VAST Plugin

The Threat Bus VAST plugin enables communication with the network telemetry engine VAST. Since VAST cannot directly communicate with Threat Bus, a wrapper script is used that implements all the (un)subscription logic via ZeroMQ.

The plugin makes the following deployment assumptions:

  1. Indicators of compromise (IoCs) are published on the Threat Bus topic threatbus/intel.
  2. VAST threat intel matching is enabled and can match IoCs.

With the help of this plugin and the respective VAST bridge, VAST subscribes to the topic threatbus/intel where it receives IoC updates that apply to the VAST threat intel data format.

After an IoC match, VAST generates a sighting and passes it to Threat Bus. Sightings are published to the topic threatbus/sighting. Plugins that consume sightings, such as the MISP plugin, can subscribe to this topic.

Installation

Install VAST before proceeding with the installation of the VAST bridge or the plugin.

It is recommended to use a virtual environment for the installation. Set it up as follows.

virtualenv venv
source venv/bin/activate

The wrapper script (bridge) has its own requirements.txt. After downloading that file, install the requirements via pip.

curl -L -o requirements.txt https://raw.githubusercontent.com/tenzir/threatbus/master/apps/vast/requirements.txt
pip install -r requirements.txt

The plugin itself is published as a PyPI package. All required dependencies are installed automatically along with the plugin.

pip install threatbus-vast

Configuration

The plugin starts three listening ZeroMQ endpoints. Their listening characteristics can be configured as follows.

...
plugins:
  apps:
    vast:
      zmq:
        host: "127.0.0.1"
        manage: 13370
        pub: 13371
        sub: 13372
...

The manage endpoint handles (un)subscriptions, the pub endpoint publishes new messages to all subscribers, and the sub endpoint is where subscribers report sightings. See the Communication Flow section for details about these endpoints.

Threat Bus VAST Bridge

Threat Bus is a publish-subscribe broker for threat intelligence. It is expected that applications register themselves at the bus. Since VAST cannot do so on its own (yet), vast-bridge.py implements that functionality in the meantime.

The bridge provides a thin layer around PyVAST, VAST's Python CLI bindings. It facilitates message exchange between Threat Bus and a VAST instance.

Usage

The bridge has to be provided with the manage endpoint of the plugin to subscribe to Threat Bus. For example, an invocation of the bridge could look as follows.

python vast-bridge.py --threatbus="localhost:13370" --snapshot=30

The above call tells the VAST bridge to contact Threat Bus on localhost:13370 and to request a snapshot covering the last 30 days.

Use the help command to list all available options of the VAST bridge.

python vast-bridge.py --help

Communication Flow

The VAST plugin provides three endpoints for subscribers. The bridge only requires the manage endpoint at startup; it learns about the remaining endpoints dynamically during the subscription process.

Threat Bus (or rather, the Threat Bus VAST plugin) creates a unique queue and topic for each new subscriber, i.e., for each VAST bridge instance. On successful registration, Threat Bus sends the topic name to the subscriber. Subscribers then bind to the pub endpoint using that topic.

The snapshot feature only works reliably due to those dedicated topics. Without them, every subscriber would potentially see the requested snapshot data of other subscribers.

Once a bridge has subscribed, it acts as a very thin message mapping layer. Incoming intelligence data (IoCs) is mapped to PyVAST calls, and new IoCs are ingested into VAST. Matched IoCs (sightings) are mapped back and sent to Threat Bus on the sub endpoint.
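The registration and snapshot flow just described, as an added in-process Python model (example code, not the plugin's or the bridge's own implementation). The JSON field names (action, topic, snapshot, pub_port, sub_port), the random hex per-subscriber topic names and the sample IoCs are assumptions; the model replaces the ZeroMQ sockets with direct method calls so it runs offline, and shows why a dedicated topic per subscriber keeps one bridge's snapshot from reaching another.

```python
import json
import secrets
from collections import defaultdict

class VastPluginModel:
    # Stand-in for the plugin's manage/pub/sub endpoint logic (no ZeroMQ).
    def __init__(self, history, pub_port=13371, sub_port=13372):
        self.history = history              # past IoCs available for snapshots (constructed)
        self.pub_port, self.sub_port = pub_port, sub_port
        self.subscribers = {}               # dedicated topic -> Threat Bus topic subscribed to
        self.delivered = defaultdict(list)  # dedicated topic -> messages sent on pub endpoint
        self.sightings = []                 # messages received on the sub endpoint

    def handle_manage(self, raw):
        """Handle one request on the manage endpoint; reply shape is an assumption."""
        req = json.loads(raw)
        if req.get("action") == "subscribe":
            # One unguessable topic per subscriber: snapshot data requested by this
            # bridge is published only here, never on another subscriber's topic.
            p2p_topic = secrets.token_hex(16)
            self.subscribers[p2p_topic] = req["topic"]
            if req.get("snapshot", 0) > 0:
                self.delivered[p2p_topic].extend(self.history)
            return json.dumps({"topic": p2p_topic, "pub_port": self.pub_port, "sub_port": self.sub_port})
        if req.get("action") == "unsubscribe":
            self.subscribers.pop(req["topic"], None)
            return json.dumps({"status": "success"})
        return json.dumps({"status": "error"})

    def publish(self, topic, ioc):
        """Fan a live IoC out to every subscriber of `topic` via its dedicated topic."""
        for p2p_topic, wanted in self.subscribers.items():
            if wanted == topic:
                self.delivered[p2p_topic].append(ioc)

    def receive_sighting(self, raw):
        """Accept a sighting that a bridge reports on the sub endpoint."""
        self.sightings.append(json.loads(raw))

def demo():
    """Two bridges register; only the one asking for a snapshot receives history."""
    plugin = VastPluginModel(history=[{"ioc": "198.51.100.7", "type": "ip"}])  # constructed
    a = json.loads(plugin.handle_manage(json.dumps(
        {"action": "subscribe", "topic": "threatbus/intel", "snapshot": 30})))
    b = json.loads(plugin.handle_manage(json.dumps(
        {"action": "subscribe", "topic": "threatbus/intel", "snapshot": 0})))
    plugin.publish("threatbus/intel", {"ioc": "203.0.113.9", "type": "ip"})
    plugin.receive_sighting(json.dumps({"ioc": "203.0.113.9", "context": "vast-match"}))
    return plugin, a, b
```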