Please keep in mind we do not officially support use of this script, so installation is at your own risk.
To begin, we need to satisfy a few prerequisites:
AlienVault OTX API key, which can be obtained for free at https://otx.alienvault.com
Security Onion standalone or sensor (running Bro)
External internet access, to retrieve updated pulses (https://otx.alienvault.com/api/v1/pulses/subscribed)
Grab the installation script and run it.
sudo bash securityonion-otx
After running the above script, /opt/bro/share/bro/policy/bro-otx will house all necessary files (including otx.dat, the intel file into which all pulses are fed).
We can test our configuration by adding another piece of intel to the end of
google.com[literal tab]Intel::DOMAIN[literal tab]Test-Google-Intel[literal tab]https://google.com[literal tab]T
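The record above only loads if every field is separated by a real tab character and the columns match the intel file's #fields header; a record typed with spaces is silently skipped by Bro's input reader, and an unknown indicator type fails to parse, so either mistake shows up later as "no intel hit" rather than as an obvious error. The following is an added example (not part of the securityonion-otx project) that builds and checks records in that five-column format before they are appended to an intel file such as otx.dat. The function names and the sample file are assumptions made for the example.

```python
# Added example (not from the securityonion-otx project): build and validate
# Bro Intel-framework records for a tab-delimited intel file such as otx.dat.

# Columns used by the record shown in the page (indicator, type, meta.source,
# meta.url, meta.do_notice). The intel file must start with a #fields header
# naming them in this order.
INTEL_FIELDS = ["indicator", "indicator_type", "meta.source", "meta.url", "meta.do_notice"]
INTEL_HEADER = "#fields\t" + "\t".join(INTEL_FIELDS)

# Core Intel::Type values accepted by the Bro 2.x Intel framework.
INTEL_TYPES = {
    "Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
    "Intel::FILE_NAME", "Intel::CERT_HASH",
}


def validate_intel_line(line):
    """Return a list of problems with one data line; an empty list means it is well formed."""
    problems = []
    if " " in line and "\t" not in line:
        problems.append("fields are separated by spaces, not tabs")
    fields = line.rstrip("\n").split("\t")
    if len(fields) != len(INTEL_FIELDS):
        problems.append(f"expected {len(INTEL_FIELDS)} tab-separated fields, got {len(fields)}")
        return problems
    indicator, itype, source, url, do_notice = fields
    if not indicator or indicator == "-":
        problems.append("indicator is empty")
    elif " " in indicator:
        problems.append("indicator contains a space")
    if itype not in INTEL_TYPES:
        problems.append(f"unknown indicator_type {itype!r}")
    if not source or source == "-":
        problems.append("meta.source is required")
    if do_notice not in ("T", "F"):
        problems.append(f"meta.do_notice must be T or F, got {do_notice!r}")
    return problems


def make_intel_line(indicator, itype, source, url="-", do_notice=True):
    """Build a tab-separated intel record, raising ValueError if it would not load."""
    line = "\t".join([indicator, itype, source, url, "T" if do_notice else "F"])
    problems = validate_intel_line(line)
    if problems:
        raise ValueError("; ".join(problems))
    return line


def check_intel_file(text):
    """Validate a whole intel file; returns (good_record_count, {line_number: problems})."""
    lines = text.splitlines()
    errors = {}
    if not lines or not lines[0].startswith("#fields\t"):
        errors[1] = ["file must begin with a #fields header"]
    count = 0
    for number, line in enumerate(lines, start=1):
        if not line or line.startswith("#"):
            continue  # header, comment or blank line
        problems = validate_intel_line(line)
        if problems:
            errors[number] = problems
        else:
            count += 1
    return count, errors


# Constructed sample file: header, the page's test record, and a broken line
# whose fields are separated by spaces instead of tabs.
SAMPLE_INTEL_FILE = "\n".join([
    INTEL_HEADER,
    make_intel_line("google.com", "Intel::DOMAIN", "Test-Google-Intel", "https://google.com"),
    "bad.example Intel::DOMAIN Test-Bad https://bad.example T",
]) + "\n"

if __name__ == "__main__":
    good, bad = check_intel_file(SAMPLE_INTEL_FILE)
    print(f"{good} well-formed record(s); problems: {bad}")
```

Running check_intel_file over the real otx.dat after an edit is a quick way to confirm that a hand-added test indicator is actually loadable before waiting on intel.log.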
As long as our syntax is correct, we should not need to restart Bro. We can check for errors in
Let's see if we can get an intel hit by doing the following:
Next, we need to check /nsm/bro/logs/current/intel.log for entries for our indicator:
grep google /nsm/bro/logs/current/intel.log
We should have received a Bro Notice as well, so let's check that too:
grep google /nsm/bro/logs/current/notice.log
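The two grep commands above match the string anywhere in the line. Bro's logs are tab-separated with a #fields header naming each column, so they can also be read field by field, which lets a check confirm that the hit is on the seen.indicator column of intel.log and that the notice really is an Intel::Notice for that indicator. The following is an added example (not part of the securityonion-otx project) that parses such logs and pulls out the records for one indicator. The function names and the two sample logs are assumptions; the samples are constructed and carry only a subset of the columns Bro writes.

```python
# Added example (not from the securityonion-otx project): field-aware parsing
# of Bro's tab-separated intel.log and notice.log.

def parse_bro_log(text):
    """Return a list of dicts, one per data row, keyed by the names in the #fields header."""
    separator = "\t"
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # Bro writes the separator as an escape sequence, e.g. "#separator \x09"
            separator = bytes(line.split(" ", 1)[1], "ascii").decode("unicode_escape")
            continue
        if line.startswith("#fields"):
            fields = line.split(separator)[1:]
            continue
        if line.startswith("#"):
            continue  # #set_separator, #empty_field, #unset_field, #path, #open, #types, #close
        if fields is None:
            raise ValueError("data row encountered before the #fields header")
        values = line.split(separator)
        if len(values) != len(fields):
            raise ValueError(f"row has {len(values)} fields, header has {len(fields)}")
        records.append(dict(zip(fields, values)))
    return records


def find_intel_hits(records, indicator):
    """intel.log rows whose seen.indicator equals the indicator we planted."""
    return [r for r in records if r.get("seen.indicator") == indicator]


def find_intel_notices(records, indicator):
    """notice.log rows raised by the Intel framework that mention the indicator."""
    return [r for r in records
            if r.get("note") == "Intel::Notice" and indicator in r.get("msg", "")]


def _bro_header(path, fields, types):
    return [
        "#separator \\x09",
        "#set_separator\t,",
        "#empty_field\t(empty)",
        "#unset_field\t-",
        "#path\t" + path,
        "#fields\t" + "\t".join(fields),
        "#types\t" + "\t".join(types),
    ]


# Constructed intel.log excerpt (abbreviated column set) with one hit on the
# test indicator and one on an unrelated indicator.
SAMPLE_INTEL_LOG = "\n".join(_bro_header(
    "intel",
    ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "seen.indicator", "seen.indicator_type", "seen.where", "sources"],
    ["time", "string", "addr", "port", "addr", "port", "string", "enum", "enum", "set[string]"],
) + [
    "1526000000.123456\tCHhAvVGS1DHFjwGM9\t192.0.2.10\t51234\t192.0.2.53\t53"
    "\tgoogle.com\tIntel::DOMAIN\tDNS::IN_REQUEST\tTest-Google-Intel",
    "1526000001.000000\tC4J4Th3PJpwUYZZ6gc\t192.0.2.10\t51235\t192.0.2.53\t53"
    "\texample.org\tIntel::DOMAIN\tDNS::IN_REQUEST\tsome-other-source",
    "#close\t2018-05-11-00-00-00",
])

# Constructed notice.log excerpt (abbreviated column set): one Intel::Notice
# for the test indicator and one unrelated notice that also contains "google".
SAMPLE_NOTICE_LOG = "\n".join(_bro_header(
    "notice",
    ["ts", "uid", "note", "msg", "src"],
    ["time", "string", "enum", "string", "addr"],
) + [
    "1526000000.123456\tCHhAvVGS1DHFjwGM9\tIntel::Notice"
    "\tIntel hit on google.com at DNS::IN_REQUEST\t192.0.2.10",
    "1526000002.000000\tCj3x9p1aXa2bZr4Qd\tSSL::Invalid_Server_Cert"
    "\tSSL certificate validation failed for www.google.com\t192.0.2.10",
])

if __name__ == "__main__":
    for hit in find_intel_hits(parse_bro_log(SAMPLE_INTEL_LOG), "google.com"):
        print("intel hit:", hit["seen.where"], hit["sources"])
    for notice in find_intel_notices(parse_bro_log(SAMPLE_NOTICE_LOG), "google.com"):
        print("notice:", notice["msg"])
```

Reading the header rather than hard-coding column positions keeps the parser working across Bro versions and across logs with different column sets, which is also why the second notice in the sample (a certificate warning that merely contains "google") is not counted as an intel hit.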
After successful testing, we can remove our addition from
or just run
By default, pulses will be retrieved on an hourly basis. To change this to a different value, simply alter the interval in