Integrating Threat Intelligence into Security Onion

[namobud...@gmail.com]

What's the best way to integrate threat Intel which comes as URL's Into security onion, can I just search ELSA for these strings? Is there a way to automate this?

Thanks,

[wedgeshot]

You cant utilize the "Intel" via Bro. You can add things to /opt/bro/share/bro/intel/intel.dat which the management server deploys out to all sensors if you have "Salt" enabled.

Also, you can look the the critical stack feeds which automates the integration of there feeds into Bro. https://intel.criticalstack.com

Cheers,
-B

[Marcelo Ramos]

Have a look at this, it should give you an idea of what you can do:
http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html

Hth

[Doug Burks]

If you're wanting to search retroactively through your existing data
in ELSA, you may want to consider scripting something up using the
ELSA API. Take a look at
/opt/elsa/contrib/securityonion/contrib/cli.sh.

On Thu, Nov 19, 2015 at 8:53 AM, <namobud...@gmail.com> wrote:
> What's the best way to integrate threat Intel which comes as URL's Into security onion, can I just search ELSA for these strings? Is there a way to automate this?
>
> Thanks,
>

> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com