
Using Kivred to fetch threat intelligence and find snort rules






Using Kivred to fetch threat intelligence and find snort rules to use it with snort



Before diving into the procedure, let me define some terminology.

TAXII - Trusted Automated eXchange of Indicator Information. A free and open transport mechanism that standardizes the automated exchange of cyber threat information.

STIX - Structured Threat Information Expression. A language for describing cyber threat information in a standardized and structured manner to enable the exchange of cyber threat intelligence (CTI).

http://hailataxii.com/ - Hail a TAXII.com is a repository of Open Source Cyber Threat Intelligence feeds in STIX format.

Kivred – A simple TAXII client that fetches data from a TAXII service provider such as hailataxii.


Indicator – contains a pattern that can be used to detect suspicious or malicious cyber activity.

Observed Data – conveys information observed on a system or network (e.g., an IP address).

TTPs - Tactics, Techniques, and Procedures (e.g., Malware, Attack Pattern).

Note: If Kivred appears to be "Not Responding", this is due to a missing or poor threading implementation. Please wait a couple of minutes; the code is still running in the background.

Snort – A network intrusion detection and prevention system (IDS/IPS).


Now let’s jump right into our objective.
For our first demo, we are going to use the guest.phishtank_com feed.

Check out http://hailataxii.com/ for info.






1. Fill in the form.

2. We found a recent Indicator of type URL Watchlist.

(e.g. This URL:[http://swisscom.myfreesites.net/] was identified by phishtank.com as part of a phishing email. This URL appears to still be online as of 2017-06-14T23:43:59+00:00. More detailed infomation can be found at http://www.phishtank.com/phish_detail.php?phish_id=5049760)


3. Notice the scrollbar and imagine how many results we have gathered, even though, when we filled in the form, we only asked for threat intelligence from June 15 2017 to June 16 2017.




For the next demonstration, we are going to use the guest.EmergingThreats_rules feed.


Notice that this time we did not provide the from and to options.





Examples of Snort rules provided by rules.emergingthreats.net:

alert tcp $HOME_NET any -> 37.187.22.88 32000 (msg:"ET CNC Shadowserver Reported CnC Server Port 32000 Group 1"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405053; rev:3617;)

alert tcp $HOME_NET any -> 154.35.64.54 6768 (msg:"ET CNC Shadowserver Reported CnC Server Port 6768 Group 1"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405038; rev:3617;)




Click on the Observables button.


Click on the TTPs button to see the Tactics, Techniques and Procedures.



Click on the Raw button to see the raw output for more information.



Good to know when using Kivred:
1. You can copy and paste the results into Notepad to search for specific data.
2. Avoid requesting long time spans (from/to range). Connection and chunk-size errors often occur.
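As an added example that is not part of Kivred or this post, here is what a short script can do with the raw STIX output instead of pasting it into Notepad: pull the Snort rules out of the package, drop malformed entries, and keep only the highest rev per sid before writing a local.rules file. It assumes the feed carries its rules as STIX 1.x Snort Test Mechanism elements; the package below is constructed, not a real Hail a TAXII response.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample package, not a real Hail a TAXII response; namespaces follow STIX 1.1.
SNORT_NS = {"snortTM": "http://stix.mitre.org/extensions/TestMechanism#Snort-1"}
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:snortTM="http://stix.mitre.org/extensions/TestMechanism#Snort-1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Indicators>
  <stix:Indicator xsi:type="indicator:IndicatorType">
   <indicator:Test_Mechanisms>
    <indicator:Test_Mechanism xsi:type="snortTM:SnortTestMechanismType">
     <snortTM:Rule><![CDATA[alert tcp $HOME_NET any -> 37.187.22.88 32000 (msg:"ET CNC Shadowserver Reported CnC Server Port 32000 Group 1"; sid:2405053; rev:3617;)]]></snortTM:Rule>
     <snortTM:Rule><![CDATA[alert tcp $HOME_NET any -> 37.187.22.88 32000 (msg:"ET CNC Shadowserver Reported CnC Server Port 32000 Group 1"; sid:2405053; rev:3618;)]]></snortTM:Rule>
     <snortTM:Rule><![CDATA[alert tcp $HOME_NET any -> 154.35.64.54 6768 (msg:"ET CNC Shadowserver Reported CnC Server Port 6768 Group 1"; sid:2405038; rev:3617;)]]></snortTM:Rule>
     <snortTM:Rule><![CDATA[this is not a snort rule and must not reach local.rules]]></snortTM:Rule>
    </indicator:Test_Mechanism>
   </indicator:Test_Mechanisms>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""
# Snort rule header: action, protocol, src, src port, direction, dst, dst port, then "(options)".
RULE_HEADER = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s+\(.*\)\s*$")

def extract_rules(xml_text):
    """Rules carried in SnortTestMechanism elements, in document order (ElementTree unwraps the CDATA)."""
    root = ET.fromstring(xml_text)
    return [e.text.strip() for e in root.iterfind(".//snortTM:Rule", SNORT_NS) if e.text]

def rule_meta(rule):
    """(sid, rev, msg) for a well-formed rule, else None; rev defaults to 0 when absent."""
    sid = re.search(r"\bsid:\s*(\d+)\s*;", rule)
    if not RULE_HEADER.match(rule) or not sid:
        return None
    rev = re.search(r"\brev:\s*(\d+)\s*;", rule)
    msg = re.search(r'\bmsg:\s*"([^"]*)"', rule)
    return int(sid.group(1)), int(rev.group(1)) if rev else 0, msg.group(1) if msg else ""

def dedupe_rules(rules):
    """Keep the highest rev per sid, sorted by sid; malformed entries are dropped so they never poison local.rules."""
    best = {}
    for rule in rules:
        meta = rule_meta(rule)
        if meta is None:
            continue
        sid, rev, _ = meta
        if sid not in best or rev > best[sid][0]:
            best[sid] = (rev, rule)
    return [best[sid][1] for sid in sorted(best)]
```

Writing the result of dedupe_rules to local.rules, one rule per line, gives Snort a file without duplicate sid/gid pairs; the msg field returned by rule_meta is what you would grep for when searching the feed for a specific campaign.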


Kivred is written in Python 3.4.
Help improve it; the project is on GitHub:
https://github.com/CodesInTheShell/kivred/


Denial of grace is not my thing; if you wish to donate, feel free to contact me.
How I wish to see http://intelsecuretech.blogspot.com become www.intelsecuretech.com.




References and more information can be found at the following:
https://www.oasis-open.org/
https://oasis-open.github.io/cti-documentation/
http://hailataxii.com/
https://www.snort.org/



