The plugin makes the following deployment assumptions:
- Indicators of compromise (IoCs) are published on the Threat Bus topic.
- The Zeek Intelligence Framework is enabled and can match IoCs.
With the help of this plugin and the respective Zeek script, Zeek subscribes to the topic threatbus/intel, where it receives IoC updates that apply to the intelligence framework data. After an IoC match, Zeek generates a sighting and passes it to Threat Bus. Sightings are published to the topic threatbus/sighting. Plugins that consume sightings, such as the MISP plugin, can subscribe to this topic.
The plugin uses the Broker python bindings for native interaction with Zeek. Broker and the Python bindings need to be installed on the Threat Bus host system to use this plugin. Please consult the official Broker documentation for installation instructions.
Once the prerequisites are met, install the Zeek plugin via pip.
The plugin starts a listening Broker endpoint. The endpoint characteristics for listening can be configured as follows.
The last parameter, module_namespace: Tenzir, is required for Zeek's messaging
Threat Bus Zeek Script
Threat Bus is a pub/sub broker for threat intelligence data. Applications, like Zeek, have to register themselves at the bus. Zeek cannot communicate with Threat Bus out of the box, but we provide a Zeek script that adds the ability for Zeek to communicate with Threat Bus.
The script can be configured via certain options for setting topic names or requesting an intel snapshot, as follows.
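The following Zeek script is an added example of the exchange described in this page (subscribe to threatbus/intel, feed updates into the Intelligence Framework, publish a sighting on threatbus/sighting after a match) and of the kind of options the script exposes (topic names, snapshot request). It is not the Threat Bus project's own script. The event names (Tenzir::intel_update, Tenzir::sighting, Tenzir::snapshot_request), the Indicator record layout, and the host/port of the plugin's listening Broker endpoint are assumptions; the real wire format is defined by the plugin and its script.

```zeek
# Added example, not the Threat Bus project's own zeek script.
# Assumptions (not taken from the page): the event names Tenzir::intel_update,
# Tenzir::sighting and Tenzir::snapshot_request, the Indicator record layout,
# and the host/port of the plugin's listening Broker endpoint.

@load base/frameworks/broker
@load base/frameworks/intel

module Tenzir;

export {
    ## Topic on which Threat Bus publishes IoC updates.
    option intel_topic = "threatbus/intel";
    ## Topic on which this script publishes sightings.
    option sighting_topic = "threatbus/sighting";
    ## Ask Threat Bus for a snapshot of already-known intel after peering.
    option request_snapshot = F;
    ## Endpoint of the Threat Bus Zeek plugin (assumed; match the plugin config).
    option threatbus_host = "127.0.0.1";
    option threatbus_port = 47761/tcp;

    ## Assumed shape of one IoC update carried on the intel topic.
    type Indicator: record {
        id: string;                # Threat Bus identifier of the IoC
        kind: string;              # "ADDR", "DOMAIN", "URL" or "FILE_HASH"
        value: string;             # the indicator itself
        source: string;            # originating feed/plugin
        remove: bool &default=F;   # T revokes the indicator
    };

    global intel_update: event(ind: Indicator);
    global sighting: event(ts: time, intel_id: string, context: string);
    global snapshot_request: event(topic: string);
}

## Keep the Threat Bus id with every inserted intel item so that a match can
## be reported against it.
redef record Intel::MetaData += {
    threatbus_id: string &optional;
};

## Map the textual kind from the wire to the Intel framework's enum.
const indicator_types: table[string] of Intel::Type = {
    ["ADDR"] = Intel::ADDR,
    ["DOMAIN"] = Intel::DOMAIN,
    ["URL"] = Intel::URL,
    ["FILE_HASH"] = Intel::FILE_HASH
};

event zeek_init()
    {
    Broker::subscribe(intel_topic);
    Broker::peer(threatbus_host, threatbus_port);
    }

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
    {
    if ( request_snapshot )
        Broker::publish(intel_topic, Tenzir::snapshot_request, intel_topic);
    }

## IoC update from Threat Bus: insert into (or remove from) the Intel framework.
event Tenzir::intel_update(ind: Indicator)
    {
    if ( ind$kind !in indicator_types )
        return;   # unsupported indicator type: ignore rather than guess

    local item = Intel::Item($indicator=ind$value,
                             $indicator_type=indicator_types[ind$kind],
                             $meta=Intel::MetaData($source=ind$source,
                                                   $threatbus_id=ind$id));
    if ( ind$remove )
        Intel::remove(item, T);
    else
        Intel::insert(item);
    }

## Intel framework match: turn it into a sighting on the sighting topic.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    local seen = s?$indicator ? s$indicator : fmt("%s", s$host);
    local ctx = fmt("%s observed at %s", seen, s$where);
    for ( item in items )
        {
        if ( ! item$meta?$threatbus_id )
            next;   # not a Threat Bus indicator, nothing to report back
        Broker::publish(sighting_topic, Tenzir::sighting,
                        network_time(), item$meta$threatbus_id, ctx);
        }
    }
```

Load it like any other script (for example `zeek -i <iface> threatbus_example.zeek`); the options can be overridden with `redef Tenzir::intel_topic = "...";` or through the configuration framework. Only intel items carrying a threatbus_id are reported back, so locally loaded intel never produces sightings on the bus.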