THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
For this example we will be using a Zeus malware tracker list located here: https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist.
- Log into the $HOST_WITH_ENRICHMENT_TAG as root
- Lets copy the contents from that link to Copy the data form the above link into a file called domainblocklist.txt on your VM..csv
Run the following command to parse the above file to a csv file called domainblocklist.csvcat domainblocklist.txt | grep -v "^#" | grep -v "^$" | grep -v "^https" | awk '{print
curl https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist | grep -v "^#" | grep -v "^$" | grep -v "^https" | awk '{print$1",abuse.
ch”ch"}'
>
domainblocklist.csv
Step 3: Configure an Extractor Config File
- Log into the $HOST_WITH_ENRICHMENT_TAG as root
- Now that we have the "Threat Intel Feed Source" , we need to now configure an extractor config file that describes the the source. Create a file called extractor_config_temp.json and put the following contents in it.
{
"config":
{
"columns":
{
"domain":
0
,"source":
1
}
,"indicator_column":
"domain"
,"type":
"zeusList"
,"separator":
","
}
,"extractor":
"CSV"
} - Run the following to remove the non-ascii characters we run the following:
iconv -c -f utf-8 -t ascii extractor_config_temp.json -o extractor_config.json
...
We now have to configure what element of a tuple and what threat intel feed to cross-reference with.This configuration will be stored in zookeeper.
The config looks like the following:
...
- Log into the $HOST_WITH_ENRICHMENT_TAG as root
- Cut and paste this file into a file called "enrichment_config_temp.json" .
{
"zkQuorum" : "$ZOOKEEPER_HOST:2181"
,"sensorToFieldList"
...
:
...
{
"squid" : {
"type" : "THREAT_INTEL"
,"fieldToEnrichmentTypes"
...
:
...
{
"domain_without_subdomains" : [ "zeusList" ]
}
}
}
}
- Because copying and pasting from this blog will include some non-ascii invisible characters, to strip them out please run
iconv
...
-c
...
-f
...
utf-8
...
-t
...
ascii
...
enrichment_config_temp.json
...
-o
...
enrichment_config.json
...
iconv -c -f utf-8 -t ascii enrichment_config_temp.json -o enrichment_config.json
Step 5: Run the Threat Intel Loader
Now that we have the threat intel source, threat intel exractor and threat intel mapping config defined, we can now run the loader to move the data from the threat intel source to the Metron threat intel Store and store the enrichment config in zookeeper.
- Log into the $HOST_WITH_ENRICHMENT_TAG as root
- Run the loader
/usr/metron/
...
$METRON_RELEASE/bin/flatfile_loader.sh
...
-n
...
enrichment_config.json
...
-i
...
domainblocklist.csv
...
-t
...
threatintel
...
-c
...
t
...
-e
...
extractor_config.json
...
- After this, the threat intel data will be loaded in Hbase and a Zookeeper mapping will be established. The data will be populated into Hbase table called threatintel. To verify that the logs were properly ingested into Hbase run the following command:
hbase
...
shell
...
scan
...
'threatintel'
...
- You should see the table bulk loaded with data from the CSV file. Now check if Zookeeper enrichment tag was properly populated:
/usr/metron/
...
$METRON_RELEASE/bin/zk_load_configs.sh
...
-m DUMP -z
...
$ZOOKEEPER_HOST:2181
- Generate some data by using the squid client to execute http requests (do this about 20 times)
squidclient
...
...
...
Step 5: View the Threat Alerts in Metron UI
...