Recently I have been trying to learn more about the other types of information you can get from Zeek/Suricata (IP reputation, DNS reputation), which previously led me to add IOCs to Suricata with Datasets.
Today I am adding CriticalPathSecurity Threat Intel to Zeek on Security Onion 2.3.130. Overall it was a pretty simple install, and only really required one file edit (Salt file).
Following these steps:

- Clone the Critical Path Security Intelligence Feeds:
  - `git clone https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds.git /opt/so/saltstack/local/zeek/policy/intel/Zeek-Intelligence-Feeds`
- Copy the __load.zeek__ from default to local (`cp` needs `-r` and the directory contents, not the directory itself, to land in the existing local intel folder):
  - `cp -r /opt/so/saltstack/default/zeek/policy/intel/* /opt/so/saltstack/local/zeek/policy/intel/`
- Edit __load.zeek__:
  - I added `@load integration/collective-intel` and, instead of pointing it at one intel.dat, added each feed file separately under the folder that Salt/Docker maps from the host machine into the Zeek container.
- Update Salt (the function is `state.highstate`):
  - `salt systemname_standalone state.highstate`
[Screenshot: __load.zeek__]
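As an added example, not the author's file and not the Security Onion default, here is what an edited __load.zeek__ along these lines can contain; the two feed file names are assumed, and `@DIR` resolves to the directory of the script itself so the paths stay valid wherever Salt/Docker mounts the folder:

```zeek
# Added example of an intel __load__.zeek; not the author's file.
# The feed file names below are assumed and must match what was
# actually cloned into the Zeek-Intelligence-Feeds directory.

# Match loaded indicators against addresses, domains, URLs, hashes etc.
# seen in conn, dns, http and other logs.
@load frameworks/intel/seen
# Raise an Intel::Notice in notice.log for feed lines that carry
# meta.do_notice=T instead of only writing to intel.log.
@load frameworks/intel/do_notice
# The collective-intel integration the author added; it understands the
# extra CIF-style meta columns (impact, severity, confidence) that feeds
# in this format may carry. Missing columns are simply left unset.
@load integration/collective-intel

# @DIR expands to the directory containing this script, so the paths
# resolve inside the container regardless of the host mount point.
# One entry per feed file rather than a single merged intel.dat: Zeek
# watches each file for changes and reloads it on its own, and a
# malformed line in one feed only affects that file.
redef Intel::read_files += {
    @DIR + "/Zeek-Intelligence-Feeds/abuse-ch-ipblocklist.intel",
    @DIR + "/Zeek-Intelligence-Feeds/tor-exit.intel"
};
```

After the highstate, a quick check that the feeds were picked up is a non-empty intel.log once traffic matching an indicator is observed.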
Let's check the Intel dashboards in Security Onion 2.3.130.

[Screenshot: Intel Dashboard, Security Onion 2.3.130]

The first IP address listed here came from abuse.ch; I did an nslookup on it so that it would appear in the list.