Netgate Discussion Forum
    Integrate Threatview.io feed?

    IDS/IPS
skogs

      Anybody figure out how to integrate the ET Threatview.io feed(s)?

      I have a SIEM that has it integrated and occasionally will alert on something reaching out (like to a list of IPs associated with Cobalt Strike C2) but the same ruleset doesn't seem to be in the pfsense snort setup.

      Would be nice to add it.

      threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt for more info

      fireodo @skogs

        @skogs said in Integrate Threatview.io feed?:

        Anybody figure out how to integrate the ET Threatview.io feed(s)?

        You can integrate the feed in pfBlockerNG-devel if you want ...

        Regards,
        fireodo

        Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
        SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
        pfsense 2.7.2 CE
        Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

        bmeeks @skogs

          @skogs said in Integrate Threatview.io feed?:

          Anybody figure out how to integrate the ET Threatview.io feed(s)?

          I have a SIEM that has it integrated and occasionally will alert on something reaching out (like to a list of IPs associated with Cobalt Strike C2) but the same ruleset doesn't seem to be in the pfsense snort setup.

          Would be nice to add it.

          threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt for more info

          You can add additional custom rules feeds to Suricata, but not for Snort. You might consider switching over to the Suricata package if having those rules is important to you. The GUI in the two packages is very nearly identical, so the learning curve is quick and pretty easy.

          skogs

            Well I'm not smart enough to make a custom feed; but did find good stuff to ease my mind.
            Suricata Rules
            SID 2527000 and 2527001
            The message portion states ET Threatview.io High Confidence Cobalt Strike C2 IP group 1 and group 2. So...that is what I was looking for.
            Comes into the system with the emerging-threatview_CS_c2.rules category.

            Mystery solved.
            Thanks for the brainpower expended.

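            The thread touches two things a practitioner ends up doing with a feed like this: turning a plain IP list into a rule file that Suricata's custom-rules mechanism can load (bmeeks's suggestion), and confirming whether a given SID such as 2527000/2527001 is actually present in the rules the package downloaded (skogs's "mystery solved"). The Python below is an added example, not code from the thread, from Netgate, or from Threatview.io. It assumes the feed is one address per line with `#` comment lines (the real feed format is not shown on this page), models the generated rules on the ET "IP group" shape (`alert ip $HOME_NET any -> [list] any`), uses the conventional local SID range starting at 1000000, and uses constructed documentation-range addresses (192.0.2.0/24 etc.) rather than any real indicator.

```python
import ipaddress
import re

# Constructed sample feed: NOT the real Threatview.io content. Addresses are
# RFC 5737 documentation ranges, so nothing here is a genuine indicator.
SAMPLE_FEED = """\
# Constructed excerpt; header/comment lines start with '#'
192.0.2.10
198.51.100.23   # trailing comments are tolerated
203.0.113.0/28
192.0.2.10
not-an-ip
"""


def parse_ip_feed(text):
    """Return unique, valid IPv4/IPv6 hosts or CIDR blocks, in feed order.

    Comment lines, inline comments, blank lines, duplicates and garbage are
    dropped so a bad line in an upstream feed cannot break the rule file.
    """
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # skip unparseable entries instead of failing the run
        token = (str(net.network_address)
                 if net.prefixlen == net.max_prefixlen else str(net))
        if token not in seen:
            seen.add(token)
            out.append(token)
    return out


def build_ip_group_rules(ips, msg, sid_base=1000000, group_size=2,
                         classtype="trojan-activity"):
    """Emit one 'alert ip' rule per chunk of addresses, ET IP-group style.

    Outbound only ($HOME_NET -> list): the use case in the thread is spotting
    an internal host reaching out to a known C2 address. Assumed shape, not a
    copy of the ET rules themselves.
    """
    rules = []
    for n, start in enumerate(range(0, len(ips), group_size), start=1):
        chunk = ",".join(ips[start:start + group_size])
        rules.append(
            f'alert ip $HOME_NET any -> [{chunk}] any '
            f'(msg:"{msg} group {n}"; reference:url,threatview.io; '
            f'classtype:{classtype}; sid:{sid_base + n - 1}; rev:1;)'
        )
    return rules


SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def find_sids(rules_text, wanted):
    """Map each wanted SID to True/False depending on presence in rules_text."""
    present = {int(m) for m in SID_RE.findall(rules_text)}
    return {sid: (sid in present) for sid in wanted}


if __name__ == "__main__":
    ips = parse_ip_feed(SAMPLE_FEED)
    rules = build_ip_group_rules(ips, "LOCAL Threatview CS C2 IP")
    print("\n".join(rules))
    # Check the same way you would check the downloaded ET category file:
    print(find_sids("\n".join(rules), [1000000, 1000001, 2527000]))
```

Writing the generated rules to a file that the Suricata package's custom-rules setting points at is the integration step bmeeks describes; the same `find_sids` check run over the downloaded `emerging-threatview_CS_c2.rules` file is a quick way to confirm the two ET SIDs skogs found are actually enabled on your box before trusting that coverage.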
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.