satta/fever-threatbus
The FEVER-Threat Bus connector acts as a bridge between Threat Bus and FEVER, updating FEVER's internal Bloom filter matcher with all compatible indicators that are distributed via Threat Bus.
You can configure the app via a YAML configuration file. See `config.yaml.example` for an example config file. Rename the example to `config.yaml` before starting.
Alternatively, configure the app via environment variables, similarly to Threat Bus, or pass a path to a configuration file via `-c /path/to/config.yaml`.
Install `fever-threatbus` in a virtualenv and start:

```
python -m venv venv
source venv/bin/activate
make dev-mode
fever-threatbus
```
In the configuration file, you mainly need to configure the `socket` option, which specifies the path to FEVER's control socket (default `/tmp/fever-mgmt.sock`). It is also possible to configure which indicator object paths are included in the Bloom filter. For example, the following (default) settings of

```
...
threatbus: localhost:13370
snapshot: 30
# Socket for the FEVER gRPC connection
socket: /tmp/fever-mgmt.sock
# STIX Object Paths to include in Bloom filter additions
object_paths:
  - domain-name:value
  - url:value
```

would cause patterns like
[domain-name:value = 'evil.com']
[url:value = 'http://example.com/foo']
to be matched via FEVER's Bloom filter.
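
The following sketch shows which indicator values the `object_paths` setting above would select from a STIX pattern. It is an added example, not code from the fever-threatbus project; the function name `bloom_candidates`, the regex-based parsing and the sample patterns are assumptions made for illustration, and only simple equality comparisons are handled.

```python
import re

# Default object paths from the configuration shown above.
DEFAULT_OBJECT_PATHS = ("domain-name:value", "url:value")

# One equality comparison in a STIX 2 pattern: <object path> = '<string>'.
# STIX string literals escape ' and \ with a backslash.
_COMPARISON = re.compile(
    r"(?P<path>[a-z][a-z0-9-]*:[A-Za-z0-9_.\-\[\]*]+)"
    r"\s*=\s*"
    r"'(?P<value>(?:[^'\\]|\\.)*)'"
)


def _unescape(literal):
    """Turn an escaped STIX string literal body into the plain value."""
    return re.sub(r"\\(.)", r"\1", literal)


def bloom_candidates(pattern, object_paths=DEFAULT_OBJECT_PATHS):
    """Return the values in `pattern` whose object path is configured.

    Hypothetical helper: comparisons on other object paths, and operators
    other than '=' (for example '!=' or LIKE), yield nothing, so such
    indicators would never reach the Bloom filter.
    """
    wanted = set(object_paths)
    return [
        _unescape(m.group("value"))
        for m in _COMPARISON.finditer(pattern)
        if m.group("path") in wanted
    ]


if __name__ == "__main__":
    # Constructed sample patterns, not taken from a real feed.
    samples = [
        "[domain-name:value = 'evil.com']",
        "[url:value = 'http://example.com/foo']",
        "[ipv4-addr:value = '198.51.100.7']",  # path not configured
        "[domain-name:value != 'evil.com']",   # not an equality match
    ]
    for s in samples:
        print(s, "->", bloom_candidates(s))
```

An indicator that produces an empty list here is one that the default settings would leave out of the Bloom filter, which is worth checking when a feed carries object types other than domains and URLs.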