{"id":217,"date":"2020-11-03T12:03:53","date_gmt":"2020-11-03T16:03:53","guid":{"rendered":"https:\/\/secognition.com\/?p=217"},"modified":"2022-01-02T18:32:33","modified_gmt":"2022-01-02T23:32:33","slug":"intelstack-threat-feed-is-shutdown-heres-a-new-intel-threat-feed-aggregator-for-zeek","status":"publish","type":"post","link":"https:\/\/secognition.com\/?p=217","title":{"rendered":"Intelstack Threat Feed is Shutdown. Here’s a new intel threat feed aggregator for Zeek"},"content":{"rendered":"

Hello Everyone,<\/p>\n

I hope everyone reading this is healthy and safe. Some sad news today, intelstack.com is no more.\u00a0 For those of you who followed my Zeek IDS Installation on Raspberry PI Part 2<\/a> blog, intelstack was the heart of the threat intel feed to Zeek.<\/p>\n

Thankfully, other intrepid users have done some great work through easier and open source means to update threat feeds through systems such as git.\u00a0 I’ve been testing out the intel feeds from Critical Path Security.\u00a0 They aggregate different feeds on GitHub and I’ll go into detail on how to do it for the Zeek setup on Raspberry Pi.<\/p>\n

Most of these instructions are already available on https:\/\/github.com\/CriticalPathSecurity\/Zeek-Intelligence-Feeds<\/p>\n

If you want to install Zeek from GitHub, look at my previous post ….<\/p>\n

To replace your threat feeds please read on, I made a few changes to the instructions to better support my setup.<\/p>\n

As root go into the \/usr\/local\/zeek\/share\/zeek\/site directory<\/p>\n

cd \/usr\/local\/zeek\/share\/zeek\/site\r\n<\/code><\/pre>\n
To clone the git repository:<\/p>\n
\r\ngit clone https:\/\/github.com\/CriticalPathSecurity\/Zeek-Intelligence-Feeds.git \r\n<\/code><\/pre>\n
This will create the Zeek-Intelligence-Feeds directory<\/p>\n
\/usr\/local\/zeek\/share\/zeek\/site\/Zeek-Intelligence-Feeds<\/code><\/pre>\n
 <\/p>\n
Then you need to tell Zeek where the new intel feeds are, edit your zeek.local file at:<\/p>\n
\/usr\/local\/zeek\/share\/zeek\/site\/local.zeek<\/code><\/pre>\n
Add<\/p>\n
@load Zeek-Intelligence-Feeds<\/code><\/pre>\n
And remove any mentions of intelstack feeds<\/p>\n
@load \/opt\/intel-stack-client\/frameworks\/intel<\/del><\/em><\/span><\/pre>\n
optional: Remove the intel-stack-client directory<\/p>\n
rm -rf \/opt\/intel-stack-client\r\n<\/span><\/pre>\n
Automate updates of critical path intel feeds:<\/h6>\n
If you created the zeekupdate file from part 2<\/a> in \/usr\/local\/zeek\/bin, we can modify this to remove the intelstack entries and replace them with the new critical path feed entries<\/p>\n
echo \"***Updating Threat Feeds***\"\r\ncd \/usr\/local\/zeek\/share\/zeek\/site\/Zeek-Intelligence-Feeds && git fetch origin master\r\ngit reset --hard FETCH_HEAD\r\ngit clean -df\r\necho \"***Applying Updates***\"\r\n\/usr\/local\/zeek\/bin\/zeekctl check\r\n\/usr\/local\/zeek\/bin\/zeekctl install\r\necho \"***Restarting Zeek***\"\r\n\/usr\/local\/zeek\/bin\/zeekctl restart\r\n<\/code><\/pre>\n
Save your file and make sure it is still set to executable (the x in the file permissions) via:<\/p>\n
ls -la zeekupdate<\/span>\r\n\r\n-rwxr-xr-x 1 root root 342 Nov 1 15:21 zeekupdate<\/span><\/pre>\n
if not, set the zeekupdate file to executable:<\/p>\n
chmod +x \/usr\/local\/zeek\/bin\/zeekupdate<\/span><\/pre>\n
Now edit your crontab through “crontab -e” and add the following:<\/p>\n
0 *\/12 * * 0-6  \/usr\/local\/zeek\/bin\/zeekupdate<\/span><\/pre>\n
This will run the zeekupdate script twice a day, everyday.<\/p>\n
Conclusion<\/h6>\n
I’ve seen an uptick in different intel logs since i’ve added the new feed source.\u00a0 Admittedly I wasn’t using all that many feeds from the intelstack client.\u00a0 I hope this entry helps you on your security journey and stay tuned for more Zeek and elasticsearch info shortly!<\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Hello Everyone, I hope everyone reading this is healthy and safe. Some sad news today, intelstack.com is no more.\u00a0 For those of you who followed my Zeek IDS Installation on Raspberry PI Part 2 blog, intelstack was the heart of the threat intel feed to Zeek. Thankfully, other intrepid users have done some great work… 
 Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6,5,8,7],"tags":[],"class_list":["post-217","post","type-post","status-publish","format-standard","hentry","category-ids","category-security","category-threat-intel","category-zeek"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/posts\/217","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=217"}],"version-history":[{"count":0,"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/posts\/217\/revisions"}],"wp:attachment":[{"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=217"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}