number of feeds on GitHub, and I’ll go into detail on how to use them with the Zeek setup on the Raspberry Pi.
Most of these instructions are already available at https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds
If you want to install Zeek from GitHub, look at my previous post ….
To replace your threat feeds, read on. I made a few changes to the upstream instructions to better suit my setup.
As root, go into the /usr/local/zeek/share/zeek/site directory:
cd /usr/local/zeek/share/zeek/site
To clone the git repository:
git clone https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds.git
This will create the Zeek-Intelligence-Feeds directory:
/usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds
Then you need to tell Zeek where the new intel feeds are. Edit your local.zeek file at:
/usr/local/zeek/share/zeek/site/local.zeek
Add the line:
@load Zeek-Intelligence-Feeds
And remove any mention of the intelstack feeds, such as:
@load /opt/intel-stack-client/frameworks/intel
Optional: remove the intel-stack-client directory:
rm -rf /opt/intel-stack-client
Automate updates of the Critical Path intel feeds:
If you created the zeekupdate file from part 2 in /usr/local/zeek/bin, modify it to remove the intelstack entries and replace them with the new Critical Path feed entries:
echo "***Updating Threat Feeds***"
cd /usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds && git fetch origin master
git reset --hard FETCH_HEAD
git clean -df
echo "***Applying Updates***"
/usr/local/zeek/bin/zeekctl check
/usr/local/zeek/bin/zeekctl install
echo "***Restarting Zeek***"
/usr/local/zeek/bin/zeekctl restart
Save your file and make sure it is still set to executable (the x in the file permissions) via:
ls -la zeekupdate
-rwxr-xr-x 1 root root 342 Nov 1 15:21 zeekupdate
If not, set the zeekupdate file to executable:
chmod +x /usr/local/zeek/bin/zeekupdate
Now edit your crontab through “crontab -e” and add the following:
0 */12 * * 0-6 /usr/local/zeek/bin/zeekupdate
This will run the zeekupdate script twice a day, every day.
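Since the update script runs unattended and restarts Zeek regardless of what the git pull brought in, I find it useful to sanity-check the feed files themselves before zeekctl install. The following is an added example written for this post, not code from the Critical Path Security repository; it assumes the feed files use Zeek's tab-separated intel format (a #fields header followed by one indicator per row) and flags rows the intel framework would not load cleanly.

```python
"""Sanity-check Zeek intel feed files before `zeekctl install`.

Zeek's intel framework reads tab-separated files whose first line is a
`#fields` header naming at least indicator, indicator_type and meta.source;
every data row must have exactly as many columns as that header.
"""
VALID_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
    "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH",
    "Intel::PUBKEY_HASH", "Intel::FILE_HASH", "Intel::FILE_NAME",
}
REQUIRED = ("indicator", "indicator_type", "meta.source")

def validate_feed_text(text):
    """Return a list of (line_number, message); an empty list means the feed is OK."""
    lines = text.split("\n")
    header = lines[0].split("\t")
    if header[0] != "#fields":
        return [(1, "first line is not a #fields header")]
    fields = header[1:]
    missing = [f for f in REQUIRED if f not in fields]
    if missing:
        return [(1, "header lacks required field(s): %s" % ", ".join(missing))]
    type_col = fields.index("indicator_type")
    problems = []
    for num, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):
            continue  # blank line or comment; Zeek ignores these
        cols = line.split("\t")
        if len(cols) != len(fields):
            problems.append((num, "expected %d columns, got %d" % (len(fields), len(cols))))
        elif cols[type_col] not in VALID_TYPES:
            problems.append((num, "unknown indicator_type %r" % cols[type_col]))
    return problems

def validate_feed(path):
    """Validate one .intel file on disk, e.g. from the cloned feed directory."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return validate_feed_text(fh.read())

# Constructed sample feed (not real indicators): two good rows, two bad ones.
SAMPLE_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    "198.51.100.7\tIntel::ADDR\texample-feed\tconstructed sample\n"
    "example.invalid\tIntel::DOMAIN\texample-feed\tconstructed sample\n"
    "bad line with no tabs\n"
    "203.0.113.9\tIntel::BOGUS\texample-feed\twrong type\n"
)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. Zeek-Intelligence-Feeds/*.intel
        for num, msg in validate_feed(path):
            print("%s:%d: %s" % (path, num, msg))
```

Run it over the .intel files in the cloned directory from the update script, before the zeekctl install step, and skip the restart if it reports anything.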
Conclusion
I’ve seen an uptick in different intel logs since I’ve added the new feed source. Admittedly I wasn’t using all that many feeds from the intelstack client. I hope this entry helps you on your security journey, and stay tuned for more Zeek and Elasticsearch info shortly!
2 Responses
There is no need to run the command (mkdir /usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds). This actually makes Zeek fail when you run the ‘scripts’ command in Zeekctl. I noticed there was another file named ‘Zeek-Intelligence-Feeds’ below the path quoted above, so I found all the appropriate feeds in there. However, Zeekctl isn’t told to navigate two layers of folders (/usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds/Zeek-Intelligence-Feeds/…) to run the scripts. The corrective action was to clone the GitHub repo from the (/usr/local/zeek/share/zeek/site) directory where the initial Zeek-Intelligence-Feeds folder (and subsequent scripts) will be placed. Running ‘diag’ and ‘scripts’ in Zeekctl after this action indicates it is now working properly.
Thank you for the write-up! This was extremely helpful! Keep up the good work.
Thanks for your feedback, much appreciated. I’ll modify the post shortly.
David