Threat Analysis, Reconnaissance, and Data Intelligence System
Clone or download
Travis Smith
Travis Smith Adding missing config file
Config file required to tell TARDIS where to look.
Latest commit 45d221f Aug 29, 2015
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
VulnXML Fixing STIX Format Aug 28, 2015
ElasticSearchQuery.py Initial Commit Aug 3, 2015
LICENSE Initial commit Aug 3, 2015
NOTICE Initial Commit Aug 3, 2015
README.txt Initial Commit Aug 3, 2015
TARDIS.py Initial Commit Aug 3, 2015
config.xml Adding missing config file Aug 28, 2015
dbColumns.config Initial Commit Aug 3, 2015
dependencies.py Initial Commit Aug 3, 2015
findStixObservables.py Initial Commit Aug 3, 2015
idmap.config Initial Commit Aug 3, 2015
parseIP360.py Initial Commit Aug 3, 2015
parseSTIX.py Initial Commit Aug 3, 2015
splunk.py Initial Commit Aug 3, 2015
sql_tardis.sql Initial Commit Aug 3, 2015

README.txt

1) Execute 'python dependencies.py' to ensure all Python modules have been installed.  Continue when no errors are generated. 

2) Execute the sql_tardis.sql script to create the appropriate database and tables within MySQL. 

3) Edit the config.xml with the appropriate credentials of the MySQL Server, Splunk, or Elastic Search instances.  Update the log_source element with either 'splunk' or 'elastic_search', depending on the log repository being searched.  

4) Edit the dbColumns.config document.  This will be a mapping of STIX fields to the appropriate normalized column name in the log repository. Samples are provided for reference. 

5a) If using an IP360 scan output file, execute 'python parseIP360.py -f <xml_file>'
	-Note: Referenced STIX files are stored in the VulnXML directory.  A sample for ShellShock (98520.xml) is provided for reference. Any number of STIX documents can be referenced.  

5b) If using an individual STIX file, execute 'python parseSTIX.py -f <STIX_file> -i <ip_address> -d <hostname>
	-Note: the -d argument is optional.  If no hostname is provided, TARDIS will attempt to look up the hostname from the IP provided.  
	-Note: A copy of the STIX file is saved to the VulnXML directory using the CVE name as the filename.