base repository: tenzir/threatbus
base: 5cba3694883cb07c2d7b6004742602870a0c01bd
head repository: tenzir/threatbus
compare: 90b452fc39207e6d6bb8d13fc8a7655744fc9284
Showing with 12 additions and 6 deletions.
  1. +2 −1 apps/zeek/threatbus.zeek
  2. +7 −4 plugins/apps/threatbus_misp/threatbus_misp/plugin.py
  3. +3 −1 plugins/apps/threatbus_zeek/threatbus_zeek/plugin.py
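--- a/apps/zeek/threatbus.zeek
+++ b/apps/zeek/threatbus.zeek
@@ -119,7 +119,8 @@ event zeek_init() &priority=1
 {
 if ( log_operations )
 {
-Reporter::info(fmt("subscribing to management topic %s", management_topic));
+Reporter::info(fmt("subscribing to management topic %s with snapshot request for %s",
+management_topic, snapshot_intel));
 Reporter::info(fmt("reporting noisy intel at %d matches/sec",
 noisy_intel_threshold));
 }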
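--- a/plugins/apps/threatbus_misp/threatbus_misp/plugin.py
+++ b/plugins/apps/threatbus_misp/threatbus_misp/plugin.py
@@ -220,7 +220,7 @@ def validate_config(config: Subview):
 @threatbus.app
 def snapshot(snapshot_request: SnapshotRequest, result_q: JoinableQueue):
 global logger, misp, lock, filter_config
-if snapshot_request.snapshot_type != MessageType.INTEL:
+if snapshot_request.snapshot_type != MessageType.INDICATOR:
 logger.debug("Sighting snapshot feature not yet implemented.")
 return # TODO sighting snapshot not yet implemented
 if not misp:
@@ -256,13 +256,16 @@ def snapshot(snapshot_request: SnapshotRequest, result_q: JoinableQueue):
 if not data:
 continue
 for attr in data["Attribute"]:
-intel = attribute_to_stix2_indicator(attr, "add", logger)
-if intel:
+try:
+ioc = attribute_to_stix2_indicator(attr, "add", logger)
+except Exception as e:
+logger.warn(f"Failed to parse MISP attribute {attr}: {e}")
+if ioc:
 result_q.put(
 SnapshotEnvelope(
 snapshot_request.snapshot_type,
 snapshot_request.snapshot_id,
-intel,
+ioc,
 )
 )
 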
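Review bot: The new `except` branch in the second hunk logs the failure but then falls through to `if ioc:`, so unless `ioc` is initialised earlier in the function an exception on the first attribute raises UnboundLocalError, and on a later attribute it re-enqueues the previous attribute's indicator as a duplicate; add `continue` directly after the `logger.warn(...)` line. `logger.warn` is a deprecated alias of `logger.warning`, which is the supported spelling. The message interpolates the whole `attr`, which for a MISP attribute presumably carries the indicator value itself; if the log sink is less protected than the MISP feed (TLP-restricted attributes, for instance), consider logging only the attribute's `uuid`/`id` together with the exception. The enclosing `snapshot` body continues outside this hunk on both sides.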
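--- a/plugins/apps/threatbus_zeek/threatbus_zeek/plugin.py
+++ b/plugins/apps/threatbus_zeek/threatbus_zeek/plugin.py
@@ -74,7 +74,9 @@ def manage_subscription(self, task: Union[Subscription, Unsubscription]):
 global lock, subscriptions
 if type(task) is Subscription:
 # point-to-point topic and queue for that particular subscription
-logger.info(f"Received subscription for topic: {task.topic}")
+logger.info(
+f"Received subscription for topic '{task.topic}' with snapshot '{task.snapshot}'"
+)
 p2p_topic = task.topic + self.rand_string(self.rand_suffix_length)
 p2p_q = JoinableQueue()
 ack = broker.zeek.Event(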