This repository has been archived by the owner on May 29, 2024. It is now read-only.

Rewrite pyvast-threatbus to convert to/from STIX-2 Indicators and Sightings #105

Merged
merged 14 commits into master from story/ch23320 on Mar 23, 2021

Conversation

0snap
Contributor

@0snap 0snap commented Mar 16, 2021

📔 Description

Following up on the STIX-2 rewrite of Threat Bus: this PR updates pyvast-threatbus.

  • Convert STIX-2 Indicators to VAST queries
  • Convert VAST query results to valid STIX-2 Sightings
  • Convert STIX-2 Indicators to VAST matcher IoCs
  • Convert VAST matcher hits to valid STIX-2 Sightings
  • Update unit tests

📝 Checklist

  • All user-facing changes have changelog entries.
  • The changes are reflected on docs.tenzir.com/threatbus, if necessary.
  • The PR description contains instructions for the reviewer, if necessary.

🎯 Review Instructions

  • Run the unit tests

For live testing:

  • start a VAST node w/ matcher plugin enabled
  • ingest data into VAST
  • start Threat Bus and pyvast-threatbus both from this branch
  • send an IoC (e.g., using MISP or the zmq-sender test utils). This should trigger two things (visible with debug logging):
    • a VAST query (for retro matching). If your IoC is found in VAST, you should see sightings in the logs
    • an ingest of the IoC into the VAST matcher
  • now ingest data into VAST again. If your schema is annotated properly and the data you ingest coincides with the IoCs known to the VAST matcher, it should immediately generate a match during ingest, and sightings should show up in the logs
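The two conversions the description lists (Indicator to VAST query, VAST result to Sighting) as an added worked example. This is not code from this PR or from pyvast-threatbus: the VAST query forms it emits (`:addr == x`, `:addr in net`, `:string == "x"`), the one-comparison STIX pattern subset it parses, the `x_threatbus_sighting_context` property name and the identity ID for the VAST node are all assumptions made for illustration, and the indicator and result row are constructed sample data.

```python
"""Added example, not pyvast-threatbus code: STIX-2 Indicator -> VAST query,
VAST result row -> STIX-2 Sighting. Query syntax and pattern subset are assumptions."""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone
from typing import Optional

# Only patterns with a single equality comparison are handled (assumption),
# e.g. [ipv4-addr:value = '6.6.6.6'] or [domain-name:value = 'evil.example.com']
_PATTERN_RE = re.compile(
    r"^\[\s*(?P<obj>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<value>[^']*)'\s*\]$"
)
# (STIX cyber-observable type, property) -> how the value is typed in VAST (assumption).
_VALUE_KIND = {
    ("ipv4-addr", "value"): "addr",
    ("ipv6-addr", "value"): "addr",
    ("domain-name", "value"): "string",
    ("url", "value"): "string",
}

def indicator_to_vast_query(indicator: dict) -> Optional[str]:
    """Return a VAST query for the indicator, or None if it is unsupported.
    IoC values come from an untrusted feed (MISP, another Threat Bus app), so
    they are parsed and validated rather than interpolated verbatim."""
    if indicator.get("type") != "indicator":
        return None
    if indicator.get("pattern_type", "stix") != "stix":
        return None  # snort/yara/sigma patterns cannot become VAST queries
    m = _PATTERN_RE.match(indicator.get("pattern", ""))
    if not m:
        return None
    kind, value = _VALUE_KIND.get((m["obj"], m["prop"])), m["value"]
    if kind == "addr":
        try:
            if "/" in value:  # CIDR block: match on subnet membership
                return f":addr in {ipaddress.ip_network(value, strict=False)}"
            return f":addr == {ipaddress.ip_address(value)}"
        except ValueError:
            return None  # not an address: refuse rather than emit a broken query
    if kind == "string":
        # quote and escape so the IoC cannot smuggle extra query syntax
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        return f':string == "{escaped}"'
    return None

def _stix_timestamp(dt: datetime) -> str:
    """STIX 2.1 timestamp: UTC, millisecond precision, trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

# Identity SDO standing in for "this VAST node" (constructed for the example).
VAST_IDENTITY_ID = "identity--2b4a3f7e-9c1d-4e8a-b6f0-5d7c8e9a0b1c"

def vast_result_to_sighting(indicator: dict, row: dict, when: Optional[datetime] = None) -> dict:
    """Wrap one VAST result row (a JSON-export record) as a STIX 2.1 Sighting.
    x_threatbus_sighting_context is an assumed custom-property name (x_ prefix)."""
    ts = _stix_timestamp(when or datetime.now(timezone.utc))
    return {
        "type": "sighting",
        "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "sighting_of_ref": indicator["id"],
        "count": 1,
        "where_sighted_refs": [VAST_IDENTITY_ID],
        "x_threatbus_sighting_context": row,
    }

_STIX_ID_RE = re.compile(
    r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

def is_wellformed_sighting(s: dict) -> bool:
    """Structural check before the sighting is handed back to Threat Bus."""
    required = ("type", "spec_version", "id", "created", "modified", "sighting_of_ref")
    return (
        all(k in s for k in required)
        and s["type"] == "sighting"
        and s["spec_version"] == "2.1"
        and s["id"].startswith("sighting--")
        and _STIX_ID_RE.match(s["id"]) is not None
        and s["sighting_of_ref"].startswith("indicator--")
        and _STIX_ID_RE.match(s["sighting_of_ref"]) is not None
        and s.get("count", 1) >= 1
    )

# Constructed sample input: an Indicator as Threat Bus would forward it.
SAMPLE_INDICATOR = {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--7a1f4b2c-3d5e-4f60-9a8b-1c2d3e4f5a6b",
    "created": "2021-03-16T10:00:00.000Z",
    "modified": "2021-03-16T10:00:00.000Z",
    "pattern": "[ipv4-addr:value = '6.6.6.6']",
    "pattern_type": "stix",
    "valid_from": "2021-03-16T10:00:00.000Z",
}
# Constructed sample output: one record shaped like a Zeek conn row exported by VAST.
SAMPLE_VAST_ROW = {"ts": "2021-03-16T10:05:12Z", "id.orig_h": "10.0.0.5", "id.resp_h": "6.6.6.6"}

if __name__ == "__main__":
    print(indicator_to_vast_query(SAMPLE_INDICATOR))
    print(json.dumps(vast_result_to_sighting(SAMPLE_INDICATOR, SAMPLE_VAST_ROW), indent=2))
```

The point worth carrying over to a real implementation is the refusal path: an indicator whose pattern type is not `stix`, whose pattern has more than one comparison, or whose value does not parse as an address yields `None` instead of a query, so a malformed or malicious IoC from the feed cannot become an arbitrary VAST query.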

@0snap 0snap changed the title Story/ch23320 Rewrite pyvast-threatbus to convert to/from STIX-2 Indicators and Sightings Mar 16, 2021
@0snap 0snap marked this pull request as ready for review March 16, 2021 16:26
@0snap 0snap requested review from tobim and mavam March 16, 2021 16:26
@0snap 0snap added the feature New functionality label Mar 16, 2021
Member

@tobim tobim left a comment


I have almost no critique for this, as I can follow the flow quite well from reading the new implementation in my local working copy.

@0snap 0snap merged commit 7b7df46 into master Mar 23, 2021
@0snap 0snap deleted the story/ch23320 branch March 23, 2021 11:42