Metadata-Version: 2.1
Name: threatbus-cif3
Version: 2022.5.16
Summary: A plugin to enable indicators to be submitted to CIFv3 in real-time
Home-page: https://github.com/tenzir/threatbus
Author: Michael Davis, derived from work by Tenzir
Author-email: 
License: BSD 3-clause
Keywords: cif,cifv3,cif3,renisac,ren-isac,threatbus,Threat Bus,threat intelligence,TI,TI dissemination
Platform: UNKNOWN
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Plugins
Classifier: License :: OSI Approved :: BSD License
Classifier: Operating System :: MacOS :: MacOS X
Classifier: Operating System :: POSIX :: Linux
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: Scientific/Engineering :: Information Analysis
Classifier: Topic :: Scientific/Engineering :: Interface Engine/Protocol Translator
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Object Brokering
Classifier: Topic :: System :: Distributed Computing
Requires-Python: >=3.6
Description-Content-Type: text/markdown
Requires-Dist: stix2 (>=3.0)
Requires-Dist: threatbus (>=2022.5.16)
Requires-Dist: cifsdk (<4.0,>3.0.0rc4)

Threat Bus CIFv3 Plugin
======================

<h4 align="center">

[![PyPI Status][pypi-badge]][pypi-url]
[![Build Status][ci-badge]][ci-url]
[![License][license-badge]][license-url]

</h4>

A Threat Bus plugin to push indicators from Threat Bus to
[Collective Intelligence Framework v3](https://github.com/csirtgadgets/bearded-avenger).

The plugin uses the [cifsdk (v3.x)](https://pypi.org/project/cifsdk/) Python
client to submit indicators received from Threat Bus into a CIFv3 instance.

The plugin breaks with the pub/sub architecture of Threat Bus, because CIF does
not subscribe itself to the bus. Instead, the plugin actively contacts a CIF
endpoint.

## Installation

```sh
pip install threatbus-cif3
```

## Configuration

Configure this plugin by adding a section to Threat Bus' `config.yaml` file, as
follows:

```yaml
...
plugins:
  cif3:
    api:
      host: http://cif.host.tld:5000
      ssl: false
      token: CIF_TOKEN
    group: everyone
    confidence: 7.5
    tlp: amber
    tags:
      - test
      - malicious
...
```

## Development Setup

The following guides describe how to set up local, dockerized instances of CIF.

### Dockerized CIFv3

Use [dockerized CIFv3](https://github.com/sfinlon/cif-docker) to set
up a local CIFv3 environment:

*Setup a CIFv3 docker container*

```sh
git clone https://github.com/sfinlon/cif-docker.git
cd cif-docker
docker-compose build
```

*Edit the docker-compose.yml*

```sh
vim docker-compose.yml
```
Find the section `cif` in the configuration and edit the following as
appropriate to bind port 5000 to your localhost:

```yaml
cif:
    ...
    ports:
      - "5000:5000"
    ...
```


*Start the container*

```sh
docker-compose up -d
# Get an interactive shell in the container:
docker-compose exec cif /bin/bash
# Become the cif user:
su cif
# check to see if access tokens were successfully created. Copy the `admin`
# token to the CIF config section:
cif-tokens
# Ping the router to ensure connectivity:
cif --ping
```

## License

Threat Bus comes with a [3-clause BSD license][license-url].

[pypi-badge]: https://img.shields.io/pypi/v/threatbus-cif3.svg
[pypi-url]: https://pypi.org/project/threatbus-cif3
[ci-url]: https://github.com/tenzir/threatbus/actions?query=branch%3Amaster
[ci-badge]: https://github.com/tenzir/threatbus/workflows/Python%20Egg/badge.svg?branch=master
[license-badge]: https://img.shields.io/badge/license-BSD-blue.svg
[license-url]: https://github.com/tenzir/threatbus/blob/master/COPYING


