The Threat Bus VAST plugin enables communication with the network telemetry engine VAST. Since VAST cannot directly communicate with Threat Bus, a wrapper script is used that implements all the (un)subscription logic via ZeroMQ.
The plugin makes the following deployment assumptions:
- Indicators of compromise (IoCs) are published on the Threat Bus topic
- VAST threat intel matching is enabled and can match IoCs.
With the help of this plugin and the respective VAST bridge, VAST subscribes to the topic threatbus/intel, where it receives IoC updates that apply to the VAST threat intel data format.
After an IoC match, VAST generates a sighting and passes it to Threat Bus. Sightings are published to the topic threatbus/sighting. Plugins that consume sightings, such as the MISP plugin, can subscribe to this topic.
Install VAST before proceeding with the installation of the VAST bridge or the plugin.
It is recommended to use a virtual environment for the installation. Set it up as follows.
The wrapper script (bridge) has its own
After downloading it, install it via
The plugin itself is published as a PyPI package. All required dependencies are installed automatically when installing the plugin.
The plugin starts three listening ZeroMQ endpoints. The endpoint characteristics for listening can be configured as follows.
The manage endpoint is used for handling (un)subscriptions, the is used to publish new messages to all subscribers, and the sub endpoint is used by subscribers to report sightings to. Check out the Communication Flow section for details about these endpoints.
Threat Bus VAST Bridge
Threat Bus is a publish-subscribe broker for threat intelligence. Applications are expected to register themselves with the bus. Since VAST cannot do so on its own (yet), vast-bridge.py implements that functionality in the meantime.
The bridge provides a thin layer around PyVAST, VAST's Python CLI bindings. It facilitates message exchange between Threat Bus and a VAST instance.
The bridge has to be provided with the manage endpoint of the plugin to subscribe to Threat Bus. For example, an invocation of the bridge could look as
The above call tells the VAST bridge to contact Threat Bus on
and request a snapshot for 30 days.
help command to list all available options of the VAST bridge.
The VAST plugin provides three endpoints for subscribers. The bridge only needs the manage endpoint at startup and learns about the other two dynamically during the subscription process.
Threat Bus (or rather, the Threat Bus VAST plugin) creates a unique queue and topic for each new subscriber (VAST bridge instance). On registration success, Threat Bus sends the topic name to the subscriber. Subscribers then bind to the pub endpoint using that topic.
The snapshot feature only works reliably because of those dedicated topics. Without them, every subscriber could see the snapshot data that other subscribers requested.
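The subscription flow described above, as an added in-process model that is not part of the plugin or bridge code: the manage endpoint hands each bridge its own topic, the pub side mimics ZeroMQ's prefix-based SUB filter, and the sub side only accepts sightings from registered bridges; running it with dedicated_topics=False reproduces the snapshot leak that the dedicated topics prevent. The topic naming scheme, the message shapes and the names VastPluginModel and run_flow are assumptions.

```python
import uuid
from types import SimpleNamespace

class VastPluginModel:
    """In-process model of the plugin's manage/pub/sub endpoints (assumption: no ZeroMQ)."""
    def __init__(self, dedicated_topics=True):
        self.dedicated_topics = dedicated_topics
        self.subscribers, self.intel_log, self.sightings = [], [], []

    def subscribe(self, b, snapshot=False):
        # manage endpoint: register the bridge, assign its topic, replay a snapshot
        b.topic = (f"threatbus/intel/{uuid.uuid4()}" if self.dedicated_topics
                   else "threatbus/intel")  # exact naming scheme is an assumption
        self.subscribers.append(b)
        for ioc in self.intel_log if snapshot else []:
            self._publish(b.topic, ioc)  # the snapshot is published on this topic only
        return b.topic

    def unsubscribe(self, b):  # manage endpoint: drop the bridge from the fan-out list
        self.subscribers = [s for s in self.subscribers if s is not b]

    def _publish(self, topic, payload):
        # pub endpoint: ZeroMQ-style prefix filter, deliver where the envelope starts with s.topic
        for s in self.subscribers:
            if topic.startswith(s.topic):
                s.inbox.append(payload)

    def publish_intel(self, ioc):
        # a new IoC from the bus is fanned out once per distinct subscriber topic
        self.intel_log.append(ioc)
        for topic in {s.topic for s in self.subscribers}:
            self._publish(topic, ioc)

    def report_sighting(self, b, sighting):
        # sub endpoint: accept sightings only from a currently registered bridge
        if b in self.subscribers:
            self.sightings.append((b.name, sighting))
        return b in self.subscribers

def run_flow(dedicated_topics):
    """Bridge A is subscribed from the start; B joins later and asks for a snapshot."""
    plugin = VastPluginModel(dedicated_topics)
    a, b = [SimpleNamespace(name=n, topic=None, inbox=[]) for n in ("bridge-a", "bridge-b")]
    plugin.subscribe(a)
    plugin.publish_intel({"type": "ipv4-addr", "value": "198.51.100.7"})  # constructed IoC
    plugin.subscribe(b, snapshot=True)
    plugin.report_sighting(b, {"ioc": "198.51.100.7", "matched_by": b.name})  # constructed
    plugin.unsubscribe(a)  # a stale bridge must no longer be able to report sightings
    return {"a_inbox": len(a.inbox), "b_inbox": len(b.inbox), "sightings": len(plugin.sightings),
            "stale_report_accepted": plugin.report_sighting(a, {"ioc": "x"})}
```

With dedicated topics, bridge A sees the IoC once and B's snapshot reaches only B; with a shared topic, A receives B's snapshot replay as a duplicate.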
Once a bridge has subscribed, it can be considered a very thin message mapping layer. Incoming intelligence data (IoCs) is mapped to PyVAST calls, and new IoCs are ingested. Matched IoCs (sightings) are mapped and sent back to Threat Bus on the