





Using Kivred to fetch threat intelligence and find Snort rules to use with Snort



Before diving into the procedure, let me define some terminology.

TAXII - Trusted Automated eXchange of Indicator Information. A free and open transport mechanism that standardizes the automated exchange of cyber threat information.

STIX - Structured Threat Information Expression. A language for describing cyber threat information in a standardized and structured manner to enable the exchange of cyber threat intelligence (CTI).

http://hailataxii.com/ - Hail a TAXII.com is a repository of open source cyber threat intelligence feeds in STIX format.

Kivred – A simple TAXII client that fetches data from a TAXII service provider such as hailataxii.


Indicator – contains a pattern that can be used to detect suspicious or malicious cyber activity.

Observed Data – conveys information observed on a system or network (e.g., an IP address).

TTPs - Tactics, Techniques, and Procedures (e.g., Malware, Attack Pattern).

Note: If Kivred appears to be (Not Responding), this is because it has no threading, or only a poor threading implementation. Please wait a couple of minutes; the code is still running in the background.

Snort – A network intrusion detection and prevention system.


Now let’s jump right into our objective.
For our first demo, we are going to use the guest.phishtank_com feed.

Check out http://hailataxii.com/ for info.






1. Fill in the form.

2. We find a recent Indicator of type URL Watchlist.

(e.g. This URL:[http://swisscom.myfreesites.net/] was identified by phishtank.com as part of a phishing email. This URL appears to still be online as of 2017-06-14T23:43:59+00:00. More detailed infomation can be found at http://www.phishtank.com/phish_detail.php?phish_id=5049760)


3. Notice the scrollbar and imagine the number of results we have gathered; remember that when we filled in the form, we only requested threat intelligence from June 15 2017 to June 16 2017.




For the next demonstration, we are going to use the guest.EmergingThreats_rules feed.


Notice that we did not provide the from and to options this time, so the feed is polled without a time window.





Examples of Snort rules provided by rules.emergingthreats.net (each rule is a single line):

alert tcp $HOME_NET any -> 37.187.22.88 32000 (msg:"ET CNC Shadowserver Reported CnC Server Port 32000 Group 1"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405053; rev:3617;)

alert tcp $HOME_NET any -> 154.35.64.54 6768 (msg:"ET CNC Shadowserver Reported CnC Server Port 6768 Group 1"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405038; rev:3617;)
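To show what Kivred is taking apart behind the form, here is an added example (my own code, not Kivred's and not hailataxii's) that parses a STIX 1.x package, pulls out the URL Watchlist indicators from the first demo and the Snort rules from the second, and splits each rule into its header fields and options so the C2 address, sid and message can be used directly. The package is constructed by me in the STIX 1.1.1 / CybOX 2.1 layout and carries the first rule quoted above; the element names and namespaces are my assumption about what the hailataxii feeds emit, and the phishtank title is made up.

```python
"""Parse a STIX 1.x package: URL Watchlist indicators and embedded Snort rules."""
import re
import xml.etree.ElementTree as ET

# STIX 1.x / CybOX 2.x namespaces (assumed to match the hailataxii feeds).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "snortTM": "http://stix.mitre.org/extensions/TestMechanism#Snort-1",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample package (not real feed output): one phishtank-style
# URL Watchlist indicator and one Emerging Threats-style indicator whose
# test mechanism carries the first Snort rule quoted in the post.
SAMPLE_STIX = """<stix:STIX_Package version="1.1.1"
  xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
  xmlns:snortTM="http://stix.mitre.org/extensions/TestMechanism#Snort-1"
  xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Indicators>
  <indicator:Indicator xsi:type="indicator:IndicatorType" timestamp="2017-06-15T10:00:00+00:00">
   <indicator:Title>phishTank.com id:5049760 (constructed sample)</indicator:Title>
   <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">URL Watchlist</indicator:Type>
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
     <URIObj:Value condition="Equals">http://swisscom.myfreesites.net/</URIObj:Value>
    </cybox:Properties>
   </cybox:Object></indicator:Observable>
  </indicator:Indicator>
  <indicator:Indicator xsi:type="indicator:IndicatorType" timestamp="2017-06-15T11:00:00+00:00">
   <indicator:Title>Emerging Threats rule (constructed sample)</indicator:Title>
   <indicator:Test_Mechanisms>
    <indicator:Test_Mechanism xsi:type="snortTM:SnortTestMechanismType">
     <snortTM:Rule>alert tcp $HOME_NET any -> 37.187.22.88 32000 (msg:"ET CNC Shadowserver Reported CnC Server Port 32000 Group 1"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405053; rev:3617;)</snortTM:Rule>
    </indicator:Test_Mechanism>
   </indicator:Test_Mechanisms>
  </indicator:Indicator>
 </stix:Indicators>
</stix:STIX_Package>
"""

# key:value; pairs, where a value is either a quoted string (may contain ';') or bare text.
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]+)\s*;')


def parse_snort_rule(rule):
    """Split a one-line Snort rule into header fields plus selected options.
    Repeated options (reference, flowbits) are kept as ordered lists."""
    header, sep, body = rule.partition("(")
    if not sep or not body.rstrip().endswith(")"):
        raise ValueError("rule has no option block: %r" % rule)
    parts = header.split()
    if len(parts) != 7:
        raise ValueError("unexpected rule header: %r" % header)
    action, proto, src, sport, direction, dst, dport = parts
    options = {}
    for key, value in OPTION_RE.findall(body):
        options.setdefault(key, []).append(value.strip().strip('"'))
    if "sid" not in options:
        raise ValueError("rule without sid: %r" % rule)
    return {
        "action": action, "proto": proto, "src": src, "sport": sport,
        "direction": direction, "dst": dst, "dport": dport,
        "sid": int(options["sid"][0]),
        "rev": int(options.get("rev", ["0"])[0]),
        "msg": options.get("msg", [""])[0],
        "references": options.get("reference", []),
    }


def url_watchlist(root):
    """Return (title, url) pairs for every indicator typed 'URL Watchlist'."""
    hits = []
    for ind in root.iterfind(".//indicator:Indicator", NS):
        if ind.findtext("indicator:Type", default="", namespaces=NS).strip() != "URL Watchlist":
            continue
        title = ind.findtext("indicator:Title", default="", namespaces=NS).strip()
        for value in ind.iterfind(".//URIObj:Value", NS):
            hits.append((title, (value.text or "").strip()))
    return hits


def snort_rules(root):
    """Return the rule text of every Snort test mechanism, whitespace collapsed."""
    rules = []
    for tm in root.iterfind(".//indicator:Test_Mechanism", NS):
        if not tm.get(XSI_TYPE, "").endswith("SnortTestMechanismType"):
            continue
        for rule in tm.iterfind("snortTM:Rule", NS):
            rules.append(" ".join((rule.text or "").split()))
    return rules


def extract(xml_text):
    """Package text -> URL indicators and parsed Snort rules."""
    root = ET.fromstring(xml_text)
    return {"urls": url_watchlist(root),
            "rules": [parse_snort_rule(r) for r in snort_rules(root)]}


if __name__ == "__main__":
    result = extract(SAMPLE_STIX)
    for title, url in result["urls"]:
        print("URL Watchlist:", url, "--", title)
    for r in result["rules"]:
        print("Snort sid %d -> %s:%s  %s" % (r["sid"], r["dst"], r["dport"], r["msg"]))
```

The parsed rule dictionaries are what you would feed into a local rules file or a block list, and the `dst` field is exactly the reported C2 address the ET rule alerts on. Feeding a real hailataxii poll response in is just a matter of passing the content block's STIX body to `extract`.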




Click on the Observables button.


Click on the TTPs button to see the Tactics, Techniques and Procedures.



Click on the Raw button to see the raw output for more information.



Good to know when using Kivred:
1. You can copy and paste the results into Notepad to search for specific data.
2. Avoid requesting a long period of time in one go; connection and chunk size errors often occur.
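As an added example for tip 2 (my own code, not Kivred's), the following builds TAXII 1.1 Poll_Request messages one day at a time, so that a long date range is fetched as a series of short polls instead of one large response that can trip the connection and chunk size errors. The message layout and HTTP headers are my reading of the TAXII 1.1 message and HTTP bindings, and the poll URL is left for the caller to supply rather than assumed.

```python
"""Build TAXII 1.1 Poll_Request messages in day-sized windows."""
from datetime import datetime, timedelta
import urllib.request
import uuid
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
ET.register_namespace("taxii_11", TAXII_NS)

# Headers for a TAXII 1.1 poll over the HTTP binding (assumed from the
# TAXII 1.x specifications, not copied from Kivred).
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:http:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def split_window(begin_iso, end_iso, step_days=1):
    """Cut [begin, end] into consecutive windows of at most step_days each.
    Returns ISO-8601 (begin, end) pairs; the last window may be shorter."""
    begin = datetime.fromisoformat(begin_iso)
    end = datetime.fromisoformat(end_iso)
    if begin >= end:
        raise ValueError("begin must be earlier than end")
    step = timedelta(days=step_days)
    windows, cur = [], begin
    while cur < end:
        nxt = min(cur + step, end)
        windows.append((cur.isoformat(), nxt.isoformat()))
        cur = nxt
    return windows


def _tag(name):
    return "{%s}%s" % (TAXII_NS, name)


def poll_request(collection, begin_iso, end_iso):
    """Serialize one TAXII 1.1 Poll_Request for a collection and time window."""
    req = ET.Element(_tag("Poll_Request"),
                     {"message_id": uuid.uuid4().hex, "collection_name": collection})
    ET.SubElement(req, _tag("Exclusive_Begin_Timestamp")).text = begin_iso
    ET.SubElement(req, _tag("Inclusive_End_Timestamp")).text = end_iso
    params = ET.SubElement(req, _tag("Poll_Parameters"), {"allow_asynch": "false"})
    ET.SubElement(params, _tag("Response_Type")).text = "FULL"
    return ET.tostring(req, encoding="unicode")


def daily_poll_requests(collection, begin_iso, end_iso):
    """One Poll_Request per day-sized window, to be POSTed in sequence."""
    return [poll_request(collection, b, e) for b, e in split_window(begin_iso, end_iso)]


def send_poll(poll_url, xml_text, timeout=60):
    """POST one Poll_Request to the service's poll URL; returns the raw response body.
    poll_url is whatever the provider documents (not hard-coded here)."""
    req = urllib.request.Request(poll_url, data=xml_text.encode("utf-8"),
                                 headers=TAXII_HEADERS, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # The same June 15 to June 16 2017 window used in the first demo.
    for xml in daily_poll_requests("guest.phishtank_com",
                                   "2017-06-15T00:00:00+00:00",
                                   "2017-06-16T00:00:00+00:00"):
        print(xml)
```

Each request carries its own window, so a failed or truncated day can be retried alone, and the responses can be concatenated on the client side. Python 3.7 or newer is needed for `datetime.fromisoformat`.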


Kivred is written in Python 3.4.
Help improve it; the project is on GitHub:
https://github.com/CodesInTheShell/kivred/


Denial of grace is not my thing; if you wish to donate, feel free to contact me.
How I wish to see http://intelsecuretech.blogspot.com become www.intelsecuretech.com.




References and more information can be found on the following:
https://www.oasis-open.org/
https://oasis-open.github.io/cti-documentation/
http://hailataxii.com/
https://www.snort.org/



