ThreatBus or Dovehawk for MISP integration

Zeek
1

Good afternoon,

Has anyone used threatbus to integrate MISP IOCs into Zeek? Personally I have used DoveHawk in some installations and the result was satisfactory.

This time I have to integrate more than one CTI platform with Zeek and I was thinking of using ThreatBus.

Any experiences or problems encountered with ThreatBUS? Or is it better to keep Dovehawk?

Many thanks.

2

(Disclaimer: I am involved in the Threat Bus project.)

Hi Carlos,

When it comes to point-to-point integration of Zeek and MISP, both Dovehawk and Threat Bus suit the bill. There are some details, e.g., Threat Bus has snapshots and uses Zeek’s native comm library Broker for communication, but these are technical.

These points may help you assess the fit for you:

  • Threat Bus also supports OpenCTI as of the latest release, and also has early CIF support. So based on what other TIP you are trying to integrate, there is more flexibility.

  • Threat Bus also gives you choice on the underlying distribution channel. Right now, our production users rely on RabbitMQ as backbone, but adding Kafka or other AMQs would be easy, making it easy to piggyback on existing messaging infrastructure in your environment.

  • Threat Bus uses STIX-2.1 internally, making it easy to integrate with many other tools out there.

Feel free to reach out if you are looking to get going with Threat Bus, either via github discussions or privately.

Matthias

3

Many thanks Matthias for your answer. But is it possible to query MISP and OpenCTI with ThreatBus at the same time for one/same indicator in “real time"?

Best regards,
C. L. Martinez

4

The basic model in Threat Bus is publish/subscribe. With respect to indicators, Zeek is a subscriber and MISP and OpenCTI are publishers. With respect to sightings, the publish/subscribe roles are reversed. Both platforms register the sightings in their native form. This means that if you change/update/add an IoC in either threat intel platform, it will get synced with Zeek.

Syncing here means inserted into a table within Zeek’s intel framework. Zeek does not actively “query out” to a threat intel platform, because it has an up-to-date copy of the IoCs.

Setting this up doesn’t require anything special, other than configuring Threat Bus.

Hope that helps,

Matthias