• Stars
    star
    823
  • Rank 55,417 (Top 2 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created about 7 years ago
  • Updated 10 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Extract and aggregate threat intelligence.

ThreatIngestor

Build Status Documentation Status PyPI Version

An extendable tool to extract and aggregate IOCs from threat feeds.

Integrates out-of-the-box with ThreatKB and MISP, and can fit seamlessly into any existing workflow with SQS, Beanstalk, and custom plugins.

Currently used by InQuest Labs IOC-DB: https://labs.inquest.net/iocdb

Overview

ThreatIngestor can be configured to watch Twitter, RSS feeds, sitemap (XML) feeds, or other sources, and extract meaningful information such as malicious IPs/domains and YARA signatures, and send that information to another system for analysis.

ThreatIngestor flowchart with several sources feeding into multiple operators

Try it out now with this quick walkthrough, read more ThreatIngestor walkthroughs on the InQuest blog, and check out labs.inquest.net/iocdb, an IOC aggregation and querying tool powered by ThreatIngestor.

Installation

ThreatIngestor requires Python 3.6+, with development headers.

Install ThreatIngestor from PyPI:

pip install threatingestor

Install optional dependencies for using some plugins, as needed:

pip install threatingestor[all]

View the full installation instructions for more information.

Usage

Create a new config.yml file, and configure each source and operator module you want to use. (See config.example.yml for layout.) Then run the script:

threatingestor config.yml

By default, it will run forever, polling each configured source every 15 minutes.

If you'd like to run the image extraction source, or include the image extraction functionality for other sources, you will need to be running Python 3.7 >= due to the dependencies:

pip install opencv-python pytesseract numpy

View the full ThreatIngestor documentation for more information.

Plugins

ThreatIngestor uses a plugin architecture with "source" (input) and "operator" (output) plugins. The currently supported integrations are:

Sources

Operators

View the full ThreatIngestor documentation for more information on included plugins, and how to create your own.

Threat Intel Sources

Looking for some threat intel sources to get started? InQuest has a Twitter List with several accounts that post C2 domains and IPs: https://twitter.com/InQuest/lists/ioc-feed. Note that you will need to apply for a Twitter developer account to use the ThreatIngestor Twitter Source. Take a look at config.example.yml to see how to set this list up as a source.

For quicker setup, RSS feeds can be a great source of intelligence. Check out this example RSS config file for a few pre-configured security blogs.

Support

If you need help getting set up, or run into any issues, feel free to open an issue. You can also reach out to @InQuest on Twitter or read more about us on the web at https://www.inquest.net.

We'd love to hear any feedback you have on ThreatIngestor, its documentation, or how you're putting it to work for you!

Contributing

Issues and pull requests are welcomed. Please keep Python code PEP8 compliant. By submitting a pull request you agree to release your submissions under the terms of the LICENSE.

Docker

Production

A Dockerfile is available for running ThreatIngestor within a Docker container.

First, you'll need to build the container:

docker build . -t threatingestor

After that, you can mount the container by using this command:

docker run -it --mount type=bind,source=/,target=/dock threatingestor /bin/bash

After you've mounted the container and you're inside the /bin/bash shell, you can run ThreatIngestor like normal:

threatingestor config.yml

Development

There is also a Dockerfile.dev for building a development version of ThreatIngestor. All you need is an available .whl file, which can be generated with the following command:

python3 -m build 

After you've built the project, you can build the container:

docker build . -t threatingestor -f Dockerfile.dev

NOTE: If you run into any issues while building the development environment or running ThreatIngestor within the container, you may need to comment out the following lines in Dockerfile.dev to work properly:

FROM ubuntu:18.04
...
# RUN apt-get install tesseract-ocr -y
...
# RUN pip3 install opencv-python pytesseract numpy
...

Extra Scripts

Some scripts are now provided to help with your local configuration of ThreatIngestor.

A README.md with additional information is available here.

More Repositories

1

awesome-yara

A curated list of awesome YARA rules, tools, and people.
3,504
star
2

malware-samples

A collection of malware samples and relevant dissection information, most probably referenced from http://blog.inquest.net
ActionScript
882
star
3

iocextract

Defanged Indicator of Compromise (IOC) Extractor.
Python
498
star
4

yara-rules

A collection of YARA rules we wish to share with the world, most probably referenced from http://blog.inquest.net.
Python
363
star
5

omnibus

The OSINT Omnibus (beta release)
Python
327
star
6

sandboxapi

Minimal, consistent Python API for building integrations with malware sandboxes.
Python
137
star
7

ThreatKB

Knowledge base workflow management for YARA rules and C2 artifacts (IP, DNS, SSL) (ALPHA STATE AT THE MOMENT)
JavaScript
95
star
8

yara-rules-vt

Collection of YARA rules designed for usage through VirusTotal.com.
YARA
64
star
9

python-inquestlabs

A Pythonic interface and command line tool for interacting with the InQuest Labs API.
Python
34
star
10

microsoft-office-macro-clustering

Jupyter Notebook
17
star
11

labs-experiments

A collection of experiments overtop the InQuest Labs open data portal (https://labs.inquest.net).
Python
3
star
12

splunk-inquest

Splunk Addon for InQuest.
Python
3
star
13

iqui-icons

2
star
14

iqui-ngx

Angular CDK based, Bootstrap styled components library
TypeScript
2
star
15

python-threatkb

Python library and command-line tool for InQuest ThreatKB. (pre-release)
Python
2
star
16

iq-cli

InQuest Platform v3 CLI and Python Library
Python
1
star
17

ipython-notebooks

A collection of iPython notebooks probably referenced from https://inquest.net/blog
Jupyter Notebook
1
star
18

RFIQ-Card

Recorded Future InQuest Labs Integration
Python
1
star