This repository has been archived by the owner on Jun 17, 2023. It is now read-only.

Where do I start with Integrations

Wes edited this page Oct 17, 2017 · 4 revisions

Open Source Integrations

Bro

While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Bro has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyberinfrastructure. Bro's user community includes major universities, research labs, supercomputing centers, and open-science communities.

see more at bro.org

$ cif --itype ipv4 --feed --confidence 8 --format bro --limit 5
#fields	indicator	indicator_type	meta.desc	meta.cif_confidence	meta.source
92.50.31.66	Intel::ADDR	exploit	95	spamhaus.org
210.4.72.138	Intel::ADDR	exploit	95	spamhaus.org
61.150.89.67	Intel::ADDR	spam	95	spamhaus.org
68.180.32.194	Intel::ADDR	exploit	95	spamhaus.org
221.206.72.203	Intel::ADDR	spam	95	spamhaus.org

Snort

Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

see more at snort.org

$ cif --itype ipv4 --feed --confidence 8 --format snort --limit 5
alert TCP any any -> 74.28.188.130 any (reference: http://www.spamhaus.org/query/bl?ip=74.28.188.130; priority: 1; threshold: type limit,track by_src,count 1,seconds 3600; sid: 5000000000; msg: CIF - GREEN - exploit;)
alert IP any any -> 74.208.184.119 any (reference: http://www.spamhaus.org/query/bl?ip=74.208.184.119; priority: 1; threshold: type limit,track by_src,count 1,seconds 3600; sid: 5000000001; msg: CIF - GREEN - spam;)
alert TCP any any -> 173.237.190.72 any (reference: http://www.spamhaus.org/query/bl?ip=173.237.190.72; priority: 1; threshold: type limit,track by_src,count 1,seconds 3600; sid: 5000000002; msg: CIF - GREEN - spam;)

BIND

BIND is open source software that implements the Domain Name System (DNS) protocols for the Internet. It is a reference implementation of those protocols, but it is also production-grade software, suitable for use in high-volume and high-reliability applications. The name BIND stands for “Berkeley Internet Name Domain”, because the software originated in the early 1980s at the University of California at Berkeley.

BIND is by far the most widely used DNS software on the Internet, providing a robust and stable platform on top of which organizations can build distributed computing systems with the knowledge that those systems are fully compliant with published DNS standards.

see more at isc.org

$ cif --itype fqdn --feed --confidence 8 --format bind --tags phishing,malware --limit 5
// generated by: CIF at 2016-35-23T10:02:55 EST
zone "mail.ghiend.com" {type master; file "/etc/namedb";};
zone "ghiend.com" {type master; file "/etc/namedb";};
zone "ns1.bwreg.com" {type master; file "/etc/namedb";};
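The Bro, Snort and BIND outputs above all derive from the same indicator records, differing only in how each line is rendered. As an added example (not CIF's own code, which this wiki does not show), the Python below takes a small constructed set of records, applies a `--confidence`-style threshold, drops indicators that do not parse or that carry characters which would break a Snort rule or BIND stanza, and renders the survivors in the three shapes shown on this page. The record field names, the `render_*` function names and the sample values are assumptions made for the example.

```python
"""Render indicator records into Bro Intel, Snort and BIND shapes (added example).

The output formats mirror the CIF output shown on this page; the record
layout below is an assumption, not CIF's real schema.
"""
import ipaddress
import re

# Constructed sample records. Two are deliberately bad: one is not a valid
# IPv4 address, one sits below the confidence threshold used here.
RECORDS = [
    {"indicator": "92.50.31.66", "itype": "ipv4", "tags": ["exploit"],
     "confidence": 95, "provider": "spamhaus.org",
     "reference": "http://www.spamhaus.org/query/bl?ip=92.50.31.66"},
    {"indicator": "61.150.89.67", "itype": "ipv4", "tags": ["spam"],
     "confidence": 95, "provider": "spamhaus.org",
     "reference": "http://www.spamhaus.org/query/bl?ip=61.150.89.67"},
    {"indicator": "ghiend.com", "itype": "fqdn", "tags": ["phishing"],
     "confidence": 85, "provider": "example-provider",
     "reference": "http://example.invalid/ghiend.com"},
    {"indicator": "999.1.1.1", "itype": "ipv4", "tags": ["scanner"],
     "confidence": 95, "provider": "example-provider", "reference": ""},
    {"indicator": "10.0.0.1", "itype": "ipv4", "tags": ["scanner"],
     "confidence": 50, "provider": "example-provider", "reference": ""},
]

# Hostname shape check (labels of 1-63 chars, total <= 253, alphabetic TLD).
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Free-text fields are interpolated into rules and stanzas, so refuse ';'
# and quote characters: a feed entry must not be able to break the syntax.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.:/?=&-]*$")


def is_valid(rec):
    """True when the indicator matches its declared type and text fields are safe."""
    if not all(SAFE_TOKEN.match(t) for t in rec["tags"] + [rec["reference"], rec["provider"]]):
        return False
    if rec["itype"] == "ipv4":
        try:
            addr = ipaddress.IPv4Address(rec["indicator"])
        except ValueError:
            return False
        # A blocklist should never point at private, loopback or multicast space.
        return not (addr.is_private or addr.is_loopback or addr.is_multicast)
    if rec["itype"] == "fqdn":
        return FQDN_RE.match(rec["indicator"]) is not None
    return False


def select(records, min_confidence=80):
    """Apply the confidence threshold and discard malformed entries."""
    return [r for r in records if r["confidence"] >= min_confidence and is_valid(r)]


BRO_TYPES = {"ipv4": "Intel::ADDR", "fqdn": "Intel::DOMAIN"}


def render_bro(records):
    """Tab-separated Bro Intel framework file with the #fields header."""
    lines = ["#fields\tindicator\tindicator_type\tmeta.desc\tmeta.cif_confidence\tmeta.source"]
    for r in records:
        lines.append("\t".join([r["indicator"], BRO_TYPES[r["itype"]],
                                ",".join(r["tags"]), str(r["confidence"]), r["provider"]]))
    return "\n".join(lines)


def render_snort(records, base_sid=5000000000):
    """One alert rule per IPv4 indicator; sids are allocated sequentially so they never collide."""
    rules = []
    ipv4 = (r for r in records if r["itype"] == "ipv4")
    for sid, r in enumerate(ipv4, start=base_sid):
        rules.append(
            f"alert IP any any -> {r['indicator']} any (reference: {r['reference']}; priority: 1; "
            f"threshold: type limit,track by_src,count 1,seconds 3600; sid: {sid}; "
            f"msg: CIF - {','.join(r['tags'])};)")
    return rules


def render_bind(records, zone_file="/etc/namedb"):
    """One master-zone stanza per FQDN, the sinkhole shape shown in the BIND output above."""
    return [f'zone "{r["indicator"]}" {{type master; file "{zone_file}";}};'
            for r in records if r["itype"] == "fqdn"]


if __name__ == "__main__":
    chosen = select(RECORDS)
    print(render_bro(chosen))
    print("\n".join(render_snort(chosen)))
    print("\n".join(render_bind(chosen)))
```

Running the script emits three usable records out of the five: the malformed address and the low-confidence entry are dropped before anything is written, which is the step worth keeping when a feed is pulled unattended into a sensor or resolver configuration.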

Splunk

[Note: these integrations are older and may or may not fully integrate with v3 yet.]