RabbitMQ Backbone Plugin

The RabbitMQ plugin enables Threat Bus to use RabbitMQ as its message broker backbone. RabbitMQ provides a reliable, high-performance message passing infrastructure for indicator delivery within Threat Bus. Using this backbone plugin, Threat Bus relays all messages through a RabbitMQ endpoint. As a result, Threat Bus can scale horizontally via RabbitMQ.

This plugin simplifies network segregation and the communication trust model. Threat Bus requires no trust between the connected applications. Connected apps only need to know one Threat Bus endpoint, while Threat Bus itself only needs to know a RabbitMQ endpoint.

The plugin implements the minimal backbone specs for Threat Bus backbone plugins.

Installation

Install the RabbitMQ backbone plugin via pip.

pip install threatbus-rabbitmq

Configuration

The plugin requires some configuration parameters, as described in the example excerpt from a Threat Bus config.yaml file below.

...
plugins:
  backbones:
    rabbitmq:
      host: localhost
      port: 5672
      username: guest
      password: guest
      vhost: /
      naming_join_pattern: . # symbol to concatenate names with. Example queue-name: threatbus.intel."hostname"
      queue:
        name_suffix: "my_suffix" # optional. remove property / set empty to use 'hostname'
        durable: true
        auto_delete: false
        lazy: true
        exclusive: false
        max_items: 100000 # optional. remove property / set to 0 to allow infinite length
...

Parameter Explanation

While most parameters are self-explanatory, like host and port, others require some further explanation as described below.

naming_join_pattern

The plugin creates fanout exchanges and binds queues to these on the RabbitMQ host. The option naming_join_pattern provides some flexibility to the user when it comes to the naming of these resources.

For example, if your organization has a naming scheme to always concatenate resource names based on their domain via _, you can specify that here. Queues and exchanges will then be called accordingly, e.g., threatbus_intel.

queue.name_suffix

Each Threat Bus host binds its own queues to the exchanges in RabbitMQ. The queue names should not overlap with the queue names from other Threat Bus instances. Hence, queue names are by default suffixed with the hostname of the Threat Bus instance that binds to them. Use the option queue.name_suffix to override the name-suffix of queues with a user-specified value, instead of the hostname.

queue.durable

Sets the queue property for durable queues. If true, queues will survive a RabbitMQ broker restart.

queue.auto_delete

Sets the queue property to auto-delete queues. If true, these queues will be cleared from the RabbitMQ host when Threat Bus disconnects.

queue.lazy

If set, Threat Bus will declare all queues as lazy. If true, RabbitMQ shifts queue contents to disk early and optimizes for memory management.

queue.exclusive

Sets the queue property for exclusive queues. If true, a RabbitMQ queue can only be used by one connection and is deleted after that connection closes.

queue.max_items

Limits the maximum number of items in a RabbitMQ queue. Remove the property or set it to 0 to allow infinite length.
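
The following added example (not code from the Threat Bus project) shows how the parameters above combine into exchange names, queue names and queue properties, and flags settings worth reviewing before deployment. The helper names plan_queue and lint are hypothetical, and the mapping of lazy and max_items to the RabbitMQ queue arguments x-queue-mode and x-max-length is an assumption about how the options translate, not a statement about the plugin's internals.

```python
import socket

# Constructed sample mirroring the config.yaml excerpt above.
SAMPLE = {
    "host": "localhost", "port": 5672,
    "username": "guest", "password": "guest", "vhost": "/",
    "naming_join_pattern": ".",
    "queue": {"name_suffix": "my_suffix", "durable": True, "auto_delete": False,
              "lazy": True, "exclusive": False, "max_items": 100000},
}

def plan_queue(cfg, topic, hostname=None):
    """Derive exchange/queue names and declare options for one topic.
    Hypothetical helper: the mapping is an assumption, not the plugin's code."""
    join = cfg["naming_join_pattern"]
    q = cfg.get("queue", {})
    # Empty or missing name_suffix falls back to the local hostname.
    suffix = q.get("name_suffix") or hostname or socket.gethostname()
    exchange = join.join(["threatbus", topic])
    args = {}
    if q.get("lazy"):
        args["x-queue-mode"] = "lazy"      # RabbitMQ lazy-queue argument
    if q.get("max_items"):                 # 0 or absent: unlimited length
        args["x-max-length"] = q["max_items"]
    return {
        "exchange": exchange, "exchange_type": "fanout",
        "queue": join.join([exchange, suffix]),
        "durable": bool(q.get("durable")), "auto_delete": bool(q.get("auto_delete")),
        "exclusive": bool(q.get("exclusive")), "arguments": args,
    }

def lint(cfg):
    """Return warnings for settings worth reviewing before deployment."""
    warnings = []
    local = cfg["host"] in ("localhost", "127.0.0.1", "::1")
    if cfg["username"] == "guest" and not local:
        warnings.append("guest account: RabbitMQ only accepts it over loopback by default")
    q = cfg.get("queue", {})
    if q.get("exclusive") and q.get("durable"):
        warnings.append("exclusive queue is deleted on disconnect; durable has no effect")
    if not q.get("max_items"):
        warnings.append("no max_items: queue can grow without bound if the consumer stalls")
    return warnings
```
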