Usage

This section gives a brief walk-through of how to get started with Threat Bus. First, install Threat Bus and all plugins you need. Use the default configuration file to get started or create a custom one.

Start Up

Display the help text:

venv/bin/threatbus --help

Pass a configuration file to Threat Bus via -c <file>:

venv/bin/threatbus -c config.yaml

Start Zeek as a Threat Bus App

Apps need to register at the bus. Zeek can be scripted, and the functionality that lets Zeek subscribe to Threat Bus is implemented in a dedicated Zeek script. To connect Zeek with Threat Bus, download and load the Zeek script as follows:

curl -L -o threatbus.zeek https://raw.githubusercontent.com/tenzir/threatbus/master/apps/zeek/threatbus.zeek
zeek -i <INTERFACE> -C threatbus.zeek

Request an IoC Snapshot with Zeek

Threat Bus allows apps to request snapshots of intelligence items from the past. The Zeek script implements the request functionality. Invoke it like this:

zeek -i <INTERFACE> -C threatbus.zeek -- "Tenzir::snapshot_intel=30 days"
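The walk-through above passes a config.yaml to Threat Bus and then connects Zeek as an app. Below is an added example of such a custom configuration; it is not the project's shipped config file. The key names follow the layout of the project's example configuration as recalled by the editor, and the host, port and module namespace are assumptions to be checked against the config.yaml.example that ships with your version.

```yaml
# Added example configuration, not the project's own config.yaml.
# Key names are assumed from the project's config.yaml.example; verify them
# against the file shipped with your Threat Bus version.
logging:
  console: true
  console_verbosity: INFO
  file: true                  # keep a file log so app registrations and
  file_verbosity: DEBUG       # snapshot requests can be reviewed later
  filename: threatbus.log

plugins:
  backbones:
    inmem: {}                 # in-memory backbone: single host, nothing persisted
  apps:
    zeek:
      host: "127.0.0.1"       # assumed endpoint; loopback keeps the app port off the network
      port: 47761             # assumed port; must match what threatbus.zeek connects to
      module_namespace: Tenzir  # matches the Tenzir:: namespace used in the snapshot option above
```

Start the bus with venv/bin/threatbus -c config.yaml, then launch Zeek as shown above. Change host only if Zeek runs on a different machine, and restrict that exposure with a firewall rule.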

Use the Docker Container

Threat Bus can be used in a containerized setup. The pre-built Docker image comes with all required dependencies and all existing plugins pre-installed.

docker run tenzir/threatbus:latest --help