OpenDXL-RIMalShare

RIMalShare (Reputation Ingest - MalShare) employs ETL to import new threat indicators from malshare.com into your TIE Enterprise Reputations.

Introduction

RI MalShare takes advantage of newly posted malware hashes submitted to the malshare.com repository. This gives Cyber System Administrators the ability to quickly inoculate all systems in their environment by making them aware of these critical updates.


Several steps take place:

Extract

During extraction, RIMalShare pulls the new content for the last 24 hours. You can run this as often as you'd like, but I recommend at least every 24 hours. If an entry has already been addressed, the process skips it.

Transform

MalShare returns a simple newline-separated list of MD5 hashes. To transform it into a Python dictionary object we can use, the process splits on the newline character and enumerates through each entry. No filenames are recorded by MalShare, so we enter MALSHARE.unknown as the filename in the transformed data structure.

Load

During the load process, RIMalShare checks that one of the following conditions is met before setting a reputation:

  • Neither the enterprise nor the GTI trust level is set, or
  • The enterprise trust level is unknown or lower. Note: RIMalShare will overwrite trusted enterprise scores with untrusted trust levels.
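The transform and load rules described above, as an added example written for this page (not the project's own ri_malshare.py): it parses the MalShare list, validates each MD5 before anything reaches TIE, and applies the two load conditions to a reputation lookup shaped like the TIE client's get_file_reputation() result. The trust-level and provider constants are inlined and assumed to match dxltieclient; the lookup callback, SAMPLE_FEED and SAMPLE_TIE are constructed, and an enterprise level of NOT_SET is treated as covered by the first rule only.

```python
import re

# Constants mirroring dxltieclient.constants (assumption; inlined so this runs offline).
TRUST_NOT_SET = 0            # TrustLevel.NOT_SET
TRUST_KNOWN_MALICIOUS = 1    # TrustLevel.KNOWN_MALICIOUS
TRUST_UNKNOWN = 50           # TrustLevel.UNKNOWN
PROVIDER_GTI = 1             # FileProvider.GTI
PROVIDER_ENTERPRISE = 3      # FileProvider.ENTERPRISE
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

def transform(raw_text):
    """Transform: MalShare's newline-separated MD5 list -> {md5: {"filename": ...}}.
    Blank lines, duplicates and anything that is not a 32-hex-digit MD5 are dropped,
    so a malformed feed line is never pushed into TIE."""
    indicators = {}
    for line in raw_text.splitlines():
        candidate = line.strip()
        if MD5_RE.match(candidate):
            indicators[candidate.lower()] = {"filename": "MALSHARE.unknown"}
    return indicators

def should_load(reputations):
    """Load condition from the README, applied to a dict shaped like the
    TieClient.get_file_reputation() result: {provider_id: {"trustLevel": int}}.
    True when both enterprise and GTI levels are NOT_SET, or when the enterprise
    level is set and is UNKNOWN or lower (NOT_SET is handled by the first rule only)."""
    ent = reputations.get(PROVIDER_ENTERPRISE, {}).get("trustLevel", TRUST_NOT_SET)
    gti = reputations.get(PROVIDER_GTI, {}).get("trustLevel", TRUST_NOT_SET)
    if ent == TRUST_NOT_SET and gti == TRUST_NOT_SET:
        return True
    return TRUST_NOT_SET < ent <= TRUST_UNKNOWN

def plan_loads(raw_text, lookup):
    """Returns the (md5, filename, trust_level) tuples that would be handed to
    TieClient.set_file_reputation(); lookup(md5) stands in for get_file_reputation()."""
    return [(md5, meta["filename"], TRUST_KNOWN_MALICIOUS)
            for md5, meta in sorted(transform(raw_text).items())
            if should_load(lookup(md5))]

# Constructed sample feed (not real MalShare output) and constructed TIE reputations.
SAMPLE_FEED = ("0123456789abcdef0123456789ABCDEF\n\nnot-a-hash\n"
               "ffffffffffffffffffffffffffffffff\n0123456789abcdef0123456789abcdef\n"
               "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n")
SAMPLE_TIE = {
    "ffffffffffffffffffffffffffffffff": {PROVIDER_ENTERPRISE: {"trustLevel": 99}},
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {PROVIDER_GTI: {"trustLevel": 1},
                                         PROVIDER_ENTERPRISE: {"trustLevel": 50}},
}
```

Running plan_loads(SAMPLE_FEED, lambda h: SAMPLE_TIE.get(h, {})) yields two rows: the hash with no reputation at all and the one whose enterprise level is UNKNOWN; the trusted (99) hash is left alone and the malformed line never gets that far.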

Functional Logic Diagram

RIMalShare uses the McAfee TIE DXL Python Client Library for reputation gets and sets.

Setup

Dependencies

To run RI MalShare, install Python 2.7 or later. Python 3 is not currently supported.

Install the required dependencies with the requirements.txt file:

$ pip install -r requirements.txt

This will install the dxlclient, dxltieclient, and requests modules.

MalShare

https://www.malshare.com/

Edit the ms.config

[malshare]
apikey=<API KEY>
ms_host=https://www.malshare.com

Edit the dxlclient.config

Provision DXL client certificates and fill in the broker list for the DXL Client.

[Certs]
BrokerCertChain=certs/brokercert.crt
CertFile=certs/client.crt
PrivateKey=certs/client.key

[Brokers]
{}={};8883;

For more information on configuring the DXL client, see the OpenDXL Python Client SDK Documentation.

Run RI Malshare

$ python ri_malshare.py

McAfee OpenDXL SDK

https://www.mcafee.com/us/developers/open-dxl/index.aspx

McAfee Threat Intelligence Exchange (TIE) DXL Python Client Library at the following link:

https://github.com/opendxl/opendxl-tie-client-python/wiki

  • Certificate Files Creation
  • ePO Certificate Authority (CA) Import
  • ePO Broker Certificates Export

Node-RED

A Node-RED configuration has been added. Import nodered.json as a flow to get the same functionality in Node-RED.
