Zeek Intelligence Feed Subscription Service

Author: Sec-Labs | Published:

Project URL

https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds

Zeek intelligence threat feeds with comprehensive indicators

This is a public feed built from public threat feeds and from data collected by CRITICAL PATH SECURITY. The feed is updated as frequently as possible.

Getting started

These instructions will get you a copy of the project and have it running.

Dependencies

  • ZEEK 3.0 or higher

Installation

Install the Zeek build dependencies

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

Clone the Zeek repository into "/opt"

cd /opt
git clone --recursive https://github.com/zeek/zeek

Build and install Zeek (from inside the cloned source tree)

cd /opt/zeek
./configure && make && sudo make install

Install the intelligence threat feeds

Clone the feed repository into "/usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds" and load it from local.zeek

cd /opt
git clone https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds.git /usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds
echo "@load Zeek-Intelligence-Feeds" >> /usr/local/zeek/share/zeek/site/local.zeek

Usage

Navigate to "/usr/local/zeek/bin/" and deploy the new configuration

./zeekctl deploy

Periodic updates

The feeds can be updated with a simple shell script. Below is an example.

vi /opt/zeek_update.sh

Add the following:

#!/bin/sh
# Stop at the first failing command, so the reset and clean below never run
# in some other directory if the cd or the fetch fails.
set -e
cd /usr/local/zeek/share/zeek/site/Zeek-Intelligence-Feeds
git fetch origin master
git reset --hard FETCH_HEAD   # replace the local checkout with the fetched revision
git clean -df                 # drop any stray untracked files

Make the script executable.

chmod +x /opt/zeek_update.sh

Add the following cron entry so the feeds are updated every 24 hours (at 00:05 each day).

5 0 * * * sh /opt/zeek_update.sh >/dev/null 2>&1

Intelligence matches will be logged to:

/usr/local/zeek/logs/current/intel.log
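As an added example that is not part of the project, the following Python snippet parses the intel.log written above and summarises which feed each match came from: the log's sources column carries the meta.source name(s) of the .intel file(s) whose indicator matched, so it answers "which feed is firing, on what, and how often". The sample log is constructed, with a subset of the Intel::Info columns and invented addresses.

```python
"""Summarise Zeek intel.log matches by feed source and indicator type.
Zeek's TSV logs are self-describing: '#separator'/'#set_separator' give the
delimiters, '#fields' names the columns, '#types' types them, '-' is unset."""
from collections import Counter

# Constructed sample (column subset of a Zeek 3.x intel.log, invented values).
SAMPLE_INTEL_LOG = """#separator \\x09
#set_separator\t,
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tseen.indicator\tseen.indicator_type\tseen.where\tseen.node\tmatched\tsources
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tenum\tenum\tstring\tset[enum]\tset[string]
1700000000.100000\tCxyz1\t10.0.0.5\t51234\t198.51.100.7\t443\t198.51.100.7\tIntel::ADDR\tConn::IN_RESP\tzeek\tIntel::ADDR\tabuse-ch-ipblocklist
1700000001.200000\tCxyz2\t10.0.0.6\t51235\t203.0.113.9\t80\texample-bad.invalid\tIntel::DOMAIN\tHTTP::IN_HOST_HEADER\tzeek\tIntel::DOMAIN\topenphish,cps-collected-iocs
1700000002.300000\tCxyz3\t10.0.0.5\t51236\t198.51.100.7\t443\t198.51.100.7\tIntel::ADDR\tConn::IN_RESP\tzeek\tIntel::ADDR\tabuse-ch-ipblocklist
#close\t2023-11-14-22-13-22
"""

def parse_zeek_log(text):
    """Yield one dict per record keyed by '#fields'; set/vector columns become lists."""
    sep, set_sep, header = "\t", ",", {}
    for line in text.splitlines():
        if line.startswith("#separator "):   # space-delimited: the separator is not known yet
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):           # remaining header lines use the separator
            key, _, value = line.partition(sep)
            if key == "#set_separator":
                set_sep = value
            elif key in ("#fields", "#types"):
                header[key] = value.split(sep)
        elif line:
            fields, values = header.get("#fields"), line.split(sep)
            if not fields or len(values) != len(fields):
                raise ValueError("malformed record: %r" % line)
            types = header.get("#types") or ["string"] * len(fields)
            rec = dict(zip(fields, values))
            for name, typ in zip(fields, types):
                if rec[name] == "-":                          # Zeek's default unset marker
                    rec[name] = None
                elif typ.startswith(("set[", "vector[")):
                    rec[name] = rec[name].split(set_sep)
            yield rec

def summarize_hits(text):
    """Return (hits per feed source, hits per indicator type, indicators seen more than once)."""
    by_source, by_type, seen = Counter(), Counter(), Counter()
    for rec in parse_zeek_log(text):
        by_source.update(rec["sources"] or [])
        by_type[rec["seen.indicator_type"]] += 1
        seen[rec["seen.indicator"]] += 1
    return dict(by_source), dict(by_type), {i: n for i, n in seen.items() if n > 1}
```

Run it against a real file with summarize_hits(open("/usr/local/zeek/logs/current/intel.log").read()); a feed that dominates the first table on benign traffic is a candidate for tuning before it floods the SOC.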

Sources:

| Filename | Provider | Homepage | List URL | License/TOU |
| --- | --- | --- | --- | --- |
| Amnesty_NSO_Domains.intel | Amnesty NSO Domains | https://github.com/AmnestyTech/investigations | https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso | Not Defined |
| abuse-ch-ipblocklist.intel | Abuse.CH Blacklist | https://sslbl.abuse.ch/blacklist/ | https://sslbl.abuse.ch/blacklist/ | https://sslbl.abuse.ch/blacklist/ |
| abuse-ch-malware.intel | Abuse.CH Malware | https://bazaar.abuse.ch/ | https://bazaar.abuse.ch/ | https://bazaar.abuse.ch/ |
| abuse-ch-threatfox-ip.intel | Abuse.CH ThreatFox | https://threatfox.abuse.ch/ | https://threatfox.abuse.ch/ | https://threatfox.abuse.ch/ |
| abuse-ch-urlhaus.intel | Abuse.CH URLHaus | https://urlhaus.abuse.ch/ | https://urlhaus.abuse.ch/ | https://urlhaus.abuse.ch/ |
| alienvault.intel | AlienVault | https://www.alienvault.com/ | http://reputation.alienvault.com/reputation.data | https://otx.alienvault.com/ |
| binarydefense.intel | Binary Defense | https://www.binarydefense.com/ | https://www.binarydefense.com/banlist.txt | https://www.binarydefense.com/ |
| censys.intel | Censys | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| cobaltstrike_ips.intel | CobaltStrike IP | https://threatview.io/ | https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt | https://threatview.io/ |
| compromised-ips.intel | Emerging Threats | https://rules.emergingthreats.net/ | https://rules.emergingthreats.net/blockrules/compromised-ips.txt | https://rules.emergingthreats.net/OPEN_download_instructions.html |
| cps-collected-iocs.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| cps_cobaltstrike_domain.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| cps_cobaltstrike_ip.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| fangxiao.intel | Cyjax | https://www.cyjax.com/ | https://www.cyjax.com/app/uploads/2022/11/fangxiao-a-chinese-threat-actor.txt | https://www.cyjax.com/2022/11/14/fangxiao-a-chinese-threat-actor/ |
| filetransferportals.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| illuminate.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| inversion.intel | Google / Inversion | https://github.com/elliotwutingfeng/Inversion-DNSBL-Blocklists | Github | https://github.com/elliotwutingfeng/Inversion-DNSBL-Blocklists/blob/main/LICENSE |
| lockbit_ip.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| log4j_ip.intel | Multiple Sources | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| openphish.intel | OpenPhish | https://openphish.com | https://openphish.com/feed.txt | https://openphish.com/terms.html |
| predict_intel.intel | Georgia Tech Research Institute (GTRI) | https://www.gatech.edu/ | https://www.gatech.edu/ | https://www.gatech.edu/ |
| ragnar.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| sans.intel | SANS | https://isc.sans.edu/ | https://isc.sans.edu/api/intelfeed | https://isc.sans.edu/data/threatfeed.html |
| scumbots.intel | ScumBots | None | None | Permission given by Paul Melson - Free Usage |
| stalkerware.intel | Critical Path Security | https://www.criticalpathsecurity.com/ | Github | https://www.criticalpathsecurity.com/ |
| tor-exit.intel | Tor Project | https://www.torproject.org/ | https://check.torproject.org/exit-addresses | https://www.torproject.org/ |

Contributing

Please read the contribution guidelines to learn how to contribute to this feed.

License

This project is licensed under the MIT License. See the LICENSE file for details.
