Implementation of informaiton from MISP through the eCrimeLabs API and into SecurityOnion
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE
README.md
configure-ecrimelabs
download-ecrimelabs
ecrimelabscfg
setup-ecrimelabs

README.md

SecurityOnion-eCrimeLabs

Implementation of information from MISP through the eCrimeLabs API and into SecurityOnion

Prerequisites:

  • Security Onion (installed,configured)
  • eCrimeLabs Broker API access and API Key
  • Download and Configure (on Master or Standalone)

Clone the repo:

git clone https://github.com/eCrimeLabs/securityonion-ecrimelabs

Run the setup script:

sudo bash securityonion-ecrimelabs/setup-ecrimelabs

Update rules (if desired):

/usr/sbin/download-ecrimelabs
sudo rule-update

Confirm rules in place:

cat /etc/nsm/rules/alert.ecrimelabs.rules
cat /etc/nsm/rules/incident.ecrimelabs.rules

Confirm Bro Intel in place:

cat /opt/bro/share/bro/intel/ecrimelabs-intel.dat

A cron job will run every 2 hours to download new NIDS rules and Intel.


Remember to modify ecrimelabscfg

The setup will allways pull the incident feed, and here from it is up to the individual implementation on what other feeds will be extracted.