SHIPS OF THE GODS, KINGS, & OF THE PEOPLE. Web server endpoints to ship desired data across the realms
Version 1.0.1
Learning coding as I go and I know there are better ways to code this but here is my version of it.
Barque uses AlienVault's Open Threat Exchange (OTX) to gather threat intel data on IPs, domains, hashes and CVEs. It is used to enrich Blue Team logs such as firewall, email, DNS, AV and EDR logs with IOC context, as part of an Operational Threat Intelligence program for an organization.
- Ping: service status. `/server/ping`
- IP: query OTX for threat intel data on specific IP(s). `/threatintel/ip`
- Hash: query OTX for threat intel data on specific hash(es). `/threatintel/hash`
- Domain: query OTX for threat intel data on specific domain(s). `/threatintel/domain`
- CVE: query OTX for threat intel data on specific CVE(s). `/threatintel/cve`
- Firewall logs: inbound & outbound external IPs - Enrich firewall logs with Threat Intel
- DNS logs: Domain queries - Enrich DNS logs with Threat Intel
- AV/EDR logs: File hashes - Enrich AV/EDR alerts with Threat Intel info on specific hashes
- Log enrichment can be done during log ingestion into the SIEM, or the Barque response can be stored in a DB for later querying
- Research of specific IOCs using AlienVault OTX by sending POST requests
- The server can be queried via curl/python/bash or manually with Postman (see the configuration file and the Postman collection under `resources`)
- IOC and type
- Pulse count: how many OTX Pulses this specific IOC appears in
- Associated IPs, Hashes, Domains, URLs, Emails and their counts
- Reference Links
- GEO info for IOC
- CVE Details
- Full OTX Intel dump
- Reverse Proxy - Nginx
- Containers - Docker
- docker, docker-compose
Follow the steps below to get the app running.

1. Clone the repository

```bash
$ git clone https://github.com/nonameyo/ThreatIntel-Barque.git
```

2. Obtain an API key from OTX

- OTX requires an API key to perform searches. A free API key can be obtained from the OTX console by creating a free account. See AlienVault's site for a how-to.
- Add your OTX API key in `config.py` (`services/investigate-server/app/config.py`):

```python
API_KEY = 'KEY_HERE'
```

3. Run the app

```bash
$ cd ThreatIntel-Barque
$ docker-compose -f docker-compose-prod.yml build
$ docker-compose -f docker-compose-prod.yml up -d
```

Build App (--no-cache)

```bash
$ docker-compose -f docker-compose-prod.yml build --no-cache
```

Print Logs

```bash
$ docker-compose -f docker-compose-prod.yml logs
```

or, for a single container:

```bash
$ docker-compose -f docker-compose-prod.yml logs {container name}
```
- Make a GET request to `/server/ping`. The JSON response should look like:

```json
{ "status": "success", "message": "barque-investigate-server - active" }
```

- Make a POST request to `/threatintel/ip` with JSON in the body. It should look like:

```json
{ "ip": ["209.99.40.222"] }
```

- cURL:

```bash
curl -X POST http://Barque/threatintel/ip -H "Content-Type: application/json" -d '{"ip":["209.99.40.222"]}'
```

- Python Requests:

```python
import requests

url = "http://Barque/threatintel/ip"
payload = {"ip": ["209.99.40.222"]}
headers = {"Content-Type": "application/json", "cache-control": "no-cache"}

# json= serialises the dict and sends it as the request body
response = requests.request("POST", url, json=payload, headers=headers)
print(response.text)
```

- Make a POST request to `/threatintel/hash` with JSON in the body. It should look like:

```json
{ "hash": ["db349b97c37d22f5ea1d1841e3c89eb4"] }
```

- cURL:

```bash
curl -X POST http://Barque/threatintel/hash -H "Content-Type: application/json" -d '{"hash":["db349b97c37d22f5ea1d1841e3c89eb4"]}'
```

- Python Requests:

```python
import requests

url = "http://Barque/threatintel/hash"
payload = {"hash": ["db349b97c37d22f5ea1d1841e3c89eb4"]}
headers = {"Content-Type": "application/json", "cache-control": "no-cache"}

response = requests.request("POST", url, json=payload, headers=headers)
print(response.text)
```

- Make a POST request to `/threatintel/domain` with JSON in the body. It should look like:

```json
{ "domain": ["iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"] }
```

- cURL:

```bash
curl -X POST http://Barque/threatintel/domain -H "Content-Type: application/json" -d '{"domain":["iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"]}'
```

- Python Requests:

```python
import requests

url = "http://Barque/threatintel/domain"
payload = {"domain": ["iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"]}
headers = {"Content-Type": "application/json", "cache-control": "no-cache"}

response = requests.request("POST", url, json=payload, headers=headers)
print(response.text)
```

- Make a POST request to `/threatintel/cve` with JSON in the body. It should look like:

```json
{ "cve": ["CVE-2017-0143"] }
```

- cURL:

```bash
curl -X POST http://Barque/threatintel/cve -H "Content-Type: application/json" -d '{"cve":["CVE-2017-0143"]}'
```

- Python Requests:

```python
import requests

url = "http://Barque/threatintel/cve"
# the body key is "cve", matching the endpoint, not the CVE id itself
payload = {"cve": ["CVE-2017-0143"]}
headers = {"Content-Type": "application/json", "cache-control": "no-cache"}

response = requests.request("POST", url, json=payload, headers=headers)
print(response.text)
```
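As an added example (not code from the ThreatIntel-Barque project), the log-enrichment use case from the list above combined with the request format of the `/threatintel` endpoints: a small client that pulls external IPs, domains and hashes out of constructed firewall/DNS/EDR log lines, batches them per endpoint and POSTs each batch to Barque. The base URL `http://Barque`, the sample log lines and the injectable `post` transport are assumptions, not part of the project.

```python
import ipaddress
import json
import re
import urllib.request

# Assumed base URL: the Nginx reverse proxy host used in the README examples.
BARQUE_URL = "http://Barque"

# Constructed sample lines: one firewall, one DNS and one EDR event.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw action=deny src=10.0.0.5 dst=209.99.40.222 dport=443",
    "2024-05-01T10:00:02Z dns client=10.0.0.7 qname=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "2024-05-01T10:00:03Z edr host=ws01 md5=db349b97c37d22f5ea1d1841e3c89eb4 verdict=quarantined",
]

HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_iocs(lines):
    """Collect IOCs from raw log lines, keyed by Barque endpoint type (ip/hash/domain).
    Private and other non-routable IPs are dropped: only external addresses are worth a lookup."""
    found = {"ip": set(), "hash": set(), "domain": set()}
    for line in lines:
        found["hash"].update(h.lower() for h in HASH_RE.findall(line))
        found["domain"].update(d.lower() for d in DOMAIN_RE.findall(line))
        for ip in IP_RE.findall(line):
            try:
                if ipaddress.ip_address(ip).is_global:
                    found["ip"].add(ip)
            except ValueError:
                pass  # e.g. 999.1.1.1 matches the regex but is not an address
    return {kind: sorted(vals) for kind, vals in found.items() if vals}


def _post_json(url, payload):
    """Default transport: POST a JSON body and decode the JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def enrich(iocs, base_url=BARQUE_URL, post=_post_json):
    """One batched request per IOC type, e.g. POST /threatintel/ip with {"ip": [...]}.
    `post` is injectable so the batching can be checked without a running server."""
    return {kind: post(f"{base_url}/threatintel/{kind}", {kind: values})
            for kind, values in iocs.items()}


if __name__ == "__main__":
    print(json.dumps(enrich(extract_iocs(SAMPLE_LOGS)), indent=2))
```

The returned dict can be written back to the SIEM event or stored in a DB for later querying, as the use-case list above suggests.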
Project structure

```
├── README.md
├── docker-compose-dev.yml
├── docker-compose-prod.yml
├── resources
│   └── Barque.postman_collection.json
└── services
    ├── investigate-server
    │   ├── app
    │   │   ├── common
    │   │   │   ├── middleware.py
    │   │   │   ├── multiregex.py
    │   │   │   └── __pycache__
    │   │   │       ├── middleware.cpython-36.pyc
    │   │   │       └── multiregex.cpython-36.pyc
    │   │   ├── config.py
    │   │   ├── __init__.py
    │   │   ├── __pycache__
    │   │   │   ├── config.cpython-36.pyc
    │   │   │   ├── __init__.cpython-36.pyc
    │   │   │   └── server.cpython-36.pyc
    │   │   └── server.py
    │   ├── Dockerfile
    │   └── requirements.txt
    └── nginx
        ├── dev.conf
        ├── Dockerfile-dev
        ├── Dockerfile-prod
        └── prod.conf
```
Thanks for reading! Follow me on Twitter